Learn more about assigned access: - - - [Configure kiosk and shared devices running Windows desktop editions](https://aka.ms/E489vw). - - - [Kiosk apps for assigned access best practices](https://aka.ms/H1s8y4). - - - [Guidelines for choosing an app for assigned access (kiosk mode)](https://aka.ms/Ul7dw3). - - -### Supported configuration types - -[!INCLUDE [configure-kiosk-mode-supported-values-include](includes/configure-kiosk-mode-supported-values-include.md)] - -## Set up Microsoft Edge kiosk mode - -Now that you're familiar with the different kiosk mode configurations and have the one you want to use in mind, you can use one of the following methods to set up Microsoft Edge kiosk mode: - -- **Windows Settings.** Use only to set up a couple of single-app devices because you perform these steps physically on each device. For a multi-app kiosk device, use Microsoft Intune or other MDM service. - -- **Microsoft Intune or other MDM service.** Use to set up several single-app or multi-app kiosk devices. Microsoft Intune and other MDM service providers offer more options for customizing the Microsoft Edge kiosk mode experience using any of the [Supported policies for kiosk mode](#supported-policies-for-kiosk-mode). - - -### Prerequisites - -- Microsoft Edge on Windows 10, version 1809 (Professional, Enterprise, and Education). - -- URL to load when the kiosk launches. The URL that you provide sets the Home button, Start page, and New Tab page. - -- _**For Microsoft Intune or other MDM service**_, you must have the AppUserModelID (AUMID) to set up Microsoft Edge: - - ``` - Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge - ``` - - -### Use Windows Settings - -Windows Settings is the simplest and the only way to set up one or a couple of single-app devices. - - -1. On the kiosk device, open Windows Settings, and in the search field type **kiosk** and then select **Set up a kiosk (assigned access)**. - -2. On the **Set up a kiosk** page, click **Get started**. - -3. Type a name to create a new kiosk account, or choose an existing account from the populated list and click **Next**. - -4. On the **Choose a kiosk app** page, select **Microsoft Edge** and then click **Next**. - -5. Select how Microsoft Edge displays when running in kiosk mode: - - - **As a digital sign or interactive display** - Displays a specific site in full-screen mode, running Microsoft Edge InPrivate protecting user data. - - - **As a public browser** - Runs a limited multi-tab version of Microsoft Edge, protecting user data. - -6. Select **Next**. - -7. Type the URL to load when the kiosk launches. - -8. Accept the default value of **5 minutes** for the idle time or provide a value of your own. - -9. Click **Next**. - -10. Close the **Settings** window to save and apply your choices. - -11. Restart the kiosk device and sign in with the local kiosk account to validate the configuration. - -**_Congratulations!_**
You’ve just finished setting up a single-app kiosk device using Windows Settings. - -**_What's next?_** - -- User your new kiosk device.
- OR
-- Make changes to your kiosk device. In Windows Settings, on the **Set up a kiosk** page, make your changes to **Choose a kiosk mode** and **Set up Microsoft Edge**. - ---- - - -### Use Microsoft Intune or other MDM service - -With this method, you can use Microsoft Intune or other MDM services to configure Microsoft Edge kiosk mode in assigned access and how it behaves on a kiosk device. To learn about a few app fundamentals and requirements before adding them to Intune, see [Add apps to Microsoft Intune](https://docs.microsoft.com/intune/apps-add). - ->[!IMPORTANT] ->If you are using a local account as a kiosk account in Microsoft Intune, make sure to sign into this account and then sign out before configuring the kiosk device. - -1. In Microsoft Intune or other MDM service, configure [AssignedAccess](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp) to prevent users from accessing the file system, running executables, or other apps. - -2. Configure the following MDM settings to setup Microsoft Edge kiosk mode on the kiosk device and then restart the device. - - | | | - |---|---| - | **[ConfigureKioskMode](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurekioskmode)**
 | Configure the display mode for Microsoft Edge as a kiosk app.
**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureKioskMode
**Data type:** Integer
**Allowed values:**
- **Single-app kiosk experience**
- **0** - Digital signage and interactive display
- **1** - InPrivate Public browsing
- **Multi-app kiosk experience**
- **0** - Normal Microsoft Edge running in assigned access
- **1** - InPrivate public browsing with other apps
 | Change the time in minutes from the last user activity before Microsoft Edge kiosk mode resets the user's session.
**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureKioskResetAfterIdleTimeout
**Data type:** Integer
**Allowed values:**
- **0** - No idle timer
- **1-1440 (5 minutes is the default)** - Set reset on idle timer
 | Set one or more start pages, URLs, to load when Microsoft Edge launches.
**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/HomePages
**Data type:** String
**Allowed values:**
Enter one or more URLs, for example,  | Configure how the Home Button behaves. **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureHomeButton **Data type:** Integer **Allowed values:**  | If you set ConfigureHomeButton to 2, configure the home button URL. **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SetHomeButtonURL **Data type:** String **Allowed values:** Enter a URL, for example, https://www.bing.com |
- | **[SetNewTabPageURL](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-setnewtabpageurl)**  | Set a custom URL for the New Tab page. **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SetNewTabPageURL **Data type:** String **Allowed values:** Enter a URL, for example, https://www.msn.com |
-
-
-**_Congratulations!_** You’ve just finished setting up a kiosk or digital signage with policies for Microsoft Edge kiosk mode using Microsoft Intune or other MDM service.
-
-**_What's next?_** Now it's time to use your new kiosk device. Sign into the device with the kiosk account selected to run Microsoft Edge kiosk mode.
-
----
-
-
-## Supported policies for kiosk mode
-
-Use any of the Microsoft Edge policies listed below to enhance the kiosk experience depending on the Microsoft Edge kiosk mode type you configure. To learn more about these policies, see [Policy CSP - Browser](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser).
-
-Make sure to check with your provider for instructions.
-
-| **MDM Setting** | **Digital /
-*1) For multi-app assigned access, you must configure Internet Explorer 11.*
-  = Not applicable or not supported *\*For Microsoft Edge kiosk mode use* Windows Defender Firewall. Microsoft kiosk browser has custom policy support. |  |
-| Configure Home Button |  |  |
-| Set Start page(s) URL |  |  *Same as Home button URL* |
-| Set New Tab page URL |  |  |
-| Favorites management |  |  |
-| End session button |  |  *In Microsoft Intune, you must create a custom URI to enable. Dedicated UI configuration introduced in version 1808.* |
-| Reset on inactivity |  |  |
-| Internet Explorer integration (Enterprise Mode site list) |  *Multi-app mode only* |  |
-| Available in Microsoft Store |  |  |
-| SKU availability | Windows 10 October 2018 Update
-To prevent access to unwanted websites on your kiosk device, use Windows Defender Firewall to configure a list of allowed websites, blocked websites or both. For more details, see [Windows Defender Firewall with Advanced Security Deployment](https://docs.microsoft.com/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide).
-
----
-
-## Provide feedback or get support
-
-To provide feedback on Microsoft Edge kiosk mode in Feedback Hub, select **Microsoft Edge** as the **Category**, and **All other issues** as the subcategory.
-
-**_For multi-app kiosk only._** If you have set up the Feedback Hub in assigned access, you can you submit the feedback from the device running Microsoft Edge in kiosk mode in which you can include diagnostic logs. In the Feedback Hub, select **Microsoft Edge** as the **Category**, and **All other issues** as the subcategory.
-
-
-
+---
+title: Deploy Microsoft Edge kiosk mode
+description: Microsoft Edge kiosk mode works with assigned access to allow IT admins to create a tailored browsing experience designed for kiosk devices. To use Microsoft Edge kiosk mode, you must configure Microsoft Edge as an application in assigned access.
+ms.assetid:
+ms.reviewer:
+audience: itpro
+manager: dansimp
+author: eavena
+ms.author: eravena
+ms.prod: edge
+ms.sitesec: library
+ms.topic: article
+ms.localizationpriority: medium
+ms.date: 10/29/2018
+---
+
+# Deploy Microsoft Edge kiosk mode
+
+>Applies to: Microsoft Edge on Windows 10, version 1809
+>Professional, Enterprise, and Education
+
+In the Windows 10 October 2018 Update, we added the capability to use Microsoft Edge as a kiosk using assigned access. With assigned access, you create a tailored browsing experience locking down a Windows 10 device to only run as a single-app or multi-app kiosk. Assigned access restricts a local standard user account so that it only has access to one or more Windows app, such as Microsoft Edge in kiosk mode.
+
+In this topic, you learn how to configure the behavior of Microsoft Edge when it's running in kiosk mode with assigned access. You also learn how to set up your kiosk device using either Windows Setting or Microsoft Intune or other MDM service.
+
+At the end of this topic, you can find a list of [supported policies](#supported-policies-for-kiosk-mode) for kiosk mode and a [feature comparison](#feature-comparison-of-kiosk-mode-and-kiosk-browser-app) of the kiosk mode policy and kiosk browser app. You also find instructions on how to provide us feedback or get support.
+
+
+## Kiosk mode configuration types
+
+>**Policy** = Configure kiosk mode (ConfigureKioskMode)
+
+Microsoft Edge kiosk mode supports four configurations types that depend on how Microsoft Edge is set up with assigned access, either as a single-app or multi-app kiosk. These configuration types help you determine what is best suited for your kiosk device or scenario.
+
+- Learn about [creating a kiosk experience](https://docs.microsoft.com/windows-hardware/customize/enterprise/create-a-kiosk-image)
+
+ - [Set up a kiosk or digital signage on Windows 10 Pro, Enterprise, or Education](https://docs.microsoft.com/windows/configuration/setup-kiosk-digital-signage)
+
+ - [Create a Windows 10 kiosk that runs multiple apps](https://docs.microsoft.com/windows/configuration/lock-down-windows-10-to-specific-apps).
+
+- Learn about configuring a more secure kiosk experience: [Other settings to lock down](https://docs.microsoft.com/windows/configuration/setup-kiosk-digital-signage#other-settings-to-lock-down).
+
+
+### Important things to remember before getting started
+
+- The public browsing kiosk types run Microsoft Edge InPrivate mode to protect user data with a browsing experience designed for public kiosks.
+
+- Microsoft Edge kiosk mode has a built-in timer to help keep data safe in public browsing sessions. When the idle time (no user activity) meets the time limit, a confirmation message prompts the user to continue, and if no user activity Microsoft Edge resets the session to the default URL. By default, the idle timer is 5 minutes, but you can choose a value of your own.
+
+- Optionally, you can define a single URL for the Home button, Start page, and New Tab page. See [Supported policies for kiosk mode](#supported-policies-for-kiosk-mode) to learn more.
+
+- No matter which configuration type you choose, you must set up Microsoft Edge in assigned access; otherwise, Microsoft Edge ignores the settings in this policy (Configure kiosk mode/ConfigureKioskMode). Learn more about assigned access:
+
+ - [Configure kiosk and shared devices running Windows desktop editions](https://aka.ms/E489vw).
+
+ - [Kiosk apps for assigned access best practices](https://aka.ms/H1s8y4).
+
+ - [Guidelines for choosing an app for assigned access (kiosk mode)](https://aka.ms/Ul7dw3).
+
+
+### Supported configuration types
+
+[!INCLUDE [configure-kiosk-mode-supported-values-include](includes/configure-kiosk-mode-supported-values-include.md)]
+
+## Set up Microsoft Edge kiosk mode
+
+Now that you're familiar with the different kiosk mode configurations and have the one you want to use in mind, you can use one of the following methods to set up Microsoft Edge kiosk mode:
+
+- **Windows Settings.** Use only to set up a couple of single-app devices because you perform these steps physically on each device. For a multi-app kiosk device, use Microsoft Intune or other MDM service.
+
+- **Microsoft Intune or other MDM service.** Use to set up several single-app or multi-app kiosk devices. Microsoft Intune and other MDM service providers offer more options for customizing the Microsoft Edge kiosk mode experience using any of the [Supported policies for kiosk mode](#supported-policies-for-kiosk-mode).
+
+
+### Prerequisites
+
+- Microsoft Edge on Windows 10, version 1809 (Professional, Enterprise, and Education).
+
+- URL to load when the kiosk launches. The URL that you provide sets the Home button, Start page, and New Tab page.
+
+- _**For Microsoft Intune or other MDM service**_, you must have the AppUserModelID (AUMID) to set up Microsoft Edge:
+
+ ```
+ Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge
+ ```
+
+
+### Use Windows Settings
+
+Windows Settings is the simplest and the only way to set up one or a couple of single-app devices.
+
+
+1. On the kiosk device, open Windows Settings, and in the search field type **kiosk** and then select **Set up a kiosk (assigned access)**.
+
+2. On the **Set up a kiosk** page, click **Get started**.
+
+3. Type a name to create a new kiosk account, or choose an existing account from the populated list and click **Next**.
+
+4. On the **Choose a kiosk app** page, select **Microsoft Edge** and then click **Next**.
+
+5. Select how Microsoft Edge displays when running in kiosk mode:
+
+ - **As a digital sign or interactive display** - Displays a specific site in full-screen mode, running Microsoft Edge InPrivate protecting user data.
+
+ - **As a public browser** - Runs a limited multi-tab version of Microsoft Edge, protecting user data.
+
+6. Select **Next**.
+
+7. Type the URL to load when the kiosk launches.
+
+8. Accept the default value of **5 minutes** for the idle time or provide a value of your own.
+
+9. Click **Next**.
+
+10. Close the **Settings** window to save and apply your choices.
+
+11. Restart the kiosk device and sign in with the local kiosk account to validate the configuration.
+
+**_Congratulations!_** You’ve just finished setting up a single-app kiosk device using Windows Settings.
+
+**_What's next?_**
+
+- User your new kiosk device.
+ OR
+- Make changes to your kiosk device. In Windows Settings, on the **Set up a kiosk** page, make your changes to **Choose a kiosk mode** and **Set up Microsoft Edge**.
+
+---
+
+
+### Use Microsoft Intune or other MDM service
+
+With this method, you can use Microsoft Intune or other MDM services to configure Microsoft Edge kiosk mode in assigned access and how it behaves on a kiosk device. To learn about a few app fundamentals and requirements before adding them to Intune, see [Add apps to Microsoft Intune](https://docs.microsoft.com/intune/apps-add).
+
+>[!IMPORTANT]
+>If you are using a local account as a kiosk account in Microsoft Intune, make sure to sign into this account and then sign out before configuring the kiosk device.
+
+1. In Microsoft Intune or other MDM service, configure [AssignedAccess](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp) to prevent users from accessing the file system, running executables, or other apps.
+
+2. Configure the following MDM settings to setup Microsoft Edge kiosk mode on the kiosk device and then restart the device.
+
+ | | |
+ |---|---|
+ | **[ConfigureKioskMode](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurekioskmode)**  | Configure the display mode for Microsoft Edge as a kiosk app. **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureKioskMode **Data type:** Integer **Allowed values:**  | Change the time in minutes from the last user activity before Microsoft Edge kiosk mode resets the user's session. **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureKioskResetAfterIdleTimeout **Data type:** Integer **Allowed values:**  | Set one or more start pages, URLs, to load when Microsoft Edge launches. **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/HomePages **Data type:** String **Allowed values:** Enter one or more URLs, for example,  | Configure how the Home Button behaves. **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureHomeButton **Data type:** Integer **Allowed values:**  | If you set ConfigureHomeButton to 2, configure the home button URL. **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SetHomeButtonURL **Data type:** String **Allowed values:** Enter a URL, for example, https://www.bing.com |
+ | **[SetNewTabPageURL](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-setnewtabpageurl)**  | Set a custom URL for the New Tab page. **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SetNewTabPageURL **Data type:** String **Allowed values:** Enter a URL, for example, https://www.msn.com |
+
+
+**_Congratulations!_** You’ve just finished setting up a kiosk or digital signage with policies for Microsoft Edge kiosk mode using Microsoft Intune or other MDM service.
+
+**_What's next?_** Now it's time to use your new kiosk device. Sign into the device with the kiosk account selected to run Microsoft Edge kiosk mode.
+
+---
+
+
+## Supported policies for kiosk mode
+
+Use any of the Microsoft Edge policies listed below to enhance the kiosk experience depending on the Microsoft Edge kiosk mode type you configure. To learn more about these policies, see [Policy CSP - Browser](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser).
+
+Make sure to check with your provider for instructions.
+
+| **MDM Setting** | **Digital /
+*1) For multi-app assigned access, you must configure Internet Explorer 11.*
+  = Not applicable or not supported *\*For Microsoft Edge kiosk mode use* Windows Defender Firewall. Microsoft kiosk browser has custom policy support. |  |
+| Configure Home Button |  |  |
+| Set Start page(s) URL |  |  *Same as Home button URL* |
+| Set New Tab page URL |  |  |
+| Favorites management |  |  |
+| End session button |  |  *In Microsoft Intune, you must create a custom URI to enable. Dedicated UI configuration introduced in version 1808.* |
+| Reset on inactivity |  |  |
+| Internet Explorer integration (Enterprise Mode site list) |  *Multi-app mode only* |  |
+| Available in Microsoft Store |  |  |
+| SKU availability | Windows 10 October 2018 Update
+To prevent access to unwanted websites on your kiosk device, use Windows Defender Firewall to configure a list of allowed websites, blocked websites or both. For more details, see [Windows Defender Firewall with Advanced Security Deployment](https://docs.microsoft.com/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide).
+
+---
+
+## Provide feedback or get support
+
+To provide feedback on Microsoft Edge kiosk mode in Feedback Hub, select **Microsoft Edge** as the **Category**, and **All other issues** as the subcategory.
+
+**_For multi-app kiosk only._** If you have set up the Feedback Hub in assigned access, you can you submit the feedback from the device running Microsoft Edge in kiosk mode in which you can include diagnostic logs. In the Feedback Hub, select **Microsoft Edge** as the **Category**, and **All other issues** as the subcategory.
+
+
+
diff --git a/browsers/edge/troubleshooting-microsoft-edge.md b/browsers/edge/troubleshooting-microsoft-edge.md
index ba351d8b48..5cd394e473 100644
--- a/browsers/edge/troubleshooting-microsoft-edge.md
+++ b/browsers/edge/troubleshooting-microsoft-edge.md
@@ -34,4 +34,4 @@ If you want to deliver applications to users via Citrix through Microsoft Edge,
## Missing SettingSync.admx and SettingSync.adml files
-Make sure to [download](https://www.microsoft.com/en-us/download/windows.aspx) the latest templates to C:\windows\policydefinitions\.
+Make sure to [download](https://www.microsoft.com/download/windows.aspx) the latest templates to C:\windows\policydefinitions\.
diff --git a/browsers/enterprise-mode/collect-data-using-enterprise-site-discovery.md b/browsers/enterprise-mode/collect-data-using-enterprise-site-discovery.md
index c90d6b1c59..15560fccc7 100644
--- a/browsers/enterprise-mode/collect-data-using-enterprise-site-discovery.md
+++ b/browsers/enterprise-mode/collect-data-using-enterprise-site-discovery.md
@@ -171,13 +171,13 @@ You can determine which zones or domains are used for data collection, using Pow
**To set up data collection using a domain allow list**
- - Start PowerShell in elevated mode (using admin privileges) and run IETelemetrySetUp.ps1, using this command: `.\IETelemetrySetUp.ps1 [other args] -SiteAllowList sharepoint.com,outlook.com,onedrive.com`.
+- Start PowerShell in elevated mode (using admin privileges) and run IETelemetrySetUp.ps1, using this command: `.\IETelemetrySetUp.ps1 [other args] -SiteAllowList sharepoint.com,outlook.com,onedrive.com`.
>**Important** 250 bytes (per site visit) X 20 sites/day X 30 days = (approximately) 150KB X 1000 users = (approximately) 150MB
-
->**Important**
--OR-
-- Collect your hardware inventory using the MOF Editor with a .MOF import file.
--OR-
-- Collect your hardware inventory using the SMS\DEF.MOF file (System Center Configuration Manager 2007 only)
-
-### WMI only: Running the PowerShell script to compile the .MOF file and to update security privileges
-You need to set up your computers for data collection by running the provided PowerShell script (IETelemetrySetUp.ps1) to compile the .mof file and to update security privileges for the new WMI classes.
-
->**Important** 0 – Restricted Sites zone **Example 1:** Include only the Local Intranet zone Binary representation: *00010*, based on: 0 – Restricted Sites zone **Example 2:** Include only the Restricted Sites, Trusted Sites, and Local Intranet zones Binary representation: *10110*, based on: 1 – Restricted Sites zone microsoft.sharepoint.com
--OR-
-- Collect your hardware inventory using the MOF Editor with a .MOF import file.
--OR-
-- Collect your hardware inventory using the SMS\DEF.MOF file (System Center Configuration Manager 2007 only)
-
-### Collect your hardware inventory using the MOF Editor while connected to a client device
-You can collect your hardware inventory using the MOF Editor, while you’re connected to your client devices.
-
- **To collect your inventory**
-
-1. From the Configuration Manager, click **Administration**, click **Client Settings**, double-click **Default Client Settings**, click **Hardware Inventory**, and then click **Set Classes**.
-
- 
-
-2. Click **Add**, click **Connect**, and connect to a computer that has completed the setup process and has already existing classes.
-
-3. Change the **WMI Namespace** to `root\cimv2\IETelemetry`, and click **Connect**.
-
- 
-
-4. Select the check boxes next to the following classes, and then click **OK**:
-
- - IESystemInfo
-
- - IEURLInfo
-
- - IECountInfo
-
-5. Click **OK** to close the default windows. 250 bytes (per site visit) X 20 sites/day X 30 days = (approximately) 150KB X 1000 users = (approximately) 150MB
+
+>**Important**
+-OR-
+- Collect your hardware inventory using the MOF Editor with a .MOF import file.
+-OR-
+- Collect your hardware inventory using the SMS\DEF.MOF file (System Center Configuration Manager 2007 only)
+
+### WMI only: Running the PowerShell script to compile the .MOF file and to update security privileges
+You need to set up your computers for data collection by running the provided PowerShell script (IETelemetrySetUp.ps1) to compile the .mof file and to update security privileges for the new WMI classes.
+
+>**Important** 0 – Restricted Sites zone **Example 1:** Include only the Local Intranet zone Binary representation: *00010*, based on: 0 – Restricted Sites zone **Example 2:** Include only the Restricted Sites, Trusted Sites, and Local Intranet zones Binary representation: *10110*, based on: 1 – Restricted Sites zone microsoft.sharepoint.com
+-OR-
+- Collect your hardware inventory using the MOF Editor with a .MOF import file.
+-OR-
+- Collect your hardware inventory using the SMS\DEF.MOF file (System Center Configuration Manager 2007 only)
+
+### Collect your hardware inventory using the MOF Editor while connected to a client device
+You can collect your hardware inventory using the MOF Editor, while you’re connected to your client devices.
+
+ **To collect your inventory**
+
+1. From the Configuration Manager, click **Administration**, click **Client Settings**, double-click **Default Client Settings**, click **Hardware Inventory**, and then click **Set Classes**.
+
+ 
+
+2. Click **Add**, click **Connect**, and connect to a computer that has completed the setup process and has already existing classes.
+
+3. Change the **WMI Namespace** to `root\cimv2\IETelemetry`, and click **Connect**.
+
+ 
+
+4. Select the check boxes next to the following classes, and then click **OK**:
+
+ - IESystemInfo
+
+ - IEURLInfo
+
+ - IECountInfo
+
+5. Click **OK** to close the default windows. Example
- Example
- For IPv4 ranges:
--or-
- For IPv6 ranges:
-You can also use the self-closing version, <url="contoso.com" />, which also sets:
- Example
- For IPv4 ranges:
--or-
- For IPv6 ranges:
-Where:
-
- Important
-
- Example
-
-Where:
-
-
- Example
- Example
-
-Replace:
- Example
+ Example
+ For IPv4 ranges:
+-or-
+ For IPv6 ranges:
+You can also use the self-closing version, <url="contoso.com" />, which also sets:
+ Example
+ For IPv4 ranges:
+-or-
+ For IPv6 ranges:
+Where:
+
+ Important
+
+ Example
+
+Where:
+
+
+ Example
+ Example
+
+Replace:
+
-You can also click **Select All** to add, or **Clear All** to remove, all of the features.
-
-2. Click **Next** to go to the [Automatic Version Synchronization](auto-version-sync-ieak11-wizard.md) page or **Back** to go to the [Package Type Selection](pkg-type-selection-ieak11-wizard.md) page.
-
-
-
-
-
-
-
-
-
+---
+ms.localizationpriority: medium
+ms.mktglfcycl: deploy
+description: How to use the Feature Selection page in the IEAK 11 Customization Wizard to choose which parts of the setup processes and Internet Explorer 11 to change for your company.
+author: lomayor
+ms.prod: ie11
+ms.assetid: 9cb8324e-d73b-41ba-ade9-3acc796e21d8
+ms.reviewer:
+audience: itpro
+manager: dansimp
+ms.author: lomayor
+title: Use the Feature Selection page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros)
+ms.sitesec: library
+---
+
+
+# Use the Feature Selection page in the IEAK 11 Wizard
+The **Feature Selection** page of the Internet Explorer Customization Wizard 11 lets you choose which parts of the setup processes and Internet Explorer 11 to change for your company, including:
+
+- **Setup Customizations.** Lets you add custom components, decide which components to install, provide your download site information, and modify the Setup title bar and graphics.
+
+- **Internal Install.** Lets you decide to install the latest updates, run the malicious Software Removal Tool, and set IE11 as the default browser.
+
+- **Connection Manager.** Lets you import your Connection Manager Profiles, created by the Connection Manager Administration Kit (CMAK).
+
+- **Browser User Interface.** Lets you change the toolbar buttons, the title bar, and the general look of the browser.
+
+- **Search Providers.** Lets you add, remove, and pick a new default search provider for IE11.
+
+- **Important URLs – Home Page and Support.** Lets you choose multiple **Home** pages that open in different tabs in IE. You can also use this page to change the **Welcome** and **Online Support** pages.
+
+- **Accelerators.** Lets you import, add, edit, or remove Accelerators, the contextual services that give you quick access to external services from any webpage.
+
+- **Favorites, Favorites Bar, and Feeds.** Lets you pick which favorites, web slices, and feeds are installed with your custom installation package.
+
+- **Browsing Options.** Lets you pick how you delete items in the Favorites, Favorites Bar, and Feeds folders, and whether to add the Microsoft default items.
+
+- **Compatibility View.** Lets you decide whether IE renders content using compatibility mode or standards mode.
+
+- **Connections Customization.** Lets you set up and deploy custom connections.
+
+- **Security Zones and Content Ratings.** Lets you control what your employees can view and what’s downloaded to their computer.
+
+- **Programs.** Lets you pick the default program that’s used automatically by email, HTML, newsgroups, Internet calls, calendars, and contact lists.
+
+- **Additional Settings.** Lets you pre-set and lockdown specific functionality on your employee’s computer.
+
+**Note**
+You can also click **Select All** to add, or **Clear All** to remove, all of the features.
+
+2. Click **Next** to go to the [Automatic Version Synchronization](auto-version-sync-ieak11-wizard.md) page or **Back** to go to the [Package Type Selection](pkg-type-selection-ieak11-wizard.md) page.
+
+
+
+
+
+
+
+
+
diff --git a/browsers/internet-explorer/ie11-ieak/index.md b/browsers/internet-explorer/ie11-ieak/index.md
index ea51efa9dc..6dc2619b8b 100644
--- a/browsers/internet-explorer/ie11-ieak/index.md
+++ b/browsers/internet-explorer/ie11-ieak/index.md
@@ -1,13 +1,14 @@
---
ms.mktglfcycl: plan
description: IEAK 11 - Internet Explorer Administration Kit 11 Users Guide
-author: shortpatti
+author: lomayor
+ms.author: lomayor
ms.prod: ie11
ms.assetid: 847bd7b4-d5dd-4e10-87b5-4d7d3a99bbac
title: Internet Explorer Administration Kit 11 (IEAK 11) - Administrator's Guide (Internet Explorer Administration Kit 11 for IT Pros)
ms.sitesec: library
ms.localizationpriority: medium
-ms.date: 07/27/2017
+manager: dansimp
---
diff --git a/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md b/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md
index 6cc535e14f..7a6e3d009f 100644
--- a/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md
@@ -1,106 +1,107 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: plan
-description: Learn about the version of the IEAK 11 you should run, based on your license agreement.
-author: lomayor
-ms.author: lomayor
-ms.prod: ie11, ieak11
-ms.assetid: 69d25451-08af-4db0-9daa-44ab272acc15
-ms.reviewer:
-audience: itpro
manager: dansimp
-title: Determine the licensing version and features to use in IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros)
-ms.sitesec: library
-ms.date: 10/23/2018
----
-
-
-# Determine the licensing version and features to use in IEAK 11
-In addition to the Software License Terms for the Internet Explorer Administration Kit 11 (IEAK 11, referred to as the "software"), these Guidelines further define how you may and may not use the software to create versions of Internet Explorer 11 with optional customizations (referred to as the "customized browser") for internal use and distribution in accordance with the IEAK 11 Software License Terms. IEAK 11 is for testing purposes only and is not intended to be used in a production environment.
-
-During installation, you must pick a version of IEAK 11, either **External** or **Internal**, based on your license agreement. Your version selection decides the options you can chose, the steps you follow to deploy your Internet Explorer 11 package, and how you manage the browser after deployment.
-
-- **External Distribution as an Internet Service Provider (ISP), Internet Content Provider (ICP), or Developer.** If you are an ISP or an ICP, your license agreement also states that you must show the Internet Explorer logo on your packaging and promotional goods, as well as on your website.
- >[!IMPORTANT]
- >Original Equipment Manufacturers (OEMs) that install IEAK 11 as part of a Windows product, under an OEM license agreement with Microsoft, must use their appropriate Windows OEM Preinstallation document (OPD) as the guide for allowable customizations.
-
-- **Internal Distribution via a Corporate Intranet.** This version is for network admins that plan to directly deploy IE11 into a corporate environment.
-
-## Available features by version
-
-| Feature | Internal | External |
-|-------------------------------------------|:--------------------------------------------------------------------------------:|:------------------------------------------------------------------------------------:|
-| Welcome screen |  |  |
-| File locations |  |  |
-| Platform selection |  |  |
-| Language selection |  |  |
-| Package type selection |  |  |
-| Feature selection |  |  |
-| Automatic Version Synchronization (AVS) |  |  |
-| Custom components |  |  |
-| Internal install |  |  |
-| User experience |  |  |
-| Browser user interface |  |  |
-| Search providers |  |  |
-| Important URLs – Home page and support |  |  |
-| Accelerators |  |  |
-| Favorites, Favorites bar, and feeds |  |  |
-| Browsing options |  |  |
-| First Run wizard and Welcome page options |  |  |
-| Connection manager |  |  |
-| Connection settings |  |  |
-| Automatic configuration |  |  |
-| Proxy settings |  |  |
-| Security and privacy settings |  |  |
-| Add a root certificate |  |  |
-| Programs |  |  |
-| Additional settings |  |  |
-| Wizard complete |  |  |
-
----
-
-
-## Customization guidelines
-
-Two installation modes are available to you, depending on how you are planning to use the customized browser created with the software. Each mode requires a separate installation of the software.
-
-- **External Distribution**
- This mode is available to anyone who wants to create a customized browser for distribution outside their company (for example, websites, magazines, retailers, non-profit organizations, independent hardware vendors, independent software vendors, Internet service providers, Internet content providers, software developers, and marketers).
-
-- **Internal Distribution**
- This mode is available to companies for the creation and distribution of a customized browser only to their employees over a corporate intranet.
-
-The table below identifies which customizations you may or may not perform based on the mode you selected.
-
-| **Feature Name** | **External Distribution** | **Internal Distribution** |
-|---------------------------------|:--------------------:|:-------------------:|
-| **Custom Components** | Yes | Yes |
-| **Title Bar** | Yes | Yes |
-| **Favorites** | One folder, containing any number of links. | Any number of folders/links. |
-| **Search Provider URLs** | Yes | Yes |
-| **Search Guide URL** | No | Yes |
-| **Online Support URL** | Yes | Yes |
-| **Web Slice** | Suggested maximum five Web Slices. | Any number of Web Slices. |
-| **Accelerator** | Search provider Accelerator must be the same as the search provider set for the Search Toolbox. We recommend that Any number of Accelerators/Accelerator Categories. Feature Name External Internal Accelerator category not exceed seven total categories, and each Accelerator category must be unique. We recommend each Accelerator category not have more than two Accelerators. The Accelerator display name should follow the syntax of verb + noun, such as "Map with Bing." | Any number of Accelerators/Accelerator Categories. |
-| **Homepage URLs** | Can add a maximum of three. | Unlimited. |
-| **First Run Wizard and Welcome Page Options** | Cannot remove Internet Explorer 11 First Run wizard. Can customize **Welcome** page. | Customizable. |
-| **RSS Feeds** | One folder, containing any number of links. | Any number of folders/links. |
-| **Browsing Options** | No | Yes |
-| **Security and Privacy Settings** | No | Can add any number of sites. |
-| **Corporate Options** (Latest Updates, Default Browser, Uninstall Info, Additional Settings) | No | Yes |
-| **User Experience** (Setup/Restart) | No | Yes |
-| **User Agent String** | Yes | Yes |
-| **Compatibility View** | Yes | Yes |
-| **Connection Settings and Manage** | Yes | Yes |
-
-
-Support for some of the Internet Explorer settings on the wizard pages varies depending on your target operating system. For more information, see [Internet Explorer Customization Wizard 11 options](https://docs.microsoft.com/internet-explorer/ie11-ieak/ieak11-wizard-custom-options).
-
-## Distribution guidelines
-
-Two installation modes are available to you, depending on how you are planning to use the customized browser created with the software. Each mode requires a separate installation of the software.
-
-- **External Distribution**
- You shall use commercially reasonable efforts to maintain the quality of (i) any non-Microsoft software distributed with Internet Explorer 11, and (ii) any media used for distribution (for example, optical media, flash drives), at a level that meets or exceeds the highest industry standards. If you distribute add-ons with Internet Explorer 11, those add-ons must comply with the [Microsoft browser extension policy](https://docs.microsoft.com/legal/windows/agreements/microsoft-browser-extension-policy).
-
-- **Internal Distribution - corporate intranet**
- The software is solely for use by your employees within your company's organization and affiliated companies through your corporate intranet. Neither you nor any of your employees may permit redistribution of the software to or for use by third parties other than for third parties such as consultants, contractors, and temporary staff accessing your corporate intranet.
+---
+ms.localizationpriority: medium
+ms.mktglfcycl: plan
+description: Learn about the version of the IEAK 11 you should run, based on your license agreement.
+author: lomayor
+ms.author: lomayor
+ms.prod: ie11
+ms.assetid: 69d25451-08af-4db0-9daa-44ab272acc15
+ms.reviewer:
+audience: itpro
+manager: dansimp
+title: Determine the licensing version and features to use in IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros)
+ms.sitesec: library
+ms.date: 10/23/2018
+---
+
+
+# Determine the licensing version and features to use in IEAK 11
+In addition to the Software License Terms for the Internet Explorer Administration Kit 11 (IEAK 11, referred to as the "software"), these Guidelines further define how you may and may not use the software to create versions of Internet Explorer 11 with optional customizations (referred to as the "customized browser") for internal use and distribution in accordance with the IEAK 11 Software License Terms. IEAK 11 is for testing purposes only and is not intended to be used in a production environment.
+
+During installation, you must pick a version of IEAK 11, either **External** or **Internal**, based on your license agreement. Your version selection decides the options you can chose, the steps you follow to deploy your Internet Explorer 11 package, and how you manage the browser after deployment.
+
+- **External Distribution as an Internet Service Provider (ISP), Internet Content Provider (ICP), or Developer.** If you are an ISP or an ICP, your license agreement also states that you must show the Internet Explorer logo on your packaging and promotional goods, as well as on your website.
+ >[!IMPORTANT]
+ >Original Equipment Manufacturers (OEMs) that install IEAK 11 as part of a Windows product, under an OEM license agreement with Microsoft, must use their appropriate Windows OEM Preinstallation document (OPD) as the guide for allowable customizations.
+
+- **Internal Distribution via a Corporate Intranet.** This version is for network admins that plan to directly deploy IE11 into a corporate environment.
+
+## Available features by version
+
+| Feature | Internal | External |
+|-------------------------------------------|:--------------------------------------------------------------------------------:|:------------------------------------------------------------------------------------:|
+| Welcome screen |  |  |
+| File locations |  |  |
+| Platform selection |  |  |
+| Language selection |  |  |
+| Package type selection |  |  |
+| Feature selection |  |  |
+| Automatic Version Synchronization (AVS) |  |  |
+| Custom components |  |  |
+| Internal install |  |  |
+| User experience |  |  |
+| Browser user interface |  |  |
+| Search providers |  |  |
+| Important URLs – Home page and support |  |  |
+| Accelerators |  |  |
+| Favorites, Favorites bar, and feeds |  |  |
+| Browsing options |  |  |
+| First Run wizard and Welcome page options |  |  |
+| Connection manager |  |  |
+| Connection settings |  |  |
+| Automatic configuration |  |  |
+| Proxy settings |  |  |
+| Security and privacy settings |  |  |
+| Add a root certificate |  |  |
+| Programs |  |  |
+| Additional settings |  |  |
+| Wizard complete |  |  |
+
+---
+
+
+## Customization guidelines
+
+Two installation modes are available to you, depending on how you are planning to use the customized browser created with the software. Each mode requires a separate installation of the software.
+
+- **External Distribution**
+ This mode is available to anyone who wants to create a customized browser for distribution outside their company (for example, websites, magazines, retailers, non-profit organizations, independent hardware vendors, independent software vendors, Internet service providers, Internet content providers, software developers, and marketers).
+
+- **Internal Distribution**
+ This mode is available to companies for the creation and distribution of a customized browser only to their employees over a corporate intranet.
+
+The table below identifies which customizations you may or may not perform based on the mode you selected.
+
+| **Feature Name** | **External Distribution** | **Internal Distribution** |
+|---------------------------------|:--------------------:|:-------------------:|
+| **Custom Components** | Yes | Yes |
+| **Title Bar** | Yes | Yes |
+| **Favorites** | One folder, containing any number of links. | Any number of folders/links. |
+| **Search Provider URLs** | Yes | Yes |
+| **Search Guide URL** | No | Yes |
+| **Online Support URL** | Yes | Yes |
+| **Web Slice** | Suggested maximum five Web Slices. | Any number of Web Slices. |
+| **Accelerator** | Search provider Accelerator must be the same as the search provider set for the Search Toolbox. We recommend that Any number of Accelerators/Accelerator Categories. Feature Name External Internal Accelerator category not exceed seven total categories, and each Accelerator category must be unique. We recommend each Accelerator category not have more than two Accelerators. The Accelerator display name should follow the syntax of verb + noun, such as "Map with Bing." | Any number of Accelerators/Accelerator Categories. |
+| **Homepage URLs** | Can add a maximum of three. | Unlimited. |
+| **First Run Wizard and Welcome Page Options** | Cannot remove Internet Explorer 11 First Run wizard. Can customize **Welcome** page. | Customizable. |
+| **RSS Feeds** | One folder, containing any number of links. | Any number of folders/links. |
+| **Browsing Options** | No | Yes |
+| **Security and Privacy Settings** | No | Can add any number of sites. |
+| **Corporate Options** (Latest Updates, Default Browser, Uninstall Info, Additional Settings) | No | Yes |
+| **User Experience** (Setup/Restart) | No | Yes |
+| **User Agent String** | Yes | Yes |
+| **Compatibility View** | Yes | Yes |
+| **Connection Settings and Manage** | Yes | Yes |
+
+
+Support for some of the Internet Explorer settings on the wizard pages varies depending on your target operating system. For more information, see [Internet Explorer Customization Wizard 11 options](https://docs.microsoft.com/internet-explorer/ie11-ieak/ieak11-wizard-custom-options).
+
+## Distribution guidelines
+
+Two installation modes are available to you, depending on how you are planning to use the customized browser created with the software. Each mode requires a separate installation of the software.
+
+- **External Distribution**
+ You shall use commercially reasonable efforts to maintain the quality of (i) any non-Microsoft software distributed with Internet Explorer 11, and (ii) any media used for distribution (for example, optical media, flash drives), at a level that meets or exceeds the highest industry standards. If you distribute add-ons with Internet Explorer 11, those add-ons must comply with the [Microsoft browser extension policy](https://docs.microsoft.com/legal/windows/agreements/microsoft-browser-extension-policy).
+
+- **Internal Distribution - corporate intranet**
+ The software is solely for use by your employees within your company's organization and affiliated companies through your corporate intranet. Neither you nor any of your employees may permit redistribution of the software to or for use by third parties other than for third parties such as consultants, contractors, and temporary staff accessing your corporate intranet.
diff --git a/browsers/internet-explorer/ie11-ieak/platform-selection-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/platform-selection-ieak11-wizard.md
index efbae636fc..a3c0045275 100644
--- a/browsers/internet-explorer/ie11-ieak/platform-selection-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/platform-selection-ieak11-wizard.md
@@ -1,35 +1,35 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-description: How to use the Platform Selection page in the IEAK 11 Customization Wizard to pick the specs for your employee devices that will get the install package.
-author: lomayor
-ms.prod: ie11
-ms.assetid: 9cbf5abd-86f7-42b6-9810-0b606bbe8218
-ms.reviewer:
-audience: itpro
manager: dansimp
-ms.author: lomayor
-title: Use the Platform Selection page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Use the Platform Selection page in the IEAK 11 Wizard
-The **Platform Selection** page of the Internet Explorer Customization Wizard 11 lets you pick the operating system and architecture (32-bit or 64-bit) for the devices on which you’re going to install the custom installation package.
-
-**To use the Platform Selection page**
-
-1. Pick the operating system and architecture for the devices on which you’re going to install the custom package.
-You must create individual packages for each supported operating system.
-**Note**
+You must create individual packages for each supported operating system.
+**Note** -OR-
-
- - **Import the current Program Settings.** Pick this option to import the program associations from your device and use them as the preset for your employee’s program settings. **Note** -OR-
+
+ - **Import the current Program Settings.** Pick this option to import the program associations from your device and use them as the preset for your employee’s program settings. **Note** Now, with the introduction of HoloLens 2, every device provides commercial ready management enhanced by the reliability, security, and scalability of cloud and AI services from Microsoft. To learn more about HoloLens 2 for developers, check out the mixed reality developer documentation. Surface Hub 2S deployment checklist Deploy with provisioning package Surface Hub 2S adoption and training Dive right into the step-by-step process for the easiest deployment path to M365 EDU. We walk you through setting up cloud infrastructure, configuring and managing devices, and migrating on-premise servers for Sharepoint and Exchange to the cloud. Learn the easiest path to deploy Microsoft 365 Education through our step-by-step process. We walk you through cloud deployment, device management,apps set up and configuration, and how to find deployment assistance. Windows 10 editions for education customers Compare each Windows edition Get Windows 10 Education or Windows 10 Pro Education Compare each Windows edition Get Windows 10 Education or Windows 10 Pro Education Windows Server Features .NET Framework 4.5 features: .NET Framework 4.5 .NET Framework 4.5 or 4.6 Windows Server 2016 - .NET Framework 4.6 is already installed for these versions of Windows Server, but you must enable it. Windows Server 2012 or Windows Server 2012 R2 - .NET Framework 4.5 is already installed for these versions of Windows Server, but you must enable it. Windows Server 2008 R2 - .NET Framework 4.5 is not included with Windows Server 2008 R2, so you must download Microsoft .NET Framework 4.5 and install it separately. WCF Activation HTTP Activation Non-HTTP Activation Non-HTTP Activation (Only for Windows Server 2008, 2012, and 2012 R2) TCP Activation Microsoft SQL Server 2016 Standard, Enterprise, or Datacenter SP1 64-bit 64-bit Microsoft SQL Server 2014 Standard, Enterprise, or Datacenter Policy Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy. Policy nodes are a Base64-encoded blob of the binary policy representation. The binary policy may be signed or unsigned. For CodeIntegrity/Policy, you can use the certutil -encode command line tool to encode the data to base-64. Here is a sample certutil invocation: An alternative to using certutil would be to use the following PowerShell invocation: If you are using hybrid MDM management with System Center Configuration Manager or using Intune, ensure that you are using Base64 as the Data type when using Custom OMA-URI functionality to apply the Code Integrity policy. Data type is string. Supported operations are Get, Add, Delete, and Replace. For nodes, other than CodeIntegrity, policy leaf data type is string. Supported operations are Get, Add, Delete, and Replace. For CodeIntegrity/Policy, data type is Base64. Supported operations are Get, Add, Delete, and Replace.
EnforcementMode Defines the root node for the BitLocker configuration service provider. Allows the administrator to require storage card encryption on the device. This policy is valid only for a mobile SKU. Data type is integer. Sample value for this node to enable this policy: 1. Disabling this policy will not turn off the encryption on the storage card, but the user will no longer be prompted to turn it on. Disabling this policy will not turn off the encryption on the system card, but the user will no longer be prompted to turn it on. If you want to disable this policy use the following SyncML: Data type is integer. Supported operations are Add, Get, Replace, and Delete. Allows the administrator to require encryption to be turned on by using BitLocker\Device Encryption. Data type is integer. Sample value for this node to enable this policy: 1. Disabling this policy will not turn off the encryption on the system card, but the user will no longer be prompted to turn it on. If you want to disable this policy use the following SyncML: Data type is integer. Supported operations are Add, Get, Replace, and Delete. Allows you to set the default encrytion method for each of the different drive types: operating system drives, fixed data drives, and removable data drives. Hidden, system and recovery partitions are skipped from encryption. This setting is a direct mapping to the Bitlocker Group Policy "Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)". ADMX Info: This setting allows you to configure the algorithm and cipher strength used by BitLocker Drive Encryption. This setting is applied when you turn on BitLocker. Changing the encryption method has no effect if the drive is already encrypted, or if encryption is in progress. If you enable this setting you will be able to configure an encryption algorithm and key cipher strength for fixed data drives, operating system drives, and removable data drives individually. For fixed and operating system drives, we recommend that you use the XTS-AES algorithm. For removable drives, you should use AES-CBC 128-bit or AES-CBC 256-bit if the drive will be used in other devices that are not running Windows 10, version 1511. If you disable or do not configure this policy setting, BitLocker will use the default encryption method of XTS-AES 128-bit or the encryption method specified by any setup script. Sample value for this node to enable this policy and set the encryption methods is: EncryptionMethodWithXtsOsDropDown_Name = Select the encryption method for operating system drives EncryptionMethodWithXtsFdvDropDown_Name = Select the encryption method for fixed data drives. EncryptionMethodWithXtsRdvDropDown_Name = Select the encryption method for removable data drives. The possible values for 'xx' are: If you want to disable this policy use the following SyncML: Data type is string. Supported operations are Add, Get, Replace, and Delete. This setting is a direct mapping to the Bitlocker Group Policy "Require additional authentication at startup". ADMX Info: This setting allows you to configure whether BitLocker requires additional authentication each time the computer starts and whether you are using BitLocker with or without a Trusted Platform Module (TPM). This setting is applied when you turn on BitLocker. If you want to use BitLocker on a computer without a TPM, set the "ConfigureNonTPMStartupKeyUsage_Name" data. In this mode either a password or a USB drive is required for start-up. When using a startup key, the key information used to encrypt the drive is stored on the USB drive, creating a USB key. When the USB key is inserted the access to the drive is authenticated and the drive is accessible. If the USB key is lost or unavailable or if you have forgotten the password then you will need to use one of the BitLocker recovery options to access the drive. On a computer with a compatible TPM, four types of authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can use only the TPM for authentication, or it can also require insertion of a USB flash drive containing a startup key, the entry of a 6-digit to 20-digit personal identification number (PIN), or both. If you enable this policy setting, users can configure advanced startup options in the BitLocker setup wizard. If you disable or do not configure this setting, users can configure only basic options on computers with a TPM. Sample value for this node to enable this policy is: Data id: The possible values for 'xx' are: The possible values for 'yy' are: Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML: Data type is string. Supported operations are Add, Get, Replace, and Delete. This setting is a direct mapping to the Bitlocker Group Policy "Configure minimum PIN length for startup". ADMX Info: This setting allows you to configure a minimum length for a Trusted Platform Module (TPM) startup PIN. This setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 6 digits and can have a maximum length of 20 digits. If you enable this setting, you can require a minimum number of digits to be used when setting the startup PIN. If you disable or do not configure this setting, users can configure a startup PIN of any length between 6 and 20 digits. Sample value for this node to enable this policy is: Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML: Data type is string. Supported operations are Add, Get, Replace, and Delete. This setting is a direct mapping to the Bitlocker Group Policy "Configure pre-boot recovery message and URL" (PrebootRecoveryInfo_Name). ADMX Info: This setting lets you configure the entire recovery message or replace the existing URL that are displayed on the pre-boot key recovery screen when the OS drive is locked.
- If you set the value to "1" (Use default recovery message and URL), the default BitLocker recovery message and URL will be displayed in the pre-boot key recovery screen. If you have previously configured a custom recovery message or URL and want to revert to the default message, you must keep the policy enabled and set the value "1" (Use default recovery message and URL).
- If you set the value to "2" (Use custom recovery message), the message you set in the "RecoveryMessage_Input" data field will be displayed in the pre-boot key recovery screen. If a recovery URL is available, include it in the message. If you set the value to "3" (Use custom recovery URL), the URL you type in the "RecoveryUrl_Input" data field will replace the default URL in the default recovery message, which will be displayed in the pre-boot key recovery screen. Sample value for this node to enable this policy is: The possible values for 'xx' are: Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML: Data type is string. Supported operations are Add, Get, Replace, and Delete. This setting is a direct mapping to the Bitlocker Group Policy "Choose how BitLocker-protected operating system drives can be recovered" (OSRecoveryUsage_Name). ADMX Info: This setting allows you to control how BitLocker-protected operating system drives are recovered in the absence of the required startup key information. This setting is applied when you turn on BitLocker. The "OSAllowDRA_Name" (Allow certificate-based data recovery agent) data field is used to specify whether a data recovery agent can be used with BitLocker-protected operating system drives. Before a data recovery agent can be used it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about adding data recovery agents. In "OSRecoveryPasswordUsageDropDown_Name" and "OSRecoveryKeyUsageDropDown_Name" (Configure user storage of BitLocker recovery information) set whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key. Set "OSHideRecoveryPage_Name" (Omit recovery options from the BitLocker setup wizard) to prevent users from specifying recovery options when they turn on BitLocker on a drive. This means that you will not be able to specify which recovery option to use when you turn on BitLocker, instead BitLocker recovery options for the drive are determined by the policy setting. Set "OSActiveDirectoryBackup_Name" (Save BitLocker recovery information to Active Directory Domain Services), to choose which BitLocker recovery information to store in AD DS for operating system drives (OSActiveDirectoryBackupDropDown_Name). If you set "1" (Backup recovery password and key package), both the BitLocker recovery password and key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. If you set "2" (Backup recovery password only), only the recovery password is stored in AD DS. Set the "OSRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for operating system drives) data field if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. If you enable this setting, you can control the methods available to users to recover data from BitLocker-protected operating system drives. If this setting is disabled or not configured, the default recovery options are supported for BitLocker recovery. By default a DRA is allowed, the recovery options can be specified by the user including the recovery password and recovery key, and recovery information is not backed up to AD DS. Sample value for this node to enable this policy is: The possible values for 'xx' are: The possible values for 'yy' are: The possible values for 'zz' are: Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML: Data type is string. Supported operations are Add, Get, Replace, and Delete. This setting is a direct mapping to the Bitlocker Group Policy "Choose how BitLocker-protected fixed drives can be recovered" (). ADMX Info: This setting allows you to control how BitLocker-protected fixed data drives are recovered in the absence of the required credentials. This setting is applied when you turn on BitLocker. The "FDVAllowDRA_Name" (Allow data recovery agent) data field is used to specify whether a data recovery agent can be used with BitLocker-protected fixed data drives. Before a data recovery agent can be used it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about adding data recovery agents. In "FDVRecoveryPasswordUsageDropDown_Name" (Configure user storage of BitLocker recovery information) set whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key. Set "FDVHideRecoveryPage_Name" (Omit recovery options from the BitLocker setup wizard) to prevent users from specifying recovery options when they turn on BitLocker on a drive. This means that you will not be able to specify which recovery option to use when you turn on BitLocker, instead BitLocker recovery options for the drive are determined by the policy setting. Set "FDVActiveDirectoryBackup_Name" (Save BitLocker recovery information to Active Directory Domain Services) to enable saving the recovery key to AD. Set the "FDVRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives) data field if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. Set the "FDVActiveDirectoryBackupDropDown_Name" (Configure storage of BitLocker recovery information to AD DS) to choose which BitLocker recovery information to store in AD DS for fixed data drives. If you select "1" (Backup recovery password and key package), both the BitLocker recovery password and key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. If you select "2" (Backup recovery password only) only the recovery password is stored in AD DS. If you enable this setting, you can control the methods available to users to recover data from BitLocker-protected fixed data drives. If this setting is not configured or disabled, the default recovery options are supported for BitLocker recovery. By default a DRA is allowed, the recovery options can be specified by the user including the recovery password and recovery key, and recovery information is not backed up to AD DS. Sample value for this node to enable this policy is: The possible values for 'xx' are: The possible values for 'yy' are: The possible values for 'zz' are: Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML: Data type is string. Supported operations are Add, Get, Replace, and Delete. This setting is a direct mapping to the Bitlocker Group Policy "Deny write access to fixed drives not protected by BitLocker" (FDVDenyWriteAccess_Name). ADMX Info: This setting determines whether BitLocker protection is required for fixed data drives to be writable on a computer. If you enable this setting, all fixed data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access. Sample value for this node to enable this policy is: If you disable or do not configure this setting, all fixed data drives on the computer will be mounted with read and write access. If you want to disable this policy use the following SyncML: Data type is string. Supported operations are Add, Get, Replace, and Delete. This setting is a direct mapping to the Bitlocker Group Policy "Deny write access to removable drives not protected by BitLocker" (RDVDenyWriteAccess_Name). ADMX Info: This setting configures whether BitLocker protection is required for a computer to be able to write data to a removable data drive. If you enable this setting, all removable data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access. If the "RDVCrossOrg" (Deny write access to devices configured in another organization) option is set, only drives with identification fields matching the computer's identification fields will be given write access. When a removable data drive is accessed it will be checked for valid identification field and allowed identification fields. These fields are defined by the "Provide the unique identifiers for your organization" group policy setting. If you disable or do not configure this policy setting, all removable data drives on the computer will be mounted with read and write access. Sample value for this node to enable this policy is: The possible values for 'xx' are: Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML: Allows the admin to disable the warning prompt for other disk encryption on the user machines that are targeted when the RequireDeviceEncryption policy is also set to 1. The following list shows the supported values: EVENT_TRACE_FILE_MODE_SEQUENTIAL (0x00000001) Writes events to a log file sequentially; stops when the file reaches its maximum size. EVENT_TRACE_FILE_MODE_CIRCULAR (0x00000002) Writes events to a log file. After the file reaches the maximum size, the oldest events are replaced with incoming events. 1 – TRACE_LEVEL_CRITICAL Abnormal exit or termination events 2 – TRACE_LEVEL_ERROR Severe error events 3 – TRACE_LEVEL_WARNING Warning events such as allocation failures 4 – TRACE_LEVEL_INFORMATION Non-error events, such as entry or exit events 5 – TRACE_LEVEL_VERBOSE Detailed information TRUE Provider is enabled in the trace session. FALSE Provider is disables in the trace session. TRUE Channel is enabled. FALSE Channel is disabled. Valid values are:
- - 0 (default) - Both TCP and UDP
- - 1 - TCP
- - 2 - UDP
+- 0 (default) - Both TCP and UDP
+- 1 - TCP
+- 2 - UDP
The data type is int.
diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
index f12fe88286..0e6b603e24 100644
--- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
+++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
@@ -144,6 +144,13 @@ For details about Microsoft mobile device management protocols for Windows 10 s
Added new CSP in Windows 10, version 1903. Added version 1.4 of the CSP in Windows 10, version 1903. Added the new 1.4 version of the DDF. Added the following new nodes: Added new CSP in Windows 10, version 1903. Here's a SyncML example.
-``` syntax
- To use a device account from Active Directory
diff --git a/windows/client-management/mdm/tpmpolicy-csp.md b/windows/client-management/mdm/tpmpolicy-csp.md
index e546efa7f6..36f46f9df1 100644
--- a/windows/client-management/mdm/tpmpolicy-csp.md
+++ b/windows/client-management/mdm/tpmpolicy-csp.md
@@ -37,20 +37,20 @@ The following diagram shows the TPMPolicy configuration service provider in tree
Here is an example:
-``` syntax
- WinPE 5.0 or greater, with the MSXML library Windows Vista, Windows 7, Windows 8, Windows 10 Windows 7, Windows 8, Windows 10 Windows.old directory ScanState.exe /offline:<path to offline.xml> This command-line option enables the offline-migration mode and requires a path to an Offline.xml configuration file. ScanState.exe /offlineWinDir:<Windows directory> This command-line option enables the offline-migration mode and starts the migration from the location specified. It is only for use in WinPE offline scenarios where the migration is occurring from a Windows directory. ScanState.exe /OfflineWinOld:<Windows.old directory> This command-line option enables the offline migration mode and starts the migration from the location specified. It is only intended to be used in Windows.old migration scenarios, where the migration is occurring from a Windows.old directory. USMT_WORKING_DIR Full path to a working directory Required when USMT binaries are located on read-only media, which does not support the creation of log files or temporary storage. To set the system environment variable, at a command prompt type the following: MIG_OFFLINE_PLATFORM_ARCH 32 or 64 While operating offline, this environment variable defines the architecture of the offline system, if the system does not match the WinPE and Scanstate.exe architecture. This environment variable enables the 32-bit ScanState application to gather data from a computer with 64-bit architecture, or the 64-bit ScanState application to gather data from a computer with 32-bit architecture. This is required when auto-detection of the offline architecture doesn’t function properly, for example, when the source system is running a 64-bit version of Windows XP. For example, to set this system environment variable for a 32-bit architecture, at a command prompt type the following: WinPE 5.0 or greater, with the MSXML library Windows Vista, Windows 7, Windows 8, Windows 10 Windows 7, Windows 8, Windows 10 Windows.old directory ScanState.exe /offline:<path to offline.xml> This command-line option enables the offline-migration mode and requires a path to an Offline.xml configuration file. ScanState.exe /offlineWinDir:<Windows directory> This command-line option enables the offline-migration mode and starts the migration from the location specified. It is only for use in WinPE offline scenarios where the migration is occurring from a Windows directory. ScanState.exe /OfflineWinOld:<Windows.old directory> This command-line option enables the offline migration mode and starts the migration from the location specified. It is only intended to be used in Windows.old migration scenarios, where the migration is occurring from a Windows.old directory. USMT_WORKING_DIR Full path to a working directory Required when USMT binaries are located on read-only media, which does not support the creation of log files or temporary storage. To set the system environment variable, at a command prompt type the following: MIG_OFFLINE_PLATFORM_ARCH 32 or 64 While operating offline, this environment variable defines the architecture of the offline system, if the system does not match the WinPE and Scanstate.exe architecture. This environment variable enables the 32-bit ScanState application to gather data from a computer with 64-bit architecture, or the 64-bit ScanState application to gather data from a computer with 32-bit architecture. This is required when auto-detection of the offline architecture doesn’t function properly, for example, when the source system is running a 64-bit version of Windows XP. For example, to set this system environment variable for a 32-bit architecture, at a command prompt type the following: Config.xml file Operating-system components such as desktop wallpaper and background theme. You can also overload config.xml to include some application and document settings by generating the config.xml file with the other default XML files. For more information, see Customize USMT XML Files and Config.xml File. MigApps.xml file Applications settings. MigUser.xml or MigDocs.xml files User files and profile settings. Custom XML files Application settings, user profile settings, or user files, beyond the rules contained in the other XML files. ScanProgramFiles The ScanProgramFiles argument is valid only when the GenerateDocPatterns function is called in a system context. This argument determines whether or not to scan the Program Files directory to gather registered file name extensions for known applications. For example, when set to TRUE, the function discovers and migrates .doc files under the Microsoft Office directory, because .doc is a file name extension registered to a Microsoft Office application. The GenerateDocPatterns function generates this inclusion pattern for .doc files: If a child folder of an included folder contains an installed application, ScanProgramFiles will also create an exclusion rule for the child folder. All folders under the application folder will be scanned recursively for registered file name extensions. False IncludePatterns The IncludePatterns argument determines whether to generate exclude or include patterns in the XML. When this argument is set to TRUE, the GenerateDocPatterns function generates include patterns and the function must be added under the <include> element. Changing this argument to FALSE generates exclude patterns and the function must be added under the <exclude> element. True SystemDrive The SystemDrive argument determines whether to generate patterns for all fixed drives or only for the system drive. Changing this argument to TRUE restricts all patterns to the system drive. False Rule 1 Rule 2 Config.xml file Operating-system components such as desktop wallpaper and background theme. You can also overload config.xml to include some application and document settings by generating the config.xml file with the other default XML files. For more information, see Customize USMT XML Files and Config.xml File. MigApps.xml file Applications settings. MigUser.xml or MigDocs.xml files User files and profile settings. Custom XML files Application settings, user profile settings, or user files, beyond the rules contained in the other XML files. ScanProgramFiles The ScanProgramFiles argument is valid only when the GenerateDocPatterns function is called in a system context. This argument determines whether or not to scan the Program Files directory to gather registered file name extensions for known applications. For example, when set to TRUE, the function discovers and migrates .doc files under the Microsoft Office directory, because .doc is a file name extension registered to a Microsoft Office application. The GenerateDocPatterns function generates this inclusion pattern for .doc files: If a child folder of an included folder contains an installed application, ScanProgramFiles will also create an exclusion rule for the child folder. All folders under the application folder will be scanned recursively for registered file name extensions. False IncludePatterns The IncludePatterns argument determines whether to generate exclude or include patterns in the XML. When this argument is set to TRUE, the GenerateDocPatterns function generates include patterns and the function must be added under the <include> element. Changing this argument to FALSE generates exclude patterns and the function must be added under the <exclude> element. True SystemDrive The SystemDrive argument determines whether to generate patterns for all fixed drives or only for the system drive. Changing this argument to TRUE restricts all patterns to the system drive. False Rule 1 Rule 2 errorCode No "any" or "specify system error message here" <errorCode> No "any" or "specify system error message here". If system error messages are not specified, the default behavior applies the parameter to all system error messages. <errorCode> No "any" or "specify system error message here". If system error messages are not specified, the default behavior applies the parameter to all system error messages. From Yes A valid local group on the source machine that contains users selected for migration on the command line. To Yes A local group that the users are to be moved to during the migration. appliesTo Yes nonmigratedUsers, migratedUsers, AllUsers. This value defines which users the change group operation should apply to. errorCode No "any" or "specify system error message here" <errorCode> No "any" or "specify system error message here". If system error messages are not specified, the default behavior applies the parameter to all system error messages. <errorCode> No "any" or "specify system error message here". If system error messages are not specified, the default behavior applies the parameter to all system error messages. From Yes A valid local group on the source machine that contains users selected for migration on the command line. To Yes A local group that the users are to be moved to during the migration. appliesTo Yes nonmigratedUsers, migratedUsers, AllUsers. This value defines which users the change group operation should apply to. Include rule: <pattern type="File">C:\Dir1* []</pattern> Exclude rule: <pattern type="File">C:* [.txt]</pattern> Migrates all files and subfolders in Dir1 (including all .txt files in C:). The <exclude> rule does not affect the migration because the <include> rule is more specific. Include rule: <pattern type="File">C:\Dir1* []</pattern> Exclude rule: <pattern type="File">C:\Dir1\Dir2* [.txt]</pattern> Migrates all files and subfolders in C:\Dir1, except the .txt files in C:\Dir1\Dir2 and its subfolders. Both rules are processed as intended. Include rule: <pattern type="File">C:\Dir1* []</pattern> Exclude rule: <pattern type="File">C:\Dir1\ * [.txt]</pattern> Migrates all files and subfolders in C:\Dir1, except the .txt files in C:\Dir1 and its subfolders. Both rules are processed as intended. Include rule: <pattern type="File">C:\Dir1\Dir2* [.txt]</pattern> Exclude rule: <pattern type="File">C:\Dir1\Dir2* [.txt]</pattern> Nothing will be migrated. The rules are equally specific, so the <exclude> rule takes precedence over the <include> rule. Include rule: C:\Dir1* [.txt] Exclude rule: C:\Dir1\Dir2* [] Migrates the .txt files in Dir1 and the .txt files from subfolders other than Dir2. No files are migrated from Dir2 or its subfolders. Both rules are processed as intended. Include rule: C:\Dir1\Dir2* [] Exclude rule: C:\Dir1* [.txt] Migrates all files and subfolders of Dir2, except the .txt files from Dir1 and any subfolders of Dir1 (including Dir2). Both rules are processed as intended. Component 1: Include rule: <pattern type="File">C:\Dir1* []</pattern> Exclude rule: <pattern type="File">C:\Dir1\Dir2* [.txt]</pattern> Component 2: Include rule: <pattern type="File">C:\Dir1\Dir2* [.txt]</pattern> Exclude rule: <pattern type="File">C:\Dir1* []</pattern> Migrates all files and subfolders of C:\Dir1\ (including C:\Dir1\Dir2). Rules that are in different components do not affect each other, except for the <unconditionalExclude> rule. Therefore, in this example, although some .txt files were excluded when Component 1 was processed, they were included when Component 2 was processed. Component 1: Include rule: C:\Dir1\Dir2* [] Component 2: Exclude rule: C:\Dir1* [.txt] Migrates all files and subfolders from Dir2 except the .txt files in C:\Dir1 and its subfolders. Both rules are processed as intended. Component 1: Exclude rule: C:\Dir1\Dir2* [] Component 2: Include rule: C:\Dir1* [.txt] Migrates all .txt files in Dir1 and any subfolders. Component 1 does not contain an <include> rule, so the <exclude> rule is not processed. Include rule: HKLM\Software\Microsoft\Command Processor* [] Exclude Rule: HKLM\Software\Microsoft\Command Processor [DefaultColor] Migrates all keys in HKLM\Software\Microsoft\Command Processor except DefaultColor. Both rules are processed as intended. Include rule: HKLM\Software\Microsoft\Command Processor [DefaultColor] Exclude Rule: HKLM\Software\Microsoft\Command Processor* [] Migrates only DefaultColor in HKLM\Software\Microsoft\Command Processor. DefaultColor is migrated because the <include> rule is more specific than the <exclude> rule. Include rule: HKLM\Software\Microsoft\Command Processor [DefaultColor] Exclude rule: HKLM\Software\Microsoft\Command Processor [DefaultColor] Does not migrate DefaultColor. The rules are equally specific, so the <exclude> rule takes precedence over the <include> rule. Component 1: Include rule: HKLM\Software\Microsoft\Command Processor [DefaultColor] Exclude rule: HKLM\Software\Microsoft\Command Processor* [] Component 2: Include rule: HKLM\Software\Microsoft\Command Processor* [] Exclude rule: HKLM\Software\Microsoft\Command Processor [DefaultColor] Migrates all the keys/values under HKLM\Software\Microsoft\Command Processor. Rules that are in different components do not affect each other, except for the <unconditionalExclude> rule. Therefore, in this example, the objects that were excluded when Component 1 was processed were included when Component 2 was processed. During ScanState, all the files will be added to the store. During LoadState, only C:\Data\SampleA.txt will be restored. During ScanState, all the files will be added to the store. During LoadState, all the files will be restored, overwriting the existing files on the destination computer. During ScanState, all the files will be added to the store. During LoadState, the following will occur: C:\Data\SampleA.txt will be restored. C:\Data\SampleB.txt will be restored, overwriting the existing file on the destination computer. C:\Data\Folder\SampleB.txt will not be restored. Include rule: <pattern type="File">C:\Dir1* []</pattern> Exclude rule: <pattern type="File">C:* [.txt]</pattern> Migrates all files and subfolders in Dir1 (including all .txt files in C:). The <exclude> rule does not affect the migration because the <include> rule is more specific. Include rule: <pattern type="File">C:\Dir1* []</pattern> Exclude rule: <pattern type="File">C:\Dir1\Dir2* [.txt]</pattern> Migrates all files and subfolders in C:\Dir1, except the .txt files in C:\Dir1\Dir2 and its subfolders. Both rules are processed as intended. Include rule: <pattern type="File">C:\Dir1* []</pattern> Exclude rule: <pattern type="File">C:\Dir1\ * [.txt]</pattern> Migrates all files and subfolders in C:\Dir1, except the .txt files in C:\Dir1 and its subfolders. Both rules are processed as intended. Include rule: <pattern type="File">C:\Dir1\Dir2* [.txt]</pattern> Exclude rule: <pattern type="File">C:\Dir1\Dir2* [.txt]</pattern> Nothing will be migrated. The rules are equally specific, so the <exclude> rule takes precedence over the <include> rule. Include rule: C:\Dir1* [.txt] Exclude rule: C:\Dir1\Dir2* [] Migrates the .txt files in Dir1 and the .txt files from subfolders other than Dir2. No files are migrated from Dir2 or its subfolders. Both rules are processed as intended. Include rule: C:\Dir1\Dir2* [] Exclude rule: C:\Dir1* [.txt] Migrates all files and subfolders of Dir2, except the .txt files from Dir1 and any subfolders of Dir1 (including Dir2). Both rules are processed as intended. Component 1: Include rule: <pattern type="File">C:\Dir1* []</pattern> Exclude rule: <pattern type="File">C:\Dir1\Dir2* [.txt]</pattern> Component 2: Include rule: <pattern type="File">C:\Dir1\Dir2* [.txt]</pattern> Exclude rule: <pattern type="File">C:\Dir1* []</pattern> Migrates all files and subfolders of C:\Dir1\ (including C:\Dir1\Dir2). Rules that are in different components do not affect each other, except for the <unconditionalExclude> rule. Therefore, in this example, although some .txt files were excluded when Component 1 was processed, they were included when Component 2 was processed. Component 1: Include rule: C:\Dir1\Dir2* [] Component 2: Exclude rule: C:\Dir1* [.txt] Migrates all files and subfolders from Dir2 except the .txt files in C:\Dir1 and its subfolders. Both rules are processed as intended. Component 1: Exclude rule: C:\Dir1\Dir2* [] Component 2: Include rule: C:\Dir1* [.txt] Migrates all .txt files in Dir1 and any subfolders. Component 1 does not contain an <include> rule, so the <exclude> rule is not processed. Include rule: HKLM\Software\Microsoft\Command Processor* [] Exclude Rule: HKLM\Software\Microsoft\Command Processor [DefaultColor] Migrates all keys in HKLM\Software\Microsoft\Command Processor except DefaultColor. Both rules are processed as intended. Include rule: HKLM\Software\Microsoft\Command Processor [DefaultColor] Exclude Rule: HKLM\Software\Microsoft\Command Processor* [] Migrates only DefaultColor in HKLM\Software\Microsoft\Command Processor. DefaultColor is migrated because the <include> rule is more specific than the <exclude> rule. Include rule: HKLM\Software\Microsoft\Command Processor [DefaultColor] Exclude rule: HKLM\Software\Microsoft\Command Processor [DefaultColor] Does not migrate DefaultColor. The rules are equally specific, so the <exclude> rule takes precedence over the <include> rule. Component 1: Include rule: HKLM\Software\Microsoft\Command Processor [DefaultColor] Exclude rule: HKLM\Software\Microsoft\Command Processor* [] Component 2: Include rule: HKLM\Software\Microsoft\Command Processor* [] Exclude rule: HKLM\Software\Microsoft\Command Processor [DefaultColor] Migrates all the keys/values under HKLM\Software\Microsoft\Command Processor. Rules that are in different components do not affect each other, except for the <unconditionalExclude> rule. Therefore, in this example, the objects that were excluded when Component 1 was processed were included when Component 2 was processed. During ScanState, all the files will be added to the store. During LoadState, only C:\Data\SampleA.txt will be restored. During ScanState, all the files will be added to the store. During LoadState, all the files will be restored, overwriting the existing files on the destination computer. During ScanState, all the files will be added to the store. During LoadState, the following will occur: C:\Data\SampleA.txt will be restored. C:\Data\SampleB.txt will be restored, overwriting the existing file on the destination computer. C:\Data\Folder\SampleB.txt will not be restored. Verifies that My Videos exists on the source computer. Filters out the shortcuts in My Videos that do not resolve on the destination computer. This has no effect on files that are not shortcuts. For example, if there is a shortcut in My Videos on the source computer that points to C:\Folder1, that shortcut will be migrated only if C:\Folder1 exists on the destination computer. However, all other files, such as .mp3 files, migrate without any filtering. Migrates My Videos for all users. Migrates all instances of the file Usmttestfile.txt from all sub-directories under %ProgramFiles%\USMTTestFolder. Migrates the whole directory under %ProgramFiles%\USMTDIRTestFolder. Migrates all instances of MyKey under HKCU\Software\USMTTESTKEY. Migrates the entire registry hive under HKLM\Software\USMTTESTKEY. Verifies that My Videos exists on the source computer. Filters out the shortcuts in My Videos that do not resolve on the destination computer. This has no effect on files that are not shortcuts. For example, if there is a shortcut in My Videos on the source computer that points to C:\Folder1, that shortcut will be migrated only if C:\Folder1 exists on the destination computer. However, all other files, such as .mp3 files, migrate without any filtering. Migrates My Videos for all users. Migrates all instances of the file Usmttestfile.txt from all sub-directories under %ProgramFiles%\USMTTestFolder. Migrates the whole directory under %ProgramFiles%\USMTDIRTestFolder. Migrates all instances of MyKey under HKCU\Software\USMTTESTKEY. Migrates the entire registry hive under HKLM\Software\USMTTESTKEY. <Policies> This element contains elements that describe the policies that USMT follows while creating a migration store. <HardLinkStoreControl> This element contains elements that describe how to handle files during the creation of a hard link migration store. <fileLocked> This element contains elements that describe how to handle files that are locked for editing. <createHardLink> This element defines a standard MigXML pattern that describes file paths where hard links should be created, even if the file is locked for editing by another application. Syntax: <createHardLink> [pattern] </createHardLink> <errorHardLink> This element defines a standard MigXML pattern that describes file paths where hard links should not be created, if the file is locked for editing by another application. <errorHardLink> [pattern] </errorHardLink> <Policies> This element contains elements that describe the policies that USMT follows while creating a migration store. <HardLinkStoreControl> This element contains elements that describe how to handle files during the creation of a hard link migration store. <fileLocked> This element contains elements that describe how to handle files that are locked for editing. <createHardLink> This element defines a standard MigXML pattern that describes file paths where hard links should be created, even if the file is locked for editing by another application. Syntax: <createHardLink> [pattern] </createHardLink> <errorHardLink> This element defines a standard MigXML pattern that describes file paths where hard links should not be created, if the file is locked for editing by another application. <errorHardLink> [pattern] </errorHardLink> /l[Path]FileName Scanstate.log or LoadState.log Specifies the path and file name of the ScanState.log or LoadState log. /progress[Path]FileName Specifies the path and file name of the Progress log. Provides information about the status of the migration, by percentage complete. /v[VerbosityLevel] Not applicable See the "Monitoring Options" section in ScanState Syntax. /listfiles[Path]FileName Specifies the path and file name of the Listfiles log. Provides a list of the files that were migrated. Set the environment variable MIG_ENABLE_DIAG to a path to an XML file. USMTDiag.xml The diagnostic log contains detailed system environment information, user environment information, and information about the migration units (migunits) being gathered and their contents. program ScanState.exe or LoadState.exe. productVersion The full product version number of USMT. computerName The name of the source or destination computer on which USMT was run. commandLine The full command used to run USMT. PHASE Reports that a new phase in the migration is starting. This can be one of the following: Initializing Scanning Collecting Saving Estimating Applying detectedUser For the ScanState tool, these are the users USMT detected on the source computer that can be migrated. For the LoadState tool, these are the users USMT detected in the store that can be migrated. includedInMigration Defines whether the user profile/component is included for migration. Valid values are Yes or No. forUser Specifies either of the following: The user state being migrated. This Computer, meaning files and settings that are not associated with a user. detectedComponent Specifies a component detected by USMT. For ScanState, this is a component or application that is installed on the source computer. For LoadState, this is a component or application that was detected in the store. totalSizeInMBToTransfer Total size of the files and settings to migrate in megabytes (MB). totalPercentageCompleted Total percentage of the migration that has been completed by either ScanState or LoadState. collectingUser Specifies which user ScanState is collecting files and settings for. totalMinutesRemaining Time estimate, in minutes, for the migration to complete. error Type of non-fatal error that occurred. This can be one of the following: UnableToCopy: Unable to copy to store because the disk on which the store is located is full. UnableToOpen: Unable to open the file for migration because the file is opened in non-shared mode by another application or service. UnableToCopyCatalog: Unable to copy because the store is corrupted. UnableToAccessDevice: Unable to access the device. UnableToApply: Unable to apply the setting to the destination computer. objectName The name of the file or setting that caused the non-fatal error. action Action taken by USMT for the non-fatal error. The values are: Ignore: Non-fatal error ignored and the migration continued because the /c option was specified on the command line. Abort: Stopped the migration because the /c option was not specified. errorCode The errorCode or return value. numberOfIgnoredErrors The total number of non-fatal errors that USMT ignored. message The message corresponding to the errorCode. /l[Path]FileName Scanstate.log or LoadState.log Specifies the path and file name of the ScanState.log or LoadState log. /progress[Path]FileName Specifies the path and file name of the Progress log. Provides information about the status of the migration, by percentage complete. /v[VerbosityLevel] Not applicable See the "Monitoring Options" section in ScanState Syntax. /listfiles[Path]FileName Specifies the path and file name of the Listfiles log. Provides a list of the files that were migrated. Set the environment variable MIG_ENABLE_DIAG to a path to an XML file. USMTDiag.xml The diagnostic log contains detailed system environment information, user environment information, and information about the migration units (migunits) being gathered and their contents. program ScanState.exe or LoadState.exe. productVersion The full product version number of USMT. computerName The name of the source or destination computer on which USMT was run. commandLine The full command used to run USMT. PHASE Reports that a new phase in the migration is starting. This can be one of the following: Initializing Scanning Collecting Saving Estimating Applying detectedUser For the ScanState tool, these are the users USMT detected on the source computer that can be migrated. For the LoadState tool, these are the users USMT detected in the store that can be migrated. includedInMigration Defines whether the user profile/component is included for migration. Valid values are Yes or No. forUser Specifies either of the following: The user state being migrated. This Computer, meaning files and settings that are not associated with a user. detectedComponent Specifies a component detected by USMT. For ScanState, this is a component or application that is installed on the source computer. For LoadState, this is a component or application that was detected in the store. totalSizeInMBToTransfer Total size of the files and settings to migrate in megabytes (MB). totalPercentageCompleted Total percentage of the migration that has been completed by either ScanState or LoadState. collectingUser Specifies which user ScanState is collecting files and settings for. totalMinutesRemaining Time estimate, in minutes, for the migration to complete. error Type of non-fatal error that occurred. This can be one of the following: UnableToCopy: Unable to copy to store because the disk on which the store is located is full. UnableToOpen: Unable to open the file for migration because the file is opened in non-shared mode by another application or service. UnableToCopyCatalog: Unable to copy because the store is corrupted. UnableToAccessDevice: Unable to access the device. UnableToApply: Unable to apply the setting to the destination computer. objectName The name of the file or setting that caused the non-fatal error. action Action taken by USMT for the non-fatal error. The values are: Ignore: Non-fatal error ignored and the migration continued because the /c option was specified on the command line. Abort: Stopped the migration because the /c option was not specified. errorCode The errorCode or return value. numberOfIgnoredErrors The total number of non-fatal errors that USMT ignored. message The message corresponding to the errorCode. Content Yes The content depends on the type of object specified. For files, the content can be a string containing any of the following attributes separated by commas: Archive Read-only System Hidden For registry keys, the content can be one of the following types: None String ExpandString Binary Dword REG_SZ string No, default is No Determines whether Content should be interpreted as a string or as bytes. expand No (default = Yes When the expand parameter is Yes, the content of the <bytes> element is first expanded in the context of the source computer and then interpreted. Content Yes Depends on the value of the string. When the string is Yes: the content of the <bytes> element is interpreted as a string. When the string is No: the content of the <bytes> element is interpreted as bytes. Each two characters represent the hexadecimal value of a byte. For example, "616263" is the representation for the "abc" ANSI string. A complete representation of the UNICODE string "abc" including the string terminator would be: "6100620063000000". CommandLineString Yes A valid command line. type Yes You can use the following to group settings, and define the type of the component. System: Operating system settings. All Windows® components are defined by this type. When type="System" and defaultSupported="FALSE" the settings will not migrate unless there is an equivalent component in the .xml files that is specified on the LoadState command line. For example, the default MigSys.xml file contains components with type="System" and defaultSupported="FALSE". If you specify this file on the ScanState command line, you must also specify the file on the LoadState command line for the settings to migrate. This is because the LoadState tool must detect an equivalent component. That is, the component must have the same migration urlid of the .xml file and an identical display name. Otherwise, the LoadState tool will not migrate those settings from the store. This is helpful when the source computer is running Windows XP, and you are migrating to both Windows Vista and Windows XP because you can use the same store for both destination computers. Application: Settings for an application. Device: Settings for a device. Documents: Specifies files. context No Default = UserAndSystem Defines the scope of this parameter; that is, whether to process this component in the context of the specific user, across the entire operating system, or both. The largest possible scope is set by the <component> element. For example, if a <component> element has a context of User and a <rules> element had a context of UserAndSystem, then the <rules> element would act as though it has a context of User. If a <rules> element has a context of System, it would act as though the <rules> element is not there. User. Evaluates the component for each user. System. Evaluates the component only once for the system. UserAndSystem. Evaluates the component for the entire operating system and each user. defaultSupported No (default = TRUE) Can be any of TRUE, FALSE, YES or NO. If this parameter is FALSE (or NO), the component will not be migrated unless there is an equivalent component on the destination computer. When type="System" and defaultSupported="FALSE" the settings will not migrate unless there is an equivalent component in the .xml files that are specified on the LoadState command line. For example, the default MigSys.xml file contains components with type="System" and defaultSupported="FALSE". If you specify this file on the ScanState command line, you must also specify the file on the LoadState command line for the settings to migrate. This is because the LoadState tool must detect an equivalent component. That is, the component must have the same migration urlid of the .xml file and an identical display name or the LoadState tool will not migrate those settings from the store. This is helpful when the source computer is running Windows XP, and you are migrating to both Windows Vista and Windows XP because you can use the same store for both destination computers. hidden This parameter is for internal USMT use only. negation No Default = No "Yes" reverses the True/False value of the condition. ScriptName Yes A script that has been defined within this migration section. OSType Yes The only valid value for this setting is NT. Note, however, that you must set this setting for the <condition> functions to work correctly. OSVersion Yes The major version, minor version, build number and corrected service diskette version separated by periods. For example, OSType Yes Can be 9x or NT. If OSType does not match the type of the current operating system, then it returns FALSE. For example, if the current operating system is Windows NT-based and OSType is “9x”, the result will be FALSE. OSVersion Yes The major version, minor version, build number, and corrected service diskette version separated by periods. For example, The IsOSLaterThan function returns TRUE if the current operating system is later than or equal to OSVersion. OSType Yes Can be 9x or NT. If OSType does not match the type of the current operating system, then it returns FALSE. For example, if the current operating system is Windows NT-based and OSType is “9x” the result will be FALSE. OSVersion Yes The major version, minor version, build number, and corrected service diskette version separated by periods. For example, The IsOSEarlierThan function returns TRUE if the current operating system is earlier than OSVersion. ObjectType Yes Defines the object type. Can be File or Registry. EncodedLocationPattern Yes The location pattern. Environment variables are allowed. EncodedFileLocation Yes The location pattern for the file that will be checked. Environment variables are allowed. VersionTag Yes The version tag value that will be checked. VersionValue Yes A string pattern. For example, "Microsoft*". EncodedFileLocation Yes The location pattern for the file that will be checked. Environment variables are allowed. VersionTag Yes The version tag value that will be checked. VersionValue Yes The value to compare to. You cannot specify a pattern. EncodedFileLocation Yes The location pattern for the file that will be checked. Environment variables are allowed. VersionTag Yes The version tag value that will be checked. VersionValue Yes The value to compare to. You cannot specify a pattern. ObjectType Yes Defines the type of object. Can be File or Registry. EncodedLocationPattern Yes The encoded location for the object that will be examined. You can specify environment variables. StringContent Yes The string that will be checked against. ObjectType Yes Defines the type of object. Can be File or Registry. EncodedLocationPattern Yes The encoded location for the object that will be examined. You can specify environment variables. StrToFind Yes A string that will be searched inside the content of the given object. ObjectType Yes Defines the type of object. Can be File or Registry. EncodedLocation1 Yes The encoded location for the first object. You can specify environment variables. EncodedLocation2 Yes The encoded location for the second object. You can specify environment variables. ObjectType1 Yes Defines the type of the first object. Can be File or Registry. EncodedLocation1 Yes The encoded location for the first object. You can specify environment variables. ObjectType2 Yes Defines the type of the second object. Can be File or Registry. EncodedLocation2 Yes The encoded location for the second object. You can specify environment variables. ObjectType1 Yes Defines the type of the first object. Can be File or Registry. EncodedLocation1 Yes The encoded location for the first object. You can specify environment variables. ObjectType2 Yes Defines the type of the second object. Can be File or Registry. EncodedLocation2 Yes The encoded location for the second object. You can specify environment variables. operation No, default = AND Defines the Boolean operation that is performed on the results that are obtained from the child elements. filter Yes A script followed by any number of string arguments that are separated by a comma and enclosed in parenthesis. For example The script is called for each object that is enumerated by the object sets in the <include> rule. The filter script returns a Boolean value. If the return value is TRUE, the object will be migrated. If it is FALSE, it will not be migrated. Separators Yes A list of possible separators that might follow the file specification in this registry value name. For example, if the content is "C:\Windows\Notepad.exe,-2", the separator is a comma. You can specify NULL. PathHints Yes A list of extra paths, separated by colons (;), where the function will look for a file matching the current content. For example, if the content is "Notepad.exe" and the path is the %Path% environment variable, the function will find Notepad.exe in %windir% and returns "c:\Windows [Notepad.exe]". You can specify NULL. Separators Yes A list of possible separators that might follow the file specification in this registry value name. For example, if the content is "C:\Windows\Notepad.exe,-2", the separator is a comma. This parameter must be NULL when processing MULTI-SZ registry values. PathHints Yes A list of extra paths, separated by colons (;), where the function will look for a file matching the current content. For example, if the content is "Notepad.exe" and the path is the %Path% environment variable, the function will find Notepad.exe in %windir% and returns "c:\Windows [Notepad.exe]". You can specify NULL. Separators No A list of possible separators that might follow the file specification in this registry value name. For example, if the content is "C:\Windows\Notepad.exe,-2", the separator is a comma. You must specify NULL when processing MULTI-SZ registry values. LevelsToTrim Yes The number of levels to delete from the end of the directory specification. Use this function to extract a root directory when you have a registry value that points inside that root directory in a known location. PatternSuffix Yes The pattern to add to the directory specification. For example, script Yes A script followed by any number of string arguments that are separated by a comma and enclosed in parenthesis. For example The script will be called for each object that is enumerated by the object sets in the include rule. The filter script returns a Boolean value. If the return value is TRUE, the object will be migrated. If it is FALSE, it will not be migrated. DefaultValueOnError No The value that will be written into the value name if the conversion fails. You can specify NULL, and 0 will be written if the conversion fails. DefaultValueOnError No The value that will be written into the value name if the conversion fails. You can specify NULL, and 0 will be written if the conversion fails. Value Yes The string representation of a numeric value. It can be positive or negative. For example, SourceTable Yes A list of values separated by commas that are possible for the source registry values. DestinationTable No A list of translated values separated by commas. DefaultValueOnError No The value that will be applied to the destination computer if either 1) the value for the source computer does not match SourceTable, or 2) DestinationTable has no equivalent value. If DefaultValueOnError is NULL, the value will not be changed on the destination computer. OptionString Yes OptionString can be Security, TimeFields, or FileAttrib:Letter. You can specify one of each type of OptionStrings. Do not specify multiple OptionStrings with the same value. If you do, the right-most option of that type will be kept. For example, do not specify ("FileAttrib:H", "FileAttrib:R") because only Read-only will be evaluated. Instead specify ("FileAttrib:HR") and both Hidden and Read-only attributes will be kept on the destination computer. Security. Keeps the destination object's security descriptor if it exists. TimeFields. Keeps the destination object's time stamps. This parameter is for files only. FileAttrib:Letter. Keeps the destination object's attribute value, either On or OFF, for the specified set of file attributes. This parameter is for files only. The following are case-insensitive, but USMT will ignore any values that are invalid, repeated, or if there is a space after "FileAttrib:". You can specify any combination of the following attributes: A = Archive C = Compressed E = Encrypted H = Hidden I = Not Content Indexed O = Offline R = Read-Only S = System T = Temporary Instruction Yes Can be one of the following: Add. Adds the corresponding String to the resulting MULTI-SZ if it is not already there. Remove. Removes the corresponding String from the resulting MULTI-SZ. String Yes The string to be added or removed. Delimiters Yes A single character that will be used to separate the content of the object that is being processed. The content will be considered as a list of elements that is separated by the Delimiters. For example, "." will separate the string based on a period. Instruction Yes Can one of the following: Add. Adds String to the resulting MULTI-SZ if it is not already there. Remove. Removes String from the resulting MULTI-SZ. String Yes The string to be added or removed. ComponentDescription Yes The description of the component. filter Yes A script followed by any number of string arguments that are separated by a comma and enclosed in parenthesis. For example The script will be called for each object that is enumerated by the object sets in the include rule. The filter script returns a Boolean value. If the return value is TRUE, the object will be migrated. If it is FALSE, it will not be migrated. name Yes, when <detect> is a child to <namedElements> No, when <detect> is a child to <detects> When ID is specified, any child elements are not processed. Instead, any other <detect> elements with the same name that are declared within the <namedElements> element are processed. context No (default = UserAndSystem) Defines the scope of this parameter: whether to process this component in the context of the specific user, across the entire operating system, or both. The largest possible scope is set by the component element. For example, if a <component> element has a context of User, and a <rules> element had a context of UserAndSystem, then the <rules> element would act as though it had a context of User. If the <rules> element had a context of System, it would act as though the <rules> element were not there. User. Evaluates the variables for each user. System. Evaluates the variables only once for the system. UserAndSystem. Evaluates the variables for the entire operating system and each user. name Yes, when <detects> is a child to <namedElements> No, when <detects> is a child to <role> or <rules> When ID is specified, no child <detect> elements are processed. Instead, any other <detects> elements with the same name that are declared within the <namedElements> element are processed. context No (default = UserAndSystem) Defines the scope of this parameter: whether to process this component in the context of the specific user, across the entire operating system, or both. The largest possible scope is set by the <component element>. For example, if a <component> element has a context of User and a <rules> element had a context of UserAndSystem, then the <rules> element would act as though it had a context of User. If the <rules> element had a context of System, it would act as though the <rules> element were not there. User. Evaluates the variables for each user. System. Evaluates the variables only once for the system. UserAndSystem. Evaluates the variables for the entire operating system and each user. The context parameter is ignored for <detects> elements that are inside <rules> elements. name Yes, when <detection> is declared under <namedElements> Optional, when declared under <role> If declared, the content of the <detection> element is ignored and the content of the <detection> element with the same name that is declared in the <namedElements> element will be evaluated. context No, default = UserAndSystem Defines the scope of this parameter: whether to process this component in the context of the specific user, across the entire operating system, or both. User. Evaluates the component for each user. System. Evaluates the component only once for the system. UserAndSystem. Evaluates the component for the entire operating system and each user. locID No This parameter is for internal USMT use. Do not use this parameter. ComponentName Yes The name for the component. name Yes, when <environment> is a child of <namedElements> No, when <environment> is a child of <role> or <component> When declared as a child of the <role> or <component> elements, if ID is declared, USMT ignores the content of the <environment> element and the content of the <environment> element with the same name declared in the <namedElements> element is processed. context No (default = UserAndSystem) Defines the scope of this parameter: whether to process this component in the context of the specific user, across the entire operating system, or both. The largest possible scope is set by the <component> element. For example, if a <component> element has a context of User and a <rules> element had a context of UserAndSystem, then the <rules> element would act as though it had a context of User. If the <rules> element had a context of System, it would act as though <rules> were not there. User. Evaluates the variables for each user. System. Evaluates the variables only once for the system. UserAndSystem. Evaluates the variables for the entire operating system and each user. filter No (default = No) A script followed by any number of string arguments that are separated by a comma and enclosed in parenthesis. For example The script will be called for each object that is enumerated by the object sets in the include rule. The filter script returns a Boolean value. If the return value is TRUE, the object will be migrated. If it is FALSE, it will not be migrated. attributes Yes Specifies the attributes to be excluded. You can specify one of the following, or both separated by quotes; for example, Security can be one of Owner, Group, DACL, or SACL. TimeFields can be one of CreationTime, LastAccessTime and LastWrittenTime FilenameExtension Yes A file name extension. when Yes Indicates when the command line should be run. This value can be one of the following: pre-scan before the scanning process begins. scan-success after the scanning process has finished successfully. post-scan after the scanning process has finished, whether it was successful or not. pre-apply before the apply process begins. apply-success after the apply process has finished successfully. post-apply after the apply process has finished, whether it was successful or not. filter No. If this parameter is not specified, then all patterns that are inside the child <ObjectSet> element will be processed. A script followed by any number of string arguments that are separated by a comma and enclosed in parenthesis. For example The script will be called for each object that is enumerated by the object sets in the <include> rule. The filter script returns a Boolean value. If the return value is TRUE, the object will be migrated. If it is FALSE, it will not be migrated. StringContent Yes The string to check against. CompareType Yes A string. Use one of the following values: Equal (case insensitive). The function returns TRUE if the string representation of the current object that is processed by the migration engine is identical to NULL or any other value. The function returns TRUE if the string representation of the current object that is processed by the migration engine does not match attributes Yes Specifies the attributes to be included with a migrated object. You can specify one of the following, or both separated by quotes; for example, Security can be one of the following values: Owner. The owner of the object (SID). Group. The primary group for the object (SID). DACL (discretionary access control list). An access control list that is controlled by the owner of an object and that specifies the access particular users or groups can have to the object. SACL (system access control list). An ACL that controls the generation of audit messages for attempts to access a securable object. The ability to get or set an object's SACL is controlled by a privilege typically held only by system administrators. TimeFields can be one of the following: CreationTime. Specifies when the file or directory was created. LastAccessTime. Specifies when the file is last read from, written to, or, in the case of executable files, run. LastWrittenTime. Specifies when the file is last written to, truncated, or overwritten. type Yes typeID can be Registry or File. ObjectLocation Yes The location of the object. script Yes A script followed by any number of string arguments that are separated by a comma and enclosed in parenthesis. For example The script will be called for each object that is enumerated by the object sets in the include rule. The filter script returns a Boolean value. If the return value is TRUE, the object will be migrated. If it is FALSE, it will not be migrated. ObjectEncodedLocation Yes The destination location for all of the source objects. DestinationRoot Yes The location where the source objects will be moved. If needed, this function will create any subdirectories that were above the longest CSIDL in the source object name. SourceRoot Yes The location from where the objects will be moved. Any source objects that are enumerated by the parent <ObjectSet> element that are not in this location will not be moved. DestinationRoot Yes The location where the source objects will be moved to on the destination computer. If needed, this function will create any subdirectories that were above SourceRoot. Name Yes The name of the manufacturer for the component. script Yes A script followed by any number of string arguments that are separated by a comma and enclosed in parenthesis. For example The script will be called for each object that is enumerated by the object sets in the <include> rule. The filter script returns a Boolean value. If the return value is TRUE, the object will be migrated. If it is FALSE, it will not be migrated. FilePattern Yes <F> will be replaced by the original file name. <N> will be replaced by an incrementing counter until there is no collision with the objects on the destination computer. <E> will be replaced by the original file name extension. For example, VersionTag Yes The version field that will be checked. This can be "FileVersion" or "ProductVersion". The file with the highest VersionTag version determines which conflicts will be resolved based on the file's version. For example, if Myfile.txt contains FileVersion 1 and the same file on the destination computer contains FileVersion 2, the file on destination will remain. urlid Yes UrlID is a string identifier that uniquely identifies this .xml file. This parameter must be a no-colon-name as defined by the XML Namespaces specification. Each migration .xml file must have a unique urlid. If two migration .xml files have the same urlid, the second .xml file that is specified on the command line will not be processed. For more information about XML Namespaces, see Use XML Namespaces. Name No Although not required, it is good practice to use the name of the .xml file. Property filesize, dateCreated, dateModified, dateAccessed Operator range, neq, lte, lt, eq, gte, gt valueToCompare The value we are comparing. For example: Date: “2008/05/15-2005/05/17”, “2008/05/15” Size: A numeral with B, KB, MB, or GB at the end. “5GB”, “1KB-1MB” type Yes typeID can be Registry, File, or Ini. If typeId is Ini, then you cannot have a space between Path and object. For example, the following is correct when type="Ini": <pattern type="Ini">%WinAmp5InstPath%\Winamp.ini|WinAmp[keeponscreen]</pattern> Path [object] Yes A valid registry or file path pattern, followed by at least one space, followed by brackets [] that contain the object to be migrated. Path can contain the asterisk () wildcard character or can be an Recognized Environment Variables. You cannot use the question mark as a wildcard character.You can use HKCU and HKLM to refer to HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE respectively. Object can contain the asterisk () wildcard character. However, you cannot use the question mark as a wildcard character. For example: C:\Folder\ [] enumerates all files in C:<em>Path but no subfolders of C:\Folder. C:\Folder* [] enumerates all files and subfolders of C:\Folder. C:\Folder\ [*.mp3] enumerates all .mp3 files in C:\Folder. C:\Folder\ [Sample.doc] enumerates only the Sample.doc file located in C:\Folder. If you are migrating a file that has a square bracket character ([ or ]) in the file name, you must insert the carrot (^) character directly before the bracket for it to be valid. For example, if there is a file named "file].txt", you must specify when Yes Indicates when the script should be run. This value can be one of the following: pre-scan means before the scanning process begins. scan-success means after the scanning process has finished successfully. post-scan means after the scanning process has finished, whether it was successful or not. pre-apply means before the apply process begins. apply-success means after the apply process has finished successfully. post-apply means after the apply process has finished, whether it was successful or not. role Yes Defines the role for the component. Role can be one of: Container Binaries Settings Data You can either: Specify up to three <role> elements within a <component> — one “Binaries” role element, one “Settings” role element and one “Data” role element. These parameters do not change the migration behavior — their only purpose is to help you categorize the settings that you are migrating. You can nest these <role> elements, but each nested element must be of the same role parameter. Specify one “Container” <role> element within a <component> element. In this case, you cannot specify any child <rules> elements, only other <component> elements. And each child <component> element must have the same type as that of parent <component> element. For example: name Yes, when <rules> is a child to <namedElements> No, when <rules> is a child to any other element When ID is specified, any child elements are not processed. Instead, any other <rules> elements with the same name that are declared within <namedElements> are processed. context No (default = UserAndSystem) Defines the scope of this parameter — whether to process this component in the context of the specific user, across the entire operating system, or both. The largest possible scope is set by the component element. For example, if a <component> element has a context of User and a <rules> element had a context of UserAndSystem, then the <rules> element would act as though it has a context of User. If <rules> had a context of System, it would act as though <rules> was not there. User. Evaluates the variables for each user. System. Evaluates the variables only once for the system. UserAndSystem. Evaluates the variables for the entire operating system and each user. ScriptWithArguments Yes A script followed by any number of string arguments that are separated by a comma and enclosed in parenthesis. For example The script will be called for each object that is enumerated by the object sets in the <include> rule. The filter script returns a Boolean value. If the return value is TRUE, the object will be migrated. If it is FALSE, it will not be migrated. The return value that is required by <script> depends on the parent element. When used within <variable>, the return value must be a string. When used within <objectSet>, the return value must be a two-dimensional array of strings. When used within <location>, the return value must be a valid location that aligns with the type attribute of <location>. For example, if <location type="File">, the child script element, if specified, must be a valid file location. If you are migrating a file that has a bracket character ([ or ]) in the file name, insert the carrot (^) character directly before the bracket for it to be valid. For example, if there is a file named "file].txt", specify ObjectType Yes The type of object. Can be Registry or Ini (for an .ini file). EncodedLocationPattern Yes If type of object is Registry, EncodedLocationPattern must be a valid registry path. For example, HKLM\SOFTWARE\MyKey[]. If the type of object is Ini, then EncodedLocationPattern must be in the following format: IniFilePath|SectionName[SettingName] ExpandContent No (default=TRUE) Can be TRUE or FALSE. If FALSE, then the given location will not be expanded before it is returned. PatternSegment Yes The suffix of an encoded pattern. It will be concatenated with a drive specification, such as "c:", to form a complete encoded file pattern. For example, "* [*.doc]". PatternSegment cannot be an environment variable. DriveType Yes The drive type for which the patterns are to be generated. You can specify one of: Fixed CDROM Removable Remote ObjectType Yes Defines the object type. Can be File or Registry. EncodedLocationPattern Yes The location pattern. Environment variables are allowed. ProcessCurrentUser Yes Can be TRUE or FALSE. Indicates if the patterns should be generated for the current user. ScanProgramFiles No (default = FALSE) Can be TRUE or FALSE. The ScanProgramFiles parameter determines whether or not the document finder scans the Program Files directory to gather registered file extensions for known applications. For example, when set to TRUE it will discover and migrate .jpg files under the Photoshop directory, if .jpg is a file extension registered to Photoshop. IncludePatterns No (default = TRUE) Can be TRUE or FALSE. TRUE will generate include patterns and can be added under the <include> element. FALSE will generate exclude patterns and can be added under the <exclude> element. SystemDrive No (default = FALSE) Can be TRUE or FALSE. If TRUE, restricts all patterns to the system drive. NormalText This is interpreted as normal text. name Yes ID is a string value that is the name used to reference the environment variable. We recommend that ID start with the component’s name to avoid namespace collisions. For example, if your component’s name is MyComponent, and you want a variable that is your component’s install path, you could specify remap No, default = FALSE Specifies whether to evaluate this environment variable as a remapping environment variable. Objects that are located in a path that is underneath this environment variable’s value are automatically moved to where the environment variable points on the destination computer. ComponentVersion Yes The version of the component, which can contain patterns. Content Yes The content depends on the type of object specified. For files, the content can be a string containing any of the following attributes separated by commas: Archive Read-only System Hidden For registry keys, the content can be one of the following types: None String ExpandString Binary Dword REG_SZ string No, default is No Determines whether Content should be interpreted as a string or as bytes. expand No (default = Yes When the expand parameter is Yes, the content of the <bytes> element is first expanded in the context of the source computer and then interpreted. Content Yes Depends on the value of the string. When the string is Yes: the content of the <bytes> element is interpreted as a string. When the string is No: the content of the <bytes> element is interpreted as bytes. Each two characters represent the hexadecimal value of a byte. For example, "616263" is the representation for the "abc" ANSI string. A complete representation of the UNICODE string "abc" including the string terminator would be: "6100620063000000". CommandLineString Yes A valid command line. type Yes You can use the following to group settings, and define the type of the component. System: Operating system settings. All Windows® components are defined by this type. When type="System" and defaultSupported="FALSE" the settings will not migrate unless there is an equivalent component in the .xml files that is specified on the LoadState command line. For example, the default MigSys.xml file contains components with type="System" and defaultSupported="FALSE". If you specify this file on the ScanState command line, you must also specify the file on the LoadState command line for the settings to migrate. This is because the LoadState tool must detect an equivalent component. That is, the component must have the same migration urlid of the .xml file and an identical display name. Otherwise, the LoadState tool will not migrate those settings from the store. This is helpful when the source computer is running Windows XP, and you are migrating to both Windows Vista and Windows XP because you can use the same store for both destination computers. Application: Settings for an application. Device: Settings for a device. Documents: Specifies files. context No Default = UserAndSystem Defines the scope of this parameter; that is, whether to process this component in the context of the specific user, across the entire operating system, or both. The largest possible scope is set by the <component> element. For example, if a <component> element has a context of User and a <rules> element had a context of UserAndSystem, then the <rules> element would act as though it has a context of User. If a <rules> element has a context of System, it would act as though the <rules> element is not there. User. Evaluates the component for each user. System. Evaluates the component only once for the system. UserAndSystem. Evaluates the component for the entire operating system and each user. defaultSupported No (default = TRUE) Can be any of TRUE, FALSE, YES or NO. If this parameter is FALSE (or NO), the component will not be migrated unless there is an equivalent component on the destination computer. When type="System" and defaultSupported="FALSE" the settings will not migrate unless there is an equivalent component in the .xml files that are specified on the LoadState command line. For example, the default MigSys.xml file contains components with type="System" and defaultSupported="FALSE". If you specify this file on the ScanState command line, you must also specify the file on the LoadState command line for the settings to migrate. This is because the LoadState tool must detect an equivalent component. That is, the component must have the same migration urlid of the .xml file and an identical display name or the LoadState tool will not migrate those settings from the store. This is helpful when the source computer is running Windows XP, and you are migrating to both Windows Vista and Windows XP because you can use the same store for both destination computers. hidden This parameter is for internal USMT use only. negation No Default = No "Yes" reverses the True/False value of the condition. ScriptName Yes A script that has been defined within this migration section. OSType Yes The only valid value for this setting is NT. Note, however, that you must set this setting for the <condition> functions to work correctly. OSVersion Yes The major version, minor version, build number and corrected service diskette version separated by periods. For example, OSType Yes Can be 9x or NT. If OSType does not match the type of the current operating system, then it returns FALSE. For example, if the current operating system is Windows NT-based and OSType is “9x”, the result will be FALSE. OSVersion Yes The major version, minor version, build number, and corrected service diskette version separated by periods. For example, The IsOSLaterThan function returns TRUE if the current operating system is later than or equal to OSVersion. OSType Yes Can be 9x or NT. If OSType does not match the type of the current operating system, then it returns FALSE. For example, if the current operating system is Windows NT-based and OSType is “9x” the result will be FALSE. OSVersion Yes The major version, minor version, build number, and corrected service diskette version separated by periods. For example, The IsOSEarlierThan function returns TRUE if the current operating system is earlier than OSVersion. ObjectType Yes Defines the object type. Can be File or Registry. EncodedLocationPattern Yes The location pattern. Environment variables are allowed. EncodedFileLocation Yes The location pattern for the file that will be checked. Environment variables are allowed. VersionTag Yes The version tag value that will be checked. VersionValue Yes A string pattern. For example, "Microsoft*". EncodedFileLocation Yes The location pattern for the file that will be checked. Environment variables are allowed. VersionTag Yes The version tag value that will be checked. VersionValue Yes The value to compare to. You cannot specify a pattern. EncodedFileLocation Yes The location pattern for the file that will be checked. Environment variables are allowed. VersionTag Yes The version tag value that will be checked. VersionValue Yes The value to compare to. You cannot specify a pattern. ObjectType Yes Defines the type of object. Can be File or Registry. EncodedLocationPattern Yes The encoded location for the object that will be examined. You can specify environment variables. StringContent Yes The string that will be checked against. ObjectType Yes Defines the type of object. Can be File or Registry. EncodedLocationPattern Yes The encoded location for the object that will be examined. You can specify environment variables. StrToFind Yes A string that will be searched inside the content of the given object. ObjectType Yes Defines the type of object. Can be File or Registry. EncodedLocation1 Yes The encoded location for the first object. You can specify environment variables. EncodedLocation2 Yes The encoded location for the second object. You can specify environment variables. ObjectType1 Yes Defines the type of the first object. Can be File or Registry. EncodedLocation1 Yes The encoded location for the first object. You can specify environment variables. ObjectType2 Yes Defines the type of the second object. Can be File or Registry. EncodedLocation2 Yes The encoded location for the second object. You can specify environment variables. ObjectType1 Yes Defines the type of the first object. Can be File or Registry. EncodedLocation1 Yes The encoded location for the first object. You can specify environment variables. ObjectType2 Yes Defines the type of the second object. Can be File or Registry. EncodedLocation2 Yes The encoded location for the second object. You can specify environment variables. operation No, default = AND Defines the Boolean operation that is performed on the results that are obtained from the child elements. filter Yes A script followed by any number of string arguments that are separated by a comma and enclosed in parenthesis. For example The script is called for each object that is enumerated by the object sets in the <include> rule. The filter script returns a Boolean value. If the return value is TRUE, the object will be migrated. If it is FALSE, it will not be migrated. Separators Yes A list of possible separators that might follow the file specification in this registry value name. For example, if the content is "C:\Windows\Notepad.exe,-2", the separator is a comma. You can specify NULL. PathHints Yes A list of extra paths, separated by colons (;), where the function will look for a file matching the current content. For example, if the content is "Notepad.exe" and the path is the %Path% environment variable, the function will find Notepad.exe in %windir% and returns "c:\Windows [Notepad.exe]". You can specify NULL. Separators Yes A list of possible separators that might follow the file specification in this registry value name. For example, if the content is "C:\Windows\Notepad.exe,-2", the separator is a comma. This parameter must be NULL when processing MULTI-SZ registry values. PathHints Yes A list of extra paths, separated by colons (;), where the function will look for a file matching the current content. For example, if the content is "Notepad.exe" and the path is the %Path% environment variable, the function will find Notepad.exe in %windir% and returns "c:\Windows [Notepad.exe]". You can specify NULL. Separators No A list of possible separators that might follow the file specification in this registry value name. For example, if the content is "C:\Windows\Notepad.exe,-2", the separator is a comma. You must specify NULL when processing MULTI-SZ registry values. LevelsToTrim Yes The number of levels to delete from the end of the directory specification. Use this function to extract a root directory when you have a registry value that points inside that root directory in a known location. PatternSuffix Yes The pattern to add to the directory specification. For example, script Yes A script followed by any number of string arguments that are separated by a comma and enclosed in parenthesis. For example The script will be called for each object that is enumerated by the object sets in the include rule. The filter script returns a Boolean value. If the return value is TRUE, the object will be migrated. If it is FALSE, it will not be migrated. DefaultValueOnError No The value that will be written into the value name if the conversion fails. You can specify NULL, and 0 will be written if the conversion fails. DefaultValueOnError No The value that will be written into the value name if the conversion fails. You can specify NULL, and 0 will be written if the conversion fails. Value Yes The string representation of a numeric value. It can be positive or negative. For example, SourceTable Yes A list of values separated by commas that are possible for the source registry values. DestinationTable No A list of translated values separated by commas. DefaultValueOnError No The value that will be applied to the destination computer if either 1) the value for the source computer does not match SourceTable, or 2) DestinationTable has no equivalent value. If DefaultValueOnError is NULL, the value will not be changed on the destination computer. OptionString Yes OptionString can be Security, TimeFields, or FileAttrib:Letter. You can specify one of each type of OptionStrings. Do not specify multiple OptionStrings with the same value. If you do, the right-most option of that type will be kept. For example, do not specify ("FileAttrib:H", "FileAttrib:R") because only Read-only will be evaluated. Instead specify ("FileAttrib:HR") and both Hidden and Read-only attributes will be kept on the destination computer. Security. Keeps the destination object's security descriptor if it exists. TimeFields. Keeps the destination object's time stamps. This parameter is for files only. FileAttrib:Letter. Keeps the destination object's attribute value, either On or OFF, for the specified set of file attributes. This parameter is for files only. The following are case-insensitive, but USMT will ignore any values that are invalid, repeated, or if there is a space after "FileAttrib:". You can specify any combination of the following attributes: A = Archive C = Compressed E = Encrypted H = Hidden I = Not Content Indexed O = Offline R = Read-Only S = System T = Temporary Instruction Yes Can be one of the following: Add. Adds the corresponding String to the resulting MULTI-SZ if it is not already there. Remove. Removes the corresponding String from the resulting MULTI-SZ. String Yes The string to be added or removed. Delimiters Yes A single character that will be used to separate the content of the object that is being processed. The content will be considered as a list of elements that is separated by the Delimiters. For example, "." will separate the string based on a period. Instruction Yes Can one of the following: Add. Adds String to the resulting MULTI-SZ if it is not already there. Remove. Removes String from the resulting MULTI-SZ. String Yes The string to be added or removed. ComponentDescription Yes The description of the component. filter Yes A script followed by any number of string arguments that are separated by a comma and enclosed in parenthesis. For example The script will be called for each object that is enumerated by the object sets in the include rule. The filter script returns a Boolean value. If the return value is TRUE, the object will be migrated. If it is FALSE, it will not be migrated. name Yes, when <detect> is a child to <namedElements> No, when <detect> is a child to <detects> When ID is specified, any child elements are not processed. Instead, any other <detect> elements with the same name that are declared within the <namedElements> element are processed. context No (default = UserAndSystem) Defines the scope of this parameter: whether to process this component in the context of the specific user, across the entire operating system, or both. The largest possible scope is set by the component element. For example, if a <component> element has a context of User, and a <rules> element had a context of UserAndSystem, then the <rules> element would act as though it had a context of User. If the <rules> element had a context of System, it would act as though the <rules> element were not there. User. Evaluates the variables for each user. System. Evaluates the variables only once for the system. UserAndSystem. Evaluates the variables for the entire operating system and each user. name Yes, when <detects> is a child to <namedElements> No, when <detects> is a child to <role> or <rules> When ID is specified, no child <detect> elements are processed. Instead, any other <detects> elements with the same name that are declared within the <namedElements> element are processed. context No (default = UserAndSystem) Defines the scope of this parameter: whether to process this component in the context of the specific user, across the entire operating system, or both. The largest possible scope is set by the <component element>. For example, if a <component> element has a context of User and a <rules> element had a context of UserAndSystem, then the <rules> element would act as though it had a context of User. If the <rules> element had a context of System, it would act as though the <rules> element were not there. User. Evaluates the variables for each user. System. Evaluates the variables only once for the system. UserAndSystem. Evaluates the variables for the entire operating system and each user. The context parameter is ignored for <detects> elements that are inside <rules> elements. name Yes, when <detection> is declared under <namedElements> Optional, when declared under <role> If declared, the content of the <detection> element is ignored and the content of the <detection> element with the same name that is declared in the <namedElements> element will be evaluated. context No, default = UserAndSystem Defines the scope of this parameter: whether to process this component in the context of the specific user, across the entire operating system, or both. User. Evaluates the component for each user. System. Evaluates the component only once for the system. UserAndSystem. Evaluates the component for the entire operating system and each user. locID No This parameter is for internal USMT use. Do not use this parameter. ComponentName Yes The name for the component. name Yes, when <environment> is a child of <namedElements> No, when <environment> is a child of <role> or <component> When declared as a child of the <role> or <component> elements, if ID is declared, USMT ignores the content of the <environment> element and the content of the <environment> element with the same name declared in the <namedElements> element is processed. context No (default = UserAndSystem) Defines the scope of this parameter: whether to process this component in the context of the specific user, across the entire operating system, or both. The largest possible scope is set by the <component> element. For example, if a <component> element has a context of User and a <rules> element had a context of UserAndSystem, then the <rules> element would act as though it had a context of User. If the <rules> element had a context of System, it would act as though <rules> were not there. User. Evaluates the variables for each user. System. Evaluates the variables only once for the system. UserAndSystem. Evaluates the variables for the entire operating system and each user. filter No (default = No) A script followed by any number of string arguments that are separated by a comma and enclosed in parenthesis. For example The script will be called for each object that is enumerated by the object sets in the include rule. The filter script returns a Boolean value. If the return value is TRUE, the object will be migrated. If it is FALSE, it will not be migrated. attributes Yes Specifies the attributes to be excluded. You can specify one of the following, or both separated by quotes; for example, Security can be one of Owner, Group, DACL, or SACL. TimeFields can be one of CreationTime, LastAccessTime and LastWrittenTime FilenameExtension Yes A file name extension. when Yes Indicates when the command line should be run. This value can be one of the following: pre-scan before the scanning process begins. scan-success after the scanning process has finished successfully. post-scan after the scanning process has finished, whether it was successful or not. pre-apply before the apply process begins. apply-success after the apply process has finished successfully. post-apply after the apply process has finished, whether it was successful or not. filter No. If this parameter is not specified, then all patterns that are inside the child <ObjectSet> element will be processed. A script followed by any number of string arguments that are separated by a comma and enclosed in parenthesis. For example The script will be called for each object that is enumerated by the object sets in the <include> rule. The filter script returns a Boolean value. If the return value is TRUE, the object will be migrated. If it is FALSE, it will not be migrated. StringContent Yes The string to check against. CompareType Yes A string. Use one of the following values: Equal (case insensitive). The function returns TRUE if the string representation of the current object that is processed by the migration engine is identical to NULL or any other value. The function returns TRUE if the string representation of the current object that is processed by the migration engine does not match attributes Yes Specifies the attributes to be included with a migrated object. You can specify one of the following, or both separated by quotes; for example, Security can be one of the following values: Owner. The owner of the object (SID). Group. The primary group for the object (SID). DACL (discretionary access control list). An access control list that is controlled by the owner of an object and that specifies the access particular users or groups can have to the object. SACL (system access control list). An ACL that controls the generation of audit messages for attempts to access a securable object. The ability to get or set an object's SACL is controlled by a privilege typically held only by system administrators. TimeFields can be one of the following: CreationTime. Specifies when the file or directory was created. LastAccessTime. Specifies when the file is last read from, written to, or, in the case of executable files, run. LastWrittenTime. Specifies when the file is last written to, truncated, or overwritten. type Yes typeID can be Registry or File. ObjectLocation Yes The location of the object. script Yes A script followed by any number of string arguments that are separated by a comma and enclosed in parenthesis. For example The script will be called for each object that is enumerated by the object sets in the include rule. The filter script returns a Boolean value. If the return value is TRUE, the object will be migrated. If it is FALSE, it will not be migrated. ObjectEncodedLocation Yes The destination location for all of the source objects. DestinationRoot Yes The location where the source objects will be moved. If needed, this function will create any subdirectories that were above the longest CSIDL in the source object name. SourceRoot Yes The location from where the objects will be moved. Any source objects that are enumerated by the parent <ObjectSet> element that are not in this location will not be moved. DestinationRoot Yes The location where the source objects will be moved to on the destination computer. If needed, this function will create any subdirectories that were above SourceRoot. Name Yes The name of the manufacturer for the component. script Yes A script followed by any number of string arguments that are separated by a comma and enclosed in parenthesis. For example The script will be called for each object that is enumerated by the object sets in the <include> rule. The filter script returns a Boolean value. If the return value is TRUE, the object will be migrated. If it is FALSE, it will not be migrated. FilePattern Yes <F> will be replaced by the original file name. <N> will be replaced by an incrementing counter until there is no collision with the objects on the destination computer. <E> will be replaced by the original file name extension. For example, VersionTag Yes The version field that will be checked. This can be "FileVersion" or "ProductVersion". The file with the highest VersionTag version determines which conflicts will be resolved based on the file's version. For example, if Myfile.txt contains FileVersion 1 and the same file on the destination computer contains FileVersion 2, the file on destination will remain. urlid Yes UrlID is a string identifier that uniquely identifies this .xml file. This parameter must be a no-colon-name as defined by the XML Namespaces specification. Each migration .xml file must have a unique urlid. If two migration .xml files have the same urlid, the second .xml file that is specified on the command line will not be processed. For more information about XML Namespaces, see Use XML Namespaces. Name No Although not required, it is good practice to use the name of the .xml file. Property filesize, dateCreated, dateModified, dateAccessed Operator range, neq, lte, lt, eq, gte, gt valueToCompare The value we are comparing. For example: Date: “2008/05/15-2005/05/17”, “2008/05/15” Size: A numeral with B, KB, MB, or GB at the end. “5GB”, “1KB-1MB” type Yes typeID can be Registry, File, or Ini. If typeId is Ini, then you cannot have a space between Path and object. For example, the following is correct when type="Ini": <pattern type="Ini">%WinAmp5InstPath%\Winamp.ini|WinAmp[keeponscreen]</pattern> Path [object] Yes A valid registry or file path pattern, followed by at least one space, followed by brackets [] that contain the object to be migrated. Path can contain the asterisk () wildcard character or can be an Recognized Environment Variables. You cannot use the question mark as a wildcard character.You can use HKCU and HKLM to refer to HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE respectively. Object can contain the asterisk () wildcard character. However, you cannot use the question mark as a wildcard character. For example: C:\Folder\ [] enumerates all files in C:<em>Path but no subfolders of C:\Folder. C:\Folder* [] enumerates all files and subfolders of C:\Folder. C:\Folder\ [*.mp3] enumerates all .mp3 files in C:\Folder. C:\Folder\ [Sample.doc] enumerates only the Sample.doc file located in C:\Folder. If you are migrating a file that has a square bracket character ([ or ]) in the file name, you must insert the carrot (^) character directly before the bracket for it to be valid. For example, if there is a file named "file].txt", you must specify when Yes Indicates when the script should be run. This value can be one of the following: pre-scan means before the scanning process begins. scan-success means after the scanning process has finished successfully. post-scan means after the scanning process has finished, whether it was successful or not. pre-apply means before the apply process begins. apply-success means after the apply process has finished successfully. post-apply means after the apply process has finished, whether it was successful or not. role Yes Defines the role for the component. Role can be one of: Container Binaries Settings Data You can either: Specify up to three <role> elements within a <component> — one “Binaries” role element, one “Settings” role element and one “Data” role element. These parameters do not change the migration behavior — their only purpose is to help you categorize the settings that you are migrating. You can nest these <role> elements, but each nested element must be of the same role parameter. Specify one “Container” <role> element within a <component> element. In this case, you cannot specify any child <rules> elements, only other <component> elements. And each child <component> element must have the same type as that of parent <component> element. For example: name Yes, when <rules> is a child to <namedElements> No, when <rules> is a child to any other element When ID is specified, any child elements are not processed. Instead, any other <rules> elements with the same name that are declared within <namedElements> are processed. context No (default = UserAndSystem) Defines the scope of this parameter — whether to process this component in the context of the specific user, across the entire operating system, or both. The largest possible scope is set by the component element. For example, if a <component> element has a context of User and a <rules> element had a context of UserAndSystem, then the <rules> element would act as though it has a context of User. If <rules> had a context of System, it would act as though <rules> was not there. User. Evaluates the variables for each user. System. Evaluates the variables only once for the system. UserAndSystem. Evaluates the variables for the entire operating system and each user. ScriptWithArguments Yes A script followed by any number of string arguments that are separated by a comma and enclosed in parenthesis. For example The script will be called for each object that is enumerated by the object sets in the <include> rule. The filter script returns a Boolean value. If the return value is TRUE, the object will be migrated. If it is FALSE, it will not be migrated. The return value that is required by <script> depends on the parent element. When used within <variable>, the return value must be a string. When used within <objectSet>, the return value must be a two-dimensional array of strings. When used within <location>, the return value must be a valid location that aligns with the type attribute of <location>. For example, if <location type="File">, the child script element, if specified, must be a valid file location. If you are migrating a file that has a bracket character ([ or ]) in the file name, insert the carrot (^) character directly before the bracket for it to be valid. For example, if there is a file named "file].txt", specify ObjectType Yes The type of object. Can be Registry or Ini (for an .ini file). EncodedLocationPattern Yes If type of object is Registry, EncodedLocationPattern must be a valid registry path. For example, HKLM\SOFTWARE\MyKey[]. If the type of object is Ini, then EncodedLocationPattern must be in the following format: IniFilePath|SectionName[SettingName] ExpandContent No (default=TRUE) Can be TRUE or FALSE. If FALSE, then the given location will not be expanded before it is returned. PatternSegment Yes The suffix of an encoded pattern. It will be concatenated with a drive specification, such as "c:", to form a complete encoded file pattern. For example, "* [*.doc]". PatternSegment cannot be an environment variable. DriveType Yes The drive type for which the patterns are to be generated. You can specify one of: Fixed CDROM Removable Remote ObjectType Yes Defines the object type. Can be File or Registry. EncodedLocationPattern Yes The location pattern. Environment variables are allowed. ProcessCurrentUser Yes Can be TRUE or FALSE. Indicates if the patterns should be generated for the current user. ScanProgramFiles No (default = FALSE) Can be TRUE or FALSE. The ScanProgramFiles parameter determines whether or not the document finder scans the Program Files directory to gather registered file extensions for known applications. For example, when set to TRUE it will discover and migrate .jpg files under the Photoshop directory, if .jpg is a file extension registered to Photoshop. IncludePatterns No (default = TRUE) Can be TRUE or FALSE. TRUE will generate include patterns and can be added under the <include> element. FALSE will generate exclude patterns and can be added under the <exclude> element. SystemDrive No (default = FALSE) Can be TRUE or FALSE. If TRUE, restricts all patterns to the system drive. NormalText This is interpreted as normal text. name Yes ID is a string value that is the name used to reference the environment variable. We recommend that ID start with the component’s name to avoid namespace collisions. For example, if your component’s name is MyComponent, and you want a variable that is your component’s install path, you could specify remap No, default = FALSE Specifies whether to evaluate this environment variable as a remapping environment variable. Objects that are located in a path that is underneath this environment variable’s value are automatically moved to where the environment variable points on the destination computer. ComponentVersion Yes The version of the component, which can contain patterns. If you choose to install Hyper-V using Server Manager, accept all default selections. Also be sure to install both items under Role Administration Tools\Hyper-V Management Tools.
-
-After installation is complete, open Hyper-V Manager by typing **virtmgmt.msc** at an elevated command prompt, or by typing **Hyper-V** in the Start menu search box.
-
-To read more about Hyper-V, see [Introduction to Hyper-V on Windows 10](https://docs.microsoft.com/virtualization/hyper-v-on-windows/about/) and [Hyper-V on Windows Server](https://docs.microsoft.com/windows-server/virtualization/hyper-v/hyper-v-on-windows-server).
-
-## Create a demo VM
-
-Now that Hyper-V is enabled, we need to create a VM running Windows 10. We can [create a VM](https://docs.microsoft.com/virtualization/hyper-v-on-windows/quick-start/create-virtual-machine) and [virtual network](https://docs.microsoft.com/virtualization/hyper-v-on-windows/quick-start/connect-to-network) using Hyper-V Manager, but it is simpler to use Windows PowerShell.
-
-To use Windows Powershell we just need to know two things:
-
-1. The location of the Windows 10 ISO file.
- - In the example, we assume the location is **c:\iso\win10-eval.iso**.
-2. The name of the network interface that connects to the Internet.
- - In the example, we use a Windows PowerShell command to determine this automatically.
-
-After we have set the ISO file location and determined the name of the appropriate network interface, we can install Windows 10.
-
-### Set ISO file location
-
-You can download an ISO file for an evaluation version of the latest release of Windows 10 Enterprise [here](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise).
-- When asked to select a platform, choose **64 bit**.
-
-After you download this file, the name will be extremely long (ex: 17763.107.101029-1455.rs5_release_svc_refresh_CLIENTENTERPRISEEVAL_OEMRET_x64FRE_en-us.iso).
-
-1. So that it is easier to type and remember, rename the file to **win10-eval.iso**.
-2. Create a directory on your computer named **c:\iso** and move the **win10-eval.iso** file there, so the path to the file is **c:\iso\win10-eval.iso**.
-3. If you wish to use a different name and location for the file, you must modify the Windows PowerShell commands below to use your custom name and directory.
-
-### Determine network adapter name
-
-The Get-NetAdaper cmdlet is used below to automatically find the network adapter that is most likely to be the one you use to connect to the Internet. You should test this command first by running the following at an elevated Windows PowerShell prompt:
-
-```powershell
-(Get-NetAdapter |?{$_.Status -eq "Up" -and !$_.Virtual}).Name
-```
-
-The output of this command should be the name of the network interface you use to connect to the Internet. Verify that this is the correct interface name. If it is not the correct interface name, you'll need to edit the first command below to use your network interface name.
-
-For example, if the command above displays Ethernet but you wish to use Ethernet2, then the first command below would be New-VMSwitch -Name AutopilotExternal -AllowManagementOS $true -NetAdapterName **Ethernet2**.
-
-### Use Windows PowerShell to create the demo VM
-
-All VM data will be created under the current path in your PowerShell prompt. Consider navigating into a new folder before running the following commands.
-
->[!IMPORTANT]
->**VM switch**: a VM switch is how Hyper-V connects VMs to a network. If you choose to install Hyper-V using Server Manager, accept all default selections. Also be sure to install both items under Role Administration Tools\Hyper-V Management Tools.
+
+After installation is complete, open Hyper-V Manager by typing **virtmgmt.msc** at an elevated command prompt, or by typing **Hyper-V** in the Start menu search box.
+
+To read more about Hyper-V, see [Introduction to Hyper-V on Windows 10](https://docs.microsoft.com/virtualization/hyper-v-on-windows/about/) and [Hyper-V on Windows Server](https://docs.microsoft.com/windows-server/virtualization/hyper-v/hyper-v-on-windows-server).
+
+## Create a demo VM
+
+Now that Hyper-V is enabled, we need to create a VM running Windows 10. We can [create a VM](https://docs.microsoft.com/virtualization/hyper-v-on-windows/quick-start/create-virtual-machine) and [virtual network](https://docs.microsoft.com/virtualization/hyper-v-on-windows/quick-start/connect-to-network) using Hyper-V Manager, but it is simpler to use Windows PowerShell.
+
+To use Windows Powershell we just need to know two things:
+
+1. The location of the Windows 10 ISO file.
+ - In the example, we assume the location is **c:\iso\win10-eval.iso**.
+2. The name of the network interface that connects to the Internet.
+ - In the example, we use a Windows PowerShell command to determine this automatically.
+
+After we have set the ISO file location and determined the name of the appropriate network interface, we can install Windows 10.
+
+### Set ISO file location
+
+You can download an ISO file for an evaluation version of the latest release of Windows 10 Enterprise [here](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise).
+- When asked to select a platform, choose **64 bit**.
+
+After you download this file, the name will be extremely long (ex: 17763.107.101029-1455.rs5_release_svc_refresh_CLIENTENTERPRISEEVAL_OEMRET_x64FRE_en-us.iso).
+
+1. So that it is easier to type and remember, rename the file to **win10-eval.iso**.
+2. Create a directory on your computer named **c:\iso** and move the **win10-eval.iso** file there, so the path to the file is **c:\iso\win10-eval.iso**.
+3. If you wish to use a different name and location for the file, you must modify the Windows PowerShell commands below to use your custom name and directory.
+
+### Determine network adapter name
+
+The Get-NetAdaper cmdlet is used below to automatically find the network adapter that is most likely to be the one you use to connect to the Internet. You should test this command first by running the following at an elevated Windows PowerShell prompt:
+
+```powershell
+(Get-NetAdapter |?{$_.Status -eq "Up" -and !$_.Virtual}).Name
+```
+
+The output of this command should be the name of the network interface you use to connect to the Internet. Verify that this is the correct interface name. If it is not the correct interface name, you'll need to edit the first command below to use your network interface name.
+
+For example, if the command above displays Ethernet but you wish to use Ethernet2, then the first command below would be New-VMSwitch -Name AutopilotExternal -AllowManagementOS $true -NetAdapterName **Ethernet2**.
+
+### Use Windows PowerShell to create the demo VM
+
+All VM data will be created under the current path in your PowerShell prompt. Consider navigating into a new folder before running the following commands.
+
+>[!IMPORTANT]
+>**VM switch**: a VM switch is how Hyper-V connects VMs to a network. \"Close other apps, error code: 0XA00F4243.” or or
\
|
- | **[SetHomeButtonURL](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-sethomebuttonurl)**
Interactive signage** | **Public browsing
single-app** | **Public browsing
multi-app** | **Normal
mode** |
-|------------------|:---------:|:---------:|:---------:|:---------:|
-| [AllowAddressBarDropdown](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowaddressbardropdown) |  |  |  |  |
-| [AllowAutofill](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowautofill) |  |  |  |  |
-| [AllowBrowser](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowbrowser) |  |  |  |  |
-| [AllowConfigurationUpdateForBooksLibrary](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowconfigurationupdateforbookslibrary) |  |  |  |  |
-| [AllowCookies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowcookies) |  |  |  |  |
-| [AllowDeveloperTools](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowdevelopertools) |  |  |  |  |
-| [AllowDoNotTrack](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowdonottrack) |  |  |  |  |
-| [AllowExtensions](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowextensions) |  |  |  |  |
-| [AllowFlash](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowflash) |  |  |  |  |
-| [AllowFlashClickToRun](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowflashclicktorun) | 2 |  |  |  |
-| [AllowFullscreen](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowfullscreenmode)\* |  |  |  |  |
-| [AllowInPrivate](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowinprivate) |  |  |  |  |
-| [AllowMicrosoftCompatibilityList](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowmicrosoftcompatibilitylist) |  |  | 1 |  |
-| [AllowPasswordManager](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowpasswordmanager) |  |  |  |  |
-| [AllowPopups](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowpopups) |  |  |  |  |
-| [AllowPrelaunch](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowprelaunch)\* |  |  |  |  |
-| [AllowPrinting](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowprinting)\* |  |  |  |  |
-| [AllowSavingHistory](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowsavinghistory)\* |  |  |  |  |
-| [AllowSearchEngineCustomization](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowsearchenginecustomization) |  |  |  |  |
-| [AllowSearchSuggestionsinAddressBar](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowsearchenginecustomization) |  |  |  |  |
-| [AllowSideloadingExtensions](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowsideloadingofextensions)\* |  |  |  |  |
-| [AllowSmartScreen](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowsmartscreen) |  |  |  |  |
-| [AllowSyncMySettings](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience#experience-allowsyncmysettings) |  |  |  |  |
-| [AllowTabPreloading](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowtabpreloading)\* |  |  |  |  |
-| [AllowWebContentOnNewTabPage](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowwebcontentonnewtabpage)\* |  |  |  |  |
-| [AlwaysEnabledBooksLibrary](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-alwaysenablebookslibrary) |  |  |  |  |
-| [ClearBrowsingDataOnExit](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-clearbrowsingdataonexit) |  |  |  |  |
-| [ConfigureAdditionalSearchEngines](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configureadditionalsearchengines) |  |  |  |  |
-| [ConfigureFavoritesBar](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurefavoritesbar)\* |  |  |  |  |
-| [ConfigureHomeButton](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurehomebutton)\* |  |  |  |  |
-| [ConfigureKioskMode](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurekioskmode)\* |  |  |  |  |
-| [ConfigureKioskResetAfterIdleTimeout](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurekioskresetafteridletimeout)\* |  |  |  |  |
-| [ConfigureOpenEdgeWith](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configureopenmicrosoftedgewith)\* |  |  |  |  |
-| [ConfigureTelemetryForMicrosoft365Analytics](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configuretelemetryformicrosoft365analytics)\* |  |  |  |  |
-| [DisableLockdownOfStartPages](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-disablelockdownofstartpages) |  |  |  |  |
-| [Experience/DoNotSyncBrowserSettings](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience#experience-donotsyncbrowsersetting)\* and [Experience/PreventTurningOffRequiredExtensions](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-preventturningoffrequiredextensions)\* |  |  |  |  |
-| [EnableExtendedBooksTelemetry](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-enableextendedbookstelemetry) |  |  |  |  |
-| [EnterpriseModeSiteList](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-enterprisemodesitelist) |  |  | 1 |  |
-| [FirstRunURL](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-firstrunurl) |  |  |  |  |
-| [HomePages](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-homepages) |  |  |  |  |
-| [LockdownFavorites](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-lockdownfavorites) |  |  |  |  |
-| [PreventAccessToAboutFlagsInMicrosoftEdge](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-preventaccesstoaboutflagsinmicrosoftedge) |  |  |  |  |
-| [PreventCertErrorOverrides](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-preventcerterroroverrides)\* |  |  |  |  |
-| [PreventFirstRunPage](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-preventfirstrunpage) |  | |  |  |
-| [PreventLiveTileDataCollection](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-preventlivetiledatacollection) |  |  |  |  |
-| [PreventSmartScreenPromptOverride](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-preventsmartscreenpromptoverride) |  |  |  |  |
-| [PreventSmartScreenPromptOverrideForFiles](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-preventsmartscreenpromptoverrideforfiles) |  |  |  |  |
-| [PreventTurningOffRequiredExtensions](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-preventturningoffrequiredextensions)\* |  |  |  |  |
-| [PreventUsingLocalHostIPAddressForWebRTC](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-preventusinglocalhostipaddressforwebrtc) |  |  |  |  |
-| [ProvisionFavorites](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-provisionfavorites) |  |  |  |  |
-| [SendIntranetTraffictoInternetExplorer](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-sendintranettraffictointernetexplorer) |  |  | 1 |  |
-| [SetDefaultSearchEngine](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-setdefaultsearchengine) |  |  |  |  |
-| [SetHomeButtonURL](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-sethomebuttonurl)\* |  |  |  |  |
-| [SetNewTabPageURL](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-setnewtabpageurl)\* |  |  |  |  |
-| [ShowMessageWhenOpeningInteretExplorerSites](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-showmessagewhenopeningsitesininternetexplorer) |  |  | 1 |  |
-| [SyncFavoritesBetweenIEAndMicrosoftEdge](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-syncfavoritesbetweenieandmicrosoftedge) |  |  | 1 |  |
-| [UnlockHomeButton](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-unlockhomebutton)\* |  |  |  |  |
-| [UseSharedFolderForBooks](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-usesharedfolderforbooks) |  |  |  |  |
-
-
-*\* New policy as of Windows 10, version 1809.*
-*2) For digital/interactive signage to enable Flash, set [AllowFlashClickToRun](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowflashclicktorun) to 0.*
-
-**Legend:**
-  = Supported
-
----
-
-## Feature comparison of kiosk mode and kiosk browser app
-In the following table, we show you the features available in both Microsoft Edge kiosk mode and Kiosk Browser app available in Microsoft Store. Both kiosk mode and kiosk browser app work in assigned access.
-
-
-| **Feature** | **Microsoft Edge kiosk mode** | **Microsoft Kiosk browser app** |
-|-----------------------------------------------------------|:---------------------------------------------------------------------------------------------------------------------------------------------------------------:|:-------------------------------------------------------------------------------------------------------------------------------------------------------:|
-| Print support |  |  |
-| Multi-tab support |  |  |
-| Allow/Block URL support | 
Professional, Enterprise, and Education | Windows 10 April 2018 Update
Professional, Enterprise, and Education |
-
-**\*Windows Defender Firewall**
|
+ | **[ConfigureKioskResetAfterIdleTimeout](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurekioskresetafteridletimeout)**
|
+ | **[HomePages](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-homepages)**
\
|
+ | **[SetHomeButtonURL](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-sethomebuttonurl)**
Interactive signage** | **Public browsing
single-app** | **Public browsing
multi-app** | **Normal
mode** |
+|------------------|:---------:|:---------:|:---------:|:---------:|
+| [AllowAddressBarDropdown](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowaddressbardropdown) |  |  |  |  |
+| [AllowAutofill](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowautofill) |  |  |  |  |
+| [AllowBrowser](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowbrowser) |  |  |  |  |
+| [AllowConfigurationUpdateForBooksLibrary](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowconfigurationupdateforbookslibrary) |  |  |  |  |
+| [AllowCookies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowcookies) |  |  |  |  |
+| [AllowDeveloperTools](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowdevelopertools) |  |  |  |  |
+| [AllowDoNotTrack](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowdonottrack) |  |  |  |  |
+| [AllowExtensions](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowextensions) |  |  |  |  |
+| [AllowFlash](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowflash) |  |  |  |  |
+| [AllowFlashClickToRun](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowflashclicktorun) | 2 |  |  |  |
+| [AllowFullscreen](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowfullscreenmode)\* |  |  |  |  |
+| [AllowInPrivate](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowinprivate) |  |  |  |  |
+| [AllowMicrosoftCompatibilityList](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowmicrosoftcompatibilitylist) |  |  | 1 |  |
+| [AllowPasswordManager](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowpasswordmanager) |  |  |  |  |
+| [AllowPopups](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowpopups) |  |  |  |  |
+| [AllowPrelaunch](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowprelaunch)\* |  |  |  |  |
+| [AllowPrinting](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowprinting)\* |  |  |  |  |
+| [AllowSavingHistory](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowsavinghistory)\* |  |  |  |  |
+| [AllowSearchEngineCustomization](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowsearchenginecustomization) |  |  |  |  |
+| [AllowSearchSuggestionsinAddressBar](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowsearchenginecustomization) |  |  |  |  |
+| [AllowSideloadingExtensions](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowsideloadingofextensions)\* |  |  |  |  |
+| [AllowSmartScreen](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowsmartscreen) |  |  |  |  |
+| [AllowSyncMySettings](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience#experience-allowsyncmysettings) |  |  |  |  |
+| [AllowTabPreloading](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowtabpreloading)\* |  |  |  |  |
+| [AllowWebContentOnNewTabPage](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowwebcontentonnewtabpage)\* |  |  |  |  |
+| [AlwaysEnabledBooksLibrary](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-alwaysenablebookslibrary) |  |  |  |  |
+| [ClearBrowsingDataOnExit](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-clearbrowsingdataonexit) |  |  |  |  |
+| [ConfigureAdditionalSearchEngines](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configureadditionalsearchengines) |  |  |  |  |
+| [ConfigureFavoritesBar](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurefavoritesbar)\* |  |  |  |  |
+| [ConfigureHomeButton](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurehomebutton)\* |  |  |  |  |
+| [ConfigureKioskMode](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurekioskmode)\* |  |  |  |  |
+| [ConfigureKioskResetAfterIdleTimeout](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurekioskresetafteridletimeout)\* |  |  |  |  |
+| [ConfigureOpenEdgeWith](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configureopenmicrosoftedgewith)\* |  |  |  |  |
+| [ConfigureTelemetryForMicrosoft365Analytics](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configuretelemetryformicrosoft365analytics)\* |  |  |  |  |
+| [DisableLockdownOfStartPages](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-disablelockdownofstartpages) |  |  |  |  |
+| [Experience/DoNotSyncBrowserSettings](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience#experience-donotsyncbrowsersetting)\* and [Experience/PreventTurningOffRequiredExtensions](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-preventturningoffrequiredextensions)\* |  |  |  |  |
+| [EnableExtendedBooksTelemetry](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-enableextendedbookstelemetry) |  |  |  |  |
+| [EnterpriseModeSiteList](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-enterprisemodesitelist) |  |  | 1 |  |
+| [FirstRunURL](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-firstrunurl) |  |  |  |  |
+| [HomePages](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-homepages) |  |  |  |  |
+| [LockdownFavorites](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-lockdownfavorites) |  |  |  |  |
+| [PreventAccessToAboutFlagsInMicrosoftEdge](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-preventaccesstoaboutflagsinmicrosoftedge) |  |  |  |  |
+| [PreventCertErrorOverrides](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-preventcerterroroverrides)\* |  |  |  |  |
+| [PreventFirstRunPage](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-preventfirstrunpage) |  | |  |  |
+| [PreventLiveTileDataCollection](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-preventlivetiledatacollection) |  |  |  |  |
+| [PreventSmartScreenPromptOverride](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-preventsmartscreenpromptoverride) |  |  |  |  |
+| [PreventSmartScreenPromptOverrideForFiles](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-preventsmartscreenpromptoverrideforfiles) |  |  |  |  |
+| [PreventTurningOffRequiredExtensions](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-preventturningoffrequiredextensions)\* |  |  |  |  |
+| [PreventUsingLocalHostIPAddressForWebRTC](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-preventusinglocalhostipaddressforwebrtc) |  |  |  |  |
+| [ProvisionFavorites](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-provisionfavorites) |  |  |  |  |
+| [SendIntranetTraffictoInternetExplorer](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-sendintranettraffictointernetexplorer) |  |  | 1 |  |
+| [SetDefaultSearchEngine](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-setdefaultsearchengine) |  |  |  |  |
+| [SetHomeButtonURL](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-sethomebuttonurl)\* |  |  |  |  |
+| [SetNewTabPageURL](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-setnewtabpageurl)\* |  |  |  |  |
+| [ShowMessageWhenOpeningInteretExplorerSites](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-showmessagewhenopeningsitesininternetexplorer) |  |  | 1 |  |
+| [SyncFavoritesBetweenIEAndMicrosoftEdge](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-syncfavoritesbetweenieandmicrosoftedge) |  |  | 1 |  |
+| [UnlockHomeButton](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-unlockhomebutton)\* |  |  |  |  |
+| [UseSharedFolderForBooks](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-usesharedfolderforbooks) |  |  |  |  |
+
+
+*\* New policy as of Windows 10, version 1809.*
+*2) For digital/interactive signage to enable Flash, set [AllowFlashClickToRun](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowflashclicktorun) to 0.*
+
+**Legend:**
+  = Supported
+
+---
+
+## Feature comparison of kiosk mode and kiosk browser app
+In the following table, we show you the features available in both Microsoft Edge kiosk mode and Kiosk Browser app available in Microsoft Store. Both kiosk mode and kiosk browser app work in assigned access.
+
+
+| **Feature** | **Microsoft Edge kiosk mode** | **Microsoft Kiosk browser app** |
+|-----------------------------------------------------------|:---------------------------------------------------------------------------------------------------------------------------------------------------------------:|:-------------------------------------------------------------------------------------------------------------------------------------------------------:|
+| Print support |  |  |
+| Multi-tab support |  |  |
+| Allow/Block URL support | 
Professional, Enterprise, and Education | Windows 10 April 2018 Update
Professional, Enterprise, and Education |
+
+**\*Windows Defender Firewall**
Wildcards, like \*.microsoft.com, aren’t supported.
**To set up data collection using a zone allow list**
- - Start PowerShell in elevated mode (using admin privileges) and run IETelemetrySetUp.ps1, using this command: `.\IETelemetrySetUp.ps1 [other args] -ZoneAllowList Computer,Intranet,TrustedSites,Internet,RestrictedSites`.
+- Start PowerShell in elevated mode (using admin privileges) and run IETelemetrySetUp.ps1, using this command: `.\IETelemetrySetUp.ps1 [other args] -ZoneAllowList Computer,Intranet,TrustedSites,Internet,RestrictedSites`.
>**Important**
Only Computer, Intranet, TrustedSites, Internet, and RestrictedSites are supported.
diff --git a/browsers/enterprise-mode/enterprise-mode.md b/browsers/enterprise-mode/enterprise-mode.md
index 3e22df673d..9e9f2933fe 100644
--- a/browsers/enterprise-mode/enterprise-mode.md
+++ b/browsers/enterprise-mode/enterprise-mode.md
@@ -5,7 +5,7 @@ ms.pagetype: security
description: Use this section to learn about how to turn on Enterprise Mode.
author: eavena
ms.author: eravena
-ms.prod: edge, ie11
+ms.prod: edge
ms.assetid:
ms.reviewer:
manager: dansimp
diff --git a/browsers/includes/helpful-topics-include.md b/browsers/includes/helpful-topics-include.md
index 9d4ab636ca..0a0f72e971 100644
--- a/browsers/includes/helpful-topics-include.md
+++ b/browsers/includes/helpful-topics-include.md
@@ -24,7 +24,7 @@ ms.topic: include
- [Web Application Compatibility Lab Kit](https://technet.microsoft.com/microsoft-edge/mt612809.aspx)
-- [Microsoft Services Support](https://www.microsoft.com/en-us/microsoftservices/support.aspx)
+- [Microsoft Services Support](https://www.microsoft.com/microsoftservices/support.aspx)
- [Find a Microsoft partner on Pinpoint](https://partnercenter.microsoft.com/pcv/search)
diff --git a/browsers/internet-explorer/TOC.md b/browsers/internet-explorer/TOC.md
index 0fed701c19..c2812cb730 100644
--- a/browsers/internet-explorer/TOC.md
+++ b/browsers/internet-explorer/TOC.md
@@ -1,188 +1,188 @@
-#[IE11 Deployment Guide for IT Pros](ie11-deploy-guide/index.md)
+# [IE11 Deployment Guide for IT Pros](ie11-deploy-guide/index.md)
-##[Change history for the Internet Explorer 11 (IE11) Deployment Guide](ie11-deploy-guide/change-history-for-internet-explorer-11.md)
+## [Change history for the Internet Explorer 11 (IE11) Deployment Guide](ie11-deploy-guide/change-history-for-internet-explorer-11.md)
-##[System requirements and language support for Internet Explorer 11](ie11-deploy-guide/system-requirements-and-language-support-for-ie11.md)
+## [System requirements and language support for Internet Explorer 11](ie11-deploy-guide/system-requirements-and-language-support-for-ie11.md)
-##[List of updated features and tools - Internet Explorer 11 (IE11)](ie11-deploy-guide/updated-features-and-tools-with-ie11.md)
+## [List of updated features and tools - Internet Explorer 11 (IE11)](ie11-deploy-guide/updated-features-and-tools-with-ie11.md)
-##[Install and Deploy Internet Explorer 11 (IE11)](ie11-deploy-guide/install-and-deploy-ie11.md)
-###[Customize Internet Explorer 11 installation packages](ie11-deploy-guide/customize-ie11-install-packages.md)
-####[Using IEAK 11 to create packages](ie11-deploy-guide/using-ieak11-to-create-install-packages.md)
-####[Create packages for multiple operating systems or languages](ie11-deploy-guide/create-install-packages-for-multiple-operating-systems-or-languages.md)
-####[Using .INF files to create packages](ie11-deploy-guide/using-inf-files-to-create-install-packages.md)
-###[Choose how to install Internet Explorer 11 (IE11)](ie11-deploy-guide/choose-how-to-install-ie11.md)
-####[Install Internet Explorer 11 (IE11) - System Center 2012 R2 Configuration Manager](ie11-deploy-guide/install-ie11-using-system-center-configuration-manager.md)
-####[Install Internet Explorer 11 (IE11) - Windows Server Update Services (WSUS)](ie11-deploy-guide/install-ie11-using-windows-server-update-services-wsus.md)
-####[Install Internet Explorer 11 (IE11) - Microsoft Intune](ie11-deploy-guide/install-ie11-using-microsoft-intune.md)
-####[Install Internet Explorer 11 (IE11) - Network](ie11-deploy-guide/install-ie11-using-the-network.md)
-####[Install Internet Explorer 11 (IE11) - Operating system deployment systems](ie11-deploy-guide/install-ie11-using-operating-system-deployment-systems.md)
-####[Install Internet Explorer 11 (IE11) - Third-party tools](ie11-deploy-guide/install-ie11-using-third-party-tools.md)
-###[Choose how to deploy Internet Explorer 11 (IE11)](ie11-deploy-guide/choose-how-to-deploy-ie11.md)
-####[Deploy Internet Explorer 11 using Automatic Version Synchronization (AVS)](ie11-deploy-guide/deploy-ie11-using-automatic-version-synchronization-avs.md)
-####[Deploy Internet Explorer 11 using software distribution tools](ie11-deploy-guide/deploy-ie11-using-software-distribution-tools.md)
-###[Virtualization and compatibility with Internet Explorer 11](ie11-deploy-guide/virtualization-and-compatibility-with-ie11.md)
+## [Install and Deploy Internet Explorer 11 (IE11)](ie11-deploy-guide/install-and-deploy-ie11.md)
+### [Customize Internet Explorer 11 installation packages](ie11-deploy-guide/customize-ie11-install-packages.md)
+#### [Using IEAK 11 to create packages](ie11-deploy-guide/using-ieak11-to-create-install-packages.md)
+#### [Create packages for multiple operating systems or languages](ie11-deploy-guide/create-install-packages-for-multiple-operating-systems-or-languages.md)
+#### [Using .INF files to create packages](ie11-deploy-guide/using-inf-files-to-create-install-packages.md)
+### [Choose how to install Internet Explorer 11 (IE11)](ie11-deploy-guide/choose-how-to-install-ie11.md)
+#### [Install Internet Explorer 11 (IE11) - System Center 2012 R2 Configuration Manager](ie11-deploy-guide/install-ie11-using-system-center-configuration-manager.md)
+#### [Install Internet Explorer 11 (IE11) - Windows Server Update Services (WSUS)](ie11-deploy-guide/install-ie11-using-windows-server-update-services-wsus.md)
+#### [Install Internet Explorer 11 (IE11) - Microsoft Intune](ie11-deploy-guide/install-ie11-using-microsoft-intune.md)
+#### [Install Internet Explorer 11 (IE11) - Network](ie11-deploy-guide/install-ie11-using-the-network.md)
+#### [Install Internet Explorer 11 (IE11) - Operating system deployment systems](ie11-deploy-guide/install-ie11-using-operating-system-deployment-systems.md)
+#### [Install Internet Explorer 11 (IE11) - Third-party tools](ie11-deploy-guide/install-ie11-using-third-party-tools.md)
+### [Choose how to deploy Internet Explorer 11 (IE11)](ie11-deploy-guide/choose-how-to-deploy-ie11.md)
+#### [Deploy Internet Explorer 11 using Automatic Version Synchronization (AVS)](ie11-deploy-guide/deploy-ie11-using-automatic-version-synchronization-avs.md)
+#### [Deploy Internet Explorer 11 using software distribution tools](ie11-deploy-guide/deploy-ie11-using-software-distribution-tools.md)
+### [Virtualization and compatibility with Internet Explorer 11](ie11-deploy-guide/virtualization-and-compatibility-with-ie11.md)
-##[Collect data using Enterprise Site Discovery](ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md)
+## [Collect data using Enterprise Site Discovery](ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md)
-##[Enterprise Mode for Internet Explorer 11 (IE11)](ie11-deploy-guide/enterprise-mode-overview-for-ie11.md)
-###[Tips and tricks to manage Internet Explorer compatibility](ie11-deploy-guide/tips-and-tricks-to-manage-ie-compatibility.md)
-###[Enterprise Mode and the Enterprise Mode Site List](ie11-deploy-guide/what-is-enterprise-mode.md)
-###[Set up Enterprise Mode logging and data collection](ie11-deploy-guide/set-up-enterprise-mode-logging-and-data-collection.md)
-###[Turn on Enterprise Mode and use a site list](ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md)
-###[Enterprise Mode schema v.2 guidance](ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md)
-###[Enterprise Mode schema v.1 guidance](ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md)
-###[Check for a new Enterprise Mode site list xml file](ie11-deploy-guide/check-for-new-enterprise-mode-site-list-xml-file.md)
-###[Turn on local control and logging for Enterprise Mode](ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode.md)
-###[Use the Enterprise Mode Site List Manager](ie11-deploy-guide/use-the-enterprise-mode-site-list-manager.md)
-####[Add single sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.2)](ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md)
-####[Add single sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.1)](ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md)
-####[Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2)](ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md)
-####[Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1)](ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md)
-####[Edit the Enterprise Mode site list using the Enterprise Mode Site List Manager](ie11-deploy-guide/edit-the-enterprise-mode-site-list-using-the-enterprise-mode-site-list-manager.md)
-####[Fix validation problems using the Enterprise Mode Site List Manager](ie11-deploy-guide/fix-validation-problems-using-the-enterprise-mode-site-list-manager.md)
-####[Search your Enterprise Mode site list in the Enterprise Mode Site List Manager](ie11-deploy-guide/search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md)
-####[Save your site list to XML in the Enterprise Mode Site List Manager](ie11-deploy-guide/save-your-site-list-to-xml-in-the-enterprise-mode-site-list-manager.md)
-####[Export your Enterprise Mode site list from the Enterprise Mode Site List Manager](ie11-deploy-guide/export-your-enterprise-mode-site-list-from-the-enterprise-mode-site-list-manager.md)
-####[Import your Enterprise Mode site list to the Enterprise Mode Site List Manager](ie11-deploy-guide/import-into-the-enterprise-mode-site-list-manager.md)
-####[Delete sites from your Enterprise Mode site list in the Enterprise Mode Site List Manager](ie11-deploy-guide/delete-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md)
-####[Remove all sites from your Enterprise Mode site list in the Enterprise Mode Site List Manager](ie11-deploy-guide/remove-all-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md)
-###[Use the Enterprise Mode Site List Portal](ie11-deploy-guide/use-the-enterprise-mode-portal.md)
-####[Set up the Enterprise Mode Site List Portal](ie11-deploy-guide/set-up-enterprise-mode-portal.md)
-#####[Use the Settings page to finish setting up the Enterprise Mode Site List Portal](ie11-deploy-guide/configure-settings-enterprise-mode-portal.md)
-#####[Add employees to the Enterprise Mode Site List Portal](ie11-deploy-guide/add-employees-enterprise-mode-portal.md)
-####[Workflow-based processes for employees using the Enterprise Mode Site List Portal](ie11-deploy-guide/workflow-processes-enterprise-mode-portal.md)
-#####[Create a change request using the Enterprise Mode Site List Portal](ie11-deploy-guide/create-change-request-enterprise-mode-portal.md)
-#####[Verify your changes using the Enterprise Mode Site List Portal](ie11-deploy-guide/verify-changes-preprod-enterprise-mode-portal.md)
-#####[Approve a change request using the Enterprise Mode Site List Portal](ie11-deploy-guide/approve-change-request-enterprise-mode-portal.md)
-#####[Schedule approved change requests for production using the Enterprise Mode Site List Portal](ie11-deploy-guide/schedule-production-change-enterprise-mode-portal.md)
-#####[Verify the change request update in the production environment using the Enterprise Mode Site List Portal](ie11-deploy-guide/verify-changes-production-enterprise-mode-portal.md)
-#####[View the apps currently on the Enterprise Mode Site List](ie11-deploy-guide/view-apps-enterprise-mode-site-list.md)
-#####[View the available Enterprise Mode reports from the Enterprise Mode Site List Portal](ie11-deploy-guide/view-enterprise-mode-reports-for-portal.md)
-###[Using IE7 Enterprise Mode or IE8 Enterprise Mode](ie11-deploy-guide/using-enterprise-mode.md)
-###[Fix web compatibility issues using document modes and the Enterprise Mode site list](ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md)
-###[Remove sites from a local Enterprise Mode site list](ie11-deploy-guide/remove-sites-from-a-local-enterprise-mode-site-list.md)
-###[Remove sites from a local compatibility view list](ie11-deploy-guide/remove-sites-from-a-local-compatibililty-view-list.md)
-###[Turn off Enterprise Mode](ie11-deploy-guide/turn-off-enterprise-mode.md)
+## [Enterprise Mode for Internet Explorer 11 (IE11)](ie11-deploy-guide/enterprise-mode-overview-for-ie11.md)
+### [Tips and tricks to manage Internet Explorer compatibility](ie11-deploy-guide/tips-and-tricks-to-manage-ie-compatibility.md)
+### [Enterprise Mode and the Enterprise Mode Site List](ie11-deploy-guide/what-is-enterprise-mode.md)
+### [Set up Enterprise Mode logging and data collection](ie11-deploy-guide/set-up-enterprise-mode-logging-and-data-collection.md)
+### [Turn on Enterprise Mode and use a site list](ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md)
+### [Enterprise Mode schema v.2 guidance](ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md)
+### [Enterprise Mode schema v.1 guidance](ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md)
+### [Check for a new Enterprise Mode site list xml file](ie11-deploy-guide/check-for-new-enterprise-mode-site-list-xml-file.md)
+### [Turn on local control and logging for Enterprise Mode](ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode.md)
+### [Use the Enterprise Mode Site List Manager](ie11-deploy-guide/use-the-enterprise-mode-site-list-manager.md)
+#### [Add single sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.2)](ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md)
+#### [Add single sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.1)](ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md)
+#### [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2)](ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md)
+#### [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1)](ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md)
+#### [Edit the Enterprise Mode site list using the Enterprise Mode Site List Manager](ie11-deploy-guide/edit-the-enterprise-mode-site-list-using-the-enterprise-mode-site-list-manager.md)
+#### [Fix validation problems using the Enterprise Mode Site List Manager](ie11-deploy-guide/fix-validation-problems-using-the-enterprise-mode-site-list-manager.md)
+#### [Search your Enterprise Mode site list in the Enterprise Mode Site List Manager](ie11-deploy-guide/search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md)
+#### [Save your site list to XML in the Enterprise Mode Site List Manager](ie11-deploy-guide/save-your-site-list-to-xml-in-the-enterprise-mode-site-list-manager.md)
+#### [Export your Enterprise Mode site list from the Enterprise Mode Site List Manager](ie11-deploy-guide/export-your-enterprise-mode-site-list-from-the-enterprise-mode-site-list-manager.md)
+#### [Import your Enterprise Mode site list to the Enterprise Mode Site List Manager](ie11-deploy-guide/import-into-the-enterprise-mode-site-list-manager.md)
+#### [Delete sites from your Enterprise Mode site list in the Enterprise Mode Site List Manager](ie11-deploy-guide/delete-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md)
+#### [Remove all sites from your Enterprise Mode site list in the Enterprise Mode Site List Manager](ie11-deploy-guide/remove-all-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md)
+### [Use the Enterprise Mode Site List Portal](ie11-deploy-guide/use-the-enterprise-mode-portal.md)
+#### [Set up the Enterprise Mode Site List Portal](ie11-deploy-guide/set-up-enterprise-mode-portal.md)
+##### [Use the Settings page to finish setting up the Enterprise Mode Site List Portal](ie11-deploy-guide/configure-settings-enterprise-mode-portal.md)
+##### [Add employees to the Enterprise Mode Site List Portal](ie11-deploy-guide/add-employees-enterprise-mode-portal.md)
+#### [Workflow-based processes for employees using the Enterprise Mode Site List Portal](ie11-deploy-guide/workflow-processes-enterprise-mode-portal.md)
+##### [Create a change request using the Enterprise Mode Site List Portal](ie11-deploy-guide/create-change-request-enterprise-mode-portal.md)
+##### [Verify your changes using the Enterprise Mode Site List Portal](ie11-deploy-guide/verify-changes-preprod-enterprise-mode-portal.md)
+##### [Approve a change request using the Enterprise Mode Site List Portal](ie11-deploy-guide/approve-change-request-enterprise-mode-portal.md)
+##### [Schedule approved change requests for production using the Enterprise Mode Site List Portal](ie11-deploy-guide/schedule-production-change-enterprise-mode-portal.md)
+##### [Verify the change request update in the production environment using the Enterprise Mode Site List Portal](ie11-deploy-guide/verify-changes-production-enterprise-mode-portal.md)
+##### [View the apps currently on the Enterprise Mode Site List](ie11-deploy-guide/view-apps-enterprise-mode-site-list.md)
+##### [View the available Enterprise Mode reports from the Enterprise Mode Site List Portal](ie11-deploy-guide/view-enterprise-mode-reports-for-portal.md)
+### [Using IE7 Enterprise Mode or IE8 Enterprise Mode](ie11-deploy-guide/using-enterprise-mode.md)
+### [Fix web compatibility issues using document modes and the Enterprise Mode site list](ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md)
+### [Remove sites from a local Enterprise Mode site list](ie11-deploy-guide/remove-sites-from-a-local-enterprise-mode-site-list.md)
+### [Remove sites from a local compatibility view list](ie11-deploy-guide/remove-sites-from-a-local-compatibililty-view-list.md)
+### [Turn off Enterprise Mode](ie11-deploy-guide/turn-off-enterprise-mode.md)
-##[Group Policy and Internet Explorer 11 (IE11)](ie11-deploy-guide/group-policy-and-ie11.md)
-###[Group Policy management tools](ie11-deploy-guide/group-policy-objects-and-ie11.md)
-####[Group Policy and the Group Policy Management Console (GPMC)](ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11.md)
-####[Group Policy and the Local Group Policy Editor](ie11-deploy-guide/group-policy-and-local-group-policy-editor-ie11.md)
-####[Group Policy and Advanced Group Policy Management (AGPM)](ie11-deploy-guide/group-policy-and-advanced-group-policy-mgmt-ie11.md)
-####[Group Policy and Windows Powershell](ie11-deploy-guide/group-policy-windows-powershell-ie11.md)
-####[Group Policy and Shortcut Extensions](ie11-deploy-guide/group-policy-shortcut-extensions-ie11.md)
-###[New group policy settings for Internet Explorer 11](ie11-deploy-guide/new-group-policy-settings-for-ie11.md)
-###[Set the default browser using Group Policy](ie11-deploy-guide/set-the-default-browser-using-group-policy.md)
-###[ActiveX installation using group policy](ie11-deploy-guide/activex-installation-using-group-policy.md)
-###[Group Policy and compatibility with Internet Explorer 11](ie11-deploy-guide/group-policy-compatibility-with-ie11.md)
-###[Group policy preferences and Internet Explorer 11](ie11-deploy-guide/group-policy-preferences-and-ie11.md)
-###[Administrative templates and Internet Explorer 11](ie11-deploy-guide/administrative-templates-and-ie11.md)
-###[Enable and disable add-ons using administrative templates and group policy](ie11-deploy-guide/enable-and-disable-add-ons-using-administrative-templates-and-group-policy.md)
+## [Group Policy and Internet Explorer 11 (IE11)](ie11-deploy-guide/group-policy-and-ie11.md)
+### [Group Policy management tools](ie11-deploy-guide/group-policy-objects-and-ie11.md)
+#### [Group Policy and the Group Policy Management Console (GPMC)](ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11.md)
+#### [Group Policy and the Local Group Policy Editor](ie11-deploy-guide/group-policy-and-local-group-policy-editor-ie11.md)
+#### [Group Policy and Advanced Group Policy Management (AGPM)](ie11-deploy-guide/group-policy-and-advanced-group-policy-mgmt-ie11.md)
+#### [Group Policy and Windows Powershell](ie11-deploy-guide/group-policy-windows-powershell-ie11.md)
+#### [Group Policy and Shortcut Extensions](ie11-deploy-guide/group-policy-shortcut-extensions-ie11.md)
+### [New group policy settings for Internet Explorer 11](ie11-deploy-guide/new-group-policy-settings-for-ie11.md)
+### [Set the default browser using Group Policy](ie11-deploy-guide/set-the-default-browser-using-group-policy.md)
+### [ActiveX installation using group policy](ie11-deploy-guide/activex-installation-using-group-policy.md)
+### [Group Policy and compatibility with Internet Explorer 11](ie11-deploy-guide/group-policy-compatibility-with-ie11.md)
+### [Group policy preferences and Internet Explorer 11](ie11-deploy-guide/group-policy-preferences-and-ie11.md)
+### [Administrative templates and Internet Explorer 11](ie11-deploy-guide/administrative-templates-and-ie11.md)
+### [Enable and disable add-ons using administrative templates and group policy](ie11-deploy-guide/enable-and-disable-add-ons-using-administrative-templates-and-group-policy.md)
-##[Manage Internet Explorer 11](ie11-deploy-guide/manage-ie11-overview.md)
-###[Auto detect settings Internet Explorer 11](ie11-deploy-guide/auto-detect-settings-for-ie11.md)
-###[Auto configuration settings for Internet Explorer 11](ie11-deploy-guide/auto-configuration-settings-for-ie11.md)
-###[Auto proxy configuration settings for Internet Explorer 11](ie11-deploy-guide/auto-proxy-configuration-settings-for-ie11.md)
+## [Manage Internet Explorer 11](ie11-deploy-guide/manage-ie11-overview.md)
+### [Auto detect settings Internet Explorer 11](ie11-deploy-guide/auto-detect-settings-for-ie11.md)
+### [Auto configuration settings for Internet Explorer 11](ie11-deploy-guide/auto-configuration-settings-for-ie11.md)
+### [Auto proxy configuration settings for Internet Explorer 11](ie11-deploy-guide/auto-proxy-configuration-settings-for-ie11.md)
-##[Troubleshoot Internet Explorer 11 (IE11)](ie11-deploy-guide/troubleshoot-ie11.md)
-###[Setup problems with Internet Explorer 11](ie11-deploy-guide/setup-problems-with-ie11.md)
-###[Install problems with Internet Explorer 11](ie11-deploy-guide/install-problems-with-ie11.md)
-###[Problems after installing Internet Explorer 11](ie11-deploy-guide/problems-after-installing-ie11.md)
-###[Auto configuration and auto proxy problems with Internet Explorer 11](ie11-deploy-guide/auto-configuration-and-auto-proxy-problems-with-ie11.md)
-###[User interface problems with Internet Explorer 11](ie11-deploy-guide/user-interface-problems-with-ie11.md)
-###[Group Policy problems with Internet Explorer 11](ie11-deploy-guide/group-policy-problems-ie11.md)
-###[.NET Framework problems with Internet Explorer 11](ie11-deploy-guide/net-framework-problems-with-ie11.md)
-###[Enhanced Protected Mode problems with Internet Explorer](ie11-deploy-guide/enhanced-protected-mode-problems-with-ie11.md)
-###[Fix font rendering problems by turning off natural metrics](ie11-deploy-guide/turn-off-natural-metrics.md)
-###[Intranet problems with Internet Explorer 11](ie11-deploy-guide/intranet-problems-and-ie11.md)
-###[Browser cache changes and roaming profiles](ie11-deploy-guide/browser-cache-changes-and-roaming-profiles.md)
+## [Troubleshoot Internet Explorer 11 (IE11)](ie11-deploy-guide/troubleshoot-ie11.md)
+### [Setup problems with Internet Explorer 11](ie11-deploy-guide/setup-problems-with-ie11.md)
+### [Install problems with Internet Explorer 11](ie11-deploy-guide/install-problems-with-ie11.md)
+### [Problems after installing Internet Explorer 11](ie11-deploy-guide/problems-after-installing-ie11.md)
+### [Auto configuration and auto proxy problems with Internet Explorer 11](ie11-deploy-guide/auto-configuration-and-auto-proxy-problems-with-ie11.md)
+### [User interface problems with Internet Explorer 11](ie11-deploy-guide/user-interface-problems-with-ie11.md)
+### [Group Policy problems with Internet Explorer 11](ie11-deploy-guide/group-policy-problems-ie11.md)
+### [.NET Framework problems with Internet Explorer 11](ie11-deploy-guide/net-framework-problems-with-ie11.md)
+### [Enhanced Protected Mode problems with Internet Explorer](ie11-deploy-guide/enhanced-protected-mode-problems-with-ie11.md)
+### [Fix font rendering problems by turning off natural metrics](ie11-deploy-guide/turn-off-natural-metrics.md)
+### [Intranet problems with Internet Explorer 11](ie11-deploy-guide/intranet-problems-and-ie11.md)
+### [Browser cache changes and roaming profiles](ie11-deploy-guide/browser-cache-changes-and-roaming-profiles.md)
-##[Out-of-date ActiveX control blocking](ie11-deploy-guide/out-of-date-activex-control-blocking.md)
-###[Blocked out-of-date ActiveX controls](ie11-deploy-guide/blocked-out-of-date-activex-controls.md)
+## [Out-of-date ActiveX control blocking](ie11-deploy-guide/out-of-date-activex-control-blocking.md)
+### [Blocked out-of-date ActiveX controls](ie11-deploy-guide/blocked-out-of-date-activex-controls.md)
-##[Deprecated document modes and Internet Explorer 11](ie11-deploy-guide/deprecated-document-modes.md)
+## [Deprecated document modes and Internet Explorer 11](ie11-deploy-guide/deprecated-document-modes.md)
-##[What is the Internet Explorer 11 Blocker Toolkit?](ie11-deploy-guide/what-is-the-internet-explorer-11-blocker-toolkit.md)
-###[Internet Explorer 11 delivery through automatic updates](ie11-deploy-guide/ie11-delivery-through-automatic-updates.md)
-###[Internet Explorer 11 Blocker Toolkit FAQ](ie11-faq/faq-ie11-blocker-toolkit.md)
+## [What is the Internet Explorer 11 Blocker Toolkit?](ie11-deploy-guide/what-is-the-internet-explorer-11-blocker-toolkit.md)
+### [Internet Explorer 11 delivery through automatic updates](ie11-deploy-guide/ie11-delivery-through-automatic-updates.md)
+### [Internet Explorer 11 Blocker Toolkit FAQ](ie11-faq/faq-ie11-blocker-toolkit.md)
-##[Missing Internet Explorer Maintenance settings for Internet Explorer 11](ie11-deploy-guide/missing-internet-explorer-maintenance-settings-for-ie11.md)
+## [Missing Internet Explorer Maintenance settings for Internet Explorer 11](ie11-deploy-guide/missing-internet-explorer-maintenance-settings-for-ie11.md)
-##[Missing the Compatibility View Button](ie11-deploy-guide/missing-the-compatibility-view-button.md)
+## [Missing the Compatibility View Button](ie11-deploy-guide/missing-the-compatibility-view-button.md)
-##[Deploy pinned websites using Microsoft Deployment Toolkit (MDT) 2013](ie11-deploy-guide/deploy-pinned-sites-using-mdt-2013.md)
+## [Deploy pinned websites using Microsoft Deployment Toolkit (MDT) 2013](ie11-deploy-guide/deploy-pinned-sites-using-mdt-2013.md)
-#[IE11 Frequently Asked Questions (FAQ) Guide for IT Pros](ie11-faq/faq-for-it-pros-ie11.md)
+# [IE11 Frequently Asked Questions (FAQ) Guide for IT Pros](ie11-faq/faq-for-it-pros-ie11.md)
-#[Internet Explorer Administration Kit 11 (IEAK 11) - Administration Guide for IT Pros](ie11-ieak/index.md)
-##[What IEAK can do for you](ie11-ieak/what-ieak-can-do-for-you.md)
-##[Internet Explorer Administration Kit (IEAK) information and downloads](ie11-ieak/ieak-information-and-downloads.md)
-##[Before you start using IEAK 11](ie11-ieak/before-you-create-custom-pkgs-ieak11.md)
-###[Hardware and software requirements for IEAK 11](ie11-ieak/hardware-and-software-reqs-ieak11.md)
-###[Determine the licensing version and features to use in IEAK 11](ie11-ieak/licensing-version-and-features-ieak11.md)
-###[Security features and IEAK 11](ie11-ieak/security-and-ieak11.md)
-###[File types used or created by IEAK 11](ie11-ieak/file-types-ieak11.md)
-###[Tasks and references to consider before creating and deploying custom packages using IEAK 11](ie11-ieak/create-manage-deploy-custom-pkgs-ieak11.md)
-###[Create the build computer folder structure using IEAK 11](ie11-ieak/create-build-folder-structure-ieak11.md)
-###[Set up auto detection for DHCP or DNS servers using IEAK 11](ie11-ieak/auto-detection-dhcp-or-dns-servers-ieak11.md)
-###[Use proxy auto-configuration (.pac) files with IEAK 11](ie11-ieak/proxy-auto-config-examples.md)
-###[Customize the toolbar button and Favorites List icons using IEAK 11](ie11-ieak/guidelines-toolbar-and-favorites-list-ieak11.md)
-###[Use the uninstallation .INF files to uninstall custom components](ie11-ieak/create-uninstall-inf-files-for-custom-components.md)
-###[Add and approve ActiveX controls using the IEAK 11](ie11-ieak/add-and-approve-activex-controls-ieak11.md)
-###[Register an uninstall app for custom components using IEAK 11](ie11-ieak/register-uninstall-app-ieak11.md)
-###[Customize Automatic Search for Internet Explorer using IEAK 11](ie11-ieak/customize-automatic-search-for-ie.md)
-###[Create multiple versions of your custom package using IEAK 11](ie11-ieak/create-multiple-browser-packages-ieak11.md)
-###[Before you install your package over your network using IEAK 11](ie11-ieak/prep-network-install-with-ieak11.md)
-###[Use the RSoP snap-in to review policy settings](ie11-ieak/rsop-snapin-for-policy-settings-ieak11.md)
-###[IEAK 11 - Frequently Asked Questions](ie11-faq/faq-ieak11.md)
-###[Troubleshoot custom package and IEAK 11 problems](ie11-ieak/troubleshooting-custom-browser-pkg-ieak11.md)
+# [Internet Explorer Administration Kit 11 (IEAK 11) - Administration Guide for IT Pros](ie11-ieak/index.md)
+## [What IEAK can do for you](ie11-ieak/what-ieak-can-do-for-you.md)
+## [Internet Explorer Administration Kit (IEAK) information and downloads](ie11-ieak/ieak-information-and-downloads.md)
+## [Before you start using IEAK 11](ie11-ieak/before-you-create-custom-pkgs-ieak11.md)
+### [Hardware and software requirements for IEAK 11](ie11-ieak/hardware-and-software-reqs-ieak11.md)
+### [Determine the licensing version and features to use in IEAK 11](ie11-ieak/licensing-version-and-features-ieak11.md)
+### [Security features and IEAK 11](ie11-ieak/security-and-ieak11.md)
+### [File types used or created by IEAK 11](ie11-ieak/file-types-ieak11.md)
+### [Tasks and references to consider before creating and deploying custom packages using IEAK 11](ie11-ieak/create-manage-deploy-custom-pkgs-ieak11.md)
+### [Create the build computer folder structure using IEAK 11](ie11-ieak/create-build-folder-structure-ieak11.md)
+### [Set up auto detection for DHCP or DNS servers using IEAK 11](ie11-ieak/auto-detection-dhcp-or-dns-servers-ieak11.md)
+### [Use proxy auto-configuration (.pac) files with IEAK 11](ie11-ieak/proxy-auto-config-examples.md)
+### [Customize the toolbar button and Favorites List icons using IEAK 11](ie11-ieak/guidelines-toolbar-and-favorites-list-ieak11.md)
+### [Use the uninstallation .INF files to uninstall custom components](ie11-ieak/create-uninstall-inf-files-for-custom-components.md)
+### [Add and approve ActiveX controls using the IEAK 11](ie11-ieak/add-and-approve-activex-controls-ieak11.md)
+### [Register an uninstall app for custom components using IEAK 11](ie11-ieak/register-uninstall-app-ieak11.md)
+### [Customize Automatic Search for Internet Explorer using IEAK 11](ie11-ieak/customize-automatic-search-for-ie.md)
+### [Create multiple versions of your custom package using IEAK 11](ie11-ieak/create-multiple-browser-packages-ieak11.md)
+### [Before you install your package over your network using IEAK 11](ie11-ieak/prep-network-install-with-ieak11.md)
+### [Use the RSoP snap-in to review policy settings](ie11-ieak/rsop-snapin-for-policy-settings-ieak11.md)
+### [IEAK 11 - Frequently Asked Questions](ie11-faq/faq-ieak11.md)
+### [Troubleshoot custom package and IEAK 11 problems](ie11-ieak/troubleshooting-custom-browser-pkg-ieak11.md)
-##[Internet Explorer Administration Kit 11 (IEAK 11) Customization Wizard options](ie11-ieak/ieak11-wizard-custom-options.md)
-###[Use the File Locations page in the IEAK 11 Wizard](ie11-ieak/file-locations-ieak11-wizard.md)
-###[Use the Platform Selection page in the IEAK 11 Wizard](ie11-ieak/platform-selection-ieak11-wizard.md)
-###[Use the Language Selection page in the IEAK 11 Wizard](ie11-ieak/language-selection-ieak11-wizard.md)
-###[Use the Package Type Selection page in the IEAK 11 Wizard](ie11-ieak/pkg-type-selection-ieak11-wizard.md)
-###[Use the Feature Selection page in the IEAK 11 Wizard](ie11-ieak/feature-selection-ieak11-wizard.md)
-###[Use the Automatic Version Synchronization page in the IEAK 11 Wizard](ie11-ieak/auto-version-sync-ieak11-wizard.md)
-###[Use the Custom Components page in the IEAK 11 Wizard](ie11-ieak/custom-components-ieak11-wizard.md)
-###[Use the Internal Install page in the IEAK 11 Wizard](ie11-ieak/internal-install-ieak11-wizard.md)
-###[Use the User Experience page in the IEAK 11 Wizard](ie11-ieak/user-experience-ieak11-wizard.md)
-###[Use the Browser User Interface page in the IEAK 11 Wizard](ie11-ieak/browser-ui-ieak11-wizard.md)
-###[Use the Search Providers page in the IEAK 11 Wizard](ie11-ieak/search-providers-ieak11-wizard.md)
-###[Use the Important URLs - Home Page and Support page in the IEAK 11 Wizard](ie11-ieak/important-urls-home-page-and-support-ieak11-wizard.md)
-###[Use the Accelerators page in the IEAK 11 Wizard](ie11-ieak/accelerators-ieak11-wizard.md)
-###[Use the Favorites, Favorites Bar, and Feeds page in the IEAK 11 Wizard](ie11-ieak/favorites-favoritesbar-and-feeds-ieak11-wizard.md)
-###[Use the Browsing Options page in the IEAK 11 Wizard](ie11-ieak/browsing-options-ieak11-wizard.md)
-###[Use the First Run Wizard and Welcome Page Options page in the IEAK 11 Wizard](ie11-ieak/first-run-and-welcome-page-ieak11-wizard.md)
-###[Use the Compatibility View page in the IEAK 11 Wizard](ie11-ieak/compat-view-ieak11-wizard.md)
-###[Use the Connection Manager page in the IEAK 11 Wizard](ie11-ieak/connection-mgr-ieak11-wizard.md)
-###[Use the Connection Settings page in the IEAK 11 Wizard](ie11-ieak/connection-settings-ieak11-wizard.md)
-###[Use the Automatic Configuration page in the IEAK 11 Wizard](ie11-ieak/auto-config-ieak11-wizard.md)
-###[Use the Proxy Settings page in the IEAK 11 Wizard](ie11-ieak/proxy-settings-ieak11-wizard.md)
-###[Use the Security and Privacy Settings page in the IEAK 11 Wizard](ie11-ieak/security-and-privacy-settings-ieak11-wizard.md)
-###[Use the Add a Root Certificate page in the IEAK 11 Wizard](ie11-ieak/add-root-certificate-ieak11-wizard.md)
-###[Use the Programs page in the IEAK 11 Wizard](ie11-ieak/programs-ieak11-wizard.md)
-###[Use the Additional Settings page in the IEAK 11 Wizard](ie11-ieak/additional-settings-ieak11-wizard.md)
-###[Use the Wizard Complete - Next Steps page in the IEAK 11 Wizard](ie11-ieak/wizard-complete-ieak11-wizard.md)
+## [Internet Explorer Administration Kit 11 (IEAK 11) Customization Wizard options](ie11-ieak/ieak11-wizard-custom-options.md)
+### [Use the File Locations page in the IEAK 11 Wizard](ie11-ieak/file-locations-ieak11-wizard.md)
+### [Use the Platform Selection page in the IEAK 11 Wizard](ie11-ieak/platform-selection-ieak11-wizard.md)
+### [Use the Language Selection page in the IEAK 11 Wizard](ie11-ieak/language-selection-ieak11-wizard.md)
+### [Use the Package Type Selection page in the IEAK 11 Wizard](ie11-ieak/pkg-type-selection-ieak11-wizard.md)
+### [Use the Feature Selection page in the IEAK 11 Wizard](ie11-ieak/feature-selection-ieak11-wizard.md)
+### [Use the Automatic Version Synchronization page in the IEAK 11 Wizard](ie11-ieak/auto-version-sync-ieak11-wizard.md)
+### [Use the Custom Components page in the IEAK 11 Wizard](ie11-ieak/custom-components-ieak11-wizard.md)
+### [Use the Internal Install page in the IEAK 11 Wizard](ie11-ieak/internal-install-ieak11-wizard.md)
+### [Use the User Experience page in the IEAK 11 Wizard](ie11-ieak/user-experience-ieak11-wizard.md)
+### [Use the Browser User Interface page in the IEAK 11 Wizard](ie11-ieak/browser-ui-ieak11-wizard.md)
+### [Use the Search Providers page in the IEAK 11 Wizard](ie11-ieak/search-providers-ieak11-wizard.md)
+### [Use the Important URLs - Home Page and Support page in the IEAK 11 Wizard](ie11-ieak/important-urls-home-page-and-support-ieak11-wizard.md)
+### [Use the Accelerators page in the IEAK 11 Wizard](ie11-ieak/accelerators-ieak11-wizard.md)
+### [Use the Favorites, Favorites Bar, and Feeds page in the IEAK 11 Wizard](ie11-ieak/favorites-favoritesbar-and-feeds-ieak11-wizard.md)
+### [Use the Browsing Options page in the IEAK 11 Wizard](ie11-ieak/browsing-options-ieak11-wizard.md)
+### [Use the First Run Wizard and Welcome Page Options page in the IEAK 11 Wizard](ie11-ieak/first-run-and-welcome-page-ieak11-wizard.md)
+### [Use the Compatibility View page in the IEAK 11 Wizard](ie11-ieak/compat-view-ieak11-wizard.md)
+### [Use the Connection Manager page in the IEAK 11 Wizard](ie11-ieak/connection-mgr-ieak11-wizard.md)
+### [Use the Connection Settings page in the IEAK 11 Wizard](ie11-ieak/connection-settings-ieak11-wizard.md)
+### [Use the Automatic Configuration page in the IEAK 11 Wizard](ie11-ieak/auto-config-ieak11-wizard.md)
+### [Use the Proxy Settings page in the IEAK 11 Wizard](ie11-ieak/proxy-settings-ieak11-wizard.md)
+### [Use the Security and Privacy Settings page in the IEAK 11 Wizard](ie11-ieak/security-and-privacy-settings-ieak11-wizard.md)
+### [Use the Add a Root Certificate page in the IEAK 11 Wizard](ie11-ieak/add-root-certificate-ieak11-wizard.md)
+### [Use the Programs page in the IEAK 11 Wizard](ie11-ieak/programs-ieak11-wizard.md)
+### [Use the Additional Settings page in the IEAK 11 Wizard](ie11-ieak/additional-settings-ieak11-wizard.md)
+### [Use the Wizard Complete - Next Steps page in the IEAK 11 Wizard](ie11-ieak/wizard-complete-ieak11-wizard.md)
-##[Using Internet Settings (.INS) files with IEAK 11](ie11-ieak/using-internet-settings-ins-files.md)
-###[Use the Branding .INS file to create custom branding and setup info](ie11-ieak/branding-ins-file-setting.md)
-###[Use the BrowserToolbars .INS file to customize the Internet Explorer toolbar](ie11-ieak/browsertoolbars-ins-file-setting.md)
-###[Use the CabSigning .INS file to review the digital signatures for your apps](ie11-ieak/cabsigning-ins-file-setting.md)
-###[Use the ConnectionSettings .INS file to review the network connections for install](ie11-ieak/connectionsettings-ins-file-setting.md)
-###[Use the CustomBranding .INS file to specify the custom branding location](ie11-ieak/custombranding-ins-file-setting.md)
-###[Use the ExtRegInf .INS file to specify installation files and mode](ie11-ieak/extreginf-ins-file-setting.md)
-###[Use the FavoritesEx .INS file for your Favorites icon and URLs](ie11-ieak/favoritesex-ins-file-setting.md)
-###[Use the HideCustom .INS file to hide GUIDs](ie11-ieak/hidecustom-ins-file-setting.md)
-###[Use the ISP_Security .INS file to add your root certificate](ie11-ieak/isp-security-ins-file-setting.md)
-###[Use the Media .INS file to specify your install media](ie11-ieak/media-ins-file-setting.md)
-###[Use the Proxy .INS file to specify a proxy server](ie11-ieak/proxy-ins-file-setting.md)
-###[Use the Security Imports .INS file to import security info](ie11-ieak/security-imports-ins-file-setting.md)
-###[Use the URL .INS file to use an auto-configured proxy server](ie11-ieak/url-ins-file-setting.md)
+## [Using Internet Settings (.INS) files with IEAK 11](ie11-ieak/using-internet-settings-ins-files.md)
+### [Use the Branding .INS file to create custom branding and setup info](ie11-ieak/branding-ins-file-setting.md)
+### [Use the BrowserToolbars .INS file to customize the Internet Explorer toolbar](ie11-ieak/browsertoolbars-ins-file-setting.md)
+### [Use the CabSigning .INS file to review the digital signatures for your apps](ie11-ieak/cabsigning-ins-file-setting.md)
+### [Use the ConnectionSettings .INS file to review the network connections for install](ie11-ieak/connectionsettings-ins-file-setting.md)
+### [Use the CustomBranding .INS file to specify the custom branding location](ie11-ieak/custombranding-ins-file-setting.md)
+### [Use the ExtRegInf .INS file to specify installation files and mode](ie11-ieak/extreginf-ins-file-setting.md)
+### [Use the FavoritesEx .INS file for your Favorites icon and URLs](ie11-ieak/favoritesex-ins-file-setting.md)
+### [Use the HideCustom .INS file to hide GUIDs](ie11-ieak/hidecustom-ins-file-setting.md)
+### [Use the ISP_Security .INS file to add your root certificate](ie11-ieak/isp-security-ins-file-setting.md)
+### [Use the Media .INS file to specify your install media](ie11-ieak/media-ins-file-setting.md)
+### [Use the Proxy .INS file to specify a proxy server](ie11-ieak/proxy-ins-file-setting.md)
+### [Use the Security Imports .INS file to import security info](ie11-ieak/security-imports-ins-file-setting.md)
+### [Use the URL .INS file to use an auto-configured proxy server](ie11-ieak/url-ins-file-setting.md)
-##[IExpress Wizard for Windows Server 2008 R2 with SP1](ie11-ieak/iexpress-wizard-for-win-server.md)
-###[IExpress Wizard command-line options](ie11-ieak/iexpress-command-line-options.md)
-###[Internet Explorer Setup command-line options and return codes](ie11-ieak/ie-setup-command-line-options-and-return-codes.md)
+## [IExpress Wizard for Windows Server 2008 R2 with SP1](ie11-ieak/iexpress-wizard-for-win-server.md)
+### [IExpress Wizard command-line options](ie11-ieak/iexpress-command-line-options.md)
+### [Internet Explorer Setup command-line options and return codes](ie11-ieak/ie-setup-command-line-options-and-return-codes.md)
diff --git a/browsers/internet-explorer/docfx.json b/browsers/internet-explorer/docfx.json
index 153f4be5f1..934ad0e5f6 100644
--- a/browsers/internet-explorer/docfx.json
+++ b/browsers/internet-explorer/docfx.json
@@ -24,10 +24,11 @@
"globalMetadata": {
"breadcrumb_path": "/internet-explorer/breadcrumb/toc.json",
"ROBOTS": "INDEX, FOLLOW",
- "ms.author": "shortpatti",
- "author": "eross-msft",
+ "audience": "ITPro",
"ms.technology": "internet-explorer",
+ "ms.prod": "ie11",
"ms.topic": "article",
+ "manager": "laurawi",
"ms.date": "04/05/2017",
"feedback_system": "GitHub",
"feedback_github_repo": "MicrosoftDocs/windows-itpro-docs",
diff --git a/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-install-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-install-ie11.md
index a430073e9d..563f38160c 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-install-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-install-ie11.md
@@ -25,7 +25,7 @@ Before you install Internet Explorer 11, you should:
- **Choose how you'll deploy your installation package.** Your deployment method should be based on whether you're installing to computers already running Windows, or if you're deploying IE11 as part of a Windows installation.
- - **Existing computers running Windows.** Use System Center R2 2012 System Center 2012 R2 Configuration Manager, System Center Essentials 2010, Windows Server Updates Services (WSUS), or Microsoft Intune to deploy IE11. For more information about how to use these systems, see [System Center 2012 R2 Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkID=276664), [System Center Essentials 2010](https://go.microsoft.com/fwlink/p/?LinkId=395200), [Windows Server Update Services](https://go.microsoft.com/fwlink/p/?LinkID=276790), and [Microsoft Intune Overview](https://www.microsoft.com/en-us/cloud-platform/microsoft-intune).
+ - **Existing computers running Windows.** Use System Center R2 2012 System Center 2012 R2 Configuration Manager, System Center Essentials 2010, Windows Server Updates Services (WSUS), or Microsoft Intune to deploy IE11. For more information about how to use these systems, see [System Center 2012 R2 Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkID=276664), [System Center Essentials 2010](https://go.microsoft.com/fwlink/p/?LinkId=395200), [Windows Server Update Services](https://go.microsoft.com/fwlink/p/?LinkID=276790), and [Microsoft Intune Overview](https://www.microsoft.com/cloud-platform/microsoft-intune).
- **As part of a Windows deployment.** Update your Windows images to include IE11, and then add the update to your MDT deployment share or to your Windows image. For instructions about how to create and use Windows images, see [Create and Manage a Windows Image Using DISM](https://go.microsoft.com/fwlink/p/?LinkId=299408). For general information about deploying IE, see [Microsoft Deployment Toolkit (MDT)](https://go.microsoft.com/fwlink/p/?LinkId=331148), [Windows ADK Overview](https://go.microsoft.com/fwlink/p/?LinkId=276669).
diff --git a/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md b/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md
index aaabccc9ae..12049fdcb9 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md
@@ -1,482 +1,483 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-description: Use Internet Explorer to collect data on computers running Windows Internet Explorer 8 through Internet Explorer 11 on Windows 10, Windows 8.1, or Windows 7.
-author: dansimp
-ms.prod: ie11
-ms.assetid: a145e80f-eb62-4116-82c4-3cc35fd064b6
-ms.reviewer:
-audience: itpro
manager: dansimp
-ms.author: dansimp
-title: Collect data using Enterprise Site Discovery
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-# Collect data using Enterprise Site Discovery
-
-**Applies to:**
-
-- Windows 10
-- Windows 8.1
-- Windows 7 with Service Pack 1 (SP1)
-
-Use Internet Explorer to collect data on computers running Windows Internet Explorer 8 through Internet Explorer 11 on Windows 10, Windows 8.1, or Windows 7. This inventory information helps you build a list of websites used by your company so you can make more informed decisions about your IE deployments, including figuring out which sites might be at risk or require overhauls during future upgrades.
-
->**Upgrade Readiness and Windows upgrades**
->You can use Upgrade Readiness to help manage your Windows 10 upgrades on devices running Windows 8.1 and Windows 7 (SP1). You can also use Upgrade Readiness to review several site discovery reports. For more information, see [Manage Windows upgrades with Upgrade Readiness](https://docs.microsoft.com/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness).
-
-
-## Before you begin
-Before you start, you need to make sure you have the following:
-
-- Latest cumulative security update (for all supported versions of Internet Explorer):
-
- 1. Go to the [Microsoft Security Bulletin](https://go.microsoft.com/fwlink/p/?LinkID=718223) page, and change the filter to **Windows Internet Explorer 11**.
-
- 
-
- 2. Click the title of the latest cumulative security update, and then scroll down to the **Affected software** table.
-
- 
-
- 3. Click the link that represents both your operating system version and Internet Explorer 11, and then follow the instructions in the **How to get this update** section.
-
-- [Setup and configuration package](https://go.microsoft.com/fwlink/p/?LinkId=517719), including:
-
- - Configuration-related PowerShell scripts
-
- - IETelemetry.mof file
-
- - Sample System Center 2012 report templates
-
- You must use System Center 2012 R2 Configuration Manager or later for these samples to work.
-
-Both the PowerShell script and the Managed Object Format (.MOF) file need to be copied to the same location on the client device, before you run the scripts.
-
-## What data is collected?
-Data is collected on the configuration characteristics of IE and the sites it browses, as shown here.
-
-|Data point |IE11 |IE10 |IE9 |IE8 |Description |
-|------------------------|-----|-----|-----|-----|------------------------------------------------------------------------|
-|URL | X | X | X | X |URL of the browsed site, including any parameters included in the URL. |
-|Domain | X | X | X | X |Top-level domain of the browsed site. |
-|ActiveX GUID | X | X | X | X |GUID of the ActiveX controls loaded by the site. |
-|Document mode | X | X | X | X |Document mode used by IE for a site, based on page characteristics. |
-|Document mode reason | X | X | | |The reason why a document mode was set by IE. |
-|Browser state reason | X | X | | |Additional information about why the browser is in its current state. Also called, browser mode. |
-|Hang count | X | X | X | X |Number of visits to the URL when the browser hung. |
-|Crash count | X | X | X | X |Number of visits to the URL when the browser crashed. |
-|Most recent navigation failure (and count) | X | X | X | X |Description of the most recent navigation failure (like, a 404 bad request or 500 internal server error) and the number of times it happened. |
-|Number of visits | X | X | X | X |Number of times a site has been visited. |
-|Zone | X | X | X | X |Zone used by IE to browse sites, based on browser settings. |
-
-
->**Important**
By default, IE doesn’t collect this data; you have to turn this feature on if you want to use it. After you turn on this feature, data is collected on all sites visited by IE, except during InPrivate sessions. Additionally, the data collection process is silent, so there’s no notification to the employee. Therefore, you must get consent from the employee before you start collecting info. You must also make sure that using this feature complies with all applicable local laws and regulatory requirements.
-
-### Understanding the returned reason codes
-The following tables provide more info about the Document mode reason, Browser state reason, and the Zone codes that are returned as part of your data collection.
-
-#### DocMode reason
-The codes in this table can tell you what document mode was set by IE for a webpage.
These codes only apply to Internet Explorer 10 and Internet Explorer 11.
-
-|Code |Description |
-|-----|------------|
-|3 |Page state is set by the `FEATURE_DOCUMENT_COMPATIBLE_MODE` feature control key.|
-|4 |Page is using an X-UA-compatible meta tag. |
-|5 |Page is using an X-UA-compatible HTTP header. |
-|6 |Page appears on an active **Compatibility View** list. |
-|7 |Page is using native XML parsing. |
-|8 |Page is using a special Quirks Mode Emulation (QME) mode that uses the modern layout engine, but the quirks behavior of Internet Explorer 5. |
-|9 |Page state is set by the browser mode and the page's DOCTYPE.|
-
-#### Browser state reason
-The codes in this table can tell you why the browser is in its current state. Also called “browser mode”.
These codes only apply to Internet Explorer 10 and Internet Explorer 11.
-
-|Code |Description |
-|-----|------------|
-|1 |Site is on the intranet, with the **Display intranet sites in Compatibility View** box checked. |
-|2 |Site appears on an active **Compatibility View** list, created in Group Policy. |
-|3 |Site appears on an active **Compatibility View** list, created by the user. |
-|4 |Page is using an X-UA-compatible tag. |
-|5 |Page state is set by the **Developer** toolbar. |
-|6 |Page state is set by the `FEATURE_BROWSER_EMULATION` feature control key. |
-|7 |Site appears on the Microsoft **Compatibility View (CV)** list. |
-|8 |Site appears on the **Quirks** list, created in Group Policy. |
-|11 |Site is using the default browser. |
-
-#### Zone
-The codes in this table can tell you what zone is being used by IE to browse sites, based on browser settings.
These codes apply to Internet Explorer 8, Internet Explorer 9, Internet Explorer 10, and Internet Explorer 11.
-
-|Code |Description |
-|-----|------------|
-|-1 |Internet Explorer is using an invalid zone. |
-|0 |Internet Explorer is using the Local machine zone. |
-|1 |Internet Explorer is using the Local intranet zone. |
-|2 |Internet Explorer is using the Trusted sites zone. |
-|3 |Internet Explorer is using the Internet zone. |
-|4 |Internet Explorer is using the Restricted sites zone. |
-
-## Where is the data stored and how do I collect it?
-The data is stored locally, in an industry-standard WMI class, .MOF file or in an XML file, depending on your configuration. This file remains on the client computer until it’s collected. To collect the files, we recommend:
-
-- **WMI file**. Use Microsoft Configuration Manager or any agent that can read the contents of a WMI class on your computer.
-
-- **XML file**. Any agent that works with XML can be used.
-
-## WMI Site Discovery suggestions
-We recommend that you collect your data for at most a month at a time, to capture a user’s typical workflow. We don’t recommend collecting data longer than that because the data is stored in a WMI provider and can fill up your computer’s hard drive. You may also want to collect data only for pilot users or a representative sample of people, instead of turning this feature on for everyone in your company.
-
-On average, a website generates about 250bytes of data for each visit, causing only a minor impact to Internet Explorer’s performance. Over the course of a month, collecting data from 20 sites per day from 1,000 users, you’ll get about 150MB of data:
The data collection process is silent, so there’s no notification to the employee. Therefore, you must get consent from the employee before you start collecting info. You must also make sure that using this feature complies with all applicable local laws and regulatory requirements.
-
-## Getting ready to use Enterprise Site Discovery
-Before you can start to collect your data, you must run the provided PowerShell script (IETelemetrySetUp.ps1) on your client devices to start generating the site discovery data and to set up a place to store this data locally. Then, you must start collecting the site discovery data from the client devices, using one of these three options:
-
-- Collect your hardware inventory using the MOF Editor, while connecting to a client device.
You must run this script if you’re using WMI as your data output. It's not necessary if you're using XML as your data output.
-
-**To set up Enterprise Site Discovery**
-
-- Start PowerShell in elevated mode (using admin privileges) and run IETelemetrySetUp.ps1 by by-passing the PowerShell execution policy, using this command: `powershell -ExecutionPolicy Bypass .\IETelemetrySetUp.ps1`. For more info, see [about Execution Policies](https://go.microsoft.com/fwlink/p/?linkid=517460).
-
-### WMI only: Set up your firewall for WMI data
-If you choose to use WMI as your data output, you need to make sure that your WMI data can travel through your firewall for the domain. If you’re sure, you can skip this section; otherwise, follow these steps:
-
-**To set up your firewall**
-
-1. In **Control Panel**, click **System and Security**, and then click **Windows Firewall**.
-
-2. In the left pane, click **Allow an app or feature through Windows Firewall** and scroll down to check the box for **Windows Management Instrumentation (WMI)**.
-
-3. Restart your computer to start collecting your WMI data.
-
-## Use PowerShell to finish setting up Enterprise Site Discovery
-You can determine which zones or domains are used for data collection, using PowerShell. If you don’t want to use PowerShell, you can do this using Group Policy. For more info, see [Use Group Policy to finish setting up Enterprise Site Discovery](#use-group-policy-to-finish-setting-up-enterprise-site-discovery).
-
->**Important**
The .ps1 file updates turn on Enterprise Site Discovery and WMI collection for all users on a device.
-
-- **Domain allow list.** If you have a domain allow list, a comma-separated list of domains that should have this feature turned on, you should use this process.
-
-- **Zone allow list.** If you have a zone allow list, a comma-separated list of zones that should have this feature turned on, you should use this process.
-
-**To set up data collection using a domain allow list**
-
- - Start PowerShell in elevated mode (using admin privileges) and run IETelemetrySetUp.ps1, using this command: `.\IETelemetrySetUp.ps1 [other args] -SiteAllowList sharepoint.com,outlook.com,onedrive.com`.
-
- >**Important**
Wildcards, like \*.microsoft.com, aren’t supported.
-
-**To set up data collection using a zone allow list**
-
- - Start PowerShell in elevated mode (using admin privileges) and run IETelemetrySetUp.ps1, using this command: `.\IETelemetrySetUp.ps1 [other args] -ZoneAllowList Computer,Intranet,TrustedSites,Internet,RestrictedSites`.
-
- >**Important**
Only Computer, Intranet, TrustedSites, Internet, and RestrictedSites are supported.
-
-## Use Group Policy to finish setting up Enterprise Site Discovery
-You can use Group Policy to finish setting up Enterprise Site Discovery. If you don’t want to use Group Policy, you can do this using PowerShell. For more info, see [Use Powershell to finish setting up Enterprise Site Discovery](#use-powershell-to-finish-setting-up-enterprise-site-discovery).
-
->**Note**
All of the Group Policy settings can be used individually or as a group.
-
- **To set up Enterprise Site Discovery using Group Policy**
-
-- Open your Group Policy editor, and go to these new settings:
-
- |Setting name and location |Description |Options |
- |---------------------------|-------------|---------|
- |Administrative Templates\Windows Components\Internet Explorer\Turn on Site Discovery WMI output |Writes collected data to a WMI class, which can be aggregated using a client-management solution like Configuration Manager. |
|
- |Administrative Templates\Windows Components\Internet Explorer\Turn on Site Discovery XML output |Writes collected data to an XML file, which is stored in your specified location. |
|
- |Administrative Templates\Windows Components\Internet Explorer\Limit Site Discovery output by Zone |Manages which zone can collect data. |To specify which zones can collect data, you must include a binary number that represents your selected zones, based on this order:
0 – Internet zone
0 – Trusted Sites zone
0 – Local Intranet zone
0 – Local Machine zone
0 – Internet zone
0 – Trusted Sites zone
1 – Local Intranet zone
0 – Local Machine zone
0 – Internet zone
1 – Trusted Sites zone
1 – Local Intranet zone
1 – Local Machine zone |
- |Administrative Templates\Windows Components\Internet Explorer\Limit Site Discovery output by domain |Manages which domains can collect data |To specify which domains can collect data, you must include your selected domains, one domain per line, in the provided box. It should look like:
outlook.com
onedrive.com
timecard.contoso.com
LOBApp.contoso.com |
-
-### Combining WMI and XML Group Policy settings
-You can use both the WMI and XML settings individually or together:
-
-**To turn off Enterprise Site Discovery**
-
-
-
-**Turn on WMI recording only**
-
-
- Setting name
- Option
-
-
- Turn on Site Discovery WMI output
- Off
-
-
-Turn on Site Discovery XML output
- Blank
-
-
-
-**To turn on XML recording only**
-
-
- Setting name
- Option
-
-
- Turn on Site Discovery WMI output
- On
-
-
-Turn on Site Discovery XML output
- Blank
-
-
-
-To turn on both WMI and XML recording
-
-
- Setting name
- Option
-
-
- Turn on Site Discovery WMI output
- Off
-
-
-Turn on Site Discovery XML output
- XML file path
-
-
-
-## Use Configuration Manager to collect your data
-After you’ve collected your data, you’ll need to get the local files off of your employee’s computers. To do this, use the hardware inventory process in Configuration Manager, using one of these options:
-
-- Collect your hardware inventory using the MOF Editor, while connecting to a client device.
-
- Setting name
- Option
-
-
- Turn on Site Discovery WMI output
- On
-
-
-Turn on Site Discovery XML output
- XML file path
-
-Your environment is now ready to collect your hardware inventory and review the sample reports.
-
-### Collect your hardware inventory using the MOF Editor with a .MOF import file
-You can collect your hardware inventory using the MOF Editor and a .MOF import file.
-
- **To collect your inventory**
-
-1. From the Configuration Manager, click **Administration**, click **Client Settings**, double-click **Default Client Settings**, click **Hardware Inventory**, and then click **Set Classes**.
-
-2. Click **Import**, choose the MOF file from the downloaded package we provided, and click **Open**.
-
-3. Pick the inventory items to install, and then click **Import**.
-
-4. Click **OK** to close the default windows.
-Your environment is now ready to collect your hardware inventory and review the sample reports.
-
-### Collect your hardware inventory using the SMS\DEF.MOF file (System Center Configuration Manager 2007 only)
-You can collect your hardware inventory using the using the Systems Management Server (SMS\DEF.MOF) file. Editing this file lets you collect your data for System Center Configuration Manager 2007. If you aren’t using this version of Configuration Manager, you won’t want to use this option.
-
-**To collect your inventory**
-
-1. Using a text editor like Notepad, open the SMS\DEF.MOF file, located in your `
Each site is validated and if successful, added to the global site list when you click **OK** to close the menu. If a site doesn’t pass validation, you can try to fix the issues or pick the site and click **Add to list** to ignore the validation problem. For more information about fixing validation problems, see [Fix validation problems using the Enterprise Mode Site List Manager](fix-validation-problems-using-the-enterprise-mode-site-list-manager.md).
-
-3. Click **OK** to close the **Bulk add sites to the list** menu.
-
-## Turn off data collection on your client devices
-After you’ve collected your data, you’ll need to turn Enterprise Site Discovery off.
-
-**To stop collecting data, using PowerShell**
-
-- On your client computer, start Windows PowerShell in elevated mode (using admin privileges) and run `IETelemetrySetUp.ps1`, using this command: `powershell -ExecutionPolicy Bypass .\IETelemetrySetUp.ps1 –IEFeatureOff`.
-
- >**Note**
Turning off data collection only disables the Enterprise Site Discovery feature – all data already written to WMI stays on your employee’s computer.
-
-
-**To stop collecting data, using Group Policy**
-
-1. Open your Group Policy editor, go to `Administrative Templates\Windows Components\Internet Explorer\Turn on Site Discovery WMI output`, and click **Off**.
-
-2. Go to `Administrative Templates\Windows Components\Internet Explorer\Turn on Site Discovery XML output`, and clear the file path location.
-
-### Delete already stored data from client computers
-You can completely remove the data stored on your employee’s computers.
-
-**To delete all existing data**
-
-- On the client computer, start PowerShell in elevated mode (using admin privileges) and run these four commands:
-
- - `Remove-WmiObject -Namespace root/cimv2/IETelemetry IEURLInfo`
-
- - `Remove-WmiObject -Namespace root/cimv2/IETelemetry IESystemInfo`
-
- - `Remove-WmiObject -Namespace root/cimv2/IETelemetry IECountInfo`
-
- - `Remove-Item -Path 'HKCU:\Software\Microsoft\Internet Explorer\WMITelemetry'`
-
-## Related topics
-* [Enterprise Mode Site List Manager (schema v.2) download](https://go.microsoft.com/fwlink/?LinkId=746562)
-* [Enterprise Mode for Internet Explorer 11 (IE11)](enterprise-mode-overview-for-ie11.md)
-
-
-
-
+---
+ms.localizationpriority: medium
+ms.mktglfcycl: deploy
+description: Use Internet Explorer to collect data on computers running Windows Internet Explorer 8 through Internet Explorer 11 on Windows 10, Windows 8.1, or Windows 7.
+author: dansimp
+ms.prod: ie11
+ms.assetid: a145e80f-eb62-4116-82c4-3cc35fd064b6
+ms.reviewer:
+audience: itpro
+manager: dansimp
+ms.author: dansimp
+title: Collect data using Enterprise Site Discovery
+ms.sitesec: library
+ms.date: 07/27/2017
+---
+
+# Collect data using Enterprise Site Discovery
+
+**Applies to:**
+
+- Windows 10
+- Windows 8.1
+- Windows 7 with Service Pack 1 (SP1)
+
+Use Internet Explorer to collect data on computers running Windows Internet Explorer 8 through Internet Explorer 11 on Windows 10, Windows 8.1, or Windows 7. This inventory information helps you build a list of websites used by your company so you can make more informed decisions about your IE deployments, including figuring out which sites might be at risk or require overhauls during future upgrades.
+
+>**Upgrade Readiness and Windows upgrades**
+>You can use Upgrade Readiness to help manage your Windows 10 upgrades on devices running Windows 8.1 and Windows 7 (SP1). You can also use Upgrade Readiness to review several site discovery reports. For more information, see [Manage Windows upgrades with Upgrade Readiness](https://docs.microsoft.com/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness).
+
+
+## Before you begin
+Before you start, you need to make sure you have the following:
+
+- Latest cumulative security update (for all supported versions of Internet Explorer):
+
+ 1. Go to the [Microsoft Security Bulletin](https://go.microsoft.com/fwlink/p/?LinkID=718223) page, and change the filter to **Windows Internet Explorer 11**.
+
+ 
+
+ 2. Click the title of the latest cumulative security update, and then scroll down to the **Affected software** table.
+
+ 
+
+ 3. Click the link that represents both your operating system version and Internet Explorer 11, and then follow the instructions in the **How to get this update** section.
+
+- [Setup and configuration package](https://go.microsoft.com/fwlink/p/?LinkId=517719), including:
+
+ - Configuration-related PowerShell scripts
+
+ - IETelemetry.mof file
+
+ - Sample System Center 2012 report templates
+
+ You must use System Center 2012 R2 Configuration Manager or later for these samples to work.
+
+Both the PowerShell script and the Managed Object Format (.MOF) file need to be copied to the same location on the client device, before you run the scripts.
+
+## What data is collected?
+Data is collected on the configuration characteristics of IE and the sites it browses, as shown here.
+
+|Data point |IE11 |IE10 |IE9 |IE8 |Description |
+|------------------------|-----|-----|-----|-----|------------------------------------------------------------------------|
+|URL | X | X | X | X |URL of the browsed site, including any parameters included in the URL. |
+|Domain | X | X | X | X |Top-level domain of the browsed site. |
+|ActiveX GUID | X | X | X | X |GUID of the ActiveX controls loaded by the site. |
+|Document mode | X | X | X | X |Document mode used by IE for a site, based on page characteristics. |
+|Document mode reason | X | X | | |The reason why a document mode was set by IE. |
+|Browser state reason | X | X | | |Additional information about why the browser is in its current state. Also called, browser mode. |
+|Hang count | X | X | X | X |Number of visits to the URL when the browser hung. |
+|Crash count | X | X | X | X |Number of visits to the URL when the browser crashed. |
+|Most recent navigation failure (and count) | X | X | X | X |Description of the most recent navigation failure (like, a 404 bad request or 500 internal server error) and the number of times it happened. |
+|Number of visits | X | X | X | X |Number of times a site has been visited. |
+|Zone | X | X | X | X |Zone used by IE to browse sites, based on browser settings. |
+
+
+>**Important**
By default, IE doesn’t collect this data; you have to turn this feature on if you want to use it. After you turn on this feature, data is collected on all sites visited by IE, except during InPrivate sessions. Additionally, the data collection process is silent, so there’s no notification to the employee. Therefore, you must get consent from the employee before you start collecting info. You must also make sure that using this feature complies with all applicable local laws and regulatory requirements.
+
+### Understanding the returned reason codes
+The following tables provide more info about the Document mode reason, Browser state reason, and the Zone codes that are returned as part of your data collection.
+
+#### DocMode reason
+The codes in this table can tell you what document mode was set by IE for a webpage.
These codes only apply to Internet Explorer 10 and Internet Explorer 11.
+
+|Code |Description |
+|-----|------------|
+|3 |Page state is set by the `FEATURE_DOCUMENT_COMPATIBLE_MODE` feature control key.|
+|4 |Page is using an X-UA-compatible meta tag. |
+|5 |Page is using an X-UA-compatible HTTP header. |
+|6 |Page appears on an active **Compatibility View** list. |
+|7 |Page is using native XML parsing. |
+|8 |Page is using a special Quirks Mode Emulation (QME) mode that uses the modern layout engine, but the quirks behavior of Internet Explorer 5. |
+|9 |Page state is set by the browser mode and the page's DOCTYPE.|
+
+#### Browser state reason
+The codes in this table can tell you why the browser is in its current state. Also called “browser mode”.
These codes only apply to Internet Explorer 10 and Internet Explorer 11.
+
+|Code |Description |
+|-----|------------|
+|1 |Site is on the intranet, with the **Display intranet sites in Compatibility View** box checked. |
+|2 |Site appears on an active **Compatibility View** list, created in Group Policy. |
+|3 |Site appears on an active **Compatibility View** list, created by the user. |
+|4 |Page is using an X-UA-compatible tag. |
+|5 |Page state is set by the **Developer** toolbar. |
+|6 |Page state is set by the `FEATURE_BROWSER_EMULATION` feature control key. |
+|7 |Site appears on the Microsoft **Compatibility View (CV)** list. |
+|8 |Site appears on the **Quirks** list, created in Group Policy. |
+|11 |Site is using the default browser. |
+
+#### Zone
+The codes in this table can tell you what zone is being used by IE to browse sites, based on browser settings.
These codes apply to Internet Explorer 8, Internet Explorer 9, Internet Explorer 10, and Internet Explorer 11.
+
+|Code |Description |
+|-----|------------|
+|-1 |Internet Explorer is using an invalid zone. |
+|0 |Internet Explorer is using the Local machine zone. |
+|1 |Internet Explorer is using the Local intranet zone. |
+|2 |Internet Explorer is using the Trusted sites zone. |
+|3 |Internet Explorer is using the Internet zone. |
+|4 |Internet Explorer is using the Restricted sites zone. |
+
+## Where is the data stored and how do I collect it?
+The data is stored locally, in an industry-standard WMI class, .MOF file or in an XML file, depending on your configuration. This file remains on the client computer until it’s collected. To collect the files, we recommend:
+
+- **WMI file**. Use Microsoft Configuration Manager or any agent that can read the contents of a WMI class on your computer.
+
+- **XML file**. Any agent that works with XML can be used.
+
+## WMI Site Discovery suggestions
+We recommend that you collect your data for at most a month at a time, to capture a user’s typical workflow. We don’t recommend collecting data longer than that because the data is stored in a WMI provider and can fill up your computer’s hard drive. You may also want to collect data only for pilot users or a representative sample of people, instead of turning this feature on for everyone in your company.
+
+On average, a website generates about 250bytes of data for each visit, causing only a minor impact to Internet Explorer’s performance. Over the course of a month, collecting data from 20 sites per day from 1,000 users, you’ll get about 150MB of data:
The data collection process is silent, so there’s no notification to the employee. Therefore, you must get consent from the employee before you start collecting info. You must also make sure that using this feature complies with all applicable local laws and regulatory requirements.
+
+## Getting ready to use Enterprise Site Discovery
+Before you can start to collect your data, you must run the provided PowerShell script (IETelemetrySetUp.ps1) on your client devices to start generating the site discovery data and to set up a place to store this data locally. Then, you must start collecting the site discovery data from the client devices, using one of these three options:
+
+- Collect your hardware inventory using the MOF Editor, while connecting to a client device.
You must run this script if you’re using WMI as your data output. It's not necessary if you're using XML as your data output.
+
+**To set up Enterprise Site Discovery**
+
+- Start PowerShell in elevated mode (using admin privileges) and run IETelemetrySetUp.ps1 by by-passing the PowerShell execution policy, using this command: `powershell -ExecutionPolicy Bypass .\IETelemetrySetUp.ps1`. For more info, see [about Execution Policies](https://go.microsoft.com/fwlink/p/?linkid=517460).
+
+### WMI only: Set up your firewall for WMI data
+If you choose to use WMI as your data output, you need to make sure that your WMI data can travel through your firewall for the domain. If you’re sure, you can skip this section; otherwise, follow these steps:
+
+**To set up your firewall**
+
+1. In **Control Panel**, click **System and Security**, and then click **Windows Firewall**.
+
+2. In the left pane, click **Allow an app or feature through Windows Firewall** and scroll down to check the box for **Windows Management Instrumentation (WMI)**.
+
+3. Restart your computer to start collecting your WMI data.
+
+## Use PowerShell to finish setting up Enterprise Site Discovery
+You can determine which zones or domains are used for data collection, using PowerShell. If you don’t want to use PowerShell, you can do this using Group Policy. For more info, see [Use Group Policy to finish setting up Enterprise Site Discovery](#use-group-policy-to-finish-setting-up-enterprise-site-discovery).
+
+>**Important**
The .ps1 file updates turn on Enterprise Site Discovery and WMI collection for all users on a device.
+
+- **Domain allow list.** If you have a domain allow list, a comma-separated list of domains that should have this feature turned on, you should use this process.
+
+- **Zone allow list.** If you have a zone allow list, a comma-separated list of zones that should have this feature turned on, you should use this process.
+
+**To set up data collection using a domain allow list**
+
+- Start PowerShell in elevated mode (using admin privileges) and run IETelemetrySetUp.ps1, using this command: `.\IETelemetrySetUp.ps1 [other args] -SiteAllowList sharepoint.com,outlook.com,onedrive.com`.
+
+ >**Important**
Wildcards, like \*.microsoft.com, aren’t supported.
+
+**To set up data collection using a zone allow list**
+
+- Start PowerShell in elevated mode (using admin privileges) and run IETelemetrySetUp.ps1, using this command: `.\IETelemetrySetUp.ps1 [other args] -ZoneAllowList Computer,Intranet,TrustedSites,Internet,RestrictedSites`.
+
+ >**Important**
Only Computer, Intranet, TrustedSites, Internet, and RestrictedSites are supported.
+
+## Use Group Policy to finish setting up Enterprise Site Discovery
+You can use Group Policy to finish setting up Enterprise Site Discovery. If you don’t want to use Group Policy, you can do this using PowerShell. For more info, see [Use Powershell to finish setting up Enterprise Site Discovery](#use-powershell-to-finish-setting-up-enterprise-site-discovery).
+
+>**Note**
All of the Group Policy settings can be used individually or as a group.
+
+ **To set up Enterprise Site Discovery using Group Policy**
+
+- Open your Group Policy editor, and go to these new settings:
+
+ |Setting name and location |Description |Options |
+ |---------------------------|-------------|---------|
+ |Administrative Templates\Windows Components\Internet Explorer\Turn on Site Discovery WMI output |Writes collected data to a WMI class, which can be aggregated using a client-management solution like Configuration Manager. |
|
+ |Administrative Templates\Windows Components\Internet Explorer\Turn on Site Discovery XML output |Writes collected data to an XML file, which is stored in your specified location. |
|
+ |Administrative Templates\Windows Components\Internet Explorer\Limit Site Discovery output by Zone |Manages which zone can collect data. |To specify which zones can collect data, you must include a binary number that represents your selected zones, based on this order:
0 – Internet zone
0 – Trusted Sites zone
0 – Local Intranet zone
0 – Local Machine zone
0 – Internet zone
0 – Trusted Sites zone
1 – Local Intranet zone
0 – Local Machine zone
0 – Internet zone
1 – Trusted Sites zone
1 – Local Intranet zone
1 – Local Machine zone |
+ |Administrative Templates\Windows Components\Internet Explorer\Limit Site Discovery output by domain |Manages which domains can collect data |To specify which domains can collect data, you must include your selected domains, one domain per line, in the provided box. It should look like:
outlook.com
onedrive.com
timecard.contoso.com
LOBApp.contoso.com |
+
+### Combining WMI and XML Group Policy settings
+You can use both the WMI and XML settings individually or together:
+
+**To turn off Enterprise Site Discovery**
+
+
+
+**Turn on WMI recording only**
+
+
+ Setting name
+ Option
+
+
+ Turn on Site Discovery WMI output
+ Off
+
+
+Turn on Site Discovery XML output
+ Blank
+
+
+
+**To turn on XML recording only**
+
+
+ Setting name
+ Option
+
+
+ Turn on Site Discovery WMI output
+ On
+
+
+Turn on Site Discovery XML output
+ Blank
+
+
+
+To turn on both WMI and XML recording
+
+
+ Setting name
+ Option
+
+
+ Turn on Site Discovery WMI output
+ Off
+
+
+Turn on Site Discovery XML output
+ XML file path
+
+
+
+## Use Configuration Manager to collect your data
+After you’ve collected your data, you’ll need to get the local files off of your employee’s computers. To do this, use the hardware inventory process in Configuration Manager, using one of these options:
+
+- Collect your hardware inventory using the MOF Editor, while connecting to a client device.
+
+ Setting name
+ Option
+
+
+ Turn on Site Discovery WMI output
+ On
+
+
+Turn on Site Discovery XML output
+ XML file path
+
+Your environment is now ready to collect your hardware inventory and review the sample reports.
+
+### Collect your hardware inventory using the MOF Editor with a .MOF import file
+You can collect your hardware inventory using the MOF Editor and a .MOF import file.
+
+ **To collect your inventory**
+
+1. From the Configuration Manager, click **Administration**, click **Client Settings**, double-click **Default Client Settings**, click **Hardware Inventory**, and then click **Set Classes**.
+
+2. Click **Import**, choose the MOF file from the downloaded package we provided, and click **Open**.
+
+3. Pick the inventory items to install, and then click **Import**.
+
+4. Click **OK** to close the default windows.
+Your environment is now ready to collect your hardware inventory and review the sample reports.
+
+### Collect your hardware inventory using the SMS\DEF.MOF file (System Center Configuration Manager 2007 only)
+You can collect your hardware inventory using the using the Systems Management Server (SMS\DEF.MOF) file. Editing this file lets you collect your data for System Center Configuration Manager 2007. If you aren’t using this version of Configuration Manager, you won’t want to use this option.
+
+**To collect your inventory**
+
+1. Using a text editor like Notepad, open the SMS\DEF.MOF file, located in your `
Each site is validated and if successful, added to the global site list when you click **OK** to close the menu. If a site doesn’t pass validation, you can try to fix the issues or pick the site and click **Add to list** to ignore the validation problem. For more information about fixing validation problems, see [Fix validation problems using the Enterprise Mode Site List Manager](fix-validation-problems-using-the-enterprise-mode-site-list-manager.md).
+
+3. Click **OK** to close the **Bulk add sites to the list** menu.
+
+## Turn off data collection on your client devices
+After you’ve collected your data, you’ll need to turn Enterprise Site Discovery off.
+
+**To stop collecting data, using PowerShell**
+
+- On your client computer, start Windows PowerShell in elevated mode (using admin privileges) and run `IETelemetrySetUp.ps1`, using this command: `powershell -ExecutionPolicy Bypass .\IETelemetrySetUp.ps1 –IEFeatureOff`.
+
+ >**Note**
Turning off data collection only disables the Enterprise Site Discovery feature – all data already written to WMI stays on your employee’s computer.
+
+
+**To stop collecting data, using Group Policy**
+
+1. Open your Group Policy editor, go to `Administrative Templates\Windows Components\Internet Explorer\Turn on Site Discovery WMI output`, and click **Off**.
+
+2. Go to `Administrative Templates\Windows Components\Internet Explorer\Turn on Site Discovery XML output`, and clear the file path location.
+
+### Delete already stored data from client computers
+You can completely remove the data stored on your employee’s computers.
+
+**To delete all existing data**
+
+- On the client computer, start PowerShell in elevated mode (using admin privileges) and run these four commands:
+
+ - `Remove-WmiObject -Namespace root/cimv2/IETelemetry IEURLInfo`
+
+ - `Remove-WmiObject -Namespace root/cimv2/IETelemetry IESystemInfo`
+
+ - `Remove-WmiObject -Namespace root/cimv2/IETelemetry IECountInfo`
+
+ - `Remove-Item -Path 'HKCU:\Software\Microsoft\Internet Explorer\WMITelemetry'`
+
+## Related topics
+* [Enterprise Mode Site List Manager (schema v.2) download](https://go.microsoft.com/fwlink/?LinkId=746562)
+* [Enterprise Mode for Internet Explorer 11 (IE11)](enterprise-mode-overview-for-ie11.md)
+
+
+
+
diff --git a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md
index 3e8e129b3d..292c85b771 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md
@@ -30,10 +30,10 @@ If you don't want to use the Enterprise Mode Site List Manager, you also have th
## Enterprise Mode schema v.1 example
The following is an example of the Enterprise Mode schema v.1. This schema can run on devices running Windows 7 and Windows 8.1.
-**Important**
-Make sure that you don't specify a protocol when adding your URLs. Using a URL like `
-If you're running Windows 7 or Windows 8.1 and you've been using the version 1.0 (v.1) of the schema, you can continue to do so, but you won't get the benefits that come with the updated schema. For info about the v.1 schema, see [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md).
-
-## Enterprise Mode schema v.2 updates
-Because of the schema changes, you can't combine the old version (v.1) with the new version (v.2) of the schema. If you look at your XML file, you can tell which version you're using by:
-
-- <rules>. If your schema root node includes this key, you're using the v.1 version of the schema.
-
-- <site-list>. If your schema root node includes this key, you're using the v.2 version of the schema.
-
-You can continue to use the v.1 version of the schema on Windows 10, but you won't have the benefits of the new v.2 version schema updates and new features. Additionally, saving the v.1 version of the schema in the new Enterprise Mode Site List Manager (schema v.2) automatically updates the file to use the v.2 version of the schema.
-
-### Enterprise Mode v.2 schema example
-The following is an example of the v.2 version of the Enterprise Mode schema.
-
-**Important**
-Make sure that you don't specify a protocol when adding your URLs. Using a URL like `
-
-
-
-### Updated schema attributes
-The <url> attribute, as part of the <site> element in the v.2 version of the schema, replaces the <domain> element from the v.1 version of the schema.
-
-
-
-
-
-Element
-Description
-Supported browser
-
-
-<site-list>
-A new root node with this text is using the updated v.2 version of the schema. It replaces <rules>.
-
-
-<site-list version="205">
- <site url="contoso.com">
- <compat-mode>IE8Enterprise</compat-mode>
- <open-in>IE11</open-in>
- </site>
-</site-list>
Internet Explorer 11 and Microsoft Edge
-
-
-<site>
-A unique entry added for each site you want to put on the Enterprise Mode site list. The first <site> element will overrule any additional <site> elements that use the same value for the <url> element.
-
-
-<site url="contoso.com">
- <compat-mode>default</compat-mode>
- <open-in>none</open-in>
-</site>
--or-
-<site url="10.122.34.99:8080">
- <compat-mode>IE8Enterprise</compat-mode>
-<site>
<site url="[10.122.34.99]:8080">
- <compat-mode>IE8Enterprise</compat-mode>
-<site>
-
Internet Explorer 11 and Microsoft Edge
-
-
-<compat-mode>
-A child element that controls what compatibility setting is used for specific sites or domains. This element is only supported in IE11.
-
-
-<site url="contoso.com">
- <compat-mode>IE8Enterprise</compat-mode>
-</site>
--or-
-<site url="10.122.34.99:8080">
- <compat-mode>IE8Enterprise</compat-mode>
-<site>
<site url="[10.122.34.99]:8080">
- <compat-mode>IE8Enterprise</compat-mode>
-<site>
-
This element is required for sites included in the EmIE section of the v.1 schema and is needed to load in IE8 Enterprise Mode.
This element is required for sites included in the EmIE section of the v.1 schema and is needed to load in IE7 Enterprise Mode.
This tag replaces the combination of the "forceCompatView"="true" attribute and the list of sites specified in the EmIE section of the v.1 version of the schema.Internet Explorer 11
-
-
-<open-in>
-A child element that controls what browser is used for sites. This element supports the Open in IE11 or Open in Microsoft Edge experiences, for devices running Windows 10.
-
-
-<site url="contoso.com">
- <open-in>none</open-in>
-</site>
-
Internet Explorer 11 and Microsoft Edge
-
-
-
-
-### Deprecated attributes
-These v.1 version schema attributes have been deprecated in the v.2 version of the schema:
-
-
-
-
-
-Attribute
-Description
-Supported browser
-
-
-allow-redirect
-A boolean attribute of the <open-in> element that controls the behavior for redirected sites. Setting this attribute to "true" indicates that the site will open in IE11 or Microsoft Edge even if the site is navigated to as part of a HTTP or meta refresh redirection chain. Omitting the attribute is equivalent to "false" (sites in redirect chain will not open in another browser).
-
-
-<site url="contoso.com/travel">
- <open-in allow-redirect="true">IE11</open-in>
-</site>
-In this example, if https://contoso.com/travel is encountered in a redirect chain in Microsoft Edge, it will be opened in Internet Explorer.Internet Explorer 11 and Microsoft Edge
-
-
-version
-Specifies the version of the Enterprise Mode Site List. This attribute is supported for the <site-list> element.
-Internet Explorer 11 and Microsoft Edge
-
-
-url
-Specifies the URL (and port number using standard port conventions) to which the child elements apply. The URL can be a domain, sub-domain, or any path URL.
-
-
Note
-Make sure that you don't specify a protocol. Using <site url="contoso.com"> applies to both https://contoso.com and https://contoso.com.
-
-<site url="contoso.com:8080">
- <compat-mode>IE8Enterprise</compat-mode>
- <open-in>IE11</open-in>
-</site>
-In this example, going to https://contoso.com:8080 using Microsoft Edge, causes the site to open in IE11 and load in IE8 Enterprise Mode.Internet Explorer 11 and Microsoft Edge
-
-
-
-
-While the old, replaced attributes aren't supported in the v.2 version of the schema, they'll continue to work in the v.1 version of the schema. If, however, you're using the v.2 version of the schema and these attributes are still there, the v.2 version schema takes precedence. We don’t recommend combining the two schemas, and instead recommend that you move to the v.2 version of the schema to take advantage of the new features.
-
-**Important**
-
-
-
-Deprecated attribute
-New attribute
-Replacement example
-
-
-<forceCompatView>
-<compat-mode>
-Replace <forceCompatView="true"> with <compat-mode>IE7Enterprise</compat-mode>
-
-
-<docMode>
-<compat-mode>
-Replace <docMode="IE5"> with <compat-mode>IE5</compat-mode>
-
-
-<doNotTransition>
-<open-in>
-Replace <doNotTransition="true"> with <open-in>none</open-in>
-
-
-<domain> and <path>
-<site>
-Replace:
-
-
-<emie>
- <domain exclude="false">contoso.com</domain>
-</emie>
-With:
-
-<site url="contoso.com"/>
- <compat-mode>IE8Enterprise</compat-mode>
-</site>
--AND-
-<emie>
- <domain exclude="true">contoso.com
- <path exclude="false" forceCompatView="true">/about</path>
- </domain>
-</emie>
-With:
-
-<site url="contoso.com/about">
- <compat-mode>IE7Enterprise</compat-mode>
-</site>
-Saving your v.1 version of the file using the new Enterprise Mode Site List Manager (schema v.2) automatically updates the XML to the new v.2 version of the schema.
-
-### What not to include in your schema
-We recommend that you not add any of the following items to your schema because they can make your compatibility list behave in unexpected ways:
-
-- Don’t use protocols. For example, https://, https://, or custom protocols. They break parsing.
-- Don’t use wildcards.
-- Don’t use query strings, ampersands break parsing.
-
-## Related topics
-- [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md)
-
-
-
-
+---
+ms.localizationpriority: medium
+ms.mktglfcycl: deploy
+ms.pagetype: appcompat
+description: Use the Enterprise Mode Site List Manager to create and update your Enterprise Mode site list for devices running Windows 10.
+author: lomayor
+ms.prod: ie11
+ms.assetid: 909ca359-5654-4df9-b9fb-921232fc05f5
+ms.reviewer:
+audience: itpro
+manager: dansimp
+ms.author: lomayor
+title: Enterprise Mode schema v.2 guidance (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
+ms.date: 12/04/2017
+---
+
+
+# Enterprise Mode schema v.2 guidance
+
+**Applies to:**
+
+- Windows 10
+- Windows 8.1
+- Windows 7
+
+Use the Enterprise Mode Site List Manager to create and update your site list for devices running Windows 7, Windows 8.1, and Windows 10, using the version 2.0 (v.2) of the Enterprise Mode schema. If you don't want to use the Enterprise Mode Site List Manager, you also have the option to update your XML schema using Notepad, or any other XML-editing app.
+
+> [!IMPORTANT]
+> If you're running Windows 7 or Windows 8.1 and you've been using the version 1.0 (v.1) of the schema, you can continue to do so, but you won't get the benefits that come with the updated schema. For info about the v.1 schema, see [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md).
+
+## Enterprise Mode schema v.2 updates
+Because of the schema changes, you can't combine the old version (v.1) with the new version (v.2) of the schema. If you look at your XML file, you can tell which version you're using by:
+
+- <rules>. If your schema root node includes this key, you're using the v.1 version of the schema.
+
+- <site-list>. If your schema root node includes this key, you're using the v.2 version of the schema.
+
+You can continue to use the v.1 version of the schema on Windows 10, but you won't have the benefits of the new v.2 version schema updates and new features. Additionally, saving the v.1 version of the schema in the new Enterprise Mode Site List Manager (schema v.2) automatically updates the file to use the v.2 version of the schema.
+
+### Enterprise Mode v.2 schema example
+The following is an example of the v.2 version of the Enterprise Mode schema.
+
+> [!IMPORTANT]
+> Make sure that you don't specify a protocol when adding your URLs. Using a URL like `
+
+
+
+### Updated schema attributes
+The <url> attribute, as part of the <site> element in the v.2 version of the schema, replaces the <domain> element from the v.1 version of the schema.
+
+
+
+
+
+Element
+Description
+Supported browser
+
+
+<site-list>
+A new root node with this text is using the updated v.2 version of the schema. It replaces <rules>.
+
+
+<site-list version="205">
+ <site url="contoso.com">
+ <compat-mode>IE8Enterprise</compat-mode>
+ <open-in>IE11</open-in>
+ </site>
+</site-list>
Internet Explorer 11 and Microsoft Edge
+
+
+<site>
+A unique entry added for each site you want to put on the Enterprise Mode site list. The first <site> element will overrule any additional <site> elements that use the same value for the <url> element.
+
+
+<site url="contoso.com">
+ <compat-mode>default</compat-mode>
+ <open-in>none</open-in>
+</site>
+-or-
+<site url="10.122.34.99:8080">
+ <compat-mode>IE8Enterprise</compat-mode>
+<site>
<site url="[10.122.34.99]:8080">
+ <compat-mode>IE8Enterprise</compat-mode>
+<site>
+
Internet Explorer 11 and Microsoft Edge
+
+
+<compat-mode>
+A child element that controls what compatibility setting is used for specific sites or domains. This element is only supported in IE11.
+
+
+<site url="contoso.com">
+ <compat-mode>IE8Enterprise</compat-mode>
+</site>
+-or-
+<site url="10.122.34.99:8080">
+ <compat-mode>IE8Enterprise</compat-mode>
+<site>
<site url="[10.122.34.99]:8080">
+ <compat-mode>IE8Enterprise</compat-mode>
+<site>
+
This element is required for sites included in the EmIE section of the v.1 schema and is needed to load in IE8 Enterprise Mode.
This element is required for sites included in the EmIE section of the v.1 schema and is needed to load in IE7 Enterprise Mode.
This tag replaces the combination of the "forceCompatView"="true" attribute and the list of sites specified in the EmIE section of the v.1 version of the schema.Internet Explorer 11
+
+
+<open-in>
+A child element that controls what browser is used for sites. This element supports the Open in IE11 or Open in Microsoft Edge experiences, for devices running Windows 10.
+
+
+<site url="contoso.com">
+ <open-in>none</open-in>
+</site>
+
Internet Explorer 11 and Microsoft Edge
+
+
+
+
+### Deprecated attributes
+These v.1 version schema attributes have been deprecated in the v.2 version of the schema:
+
+
+
+
+
+Attribute
+Description
+Supported browser
+
+
+allow-redirect
+A boolean attribute of the <open-in> element that controls the behavior for redirected sites. Setting this attribute to "true" indicates that the site will open in IE11 or Microsoft Edge even if the site is navigated to as part of a HTTP or meta refresh redirection chain. Omitting the attribute is equivalent to "false" (sites in redirect chain will not open in another browser).
+
+
+<site url="contoso.com/travel">
+ <open-in allow-redirect="true">IE11</open-in>
+</site>
+In this example, if https://contoso.com/travel is encountered in a redirect chain in Microsoft Edge, it will be opened in Internet Explorer.Internet Explorer 11 and Microsoft Edge
+
+
+version
+Specifies the version of the Enterprise Mode Site List. This attribute is supported for the <site-list> element.
+Internet Explorer 11 and Microsoft Edge
+
+
+url
+Specifies the URL (and port number using standard port conventions) to which the child elements apply. The URL can be a domain, sub-domain, or any path URL.
+
+
Note
+Make sure that you don't specify a protocol. Using <site url="contoso.com"> applies to both http://contoso.com and https://contoso.com.
+
+<site url="contoso.com:8080">
+ <compat-mode>IE8Enterprise</compat-mode>
+ <open-in>IE11</open-in>
+</site>
+In this example, going to https://contoso.com:8080 using Microsoft Edge, causes the site to open in IE11 and load in IE8 Enterprise Mode.Internet Explorer 11 and Microsoft Edge
+
+
+
+
+While the old, replaced attributes aren't supported in the v.2 version of the schema, they'll continue to work in the v.1 version of the schema. If, however, you're using the v.2 version of the schema and these attributes are still there, the v.2 version schema takes precedence. We don’t recommend combining the two schemas, and instead recommend that you move to the v.2 version of the schema to take advantage of the new features.
+
+> [!IMPORTANT]
+> Saving your v.1 version of the file using the new Enterprise Mode Site List Manager (schema v.2) automatically updates the XML to the new v.2 version of the schema.
+
+### What not to include in your schema
+We recommend that you not add any of the following items to your schema because they can make your compatibility list behave in unexpected ways:
+
+- Don’t use protocols. For example, `http://`, `https://`, or custom protocols. They break parsing.
+- Don’t use wildcards.
+- Don’t use query strings, ampersands break parsing.
+
+## Related topics
+- [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md)
diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-advanced-group-policy-mgmt-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-advanced-group-policy-mgmt-ie11.md
index 859cf8fbb7..7fc2191028 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-advanced-group-policy-mgmt-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-advanced-group-policy-mgmt-ie11.md
@@ -33,7 +33,7 @@ From AGPM you can:
- **Manage your GPO lifecycle with change control features.** You can use the available version-control, history, and auditing features to help you manage your GPOs while moving through your archive, to your editing process, and finally to your GPO deployment.
**Note**
+
+
+
+Deprecated attribute
+New attribute
+Replacement example
+
+
+<forceCompatView>
+<compat-mode>
+Replace <forceCompatView="true"> with <compat-mode>IE7Enterprise</compat-mode>
+
+
+<docMode>
+<compat-mode>
+Replace <docMode="IE5"> with <compat-mode>IE5</compat-mode>
+
+
+<doNotTransition>
+<open-in>
+Replace <doNotTransition="true"> with <open-in>none</open-in>
+
+
+<domain> and <path>
+<site>
+Replace:
+
+
+<emie>
+ <domain exclude="false">contoso.com</domain>
+</emie>
+With:
+
+<site url="contoso.com"/>
+ <compat-mode>IE8Enterprise</compat-mode>
+</site>
+-AND-
+<emie>
+ <domain exclude="true">contoso.com
+ <path exclude="false" forceCompatView="true">/about</path>
+ </domain>
+</emie>
+With:
+
+<site url="contoso.com/about">
+ <compat-mode>IE7Enterprise</compat-mode>
+</site>
-For more information about AGPM, and to get the license, see [Advanced Group Policy Management 4.0 Documents](https://www.microsoft.com/en-us/download/details.aspx?id=13975).
+For more information about AGPM, and to get the license, see [Advanced Group Policy Management 4.0 Documents](https://www.microsoft.com/download/details.aspx?id=13975).
diff --git a/browsers/internet-explorer/ie11-deploy-guide/index.md b/browsers/internet-explorer/ie11-deploy-guide/index.md
index 6d5935a29b..d2bc3fa2d1 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/index.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/index.md
@@ -1,13 +1,14 @@
---
ms.mktglfcycl: deploy
description: Use this guide to learn about the several options and processes you'll need to consider while you're planning for, deploying, and customizing Internet Explorer 11 for your employee's devices.
-author: shortpatti
+author: lomayor
+ms.author: lomayor
ms.prod: ie11
ms.assetid: bddc2d97-c38d-45c5-9588-1f5bbff2e9c3
title: Internet Explorer 11 (IE11) - Deployment Guide for IT Pros (Internet Explorer 11 for IT Pros)
ms.sitesec: library
ms.localizationpriority: medium
-ms.date: 07/27/2017
+manager: dansimp
---
diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-microsoft-intune.md b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-microsoft-intune.md
index e93450be88..25226f2ad0 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-microsoft-intune.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-microsoft-intune.md
@@ -1,54 +1,54 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-description: How to add and deploy the Internet Explorer 11 update using Microsoft Intune.
-author: lomayor
-ms.prod: ie11
-ms.assetid: b2dfc08c-78af-4c22-8867-7be3b92b1616
-ms.reviewer:
-audience: itpro
manager: dansimp
-ms.author: lomayor
-title: Install Internet Explorer 11 (IE11) using Microsoft Intune (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Install Internet Explorer 11 (IE11) using Microsoft Intune
-Internet Explorer 11 is available as an update in Microsoft Intune. Microsoft Intune uses Windows cloud services to help you manage updates, monitor and protect your computers, provide remote assistance, track hardware and software inventory, and set security policies. For more information, see the [Documentation Library for Microsoft Intune](https://go.microsoft.com/fwlink/p/?LinkId=301805).
-
-## Adding and deploying the IE11 package
-You can add and then deploy the IE11 package to any computer that's managed by Microsoft Intune.
-
- **To add the IE11 package**
-
-1. From the Microsoft Intune administrator console, start the Microsoft Intune Software Publisher.
-
-2. Add your IE11 package as either an external link or as a Windows installer package (.exe or .msi).
-
-For more info about how to decide which one to use, and how to use it, see [Deploy and configure apps](https://go.microsoft.com/fwlink/p/?LinkId=301806).
-
- **To automatically deploy and install the IE11 package**
-
-1. From the Microsoft Intune administrator console, start and run through the Deploy Software wizard.
-
-2. Deploy the package to any of your employee computers that are managed by Microsoft Intune.
-
-3. After the package is on your employee's computers, the installation process runs, based on what you set up in your wizard.
-
-For more info about this, see [Deploy and configure apps](https://go.microsoft.com/fwlink/p/?LinkId=301806).
-
- **To let your employees install the IE11 package**
-
-1. Install the package on your company's Microsoft Intune site, marking it as **Available** for the appropriate groups.
-
-2. Any employee in the assigned group can now install the package.
-
-For more info about this, see [Update apps using Microsoft Intune](https://go.microsoft.com/fwlink/p/?LinkId=301808)
-
-
-
-
-
-
-
+---
+ms.localizationpriority: medium
+ms.mktglfcycl: deploy
+description: How to add and deploy the Internet Explorer 11 update using Microsoft Intune.
+author: lomayor
+ms.prod: ie11
+ms.assetid: b2dfc08c-78af-4c22-8867-7be3b92b1616
+ms.reviewer:
+manager: dansimp
+ms.author: lomayor
+title: Install Internet Explorer 11 (IE11) using Microsoft Intune (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
+ms.date: 07/27/2017
+---
+
+
+# Install Internet Explorer 11 (IE11) using Microsoft Intune
+Internet Explorer 11 is available as an update in Microsoft Intune. Microsoft Intune uses Windows cloud services to help you manage updates, monitor and protect your computers, provide remote assistance, track hardware and software inventory, and set security policies. For more information, see the [Documentation Library for Microsoft Intune](https://go.microsoft.com/fwlink/p/?LinkId=301805).
+
+## Adding and deploying the IE11 package
+You can add and then deploy the IE11 package to any computer that's managed by Microsoft Intune.
+
+ **To add the IE11 package**
+
+1. From the Microsoft Intune administrator console, start the Microsoft Intune Software Publisher.
+
+2. Add your IE11 package as either an external link or as a Windows installer package (.exe or .msi).
+
+For more info about how to decide which one to use, and how to use it, see [Deploy and configure apps](https://go.microsoft.com/fwlink/p/?LinkId=301806).
+
+ **To automatically deploy and install the IE11 package**
+
+1. From the Microsoft Intune administrator console, start and run through the Deploy Software wizard.
+
+2. Deploy the package to any of your employee computers that are managed by Microsoft Intune.
+
+3. After the package is on your employee's computers, the installation process runs, based on what you set up in your wizard.
+
+For more info about this, see [Deploy and configure apps](https://go.microsoft.com/fwlink/p/?LinkId=301806).
+
+ **To let your employees install the IE11 package**
+
+1. Install the package on your company's Microsoft Intune site, marking it as **Available** for the appropriate groups.
+
+2. Any employee in the assigned group can now install the package.
+
+For more info about this, see [Update apps using Microsoft Intune](https://go.microsoft.com/fwlink/p/?LinkId=301808)
+
+
+
+
+
+
+
diff --git a/browsers/internet-explorer/ie11-deploy-guide/tips-and-tricks-to-manage-ie-compatibility.md b/browsers/internet-explorer/ie11-deploy-guide/tips-and-tricks-to-manage-ie-compatibility.md
index 00029e6c5b..a4ca6348ac 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/tips-and-tricks-to-manage-ie-compatibility.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/tips-and-tricks-to-manage-ie-compatibility.md
@@ -127,7 +127,7 @@ We recommend that enterprise customers focus their new development on establishe
- [Document modes](https://msdn.microsoft.com/library/dn384051(v=vs.85).aspx)
- [What is Enterprise Mode?](what-is-enterprise-mode.md)
- [Turn on Enterprise Mode and use a site list](turn-on-enterprise-mode-and-use-a-site-list.md)
-- [Enterprise Site Discovery Toolkit](https://www.microsoft.com/en-us/download/details.aspx?id=44570)
+- [Enterprise Site Discovery Toolkit](https://www.microsoft.com/download/details.aspx?id=44570)
- [Collect data using Enterprise Site Discovery](collect-data-using-enterprise-site-discovery.md)
- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853)
- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378)
diff --git a/browsers/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode.md b/browsers/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode.md
index 0212685d25..0f89abe875 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode.md
@@ -163,6 +163,6 @@ Because the tool is open-source, the source code is readily available for examin
- [Web Application Compatibility Lab Kit](https://technet.microsoft.com/microsoft-edge/mt612809.aspx)
-- [Microsoft Services Support](https://www.microsoft.com/en-us/microsoftservices/support.aspx)
+- [Microsoft Services Support](https://www.microsoft.com/microsoftservices/support.aspx)
- [Find a Microsoft partner on Pinpoint](https://partnercenter.microsoft.com/pcv/search)
diff --git a/browsers/internet-explorer/ie11-ieak/browsing-options-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/browsing-options-ieak11-wizard.md
index c1f405ec66..d96bb1744c 100644
--- a/browsers/internet-explorer/ie11-ieak/browsing-options-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/browsing-options-ieak11-wizard.md
@@ -1,51 +1,52 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-description: How to use the Browsing Options page in the IEAK 11 Customization Wizard to manage items in the Favorites, Favorites Bar, and Feeds section.
-author: lomayor
-ms.prod: ie111
-ms.assetid: d6bd71ba-5df3-4b8c-8bb5-dcbc50fd974e
-ms.reviewer:
-audience: itpro
manager: dansimp
-ms.author: lomayor
-title: Use the Browsing Options page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Use the Browsing Options page in the IEAK 11 Wizard
-The **Browsing Options** page of the Internet Explorer Administration Kit (IEAK 11) Customization Wizard lets you decide how you want to manage items in the **Favorites, Favorites Bar, and Feeds** section, including the Microsoft-provided default items.
-
-The choices that you make on this page affect only the items shown on the **Favorites, Favorites Bar, and Feeds** page.
-
-**To use the Browsing Options page**
-
-1. Decide how you want to manage links that are already installed on your employee’s computer:
-
- - **Delete all existing items under Favorites, Favorites Bar and Feeds.** Removes all of the links, Web Slices, feeds, and Accelerators on the computer. This includes links and favorites added by you or the employee. Because this removes everything, we recommend that you use this option with caution.
-
- - **Only delete the items created by the administrator.** Removes only the items that you added for your employees on the **Favorites, Favorites Bar and Feeds** page.
-
- - **Don’t delete any items.** Doesn’t remove anything. Links Web Slices, feeds, and Accelerators are added to your employee computers at the top of the list, in the order you picked on the **Favorites, Favorites Bar and Feeds** page.
-
-2. Decide if you don’t want to add the Microsoft-default items:
-
- - **Favorites.** Checking this box won’t add the Microsoft-defined links.
-
- - **Web Slices and Links.** Checking this box won’t add the Microsoft-defined Web Slices or links.
-
- - **Feeds.** Checking this box won’t add the Microsoft-defined RSS feeds.
-
- - **Accelerators.** Checking this box won’t add the Microsoft-defined Accelerators.
-
-3. Click **Next** to go to the [First Run Wizard and Welcome Page Options](first-run-and-welcome-page-ieak11-wizard.md) page or **Back** to go to the [Favorites, Favorites Bar, and Feeds](favorites-favoritesbar-and-feeds-ieak11-wizard.md) page.
-
-
-
-
-
-
-
-
-
+---
+ms.localizationpriority: medium
+ms.mktglfcycl: deploy
+description: How to use the Browsing Options page in the IEAK 11 Customization Wizard to manage items in the Favorites, Favorites Bar, and Feeds section.
+author: lomayor
+ms.prod: ie11
+ms.assetid: d6bd71ba-5df3-4b8c-8bb5-dcbc50fd974e
+ms.reviewer:
+audience: itpro
+manager: dansimp
+ms.author: lomayor
+title: Use the Browsing Options page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros)
+ms.sitesec: library
+ms.date: 07/27/2017
+---
+
+
+# Use the Browsing Options page in the IEAK 11 Wizard
+The **Browsing Options** page of the Internet Explorer Administration Kit (IEAK 11) Customization Wizard lets you decide how you want to manage items in the **Favorites, Favorites Bar, and Feeds** section, including the Microsoft-provided default items.
+
+The choices that you make on this page affect only the items shown on the **Favorites, Favorites Bar, and Feeds** page.
+
+**To use the Browsing Options page**
+
+1. Decide how you want to manage links that are already installed on your employee’s computer:
+
+ - **Delete all existing items under Favorites, Favorites Bar and Feeds.** Removes all of the links, Web Slices, feeds, and Accelerators on the computer. This includes links and favorites added by you or the employee. Because this removes everything, we recommend that you use this option with caution.
+
+ - **Only delete the items created by the administrator.** Removes only the items that you added for your employees on the **Favorites, Favorites Bar and Feeds** page.
+
+ - **Don’t delete any items.** Doesn’t remove anything. Links Web Slices, feeds, and Accelerators are added to your employee computers at the top of the list, in the order you picked on the **Favorites, Favorites Bar and Feeds** page.
+
+2. Decide if you don’t want to add the Microsoft-default items:
+
+ - **Favorites.** Checking this box won’t add the Microsoft-defined links.
+
+ - **Web Slices and Links.** Checking this box won’t add the Microsoft-defined Web Slices or links.
+
+ - **Feeds.** Checking this box won’t add the Microsoft-defined RSS feeds.
+
+ - **Accelerators.** Checking this box won’t add the Microsoft-defined Accelerators.
+
+3. Click **Next** to go to the [First Run Wizard and Welcome Page Options](first-run-and-welcome-page-ieak11-wizard.md) page or **Back** to go to the [Favorites, Favorites Bar, and Feeds](favorites-favoritesbar-and-feeds-ieak11-wizard.md) page.
+
+
+
+
+
+
+
+
+
diff --git a/browsers/internet-explorer/ie11-ieak/feature-selection-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/feature-selection-ieak11-wizard.md
index 78294cd509..0790851097 100644
--- a/browsers/internet-explorer/ie11-ieak/feature-selection-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/feature-selection-ieak11-wizard.md
@@ -1,64 +1,64 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-description: How to use the Feature Selection page in the IEAK 11 Customization Wizard to choose which parts of the setup processes and Internet Explorer 11 to change for your company.
-author: lomayor
-ms.prod: ie11
-ms.assetid: 9cb8324e-d73b-41ba-ade9-3acc796e21d8
-ms.reviewer:
-audience: itpro
manager: dansimp
-ms.author: lomayor
-title: Use the Feature Selection page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Use the Feature Selection page in the IEAK 11 Wizard
-The **Feature Selection** page of the Internet Explorer Customization Wizard 11 lets you choose which parts of the setup processes and Internet Explorer 11 to change for your company, including:
-
-- **Setup Customizations.** Lets you add custom components, decide which components to install, provide your download site information, and modify the Setup title bar and graphics.
-
-- **Internal Install.** Lets you decide to install the latest updates, run the malicious Software Removal Tool, and set IE11 as the default browser.
-
-- **Connection Manager.** Lets you import your Connection Manager Profiles, created by the Connection Manager Administration Kit (CMAK).
-
-- **Browser User Interface.** Lets you change the toolbar buttons, the title bar, and the general look of the browser.
-
-- **Search Providers.** Lets you add, remove, and pick a new default search provider for IE11.
-
-- **Important URLs – Home Page and Support.** Lets you choose multiple **Home** pages that open in different tabs in IE. You can also use this page to change the **Welcome** and **Online Support** pages.
-
-- **Accelerators.** Lets you import, add, edit, or remove Accelerators, the contextual services that give you quick access to external services from any webpage.
-
-- **Favorites, Favorites Bar, and Feeds.** Lets you pick which favorites, web slices, and feeds are installed with your custom installation package.
-
-- **Browsing Options.** Lets you pick how you delete items in the Favorites, Favorites Bar, and Feeds folders, and whether to add the Microsoft default items.
-
-- **Compatibility View.** Lets you decide whether IE renders content using compatibility mode or standards mode.
-
-- **Connections Customization.** Lets you set up and deploy custom connections.
-
-- **Security Zones and Content Ratings.** Lets you control what your employees can view and what’s downloaded to their computer.
-
-- **Programs.** Lets you pick the default program that’s used automatically by email, HTML, newsgroups, Internet calls, calendars, and contact lists.
-
-- **Additional Settings.** Lets you pre-set and lockdown specific functionality on your employee’s computer.
-
-**Note**
Your choices on this page determine what wizard pages appear.
-
-**To use the Feature Selection page**
-
-1. Check the box next to each feature you want to include in your custom installation package.
Your choices on this page determine what wizard pages appear.
+
+**To use the Feature Selection page**
+
+1. Check the box next to each feature you want to include in your custom installation package.
To keep your settings across several operating system packages, you can specify the same destination folder. Then, after running the wizard, you can reuse the resulting .ins file. Any additional changes to the .ins file are saved. For more info about using .ins files, see [Using Internet Settings (.INS) files with IEAK 11](using-internet-settings-ins-files.md). For more info about adding in your .ins file, see [Use the File Locations page in the IEAK 11 Wizard](file-locations-ieak11-wizard.md).
-
-2. Click **Next** to go to the [Language Selection](language-selection-ieak11-wizard.md) page or **Back** to go to the [File Locations](file-locations-ieak11-wizard.md) page.
-
-
-
-
-
-
-
-
-
+---
+ms.localizationpriority: medium
+ms.mktglfcycl: deploy
+description: How to use the Platform Selection page in the IEAK 11 Customization Wizard to pick the specs for your employee devices that will get the install package.
+author: lomayor
+ms.prod: ie11
+ms.assetid: 9cbf5abd-86f7-42b6-9810-0b606bbe8218
+ms.reviewer:
+manager: dansimp
+ms.author: lomayor
+title: Use the Platform Selection page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros)
+ms.sitesec: library
+ms.date: 07/27/2017
+---
+
+
+# Use the Platform Selection page in the IEAK 11 Wizard
+The **Platform Selection** page of the Internet Explorer Customization Wizard 11 lets you pick the operating system and architecture (32-bit or 64-bit) for the devices on which you’re going to install the custom installation package.
+
+**To use the Platform Selection page**
+
+1. Pick the operating system and architecture for the devices on which you’re going to install the custom package.
To keep your settings across several operating system packages, you can specify the same destination folder. Then, after running the wizard, you can reuse the resulting .ins file. Any additional changes to the .ins file are saved. For more info about using .ins files, see [Using Internet Settings (.INS) files with IEAK 11](using-internet-settings-ins-files.md). For more info about adding in your .ins file, see [Use the File Locations page in the IEAK 11 Wizard](file-locations-ieak11-wizard.md).
+
+2. Click **Next** to go to the [Language Selection](language-selection-ieak11-wizard.md) page or **Back** to go to the [File Locations](file-locations-ieak11-wizard.md) page.
+
+
+
+
+
+
+
+
+
diff --git a/browsers/internet-explorer/ie11-ieak/programs-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/programs-ieak11-wizard.md
index a4d2c384bb..8b0ff1ece4 100644
--- a/browsers/internet-explorer/ie11-ieak/programs-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/programs-ieak11-wizard.md
@@ -1,39 +1,39 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-description: How to use the Programs page in the IEAK 11 Customization Wizard to pick the default programs to use for Internet services.
-author: lomayor
-ms.prod: ie11
-ms.assetid: f715668f-a50d-4db0-b578-e6526fbfa1fc
-ms.reviewer:
-audience: itpro
manager: dansimp
-ms.author: lomayor
-title: Use the Programs page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Use the Programs page in the IEAK 11 Wizard
-The **Programs** page of the Internet Explorer Customization Wizard 11 lets you pick the default programs to use for Internet services, like email, contact lists, and newsgroups, by importing settings from your computer.
-
-**Important**
The customizations you make on this page only apply to Internet Explorer for the desktop.
-
-**To use the Programs page**
-
-1. Determine whether you want to customize your connection settings. You can pick:
-
- - **Do not customize Program Settings.** Pick this option if you don’t want to set program associations for your employee’s devices.
If you want to change any of your settings, you can click **Modify Settings** to open the **Internet Properties** box, click **Set associations**, and make your changes.
-
-2. Click **Next** to go to the [Additional Settings](additional-settings-ieak11-wizard.md) page or **Back** to go to the [Add a Root Certificate](add-root-certificate-ieak11-wizard.md) page.
-
-
-
-
-
-
-
-
-
+---
+ms.localizationpriority: medium
+ms.mktglfcycl: deploy
+description: How to use the Programs page in the IEAK 11 Customization Wizard to pick the default programs to use for Internet services.
+author: lomayor
+ms.prod: ie11
+ms.assetid: f715668f-a50d-4db0-b578-e6526fbfa1fc
+ms.reviewer:
+manager: dansimp
+ms.author: lomayor
+title: Use the Programs page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros)
+ms.sitesec: library
+ms.date: 07/27/2017
+---
+
+
+# Use the Programs page in the IEAK 11 Wizard
+The **Programs** page of the Internet Explorer Customization Wizard 11 lets you pick the default programs to use for Internet services, like email, contact lists, and newsgroups, by importing settings from your computer.
+
+**Important**
The customizations you make on this page only apply to Internet Explorer for the desktop.
+
+**To use the Programs page**
+
+1. Determine whether you want to customize your connection settings. You can pick:
+
+ - **Do not customize Program Settings.** Pick this option if you don’t want to set program associations for your employee’s devices.
If you want to change any of your settings, you can click **Modify Settings** to open the **Internet Properties** box, click **Set associations**, and make your changes.
+
+2. Click **Next** to go to the [Additional Settings](additional-settings-ieak11-wizard.md) page or **Back** to go to the [Add a Root Certificate](add-root-certificate-ieak11-wizard.md) page.
+
+
+
+
+
+
+
+
+
diff --git a/browsers/internet-explorer/index.md b/browsers/internet-explorer/index.md
index c2dbda0086..ad64db8744 100644
--- a/browsers/internet-explorer/index.md
+++ b/browsers/internet-explorer/index.md
@@ -2,7 +2,7 @@
ms.mktglfcycl: deploy
description: The landing page for IE11 that lets you access the documentation.
author: shortpatti
-ms.prod: IE11
+ms.prod: ie11
title: Internet Explorer 11 (IE11) (Internet Explorer 11 for IT Pros)
assetid: be3dc32e-80d9-4d9f-a802-c7db6c50dbe0
ms.sitesec: library
diff --git a/devices/hololens/TOC.md b/devices/hololens/TOC.md
index d50c95d74f..fe85d293be 100644
--- a/devices/hololens/TOC.md
+++ b/devices/hololens/TOC.md
@@ -1,34 +1,45 @@
-# [Microsoft HoloLens](index.md)
-# [What's new in HoloLens](hololens-whats-new.md)
-# [HoloLens in the enterprise: requirements and FAQ](hololens-requirements.md)
-# [Set up HoloLens](hololens-setup.md)
+# [HoloLens overview](index.md)
+# [Hololens status](hololens-status.md)
-# Device Management
-## [Unlock Windows Holographic for Business features](hololens-upgrade-enterprise.md)
+# Get started with HoloLens (gen 1)
+## [Start your HoloLens (1st gen) for the first time](hololens-start.md)
## [Install localized version of HoloLens](hololens-install-localized.md)
+
+# Get started with HoloLens in commercial environments
+## [Overview and deployment planning](hololens-requirements.md)
+## [Unlock Windows Holographic for Business features](hololens-upgrade-enterprise.md)
## [Configure HoloLens using a provisioning package](hololens-provisioning.md)
## [Enroll HoloLens in MDM](hololens-enroll-mdm.md)
-## [Manage updates to HoloLens](hololens-updates.md)
-## [Restore HoloLens 2 using Advanced Recovery Companion](hololens-recovery.md)
-## [Use the HoloLens Clicker](hololens-clicker.md)
-## [Restart, reset, or recover the HoloLens](hololens-restart-recover.md)
-## [Restart or recover the HoloLens clicker](hololens-clicker-restart-recover.md)
+## [Set up ring based updates for HoloLens](hololens-updates.md)
+## [Manage custom enterprise apps](hololens-install-apps.md)
+## [Enable Bitlocker device encryption for HoloLens](hololens-encryption.md)
+
+# Navigating Windows Holographic
+## [Windows Mixed Reality home](holographic-home.md)
+## [Voice and Cortana](hololens-cortana.md)
+## [Find and save files](hololens-find-and-save-files.md)
+## [Create, share, and view photos and video](holographic-photos-and-video.md)
+
+# Accessories and connectivity
+## [Connect to Bluetooth and USB-C devices](hololens-connect-devices.md)
+## [Restart or recover the HoloLens (1st gen) clicker](hololens-clicker-restart-recover.md)
+## [Connect to a network](hololens-network.md)
+## [Use HoloLens offline](hololens-offline.md)
# Application Management
-## [Install apps on HoloLens](hololens-install-apps.md)
## [Share HoloLens with multiple people](hololens-multiple-users.md)
-## [Cortana on HoloLens](hololens-cortana.md)
## [Get apps for HoloLens](hololens-get-apps.md)
## [Use apps on HoloLens](hololens-use-apps.md)
## [Use HoloLens offline](hololens-offline.md)
## [Spaces on HoloLens](hololens-spaces-on-hololens.md)
+## [How HoloLens stores data for spaces](hololens-spaces.md)
+
+# Recovery and troubleshooting
+## [Restore HoloLens 2 using Advanced Recovery Companion](hololens-recovery.md)
+## [Restart, reset, or recover the HoloLens](hololens-restart-recover.md)
# User/Access Management
## [Set up single application access](hololens-kiosk.md)
-## [Enable Bitlocker device encryption for HoloLens](hololens-encryption.md)
-## [How HoloLens stores data for spaces](hololens-spaces.md)
-## [Find and save files](hololens-find-and-save-files.md)
# [Insider preview for Microsoft HoloLens](hololens-insider.md)
# [Change history for Microsoft HoloLens documentation](change-history-hololens.md)
-
diff --git a/devices/hololens/change-history-hololens.md b/devices/hololens/change-history-hololens.md
index b886719944..a228d800c0 100644
--- a/devices/hololens/change-history-hololens.md
+++ b/devices/hololens/change-history-hololens.md
@@ -50,11 +50,6 @@ New or changed topic | Description
--- | ---
Insider preview for Microsoft HoloLens | New (topic retired on release of Windows 10, version 1809)
-## June 2018
-
-New or changed topic | Description
---- | ---
-[HoloLens in the enterprise: requirements and FAQ](hololens-requirements.md#pin) | Added instructions for creating a sign-in PIN.
## May 2018
@@ -86,12 +81,6 @@ New or changed topic | Description
--- | ---
[Enable Bitlocker device encryption for HoloLens](hololens-encryption.md) | New
-## May 2017
-
-| New or changed topic | Description |
-| --- | --- |
-| [Microsoft HoloLens in the enterprise: requirements](hololens-requirements.md) | Changed title to **Microsoft HoloLens in the enterprise: requirements and FAQ**, added questions and answers in new [FAQ section](hololens-requirements.md#faq-for-hololens) |
-
## January 2017
| New or changed topic | Description |
diff --git a/devices/hololens/docfx.json b/devices/hololens/docfx.json
index b19110b8f2..7cda17b22f 100644
--- a/devices/hololens/docfx.json
+++ b/devices/hololens/docfx.json
@@ -32,7 +32,8 @@
"breadcrumb_path": "/hololens/breadcrumb/toc.json",
"ms.technology": "windows",
"ms.topic": "article",
- "ms.author": "jdecker",
+ "audience": "ITPro",
+ "manager": "laurawi",
"ms.date": "04/05/2017",
"feedback_system": "GitHub",
"feedback_github_repo": "MicrosoftDocs/windows-itpro-docs",
diff --git a/devices/hololens/holographic-home.md b/devices/hololens/holographic-home.md
new file mode 100644
index 0000000000..576866ca2c
--- /dev/null
+++ b/devices/hololens/holographic-home.md
@@ -0,0 +1,90 @@
+---
+title: Navigate the Windows Mixed Reality home
+description: Navigate the Windows Mixed Reality home in Windows Holographic.
+ms.assetid: 742bc126-7996-4f3a-abb2-cf345dff730c
+ms.date: 08/07/2019
+keywords: hololens
+ms.prod: hololens
+ms.sitesec: library
+author: scooley
+ms.author: scooley
+ms.topic: article
+ms.localizationpriority: medium
+---
+
+# Navigate the Windows Mixed Reality home
+
+## [Navigating MR Home](https://docs.microsoft.com/en-us/windows/mixed-reality/navigating-the-windows-mixed-reality-home)
+
+## Use the Start menu
+
+The **Start** menu on HoloLens is where you'll open apps and get to the HoloLens camera.
+
+Wherever you are in HoloLens, you can always open the **Start** menu by using the [bloom gesture](https://support.microsoft.com/help/12644/hololens-use-gestures) on HoloLens (1st gen) or tapping your wrist on HoloLens 2. Usually, you'll use it once to get to **Start**, but sometimes you might need to use it twice.
+
+> [!TIP]
+> When the **Start** menu is open, use the start gesture to hide it again.
+
+At the top of the **Start** menu, you'll see status indicators for Wi-Fi, battery, and volume, plus a clock. The tiles are your pinned apps. To talk to Cortana, select her tile, or just say "Hey Cortana" from anywhere on HoloLens. At the bottom you'll find the photo and video icons, which open the camera app.
+
+To see the rest of your apps, select **All apps**. To get back to **Start** from the **All apps** list, select **Pinned apps**.
+
+## Use apps on HoloLens
+
+Apps on HoloLens use either 2D view or holographic view. Apps with 2D view look like windows, and apps with holographic view surround you and become the only app you see.
+
+### Open apps
+
+You'll find your apps either pinned to **Start** or in the **All apps** list. To get to the **All apps** list, use the bloom gesture to go to **Start**, then select **All apps**.
+
+On **Start** or in the **All apps** list, select an app. It will open in a good position for viewing.
+
+>[!NOTE]
+>- Up to three 2D app windows can be active at a time. You can open more, but only three will remain active.
+>- Each open app can have one active window at a time, except Microsoft Edge, which can have up to three.
+>- If you're having problems with apps, make sure there's enough light in your space, and walk around so HoloLens has a current scan. If you keep having trouble, see [HoloLens and holograms: FAQ](https://support.microsoft.com/help/13456/hololens-and-holograms-faq) for more info.
+
+## Move, resize, and rotate apps
+
+Moving and resizing apps on HoloLens works a bit differently than it does on a PC. Instead of dragging the app, you'll use your gaze, along with a [gesture](https://support.microsoft.com/help/12644/hololens-use-gestures) or the [clicker](hololens-clicker.md). You can also rotate an app window in 3D space.
+
+> [!TIP]
+> Rearrange apps using your voice—gaze at an app and say "Face me," "Bigger," or "Smaller." Or have Cortana move an app for you: say "Hey Cortana, move <*app name*> here."
+
+### Move an app
+
+Gaze at the app, and then do one of the following.
+
+- Tap and hold to select the app. Move your hand to position the app, and raise your finger to place it.
+
+- Select **Adjust**, tap and hold, and move your hand to position the app. Raise your finger to place it, then select **Done**.
+- Select **Adjust**, click and hold the clicker, and move your hand to position the app. Release the clicker, then select **Done**.
+
+> [!TIP]
+> If you drop apps when you move them, make sure to keep your hand in the gesture frame by following it with your gaze.
+
+### Resize an app
+
+Gaze at the app, and then do one of the following.
+
+- Gaze at a corner or edge of an app window, and tap and hold. Move your hand to change the app's size, and raise your finger when you're done.
+
+- Select **Adjust**. Gaze at one of the blue squares at the corners of the app, tap and hold, then move your hand to resize the app. Raise your finger to release it, then select **Done**.
+- Select **Adjust**. Gaze at one of the blue squares at the corners of the app, click and hold the clicker, then move your hand to resize the app. Release the clicker, then select **Done**.
+
+> [!TIP]
+> In Adjust mode, you can move or resize any hologram.
+
+### Rotate an app
+
+Gaze at the app, and tap and hold with both hands to select it. Rotate the app by keeping one hand steady and moving your other hand around it. When you're done, raise both index fingers.
+
+## Close apps
+
+To close an app that uses 2D view, gaze at it, then select **Close**.
+
+To close an app that uses holographic view, use the bloom gesture to leave holographic view, then select **Close**.
+
+## Pin apps
+
+Keep your favorite apps handy by pinning them to **Start**. In the **All apps** list, gaze at an app to highlight it. Tap and hold until the menu appears, then select **Pin**. To unpin an app, gaze at the app on **Start**, then tap and hold and select **Unpin**.
diff --git a/devices/hololens/holographic-photos-and-video.md b/devices/hololens/holographic-photos-and-video.md
new file mode 100644
index 0000000000..25e8d4a104
--- /dev/null
+++ b/devices/hololens/holographic-photos-and-video.md
@@ -0,0 +1,42 @@
+---
+title: Create, share, and view photos and video
+description: Create, share, and view photos and video
+ms.assetid: 1b636ec3-6186-4fbb-81b2-71155aef0593
+keywords: hololens
+ms.prod: hololens
+ms.sitesec: library
+author: Teresa-Motiv
+ms.author: v-tea
+ms.topic: article
+ms.localizationpriority: medium
+ms.date: 8/12/19
+ms.reviewer:
+manager: jarrettr
+appliesto:
+- Hololens (1st gen)
+---
+
+# Create, share, and view photos and video
+
+Use your HoloLens to take photos and videos that capture the holograms you've placed in your world.
+
+To sync your photos and videos to OneDrive, open the OneDrive app and select **Settings** > **Camera upload**, and then turn on **Camera upload**.
+
+## Take a photo
+
+Use the [bloom](https://support.microsoft.com/help/12644/hololens-use-gestures) gesture to go to **Start**, then select **Photo**. Use gaze to position the photo frame, then air tap to take the picture. The picture will be saved to your collection in the Photos app.
Deploy
-
(via compute module) | Video-in
Video-out
Audio-in
Audio-out
TouchBack and InkBack | Provides video, audio, and TouchBack/InkBack on a single cable.
**NOTE:** Some configuration is required to optimize the video-out experience. Refer to the section below: [Mirroring Surface Hub 2S display on another device](#). |
| HDMI + USB-C | HDMI-in for audio and video
USB-C for TouchBack and InkBack | USB-C supports TouchBack and InkBack with the HDMI A/V connection.
Use USB-C to USB-A to connect to legacy computers.
**NOTE:** For best results, connect HDMI before connecting a USB-C cable. If the computer you're using for HDMI is not compatible with TouchBack and InkBack, you won't need a USB-C cable. |
| USB-C
(via compute module) | Video-in
Audio-in | Single cable needed for A/V
TouchBack and InkBack not supported
HDCP enabled |
| HDMI (in port) | Video, Audio into Surface Hub 2S | Single cable needed for A/V
TouchBack and InkBack not supported
HDCP enabled |
@@ -68,7 +67,7 @@ You can input video to Surface Hub 2S using USB-C or HDMI, as indicated in the f
## Mirroring Surface Hub 2S display on another device
-You can output video to another display using either USB-C or MiniDP, as indicated in the following table.
+You can output video to another display using MiniDP, as indicated in the following table.
### Surface Hub 2S video-out settings
diff --git a/devices/surface-hub/surface-hub-2s-phone-authenticate.md b/devices/surface-hub/surface-hub-2s-phone-authenticate.md
index ae82ccdf36..53b8395f63 100644
--- a/devices/surface-hub/surface-hub-2s-phone-authenticate.md
+++ b/devices/surface-hub/surface-hub-2s-phone-authenticate.md
@@ -22,7 +22,7 @@ Password-less phone sign-in simplifies signing-in to your meetings and files on
## To set up password-less phone sign-in
-1. Download the [Microsoft Authenticator](https://www.microsoft.com/en-us/account/authenticator) app for iPhone or Android to your phone.
+1. Download the [Microsoft Authenticator](https://www.microsoft.com/account/authenticator) app for iPhone or Android to your phone.
2. From your PC, go to [https://aka.ms/MFASetup](https://aka.ms/MFASetup) , sign in with your account, and select **Next.**
3. In the Additional security verification screen, select Mobile App and Use verification code, and then select **Setup**.
diff --git a/devices/surface-hub/surface-hub-2s-setup.md b/devices/surface-hub/surface-hub-2s-setup.md
index 7df7a694dc..76e5ac1055 100644
--- a/devices/surface-hub/surface-hub-2s-setup.md
+++ b/devices/surface-hub/surface-hub-2s-setup.md
@@ -97,4 +97,4 @@ If you insert a USB thumb drive with a provisioning package into one of the USB
- 4. Follow the instructions to complete first time Setup.
+4. Follow the instructions to complete first time Setup.
diff --git a/devices/surface-hub/surface-hub-authenticator-app.md b/devices/surface-hub/surface-hub-authenticator-app.md
index 2ffa84dd12..9ad0606641 100644
--- a/devices/surface-hub/surface-hub-authenticator-app.md
+++ b/devices/surface-hub/surface-hub-authenticator-app.md
@@ -3,8 +3,8 @@ title: Sign in to Surface Hub with Microsoft Authenticator
description: Use Microsoft Authenticator on your mobile device to sign in to Surface Hub.
ms.prod: surface-hub
ms.sitesec: library
-author: levinec
-ms.author: ellevin
+author: dansimp
+ms.author: dansimp
ms.topic: article
ms.date: 08/28/2017
ms.reviewer:
diff --git a/devices/surface-hub/surface-hub-downloads.md b/devices/surface-hub/surface-hub-downloads.md
index 8f92a6b3a0..5e5073588a 100644
--- a/devices/surface-hub/surface-hub-downloads.md
+++ b/devices/surface-hub/surface-hub-downloads.md
@@ -3,8 +3,8 @@ title: Useful downloads for Microsoft Surface Hub
description: Downloads related to the Microsoft Surface Hub.
ms.prod: surface-hub
ms.sitesec: library
-author: levinec
-ms.author: ellevin
+author: dansimp
+ms.author: dansimp
ms.topic: article
ms.date: 08/22/2017
ms.reviewer:
diff --git a/devices/surface-hub/surface-hub-qos.md b/devices/surface-hub/surface-hub-qos.md
index 589cfcfcdf..105a188ae1 100644
--- a/devices/surface-hub/surface-hub-qos.md
+++ b/devices/surface-hub/surface-hub-qos.md
@@ -1,12 +1,12 @@
---
-title: Implement Quality of Service on Surface Hub
+title: Implement Quality of Service on Surface Hub
ms.reviewer:
manager: dansimp
description: Learn how to configure QoS on Surface Hub.
ms.prod: surface-hub
ms.sitesec: library
-author: levinec
-ms.author: ellevin
+author: dansimp
+ms.author: dansimp
ms.topic: article
ms.localizationpriority: medium
---
diff --git a/devices/surface-hub/surface-hub-recovery-tool.md b/devices/surface-hub/surface-hub-recovery-tool.md
index f1f6a52a05..7d21b8c921 100644
--- a/devices/surface-hub/surface-hub-recovery-tool.md
+++ b/devices/surface-hub/surface-hub-recovery-tool.md
@@ -7,8 +7,8 @@ manager: dansimp
keywords: manage Surface Hub
ms.prod: surface-hub
ms.sitesec: library
-author: levinec
-ms.author: ellevin
+author: dansimp
+ms.author: dansimp
ms.topic: article
ms.date: 05/22/2018
ms.localizationpriority: medium
diff --git a/devices/surface-hub/surface-hub-site-readiness-guide.md b/devices/surface-hub/surface-hub-site-readiness-guide.md
index 44e8717278..cf21867432 100644
--- a/devices/surface-hub/surface-hub-site-readiness-guide.md
+++ b/devices/surface-hub/surface-hub-site-readiness-guide.md
@@ -1,12 +1,12 @@
---
-title: Surface Hub Site Readiness Guide
+title: Surface Hub Site Readiness Guide
ms.reviewer:
manager: dansimp
-description: Use this Site Readiness Guide to help plan your Surface Hub installation.
+description: Use this Site Readiness Guide to help plan your Surface Hub installation.
ms.prod: surface-hub
ms.sitesec: library
-author: levinec
-ms.author: ellevin
+author: dansimp
+ms.author: dansimp
ms.topic: article
ms.localizationpriority: medium
---
diff --git a/devices/surface-hub/surface-hub-ssd-replacement.md b/devices/surface-hub/surface-hub-ssd-replacement.md
index 363f1e6e81..7896a7d634 100644
--- a/devices/surface-hub/surface-hub-ssd-replacement.md
+++ b/devices/surface-hub/surface-hub-ssd-replacement.md
@@ -5,8 +5,8 @@ manager: dansimp
description: Learn how to replace the solid state drive in a Surface Hub.
ms.prod: surface-hub
ms.sitesec: library
-author: levinec
-ms.author: ellevin
+author: dansimp
+ms.author: dansimp
ms.topic: article
ms.localizationpriority: medium
---
diff --git a/devices/surface-hub/surface-hub-start-menu.md b/devices/surface-hub/surface-hub-start-menu.md
index 9ddfa628e6..9c1f451f63 100644
--- a/devices/surface-hub/surface-hub-start-menu.md
+++ b/devices/surface-hub/surface-hub-start-menu.md
@@ -3,12 +3,12 @@ title: Configure Surface Hub Start menu
description: Use MDM to customize the Start menu on Surface Hub.
ms.prod: surface-hub
ms.sitesec: library
-author: levinec
-ms.author: ellevin
+author: robmazz
+ms.author: robmazz
ms.topic: article
-ms.date: 01/17/2018
+ms.date: 08/15/2018
ms.reviewer:
-manager: dansimp
+manager: laurawi
ms.localizationpriority: medium
---
@@ -107,7 +107,7 @@ There are a few key differences between Start menu customization for Surface Hub
## Example: Start layout that includes a Microsoft Edge link
-This example shows a link to a website and a link to a .pdf file.
+This example shows a link to a website and a link to a .pdf file. The secondary tile for Microsoft Edge uses a 150 x 150 pixel icon.
```xml
August 17, 2019—update for Team edition based on KB4512474* (OS Build 15063.2021)
+
+This update to the Surface Hub includes quality improvements and security fixes. Key updates to Surface Hub, not already outlined in [Windows 10 Update History](https://support.microsoft.com/help/4018124/windows-10-update-history), include:
+
+ * Ensures that Video Out on Hub 2S defaults to "Duplicate" mode.
+
+Please refer to the [Surface Hub Admin guide](https://docs.microsoft.com/surface-hub/) for enabling/disabling device features and services.
+*[KB4503289](https://support.microsoft.com/help/4503289)
+ June 18, 2019—update for Team edition based on KB4503289* (OS Build 15063.1897)
+
+This update to the Surface Hub includes quality improvements and security fixes. Key updates to Surface Hub, not already outlined in [Windows 10 Update History](https://support.microsoft.com/help/4018124/windows-10-update-history), include:
+
+* Addresses an issue with log collection for Microsoft Surface Hub 2S.
+* Addresses an issue preventing a user from signing in to a Microsoft Surface Hub device with an Azure Active Directory account. This issue occurs because a previous session did not end successfully.
+* Adds support for TLS 1.2 connections to identity providers and Exchange in device account setup scenarios.
+* Fixes to improve reliability of Hardware Diagnostic App on Hub 2S.
+* Fix to improve consistency of first-run setup experience on Hub 2S.
+
+Please refer to the [Surface Hub Admin guide](https://docs.microsoft.com/surface-hub/) for enabling/disabling device features and services.
+*[KB4503289](https://support.microsoft.com/help/4503289)
+May 28, 2019—update for Team edition based on KB4499162* (OS Build 15063.1835)
@@ -484,4 +508,4 @@ This update to the Surface Hub includes quality improvements and security fixes.
* [Windows 10 November update: FAQ](http://windows.microsoft.com/windows-10/windows-update-faq)
* [Microsoft Surface update history](http://go.microsoft.com/fwlink/p/?LinkId=724327)
* [Microsoft Lumia update history](http://go.microsoft.com/fwlink/p/?LinkId=785968)
-* [Get Windows 10](http://go.microsoft.com/fwlink/p/?LinkId=616447)
\ No newline at end of file
+* [Get Windows 10](http://go.microsoft.com/fwlink/p/?LinkId=616447)
diff --git a/devices/surface-hub/surface-hub-wifi-direct.md b/devices/surface-hub/surface-hub-wifi-direct.md
index 5d8fad351d..5120dc9b9c 100644
--- a/devices/surface-hub/surface-hub-wifi-direct.md
+++ b/devices/surface-hub/surface-hub-wifi-direct.md
@@ -4,8 +4,8 @@ description: This topic provides guidance on Wi-Fi Direct security risks.
keywords: change history
ms.prod: surface-hub
ms.sitesec: library
-author: levinec
-ms.author: ellevin
+author: dansimp
+ms.author: dansimp
ms.topic: article
ms.date: 06/20/2019
ms.reviewer:
diff --git a/devices/surface-hub/surfacehub-miracast-not-supported-europe-japan-israel.md b/devices/surface-hub/surfacehub-miracast-not-supported-europe-japan-israel.md
index 12678d2a9c..7a30ff1e37 100644
--- a/devices/surface-hub/surfacehub-miracast-not-supported-europe-japan-israel.md
+++ b/devices/surface-hub/surfacehub-miracast-not-supported-europe-japan-israel.md
@@ -2,8 +2,6 @@
title: Surface Hub Miracast channels 149-165 not supported in Europe, Japan, Israel
description: Surface Hub Miracast channels 149-165 not supported in Europe, Japan, Israel
ms.assetid: 8af3a832-0537-403b-823b-12eaa7a1af1f
-ms.reviewer:
-manager:
keywords:
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/surfacehub-whats-new-1703.md b/devices/surface-hub/surfacehub-whats-new-1703.md
index 1f9447ff87..0626c4a0d7 100644
--- a/devices/surface-hub/surfacehub-whats-new-1703.md
+++ b/devices/surface-hub/surfacehub-whats-new-1703.md
@@ -1,10 +1,10 @@
---
-title: What's new in Windows 10, version 1703 for Surface Hub
+title: What's new in Windows 10, version 1703 for Surface Hub
description: Windows 10, version 1703 (Creators Update) brings new features to Microsoft Surface Hub.
ms.prod: surface-hub
ms.sitesec: library
-author: levinec
-ms.author: ellevin
+author: dansimp
+ms.author: dansimp
ms.topic: article
ms.date: 01/18/2018
ms.reviewer:
diff --git a/devices/surface-hub/troubleshoot-surface-hub.md b/devices/surface-hub/troubleshoot-surface-hub.md
index c67203853d..af6809a477 100644
--- a/devices/surface-hub/troubleshoot-surface-hub.md
+++ b/devices/surface-hub/troubleshoot-surface-hub.md
@@ -7,8 +7,8 @@ manager: dansimp
keywords: Troubleshoot common problems, setup issues, Exchange ActiveSync errors
ms.prod: surface-hub
ms.sitesec: library
-author: levinec
-ms.author: ellevin
+author: dansimp
+ms.author: dansimp
ms.topic: article
ms.date: 03/16/2018
ms.localizationpriority: medium
diff --git a/devices/surface-hub/use-cloud-recovery-for-bitlocker-on-surfacehub.md b/devices/surface-hub/use-cloud-recovery-for-bitlocker-on-surfacehub.md
index 2cb3ab2414..d03cfe3055 100644
--- a/devices/surface-hub/use-cloud-recovery-for-bitlocker-on-surfacehub.md
+++ b/devices/surface-hub/use-cloud-recovery-for-bitlocker-on-surfacehub.md
@@ -2,8 +2,6 @@
title: How to use cloud recovery for BitLocker on a Surface Hub
description: How to use cloud recovery for BitLocker on a Surface Hub
ms.assetid: c0bde23a-49de-40f3-a675-701e3576d44d
-ms.reviewer:
-manager:
keywords: Accessibility settings, Settings app, Ease of Access
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/use-fully-qualified-domain-name-surface-hub.md b/devices/surface-hub/use-fully-qualified-domain-name-surface-hub.md
index 57f4f3faa0..33233a023b 100644
--- a/devices/surface-hub/use-fully-qualified-domain-name-surface-hub.md
+++ b/devices/surface-hub/use-fully-qualified-domain-name-surface-hub.md
@@ -2,8 +2,8 @@
title: Use fully qualified domain name with Surface Hub
description: Troubleshoot common problems, including setup issues, Exchange ActiveSync errors.
keywords: ["Troubleshoot common problems", "setup issues", "Exchange ActiveSync errors"]
-author: levinec
-ms.author: ellevin
+author: dansimp
+ms.author: dansimp
ms.topic: article
ms.date: 07/27/2017
ms.reviewer:
diff --git a/devices/surface-hub/use-room-control-system-with-surface-hub.md b/devices/surface-hub/use-room-control-system-with-surface-hub.md
index e18ca0fcd5..cbc437e783 100644
--- a/devices/surface-hub/use-room-control-system-with-surface-hub.md
+++ b/devices/surface-hub/use-room-control-system-with-surface-hub.md
@@ -7,8 +7,8 @@ manager: dansimp
keywords: room control system, Surface Hub
ms.prod: surface-hub
ms.sitesec: library
-author: levinec
-ms.author: ellevin
+author: dansimp
+ms.author: dansimp
ms.topic: article
ms.date: 07/27/2017
ms.localizationpriority: medium
diff --git a/devices/surface-hub/use-surface-hub-diagnostic-test-device-account.md b/devices/surface-hub/use-surface-hub-diagnostic-test-device-account.md
index eedbfe9ae5..40a5768d27 100644
--- a/devices/surface-hub/use-surface-hub-diagnostic-test-device-account.md
+++ b/devices/surface-hub/use-surface-hub-diagnostic-test-device-account.md
@@ -2,8 +2,6 @@
title: Using the Surface Hub Hardware Diagnostic Tool to test a device account
description: Using the Surface Hub Hardware Diagnostic Tool to test a device account
ms.assetid: a87b7d41-d0a7-4acc-bfa6-b9070f99bc9c
-ms.reviewer:
-manager:
keywords: Accessibility settings, Settings app, Ease of Access
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/whiteboard-collaboration.md b/devices/surface-hub/whiteboard-collaboration.md
index 2c8a3793a6..a6e9524cd2 100644
--- a/devices/surface-hub/whiteboard-collaboration.md
+++ b/devices/surface-hub/whiteboard-collaboration.md
@@ -1,10 +1,10 @@
---
-title: Set up and use Microsoft Whiteboard
+title: Set up and use Microsoft Whiteboard
description: Microsoft Whiteboard’s latest update includes the capability for two Surface Hubs to collaborate in real time on the same board.
ms.prod: surface-hub
ms.sitesec: library
-author: levinec
-ms.author: ellevin
+author: dansimp
+ms.author: dansimp
ms.topic: article
ms.date: 03/18/2019
ms.reviewer:
@@ -12,60 +12,59 @@ manager: dansimp
ms.localizationpriority: medium
---
-# Set up and use Microsoft Whiteboard
+# Set up and use Microsoft Whiteboard
+The Microsoft Whiteboard app includes the capability for Surface Hubs and other devices to collaborate in real time on the same board.
+## Prerequisites
->[!IMPORTANT]
->A new Microsoft Whiteboard app was released on July 12, 2018. The existing Whiteboard app that comes installed on Surface Hub and is pinned to the Welcome screen has been renamed **Microsoft Whiteboard 2016**. Microsoft Whiteboard 2016 will be automatically upgraded by May 21, 2019, and the collaboration service for the legacy app will stop functioning after June 7, 2019. For more details, see [Enable Microsoft Whiteboard on Surface Hub](https://support.office.com/article/enable-microsoft-whiteboard-on-surface-hub-b5df4539-f735-42ff-b22a-0f5e21be7627?ui=en-US&rs=en-US&ad=US).
+To use whiteboard collaboration complete the following actions:
-The Microsoft Whiteboard app includes the capability for two Surface Hubs to collaborate in real time on the same board.
+- Add Whiteboard.ms, whiteboard.microsoft.com, and wbd.ms to your list of allowed sites.
+- Open port: **HTTPS: 443** (normally configured when you first run Surface Hub.)
-By ensuring that your organization meets the prerequisites, users can then ink, collaborate, and ideate together.
+## Office 365 requirements
-
+- Whiteboard collaboration is only supported in the Office 365 commercial environment and requires Office 365 with cloud-based Azure Active Directory (Azure AD).
+- You can only run collaborative sessions among users belonging to the same Office 365 tenant.
+- Office 365 Germany or Office 365 operated by 21Vianet do not support whiteboard collaboration.
-## Prerequisites for Whiteboard to Whiteboard collaboration (Microsoft Whiteboard 2016)
-
-To get Whiteboard to Whiteboard collaboration up and running, you’ll need to make sure your organization meets the following requirements:
-
-- Office 365 with cloud-based Azure Active Directory (Azure AD) for all users
-- OneDrive for Business deployed for all users who intend to collaborate
-- Currently not utilizing Office 365 Germany or Office 365 operated by 21Vianet
-- Surface Hub needs to be updated to Windows 10, version 1607 or newer
-- Port 443 needs to be open since Whiteboard makes standard https requests
-- Whiteboard.ms, wbd.ms, \*.onenote.com, and your company's SharePoint tenant domain URLs need to be whitelisted for proxies
-
-
->[!NOTE]
->Collaborative sessions can only take place between users within the same tenant, so users outside of your organization won’t be able to join even if they have a Surface Hub.
-
-## Using Whiteboard to Whiteboard collaboration (Microsoft Whiteboard 2016)
+## Collaborating with whiteboards
To start a collaboration session:
1. In the Whiteboard app, tap the **Sign in** button.
2. Sign in with your organization ID.
3. Tap the **Invite** button next to your name at the top of the app.
-4. Tap **Start session**. Whiteboard will generate a link that you can share.
+4. Write or type the names of the colleagues you wish to collaborate with.
- 
-
-5. Copy and paste this link into a Skype chat with another Surface Hub
+On the other device, such as a Surface Hub, when you are signed in, the shared board will now appear in the board gallery.
-When the other Surface Hub receives the link, the recipient can tap on the link, sign in to Whiteboard, and then begin collaborating. You can copy and paste other content, use smart ink features like Ink to Shape, and co-author together.
-
-After you’re done, you can export a copy of the Whiteboard collaboration for yourself through the Share charm and leave the board for others to continue working.
-
->[!TIP]
->When you start a collaboration session, Whiteboard creates a folder named **Whiteboard App Data** in your OneDrive for Business to store your shared whiteboards. After some collaboration sessions, this folder may continue to sync or process changes indefinitely. You can fix this by choosing to not sync the **Whiteboard App Data** folder to your device. Disabling sync for this folder won't limit your ability to use Whiteboard for collaboration sessions.
+### User tips
+- Log in to access your whiteboards. As you work, changes are saved automatically.
+- Name your whiteboards to help organize your content and find it quickly. Select the … to open the menu. Select the **Options** gear icon to access more tools and features of the Whiteboard.
+- Use **Ink to shape** to turn drawing into actual shapes like circles, squares, and triangles.
+- Use **Ink to table** to turn a drawn grid into a table with rows and columns.
+- You can also change the background color and design from solid to grid or dots. Pick the background, then choose the color from the wheel around it.
+- You can export a copy of the Whiteboard collaboration for yourself through the Share charm and leave the board for others to continue working.
+> [!NOTE]
+> If you are using Whiteboard and cannot sign in, you can collaborate by joining a Teams or Skype for Business meeting, and then sharing your screen. After you’re done, tap **Settings** > **Export to email** or save a copy of the board. The SVG export provides higher resolution than PNG and can be opened in a web browser.
+## New features in Whiteboard
+The Microsoft Whiteboard app, updated for Surface Hub on July 1, 2019 includes a host of new features including:
+- **Automatic Saving** - Boards are saved to the cloud automatically when you sign in, and can be found in the board gallery.
+- **Extended collaboration across devices** - You can collaborate using new apps for Windows 10 PC and iOS, and a web version for other devices.
+- **Richer canvas** - In addition to ink and images, Whiteboard now includes sticky notes, text and GIFs, with more objects coming soon.
+- **Intelligence** – In addition to ink to shape and table, Whiteboard now includes ink beautification to improve handwriting and ink grab to convert images to ink.
+- **More color and background options** - Whiteboard now includes more pen colors and thickness options along with additional background colors and designs.
+- **Teams Integration** – You can automatically launch Whiteboard from a Teams meeting and share with participants (currently in preview).
## Related topics
- [Windows 10 Creators Update for Surface Hub](https://www.microsoft.com/surface/support/surface-hub/windows-10-creators-update-surface-hub)
-- [Support documentation for Microsoft Whiteboard](https://support.office.com/en-us/article/Whiteboard-Help-0c0f2aa0-b1bb-491c-b814-fd22de4d7c01)
+
+- [Support documentation for Microsoft Whiteboard](https://support.office.com/article/Whiteboard-Help-0c0f2aa0-b1bb-491c-b814-fd22de4d7c01)
diff --git a/devices/surface-hub/wireless-network-management-for-surface-hub.md b/devices/surface-hub/wireless-network-management-for-surface-hub.md
index 5e17e464a9..0a314fe596 100644
--- a/devices/surface-hub/wireless-network-management-for-surface-hub.md
+++ b/devices/surface-hub/wireless-network-management-for-surface-hub.md
@@ -7,8 +7,8 @@ manager: dansimp
keywords: network connectivity, wired connection
ms.prod: surface-hub
ms.sitesec: library
-author: levinec
-ms.author: ellevin
+author: dansimp
+ms.author: dansimp
ms.topic: article
ms.date: 07/27/2017
ms.localizationpriority: medium
diff --git a/devices/surface/TOC.md b/devices/surface/TOC.md
index 15a51ed349..665c1bd9c4 100644
--- a/devices/surface/TOC.md
+++ b/devices/surface/TOC.md
@@ -1,6 +1,6 @@
# [Surface](index.md)
-## Get started
+## [Get started](get-started.md)
## Overview
### [Surface Pro Tech specs](https://www.microsoft.com/surface/devices/surface-pro/tech-specs)
@@ -30,15 +30,16 @@
### [Surface System SKU reference](surface-system-sku-reference.md)
## Manage
+### [Optimizing wireless connectivity for Surface devices](surface-wireless-connect.md)
### [Best practice power settings for Surface devices](maintain-optimal-power-settings-on-Surface-devices.md)
### [Battery Limit setting](battery-limit.md)
### [Surface Brightness Control](microsoft-surface-brightness-control.md)
### [Surface Asset Tag](assettag.md)
### [Surface firmware and driver updates](update.md)
-### [Download the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md)
+### [Deploy the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md)
### [Manage Surface driver and firmware updates](manage-surface-pro-3-firmware-updates.md)
### [Surface Dock Updater](surface-dock-updater.md)
-### [Use System Center Configuration Manager to manage devices with SEMM](use-system-center-configuration-manager-to-manage-devices-with-semm.md)
+
## Secure
### [Manage Surface UEFI settings](manage-surface-uefi-settings.md)
@@ -46,12 +47,14 @@
### [Surface Enterprise Management Mode](surface-enterprise-management-mode.md)
### [Enroll and configure Surface devices with SEMM](enroll-and-configure-surface-devices-with-semm.md)
### [Unenroll Surface devices from SEMM](unenroll-surface-devices-from-semm.md)
-
-## Support
-### [Fix common Surface problems using the Surface Diagnostic Toolkit for Business](surface-diagnostic-toolkit-for-business-intro.md)
-### [Deploy Surface Diagnostic Toolkit for Business](surface-diagnostic-toolkit-business.md)
-### [Use Surface Diagnostic Toolkit for Business in desktop mode](surface-diagnostic-toolkit-desktop-mode.md)
-### [Run Surface Diagnostic Toolkit for Business using commands](surface-diagnostic-toolkit-command-line.md)
+### [Use System Center Configuration Manager to manage devices with SEMM](use-system-center-configuration-manager-to-manage-devices-with-semm.md)
### [Surface Data Eraser](microsoft-surface-data-eraser.md)
+
+## Troubleshoot
### [Top support solutions for Surface devices](support-solutions-surface.md)
+### [Fix common Surface problems using the Surface Diagnostic Toolkit for Business](surface-diagnostic-toolkit-for-business-intro.md)
+#### [Deploy Surface Diagnostic Toolkit for Business](surface-diagnostic-toolkit-business.md)
+#### [Use Surface Diagnostic Toolkit for Business in desktop mode](surface-diagnostic-toolkit-desktop-mode.md)
+#### [Run Surface Diagnostic Toolkit for Business using commands](surface-diagnostic-toolkit-command-line.md)
+
### [Change history for Surface documentation](change-history-for-surface.md)
diff --git a/devices/surface/assettag.md b/devices/surface/assettag.md
index 60ff9078bd..7ccc8ed708 100644
--- a/devices/surface/assettag.md
+++ b/devices/surface/assettag.md
@@ -20,16 +20,16 @@ for Surface devices. It works on Surface Pro 3 and all newer Surface devices.
## System requirements
- - Surface Pro 3 or later
+- Surface Pro 3 or later
- - UEFI firmware version 3.9.150.0 or later
+- UEFI firmware version 3.9.150.0 or later
## Using Surface Asset Tag
To run Surface Asset Tag:
1. On the Surface device, download **Surface Asset Tag.zip** from the [Microsoft Download
- Center](https://www.microsoft.com/en-us/download/details.aspx?id=46703),
+ Center](https://www.microsoft.com/download/details.aspx?id=46703),
extract the zip file, and save AssetTag.exe in desired folder (in
this example, C:\\assets).
diff --git a/devices/surface/change-history-for-surface.md b/devices/surface/change-history-for-surface.md
index 14eea5c91d..ea290fea58 100644
--- a/devices/surface/change-history-for-surface.md
+++ b/devices/surface/change-history-for-surface.md
@@ -15,6 +15,14 @@ ms.topic: article
This topic lists new and updated topics in the Surface documentation library.
+## August 2019
+
+| **New or changed topic** | **Description** |
+| ------------------------ | --------------- |
+| [Optimizing wireless connectivity for Surface devices](surface-wireless-connect.md) | New document highlights key wireless connectivity considerations for Surface devices in mobile scenarios. |
+| [Deploy the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md) | Updated to reflect minor changes in the file naming convention for Surface MSI files. |
+
+
## July 2019
| **New or changed topic** | **Description** |
diff --git a/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md b/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md
index 76e1c293cc..94094f2b60 100644
--- a/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md
+++ b/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md
@@ -1,5 +1,5 @@
---
-title: Download the latest firmware and drivers for Surface devices (Surface)
+title: Deploy the latest firmware and drivers for Surface devices (Surface)
description: This article provides a list of the available downloads for Surface devices and links to download the drivers and firmware for your device.
ms.assetid: 7662BF68-8BF7-43F7-81F5-3580A770294A
ms.reviewer:
@@ -11,27 +11,43 @@ ms.mktglfcycl: deploy
ms.pagetype: surface, devices
ms.sitesec: library
author: dansimp
-ms.date: 11/15/2018
+ms.date: 08/13/2019
ms.author: dansimp
ms.topic: article
---
-# Deploying the latest firmware and drivers for Surface devices
+# Deploy the latest firmware and drivers for Surface devices
Although Surface devices are typically automatically updated with the latest device drivers and firmware via Windows Update, sometimes it's necessary to download and install updates manually, such as during a Windows deployment.
-## Downloading MSI files
+## Download MSI files
To download MSI files, refer to the following Microsoft Support page:
- [Download drivers and firmware for Surface](https://support.microsoft.com/help/4023482/surface-download-drivers-and-firmware-for-surface)
Installation files for administrative tools, drivers for accessories, and updates for Windows are also available for some devices.
## Deploying MSI files
-Driver and firmware updates for Surface devices containing all required cumulative updates are packaged in separate MSI files for specific versions of Windows 10.
-In the name of each of these files you will find a Windows build number, this number indicates the minimum supported build required to install the drivers and firmware contained within. Refer to [Windows 10 release information](https://docs.microsoft.com/windows/windows-10/release-information) for a list of the build numbers for each version. For example, to install the drivers contained in SurfacePro6_Win10_16299_1900307_0.msi file you must have Windows 10 Fall Creators Update version 1709, or newer installed on your Surface Pro 6.
+Driver and firmware updates for Surface devices consisting of all required cumulative updates are packaged in separate MSI files for specific versions of Windows 10.
+The MSI file names contain useful information including the minimum supported Windows build number required to install the drivers and firmware. For example, to install the drivers contained in SurfaceBook_Win10_17763_19.080.2031.0.msi requires Windows 10 Fall Creators Update version 1709 or later installed on your Surface Book.
+
+To view build numbers for each version, refer to [Windows 10 release information](https://docs.microsoft.com/windows/windows-10/release-information).
### Surface MSI naming convention
-Each .MSI file is named in accordance with a formula that begins with the product and Windows release information, followed by the Windows build number and version number, and ending with the revision of version number. SurfacePro6_Win10_16299_1900307_0.msi is classified as follows:
+Beginning in August 2019, MSI files use the following naming formula:
+
+- Product > Windows release > Windows build number > Version number > Revision of version number (typically zero).
+
+**Example:**
+SurfacePro6_Win10_18362_19.073.44195_0.msi :
+
+| Product | Windows release | Build | Version | Revision of version |
+| --- | --- | --- | --- | --- |
+| SurfacePro6 | Win10 | 18362 | 19.073.44195 | 0 |
+| | | | Indicates key date and sequence information. | Indicates release history of the update. |
+| | | | **19:** Signifies the year (2019).
**073**: Signifies the month (July) and week of the release (3).
**44195**: Signifies the minute of the month that the MSI file was created. |**0:** Signifies it's the first release of version 1907344195 and has not been re-released for any reason. |
+
+### Legacy Surface MSI naming convention
+Legacy MSI files prior to August 2019 followed the same overall naming formula but used a different method to derive the version number.
**Example:**
SurfacePro6_Win10_16299_1900307_0.msi :
@@ -39,8 +55,8 @@ SurfacePro6_Win10_16299_1900307_0.msi :
| Product | Windows release | Build | Version | Revision of version |
| --- | --- | --- | --- | --- |
| SurfacePro6 | Win10 | 16299 | 1900307 | 0 |
-| | | | Indicates key date and sequence information | Indicates release history of the MSI file |
-| | | | **19:** Signifies the year (2019)
**003**: Signifies that it’s the third release of 2019
**07**: Signifies the product version number. (Surface Pro 6 is officially the seventh version of Surface Pro.) | **0:** Signifies it's the first release of version 1900307 and has not been re-released for any reason. |
+| | | | Indicates key date and sequence information. | Indicates release history of the MSI file. |
+| | | | **19:** Signifies the year (2019)
**003**: Signifies that it’s the third release of 2019.
**07**: Signifies the product version number. (Surface Pro 6 is officially the seventh version of Surface Pro.) | **0:** Signifies it's the first release of version 1900307 and has not been re-released for any reason. |
Look to the **version** number to determine the latest files that contain the most recent security updates. For example, you might need to install the newest file from the following list:
@@ -52,22 +68,13 @@ Look to the **version** number to determine the latest files that contain the mo
The first file — SurfacePro6_Win10_16299_1900307_0.msi — is the newest because its VERSION field has the newest build in 2019; the other files are from 2018.
## Supported devices
-Downloadable MSI files are available for Surface devices from Surface Pro 2 and later.
+Downloadable MSI files are available for Surface devices from Surface Pro 2 and later.
-
-[!NOTE]
-There are no downloadable firmware or driver updates available for Surface devices with Windows RT, including Surface RT and Surface 2. Updates can only be applied using Windows Update.
+>[!NOTE]
+>There are no downloadable firmware or driver updates available for Surface devices with Windows RT, including Surface RT and Surface 2. Updates can only be applied using Windows Update.
For more information about deploying Surface drivers and firmware, refer to:
-- [Manage Surface driver and firmware updates](https://docs.microsoft.com/surface/manage-surface-pro-3-firmware-updates).
-
-- [Microsoft Surface support for business](https://www.microsoft.com/surface/support/business).
-
-
-
-
-
-
-
+- [Manage Surface driver and firmware updates](https://docs.microsoft.com/surface/manage-surface-pro-3-firmware-updates)
+- [Microsoft Surface support for business](https://www.microsoft.com/surface/support/business)
diff --git a/devices/surface/deploy-windows-10-to-surface-devices-with-mdt.md b/devices/surface/deploy-windows-10-to-surface-devices-with-mdt.md
index ea5592fb85..258912cc3d 100644
--- a/devices/surface/deploy-windows-10-to-surface-devices-with-mdt.md
+++ b/devices/surface/deploy-windows-10-to-surface-devices-with-mdt.md
@@ -55,7 +55,7 @@ Before you can perform a deployment with MDT, you must first supply a set of ope
>[!NOTE]
->The installation media generated from the [Get Windows 10](https://www.microsoft.com/en-us/software-download/windows10/) page differs from physical media or media downloaded from the VLSC, in that it contains an image file in Electronic Software Download (ESD) format rather than in the Windows Imaging (WIM) format. Installation media with an image file in WIM format is required for use with MDT. Installation media from the Get Windows 10 page cannot be used for Windows deployment with MDT.
+>The installation media generated from the [Get Windows 10](https://www.microsoft.com/software-download/windows10/) page differs from physical media or media downloaded from the VLSC, in that it contains an image file in Electronic Software Download (ESD) format rather than in the Windows Imaging (WIM) format. Installation media with an image file in WIM format is required for use with MDT. Installation media from the Get Windows 10 page cannot be used for Windows deployment with MDT.
#### Windows Server
@@ -64,7 +64,7 @@ Although MDT can be installed on a Windows client, to take full advantage of Win
>[!NOTE]
->To evaluate the deployment process for Surface devices or to test the deployment process described in this article with the upcoming release of Windows Server 2016, you can download evaluation and preview versions from the [TechNet Evaluation Center](https://www.microsoft.com/en-us/evalcenter).
+>To evaluate the deployment process for Surface devices or to test the deployment process described in this article with the upcoming release of Windows Server 2016, you can download evaluation and preview versions from the [TechNet Evaluation Center](https://www.microsoft.com/evalcenter).
#### Windows Deployment Services
@@ -82,7 +82,7 @@ Because customizations are performed by MDT at the time of deployment, the goal
>[!NOTE]
->Hyper-V is available not only on Windows Server, but also on Windows clients, including Professional and Enterprise editions of Windows 8, Windows 8.1, and Windows 10. Find out more at [Client Hyper-V on Windows 10](https://msdn.microsoft.com/virtualization/hyperv_on_windows/windows_welcome) and [Client Hyper-V on Windows 8 and Windows 8.1](https://technet.microsoft.com/library/hh857623) in the TechNet Library. Hyper-V is also available as a standalone product, Microsoft Hyper-V Server, at no cost. You can download [Microsoft Hyper-V Server 2012 R2](https://www.microsoft.com/en-us/evalcenter/evaluate-hyper-v-server-2012-r2) or [Microsoft Hyper-V Server 2016 Technical Preview](https://www.microsoft.com/en-us/evalcenter/evaluate-hyper-v-server-technical-preview) from the TechNet Evaluation Center.
+>Hyper-V is available not only on Windows Server, but also on Windows clients, including Professional and Enterprise editions of Windows 8, Windows 8.1, and Windows 10. Find out more at [Client Hyper-V on Windows 10](https://msdn.microsoft.com/virtualization/hyperv_on_windows/windows_welcome) and [Client Hyper-V on Windows 8 and Windows 8.1](https://technet.microsoft.com/library/hh857623) in the TechNet Library. Hyper-V is also available as a standalone product, Microsoft Hyper-V Server, at no cost. You can download [Microsoft Hyper-V Server 2012 R2](https://www.microsoft.com/evalcenter/evaluate-hyper-v-server-2012-r2) or [Microsoft Hyper-V Server 2016 Technical Preview](https://www.microsoft.com/evalcenter/evaluate-hyper-v-server-technical-preview) from the TechNet Evaluation Center.
#### Surface firmware and drivers
diff --git a/devices/surface/docfx.json b/devices/surface/docfx.json
index 75607e9f4d..026be430c1 100644
--- a/devices/surface/docfx.json
+++ b/devices/surface/docfx.json
@@ -25,7 +25,9 @@
"breadcrumb_path": "/surface/breadcrumb/toc.json",
"ROBOTS": "INDEX, FOLLOW",
"ms.technology": "windows",
+ "audience": "ITPro",
"ms.topic": "article",
+ "manager": "laurawi",
"ms.date": "05/09/2017",
"feedback_system": "GitHub",
"feedback_github_repo": "MicrosoftDocs/windows-itpro-docs",
diff --git a/devices/surface/images/wifi-band.png b/devices/surface/images/wifi-band.png
new file mode 100644
index 0000000000..38681a9dc8
Binary files /dev/null and b/devices/surface/images/wifi-band.png differ
diff --git a/devices/surface/images/wifi-roaming.png b/devices/surface/images/wifi-roaming.png
new file mode 100644
index 0000000000..eb539c9bd6
Binary files /dev/null and b/devices/surface/images/wifi-roaming.png differ
diff --git a/devices/surface/ltsb-for-surface.md b/devices/surface/ltsb-for-surface.md
index d7e5bdc7d7..225135d993 100644
--- a/devices/surface/ltsb-for-surface.md
+++ b/devices/surface/ltsb-for-surface.md
@@ -1,5 +1,5 @@
---
-title: Long-Term Servicing Branch for Surface devices (Surface)
+title: Long-Term Servicing Channel for Surface devices (Surface)
description: LTSB is not supported for general-purpose Surface devices and should be used for specialized devices only.
ms.prod: w10
ms.mktglfcycl: manage
@@ -8,26 +8,25 @@ ms.sitesec: library
author: dansimp
ms.author: dansimp
ms.topic: article
-ms.date: 04/25/2017
ms.reviewer:
manager: dansimp
---
-# Long-Term Servicing Branch (LTSB) for Surface devices
+# Long-Term Servicing Channel (LTSC) for Surface devices
>[!WARNING]
>For updated information on this topic, see [Surface device compatibility with Windows 10 Long-Term Servicing Channel](surface-device-compatibility-with-windows-10-ltsc.md). For additional information on this update, see the [Documentation Updates for Surface and Windows 10 LTSB Compatibility](https://blogs.technet.microsoft.com/surface/2017/04/11/documentation-updates-for-surface-and-windows-10-ltsb-compatibility) post on the Surface Blog for IT Pros.
-General-purpose Surface devices running Long-Term Servicing Branch (LTSB) are not supported. As a general guideline, if a Surface device runs productivity software, such as Microsoft Office, it is a general-purpose device that does not qualify for LTSB and should instead run Current Branch (CB) or Current Branch for Business (CBB).
+General-purpose Surface devices in the Long-Term Servicing Channel (LTSC) are not supported. As a general guideline, if a Surface device runs productivity software, such as Microsoft Office, it is a general-purpose device that does not qualify for LTSC and should instead be on the Semi-Annual Channel.
>[!NOTE]
>For more information about the servicing branches, see [Overview of Windows as a service](https://technet.microsoft.com/itpro/windows/manage/waas-overview).
-LTSB prevents Surface devices from receiving critical Windows 10 feature updates and certain non-security servicing updates. Customers with poor experiences using Surface devices in the LTSB configuration will be instructed to upgrade to CB or CBB. Furthermore, the Windows 10 Enterprise LTSB edition removes core features of Surface devices, including seamless inking and touch-friendly applications. It does not contain key in-box applications including Microsoft Edge, OneNote, Calendar or Camera. Therefore, productivity is impacted and functionality is limited. LTSB is not supported as a suitable servicing solution for general-purpose Surface devices.
+LTSC prevents Surface devices from receiving critical Windows 10 feature updates and certain non-security servicing updates. Customers with poor experiences using Surface devices in the LTSC configuration will be instructed to switch to the Semi-Annual Channel. Furthermore, the Windows 10 Enterprise LTSB edition removes core features of Surface devices, including seamless inking and touch-friendly applications. It does not contain key in-box applications including Microsoft Edge, OneNote, Calendar or Camera. Therefore, productivity is impacted and functionality is limited. LTSC is not supported as a suitable servicing solution for general-purpose Surface devices.
-General-purpose Surface devices are intended to run CB or CBB to receive full servicing and firmware updates and forward compatibility with the introduction of new Surface features. With CB, feature updates are available as soon as Microsoft releases them. Customers in the CBB servicing model receive the same build of Windows 10 as those in CB, at a later date.
+General-purpose Surface devices are intended to run on the Semi-Annual Channel to receive full servicing and firmware updates and forward compatibility with the introduction of new Surface features. In the Semi-Annual Channel, feature updates are available as soon as Microsoft releases them.
-Surface devices in specialized scenarios–such as PCs that control medical equipment, point-of-sale systems, and ATMs–may consider the use of LTSB. These special-purpose systems typically perform a single task and do not require feature updates as frequently as other devices in the organization.
+Surface devices in specialized scenarios–such as PCs that control medical equipment, point-of-sale systems, and ATMs–might consider the use of LTSC. These special-purpose systems typically perform a single task and do not require feature updates as frequently as other devices in the organization.
diff --git a/devices/surface/maintain-optimal-power-settings-on-Surface-devices.md b/devices/surface/maintain-optimal-power-settings-on-Surface-devices.md
index 6dcd9db277..ede174d674 100644
--- a/devices/surface/maintain-optimal-power-settings-on-Surface-devices.md
+++ b/devices/surface/maintain-optimal-power-settings-on-Surface-devices.md
@@ -9,6 +9,7 @@ ms.author: dansimp
ms.topic: article
ms.reviewer:
manager: dansimp
+ms.date: 08/21/2019
---
# Best practice power settings for Surface devices
@@ -25,10 +26,14 @@ low power idle state (S0ix).
To ensure Surface devices across your organization fully benefit from Surface power optimization features:
-- Exclude Surface devices from any existing power management policy settings and let the Surface default policy control the power policy and behavior of the device.
-- If you must manage the power profile of devices across your network (such as in highly managed organizations), use the powercfg command tool to export the power profile from the factory image of the Surface device and then import it into the provisioning package for your Surface devices. For more information, refer to [Configure power settings](https://docs.microsoft.com/windows-hardware/customize/power-settings/configure-power-settings).
-- Always use the newest available version of the drivers and firmware for your devices and for the version of Windows 10 they're running. For more information, refer to [Deploying the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md)
-- Avoid creating custom power profiles or adjusting advanced power settings not visible in the default UI (**System** > **Power & sleep**). For more information, refer to User best practices for extended battery life in this document.
+- Install the latest drivers and firmware from Windows Update or the Surface Driver and Firmware MSI. This creates the balanced power plan (aka power profile) by default and configures optimal power settings. For more information, refer to [Deploying the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md).
+- Avoid creating custom power profiles or adjusting advanced power settings not visible in the default UI (**System** > **Power & sleep**).
+- If you must manage the power profile of devices across your network (such as in highly managed organizations), use the powercfg command tool to export the power plan from the factory image of the Surface device and then import it into the provisioning package for your Surface devices.
+
+>[!NOTE]
+>You can only export a power plan across the same type of Surface device. For example, you cannot export a power plan from Surface Laptop and import it on Surface Pro. For more information, refer to [Configure power settings](https://docs.microsoft.com/windows-hardware/customize/power-settings/configure-power-settings).
+
+- Exclude Surface devices from any existing power management policy settings.
## Background
@@ -59,14 +64,14 @@ instant on/instant off functionality typical of smartphones. S0ix, also
known as Deepest Runtime Idle Platform State (DRIPS), is the default
power mode for Surface devices. Modern standby has two modes:
- - **Connected standby.** The default mode for up-to-the minute
- delivery of emails, messaging, and cloud-synced data, connected
- standby keeps Wi-Fi on and maintains network connectivity.
+- **Connected standby.** The default mode for up-to-the minute
+ delivery of emails, messaging, and cloud-synced data, connected
+ standby keeps Wi-Fi on and maintains network connectivity.
- - **Disconnected standby.** An optional mode for extended battery
- life, disconnected standby delivers the same instant-on experience
- and saves power by turning off Wi-Fi, Bluetooth, and related network
- connectivity.
+- **Disconnected standby.** An optional mode for extended battery
+ life, disconnected standby delivers the same instant-on experience
+ and saves power by turning off Wi-Fi, Bluetooth, and related network
+ connectivity.
To learn more about modern standby, refer to the [Microsoft Hardware Dev
Center](https://docs.microsoft.com/windows-hardware/design/device-experiences/modern-standby-wake-sources).
@@ -76,13 +81,13 @@ Center](https://docs.microsoft.com/windows-hardware/design/device-experiences/mo
Surface integrates the following features designed to help users
optimize the power management experience:
- - [Singular power plan](#singular-power-plan)
+- [Singular power plan](#singular-power-plan)
- - [Simplified power settings user
- interface](#simplified-power-settings-user-interface)
+- [Simplified power settings user
+ interface](#simplified-power-settings-user-interface)
- - [Windows performance power
- slider](#windows-performance-power-slider)
+- [Windows performance power
+ slider](#windows-performance-power-slider)
### Singular power plan
@@ -171,4 +176,4 @@ To learn more, see:
- [Battery
saver](https://docs.microsoft.com/windows-hardware/design/component-guidelines/battery-saver)
-- [Deploying the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md)
\ No newline at end of file
+- [Deploying the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md)
diff --git a/devices/surface/manage-surface-pro-3-firmware-updates.md b/devices/surface/manage-surface-pro-3-firmware-updates.md
index 0913c4266d..e37749103c 100644
--- a/devices/surface/manage-surface-pro-3-firmware-updates.md
+++ b/devices/surface/manage-surface-pro-3-firmware-updates.md
@@ -62,16 +62,3 @@ The individual driver files are also made available in the Microsoft Download Ce
**Windows PE and Surface firmware and drivers**
A best practice for deployment with any solution that uses the Windows Preinstallation Environment (WinPE), such as System Center Configuration Manager or MDT, is to configure WinPE with only the drivers that are required during the WinPE stage of deployment. These usually include drivers for network adapters and storage controllers. This best practice helps to prevent errors with more complex drivers that rely on components that are not present in WinPE. For Surface Pro 3 devices, this is especially true of the Touch Firmware. The Touch Firmware should never be loaded in a WinPE environment on Surface Pro 3.
-
-**Update Surface Pro 3 firmware offline through USB**
-
-In some early versions of Surface Pro 3 firmware, PXE boot performance can be quite slow. This has been resolved with updated firmware, but for organizations where firmware will be updated through operating system deployment, this issue is encountered before the updates can be deployed to the device. In this scenario, you can deploy updated firmware through a USB drive to ensure that when the operating system deployment is initiated, the network boot is quick, and deployment can complete in a timely fashion. To create a USB drive to update Surface Pro 3 firmware, see [How to Update the Surface Pro 3 Firmware Offline using a USB Drive](https://blogs.technet.microsoft.com/askpfeplat/2014/10/19/how-to-update-the-surface-pro-3-firmware-offline-using-a-usb-drive/) on the Ask Premier Field Engineering (PFE) Platforms TechNet Blog.
-
-
-
-
-
-
-
-
-
diff --git a/devices/surface/microsoft-surface-brightness-control.md b/devices/surface/microsoft-surface-brightness-control.md
index 34ccb3aa18..41b2e3d994 100644
--- a/devices/surface/microsoft-surface-brightness-control.md
+++ b/devices/surface/microsoft-surface-brightness-control.md
@@ -25,16 +25,16 @@ designed to help reduce thermal load and lower the overall carbon
footprint for deployed Surface devices. The tool automatically dims the screen when not in use and
includes the following configuration options:
- - Period of inactivity before dimming the display.
+- Period of inactivity before dimming the display.
- - Brightness level when dimmed.
+- Brightness level when dimmed.
- - Maximum brightness level when in use.
+- Maximum brightness level when in use.
**To run Surface Brightness Control:**
- - Install surfacebrightnesscontrol.msi on the target device and Surface Brightness Control
- will begin working immediately.
+- Install surfacebrightnesscontrol.msi on the target device and Surface Brightness Control
+ will begin working immediately.
## Configuring Surface Brightness Control
diff --git a/devices/surface/microsoft-surface-data-eraser.md b/devices/surface/microsoft-surface-data-eraser.md
index 3688553be3..a2d74d331c 100644
--- a/devices/surface/microsoft-surface-data-eraser.md
+++ b/devices/surface/microsoft-surface-data-eraser.md
@@ -68,7 +68,7 @@ Some scenarios where Microsoft Surface Data Eraser can be helpful include:
To create a Microsoft Surface Data Eraser USB stick, first install the Microsoft Surface Data Eraser setup tool from the Microsoft Download Center using the link provided at the beginning of this article. You do not need a Surface device to *create* the USB stick. After you have downloaded the installation file to your computer, follow these steps to install the Microsoft Surface Data Eraser creation tool:
-1. Run the DataEraserSetup.msi installation file that you downloaded from the [Microsoft Download Center](https://www.microsoft.com/en-us/download/details.aspx?id=46703).
+1. Run the DataEraserSetup.msi installation file that you downloaded from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=46703).
2. Select the check box to accept the terms of the license agreement, and then click **Install**.
diff --git a/devices/surface/step-by-step-surface-deployment-accelerator.md b/devices/surface/step-by-step-surface-deployment-accelerator.md
index 2d0b406711..956924345f 100644
--- a/devices/surface/step-by-step-surface-deployment-accelerator.md
+++ b/devices/surface/step-by-step-surface-deployment-accelerator.md
@@ -61,8 +61,8 @@ The following steps show you how to create a deployment share for Windows 10 tha
>[!NOTE]
>As of SDA version 1.96.0405, SDA will install only the components of the Windows ADK that are required for deployment, as follows:
> * Deployment tools
- > * User State Migration Tool (USMT)
- > * Windows Preinstallation Environment (WinPE)
+ > * User State Migration Tool (USMT)
+ > * Windows Preinstallation Environment (WinPE)
> [!NOTE]
> As of SDA version 1.96.0405, SDA will install and use MDT 2013 Update 2. Earlier versions of SDA are compatible only with MDT 2013 Update 1.
@@ -75,11 +75,11 @@ The following steps show you how to create a deployment share for Windows 10 tha
- **Local Path** – Specify or browse to a location on the local storage device where you would like to store the deployment share files for the Windows 10 SDA deployment share. For example, **E:\\SDAWin10\\** is the location specified in Figure 3.
- - **Share Name** – Specify a name for the file share that will be used to access the deployment share on this server from the network. For example, **SDAWin10** is the deployment share name shown in Figure 3. The local path folder is automatically shared by the SDA scripts under this name to the group **Everyone** with a permission level of **Full Control**.
+ - **Share Name** – Specify a name for the file share that will be used to access the deployment share on this server from the network. For example, **SDAWin10** is the deployment share name shown in Figure 3. The local path folder is automatically shared by the SDA scripts under this name to the group **Everyone** with a permission level of **Full Control**.
- **Windows 10 Deployment Services**
- - Select the **Import boot media into the local Windows Deployment Service** check box if you would like to boot your Surface devices from the network to perform the Windows deployment. Windows Deployment Services must be installed and configured to respond to PXE boot requests. See [Windows Deployment Services Getting Started Guide for Windows Server 2012](https://technet.microsoft.com/library/jj648426.aspx) for more information about how to configure Windows Deployment Services for PXE boot.
+ - Select the **Import boot media into the local Windows Deployment Service** check box if you would like to boot your Surface devices from the network to perform the Windows deployment. Windows Deployment Services must be installed and configured to respond to PXE boot requests. See [Windows Deployment Services Getting Started Guide for Windows Server 2012](https://technet.microsoft.com/library/jj648426.aspx) for more information about how to configure Windows Deployment Services for PXE boot.
- **Windows 10 Source Files**
@@ -100,25 +100,25 @@ The following steps show you how to create a deployment share for Windows 10 tha
7. On the **Summary** page confirm your selections and click **Finish** to begin the creation of your deployment share. The process can take several minutes as files are downloaded, the tools are installed, and the deployment share is created. While the SDA scripts are creating your deployment share, an **Installation Progress** window will be displayed, as shown in Figure 5. A typical SDA process includes:
- - Download of Windows ADK
+ - Download of Windows ADK
- - Installation of Windows ADK
+ - Installation of Windows ADK
- - Download of MDT
+ - Download of MDT
- - Installation of MDT
+ - Installation of MDT
- - Download of Surface apps and drivers
+ - Download of Surface apps and drivers
- - Creation of the deployment share
+ - Creation of the deployment share
- - Import of Windows installation files into the deployment share
+ - Import of Windows installation files into the deployment share
- - Import of the apps and drivers into the deployment share
+ - Import of the apps and drivers into the deployment share
- - Creation of rules and task sequences for Windows deployment
+ - Creation of rules and task sequences for Windows deployment
- 
+ 
*Figure 5. The Installation Progress window*
diff --git a/devices/surface/support-solutions-surface.md b/devices/surface/support-solutions-surface.md
index a6099038b0..5cc8e9de9d 100644
--- a/devices/surface/support-solutions-surface.md
+++ b/devices/surface/support-solutions-surface.md
@@ -25,7 +25,7 @@ These are the top Microsoft Support solutions for common issues experienced when
## Screen cracked or scratched issues
-- [Cracked screen and physical damage](https://www.microsoft.com/surface/support/warranty-service-and-recovery/surface-is-damaged)
+- [Contact Microsoft Support](https://support.microsoft.com/en-us/supportforbusiness/productselection)
## Device cover or keyboard issues
diff --git a/devices/surface/surface-diagnostic-toolkit-for-business-intro.md b/devices/surface/surface-diagnostic-toolkit-for-business-intro.md
index 83613f4a36..293aeafe93 100644
--- a/devices/surface/surface-diagnostic-toolkit-for-business-intro.md
+++ b/devices/surface/surface-diagnostic-toolkit-for-business-intro.md
@@ -29,14 +29,13 @@ Before you run the diagnostic tool, make sure you have the latest Windows update
**To run the Surface Diagnostic Toolkit for Business:**
1. Download the [Surface Diagnostic Toolkit for Business](https://aka.ms/SDT4B).
-2. Select Run and follow the on-screen instructions.
-
-The diagnosis and repair time averages 15 minutes but could take an hour or longer, depending on internet connection speed and the number of updates or repairs required. For more detailed information on Surface Diagnostic Toolkit for Business, refer to [Deploy Surface Diagnostic Toolkit for Business](https://docs.microsoft.com/surface/surface-diagnostic-toolkit-business).
+2. Select Run and follow the on-screen instructions. For full details, refer to [Deploy Surface Diagnostic Toolkit for Business](https://docs.microsoft.com/surface/surface-diagnostic-toolkit-business).
+The diagnosis and repair time averages 15 minutes but could take an hour or longer, depending on internet connection speed and the number of updates or repairs required.
# If you still need help
If the Surface Diagnostic Toolkit for Business didn’t fix the problem, you can also:
-- Make an in-store appointment: We might be able to fix the problem or provide a replacement Surface at your local Microsoft Store. [Locate a Microsoft Store near you](https://www.microsoft.com/en-us/store/locations/find-a-store?WT.mc_id=MSC_Solutions_en_us_scheduleappt).
+- Make an in-store appointment: We might be able to fix the problem or provide a replacement Surface at your local Microsoft Store. [Locate a Microsoft Store near you](https://www.microsoft.com/store/locations/find-a-store?WT.mc_id=MSC_Solutions_en_us_scheduleappt).
- Contact customer support: If you want to talk to someone about how to fix your problem, [contact us](https://support.microsoft.com/en-us/help/4037645/contact-surface-warranty-and-software-support-for-business).
- Get your Surface serviced: If your Surface product needs service, [request it online](https://mybusinessservice.surface.com/).
diff --git a/devices/surface/surface-enterprise-management-mode.md b/devices/surface/surface-enterprise-management-mode.md
index df65b6c73d..5944375042 100644
--- a/devices/surface/surface-enterprise-management-mode.md
+++ b/devices/surface/surface-enterprise-management-mode.md
@@ -226,7 +226,9 @@ create a reset package using PowerShell to reset SEMM.
## Version History
-
+### Version 2.54.139.0
+* Support to Surface Hub 2S
+* Bug fixes
### Version 2.43.136.0
* Support to enable/disable simulatenous multithreating
diff --git a/devices/surface/surface-wireless-connect.md b/devices/surface/surface-wireless-connect.md
new file mode 100644
index 0000000000..fe1ff34fe6
--- /dev/null
+++ b/devices/surface/surface-wireless-connect.md
@@ -0,0 +1,84 @@
+---
+title: Optimizing wireless connectivity for Surface devices
+description: This topic provides guidance around recommended wireless connectivity settings for network admins and users.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: dansimp
+ms.localizationpriority: medium
+ms.author: dansimp
+ms.topic: article
+ms.date: 08/15/2019
+ms.reviewer:
+manager: dansimp
+---
+# Optimizing wireless connectivity for Surface devices
+
+## Introduction
+
+To stay connected with all-day battery life, Surface devices implement wireless connectivity settings that balance performance and power conservation. Outside of the most demanding mobility scenarios, users can maintain sufficient wireless connectivity without modifying default network adapter or related settings.
+
+In congested network environments, organizations can implement purpose-built wireless protocols across multiple network access points to facilitate roaming. This page highlights key wireless connectivity considerations in mobile scenarios utilizing Surface Pro 3 and later, Surface Book, Surface Laptop, and Surface Go.
+
+## Prerequisites
+
+This document assumes you have successfully deployed a wireless network that supports 802.11n (Wi-Fi 4) or later in accordance with best practice recommendations from leading equipment vendors.
+
+## Configuring access points for optimal roaming capabilities
+
+If you’re managing a wireless network that’s typically accessed by many different types of client devices, it’s recommended to enable specific protocols on access points (APs) in your WLAN, as described in [Fast Roaming with 802.11k, 802.11v, and 802.11r](https://docs.microsoft.com/en-us/windows-hardware/drivers/network/fast-roaming-with-802-11k--802-11v--and-802-11r). Surface devices can take advantage of the following wireless protocols:
+
+- **802.11r.** “**Fast BSS Transition”** accelerates connecting to new wireless access points by reducing the number of frames required before your device can access another AP as you move around with your device.
+- **802.11k.** **“Neighbor Reports”** provides devices with information on current conditions at neighboring access points. It can help your Surface device choose the best AP using criteria other than signal strength such as AP utilization.
+
+Surface Go devices can also use 802.11v “BSS Transition Management Frames,” which functions much like 802.11k in providing information on nearby candidate APs.
+
+## Managing user settings
+
+You can achieve optimal roaming capabilities through a well-designed network that supports 802.11r and 802.11k across all access points. Ensuring that your network is properly configured to provide users with the best wireless experience is the recommended approach versus attempting to manage user settings on individual devices. Moreover, in many corporate environments Surface device users won’t be able to access advanced network adapter settings without explicit permissions or local admin rights. In other lightly managed networks, users can benefit by knowing how specific settings can impact their ability to remain connected.
+
+### Recommended user settings and best practices
+
+In certain situations, modifying advanced network adapter settings built into Surface devices may facilitate a more reliable connection. Keep in mind however that an inability to connect to wireless resources is more often due to an access point issue, networking design flaw, or environmental site issue.
+
+> [!NOTE]
+> How you hold your Surface Pro or Surface Go can also affect signal strength. If you’re experiencing a loss of bandwidth, check that you’re not holding the top of the display, where the Wi-Fi radio receiver is located. Although holding the top of the display does not block wireless signals, it can trigger the device driver to initiate changes that reduce connectivity.
+
+### Keep default Auto setting for dual bandwidth capability
+On most Surface devices, you can configure client network adapter settings to only connect to wireless APs over 5 gigahertz (GHz), only connect over 2.4 GHz, or let the operating system choose the best option (default Auto setting).
+
+**To access network adapter settings go to:**
+
+- **Start** > **Control panel** > **Network and Sharing Center** > **your Wi-Fi adapter** > **Properties** > **Configure** > **Advanced**.
+
+
+
+Keep in mind that 2.4 GHz has some advantages over 5 GHz: It extends further and more easily penetrates through walls or other solid objects. Unless you have a clear use case that warrants connecting to 5 GHz, it’s recommended to leave the Band setting in the default state to avoid possible adverse consequences. For example:
+
+
+- Many hotspots found in hotels, coffee shops, and airports still only use 2.4 GHz, effectively blocking access to devices if Band is set to 5 GHz Only.
+- Since Miracast wireless display connections require the initial handshake to be completed over 2.4 GHz channels, devices won’t be able to connect at 5 GHz Only.
+
+> [!NOTE]
+> By default Surface devices will prefer connecting to 5 GHz if available. However, to preserve power in a low battery state, Surface will first look for a 2.4 GHz connection.
+
+You can also toggle the band setting as needed to suit your environment. For example, users living in high density apartment buildings with multiple Wi-Fi hotspots — amid the presence of consumer devices all broadcasting via 2.4 GHz — will likely benefit by setting their Surface device to connect on 5 GHz only and then revert to Auto when needed.
+
+### Roaming aggressiveness settings on Surface Go
+
+Front-line workers using Surface Go may wish to select a signal strength threshold that prompts the device to search for a new access point when signal strength drops (roaming aggressiveness). By default, Surface devices attempt to roam to a new access point if the signal strength drops below **Medium** (50 percent signal strength). Note that whenever you increase roaming aggressiveness, you accelerate battery power consumption.
+
+Leave the roaming aggressiveness setting in the default state unless you’re encountering connectivity issues in specific mobile scenarios such as conducting environmental site inspections while also maintaining voice and video connectivity during a conference meeting. If you don’t notice any improvement revert to the default **Medium** state.
+
+**To enable roaming aggressiveness on Surface Go:**
+
+1. Go to **Start > Control Panel** > **Network and Internet** > **Network and Sharing Center.**
+2. Under **Connections** select **Wi-Fi** and then select **Properties.**
+3. Select **Client for Microsoft Networks** and then select **Configure**
+4. Select **Advanced** > **Roaming Aggressiveness** and choose ****your preferred value from the drop-down menu.
+
+
+
+## Conclusion
+
+Surface devices are designed with default settings for optimal wireless connectivity balanced alongside the need to preserve battery life. The most effective way of enabling reliable connectivity for Surface devices is through a well-designed network that supports 802.11r and 802.11k. Users can adjust network adapter settings or roaming aggressiveness but should only do so in response to specific environmental factors and revert to default state if there’s no noticeable improvement.
diff --git a/devices/surface/surface.yml b/devices/surface/surface.yml
deleted file mode 100644
index 8287763c1e..0000000000
--- a/devices/surface/surface.yml
+++ /dev/null
@@ -1,61 +0,0 @@
-### YamlMime:YamlDocument
-
-documentType: LandingData
-title: Surface devices
-metadata:
- document_id:
- title: Surface devices
- description: Find tools, step-by-step guides, and other resources to help you plan, deploy, and manage Surface devices in your organization.
- keywords: Windows 10, issues, fixes, announcements, Windows Server, advisories
- ms.localizationpriority: medium
- author: lizap
- ms.author: elizapo
- manager: dougkim
- ms.topic: article
- ms.devlang: na
-
-sections:
-- items:
- - type: markdown
- text: "
- Find tools, step-by-step guides, and other resources to help you plan, deploy, and manage Surface devices in your organization.
- "
-- title: Explore
-- items:
- - type: markdown
- text: "
- Evaluate the Surface device portfolio, review the tools and technologies for management of your Surface devices, and learn about Surface technologies and devices with engineering walkthroughs.
-
- "
-- title: Plan
-- items:
- - type: markdown
- text: "
- Explore essential concepts for the deployment of Windows 10 to Surface devices.
**Surface Pro**
Light enough to take anywhere. Powerful enough to use as a full desktop workstation.
See spec
**Surface Book**
Built for extreme performance. Lightning fast access to apps. Up to 16 hours of battery life.
See spec
**Surface Studio**
Professional-grade power and performance. Use it upright or draw on it like a drafting table.
See spec
-
- "
-- title: Deploy
-- items:
- - type: markdown
- text: "
- Download deployment tools and get step-by-step guidance on how to upgrade a Surface device or deploy a new image.
**Try Windows 10 Enterprise free for 90 days**
Try the latest features. Test your apps, hardware, and deployment strategies.
Get started
**Windows 10 upgrade paths**
Upgrade to Windows 10 from a previous version, or from one edition to another.
Explore paths
**Prepare for Windows 10 deployment**
Get familiar with current deployment options and best practices.
Review options
-
- "
-- title: Manage
-- items:
- - type: markdown
- text: "
- Learn how to more easily manage and secure Surface devices in your organization.
**Microsoft Deployment Toolkit (MDT)**
Automate Windows 10 deployment, and more easily manage security and configurations.
Download the toolkit
**System Center Configuration Manager**
Use in tandem with MDT to deploy Windows 10 and manage PCs and devices moving forward.
Download an eval
**Surface Deployment Accelerator**
Automate the creation and configuration of Windows images for Surface devices.
Download the accelerator
-
- "
-- title: Stay informed
-- items:
- - type: markdown
- text: "
- 
**Manage Surface firmware and driver updates**
Download the latest firmware and drivers for Surface devices.
Manage Surface Dock Updater.
Surface update history
**Discover Surface tools for IT**
Surface Diagnostic Toolkit
Surface Data Eraser
Surface Enterprise Management Mode
Surface Pro 3 Asset Tag CLI Utility
**Manage settings and devices**
Manage Windows corporate devices
Manage Surface UEFI Settings
Bitlocker PIN on Surface Pro 3 and other tablets
Enroll and configure Surface devices with SEMM
- "
diff --git a/devices/surface/update.md b/devices/surface/update.md
index 0a3a4b4a5d..d68bf71ed8 100644
--- a/devices/surface/update.md
+++ b/devices/surface/update.md
@@ -21,23 +21,7 @@ Find out how to download and manage the latest firmware and driver updates for y
| Topic | Description |
| --- | --- |
-|[Wake On LAN for Surface devices](wake-on-lan-for-surface-devices.md) | See how you can use Wake On LAN to remotely wake up devices to perform management or maintenance tasks, or to enable management solutions automatically. |
-| [Download the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md)| Get a list of the available downloads for Surface devices and links to download the drivers and firmware for your device.|
| [Manage Surface driver and firmware updates](manage-surface-pro-3-firmware-updates.md)| Explore the available options to manage firmware and driver updates for Surface devices.|
+| [Deploy the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md)| Find links to manually deploy firmware and drivers, outside of Windows Update. |
| [Surface Dock Updater](surface-dock-updater.md)| Get a detailed walkthrough of Microsoft Surface Dock Updater.|
-
-
-## Related topics
-
-[Surface TechCenter](https://technet.microsoft.com/windows/surface)
-
-[Surface for IT pros blog](http://blogs.technet.com/b/surface/)
-
-
-
-
-
-
-
-
-
+|[Wake On LAN for Surface devices](wake-on-lan-for-surface-devices.md) | See how you can use Wake On LAN to remotely wake up devices to perform management or maintenance tasks, or to enable management solutions automatically. |
diff --git a/devices/surface/upgrade-surface-devices-to-windows-10-with-mdt.md b/devices/surface/upgrade-surface-devices-to-windows-10-with-mdt.md
index 72f123de7f..fc560e5345 100644
--- a/devices/surface/upgrade-surface-devices-to-windows-10-with-mdt.md
+++ b/devices/surface/upgrade-surface-devices-to-windows-10-with-mdt.md
@@ -14,7 +14,7 @@ ms.reviewer:
manager: dansimp
---
-# Upgrade Surface devices to Windows 10 with Microsoft Deployment Toolkit
+# Upgrade Surface devices to Windows 10 with Microsoft Deployment Toolkit
#### Applies to
* Surface Pro 3
@@ -52,7 +52,7 @@ You will also need to have available the following resources:
* Windows 10 installation files, such as the installation media downloaded from the [Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx)
>[!NOTE]
- >Installation media for use with MDT must contain a Windows image in Windows Imaging Format (.wim). Installation media produced by the [Get Windows 10](https://www.microsoft.com/en-us/software-download/windows10/) page does not use a .wim file, instead using an Electronic Software Download (.esd) file, which is not compatible with MDT.
+ >Installation media for use with MDT must contain a Windows image in Windows Imaging Format (.wim). Installation media produced by the [Get Windows 10](https://www.microsoft.com/software-download/windows10/) page does not use a .wim file, instead using an Electronic Software Download (.esd) file, which is not compatible with MDT.
* [Surface firmware and drivers](https://technet.microsoft.com/itpro/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices) for Windows 10
* Application installation files for any applications you want to install, such as the Surface app
diff --git a/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md b/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md
index af796bd2c4..0432c65257 100644
--- a/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md
+++ b/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md
@@ -44,7 +44,7 @@ Management of SEMM with Configuration Manager requires the installation of Micro
#### Download SEMM scripts for Configuration Manager
-After Microsoft Surface UEFI Manager is installed on the client Surface device, SEMM is deployed and managed with PowerShell scripts. You can download samples of the [SEMM management scripts](https://www.microsoft.com/en-us/download/details.aspx?id=46703) from the Download Center.
+After Microsoft Surface UEFI Manager is installed on the client Surface device, SEMM is deployed and managed with PowerShell scripts. You can download samples of the [SEMM management scripts](https://www.microsoft.com/download/details.aspx?id=46703) from the Download Center.
## Deploy Microsoft Surface UEFI Manager
@@ -103,39 +103,45 @@ The sample scripts include examples of how to set Surface UEFI settings and how
### Specify certificate and package names
-The first region of the script that you need to modify is the portion that specifies and loads the SEMM certificate, and also indicates the names for the SEMM configuration package and SEMM reset package. The certificate and package names are specified on lines 56 through 67 in the ConfigureSEMM.ps1 script:
+The first region of the script that you need to modify is the portion that specifies and loads the SEMM certificate, and also indicates SurfaceUEFIManager version, the names for the SEMM configuration package and SEMM reset package. The certificate name and SurfaceUEFIManager version are specified on lines 56 through 73 in the ConfigureSEMM.ps1 script:
```
56 $WorkingDirPath = split-path -parent $MyInvocation.MyCommand.Definition
57 $packageRoot = "$WorkingDirPath\Config"
- 58
- 59 if (-not (Test-Path $packageRoot)) { New-Item -ItemType Directory -Force -Path $packageRoot }
- 60 Copy-Item "$WorkingDirPath\FabrikamOwnerSigner.pfx" $packageRoot
- 61
- 62 $privateOwnerKey = Join-Path -Path $packageRoot -ChildPath "FabrikamOwnerSigner.pfx"
- 63 $ownerPackageName = Join-Path -Path $packageRoot -ChildPath "FabrikamSignerProvisioningPackage.pkg"
- 64 $resetPackageName = Join-Path -Path $packageRoot -ChildPath "FabrikamUniversalResetPackage.pkg"
- 65
- 66 # If your PFX file requires a password then it can be set here, otherwise use a blank string.
- 67 $password = "1234"
+ 58 $certName = "FabrikamSEMMSample.pfx"
+ 59 $DllVersion = "2.26.136.0"
+ 60
+ 61 $certNameOnly = [System.IO.Path]::GetFileNameWithoutExtension($certName)
+ 62 $ProvisioningPackage = $certNameOnly + "ProvisioningPackage.pkg"
+ 63 $ResetPackage = $certNameOnly + "ResetPackage.pkg"
+ 64
+ 65 if (-not (Test-Path $packageRoot)) { New-Item -ItemType Directory -Force -Path $packageRoot }
+ 66 Copy-Item "$WorkingDirPath\$certName" $packageRoot
+ 67
+ 68 $privateOwnerKey = Join-Path -Path $packageRoot -ChildPath $certName
+ 69 $ownerPackageName = Join-Path -Path $packageRoot -ChildPath $ProvisioningPackage
+ 70 $resetPackageName = Join-Path -Path $packageRoot -ChildPath $ResetPackage
+ 71
+ 72 # If your PFX file requires a password then it can be set here, otherwise use a blank string.
+ 73 $password = "1234"
```
-Replace the **FabrikamOwnerSigner.pfx** value for the **$privateOwnerKey** variable with the name of your SEMM Certificate file on both lines 60 and 62. The script will create a working directory (named Config) in the folder where your scripts are located, and will then copy the certificate file to this working directory.
+Replace the **FabrikamSEMMSample.pfx** value for the **$certName** variable with the name of your SEMM Certificate file on line 58. The script will create a working directory (named Config) in the folder where your scripts are located, and will then copy the certificate file to this working directory.
-Replace the **FabrikamSignerProvisioningPackage.pkg** and **FabrikamUniversalResetPackage.pkg** values on lines 63 and 64 to define the **$ownerPackageName** and **$resetPackageName** variables with your desired names for the SEMM configuration and reset packages. These packages will also be created in the Config directory and hold the configuration for Surface UEFI settings and permissions generated by the script.
+Owner package and reset package will also be created in the Config directory and hold the configuration for Surface UEFI settings and permissions generated by the script.
-On line 67, replace the value of the **$password** variable, from 1234, to the password for your certificate file. If a password is not required, delete the **1234** text.
+On line 73, replace the value of the **$password** variable, from 1234, to the password for your certificate file. If a password is not required, delete the **1234** text.
>[!Note]
->The last two characters of the certificate thumbprint are required to enroll a device in SEMM. This script will display these digits to the user, which allows the user or technician to record these digits before the system reboots to enroll the device in SEMM. The script uses the following code, found on lines 144-149, to accomplish this:
+>The last two characters of the certificate thumbprint are required to enroll a device in SEMM. This script will display these digits to the user, which allows the user or technician to record these digits before the system reboots to enroll the device in SEMM. The script uses the following code, found on lines 150-155, to accomplish this:
```
-144 # Device owners will need the last two characters of the thumbprint to accept SEMM ownership.
-145 # For convenience we get the thumbprint here and present to the user.
-146 $pw = ConvertTo-SecureString $password -AsPlainText -Force
-147 $certPrint = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
-148 $certPrint.Import($privateOwnerKey, $pw, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet)
-149 Write-Host "Thumbprint =" $certPrint.Thumbprint
+150 # Device owners will need the last two characters of the thumbprint to accept SEMM ownership.
+151 # For convenience we get the thumbprint here and present to the user.
+152 $pw = ConvertTo-SecureString $password -AsPlainText -Force
+153 $certPrint = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
+154 $certPrint.Import($privateOwnerKey, $pw, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet)
+155 Write-Host "Thumbprint =" $certPrint.Thumbprint
```
Administrators with access to the certificate file (.pfx) can read the thumbprint at any time by opening the .pfx file in CertMgr. To view the thumbprint with CertMgr, follow this process:
@@ -153,46 +159,47 @@ Administrators with access to the certificate file (.pfx) can read the thumbprin
### Configure permissions
-The first region of the script where you will specify the configuration for Surface UEFI is the **Configure Permissions** region. This region begins at line 202 in the sample script with the comment **# Configure Permissions** and continues to line 238. The following code fragment first sets permissions to all Surface UEFI settings so that they may be modified by SEMM only, then adds explicit permissions to allow the local user to modify the Surface UEFI password, TPM, and front and rear cameras:
+The first region of the script where you will specify the configuration for Surface UEFI is the **Configure Permissions** region. This region begins at line 210 in the sample script with the comment **# Configure Permissions** and continues to line 247. The following code fragment first sets permissions to all Surface UEFI settings so that they may be modified by SEMM only, then adds explicit permissions to allow the local user to modify the Surface UEFI password, TPM, and front and rear cameras:
```
-202 # Configure Permissions
-203 foreach ($uefiV2 IN $surfaceDevices.Values) {
-204 # Here we define which "identities" will be allowed to modify which settings
-205 # PermissionSignerOwner = The primary SEMM enterprise owner identity
-206 # PermissionLocal = The user when booting to the UEFI pre-boot GUI
-207 # PermissionSignerUser, PermissionSignerUser1, PermissionSignerUser2 =
-208 # Additional user identities created so that the signer owner
-209 # can delegate permission control for some settings.
-210 $ownerOnly = [Microsoft.Surface.IUefiSetting]::PermissionSignerOwner
-211 $ownerAndLocalUser = ([Microsoft.Surface.IUefiSetting]::PermissionSignerOwner -bor [Microsoft.Surface.IUefiSetting]::PermissionLocal)
-212
-213 # Make all permissions owner only by default
-214 foreach ($setting IN $uefiV2.Settings.Values) {
-215 $setting.ConfiguredPermissionFlags = $ownerOnly
-216 }
-217 # Allow the local user to change their own password
-218 $uefiV2.SettingsById[501].ConfiguredPermissionFlags = $ownerAndLocalUser
-219
-220 # Allow the local user to change the state of the TPM
-221 $uefiV2.Settings["Trusted Platform Module (TPM)"].ConfiguredPermissionFlags = $ownerAndLocalUser
-222
-223 # Allow the local user to change the state of the Front and Rear cameras
-224 $uefiV2.SettingsById[302].ConfiguredPermissionFlags = $ownerAndLocalUser
-225 $uefiV2.SettingsById[304].ConfiguredPermissionFlags = $ownerAndLocalUser
-226
-227
-228 # Create a unique package name based on family and LSV.
-229 # We will choose a name that can be parsed by later scripts.
-230 $packageName = $uefiV2.SurfaceUefiFamily + "^Permissions^" + $lsv + ".pkg"
-231 $fullPackageName = Join-Path -Path $packageRoot -ChildPath $packageName
-232
-233 # Build and sign the Permission package then save it to a file.
-234 $permissionPackageStream = $uefiV2.BuildAndSignPermissionPackage($privateOwnerKey, $password, "", $null, $lsv)
-235 $permissionPackage = New-Object System.IO.Filestream($fullPackageName, [System.IO.FileMode]::CreateNew, [System.IO.FileAccess]::Write)
-236 $permissionPackageStream.CopyTo($permissionPackage)
-237 $permissionPackage.Close()
-238 }
+210 # Configure Permissions
+211 foreach ($uefiV2 IN $surfaceDevices.Values) {
+212 if ($uefiV2.SurfaceUefiFamily -eq $Device.Model) {
+213 Write-Host "Configuring permissions"
+214 Write-Host $Device.Model
+215 Write-Host "======================="
+216
+217 # Here we define which "identities" will be allowed to modify which settings
+218 # PermissionSignerOwner = The primary SEMM enterprise owner identity
+219 # PermissionLocal = The user when booting to the UEFI pre-boot GUI
+220 # PermissionSignerUser, PermissionSignerUser1, PermissionSignerUser2 =
+221 # Additional user identities created so that the signer owner
+222 # can delegate permission control for some settings.
+223 $ownerOnly = [Microsoft.Surface.IUefiSetting]::PermissionSignerOwner
+224 $ownerAndLocalUser = ([Microsoft.Surface.IUefiSetting]::PermissionSignerOwner -bor [Microsoft.Surface.IUefiSetting]::PermissionLocal)
+225
+226 # Make all permissions owner only by default
+227 foreach ($setting IN $uefiV2.Settings.Values) {
+228 $setting.ConfiguredPermissionFlags = $ownerOnly
+229 }
+230
+231 # Allow the local user to change their own password
+232 $uefiV2.SettingsById[501].ConfiguredPermissionFlags = $ownerAndLocalUser
+233
+234 Write-Host ""
+235
+236 # Create a unique package name based on family and LSV.
+237 # We will choose a name that can be parsed by later scripts.
+238 $packageName = $uefiV2.SurfaceUefiFamily + "^Permissions^" + $lsv + ".pkg"
+239 $fullPackageName = Join-Path -Path $packageRoot -ChildPath $packageName
+240
+241 # Build and sign the Permission package then save it to a file.
+242 $permissionPackageStream = $uefiV2.BuildAndSignPermissionPackage($privateOwnerKey, $password, "", $null, $lsv)
+243 $permissionPackage = New-Object System.IO.Filestream($fullPackageName, [System.IO.FileMode]::CreateNew, [System.IO.FileAccess]::Write)
+244 $permissionPackageStream.CopyTo($permissionPackage)
+245 $permissionPackage.Close()
+246 }
+247 }
```
Each **$uefiV2** variable identifies a Surface UEFI setting by setting name or ID, and then configures the permissions to one of the following values:
@@ -204,74 +211,174 @@ You can find information about the available settings names and IDs for Surface
### Configure settings
-The second region of the script where you will specify the configuration for Surface UEFI is the **Configure Settings** region of the ConfigureSEMM.ps1 script, which configures whether each setting is enabled or disabled. The sample script includes instructions to set all settings to their default values. The script then provides explicit instructions to disable IPv6 for PXE Boot and to leave the Surface UEFI Administrator password unchanged. You can find this region beginning with the **# Configure Settings** comment at line 282 through line 312 in the sample script. The region appears as follows:
+The second region of the script where you will specify the configuration for Surface UEFI is the **Configure Settings** region of the ConfigureSEMM.ps1 script, which configures whether each setting is enabled or disabled. The sample script includes instructions to set all settings to their default values. The script then provides explicit instructions to disable IPv6 for PXE Boot and to leave the Surface UEFI Administrator password unchanged. You can find this region beginning with the **# Configure Settings** comment at line 291 through line 335 in the sample script. The region appears as follows:
```
-282 # Configure Settings
-283 foreach ($uefiV2 IN $surfaceDevices.Values) {
-284 # In this demo, we will start by setting every setting to the default factory setting.
-285 # You may want to start by doing this in your scripts
-286 # so that every setting gets set to a known state.
-287 foreach ($setting IN $uefiV2.Settings.Values) {
-288 $setting.ConfiguredValue = $setting.DefaultValue
-289 }
-290
-291 # If you want to set something to a different value from the default,
-292 # here are examples of how to accomplish this.
-293 $uefiV2.Settings["IPv6 for PXE Boot"].ConfiguredValue = "Disabled"
-294
-295 # If you want to leave the setting unmodified, set it to $null
-296 # PowerShell has issues setting things to $null so ClearConfiguredValue()
-297 # is supplied to do this explicitly.
-298 # Here is an example of leaving the UEFI administrator password as-is,
-299 # even after we initially set it to factory default above.
-300 $uefiV2.SettingsById[501].ClearConfiguredValue()
-301
-302 # Create a unique package name based on family and LSV.
-303 # We will choose a name that can be parsed by later scripts.
-304 $packageName = $uefiV2.SurfaceUefiFamily + "^Settings^" + $lsv + ".pkg"
-305 $fullPackageName = Join-Path -Path $packageRoot -ChildPath $packageName
-306
-307 # Build and sign the Settings package then save it to a file.
-308 $settingsPackageStream = $uefiV2.BuildAndSignSecuredSettingsPackage($privateOwnerKey, $password, "", $null, $lsv)
-309 $settingsPackage = New-Object System.IO.Filestream($fullPackageName, [System.IO.FileMode]::CreateNew, [System.IO.FileAccess]::Write)
-310 $settingsPackageStream.CopyTo($settingsPackage)
-311 $settingsPackage.Close()
-312 }
+291 # Configure Settings
+292 foreach ($uefiV2 IN $surfaceDevices.Values) {
+293 if ($uefiV2.SurfaceUefiFamily -eq $Device.Model) {
+294 Write-Host "Configuring settings"
+295 Write-Host $Device.Model
+296 Write-Host "===================="
+297
+298 # In this demo, we will start by setting every setting to the default factory setting.
+299 # You may want to start by doing this in your scripts
+300 # so that every setting gets set to a known state.
+301 foreach ($setting IN $uefiV2.Settings.Values) {
+302 $setting.ConfiguredValue = $setting.DefaultValue
+303 }
+304
+305 $EnabledValue = "Enabled"
+306 $DisabledValue = "Disabled"
+307
+308 # If you want to set something to a different value from the default,
+309 # here are examples of how to accomplish this.
+310 # This disables IPv6 PXE boot by name:
+311 $uefiV2.Settings["IPv6 for PXE Boot"].ConfiguredValue = $DisabledValue
+312
+313 # This disables IPv6 PXE Boot by ID:
+314 $uefiV2.SettingsById[400].ConfiguredValue = $DisabledValue
+315
+316 Write-Host ""
+317
+318 # If you want to leave the setting unmodified, set it to $null
+319 # PowerShell has issues setting things to $null so ClearConfiguredValue()
+320 # is supplied to do this explicitly.
+321 # Here is an example of leaving the UEFI administrator password as-is,
+322 # even after we initially set it to factory default above.
+323 $uefiV2.SettingsById[501].ClearConfiguredValue()
+324
+325 # Create a unique package name based on family and LSV.
+326 # We will choose a name that can be parsed by later scripts.
+327 $packageName = $uefiV2.SurfaceUefiFamily + "^Settings^" + $lsv + ".pkg"
+328 $fullPackageName = Join-Path -Path $packageRoot -ChildPath $packageName
+329
+330 # Build and sign the Settings package then save it to a file.
+331 $settingsPackageStream = $uefiV2.BuildAndSignSecuredSettingsPackage($privateOwnerKey, $password, "", $null, $lsv)
+332 $settingsPackage = New-Object System.IO.Filestream($fullPackageName, [System.IO.FileMode]::CreateNew, [System.IO.FileAccess]::Write)
+333 $settingsPackageStream.CopyTo($settingsPackage)
+334 $settingsPackage.Close()
+335 }
```
Like the permissions set in the **Configure Permissions** section of the script, the configuration of each Surface UEFI setting is performed by defining the **$uefiV2** variable. For each line defining the **$uefiV2** variable, a Surface UEFI setting is identified by setting name or ID and the configured value is set to **Enabled** or **Disabled**.
-If you do not want to alter the configuration of a Surface UEFI setting, for example to ensure that the Surface UEFI administrator password is not cleared by the action of resetting all Surface UEFI settings to their default, you can use **ClearConfiguredValue()** to enforce that this setting will not be altered. In the sample script, this is used on line 300 to prevent the clearing of the Surface UEFI Administrator password, identified in the sample script by its setting ID, **501**.
+If you do not want to alter the configuration of a Surface UEFI setting, for example to ensure that the Surface UEFI administrator password is not cleared by the action of resetting all Surface UEFI settings to their default, you can use **ClearConfiguredValue()** to enforce that this setting will not be altered. In the sample script, this is used on line 323 to prevent the clearing of the Surface UEFI Administrator password, identified in the sample script by its setting ID, **501**.
You can find information about the available settings names and IDs for Surface UEFI in the [Settings Names and IDs](#settings-names-and-ids) section later in this article.
### Settings registry key
-To identify enrolled systems for Configuration Manager, the ConfigureSEMM.ps1 script writes a registry key that can be used to identify enrolled systems as having been installed with the SEMM configuration script. This key can be found at the following location:
+To identify enrolled systems for Configuration Manager, the ConfigureSEMM.ps1 script writes registry keys that can be used to identify enrolled systems as having been installed with the SEMM configuration script. These keys can be found at the following location:
-`HKLM\SOFTWARE\Microsoft\Surface\SEMM\Enabled_Version1000`
+`HKLM\SOFTWARE\Microsoft\Surface\SEMM`
-The following code fragment, found on lines 352-363, is used to write this registry key:
+The following code fragment, found on lines 380-477, is used to write these registry keys:
```
-352 $SurfaceRegKey = "HKLM:\SOFTWARE\Microsoft\Surface\SEMM"
-353 New-RegKey $SurfaceRegKey
-354 $SurfaceRegValue = Get-ItemProperty $SurfaceRegKey Enabled_Version1000 -ErrorAction SilentlyContinue
-355
-356 If ($SurfaceRegValue -eq $null)
-357 {
-358 New-ItemProperty -Path $SurfaceRegKey -Name Enabled_Version1000 -PropertyType String -Value 1 | Out-Null
-359 }
-360 Else
-361 {
-362 Set-ItemProperty -Path $SurfaceRegKey -Name Enabled_Version1000 -Value 1
-363 }
+380 # For SCCM or other management solutions that wish to know what version is applied, tattoo the LSV and current DateTime (in UTC) to the registry:
+381 $UTCDate = (Get-Date).ToUniversalTime().ToString()
+382 $certIssuer = $certPrint.Issuer
+383 $certSubject = $certPrint.Subject
+384
+385 $SurfaceRegKey = "HKLM:\SOFTWARE\Microsoft\Surface\SEMM"
+386 New-RegKey $SurfaceRegKey
+387 $LSVRegValue = Get-ItemProperty $SurfaceRegKey LSV -ErrorAction SilentlyContinue
+388 $DateTimeRegValue = Get-ItemProperty $SurfaceRegKey LastConfiguredUTC -ErrorAction SilentlyContinue
+389 $OwnershipSessionIdRegValue = Get-ItemProperty $SurfaceRegKey OwnershipSessionId -ErrorAction SilentlyContinue
+390 $PermissionSessionIdRegValue = Get-ItemProperty $SurfaceRegKey PermissionSessionId -ErrorAction SilentlyContinue
+391 $SettingsSessionIdRegValue = Get-ItemProperty $SurfaceRegKey SettingsSessionId -ErrorAction SilentlyContinue
+392 $IsResetRegValue = Get-ItemProperty $SurfaceRegKey IsReset -ErrorAction SilentlyContinue
+393 $certUsedRegValue = Get-ItemProperty $SurfaceRegKey CertName -ErrorAction SilentlyContinue
+394 $certIssuerRegValue = Get-ItemProperty $SurfaceRegKey CertIssuer -ErrorAction SilentlyContinue
+395 $certSubjectRegValue = Get-ItemProperty $SurfaceRegKey CertSubject -ErrorAction SilentlyContinue
+396
+397
+398 If ($LSVRegValue -eq $null)
+399 {
+400 New-ItemProperty -Path $SurfaceRegKey -Name LSV -PropertyType DWORD -Value $lsv | Out-Null
+401 }
+402 Else
+403 {
+404 Set-ItemProperty -Path $SurfaceRegKey -Name LSV -Value $lsv
+405 }
+406
+407 If ($DateTimeRegValue -eq $null)
+408 {
+409 New-ItemProperty -Path $SurfaceRegKey -Name LastConfiguredUTC -PropertyType String -Value $UTCDate | Out-Null
+410 }
+411 Else
+412 {
+413 Set-ItemProperty -Path $SurfaceRegKey -Name LastConfiguredUTC -Value $UTCDate
+414 }
+415
+416 If ($OwnershipSessionIdRegValue -eq $null)
+417 {
+418 New-ItemProperty -Path $SurfaceRegKey -Name OwnershipSessionId -PropertyType String -Value $ownerSessionIdValue | Out-Null
+419 }
+420 Else
+421 {
+422 Set-ItemProperty -Path $SurfaceRegKey -Name OwnershipSessionId -Value $ownerSessionIdValue
+423 }
+424
+425 If ($PermissionSessionIdRegValue -eq $null)
+426 {
+427 New-ItemProperty -Path $SurfaceRegKey -Name PermissionSessionId -PropertyType String -Value $permissionSessionIdValue | Out-Null
+428 }
+429 Else
+430 {
+431 Set-ItemProperty -Path $SurfaceRegKey -Name PermissionSessionId -Value $permissionSessionIdValue
+432 }
+433
+434 If ($SettingsSessionIdRegValue -eq $null)
+435 {
+436 New-ItemProperty -Path $SurfaceRegKey -Name SettingsSessionId -PropertyType String -Value $settingsSessionIdValue | Out-Null
+437 }
+438 Else
+439 {
+440 Set-ItemProperty -Path $SurfaceRegKey -Name SettingsSessionId -Value $settingsSessionIdValue
+441 }
+442
+443 If ($IsResetRegValue -eq $null)
+444 {
+445 New-ItemProperty -Path $SurfaceRegKey -Name IsReset -PropertyType DWORD -Value 0 | Out-Null
+446 }
+447 Else
+448 {
+449 Set-ItemProperty -Path $SurfaceRegKey -Name IsReset -Value 0
+450 }
+451
+452 If ($certUsedRegValue -eq $null)
+453 {
+454 New-ItemProperty -Path $SurfaceRegKey -Name CertName -PropertyType String -Value $certName | Out-Null
+455 }
+456 Else
+457 {
+458 Set-ItemProperty -Path $SurfaceRegKey -Name CertName -Value $certName
+459 }
+460
+461 If ($certIssuerRegValue -eq $null)
+462 {
+463 New-ItemProperty -Path $SurfaceRegKey -Name CertIssuer -PropertyType String -Value $certIssuer | Out-Null
+464 }
+465 Else
+466 {
+467 Set-ItemProperty -Path $SurfaceRegKey -Name CertIssuer -Value $certIssuer
+468 }
+469
+470 If ($certSubjectRegValue -eq $null)
+471 {
+472 New-ItemProperty -Path $SurfaceRegKey -Name CertSubject -PropertyType String -Value $certSubject | Out-Null
+473 }
+474 Else
+475 {
+476 Set-ItemProperty -Path $SurfaceRegKey -Name CertSubject -Value $certSubject
+477 }
```
### Settings names and IDs
-To configure Surface UEFI settings or permissions for Surface UEFI settings, you must refer to each setting by either its setting name or setting ID. With each new update for Surface UEFI, new settings may be added. The best way to get a complete list of the settings available on a Surface device, along with the settings name and settings IDs, is to use the ShowSettingsOptions.ps1 script from SEMM_Powershell.zip in [Surface Tools for IT Downloads](https://www.microsoft.com/en-us/download/details.aspx?id=46703)
+To configure Surface UEFI settings or permissions for Surface UEFI settings, you must refer to each setting by either its setting name or setting ID. With each new update for Surface UEFI, new settings may be added. The best way to get a complete list of the settings available on a Surface device, along with the settings name and settings IDs, is to use the ShowSettingsOptions.ps1 script from SEMM_Powershell.zip in [Surface Tools for IT Downloads](https://www.microsoft.com/download/details.aspx?id=46703)
The computer where ShowSettingsOptions.ps1 is run must have Microsoft Surface UEFI Manager installed, but the script does not require a Surface device.
diff --git a/devices/surface/windows-autopilot-and-surface-devices.md b/devices/surface/windows-autopilot-and-surface-devices.md
index 8134359845..aee66dbdb7 100644
--- a/devices/surface/windows-autopilot-and-surface-devices.md
+++ b/devices/surface/windows-autopilot-and-surface-devices.md
@@ -19,39 +19,10 @@ Windows Autopilot is a cloud-based deployment technology available in Windows 10
With Surface devices, you can choose to register your devices at the time of purchase when purchasing from a Surface partner enabled for Windows Autopilot. New devices can be shipped directly to your end-users and will be automatically enrolled and configured when the units are unboxed and turned on for the first time. This process can eliminate need to reimage your devices as part of your deployment process, reducing the work required of your deployment staff and opening up new, agile methods for device management and distribution.
-In this article learn how to enroll your Surface devices in Windows Autopilot with a Surface partner and the options and considerations you will need to know along the way. This article focuses specifically on Surface devices, for more information about using Windows Autopilot with other devices, or to read more about Windows Autopilot and its capabilities, see [Overview of Windows Autopilot](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-10-autopilot) in the Windows Docs Library.
-
-## Prerequisites
-Enrollment of Surface devices in Windows Autopilot with a Surface partner enabled for Windows Autopilot has the following licensing requirements for each enrolled Surface device:
-* **Azure Active Directory Premium** – Required to enroll your devices in your organization and to automatically enroll devices in your organization’s mobile management solution.
-* **Mobile Device Management (such as Microsoft Intune)** – Required to remotely deploy applications, configure, and manage your enrolled devices.
-* **Office 365 ProPlus** – Required to deploy Microsoft Office to your enrolled devices.
-
-These requirements are also met by the following solutions:
-* Microsoft 365 E3 or E5 (includes Azure Active Directory Premium, Microsoft Intune, and Office 365 ProPlus)
-
-Or
-* Enterprise Mobility + Security E3 or E5 (includes Azure Active Directory Premium and Microsoft Intune)
-* Office 365 ProPlus, E3, or E5 (includes Office 365 ProPlus)
-
->[!NOTE]
->Deployment of devices using Windows Autopilot to complete the Out-of-Box Experience (OOBE) is supported without these prerequisites, however will yield deployed devices without applications, configuration, or enrollment in a management solution and is highly discouraged.
+In this article learn how to enroll your Surface devices in Windows Autopilot with a Surface partner and the options and considerations you will need to know along the way. This article focuses specifically on Surface devices, for more information about using Windows Autopilot with other devices, or to read more about Windows Autopilot and its capabilities, see [Overview of Windows Autopilot](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-10-autopilot) in the Windows Docs Library. For information about licensing and other prerequisites, see [Windows Autopilot requirements](https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/windows-autopilot-requirements).
### Windows version considerations
-Support for broad deployments of Surface devices using Windows Autopilot, including enrollment performed by Surface partners at the time of purchase, requires devices manufactured with or otherwise installed with Windows 10 Version 1709 (Fall Creators Update). Windows 10 Version 1709 uses a secure 4096-bit (4k) hash value to uniquely identify devices for Windows Autopilot that is necessary for deployments at scale.
-
-### Surface device support
-Surface devices with support for out-of-box deployment with Windows Autopilot, enrolled during the purchase process with a Surface partner, include the following devices, where the devices ship from the factory with Windows 10 Version 1709:
-
-* Surface Pro (5th gen)
-* Surface Laptop(1st gen)
-* Surface Studio (1st gen)
-* Surface Pro 6
-* Surface Book 2
-* Surface Laptop 2
-* Surface Studio 2
-* Surface Go
-* Surface Go with LTE Advanced
+Support for broad deployments of Surface devices using Windows Autopilot, including enrollment performed by Surface partners at the time of purchase, requires devices manufactured with or otherwise installed with Windows 10 Version 1709 (Fall Creators Update) or later. These versions support a 4000-byte (4k) hash value to uniquely identify devices for Windows Autopilot that is necessary for deployments at scale. All new Surface devices ship with Windows 10 Version 1709 or above.
## Surface partners enabled for Windows Autopilot
Enrolling Surface devices in Windows Autopilot at the time of purchase is a capability provided by select Surface partners that are enabled with the capability to identify individual Surface devices during the purchase process and perform enrollment on an organization’s behalf. Devices enrolled by a Surface partner at time of purchase can be shipped directly to users and configured entirely through the zero-touch process of Windows Autopilot, Azure Active Directory, and Mobile Device Management.
@@ -63,4 +34,3 @@ When you purchase Surface devices from a Surface partner enabled for Windows Aut
- [Insight](https://www.insight.com/en_US/buy/partner/microsoft/surface/windows-autopilot.html)
- [SHI](https://www.shi.com/Surface)
-
diff --git a/education/docfx.json b/education/docfx.json
index c336a4de5b..15587928ef 100644
--- a/education/docfx.json
+++ b/education/docfx.json
@@ -27,6 +27,9 @@
"ROBOTS": "INDEX, FOLLOW",
"audience": "windows-education",
"ms.topic": "article",
+ "ms.technology": "windows",
+ "manager": "laurawi",
+ "audience": "ITPro",
"breadcrumb_path": "/education/breadcrumb/toc.json",
"ms.date": "05/09/2017",
"feedback_system": "GitHub",
diff --git a/education/get-started/change-history-ms-edu-get-started.md b/education/get-started/change-history-ms-edu-get-started.md
index 5273dbe9ce..8524f4cf8b 100644
--- a/education/get-started/change-history-ms-edu-get-started.md
+++ b/education/get-started/change-history-ms-edu-get-started.md
@@ -6,8 +6,8 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: edu
-author: levinec
-ms.author: ellevin
+author: dansimp
+ms.author: dansimp
ms.date: 07/07/2017
ms.reviewer:
manager: dansimp
diff --git a/education/get-started/configure-microsoft-store-for-education.md b/education/get-started/configure-microsoft-store-for-education.md
index d6010ad62c..3aedd8379c 100644
--- a/education/get-started/configure-microsoft-store-for-education.md
+++ b/education/get-started/configure-microsoft-store-for-education.md
@@ -5,11 +5,11 @@ keywords: education, Microsoft Education, full cloud IT solution, school, deploy
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.topic: get-started
+ms.topic: quickstart
ms.localizationpriority: medium
ms.pagetype: edu
-author: levinec
-ms.author: ellevin
+author: dansimp
+ms.author: dansimp
ms.date: 08/29/2017
ms.reviewer:
manager: dansimp
diff --git a/education/get-started/enable-microsoft-teams.md b/education/get-started/enable-microsoft-teams.md
index 170c94d505..76b967ae75 100644
--- a/education/get-started/enable-microsoft-teams.md
+++ b/education/get-started/enable-microsoft-teams.md
@@ -5,11 +5,11 @@ keywords: education, Microsoft Education, full cloud IT solution, school, deploy
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.topic: get-started
+ms.topic: quickstart
ms.localizationpriority: medium
ms.pagetype: edu
-author: levinec
-ms.author: ellevin
+author: dansimp
+ms.author: dansimp
ms.date: 07/28/2017
ms.reviewer:
manager: dansimp
diff --git a/education/get-started/finish-setup-and-other-tasks.md b/education/get-started/finish-setup-and-other-tasks.md
index 9495aa1d31..f0bd720e51 100644
--- a/education/get-started/finish-setup-and-other-tasks.md
+++ b/education/get-started/finish-setup-and-other-tasks.md
@@ -5,11 +5,11 @@ keywords: education, Microsoft Education, full cloud IT solution, school, deploy
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.topic: get-started
+ms.topic: quickstart
ms.localizationpriority: medium
ms.pagetype: edu
-author: levinec
-ms.author: ellevin
+author: dansimp
+ms.author: dansimp
ms.date: 10/09/2017
ms.reviewer:
manager: dansimp
diff --git a/education/get-started/get-started-with-microsoft-education.md b/education/get-started/get-started-with-microsoft-education.md
index a36cdb45da..e5347813d5 100644
--- a/education/get-started/get-started-with-microsoft-education.md
+++ b/education/get-started/get-started-with-microsoft-education.md
@@ -5,11 +5,11 @@ keywords: education, Microsoft Education, full cloud IT solution, school, deploy
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.topic: hero-article
+ms.topic: article
ms.localizationpriority: medium
ms.pagetype: edu
-author: levinec
-ms.author: ellevin
+author: dansimp
+ms.author: dansimp
ms.date: 10/09/2017
ms.reviewer:
manager: dansimp
diff --git a/education/get-started/inclusive-classroom-it-admin.md b/education/get-started/inclusive-classroom-it-admin.md
index d8c3f7273d..0cd250e3ff 100644
--- a/education/get-started/inclusive-classroom-it-admin.md
+++ b/education/get-started/inclusive-classroom-it-admin.md
@@ -9,8 +9,8 @@ ms.topic: article
ms.localizationpriority: medium
ms.pagetype: edu
ROBOTS: noindex,nofollow
-author: levinec
-ms.author: ellevin
+author: dansimp
+ms.author: dansimp
ms.date: 06/12/2018
ms.reviewer:
manager: dansimp
diff --git a/education/get-started/set-up-office365-edu-tenant.md b/education/get-started/set-up-office365-edu-tenant.md
index 0d5813061e..64499de75e 100644
--- a/education/get-started/set-up-office365-edu-tenant.md
+++ b/education/get-started/set-up-office365-edu-tenant.md
@@ -5,11 +5,11 @@ keywords: education, Microsoft Education, full cloud IT solution, school, deploy
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.topic: get-started
+ms.topic: quickstart
ms.localizationpriority: medium
ms.pagetype: edu
-author: levinec
-ms.author: ellevin
+author: dansimp
+ms.author: dansimp
ms.date: 10/09/2017
ms.reviewer:
manager: dansimp
diff --git a/education/get-started/set-up-windows-10-education-devices.md b/education/get-started/set-up-windows-10-education-devices.md
index bc564efa41..2bcc88089c 100644
--- a/education/get-started/set-up-windows-10-education-devices.md
+++ b/education/get-started/set-up-windows-10-education-devices.md
@@ -5,11 +5,11 @@ keywords: education, Microsoft Education, full cloud IT solution, school, deploy
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.topic: get-started
+ms.topic: quickstart
ms.localizationpriority: medium
ms.pagetype: edu
-author: levinec
-ms.author: ellevin
+author: dansimp
+ms.author: dansimp
ms.date: 10/09/2017
ms.reviewer:
manager: dansimp
@@ -26,6 +26,8 @@ We recommend using the latest build of Windows 10, version 1703 on your educatio
To set up new Windows 10 devices and enroll them to your education tenant, choose from one of these options and follow the link to watch the video or follow the step-by-step guide:
- **Option 1: [Use the Set up School PCs app](https://docs.microsoft.com/education/windows/use-set-up-school-pcs-app)** - You can use the app to create a setup file that you can use to quickly set up one or more Windows 10 devices.
- **Option 2: [Go through Windows OOBE and join the device to Azure AD](set-up-windows-education-devices.md)** - You can go through a typical Windows 10 device setup or first-run experience to configure your device.
+- **Option 3: [Bulk enrollment for Windows devices](https://docs.microsoft.com/en-us/intune/windows-bulk-enroll)**
+- **Option 4: [Enroll Windows devices in Intune by using Windows Autopilot](https://docs.microsoft.com/en-us/intune/enrollment-autopilot)**
> [!div class="step-by-step"]
> [<< Use Intune for Education to manage groups, apps, and settings](use-intune-for-education.md)
diff --git a/education/get-started/set-up-windows-education-devices.md b/education/get-started/set-up-windows-education-devices.md
index 582134817f..a3175b1d1b 100644
--- a/education/get-started/set-up-windows-education-devices.md
+++ b/education/get-started/set-up-windows-education-devices.md
@@ -5,11 +5,11 @@ keywords: education, Microsoft Education, full cloud IT solution, school, deploy
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.topic: get-started
+ms.topic: quickstart
ms.localizationpriority: medium
ms.pagetype: edu
-author: levinec
-ms.author: ellevin
+author: dansimp
+ms.author: dansimp
ms.date: 07/28/2017
ms.reviewer:
manager: dansimp
diff --git a/education/get-started/use-intune-for-education.md b/education/get-started/use-intune-for-education.md
index 9a4b451c83..e3e3be043a 100644
--- a/education/get-started/use-intune-for-education.md
+++ b/education/get-started/use-intune-for-education.md
@@ -5,11 +5,11 @@ keywords: education, Microsoft Education, full cloud IT solution, school, deploy
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.topic: get-started
+ms.topic: quickstart
ms.localizationpriority: medium
ms.pagetype: edu
-author: levinec
-ms.author: ellevin
+author: dansimp
+ms.author: dansimp
ms.date: 08/29/2017
ms.reviewer:
manager: dansimp
@@ -21,7 +21,7 @@ manager: dansimp
> [<< Configure Microsoft Store for Education](configure-microsoft-store-for-education.md)
> [Set up Windows 10 education devices >>](set-up-windows-10-education-devices.md)
-Intune for Education is a streamlined device management solution for educational institutions that can be used to quickly set up and manage Windows 10 devices for your school. It provides a new streamlined UI with the enterprise readiness and resiliency of the Intune service. You can learn more about Intune for Education by reading the Intune for Education documentation.
+Intune for Education is a streamlined device management solution for educational institutions that can be used to quickly set up and manage Windows 10 and iOS devices for your school. It provides a new streamlined UI with the enterprise readiness and resiliency of the Intune service. You can learn more about Intune for Education by reading the Intune for Education documentation.
## Example - Set up Intune for Education, buy apps from the Store, and install the apps
In this walkthrough, we'll go through a sample scenario and walk you through the steps to:
@@ -221,4 +221,4 @@ You're now done assigning apps to all users in your tenant. It's time to set up
## Related topic
-[Get started: Deploy and manage a full cloud IT solution with Microsoft Education](get-started-with-microsoft-education.md)
+[Set up iOS device management](https://docs.microsoft.com/en-us/intune-education/setup-ios-device-management)
diff --git a/education/get-started/use-school-data-sync.md b/education/get-started/use-school-data-sync.md
index 6a025b3ff4..6ab9b54cba 100644
--- a/education/get-started/use-school-data-sync.md
+++ b/education/get-started/use-school-data-sync.md
@@ -5,11 +5,11 @@ keywords: education, Microsoft Education, full cloud IT solution, school, deploy
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.topic: get-started
+ms.topic: quickstart
ms.localizationpriority: medium
ms.pagetype: edu
-author: levinec
-ms.author: ellevin
+author: dansimp
+ms.author: dansimp
ms.date: 07/10/2017
ms.reviewer:
manager: dansimp
diff --git a/education/index.md b/education/index.md
index f07f216119..c36a33ee36 100644
--- a/education/index.md
+++ b/education/index.md
@@ -1,11 +1,11 @@
----
+---
layout: HubPage
hide_bc: true
title: Microsoft 365 Education documentation and resources | Microsoft Docs
description: Learn about product documentation and resources available for school IT administrators, teachers, students, and education app developers.
-author: CelesteDG
+author: dansimp
ms.topic: hub-page
-ms.author: celested
+ms.author: dansimp
ms.collection: ITAdminEDU
ms.date: 10/30/2017
ms.prod: w10
@@ -26,7 +26,7 @@ ms.prod: w10
**Surface IT Pro Blog**
Get insight into new Surface products plus tips and tricks for IT professionals.
Learn more
**Surface on Microsoft Mechanics**
View technical demos and walkthroughs of Surface devices, features, and functionality.
Get started
**Follow us on Twitter**
Keep up with the latest news and see the latest product demonstrations.
Visit TwitterDeployment Guidance
-
diff --git a/education/trial-in-a-box/index.md b/education/trial-in-a-box/index.md
index c91f1c0264..f21a0ddcf4 100644
--- a/education/trial-in-a-box/index.md
+++ b/education/trial-in-a-box/index.md
@@ -1,6 +1,6 @@
---
title: Microsoft Education Trial in a Box
-description: For IT admins, educators, and students, discover what you can do with Microsoft 365 Education. Try it out with our Trial in a Box program.
+description: For IT admins, educators, and students, discover what you can do with Microsoft 365 Education. Try it out with our Trial in a Box program.
keywords: education, Microsoft 365 Education, trial, full cloud IT solution, school, deploy, setup, IT admin, educator, student, explore, Trial in a Box
ms.prod: w10
ms.mktglfcycl: deploy
@@ -9,8 +9,8 @@ ms.topic: article
ms.localizationpriority: medium
ms.pagetype: edu
ROBOTS: noindex,nofollow
-author: CelesteDG
-ms.author: celested
+author: dansimp
+ms.author: dansimp
ms.date: 12/11/2017
---
diff --git a/education/trial-in-a-box/itadmin-tib-get-started.md b/education/trial-in-a-box/itadmin-tib-get-started.md
index bdb1df0296..1965c6abf7 100644
--- a/education/trial-in-a-box/itadmin-tib-get-started.md
+++ b/education/trial-in-a-box/itadmin-tib-get-started.md
@@ -5,12 +5,12 @@ keywords: education, Microsoft 365 Education, trial, full cloud IT solution, sch
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.topic: get-started
+ms.topic: quickstart
ms.localizationpriority: medium
ms.pagetype: edu
ROBOTS: noindex,nofollow
-author: levinec
-ms.author: ellevin
+author: dansimp
+ms.author: dansimp
ms.date: 03/18/2018
ms.reviewer:
manager: dansimp
@@ -278,4 +278,4 @@ For more information about checking for updates, and how to optionally turn on a
## Get more info
* Learn more at microsoft.com/education
* Find out if your school is eligible for a device trial at aka.ms/EDUTrialInABox
-* Buy Windows 10 devices
+* Buy Windows 10 devices
diff --git a/education/trial-in-a-box/support-options.md b/education/trial-in-a-box/support-options.md
index b377719a91..9cb32351de 100644
--- a/education/trial-in-a-box/support-options.md
+++ b/education/trial-in-a-box/support-options.md
@@ -1,6 +1,6 @@
---
title: Microsoft Education Trial in a Box Support
-description: Need help or have a question about using Microsoft Education Trial in a Box? Start here.
+description: Need help or have a question about using Microsoft Education Trial in a Box? Start here.
keywords: support, troubleshooting, education, Microsoft 365 Education, full cloud IT solution, school, deploy, setup, manage, Windows 10, Intune for Education, Office 365 for Education, Microsoft Store for Education, Set up School PCs
ms.prod: w10
ms.mktglfcycl: deploy
@@ -9,8 +9,8 @@ ms.topic: article
ms.localizationpriority: medium
ms.pagetype: edu
ROBOTS: noindex,nofollow
-author: levinec
-ms.author: ellevin
+author: dansimp
+ms.author: dansimp
ms.date: 03/18/2018
ms.reviewer:
manager: dansimp
diff --git a/education/windows/autopilot-reset.md b/education/windows/autopilot-reset.md
index 2c11c122c4..ecc1f3f77c 100644
--- a/education/windows/autopilot-reset.md
+++ b/education/windows/autopilot-reset.md
@@ -7,8 +7,8 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: edu
ms.localizationpriority: medium
-author: levinec
-ms.author: ellevin
+author: dansimp
+ms.author: dansimp
ms.date: 06/27/2018
ms.reviewer:
manager: dansimp
diff --git a/education/windows/change-history-edu.md b/education/windows/change-history-edu.md
index b3dd38357b..9302c8fdb4 100644
--- a/education/windows/change-history-edu.md
+++ b/education/windows/change-history-edu.md
@@ -6,8 +6,8 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: edu
-author: levinec
-ms.author: ellevin
+author: dansimp
+ms.author: dansimp
ms.date: 05/21/2019
ms.reviewer:
manager: dansimp
diff --git a/education/windows/change-to-pro-education.md b/education/windows/change-to-pro-education.md
index da30be64ef..e40ce61ea7 100644
--- a/education/windows/change-to-pro-education.md
+++ b/education/windows/change-to-pro-education.md
@@ -7,8 +7,8 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: edu
ms.localizationpriority: medium
-author: levinec
-ms.author: ellevin
+author: dansimp
+ms.author: dansimp
ms.date: 05/21/2019
ms.reviewer:
manager: dansimp
@@ -37,7 +37,7 @@ Before you change to Windows 10 Pro Education, make sure you meet these requirem
- The user making the changes must be a member of the Azure AD global administrator group.
## Compare Windows 10 Pro and Pro Education editions
-You can [compare Windows 10 Editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare) to find out more about the features we support in other editions of Windows 10.
+You can [compare Windows 10 Editions](https://www.microsoft.com/WindowsForBusiness/Compare) to find out more about the features we support in other editions of Windows 10.
For more info about Windows 10 default settings and recommendations for education customers, see [Windows 10 configuration recommendations for education customers](configure-windows-for-education.md).
@@ -314,6 +314,6 @@ For more information about integrating on-premises AD DS domains with Azure AD,
[Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md)
[Deploy Windows 10 in a school district](deploy-windows-10-in-a-school-district.md)
-[Compare Windows 10 editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare)
+[Compare Windows 10 editions](https://www.microsoft.com/WindowsForBusiness/Compare)
[Windows 10 subscription activation](https://docs.microsoft.com/windows/deployment/windows-10-subscription-activation)
diff --git a/education/windows/chromebook-migration-guide.md b/education/windows/chromebook-migration-guide.md
index 9769d7a3bf..051954b11f 100644
--- a/education/windows/chromebook-migration-guide.md
+++ b/education/windows/chromebook-migration-guide.md
@@ -10,8 +10,8 @@ ms.mktglfcycl: plan
ms.sitesec: library
ms.pagetype: edu, devices
ms.localizationpriority: medium
-author: levinec
-ms.author: ellevin
+author: dansimp
+ms.author: dansimp
ms.date: 10/13/2017
---
diff --git a/education/windows/configure-windows-for-education.md b/education/windows/configure-windows-for-education.md
index 1cb747217a..688b66c92b 100644
--- a/education/windows/configure-windows-for-education.md
+++ b/education/windows/configure-windows-for-education.md
@@ -7,8 +7,8 @@ ms.sitesec: library
ms.prod: w10
ms.pagetype: edu
ms.localizationpriority: medium
-author: levinec
-ms.author: ellevin
+author: dansimp
+ms.author: dansimp
ms.date: 08/31/2017
ms.reviewer:
manager: dansimp
diff --git a/education/windows/deploy-windows-10-in-a-school-district.md b/education/windows/deploy-windows-10-in-a-school-district.md
index bb621c32d8..43b68e46ad 100644
--- a/education/windows/deploy-windows-10-in-a-school-district.md
+++ b/education/windows/deploy-windows-10-in-a-school-district.md
@@ -7,8 +7,8 @@ ms.mktglfcycl: plan
ms.pagetype: edu
ms.sitesec: library
ms.localizationpriority: medium
-author: levinec
-ms.author: ellevin
+author: dansimp
+ms.author: dansimp
ms.reviewer:
manager: dansimp
---
@@ -26,7 +26,7 @@ This guide shows you how to deploy the Windows 10 operating system in a school d
Proper preparation is essential for a successful district deployment. To avoid common mistakes, your first step is to plan a typical district configuration. Just as with building a house, you need a blueprint for what your district and individual schools should look like when it’s finished. The second step in preparation is to learn how you will manage the users, apps, and devices in your district. Just as a builder needs to have the right tools to build a house, you need the right set of tools to deploy your district.
->**Note** This guide focuses on Windows 10 deployment and management in a district. For management of other devices and operating systems in education environments, see [Manage BYOD and corporate-owned devices with MDM solutions](https://www.microsoft.com/en-us/cloud-platform/mobile-device-management).
+>**Note** This guide focuses on Windows 10 deployment and management in a district. For management of other devices and operating systems in education environments, see [Manage BYOD and corporate-owned devices with MDM solutions](https://www.microsoft.com/cloud-platform/mobile-device-management).
### Plan a typical district configuration
@@ -115,7 +115,7 @@ The configuration process requires the following devices:
* **Admin device.** This is the device you use for your day-to-day job functions. It’s also the one you use to create and manage the Windows 10 and app deployment process. You install the Windows ADK, MDT, and the System Center Configuration Manager Console on this device.
* **Reference devices.** These are the devices that you will use as a template for the faculty and student devices. You install Windows 10 and Windows desktop apps on these devices, and then capture an image (.wim file) of the devices.
- You will have a reference device for each type of device in your district. For example, if your district has Surface, HP Stream, Dell Inspiron, and Lenovo Yoga devices, then you would have a reference device for each model. For more information about approved Windows 10 devices, see [Explore devices](https://www.microsoft.com/en-us/windows/view-all).
+ You will have a reference device for each type of device in your district. For example, if your district has Surface, HP Stream, Dell Inspiron, and Lenovo Yoga devices, then you would have a reference device for each model. For more information about approved Windows 10 devices, see [Explore devices](https://www.microsoft.com/windows/view-all).
* **Faculty and staff devices.** These are the devices that the teachers, faculty, and staff use for their day-to-day job functions. You use the admin device to deploy (or upgrade) Windows 10 and apps to these devices.
* **Student devices.** The students will use these devices. You will use the admin device deploy (or upgrade) Windows 10 and apps to them.
@@ -550,7 +550,7 @@ In this section, you installed the Windows ADK and MDT on the admin device. You
Office 365 is one of the core components of your classroom environment. You create and manage student identities in Office 365, and students and teachers use the suite as their email, contacts, and calendar system. They also use Office 365 collaboration features such as SharePoint, OneNote, and OneDrive for Business.
-As a first step in deploying your classroom, create an Office 365 Education subscription, and then configure Office 365 for the classroom. For more information about Office 365 Education deployment, see [School deployment of Office 365 Education](https://www.microsoft.com/en-us/education/products/office-365-deployment-resources/default.aspx).
+As a first step in deploying your classroom, create an Office 365 Education subscription, and then configure Office 365 for the classroom. For more information about Office 365 Education deployment, see [School deployment of Office 365 Education](https://www.microsoft.com/education/products/office-365-deployment-resources/default.aspx).
### Select the appropriate Office 365 Education license plan
@@ -991,7 +991,7 @@ Depending on your school’s requirements, you may need any combination of the f
>**Note** Although you can use Windows 10 Home on institution-owned devices, Microsoft recommends that you use Windows 10 Pro or Windows 10 Education, instead. Windows 10 Pro and Windows 10 Education provide support for MDM, policy-based management, and Microsoft Store for Business—features not available in Windows 10 Home. For more information about how to upgrade Windows 10 Home to Windows 10 Pro or Windows 10 Education, see [Windows 10 edition upgrade](https://technet.microsoft.com/itpro/windows/deploy/windows-10-edition-upgrades).
-For more information about the Windows 10 editions, see [Compare Windows 10 Editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare).
+For more information about the Windows 10 editions, see [Compare Windows 10 Editions](https://www.microsoft.com/WindowsForBusiness/Compare).
One other consideration is the mix of processor architectures you will support. If you can, support only 64-bit versions of Windows 10. If you have devices that can run only 32-bit versions of Windows 10, you will need to import both 64-bit and 32-bit versions of the Windows 10 editions listed above.
diff --git a/education/windows/deploy-windows-10-in-a-school.md b/education/windows/deploy-windows-10-in-a-school.md
index f1696a220d..3cfeafb6d3 100644
--- a/education/windows/deploy-windows-10-in-a-school.md
+++ b/education/windows/deploy-windows-10-in-a-school.md
@@ -7,8 +7,8 @@ ms.mktglfcycl: plan
ms.pagetype: edu
ms.sitesec: library
ms.localizationpriority: medium
-author: levinec
-ms.author: ellevin
+author: dansimp
+ms.author: dansimp
ms.reviewer:
manager: dansimp
---
@@ -164,7 +164,7 @@ In this section, you installed the Windows ADK and MDT on the admin device. You
Office 365 is one of the core components of your classroom environment. You create and manage student identities in Office 365, and students and teachers use the suite as their email, contacts, and calendar system. Teachers and students use Office 365 collaboration features such as SharePoint, OneNote, and OneDrive for Business.
-As a first step in deploying your classroom, create an Office 365 Education subscription, and then configure Office 365 for the classroom. For more information about Office 365 Education deployment, see [School deployment of Office 365 Education](https://www.microsoft.com/en-us/education/products/office-365-deployment-resources/default.aspx).
+As a first step in deploying your classroom, create an Office 365 Education subscription, and then configure Office 365 for the classroom. For more information about Office 365 Education deployment, see [School deployment of Office 365 Education](https://www.microsoft.com/education/products/office-365-deployment-resources/default.aspx).
### Select the appropriate Office 365 Education license plan
diff --git a/education/windows/edu-deployment-recommendations.md b/education/windows/edu-deployment-recommendations.md
index cb30050aa8..1f3bcffff3 100644
--- a/education/windows/edu-deployment-recommendations.md
+++ b/education/windows/edu-deployment-recommendations.md
@@ -5,8 +5,8 @@ keywords: Windows 10 deployment, recommendations, privacy settings, school
ms.mktglfcycl: plan
ms.sitesec: library
ms.localizationpriority: medium
-author: levinec
-ms.author: ellevin
+author: dansimp
+ms.author: dansimp
ms.date: 10/13/2017
ms.reviewer:
manager: dansimp
diff --git a/education/windows/education-scenarios-store-for-business.md b/education/windows/education-scenarios-store-for-business.md
index 5598256e19..3149237ba1 100644
--- a/education/windows/education-scenarios-store-for-business.md
+++ b/education/windows/education-scenarios-store-for-business.md
@@ -6,10 +6,10 @@ ms.prod: w10
ms.mktglfcycl: plan
ms.sitesec: library
ms.localizationpriority: medium
-searchScope:
+searchScope:
- Store
-author: levinec
-ms.author: ellevin
+author: dansimp
+ms.author: dansimp
ms.date: 03/30/2018
ms.reviewer:
manager: dansimp
diff --git a/education/windows/enable-s-mode-on-surface-go-devices.md b/education/windows/enable-s-mode-on-surface-go-devices.md
index 0862548ea6..0b7fc8c617 100644
--- a/education/windows/enable-s-mode-on-surface-go-devices.md
+++ b/education/windows/enable-s-mode-on-surface-go-devices.md
@@ -7,8 +7,8 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: edu
ms.localizationpriority: medium
-author: levinec
-ms.author: ellevin
+author: dansimp
+ms.author: dansimp
ms.date: 07/30/2018
ms.reviewer:
manager: dansimp
diff --git a/education/windows/get-minecraft-device-promotion.md b/education/windows/get-minecraft-device-promotion.md
index 4864b6d4a0..bafc4ed6ae 100644
--- a/education/windows/get-minecraft-device-promotion.md
+++ b/education/windows/get-minecraft-device-promotion.md
@@ -6,10 +6,10 @@ ms.prod: w10
ms.mktglfcycl: plan
ms.sitesec: library
ms.localizationpriority: medium
-author: levinec
-searchScope:
+author: dansimp
+searchScope:
- Store
-ms.author: ellevin
+ms.author: dansimp
ms.date: 06/05/2018
ms.reviewer:
manager: dansimp
diff --git a/education/windows/get-minecraft-for-education.md b/education/windows/get-minecraft-for-education.md
index 0908c78b04..7037b5ce14 100644
--- a/education/windows/get-minecraft-for-education.md
+++ b/education/windows/get-minecraft-for-education.md
@@ -6,10 +6,10 @@ ms.prod: w10
ms.mktglfcycl: plan
ms.sitesec: library
ms.localizationpriority: medium
-author: levinec
-searchScope:
+author: dansimp
+searchScope:
- Store
-ms.author: ellevin
+ms.author: dansimp
ms.date: 01/29/2019
ms.reviewer:
manager: dansimp
diff --git a/education/windows/index.md b/education/windows/index.md
index 0f1dedb139..b40b009575 100644
--- a/education/windows/index.md
+++ b/education/windows/index.md
@@ -7,8 +7,8 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: edu
ms.localizationpriority: medium
-author: CelesteDG
-ms.author: celested
+author: dansimp
+ms.author: dansimp
ms.date: 10/13/2017
---
@@ -19,8 +19,8 @@ ms.date: 10/13/2017
##  Learn
Windows 10, version 1607 introduces two editions designed for the unique needs of K-12 institutions: Windows 10 Pro Education and Windows 10 Education. These editions provide education-specific default settings for the evolving landscape in K-12 education IT environments.
Find out more about the features and functionality we support in each edition of Windows.
When you've made your decision, find out how to buy Windows for your school.
Find out more about the features and functionality we support in each edition of Windows.
When you've made your decision, find out how to buy Windows for your school.
[Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md)
[Deploy Windows 10 in a school district](deploy-windows-10-in-a-school-district.md)
-[Compare Windows 10 editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare)
+[Compare Windows 10 editions](https://www.microsoft.com/WindowsForBusiness/Compare)
diff --git a/education/windows/school-get-minecraft.md b/education/windows/school-get-minecraft.md
index 00a5baee8a..515bfff44f 100644
--- a/education/windows/school-get-minecraft.md
+++ b/education/windows/school-get-minecraft.md
@@ -6,10 +6,10 @@ ms.prod: w10
ms.mktglfcycl: plan
ms.sitesec: library
ms.localizationpriority: medium
-author: levinec
-searchScope:
+author: dansimp
+searchScope:
- Store
-ms.author: ellevin
+ms.author: dansimp
ms.date: 01/30/2019
ms.reviewer:
manager: dansimp
diff --git a/education/windows/set-up-school-pcs-azure-ad-join.md b/education/windows/set-up-school-pcs-azure-ad-join.md
index 7b8f55bb14..6d62b6bb55 100644
--- a/education/windows/set-up-school-pcs-azure-ad-join.md
+++ b/education/windows/set-up-school-pcs-azure-ad-join.md
@@ -1,14 +1,14 @@
----
-title: Azure AD Join with Set up School PCs app
-description: Describes how Azure AD Join is configured in the Set up School PCs app.
-keywords: shared cart, shared PC, school, set up school pcs
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.sitesec: library
-ms.pagetype: edu
-ms.localizationpriority: medium
-author: levinec
-ms.author: ellevin
+---
+title: Azure AD Join with Set up School PCs app
+description: Describes how Azure AD Join is configured in the Set up School PCs app.
+keywords: shared cart, shared PC, school, set up school pcs
+ms.prod: w10
+ms.mktglfcycl: plan
+ms.sitesec: library
+ms.pagetype: edu
+ms.localizationpriority: medium
+author: dansimp
+ms.author: dansimp
ms.date: 01/11/2019
ms.reviewer:
manager: dansimp
diff --git a/education/windows/set-up-school-pcs-provisioning-package.md b/education/windows/set-up-school-pcs-provisioning-package.md
index 48a2aa9549..12bbf4fc89 100644
--- a/education/windows/set-up-school-pcs-provisioning-package.md
+++ b/education/windows/set-up-school-pcs-provisioning-package.md
@@ -1,15 +1,15 @@
----
-title: What's in Set up School PCs provisioning package
-description: Lists the provisioning package settings that are configured in the Set up School PCs app.
-keywords: shared cart, shared PC, school, set up school pcs
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.sitesec: library
-ms.pagetype: edu
-ms.localizationpriority: medium
-author: mjcaparas
-ms.author: macapara
-ms.date: 10/17/2018
+---
+title: What's in Set up School PCs provisioning package
+description: Lists the provisioning package settings that are configured in the Set up School PCs app.
+keywords: shared cart, shared PC, school, set up school pcs
+ms.prod: w10
+ms.mktglfcycl: plan
+ms.sitesec: library
+ms.pagetype: edu
+ms.localizationpriority: medium
+author: dansimp
+ms.author: dansimp
+ms.date: 10/17/2018
ms.reviewer:
manager: dansimp
---
diff --git a/education/windows/set-up-school-pcs-shared-pc-mode.md b/education/windows/set-up-school-pcs-shared-pc-mode.md
index 50b01da4f3..2ac3eb11d0 100644
--- a/education/windows/set-up-school-pcs-shared-pc-mode.md
+++ b/education/windows/set-up-school-pcs-shared-pc-mode.md
@@ -1,15 +1,15 @@
----
-title: Shared PC mode for school devices
-description: Describes how shared PC mode is set for devices set up with the Set up School PCs app.
-keywords: shared cart, shared PC, school, set up school pcs
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.sitesec: library
-ms.pagetype: edu
-ms.localizationpriority: medium
-author: mjcaparas
-ms.author: macapara
-ms.date: 07/13/2018
+---
+title: Shared PC mode for school devices
+description: Describes how shared PC mode is set for devices set up with the Set up School PCs app.
+keywords: shared cart, shared PC, school, set up school pcs
+ms.prod: w10
+ms.mktglfcycl: plan
+ms.sitesec: library
+ms.pagetype: edu
+ms.localizationpriority: medium
+author: dansimp
+ms.author: dansimp
+ms.date: 07/13/2018
ms.reviewer:
manager: dansimp
---
diff --git a/education/windows/set-up-school-pcs-technical.md b/education/windows/set-up-school-pcs-technical.md
index ab45a9f0a7..67c378fb9f 100644
--- a/education/windows/set-up-school-pcs-technical.md
+++ b/education/windows/set-up-school-pcs-technical.md
@@ -7,8 +7,8 @@ ms.mktglfcycl: plan
ms.sitesec: library
ms.pagetype: edu
ms.localizationpriority: medium
-author: mjcaparas
-ms.author: macapara
+author: dansimp
+ms.author: dansimp
ms.date: 07/11/2018
ms.reviewer:
manager: dansimp
diff --git a/education/windows/set-up-school-pcs-whats-new.md b/education/windows/set-up-school-pcs-whats-new.md
index 27ca52dfd3..fa888ab81c 100644
--- a/education/windows/set-up-school-pcs-whats-new.md
+++ b/education/windows/set-up-school-pcs-whats-new.md
@@ -1,15 +1,15 @@
----
-title: What's new in the Windows Set up School PCs app
-description: Find out about app updates and new features in Set up School PCs.
-keywords: shared cart, shared PC, school, set up school pcs
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.sitesec: library
-ms.pagetype: edu
-ms.localizationpriority: medium
-author: mjcaparas
-ms.author: macapara
-ms.date: 06/03/2019
+---
+title: What's new in the Windows Set up School PCs app
+description: Find out about app updates and new features in Set up School PCs.
+keywords: shared cart, shared PC, school, set up school pcs
+ms.prod: w10
+ms.mktglfcycl: plan
+ms.sitesec: library
+ms.pagetype: edu
+ms.localizationpriority: medium
+author: dansimp
+ms.author: dansimp
+ms.date: 08/15/2019
ms.reviewer:
manager: dansimp
---
@@ -17,6 +17,15 @@ manager: dansimp
# What's new in Set up School PCs
Learn what’s new with the Set up School PCs app each week. Find out about new app features and functionality, and see updated screenshots. You'll also find information about past releases.
+
+## Week of June 24, 2019
+
+### Resumed support for Windows 10, version 1903 and later
+The previously mentioned provisioning problem was resolved, so the Set up School PCs app once again supports Windows 10, version 1903 and later. The Windows 10 settings that were removed are now back in the app.
+
+### Device rename made optional for Azure AD joined devices
+When you set up your Azure AD join devices in the Set up School PCs app, you no longer need to rename your devices. Set up School PCs will let you keep existing device names.
+
## Week of May 23, 2019
### Suspended support for Windows 10, version 1903 and later
diff --git a/education/windows/set-up-students-pcs-to-join-domain.md b/education/windows/set-up-students-pcs-to-join-domain.md
index 3842e9d435..0ebe308f14 100644
--- a/education/windows/set-up-students-pcs-to-join-domain.md
+++ b/education/windows/set-up-students-pcs-to-join-domain.md
@@ -6,8 +6,8 @@ ms.prod: w10
ms.mktglfcycl: plan
ms.sitesec: library
ms.localizationpriority: medium
-author: mjcaparas
-ms.author: macapara
+author: dansimp
+ms.author: dansimp
ms.date: 07/27/2017
ms.reviewer:
manager: dansimp
diff --git a/education/windows/set-up-students-pcs-with-apps.md b/education/windows/set-up-students-pcs-with-apps.md
index 8f09eb0561..c711403393 100644
--- a/education/windows/set-up-students-pcs-with-apps.md
+++ b/education/windows/set-up-students-pcs-with-apps.md
@@ -7,8 +7,8 @@ ms.pagetype: edu
ms.mktglfcycl: plan
ms.sitesec: library
ms.localizationpriority: medium
-author: mjcaparas
-ms.author: macapara
+author: dansimp
+ms.author: dansimp
ms.date: 10/13/2017
ms.reviewer:
manager: dansimp
diff --git a/education/windows/set-up-windows-10.md b/education/windows/set-up-windows-10.md
index eaa22faf91..b401df97ef 100644
--- a/education/windows/set-up-windows-10.md
+++ b/education/windows/set-up-windows-10.md
@@ -7,8 +7,8 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: edu
ms.localizationpriority: medium
-author: mjcaparas
-ms.author: macapara
+author: dansimp
+ms.author: dansimp
ms.date: 07/27/2017
ms.reviewer:
manager: dansimp
@@ -20,9 +20,9 @@ manager: dansimp
- Windows 10
You have two tools to choose from to set up PCs for your classroom:
- * Set up School PCs
- * Windows Configuration Designer
-
+* Set up School PCs
+* Windows Configuration Designer
+
Choose the tool that is appropriate for how your students will sign in (Active Directory, Azure Active Directory, or no account).
You can use the following diagram to compare the tools.
diff --git a/education/windows/take-a-test-app-technical.md b/education/windows/take-a-test-app-technical.md
index 7106de6cfd..9f006e7a88 100644
--- a/education/windows/take-a-test-app-technical.md
+++ b/education/windows/take-a-test-app-technical.md
@@ -7,8 +7,8 @@ ms.mktglfcycl: plan
ms.sitesec: library
ms.pagetype: edu
ms.localizationpriority: medium
-author: mjcaparas
-ms.author: macapara
+author: dansimp
+ms.author: dansimp
ms.date: 11/28/2017
ms.reviewer:
manager: dansimp
diff --git a/education/windows/take-a-test-multiple-pcs.md b/education/windows/take-a-test-multiple-pcs.md
index ac67906e9b..c49e6ea21f 100644
--- a/education/windows/take-a-test-multiple-pcs.md
+++ b/education/windows/take-a-test-multiple-pcs.md
@@ -7,8 +7,8 @@ ms.mktglfcycl: plan
ms.sitesec: library
ms.pagetype: edu
ms.localizationpriority: medium
-author: mjcaparas
-ms.author: macapara
+author: dansimp
+ms.author: dansimp
ms.date: 11/08/2017
ms.reviewer:
manager: dansimp
diff --git a/education/windows/take-a-test-single-pc.md b/education/windows/take-a-test-single-pc.md
index bb20a3760e..41fbb7b7fd 100644
--- a/education/windows/take-a-test-single-pc.md
+++ b/education/windows/take-a-test-single-pc.md
@@ -7,8 +7,8 @@ ms.mktglfcycl: plan
ms.sitesec: library
ms.pagetype: edu
ms.localizationpriority: medium
-author: mjcaparas
-ms.author: macapara
+author: dansimp
+ms.author: dansimp
ms.date: 11/08/2017
ms.reviewer:
manager: dansimp
diff --git a/education/windows/take-tests-in-windows-10.md b/education/windows/take-tests-in-windows-10.md
index cad3303266..4ff027e388 100644
--- a/education/windows/take-tests-in-windows-10.md
+++ b/education/windows/take-tests-in-windows-10.md
@@ -7,8 +7,8 @@ ms.mktglfcycl: plan
ms.sitesec: library
ms.pagetype: edu
ms.localizationpriority: medium
-author: mjcaparas
-ms.author: macapara
+author: dansimp
+ms.author: dansimp
ms.date: 10/16/2017
ms.reviewer:
manager: dansimp
diff --git a/education/windows/teacher-get-minecraft.md b/education/windows/teacher-get-minecraft.md
index 838aa85226..501e3f3249 100644
--- a/education/windows/teacher-get-minecraft.md
+++ b/education/windows/teacher-get-minecraft.md
@@ -6,10 +6,10 @@ ms.prod: w10
ms.mktglfcycl: plan
ms.sitesec: library
ms.localizationpriority: medium
-author: mjcaparas
-searchScope:
+author: dansimp
+searchScope:
- Store
-ms.author: macapara
+ms.author: dansimp
ms.date: 01/05/2018
ms.reviewer:
manager: dansimp
diff --git a/education/windows/test-windows10s-for-edu.md b/education/windows/test-windows10s-for-edu.md
index 8f8f6c6aa2..2b64a32bd1 100644
--- a/education/windows/test-windows10s-for-edu.md
+++ b/education/windows/test-windows10s-for-edu.md
@@ -7,8 +7,8 @@ ms.prod: w10
ms.pagetype: edu
ms.sitesec: library
ms.localizationpriority: medium
-author: mjcaparas
-ms.author: macapara
+author: dansimp
+ms.author: dansimp
ms.date: 07/30/2019
ms.reviewer:
manager: dansimp
@@ -51,7 +51,7 @@ Due to these reasons, we recommend that you use the installation tool and avoid
Before you install Windows 10 in S mode on your existing Windows 10 Pro, Windows 10 Pro Education, Windows 10 Education, or Windows 10 Enterprise device:
* Make sure that you updated your existing device to Windows 10, version 1703 (Creators Update).
- See [Download Windows 10](https://www.microsoft.com/en-us/software-download/windows10) and follow the instructions to update your device to Windows 10, version 1703. You can verify your current version in **Settings > System > About**.
+ See [Download Windows 10](https://www.microsoft.com/software-download/windows10) and follow the instructions to update your device to Windows 10, version 1703. You can verify your current version in **Settings > System > About**.
* Install the latest Windows Update.
@@ -184,7 +184,7 @@ If you see this message, follow these steps to stop receiving the message:
To use an installation media to reinstall Windows 10, follow these steps.
-1. On a working PC, go to the [Microsoft software download website](https://www.microsoft.com/en-us/software-download/windows10).
+1. On a working PC, go to the [Microsoft software download website](https://www.microsoft.com/software-download/windows10).
2. Download the Media Creation Tool and then run it.
3. Select **Create installation media for another PC**.
4. Choose a language, edition, and architecture (64-bit or 32-bit).
diff --git a/education/windows/use-set-up-school-pcs-app.md b/education/windows/use-set-up-school-pcs-app.md
index 1af547f463..3f31119391 100644
--- a/education/windows/use-set-up-school-pcs-app.md
+++ b/education/windows/use-set-up-school-pcs-app.md
@@ -7,8 +7,8 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: edu
ms.localizationpriority: medium
-author: mjcaparas
-ms.author: macapara
+author: dansimp
+ms.author: dansimp
ms.date: 10/23/2018
ms.reviewer:
manager: dansimp
diff --git a/education/windows/windows-editions-for-education-customers.md b/education/windows/windows-editions-for-education-customers.md
index 52a4aa6bb6..80555a4b90 100644
--- a/education/windows/windows-editions-for-education-customers.md
+++ b/education/windows/windows-editions-for-education-customers.md
@@ -7,8 +7,8 @@ ms.mktglfcycl: plan
ms.sitesec: library
ms.pagetype: edu
ms.localizationpriority: medium
-author: mjcaparas
-ms.author: macapara
+author: dansimp
+ms.author: dansimp
ms.date: 05/21/2019
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/TOC.md b/mdop/agpm/TOC.md
index 1443cf78ae..319eeaf746 100644
--- a/mdop/agpm/TOC.md
+++ b/mdop/agpm/TOC.md
@@ -240,5 +240,6 @@
###### [AGPM Server Connection Settings](agpm-server-connection-settings.md)
###### [Feature Visibility Settings](feature-visibility-settings.md)
##### [Other Enhancements to the GPMC](other-enhancements-to-the-gpmc.md)
+## [Troubleshooting AGPM Upgrades](troubleshooting-agpm40-upgrades.md)
## [Resources for AGPM](resources-for-agpm.md)
diff --git a/mdop/agpm/administrative-template-settings.md b/mdop/agpm/administrative-template-settings.md
index 80b6ac71d2..ba47c7e2f0 100644
--- a/mdop/agpm/administrative-template-settings.md
+++ b/mdop/agpm/administrative-template-settings.md
@@ -1,7 +1,7 @@
---
title: Administrative Template Settings
description: Administrative Template Settings
-author: mjcaparas
+author: dansimp
ms.assetid: 1abbf0c1-fd32-46a8-a3ba-c005f066523d
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/administrative-templates-folder-agpm30ops.md b/mdop/agpm/administrative-templates-folder-agpm30ops.md
index 5e0fc9628c..2a83078fab 100644
--- a/mdop/agpm/administrative-templates-folder-agpm30ops.md
+++ b/mdop/agpm/administrative-templates-folder-agpm30ops.md
@@ -1,7 +1,7 @@
---
title: Administrative Templates Folder
description: Administrative Templates Folder
-author: mjcaparas
+author: dansimp
ms.assetid: 0cc5b570-b6d3-4841-9646-02521c13519c
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/administrative-templates-folder-agpm40.md b/mdop/agpm/administrative-templates-folder-agpm40.md
index f40c1aca18..ad14b8a812 100644
--- a/mdop/agpm/administrative-templates-folder-agpm40.md
+++ b/mdop/agpm/administrative-templates-folder-agpm40.md
@@ -1,7 +1,7 @@
---
title: Administrative Templates Folder
description: Administrative Templates Folder
-author: mjcaparas
+author: dansimp
ms.assetid: abc41968-4505-4b09-94f2-67ee0e6c9aaf
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/advanced-group-policy-management-40.md b/mdop/agpm/advanced-group-policy-management-40.md
index 0ea0886272..eee54f15cc 100644
--- a/mdop/agpm/advanced-group-policy-management-40.md
+++ b/mdop/agpm/advanced-group-policy-management-40.md
@@ -1,7 +1,7 @@
---
title: Advanced Group Policy Management 4.0
description: Advanced Group Policy Management 4.0
-author: mjcaparas
+author: dansimp
ms.assetid: 9873a1f7-97fc-4546-9538-b4c0308529c0
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/agpm-25-navengl.md b/mdop/agpm/agpm-25-navengl.md
index 6b407bf5e4..f670327ad5 100644
--- a/mdop/agpm/agpm-25-navengl.md
+++ b/mdop/agpm/agpm-25-navengl.md
@@ -1,7 +1,7 @@
---
title: AGPM 2.5
description: AGPM 2.5
-author: mjcaparas
+author: dansimp
ms.assetid: 6db42f2e-88b2-4305-ab6b-d3cd0c5d686c
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/agpm-3-navengl.md b/mdop/agpm/agpm-3-navengl.md
index fd7734162e..c9bd8c14e6 100644
--- a/mdop/agpm/agpm-3-navengl.md
+++ b/mdop/agpm/agpm-3-navengl.md
@@ -1,7 +1,7 @@
---
title: AGPM 3
description: AGPM 3
-author: mjcaparas
+author: dansimp
ms.assetid: b0d0051d-2900-4a0f-8307-552ad26b0e3b
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/agpm-4-navengl.md b/mdop/agpm/agpm-4-navengl.md
index dbf263cc72..b74ee375cb 100644
--- a/mdop/agpm/agpm-4-navengl.md
+++ b/mdop/agpm/agpm-4-navengl.md
@@ -1,7 +1,7 @@
---
title: AGPM 4
description: AGPM 4
-author: mjcaparas
+author: dansimp
ms.assetid: 81693f30-1b8e-4e63-b1ac-e6de1bc30cc0
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/agpm-40-sp1-navengl.md b/mdop/agpm/agpm-40-sp1-navengl.md
index 03a4a2a65d..4dc1d9c084 100644
--- a/mdop/agpm/agpm-40-sp1-navengl.md
+++ b/mdop/agpm/agpm-40-sp1-navengl.md
@@ -1,7 +1,7 @@
---
title: AGPM 4.0 SP1
description: AGPM 4.0 SP1
-author: mjcaparas
+author: dansimp
ms.assetid: 4e55d9e6-635c-4ba6-acbb-ed1d1b580a5b
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/agpm-40-sp2-navengl.md b/mdop/agpm/agpm-40-sp2-navengl.md
index 49ac51fa2d..3722b06033 100644
--- a/mdop/agpm/agpm-40-sp2-navengl.md
+++ b/mdop/agpm/agpm-40-sp2-navengl.md
@@ -1,7 +1,7 @@
---
title: AGPM 4.0 SP2
description: AGPM 4.0 SP2
-author: mjcaparas
+author: dansimp
ms.assetid: 915c9791-ac07-43db-bd53-957b641c700f
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/agpm-40-sp3-navengl.md b/mdop/agpm/agpm-40-sp3-navengl.md
index 336886046c..36960dfbb9 100644
--- a/mdop/agpm/agpm-40-sp3-navengl.md
+++ b/mdop/agpm/agpm-40-sp3-navengl.md
@@ -1,7 +1,7 @@
---
title: AGPM 4.0 SP3
description: AGPM 4.0 SP3
-author: mjcaparas
+author: dansimp
ms.assetid: cd80eea9-601f-4e45-b89e-c3904addee37
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/agpm-server-connection-settings-agpm30ops.md b/mdop/agpm/agpm-server-connection-settings-agpm30ops.md
index 60c6b4b4ab..b1137e1bc4 100644
--- a/mdop/agpm/agpm-server-connection-settings-agpm30ops.md
+++ b/mdop/agpm/agpm-server-connection-settings-agpm30ops.md
@@ -1,7 +1,7 @@
---
title: AGPM Server Connection Settings
description: AGPM Server Connection Settings
-author: mjcaparas
+author: dansimp
ms.assetid: 5f03e397-b868-4c49-9cbf-a5f5d0ddcc39
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/agpm-server-connection-settings-agpm40.md b/mdop/agpm/agpm-server-connection-settings-agpm40.md
index cd4a015986..e804960bbd 100644
--- a/mdop/agpm/agpm-server-connection-settings-agpm40.md
+++ b/mdop/agpm/agpm-server-connection-settings-agpm40.md
@@ -1,7 +1,7 @@
---
title: AGPM Server Connection Settings
description: AGPM Server Connection Settings
-author: mjcaparas
+author: dansimp
ms.assetid: cc67f122-6309-4820-92c2-f6a27d897123
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/agpm-server-connection-settings.md b/mdop/agpm/agpm-server-connection-settings.md
index a303704f78..613bb7281f 100644
--- a/mdop/agpm/agpm-server-connection-settings.md
+++ b/mdop/agpm/agpm-server-connection-settings.md
@@ -1,7 +1,7 @@
---
title: AGPM Server Connection Settings
description: AGPM Server Connection Settings
-author: mjcaparas
+author: dansimp
ms.assetid: faf78e5b-2b0d-4069-9b8c-910add892200
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/agpm-server-tab-agpm30ops.md b/mdop/agpm/agpm-server-tab-agpm30ops.md
index 184530ce23..11f742945d 100644
--- a/mdop/agpm/agpm-server-tab-agpm30ops.md
+++ b/mdop/agpm/agpm-server-tab-agpm30ops.md
@@ -1,7 +1,7 @@
---
title: AGPM Server Tab
description: AGPM Server Tab
-author: mjcaparas
+author: dansimp
ms.assetid: fb3b0265-53ed-4bf6-88a4-c409f5f1bed4
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/agpm-server-tab-agpm40.md b/mdop/agpm/agpm-server-tab-agpm40.md
index 6e0807ad30..e7cc510fdb 100644
--- a/mdop/agpm/agpm-server-tab-agpm40.md
+++ b/mdop/agpm/agpm-server-tab-agpm40.md
@@ -1,7 +1,7 @@
---
title: AGPM Server Tab
description: AGPM Server Tab
-author: mjcaparas
+author: dansimp
ms.assetid: a6689437-233e-4f33-a0d6-f7d432c96c00
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/agpm-server-tab.md b/mdop/agpm/agpm-server-tab.md
index f009fdd1b3..8fa23f34ae 100644
--- a/mdop/agpm/agpm-server-tab.md
+++ b/mdop/agpm/agpm-server-tab.md
@@ -1,7 +1,7 @@
---
title: AGPM Server Tab
description: AGPM Server Tab
-author: mjcaparas
+author: dansimp
ms.assetid: ce4490b7-b564-49af-8962-858ee39e0016
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/approve-or-reject-a-pending-action-agpm30ops.md b/mdop/agpm/approve-or-reject-a-pending-action-agpm30ops.md
index 90d438d2f0..e46c90285d 100644
--- a/mdop/agpm/approve-or-reject-a-pending-action-agpm30ops.md
+++ b/mdop/agpm/approve-or-reject-a-pending-action-agpm30ops.md
@@ -1,7 +1,7 @@
---
title: Approve or Reject a Pending Action
description: Approve or Reject a Pending Action
-author: mjcaparas
+author: dansimp
ms.assetid: 6d78989a-b600-4876-9dd9-bc6207ff2ce7
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/approve-or-reject-a-pending-action-agpm40.md b/mdop/agpm/approve-or-reject-a-pending-action-agpm40.md
index cba1a90592..fcea90cd4b 100644
--- a/mdop/agpm/approve-or-reject-a-pending-action-agpm40.md
+++ b/mdop/agpm/approve-or-reject-a-pending-action-agpm40.md
@@ -1,7 +1,7 @@
---
title: Approve or Reject a Pending Action
description: Approve or Reject a Pending Action
-author: mjcaparas
+author: dansimp
ms.assetid: 078ea8b5-9ac5-45fc-9ac1-a1aa629c10b4
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/approve-or-reject-a-pending-action.md b/mdop/agpm/approve-or-reject-a-pending-action.md
index 08603a71fc..b86ec7dc7b 100644
--- a/mdop/agpm/approve-or-reject-a-pending-action.md
+++ b/mdop/agpm/approve-or-reject-a-pending-action.md
@@ -1,7 +1,7 @@
---
title: Approve or Reject a Pending Action
description: Approve or Reject a Pending Action
-author: mjcaparas
+author: dansimp
ms.assetid: 22921a51-50fb-4a47-bec1-4f563f523675
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/back-up-the-archive-agpm40.md b/mdop/agpm/back-up-the-archive-agpm40.md
index e07a0de456..2d6683352f 100644
--- a/mdop/agpm/back-up-the-archive-agpm40.md
+++ b/mdop/agpm/back-up-the-archive-agpm40.md
@@ -1,7 +1,7 @@
---
title: Back Up the Archive
description: Back Up the Archive
-author: mjcaparas
+author: dansimp
ms.assetid: 538d85eb-3596-4c1d-bbd7-26bc28857c28
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/back-up-the-archive.md b/mdop/agpm/back-up-the-archive.md
index a85193dcac..424db72881 100644
--- a/mdop/agpm/back-up-the-archive.md
+++ b/mdop/agpm/back-up-the-archive.md
@@ -1,7 +1,7 @@
---
title: Back Up the Archive
description: Back Up the Archive
-author: mjcaparas
+author: dansimp
ms.assetid: 400176da-3518-4475-ad19-c96cda6ca7ba
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/best-practices-for-version-control-agpm40.md b/mdop/agpm/best-practices-for-version-control-agpm40.md
index 92a272c0d4..f44e46fe21 100644
--- a/mdop/agpm/best-practices-for-version-control-agpm40.md
+++ b/mdop/agpm/best-practices-for-version-control-agpm40.md
@@ -1,7 +1,7 @@
---
title: Best Practices for Version Control
description: Best Practices for Version Control
-author: mjcaparas
+author: dansimp
ms.assetid: 4a2a1ac7-67f3-4ba3-ab07-860d33da0efe
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/best-practices-for-version-control.md b/mdop/agpm/best-practices-for-version-control.md
index 0ec09f3051..74572fe88d 100644
--- a/mdop/agpm/best-practices-for-version-control.md
+++ b/mdop/agpm/best-practices-for-version-control.md
@@ -1,7 +1,7 @@
---
title: Best Practices for Version Control
description: Best Practices for Version Control
-author: mjcaparas
+author: dansimp
ms.assetid: 89067f6a-f7ea-4dad-999d-118284cf6c5a
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/check-in-a-gpo-agpm30ops.md b/mdop/agpm/check-in-a-gpo-agpm30ops.md
index 399b6e1604..785c61aefc 100644
--- a/mdop/agpm/check-in-a-gpo-agpm30ops.md
+++ b/mdop/agpm/check-in-a-gpo-agpm30ops.md
@@ -1,7 +1,7 @@
---
title: Check In a GPO
description: Check In a GPO
-author: mjcaparas
+author: dansimp
ms.assetid: 437397db-c94b-4940-b1a4-05442619ebee
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/check-in-a-gpo-agpm40.md b/mdop/agpm/check-in-a-gpo-agpm40.md
index 1353c657f0..2c44785dfd 100644
--- a/mdop/agpm/check-in-a-gpo-agpm40.md
+++ b/mdop/agpm/check-in-a-gpo-agpm40.md
@@ -1,7 +1,7 @@
---
title: Check In a GPO
description: Check In a GPO
-author: mjcaparas
+author: dansimp
ms.assetid: b838c8a2-eb9e-4e5b-8740-d7701a4294ac
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/check-in-a-gpo-approver.md b/mdop/agpm/check-in-a-gpo-approver.md
index 1b264c6d74..eae694f22d 100644
--- a/mdop/agpm/check-in-a-gpo-approver.md
+++ b/mdop/agpm/check-in-a-gpo-approver.md
@@ -1,7 +1,7 @@
---
title: Check In a GPO
description: Check In a GPO
-author: mjcaparas
+author: dansimp
ms.assetid: e428cfff-651f-4903-bf01-d742714d2fa9
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/checklist-administer-the-agpm-server-and-archive-agpm40.md b/mdop/agpm/checklist-administer-the-agpm-server-and-archive-agpm40.md
index 4b298d6115..84166e43be 100644
--- a/mdop/agpm/checklist-administer-the-agpm-server-and-archive-agpm40.md
+++ b/mdop/agpm/checklist-administer-the-agpm-server-and-archive-agpm40.md
@@ -1,7 +1,7 @@
---
title: Checklist Administer the AGPM Server and Archive
description: Checklist Administer the AGPM Server and Archive
-author: mjcaparas
+author: dansimp
ms.assetid: d9c60203-90c2-48a7-9318-197e0ec5038b
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/checklist-administer-the-agpm-server-and-archive.md b/mdop/agpm/checklist-administer-the-agpm-server-and-archive.md
index 51a6f1f128..918d0e79f3 100644
--- a/mdop/agpm/checklist-administer-the-agpm-server-and-archive.md
+++ b/mdop/agpm/checklist-administer-the-agpm-server-and-archive.md
@@ -1,7 +1,7 @@
---
title: Checklist Administer the AGPM Server and Archive
description: Checklist Administer the AGPM Server and Archive
-author: mjcaparas
+author: dansimp
ms.assetid: 0b2eb536-c3cc-462f-a42f-27a53f57bc55
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/checklist-create-edit-and-deploy-a-gpo-agpm30ops.md b/mdop/agpm/checklist-create-edit-and-deploy-a-gpo-agpm30ops.md
index 25fa7701f1..5d035608be 100644
--- a/mdop/agpm/checklist-create-edit-and-deploy-a-gpo-agpm30ops.md
+++ b/mdop/agpm/checklist-create-edit-and-deploy-a-gpo-agpm30ops.md
@@ -1,7 +1,7 @@
---
title: Checklist Create, Edit, and Deploy a GPO
description: Checklist Create, Edit, and Deploy a GPO
-author: mjcaparas
+author: dansimp
ms.assetid: a7a17706-304a-4455-9ada-52508ec620f1
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/checklist-create-edit-and-deploy-a-gpo-agpm40.md b/mdop/agpm/checklist-create-edit-and-deploy-a-gpo-agpm40.md
index a95a9654f7..f64e3178eb 100644
--- a/mdop/agpm/checklist-create-edit-and-deploy-a-gpo-agpm40.md
+++ b/mdop/agpm/checklist-create-edit-and-deploy-a-gpo-agpm40.md
@@ -1,7 +1,7 @@
---
title: Checklist Create, Edit, and Deploy a GPO
description: Checklist Create, Edit, and Deploy a GPO
-author: mjcaparas
+author: dansimp
ms.assetid: 44631bed-16d2-4b5a-af70-17a73fb5f6af
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/checklist-create-edit-and-deploy-a-gpo.md b/mdop/agpm/checklist-create-edit-and-deploy-a-gpo.md
index fcb032c722..1c05b3d735 100644
--- a/mdop/agpm/checklist-create-edit-and-deploy-a-gpo.md
+++ b/mdop/agpm/checklist-create-edit-and-deploy-a-gpo.md
@@ -1,7 +1,7 @@
---
title: Checklist Create, Edit, and Deploy a GPO
description: Checklist Create, Edit, and Deploy a GPO
-author: mjcaparas
+author: dansimp
ms.assetid: 614e2d9a-c18b-4f62-99fd-e17a2ac8559d
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/choosing-which-version-of-agpm-to-install.md b/mdop/agpm/choosing-which-version-of-agpm-to-install.md
index c5b9d72127..9f4c03d4bf 100644
--- a/mdop/agpm/choosing-which-version-of-agpm-to-install.md
+++ b/mdop/agpm/choosing-which-version-of-agpm-to-install.md
@@ -1,7 +1,7 @@
---
title: Choosing Which Version of AGPM to Install
description: Choosing Which Version of AGPM to Install
-author: mjcaparas
+author: dansimp
ms.assetid: 31357d2a-bc23-4e15-93f4-0beda8ab7a7b
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/common-secondary-tab-features.md b/mdop/agpm/common-secondary-tab-features.md
index 7383568174..b723efba3f 100644
--- a/mdop/agpm/common-secondary-tab-features.md
+++ b/mdop/agpm/common-secondary-tab-features.md
@@ -1,7 +1,7 @@
---
title: Common Secondary Tab Features
description: Common Secondary Tab Features
-author: mjcaparas
+author: dansimp
ms.assetid: 44a15c28-944c-49c1-8534-115ce1c362ed
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/configure-agpm-server-connections-agpm30ops.md b/mdop/agpm/configure-agpm-server-connections-agpm30ops.md
index 14cb1c8009..74dc22dd7f 100644
--- a/mdop/agpm/configure-agpm-server-connections-agpm30ops.md
+++ b/mdop/agpm/configure-agpm-server-connections-agpm30ops.md
@@ -1,7 +1,7 @@
---
title: Configure AGPM Server Connections
description: Configure AGPM Server Connections
-author: mjcaparas
+author: dansimp
ms.assetid: 6062b77b-2fd7-442c-ad1b-6f14419ebd5f
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/configure-agpm-server-connections-agpm40.md b/mdop/agpm/configure-agpm-server-connections-agpm40.md
index f830c94dae..b4e7744dc7 100644
--- a/mdop/agpm/configure-agpm-server-connections-agpm40.md
+++ b/mdop/agpm/configure-agpm-server-connections-agpm40.md
@@ -1,7 +1,7 @@
---
title: Configure AGPM Server Connections
description: Configure AGPM Server Connections
-author: mjcaparas
+author: dansimp
ms.assetid: bbbb15e8-35e7-403c-b695-7a6ebeb87839
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/configure-an-agpm-server-connection-agpm40.md b/mdop/agpm/configure-an-agpm-server-connection-agpm40.md
index 1d27c35dd9..20fa0ad21e 100644
--- a/mdop/agpm/configure-an-agpm-server-connection-agpm40.md
+++ b/mdop/agpm/configure-an-agpm-server-connection-agpm40.md
@@ -1,7 +1,7 @@
---
title: Configure an AGPM Server Connection
description: Configure an AGPM Server Connection
-author: mjcaparas
+author: dansimp
ms.assetid: 409cbbcf-3b0e-459d-9bd2-75cb7b9430b0
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/configure-an-agpm-server-connection-reviewer-agpm30ops.md b/mdop/agpm/configure-an-agpm-server-connection-reviewer-agpm30ops.md
index 4941464778..e8003ab16d 100644
--- a/mdop/agpm/configure-an-agpm-server-connection-reviewer-agpm30ops.md
+++ b/mdop/agpm/configure-an-agpm-server-connection-reviewer-agpm30ops.md
@@ -1,7 +1,7 @@
---
title: Configure an AGPM Server Connection
description: Configure an AGPM Server Connection
-author: mjcaparas
+author: dansimp
ms.assetid: ae78dc74-111d-4509-b0a6-e8b8b451c22a
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/configure-e-mail-notification-agpm30ops.md b/mdop/agpm/configure-e-mail-notification-agpm30ops.md
index c1e769ec3e..02ef47c3f7 100644
--- a/mdop/agpm/configure-e-mail-notification-agpm30ops.md
+++ b/mdop/agpm/configure-e-mail-notification-agpm30ops.md
@@ -1,7 +1,7 @@
---
title: Configure E-Mail Notification
description: Configure E-Mail Notification
-author: mjcaparas
+author: dansimp
ms.assetid: b32ce395-d1b9-4c5b-b765-97cdbf455f9e
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/configure-e-mail-notification-agpm40.md b/mdop/agpm/configure-e-mail-notification-agpm40.md
index 10119ff76f..b126a1fc3c 100644
--- a/mdop/agpm/configure-e-mail-notification-agpm40.md
+++ b/mdop/agpm/configure-e-mail-notification-agpm40.md
@@ -1,7 +1,7 @@
---
title: Configure E-Mail Notification
description: Configure E-Mail Notification
-author: mjcaparas
+author: dansimp
ms.assetid: 06f19556-f296-4a80-86a4-4f446c992204
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/configure-e-mail-notification.md b/mdop/agpm/configure-e-mail-notification.md
index 865b510ca2..e133904f01 100644
--- a/mdop/agpm/configure-e-mail-notification.md
+++ b/mdop/agpm/configure-e-mail-notification.md
@@ -1,7 +1,7 @@
---
title: Configure E-Mail Notification
description: Configure E-Mail Notification
-author: mjcaparas
+author: dansimp
ms.assetid: 6e152de0-4376-4963-8d1a-3e7f5866d30f
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/configure-e-mail-security-for-agpm-agpm30ops.md b/mdop/agpm/configure-e-mail-security-for-agpm-agpm30ops.md
index 4e4802cb36..bc53e8aa80 100644
--- a/mdop/agpm/configure-e-mail-security-for-agpm-agpm30ops.md
+++ b/mdop/agpm/configure-e-mail-security-for-agpm-agpm30ops.md
@@ -1,7 +1,7 @@
---
title: Configure E-Mail Security for AGPM
description: Configure E-Mail Security for AGPM
-author: mjcaparas
+author: dansimp
ms.assetid: 4850ed8e-a1c6-43f0-95c5-853aa66a94ae
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/configure-e-mail-security-for-agpm-agpm40.md b/mdop/agpm/configure-e-mail-security-for-agpm-agpm40.md
index e4c204dcf0..faab3fd398 100644
--- a/mdop/agpm/configure-e-mail-security-for-agpm-agpm40.md
+++ b/mdop/agpm/configure-e-mail-security-for-agpm-agpm40.md
@@ -1,7 +1,7 @@
---
title: Configure E-Mail Security for AGPM
description: Configure E-Mail Security for AGPM
-author: mjcaparas
+author: dansimp
ms.assetid: b9c48894-0a10-4d03-8027-50ed3b02485a
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/configure-logging-and-tracing-agpm30ops.md b/mdop/agpm/configure-logging-and-tracing-agpm30ops.md
index 2fd5e988c9..a47217417b 100644
--- a/mdop/agpm/configure-logging-and-tracing-agpm30ops.md
+++ b/mdop/agpm/configure-logging-and-tracing-agpm30ops.md
@@ -1,7 +1,7 @@
---
title: Configure Logging and Tracing
description: Configure Logging and Tracing
-author: mjcaparas
+author: dansimp
ms.assetid: 4f89552f-e949-48b0-9325-23746034eaa4
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/configure-logging-and-tracing-agpm40.md b/mdop/agpm/configure-logging-and-tracing-agpm40.md
index 69c630de77..e3906f9cf6 100644
--- a/mdop/agpm/configure-logging-and-tracing-agpm40.md
+++ b/mdop/agpm/configure-logging-and-tracing-agpm40.md
@@ -1,7 +1,7 @@
---
title: Configure Logging and Tracing
description: Configure Logging and Tracing
-author: mjcaparas
+author: dansimp
ms.assetid: 2418cb6a-7189-4080-8fe2-9c8d47dec62c
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/configure-logging-and-tracing.md b/mdop/agpm/configure-logging-and-tracing.md
index 5146b45a14..9ee2278316 100644
--- a/mdop/agpm/configure-logging-and-tracing.md
+++ b/mdop/agpm/configure-logging-and-tracing.md
@@ -1,7 +1,7 @@
---
title: Configure Logging and Tracing
description: Configure Logging and Tracing
-author: mjcaparas
+author: dansimp
ms.assetid: 419231f9-e9db-4f91-a7cf-a0a73db25256
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/configure-the-agpm-server-connection-reviewer.md b/mdop/agpm/configure-the-agpm-server-connection-reviewer.md
index e4c102ba9e..57d5dc665d 100644
--- a/mdop/agpm/configure-the-agpm-server-connection-reviewer.md
+++ b/mdop/agpm/configure-the-agpm-server-connection-reviewer.md
@@ -1,7 +1,7 @@
---
title: Configure the AGPM Server Connection
description: Configure the AGPM Server Connection
-author: mjcaparas
+author: dansimp
ms.assetid: 74e8f348-a8ed-4d69-a8e0-9c974aaeca2d
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/configure-the-agpm-server-connection.md b/mdop/agpm/configure-the-agpm-server-connection.md
index 80bef3aea5..afcbe48f4f 100644
--- a/mdop/agpm/configure-the-agpm-server-connection.md
+++ b/mdop/agpm/configure-the-agpm-server-connection.md
@@ -1,7 +1,7 @@
---
title: Configure the AGPM Server Connection
description: Configure the AGPM Server Connection
-author: mjcaparas
+author: dansimp
ms.assetid: 9a42b5bc-41be-44ef-a6e2-6f56e2cf1996
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/configuring-advanced-group-policy-management-agpm40.md b/mdop/agpm/configuring-advanced-group-policy-management-agpm40.md
index fa059fc59e..d75d6e0e98 100644
--- a/mdop/agpm/configuring-advanced-group-policy-management-agpm40.md
+++ b/mdop/agpm/configuring-advanced-group-policy-management-agpm40.md
@@ -1,7 +1,7 @@
---
title: Configuring Advanced Group Policy Management
description: Configuring Advanced Group Policy Management
-author: mjcaparas
+author: dansimp
ms.assetid: 8c978ddf-2789-44e4-9c08-de7b4cd1afa0
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/configuring-advanced-group-policy-management.md b/mdop/agpm/configuring-advanced-group-policy-management.md
index a8b8d92728..207e7d745b 100644
--- a/mdop/agpm/configuring-advanced-group-policy-management.md
+++ b/mdop/agpm/configuring-advanced-group-policy-management.md
@@ -1,7 +1,7 @@
---
title: Configuring Advanced Group Policy Management
description: Configuring Advanced Group Policy Management
-author: mjcaparas
+author: dansimp
ms.assetid: 836f4a49-2c77-4f6b-8727-9df7ef443141
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/contents-tab-agpm30ops.md b/mdop/agpm/contents-tab-agpm30ops.md
index 8ab5fc8894..ca23b55b63 100644
--- a/mdop/agpm/contents-tab-agpm30ops.md
+++ b/mdop/agpm/contents-tab-agpm30ops.md
@@ -1,7 +1,7 @@
---
title: Contents Tab
description: Contents Tab
-author: mjcaparas
+author: dansimp
ms.assetid: 6ada6430-cd93-47aa-af6e-d7f5b5620132
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/contents-tab-agpm40.md b/mdop/agpm/contents-tab-agpm40.md
index 6f2c059b3e..d7f2b51096 100644
--- a/mdop/agpm/contents-tab-agpm40.md
+++ b/mdop/agpm/contents-tab-agpm40.md
@@ -1,7 +1,7 @@
---
title: Contents Tab
description: Contents Tab
-author: mjcaparas
+author: dansimp
ms.assetid: cf9d1f17-3c3d-422f-bd6b-3db87be45554
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/contents-tab-features-agpm30ops.md b/mdop/agpm/contents-tab-features-agpm30ops.md
index 217b586426..b0103aeb44 100644
--- a/mdop/agpm/contents-tab-features-agpm30ops.md
+++ b/mdop/agpm/contents-tab-features-agpm30ops.md
@@ -1,7 +1,7 @@
---
title: Contents Tab Features
description: Contents Tab Features
-author: mjcaparas
+author: dansimp
ms.assetid: 725f025a-c30a-4d07-add1-4e0ed9a1a5fd
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/contents-tab-features-agpm40.md b/mdop/agpm/contents-tab-features-agpm40.md
index c714922193..6edfb8b2a8 100644
--- a/mdop/agpm/contents-tab-features-agpm40.md
+++ b/mdop/agpm/contents-tab-features-agpm40.md
@@ -1,7 +1,7 @@
---
title: Contents Tab Features
description: Contents Tab Features
-author: mjcaparas
+author: dansimp
ms.assetid: f1f4849d-bf94-47d5-ad81-0eee33abcaca
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/contents-tab.md b/mdop/agpm/contents-tab.md
index 0039020f48..11d7827842 100644
--- a/mdop/agpm/contents-tab.md
+++ b/mdop/agpm/contents-tab.md
@@ -1,7 +1,7 @@
---
title: Contents Tab
description: Contents Tab
-author: mjcaparas
+author: dansimp
ms.assetid: 8a756bc1-3900-4d83-93c4-7ebc4705d956
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/control-a-previously-uncontrolled-gpo.md b/mdop/agpm/control-a-previously-uncontrolled-gpo.md
index 535a5958f2..135e1bfcab 100644
--- a/mdop/agpm/control-a-previously-uncontrolled-gpo.md
+++ b/mdop/agpm/control-a-previously-uncontrolled-gpo.md
@@ -1,7 +1,7 @@
---
title: Control a Previously Uncontrolled GPO
description: Control a Previously Uncontrolled GPO
-author: mjcaparas
+author: dansimp
ms.assetid: 452689a9-4e32-4e3b-8208-56353a82bf36
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/control-an-uncontrolled-gpo-agpm30ops.md b/mdop/agpm/control-an-uncontrolled-gpo-agpm30ops.md
index 6b69bcd500..c3ec80fd27 100644
--- a/mdop/agpm/control-an-uncontrolled-gpo-agpm30ops.md
+++ b/mdop/agpm/control-an-uncontrolled-gpo-agpm30ops.md
@@ -1,7 +1,7 @@
---
title: Control an Uncontrolled GPO
description: Control an Uncontrolled GPO
-author: mjcaparas
+author: dansimp
ms.assetid: 603f00f9-1e65-4b2f-902a-e53dafedbd8d
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/control-an-uncontrolled-gpo-agpm40.md b/mdop/agpm/control-an-uncontrolled-gpo-agpm40.md
index fa7fb95245..d475f64bd0 100644
--- a/mdop/agpm/control-an-uncontrolled-gpo-agpm40.md
+++ b/mdop/agpm/control-an-uncontrolled-gpo-agpm40.md
@@ -1,7 +1,7 @@
---
title: Control an Uncontrolled GPO
description: Control an Uncontrolled GPO
-author: mjcaparas
+author: dansimp
ms.assetid: dc81545c-8da5-4b6f-b266-f01a82e27c6b
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/controlled-gpo-commands-agpm30ops.md b/mdop/agpm/controlled-gpo-commands-agpm30ops.md
index a964df04b5..e7f472be8e 100644
--- a/mdop/agpm/controlled-gpo-commands-agpm30ops.md
+++ b/mdop/agpm/controlled-gpo-commands-agpm30ops.md
@@ -1,7 +1,7 @@
---
title: Controlled GPO Commands
description: Controlled GPO Commands
-author: mjcaparas
+author: dansimp
ms.assetid: 82db4772-154a-4a8d-99cd-2c69e1738698
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/controlled-gpo-commands-agpm40.md b/mdop/agpm/controlled-gpo-commands-agpm40.md
index 7f1617be1c..82220a3109 100644
--- a/mdop/agpm/controlled-gpo-commands-agpm40.md
+++ b/mdop/agpm/controlled-gpo-commands-agpm40.md
@@ -1,7 +1,7 @@
---
title: Controlled GPO Commands
description: Controlled GPO Commands
-author: mjcaparas
+author: dansimp
ms.assetid: 370d3db9-4efc-4799-983d-e29ba5f32b07
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/controlled-tab.md b/mdop/agpm/controlled-tab.md
index c17aab7903..91f3106011 100644
--- a/mdop/agpm/controlled-tab.md
+++ b/mdop/agpm/controlled-tab.md
@@ -1,7 +1,7 @@
---
title: Controlled Tab
description: Controlled Tab
-author: mjcaparas
+author: dansimp
ms.assetid: 8995a9e1-ace4-40b7-a47b-e1e9924541ba
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/create-a-new-controlled-gpo-agpm30ops.md b/mdop/agpm/create-a-new-controlled-gpo-agpm30ops.md
index ed19062453..d476d76832 100644
--- a/mdop/agpm/create-a-new-controlled-gpo-agpm30ops.md
+++ b/mdop/agpm/create-a-new-controlled-gpo-agpm30ops.md
@@ -1,7 +1,7 @@
---
title: Create a New Controlled GPO
description: Create a New Controlled GPO
-author: mjcaparas
+author: dansimp
ms.assetid: f89eaae8-7858-4222-ba3f-a93a9d7ea5a3
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/create-a-new-controlled-gpo-agpm40.md b/mdop/agpm/create-a-new-controlled-gpo-agpm40.md
index 89efc3c447..0331289cbd 100644
--- a/mdop/agpm/create-a-new-controlled-gpo-agpm40.md
+++ b/mdop/agpm/create-a-new-controlled-gpo-agpm40.md
@@ -1,7 +1,7 @@
---
title: Create a New Controlled GPO
description: Create a New Controlled GPO
-author: mjcaparas
+author: dansimp
ms.assetid: 5ce760f6-9f05-42b4-b787-7835ab8e324e
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/create-a-new-controlled-gpo.md b/mdop/agpm/create-a-new-controlled-gpo.md
index 614627225b..c8beb4c4a2 100644
--- a/mdop/agpm/create-a-new-controlled-gpo.md
+++ b/mdop/agpm/create-a-new-controlled-gpo.md
@@ -1,7 +1,7 @@
---
title: Create a New Controlled GPO
description: Create a New Controlled GPO
-author: mjcaparas
+author: dansimp
ms.assetid: b43ce0f4-4519-4278-83c4-c7d5163ddd11
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/create-a-template-agpm30ops.md b/mdop/agpm/create-a-template-agpm30ops.md
index 406acb5276..4e0a8ecb46 100644
--- a/mdop/agpm/create-a-template-agpm30ops.md
+++ b/mdop/agpm/create-a-template-agpm30ops.md
@@ -1,7 +1,7 @@
---
title: Create a Template
description: Create a Template
-author: mjcaparas
+author: dansimp
ms.assetid: 8208f14a-5c18-43a7-8564-118230398cca
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/create-a-template-agpm40.md b/mdop/agpm/create-a-template-agpm40.md
index c8a1e97a01..16e28ce80a 100644
--- a/mdop/agpm/create-a-template-agpm40.md
+++ b/mdop/agpm/create-a-template-agpm40.md
@@ -1,7 +1,7 @@
---
title: Create a Template
description: Create a Template
-author: mjcaparas
+author: dansimp
ms.assetid: b38423af-7d24-437a-98bc-01f1ae891127
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/create-a-template.md b/mdop/agpm/create-a-template.md
index d0db0eb513..16c9a86ee5 100644
--- a/mdop/agpm/create-a-template.md
+++ b/mdop/agpm/create-a-template.md
@@ -1,7 +1,7 @@
---
title: Create a Template
description: Create a Template
-author: mjcaparas
+author: dansimp
ms.assetid: 6992bd55-4a4f-401f-9815-c468bac598ef
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/creating-a-template-and-setting-a-default-template-agpm30ops.md b/mdop/agpm/creating-a-template-and-setting-a-default-template-agpm30ops.md
index d35b5810d4..c54885f7d7 100644
--- a/mdop/agpm/creating-a-template-and-setting-a-default-template-agpm30ops.md
+++ b/mdop/agpm/creating-a-template-and-setting-a-default-template-agpm30ops.md
@@ -1,7 +1,7 @@
---
title: Creating a Template and Setting a Default Template
description: Creating a Template and Setting a Default Template
-author: mjcaparas
+author: dansimp
ms.assetid: acce0e0f-7e67-479c-9daa-e678fccd7ced
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/creating-a-template-and-setting-a-default-template-agpm40.md b/mdop/agpm/creating-a-template-and-setting-a-default-template-agpm40.md
index a3981ca8a0..c4b3be7551 100644
--- a/mdop/agpm/creating-a-template-and-setting-a-default-template-agpm40.md
+++ b/mdop/agpm/creating-a-template-and-setting-a-default-template-agpm40.md
@@ -1,7 +1,7 @@
---
title: Creating a Template and Setting a Default Template
description: Creating a Template and Setting a Default Template
-author: mjcaparas
+author: dansimp
ms.assetid: ffa72c2a-64eb-4492-8072-c3a66179b546
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/creating-a-template-and-setting-a-default-template.md b/mdop/agpm/creating-a-template-and-setting-a-default-template.md
index 79e1c3682d..3aeb2a2ac7 100644
--- a/mdop/agpm/creating-a-template-and-setting-a-default-template.md
+++ b/mdop/agpm/creating-a-template-and-setting-a-default-template.md
@@ -1,7 +1,7 @@
---
title: Creating a Template and Setting a Default Template
description: Creating a Template and Setting a Default Template
-author: mjcaparas
+author: dansimp
ms.assetid: 8771b4b5-4dea-4be1-a675-f60cfd3ec5dc
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/creating-controlling-or-importing-a-gpo-agpm30ops.md b/mdop/agpm/creating-controlling-or-importing-a-gpo-agpm30ops.md
index 8e9e92e5ac..2d6c3cc9f1 100644
--- a/mdop/agpm/creating-controlling-or-importing-a-gpo-agpm30ops.md
+++ b/mdop/agpm/creating-controlling-or-importing-a-gpo-agpm30ops.md
@@ -1,7 +1,7 @@
---
title: Creating, Controlling, or Importing a GPO
description: Creating, Controlling, or Importing a GPO
-author: mjcaparas
+author: dansimp
ms.assetid: ce8b232e-7758-4a6a-9e2f-18967da6cdad
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/creating-controlling-or-importing-a-gpo-approver.md b/mdop/agpm/creating-controlling-or-importing-a-gpo-approver.md
index ba433a553b..5534f1f89a 100644
--- a/mdop/agpm/creating-controlling-or-importing-a-gpo-approver.md
+++ b/mdop/agpm/creating-controlling-or-importing-a-gpo-approver.md
@@ -1,7 +1,7 @@
---
title: Creating, Controlling, or Importing a GPO
description: Creating, Controlling, or Importing a GPO
-author: mjcaparas
+author: dansimp
ms.assetid: f2c8bef5-b654-4864-99d4-9207cfb0a137
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/creating-controlling-or-importing-a-gpo-editor-agpm30ops.md b/mdop/agpm/creating-controlling-or-importing-a-gpo-editor-agpm30ops.md
index 0aee5a400a..d5ac6710c9 100644
--- a/mdop/agpm/creating-controlling-or-importing-a-gpo-editor-agpm30ops.md
+++ b/mdop/agpm/creating-controlling-or-importing-a-gpo-editor-agpm30ops.md
@@ -1,7 +1,7 @@
---
title: Creating, Controlling, or Importing a GPO
description: Creating, Controlling, or Importing a GPO
-author: mjcaparas
+author: dansimp
ms.assetid: 0cc1b6ee-3335-4d84-9e1c-d1aefabfef51
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/creating-controlling-or-importing-a-gpo-editor.md b/mdop/agpm/creating-controlling-or-importing-a-gpo-editor.md
index 7a228249c6..990725ed87 100644
--- a/mdop/agpm/creating-controlling-or-importing-a-gpo-editor.md
+++ b/mdop/agpm/creating-controlling-or-importing-a-gpo-editor.md
@@ -1,7 +1,7 @@
---
title: Creating, Controlling, or Importing a GPO
description: Creating, Controlling, or Importing a GPO
-author: mjcaparas
+author: dansimp
ms.assetid: 5259ce25-f570-4346-9f50-6b051724a998
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/creating-or-controlling-a-gpo-agpm40-app.md b/mdop/agpm/creating-or-controlling-a-gpo-agpm40-app.md
index fc60c82ade..ae19e2af92 100644
--- a/mdop/agpm/creating-or-controlling-a-gpo-agpm40-app.md
+++ b/mdop/agpm/creating-or-controlling-a-gpo-agpm40-app.md
@@ -1,7 +1,7 @@
---
title: Creating or Controlling a GPO
description: Creating or Controlling a GPO
-author: mjcaparas
+author: dansimp
ms.assetid: ca2fa40e-c6e9-4c57-9da1-e5375df4a2fd
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/creating-or-controlling-a-gpo-agpm40-ed.md b/mdop/agpm/creating-or-controlling-a-gpo-agpm40-ed.md
index 119b8134b3..acc64f4c0f 100644
--- a/mdop/agpm/creating-or-controlling-a-gpo-agpm40-ed.md
+++ b/mdop/agpm/creating-or-controlling-a-gpo-agpm40-ed.md
@@ -1,7 +1,7 @@
---
title: Creating or Controlling a GPO
description: Creating or Controlling a GPO
-author: mjcaparas
+author: dansimp
ms.assetid: 807f3b3f-ad3d-4851-9772-7f54a065632a
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/delegate-access-to-a-gpo.md b/mdop/agpm/delegate-access-to-a-gpo.md
index d303c1e2f1..42df98f0d2 100644
--- a/mdop/agpm/delegate-access-to-a-gpo.md
+++ b/mdop/agpm/delegate-access-to-a-gpo.md
@@ -1,7 +1,7 @@
---
title: Delegate Access to a GPO
description: Delegate Access to a GPO
-author: mjcaparas
+author: dansimp
ms.assetid: f1d6bb6c-d5bf-4080-a6cb-32774689f804
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/delegate-access-to-an-individual-gpo-in-the-archive-agpm30ops.md b/mdop/agpm/delegate-access-to-an-individual-gpo-in-the-archive-agpm30ops.md
index 3c102e5273..a83688d311 100644
--- a/mdop/agpm/delegate-access-to-an-individual-gpo-in-the-archive-agpm30ops.md
+++ b/mdop/agpm/delegate-access-to-an-individual-gpo-in-the-archive-agpm30ops.md
@@ -1,7 +1,7 @@
---
title: Delegate Access to an Individual GPO in the Archive
description: Delegate Access to an Individual GPO in the Archive
-author: mjcaparas
+author: dansimp
ms.assetid: 7b37b188-2b6b-4e52-be97-8ef899e9893b
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/delegate-access-to-an-individual-gpo-in-the-archive-agpm40.md b/mdop/agpm/delegate-access-to-an-individual-gpo-in-the-archive-agpm40.md
index f5124591cc..2f79f15624 100644
--- a/mdop/agpm/delegate-access-to-an-individual-gpo-in-the-archive-agpm40.md
+++ b/mdop/agpm/delegate-access-to-an-individual-gpo-in-the-archive-agpm40.md
@@ -1,7 +1,7 @@
---
title: Delegate Access to an Individual GPO in the Archive
description: Delegate Access to an Individual GPO in the Archive
-author: mjcaparas
+author: dansimp
ms.assetid: 284d2aa2-7c10-4ffa-8978-bbe30867c1c1
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/delegate-access-to-an-individual-gpo.md b/mdop/agpm/delegate-access-to-an-individual-gpo.md
index 48a3a17674..3eca548ecb 100644
--- a/mdop/agpm/delegate-access-to-an-individual-gpo.md
+++ b/mdop/agpm/delegate-access-to-an-individual-gpo.md
@@ -1,7 +1,7 @@
---
title: Delegate Access to an Individual GPO
description: Delegate Access to an Individual GPO
-author: mjcaparas
+author: dansimp
ms.assetid: b2a7d550-14bf-4b41-b6e4-2cc091eedd2d
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/delegate-access-to-the-production-environment-agpm30ops.md b/mdop/agpm/delegate-access-to-the-production-environment-agpm30ops.md
index 5465a92076..83237183a6 100644
--- a/mdop/agpm/delegate-access-to-the-production-environment-agpm30ops.md
+++ b/mdop/agpm/delegate-access-to-the-production-environment-agpm30ops.md
@@ -1,7 +1,7 @@
---
title: Delegate Access to the Production Environment
description: Delegate Access to the Production Environment
-author: mjcaparas
+author: dansimp
ms.assetid: c1ebae2e-909b-4e64-b368-b7d3cc67b1eb
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/delegate-access-to-the-production-environment-agpm40.md b/mdop/agpm/delegate-access-to-the-production-environment-agpm40.md
index 499f2dda22..a56dd205f1 100644
--- a/mdop/agpm/delegate-access-to-the-production-environment-agpm40.md
+++ b/mdop/agpm/delegate-access-to-the-production-environment-agpm40.md
@@ -1,7 +1,7 @@
---
title: Delegate Access to the Production Environment
description: Delegate Access to the Production Environment
-author: mjcaparas
+author: dansimp
ms.assetid: 4c670581-8c47-41ea-80eb-02846ff1ec1f
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/delegate-domain-level-access-to-the-archive-agpm30ops.md b/mdop/agpm/delegate-domain-level-access-to-the-archive-agpm30ops.md
index 3d5ef495b1..47b815dc6f 100644
--- a/mdop/agpm/delegate-domain-level-access-to-the-archive-agpm30ops.md
+++ b/mdop/agpm/delegate-domain-level-access-to-the-archive-agpm30ops.md
@@ -1,7 +1,7 @@
---
title: Delegate Domain-Level Access to the Archive
description: Delegate Domain-Level Access to the Archive
-author: mjcaparas
+author: dansimp
ms.assetid: d232069e-71d5-4b4d-b22e-bef11de1cfd4
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/delegate-domain-level-access-to-the-archive-agpm40.md b/mdop/agpm/delegate-domain-level-access-to-the-archive-agpm40.md
index f1aa01ad7e..052f1cd78d 100644
--- a/mdop/agpm/delegate-domain-level-access-to-the-archive-agpm40.md
+++ b/mdop/agpm/delegate-domain-level-access-to-the-archive-agpm40.md
@@ -1,7 +1,7 @@
---
title: Delegate Domain-Level Access to the Archive
description: Delegate Domain-Level Access to the Archive
-author: mjcaparas
+author: dansimp
ms.assetid: 11ca1d40-4b5c-496e-8922-d01412717858
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/delegate-domain-level-access.md b/mdop/agpm/delegate-domain-level-access.md
index da327eae2f..8b14fc2952 100644
--- a/mdop/agpm/delegate-domain-level-access.md
+++ b/mdop/agpm/delegate-domain-level-access.md
@@ -1,7 +1,7 @@
---
title: Delegate Domain-Level Access
description: Delegate Domain-Level Access
-author: mjcaparas
+author: dansimp
ms.assetid: 64c8e773-38cc-4991-9ed2-5a801094d06e
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/delegate-management-of-a-controlled-gpo-agpm30ops.md b/mdop/agpm/delegate-management-of-a-controlled-gpo-agpm30ops.md
index 2a17a1e42b..1a909c75dd 100644
--- a/mdop/agpm/delegate-management-of-a-controlled-gpo-agpm30ops.md
+++ b/mdop/agpm/delegate-management-of-a-controlled-gpo-agpm30ops.md
@@ -1,7 +1,7 @@
---
title: Delegate Management of a Controlled GPO
description: Delegate Management of a Controlled GPO
-author: mjcaparas
+author: dansimp
ms.assetid: 509b02e7-ce0b-4919-b58a-c3a33051152e
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/delegate-management-of-a-controlled-gpo-agpm40.md b/mdop/agpm/delegate-management-of-a-controlled-gpo-agpm40.md
index 19b09da4c5..a6e9a29c85 100644
--- a/mdop/agpm/delegate-management-of-a-controlled-gpo-agpm40.md
+++ b/mdop/agpm/delegate-management-of-a-controlled-gpo-agpm40.md
@@ -1,7 +1,7 @@
---
title: Delegate Management of a Controlled GPO
description: Delegate Management of a Controlled GPO
-author: mjcaparas
+author: dansimp
ms.assetid: 96b4bfb3-5657-4267-8326-85d7a0db87ce
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/delete-a-controlled-gpo-agpm30ops.md b/mdop/agpm/delete-a-controlled-gpo-agpm30ops.md
index 82004ed62c..0616b6addc 100644
--- a/mdop/agpm/delete-a-controlled-gpo-agpm30ops.md
+++ b/mdop/agpm/delete-a-controlled-gpo-agpm30ops.md
@@ -1,7 +1,7 @@
---
title: Delete a Controlled GPO
description: Delete a Controlled GPO
-author: mjcaparas
+author: dansimp
ms.assetid: f51c1737-c116-4faf-a6f6-c72303f60a3b
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/delete-a-controlled-gpo-agpm40.md b/mdop/agpm/delete-a-controlled-gpo-agpm40.md
index 4b1f19997b..a57e046369 100644
--- a/mdop/agpm/delete-a-controlled-gpo-agpm40.md
+++ b/mdop/agpm/delete-a-controlled-gpo-agpm40.md
@@ -1,7 +1,7 @@
---
title: Delete a Controlled GPO
description: Delete a Controlled GPO
-author: mjcaparas
+author: dansimp
ms.assetid: 2a461018-aa0b-4ae3-b079-efc554ca4a3d
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/delete-a-gpo-approver.md b/mdop/agpm/delete-a-gpo-approver.md
index fee036a028..c5611d8396 100644
--- a/mdop/agpm/delete-a-gpo-approver.md
+++ b/mdop/agpm/delete-a-gpo-approver.md
@@ -1,7 +1,7 @@
---
title: Delete a GPO
description: Delete a GPO
-author: mjcaparas
+author: dansimp
ms.assetid: 85fca371-5707-49c1-aa51-813fc3a58dfc
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/delete-a-gpo-editor.md b/mdop/agpm/delete-a-gpo-editor.md
index 5bc745374a..3990f6289a 100644
--- a/mdop/agpm/delete-a-gpo-editor.md
+++ b/mdop/agpm/delete-a-gpo-editor.md
@@ -1,7 +1,7 @@
---
title: Delete a GPO
description: Delete a GPO
-author: mjcaparas
+author: dansimp
ms.assetid: 66be3dde-653e-4c25-8cb7-00e7090c8d31
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/deleting-or-restoring-a-gpo-agpm30ops.md b/mdop/agpm/deleting-or-restoring-a-gpo-agpm30ops.md
index d4ebed245e..5542d0c0d0 100644
--- a/mdop/agpm/deleting-or-restoring-a-gpo-agpm30ops.md
+++ b/mdop/agpm/deleting-or-restoring-a-gpo-agpm30ops.md
@@ -1,7 +1,7 @@
---
title: Deleting or Restoring a GPO
description: Deleting or Restoring a GPO
-author: mjcaparas
+author: dansimp
ms.assetid: ee4a467a-187a-48e3-8f0d-548de0606a56
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/deleting-or-restoring-a-gpo-agpm40.md b/mdop/agpm/deleting-or-restoring-a-gpo-agpm40.md
index e0bc537cc9..f753b56232 100644
--- a/mdop/agpm/deleting-or-restoring-a-gpo-agpm40.md
+++ b/mdop/agpm/deleting-or-restoring-a-gpo-agpm40.md
@@ -1,7 +1,7 @@
---
title: Deleting or Restoring a GPO
description: Deleting or Restoring a GPO
-author: mjcaparas
+author: dansimp
ms.assetid: d4f92f4d-eba7-4e6e-b166-13670864d298
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/deleting-restoring-or-destroying-a-gpo-agpm30ops.md b/mdop/agpm/deleting-restoring-or-destroying-a-gpo-agpm30ops.md
index a27d832f3f..1b8e2fa12c 100644
--- a/mdop/agpm/deleting-restoring-or-destroying-a-gpo-agpm30ops.md
+++ b/mdop/agpm/deleting-restoring-or-destroying-a-gpo-agpm30ops.md
@@ -1,7 +1,7 @@
---
title: Deleting, Restoring, or Destroying a GPO
description: Deleting, Restoring, or Destroying a GPO
-author: mjcaparas
+author: dansimp
ms.assetid: 3e1b862e-007a-4b60-900f-0489069f5c75
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/deleting-restoring-or-destroying-a-gpo-agpm40.md b/mdop/agpm/deleting-restoring-or-destroying-a-gpo-agpm40.md
index e9a7b13f30..b97ab849ad 100644
--- a/mdop/agpm/deleting-restoring-or-destroying-a-gpo-agpm40.md
+++ b/mdop/agpm/deleting-restoring-or-destroying-a-gpo-agpm40.md
@@ -1,7 +1,7 @@
---
title: Deleting, Restoring, or Destroying a GPO
description: Deleting, Restoring, or Destroying a GPO
-author: mjcaparas
+author: dansimp
ms.assetid: 3af6c396-61c8-4b32-9fd8-28e9f15e575c
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/deleting-restoring-or-destroying-a-gpo.md b/mdop/agpm/deleting-restoring-or-destroying-a-gpo.md
index 96207fe50f..b68db7b2ea 100644
--- a/mdop/agpm/deleting-restoring-or-destroying-a-gpo.md
+++ b/mdop/agpm/deleting-restoring-or-destroying-a-gpo.md
@@ -1,7 +1,7 @@
---
title: Deleting, Restoring, or Destroying a GPO
description: Deleting, Restoring, or Destroying a GPO
-author: mjcaparas
+author: dansimp
ms.assetid: 089c68e7-c1a5-418a-8776-cf23960f10c4
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/deploy-a-gpo-agpm30ops.md b/mdop/agpm/deploy-a-gpo-agpm30ops.md
index 15b54d327d..776112e102 100644
--- a/mdop/agpm/deploy-a-gpo-agpm30ops.md
+++ b/mdop/agpm/deploy-a-gpo-agpm30ops.md
@@ -1,7 +1,7 @@
---
title: Deploy a GPO
description: Deploy a GPO
-author: mjcaparas
+author: dansimp
ms.assetid: 3767b722-db43-40f1-a714-bb8e38bcaa10
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/deploy-a-gpo-agpm40.md b/mdop/agpm/deploy-a-gpo-agpm40.md
index d24c1562ea..dd8273b4fc 100644
--- a/mdop/agpm/deploy-a-gpo-agpm40.md
+++ b/mdop/agpm/deploy-a-gpo-agpm40.md
@@ -1,7 +1,7 @@
---
title: Deploy a GPO
description: Deploy a GPO
-author: mjcaparas
+author: dansimp
ms.assetid: a6febeaa-144b-4c02-99af-d972f0f2b544
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/deploy-a-gpo.md b/mdop/agpm/deploy-a-gpo.md
index 6cccb83b8a..cddc1433c8 100644
--- a/mdop/agpm/deploy-a-gpo.md
+++ b/mdop/agpm/deploy-a-gpo.md
@@ -1,7 +1,7 @@
---
title: Deploy a GPO
description: Deploy a GPO
-author: mjcaparas
+author: dansimp
ms.assetid: a0a3f292-e3ab-46ae-a0fd-d7b2b4ad8883
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/destroy-a-gpo-agpm30ops.md b/mdop/agpm/destroy-a-gpo-agpm30ops.md
index dd853317de..39d4b138ce 100644
--- a/mdop/agpm/destroy-a-gpo-agpm30ops.md
+++ b/mdop/agpm/destroy-a-gpo-agpm30ops.md
@@ -1,7 +1,7 @@
---
title: Destroy a GPO
description: Destroy a GPO
-author: mjcaparas
+author: dansimp
ms.assetid: bfabd71a-47f3-462e-b86f-5f15762b9e28
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/destroy-a-gpo-agpm40.md b/mdop/agpm/destroy-a-gpo-agpm40.md
index 28f76ae7c9..8fe48c6000 100644
--- a/mdop/agpm/destroy-a-gpo-agpm40.md
+++ b/mdop/agpm/destroy-a-gpo-agpm40.md
@@ -1,7 +1,7 @@
---
title: Destroy a GPO
description: Destroy a GPO
-author: mjcaparas
+author: dansimp
ms.assetid: 09bce8c4-f75b-4633-b80b-d894bbec95c9
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/destroy-a-gpo.md b/mdop/agpm/destroy-a-gpo.md
index 4c21c398e6..7ba2a6f165 100644
--- a/mdop/agpm/destroy-a-gpo.md
+++ b/mdop/agpm/destroy-a-gpo.md
@@ -1,7 +1,7 @@
---
title: Destroy a GPO
description: Destroy a GPO
-author: mjcaparas
+author: dansimp
ms.assetid: d74941a3-beef-46cd-a4ca-80a324dcfadf
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/domain-delegation-tab-agpm30ops.md b/mdop/agpm/domain-delegation-tab-agpm30ops.md
index aa5f709f13..e6ce2ce32d 100644
--- a/mdop/agpm/domain-delegation-tab-agpm30ops.md
+++ b/mdop/agpm/domain-delegation-tab-agpm30ops.md
@@ -1,7 +1,7 @@
---
title: Domain Delegation Tab
description: Domain Delegation Tab
-author: mjcaparas
+author: dansimp
ms.assetid: 523cdf39-f4b8-4d20-a917-3485756658ce
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/domain-delegation-tab-agpm40.md b/mdop/agpm/domain-delegation-tab-agpm40.md
index 5d2f696910..884dfe968b 100644
--- a/mdop/agpm/domain-delegation-tab-agpm40.md
+++ b/mdop/agpm/domain-delegation-tab-agpm40.md
@@ -1,7 +1,7 @@
---
title: Domain Delegation Tab
description: Domain Delegation Tab
-author: mjcaparas
+author: dansimp
ms.assetid: 5be5841e-92fb-4af6-aa68-0ae50f8d5141
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/domain-delegation-tab.md b/mdop/agpm/domain-delegation-tab.md
index 476c26e436..27847ba556 100644
--- a/mdop/agpm/domain-delegation-tab.md
+++ b/mdop/agpm/domain-delegation-tab.md
@@ -1,7 +1,7 @@
---
title: Domain Delegation Tab
description: Domain Delegation Tab
-author: mjcaparas
+author: dansimp
ms.assetid: 15a9bfff-e25b-4b62-9ebc-521a5f4eae96
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/edit-a-gpo-offline-agpm30ops.md b/mdop/agpm/edit-a-gpo-offline-agpm30ops.md
index 5518d46244..9d85b7de64 100644
--- a/mdop/agpm/edit-a-gpo-offline-agpm30ops.md
+++ b/mdop/agpm/edit-a-gpo-offline-agpm30ops.md
@@ -1,7 +1,7 @@
---
title: Edit a GPO Offline
description: Edit a GPO Offline
-author: mjcaparas
+author: dansimp
ms.assetid: 51677d8a-6209-41b5-82ed-4f3be817abc0
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/edit-a-gpo-offline-agpm40.md b/mdop/agpm/edit-a-gpo-offline-agpm40.md
index 4f311a1cc3..86cd27fe82 100644
--- a/mdop/agpm/edit-a-gpo-offline-agpm40.md
+++ b/mdop/agpm/edit-a-gpo-offline-agpm40.md
@@ -1,7 +1,7 @@
---
title: Edit a GPO Offline
description: Edit a GPO Offline
-author: mjcaparas
+author: dansimp
ms.assetid: 9c75eb3c-d4d5-41e0-b65e-8b4464a42cd9
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/edit-a-gpo-offline.md b/mdop/agpm/edit-a-gpo-offline.md
index 6ea16ebc61..f10b9771de 100644
--- a/mdop/agpm/edit-a-gpo-offline.md
+++ b/mdop/agpm/edit-a-gpo-offline.md
@@ -1,7 +1,7 @@
---
title: Edit a GPO Offline
description: Edit a GPO Offline
-author: mjcaparas
+author: dansimp
ms.assetid: 4a148952-9fe9-4ec4-8df1-b25e37c97a54
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/editing-a-gpo-agpm30ops.md b/mdop/agpm/editing-a-gpo-agpm30ops.md
index 36bd0a1166..ff27db8319 100644
--- a/mdop/agpm/editing-a-gpo-agpm30ops.md
+++ b/mdop/agpm/editing-a-gpo-agpm30ops.md
@@ -1,7 +1,7 @@
---
title: Editing a GPO
description: Editing a GPO
-author: mjcaparas
+author: dansimp
ms.assetid: 3024051a-ff33-46d0-9c3e-68ebae7f6b60
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/editing-a-gpo-agpm40.md b/mdop/agpm/editing-a-gpo-agpm40.md
index 77dcc4e9cc..d1f6bbfeae 100644
--- a/mdop/agpm/editing-a-gpo-agpm40.md
+++ b/mdop/agpm/editing-a-gpo-agpm40.md
@@ -1,7 +1,7 @@
---
title: Editing a GPO
description: Editing a GPO
-author: mjcaparas
+author: dansimp
ms.assetid: ef42eefe-7705-46b2-954d-18966335cbbf
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/editing-a-gpo.md b/mdop/agpm/editing-a-gpo.md
index c4bcdd473c..860e142fc9 100644
--- a/mdop/agpm/editing-a-gpo.md
+++ b/mdop/agpm/editing-a-gpo.md
@@ -1,7 +1,7 @@
---
title: Editing a GPO
description: Editing a GPO
-author: mjcaparas
+author: dansimp
ms.assetid: ec77d3bb-8a64-4d8e-9c28-87763de02ec0
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/export-a-gpo-to-a-file.md b/mdop/agpm/export-a-gpo-to-a-file.md
index d75d40eada..6f8016e934 100644
--- a/mdop/agpm/export-a-gpo-to-a-file.md
+++ b/mdop/agpm/export-a-gpo-to-a-file.md
@@ -1,7 +1,7 @@
---
title: Export a GPO to a File
description: Export a GPO to a File
-author: mjcaparas
+author: dansimp
ms.assetid: 0d01b1f7-a6a4-4d0d-9aa7-2d6f1ae93d9d
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/feature-visibility-settings-agpm30ops.md b/mdop/agpm/feature-visibility-settings-agpm30ops.md
index d3049f4b3f..923dbcddcb 100644
--- a/mdop/agpm/feature-visibility-settings-agpm30ops.md
+++ b/mdop/agpm/feature-visibility-settings-agpm30ops.md
@@ -1,7 +1,7 @@
---
title: Feature Visibility Settings
description: Feature Visibility Settings
-author: mjcaparas
+author: dansimp
ms.assetid: 6a844478-a6b0-490d-923f-5a6f82467831
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/feature-visibility-settings-agpm40.md b/mdop/agpm/feature-visibility-settings-agpm40.md
index e30c603bc7..ea02966e81 100644
--- a/mdop/agpm/feature-visibility-settings-agpm40.md
+++ b/mdop/agpm/feature-visibility-settings-agpm40.md
@@ -1,7 +1,7 @@
---
title: Feature Visibility Settings
description: Feature Visibility Settings
-author: mjcaparas
+author: dansimp
ms.assetid: d3c0b02a-b943-4001-8b9c-dfac8fe58789
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/feature-visibility-settings.md b/mdop/agpm/feature-visibility-settings.md
index 1cb1b3fc24..4b5bdb06b8 100644
--- a/mdop/agpm/feature-visibility-settings.md
+++ b/mdop/agpm/feature-visibility-settings.md
@@ -1,7 +1,7 @@
---
title: Feature Visibility Settings
description: Feature Visibility Settings
-author: mjcaparas
+author: dansimp
ms.assetid: 9db2ba03-fb75-4f95-9138-ec89b9fc8d01
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/history-window-agpm30ops.md b/mdop/agpm/history-window-agpm30ops.md
index c3295c3095..890e223a94 100644
--- a/mdop/agpm/history-window-agpm30ops.md
+++ b/mdop/agpm/history-window-agpm30ops.md
@@ -1,7 +1,7 @@
---
title: History Window
description: History Window
-author: mjcaparas
+author: dansimp
ms.assetid: 114f50a4-508d-4589-b006-6cd05cffe6b7
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/history-window-agpm40.md b/mdop/agpm/history-window-agpm40.md
index 7603d75dd5..0100174bae 100644
--- a/mdop/agpm/history-window-agpm40.md
+++ b/mdop/agpm/history-window-agpm40.md
@@ -1,7 +1,7 @@
---
title: History Window
description: History Window
-author: mjcaparas
+author: dansimp
ms.assetid: 5bea62e7-d267-40b2-a66d-fb1be7373a1c
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/history-window.md b/mdop/agpm/history-window.md
index 0e5e9a6687..15710eda36 100644
--- a/mdop/agpm/history-window.md
+++ b/mdop/agpm/history-window.md
@@ -1,7 +1,7 @@
---
title: History Window
description: History Window
-author: mjcaparas
+author: dansimp
ms.assetid: f11f9ad9-bffe-4c56-8c46-fe9c0a8e55c1
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/identify-differences-between-gpos-gpo-versions-or-templates-agpm30ops.md b/mdop/agpm/identify-differences-between-gpos-gpo-versions-or-templates-agpm30ops.md
index 370ce5130b..d1630c746f 100644
--- a/mdop/agpm/identify-differences-between-gpos-gpo-versions-or-templates-agpm30ops.md
+++ b/mdop/agpm/identify-differences-between-gpos-gpo-versions-or-templates-agpm30ops.md
@@ -1,7 +1,7 @@
---
title: Identify Differences Between GPOs, GPO Versions, or Templates
description: Identify Differences Between GPOs, GPO Versions, or Templates
-author: mjcaparas
+author: dansimp
ms.assetid: e391fa91-3956-4150-9d43-900cfc88d543
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/identify-differences-between-gpos-gpo-versions-or-templates-agpm40.md b/mdop/agpm/identify-differences-between-gpos-gpo-versions-or-templates-agpm40.md
index 57a7719f21..38b81a26ac 100644
--- a/mdop/agpm/identify-differences-between-gpos-gpo-versions-or-templates-agpm40.md
+++ b/mdop/agpm/identify-differences-between-gpos-gpo-versions-or-templates-agpm40.md
@@ -1,7 +1,7 @@
---
title: Identify Differences Between GPOs, GPO Versions, or Templates
description: Identify Differences Between GPOs, GPO Versions, or Templates
-author: mjcaparas
+author: dansimp
ms.assetid: 3f03c368-162b-450f-be6c-2807c3e8d741
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/identify-differences-between-gpos-gpo-versions-or-templates.md b/mdop/agpm/identify-differences-between-gpos-gpo-versions-or-templates.md
index 31a0ed88ed..33485698c3 100644
--- a/mdop/agpm/identify-differences-between-gpos-gpo-versions-or-templates.md
+++ b/mdop/agpm/identify-differences-between-gpos-gpo-versions-or-templates.md
@@ -1,7 +1,7 @@
---
title: Identify Differences Between GPOs, GPO Versions, or Templates
description: Identify Differences Between GPOs, GPO Versions, or Templates
-author: mjcaparas
+author: dansimp
ms.assetid: 6320afc4-af81-47e8-9f4c-463ff99d5a53
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/import-a-gpo-from-a-file-agpmadmin.md b/mdop/agpm/import-a-gpo-from-a-file-agpmadmin.md
index 259967c12d..d4b755d702 100644
--- a/mdop/agpm/import-a-gpo-from-a-file-agpmadmin.md
+++ b/mdop/agpm/import-a-gpo-from-a-file-agpmadmin.md
@@ -1,7 +1,7 @@
---
title: Import a GPO from a File
description: Import a GPO from a File
-author: mjcaparas
+author: dansimp
ms.assetid: 2cbcda72-4de3-47ad-aaf8-4fc7341d5a00
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/import-a-gpo-from-a-file-ed.md b/mdop/agpm/import-a-gpo-from-a-file-ed.md
index 3019b67029..697dafa9de 100644
--- a/mdop/agpm/import-a-gpo-from-a-file-ed.md
+++ b/mdop/agpm/import-a-gpo-from-a-file-ed.md
@@ -1,7 +1,7 @@
---
title: Import a GPO from a File
description: Import a GPO from a File
-author: mjcaparas
+author: dansimp
ms.assetid: 6e901a52-1101-4fed-9f90-3819b573b378
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/import-a-gpo-from-production-agpm30ops.md b/mdop/agpm/import-a-gpo-from-production-agpm30ops.md
index 06214d174c..5cadc7906b 100644
--- a/mdop/agpm/import-a-gpo-from-production-agpm30ops.md
+++ b/mdop/agpm/import-a-gpo-from-production-agpm30ops.md
@@ -1,7 +1,7 @@
---
title: Import a GPO from Production
description: Import a GPO from Production
-author: mjcaparas
+author: dansimp
ms.assetid: 35c2a682-ece8-4577-a083-7e3e9facfd13
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/import-a-gpo-from-production-agpm40-app.md b/mdop/agpm/import-a-gpo-from-production-agpm40-app.md
index af00e3582a..ef0343b66b 100644
--- a/mdop/agpm/import-a-gpo-from-production-agpm40-app.md
+++ b/mdop/agpm/import-a-gpo-from-production-agpm40-app.md
@@ -1,7 +1,7 @@
---
title: Import a GPO from Production
description: Import a GPO from Production
-author: mjcaparas
+author: dansimp
ms.assetid: c5b2f40d-1dc7-4dbf-b8b3-4d97ad73e1e5
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/import-a-gpo-from-production-agpm40-ed.md b/mdop/agpm/import-a-gpo-from-production-agpm40-ed.md
index a10d461d9e..521e17cd6f 100644
--- a/mdop/agpm/import-a-gpo-from-production-agpm40-ed.md
+++ b/mdop/agpm/import-a-gpo-from-production-agpm40-ed.md
@@ -1,7 +1,7 @@
---
title: Import a GPO from Production
description: Import a GPO from Production
-author: mjcaparas
+author: dansimp
ms.assetid: ad14203a-2e6a-41d4-a05e-4508c80045fd
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/import-a-gpo-from-production-approver.md b/mdop/agpm/import-a-gpo-from-production-approver.md
index 6895bd2248..b3b6509ac6 100644
--- a/mdop/agpm/import-a-gpo-from-production-approver.md
+++ b/mdop/agpm/import-a-gpo-from-production-approver.md
@@ -1,7 +1,7 @@
---
title: Import a GPO from Production
description: Import a GPO from Production
-author: mjcaparas
+author: dansimp
ms.assetid: 071270fa-1890-40ce-ab89-ce070a54aa59
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/import-a-gpo-from-production-editor-agpm30ops.md b/mdop/agpm/import-a-gpo-from-production-editor-agpm30ops.md
index cc32d29e0f..6233511c16 100644
--- a/mdop/agpm/import-a-gpo-from-production-editor-agpm30ops.md
+++ b/mdop/agpm/import-a-gpo-from-production-editor-agpm30ops.md
@@ -1,7 +1,7 @@
---
title: Import a GPO from Production
description: Import a GPO from Production
-author: mjcaparas
+author: dansimp
ms.assetid: ad90f13e-e73c-400f-b86f-c12f2e75d19d
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/import-a-gpo-from-production-editor.md b/mdop/agpm/import-a-gpo-from-production-editor.md
index 3ee29adf06..a67b4eb887 100644
--- a/mdop/agpm/import-a-gpo-from-production-editor.md
+++ b/mdop/agpm/import-a-gpo-from-production-editor.md
@@ -1,7 +1,7 @@
---
title: Import a GPO from Production
description: Import a GPO from Production
-author: mjcaparas
+author: dansimp
ms.assetid: ffa02b2a-2a43-4fc0-a06e-7d4b59022cc3
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/index.md b/mdop/agpm/index.md
index 324327c269..3832e088c4 100644
--- a/mdop/agpm/index.md
+++ b/mdop/agpm/index.md
@@ -1,7 +1,7 @@
---
title: Advanced Group Policy Management
description: Advanced Group Policy Management
-author: jamiejdt
+author: dansimp
ms.assetid: 493ca3c3-c3d6-4bb1-9430-dc1e43c86bb0
ms.pagetype: mdop
ms.mktglfcycl: manage
diff --git a/mdop/agpm/label-the-current-version-of-a-gpo-agpm30ops.md b/mdop/agpm/label-the-current-version-of-a-gpo-agpm30ops.md
index 1aa5500034..2a32a77423 100644
--- a/mdop/agpm/label-the-current-version-of-a-gpo-agpm30ops.md
+++ b/mdop/agpm/label-the-current-version-of-a-gpo-agpm30ops.md
@@ -1,7 +1,7 @@
---
title: Label the Current Version of a GPO
description: Label the Current Version of a GPO
-author: mjcaparas
+author: dansimp
ms.assetid: 3845211a-0bc9-4875-9906-cb758c443825
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/label-the-current-version-of-a-gpo-agpm40.md b/mdop/agpm/label-the-current-version-of-a-gpo-agpm40.md
index 4a8c652822..8e2ca70456 100644
--- a/mdop/agpm/label-the-current-version-of-a-gpo-agpm40.md
+++ b/mdop/agpm/label-the-current-version-of-a-gpo-agpm40.md
@@ -1,7 +1,7 @@
---
title: Label the Current Version of a GPO
description: Label the Current Version of a GPO
-author: mjcaparas
+author: dansimp
ms.assetid: cadc8769-21da-44b0-8122-6cafdb448913
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/label-the-current-version-of-a-gpo.md b/mdop/agpm/label-the-current-version-of-a-gpo.md
index 23520638fb..518cff6f2c 100644
--- a/mdop/agpm/label-the-current-version-of-a-gpo.md
+++ b/mdop/agpm/label-the-current-version-of-a-gpo.md
@@ -1,7 +1,7 @@
---
title: Label the Current Version of a GPO
description: Label the Current Version of a GPO
-author: mjcaparas
+author: dansimp
ms.assetid: 5e4e50f8-e4a8-4bda-aac4-1569d5fbd6a7
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/limit-the-gpo-versions-stored-agpm30ops.md b/mdop/agpm/limit-the-gpo-versions-stored-agpm30ops.md
index d119a83fa7..c74a38c572 100644
--- a/mdop/agpm/limit-the-gpo-versions-stored-agpm30ops.md
+++ b/mdop/agpm/limit-the-gpo-versions-stored-agpm30ops.md
@@ -1,7 +1,7 @@
---
title: Limit the GPO Versions Stored
description: Limit the GPO Versions Stored
-author: mjcaparas
+author: dansimp
ms.assetid: da14edc5-0c36-4c54-b122-861c86b99eb1
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/limit-the-gpo-versions-stored-agpm40.md b/mdop/agpm/limit-the-gpo-versions-stored-agpm40.md
index 2570da4136..9ca2d0acda 100644
--- a/mdop/agpm/limit-the-gpo-versions-stored-agpm40.md
+++ b/mdop/agpm/limit-the-gpo-versions-stored-agpm40.md
@@ -1,7 +1,7 @@
---
title: Limit the GPO Versions Stored
description: Limit the GPO Versions Stored
-author: mjcaparas
+author: dansimp
ms.assetid: d802c7b6-f303-4b23-aefd-f19f1300b0ff
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/logging-and-tracing-settings-agpm30ops.md b/mdop/agpm/logging-and-tracing-settings-agpm30ops.md
index 327edf7784..adb810c271 100644
--- a/mdop/agpm/logging-and-tracing-settings-agpm30ops.md
+++ b/mdop/agpm/logging-and-tracing-settings-agpm30ops.md
@@ -1,7 +1,7 @@
---
title: Logging and Tracing Settings
description: Logging and Tracing Settings
-author: mjcaparas
+author: dansimp
ms.assetid: 858b6fbf-65b4-42fa-95a9-69b04e5734d7
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/logging-and-tracing-settings-agpm40.md b/mdop/agpm/logging-and-tracing-settings-agpm40.md
index 3e42a4a154..2c42860152 100644
--- a/mdop/agpm/logging-and-tracing-settings-agpm40.md
+++ b/mdop/agpm/logging-and-tracing-settings-agpm40.md
@@ -1,7 +1,7 @@
---
title: Logging and Tracing Settings
description: Logging and Tracing Settings
-author: mjcaparas
+author: dansimp
ms.assetid: 66d03306-80d8-4132-bf71-2827157b1fc9
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/logging-and-tracing-settings.md b/mdop/agpm/logging-and-tracing-settings.md
index ec78ccc511..67460cfdb5 100644
--- a/mdop/agpm/logging-and-tracing-settings.md
+++ b/mdop/agpm/logging-and-tracing-settings.md
@@ -1,7 +1,7 @@
---
title: Logging and Tracing Settings
description: Logging and Tracing Settings
-author: mjcaparas
+author: dansimp
ms.assetid: db6b43c7-fdde-4d11-b5ab-a81346e56940
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/managing-the-agpm-service-agpm30ops.md b/mdop/agpm/managing-the-agpm-service-agpm30ops.md
index 9896b4a887..3b9da4b940 100644
--- a/mdop/agpm/managing-the-agpm-service-agpm30ops.md
+++ b/mdop/agpm/managing-the-agpm-service-agpm30ops.md
@@ -1,7 +1,7 @@
---
title: Managing the AGPM Service
description: Managing the AGPM Service
-author: mjcaparas
+author: dansimp
ms.assetid: a522b1f1-c57b-43aa-9d75-acc6f9bedbf9
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/managing-the-agpm-service-agpm40.md b/mdop/agpm/managing-the-agpm-service-agpm40.md
index 96280adf4b..76fedcb48b 100644
--- a/mdop/agpm/managing-the-agpm-service-agpm40.md
+++ b/mdop/agpm/managing-the-agpm-service-agpm40.md
@@ -1,7 +1,7 @@
---
title: Managing the AGPM Service
description: Managing the AGPM Service
-author: mjcaparas
+author: dansimp
ms.assetid: 48ca02aa-6acf-403b-afd4-66ae8a953246
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/managing-the-agpm-service.md b/mdop/agpm/managing-the-agpm-service.md
index 174c061105..da8f07c50c 100644
--- a/mdop/agpm/managing-the-agpm-service.md
+++ b/mdop/agpm/managing-the-agpm-service.md
@@ -1,7 +1,7 @@
---
title: Managing the AGPM Service
description: Managing the AGPM Service
-author: mjcaparas
+author: dansimp
ms.assetid: 331f64d2-1236-4711-81b4-1b92f019bfa5
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/managing-the-archive-agpm40.md b/mdop/agpm/managing-the-archive-agpm40.md
index e22bed1a2d..39f7a9a28e 100644
--- a/mdop/agpm/managing-the-archive-agpm40.md
+++ b/mdop/agpm/managing-the-archive-agpm40.md
@@ -1,7 +1,7 @@
---
title: Managing the Archive
description: Managing the Archive
-author: mjcaparas
+author: dansimp
ms.assetid: b11a3d71-74ea-4dd7-b243-6f2880b7af2d
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/managing-the-archive.md b/mdop/agpm/managing-the-archive.md
index ba25337775..6b1a2d21c5 100644
--- a/mdop/agpm/managing-the-archive.md
+++ b/mdop/agpm/managing-the-archive.md
@@ -1,7 +1,7 @@
---
title: Managing the Archive
description: Managing the Archive
-author: mjcaparas
+author: dansimp
ms.assetid: 7c7654e9-ab0e-4531-8ef7-ae77ef391620
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/modify-the-agpm-service-account.md b/mdop/agpm/modify-the-agpm-service-account.md
index 21bd9e501c..780d107283 100644
--- a/mdop/agpm/modify-the-agpm-service-account.md
+++ b/mdop/agpm/modify-the-agpm-service-account.md
@@ -1,7 +1,7 @@
---
title: Modify the AGPM Service Account
description: Modify the AGPM Service Account
-author: mjcaparas
+author: dansimp
ms.assetid: 0d8d8c7b-f299-4fee-8414-406492156942
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/modify-the-agpm-service-agpm30ops.md b/mdop/agpm/modify-the-agpm-service-agpm30ops.md
index ce08a4d000..8834c5eb34 100644
--- a/mdop/agpm/modify-the-agpm-service-agpm30ops.md
+++ b/mdop/agpm/modify-the-agpm-service-agpm30ops.md
@@ -1,7 +1,7 @@
---
title: Modify the AGPM Service
description: Modify the AGPM Service
-author: mjcaparas
+author: dansimp
ms.assetid: 3485f85f-59d1-48dc-8748-36826214dcb1
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/modify-the-agpm-service-agpm40.md b/mdop/agpm/modify-the-agpm-service-agpm40.md
index 20ec5c3a65..1fdf5b8ecb 100644
--- a/mdop/agpm/modify-the-agpm-service-agpm40.md
+++ b/mdop/agpm/modify-the-agpm-service-agpm40.md
@@ -1,7 +1,7 @@
---
title: Modify the AGPM Service
description: Modify the AGPM Service
-author: mjcaparas
+author: dansimp
ms.assetid: 3239d088-bb86-4ec4-bc56-dbe8f1c710f5
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/modify-the-archive-path.md b/mdop/agpm/modify-the-archive-path.md
index 0e52f280d7..ea4a9c81c7 100644
--- a/mdop/agpm/modify-the-archive-path.md
+++ b/mdop/agpm/modify-the-archive-path.md
@@ -1,7 +1,7 @@
---
title: Modify the Archive Path
description: Modify the Archive Path
-author: mjcaparas
+author: dansimp
ms.assetid: 6d90daf9-58db-4166-b5b3-e84bb261164a
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/modify-the-port-on-which-the-agpm-service-listens.md b/mdop/agpm/modify-the-port-on-which-the-agpm-service-listens.md
index 6ad27ab0b6..420514276e 100644
--- a/mdop/agpm/modify-the-port-on-which-the-agpm-service-listens.md
+++ b/mdop/agpm/modify-the-port-on-which-the-agpm-service-listens.md
@@ -1,7 +1,7 @@
---
title: Modify the Port on Which the AGPM Service Listens
description: Modify the Port on Which the AGPM Service Listens
-author: mjcaparas
+author: dansimp
ms.assetid: a82c6873-e916-4a04-b263-aa612cd6956b
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/move-the-agpm-server-and-the-archive-agpm40.md b/mdop/agpm/move-the-agpm-server-and-the-archive-agpm40.md
index 027abbaaa7..696cc928a3 100644
--- a/mdop/agpm/move-the-agpm-server-and-the-archive-agpm40.md
+++ b/mdop/agpm/move-the-agpm-server-and-the-archive-agpm40.md
@@ -1,7 +1,7 @@
---
title: Move the AGPM Server and the Archive
description: Move the AGPM Server and the Archive
-author: mjcaparas
+author: dansimp
ms.assetid: 9ec48d3a-c293-45f0-8939-32ccdc062303
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/move-the-agpm-server-and-the-archive.md b/mdop/agpm/move-the-agpm-server-and-the-archive.md
index 93f0d42c02..29baec8da0 100644
--- a/mdop/agpm/move-the-agpm-server-and-the-archive.md
+++ b/mdop/agpm/move-the-agpm-server-and-the-archive.md
@@ -1,7 +1,7 @@
---
title: Move the AGPM Server and the Archive
description: Move the AGPM Server and the Archive
-author: mjcaparas
+author: dansimp
ms.assetid: 13cb83c4-bb42-4e81-8660-5b7540f473d8
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/operations-guide-for-microsoft-advanced-group-policy-management-25.md b/mdop/agpm/operations-guide-for-microsoft-advanced-group-policy-management-25.md
index 464ddc37b5..c0c1b78cb0 100644
--- a/mdop/agpm/operations-guide-for-microsoft-advanced-group-policy-management-25.md
+++ b/mdop/agpm/operations-guide-for-microsoft-advanced-group-policy-management-25.md
@@ -1,7 +1,7 @@
---
title: Operations Guide for Microsoft Advanced Group Policy Management 2.5
description: Operations Guide for Microsoft Advanced Group Policy Management 2.5
-author: mjcaparas
+author: dansimp
ms.assetid: 005f0bb5-789f-42a9-bcaf-7e8c31a8df66
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/operations-guide-for-microsoft-advanced-group-policy-management-30-agpm30ops.md b/mdop/agpm/operations-guide-for-microsoft-advanced-group-policy-management-30-agpm30ops.md
index eaa5a661af..77dfd7402a 100644
--- a/mdop/agpm/operations-guide-for-microsoft-advanced-group-policy-management-30-agpm30ops.md
+++ b/mdop/agpm/operations-guide-for-microsoft-advanced-group-policy-management-30-agpm30ops.md
@@ -1,7 +1,7 @@
---
title: Operations Guide for Microsoft Advanced Group Policy Management 3.0
description: Operations Guide for Microsoft Advanced Group Policy Management 3.0
-author: mjcaparas
+author: dansimp
ms.assetid: aaefe6d1-a9e5-43eb-b4d8-85880798cb8b
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/operations-guide-for-microsoft-advanced-group-policy-management-40.md b/mdop/agpm/operations-guide-for-microsoft-advanced-group-policy-management-40.md
index 7243627a33..e6c33c6490 100644
--- a/mdop/agpm/operations-guide-for-microsoft-advanced-group-policy-management-40.md
+++ b/mdop/agpm/operations-guide-for-microsoft-advanced-group-policy-management-40.md
@@ -1,7 +1,7 @@
---
title: Operations Guide for Microsoft Advanced Group Policy Management 4.0
description: Operations Guide for Microsoft Advanced Group Policy Management 4.0
-author: mjcaparas
+author: dansimp
ms.assetid: 0bafeba3-20a9-4360-be5d-03f786df11ee
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/other-enhancements-to-the-gpmc.md b/mdop/agpm/other-enhancements-to-the-gpmc.md
index d68a942bcd..fdf7e3ab2f 100644
--- a/mdop/agpm/other-enhancements-to-the-gpmc.md
+++ b/mdop/agpm/other-enhancements-to-the-gpmc.md
@@ -1,7 +1,7 @@
---
title: Other Enhancements to the GPMC
description: Other Enhancements to the GPMC
-author: mjcaparas
+author: dansimp
ms.assetid: ef344101-17e1-4e06-9dc8-2f20ca796774
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/overview-of-advanced-group-policy-management-agpm30ops.md b/mdop/agpm/overview-of-advanced-group-policy-management-agpm30ops.md
index e14a1f4b10..ae01c964e7 100644
--- a/mdop/agpm/overview-of-advanced-group-policy-management-agpm30ops.md
+++ b/mdop/agpm/overview-of-advanced-group-policy-management-agpm30ops.md
@@ -1,7 +1,7 @@
---
title: Overview of Advanced Group Policy Management
description: Overview of Advanced Group Policy Management
-author: mjcaparas
+author: dansimp
ms.assetid: 3a8d1e58-12b9-42bd-898f-6d57514dfbb9
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/overview-of-advanced-group-policy-management-agpm40.md b/mdop/agpm/overview-of-advanced-group-policy-management-agpm40.md
index 4d4f47e6ad..67111dde93 100644
--- a/mdop/agpm/overview-of-advanced-group-policy-management-agpm40.md
+++ b/mdop/agpm/overview-of-advanced-group-policy-management-agpm40.md
@@ -1,7 +1,7 @@
---
title: Overview of Advanced Group Policy Management
description: Overview of Advanced Group Policy Management
-author: mjcaparas
+author: dansimp
ms.assetid: 2c12f3b4-8472-4c5b-b7f8-1c98a80d6b47
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/overview-of-advanced-group-policy-management.md b/mdop/agpm/overview-of-advanced-group-policy-management.md
index 6bbb659ca4..d39125dff8 100644
--- a/mdop/agpm/overview-of-advanced-group-policy-management.md
+++ b/mdop/agpm/overview-of-advanced-group-policy-management.md
@@ -1,7 +1,7 @@
---
title: Overview of Advanced Group Policy Management
description: Overview of Advanced Group Policy Management
-author: mjcaparas
+author: dansimp
ms.assetid: 028de9dd-848b-42bc-a982-65ba5c433772
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/pending-gpo-commands-agpm30ops.md b/mdop/agpm/pending-gpo-commands-agpm30ops.md
index c155fbc2cf..ac209741db 100644
--- a/mdop/agpm/pending-gpo-commands-agpm30ops.md
+++ b/mdop/agpm/pending-gpo-commands-agpm30ops.md
@@ -1,7 +1,7 @@
---
title: Pending GPO Commands
description: Pending GPO Commands
-author: mjcaparas
+author: dansimp
ms.assetid: 3868dda0-8a41-4bba-9b0c-9f656f9a3cd5
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/pending-gpo-commands-agpm40.md b/mdop/agpm/pending-gpo-commands-agpm40.md
index 1e6862db89..6355b75c72 100644
--- a/mdop/agpm/pending-gpo-commands-agpm40.md
+++ b/mdop/agpm/pending-gpo-commands-agpm40.md
@@ -1,7 +1,7 @@
---
title: Pending GPO Commands
description: Pending GPO Commands
-author: mjcaparas
+author: dansimp
ms.assetid: b62f49e1-43ab-4c93-8102-96cd97a4adad
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/pending-tab.md b/mdop/agpm/pending-tab.md
index 4ee185771f..651aed92e0 100644
--- a/mdop/agpm/pending-tab.md
+++ b/mdop/agpm/pending-tab.md
@@ -1,7 +1,7 @@
---
title: Pending Tab
description: Pending Tab
-author: mjcaparas
+author: dansimp
ms.assetid: 54a9a977-c0bc-4553-922b-b2e10e162df9
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/performing-agpm-administrator-tasks-agpm30ops.md b/mdop/agpm/performing-agpm-administrator-tasks-agpm30ops.md
index b23cff06c7..cb634d1f12 100644
--- a/mdop/agpm/performing-agpm-administrator-tasks-agpm30ops.md
+++ b/mdop/agpm/performing-agpm-administrator-tasks-agpm30ops.md
@@ -1,7 +1,7 @@
---
title: Performing AGPM Administrator Tasks
description: Performing AGPM Administrator Tasks
-author: mjcaparas
+author: dansimp
ms.assetid: 9678b0f4-70a5-411e-a896-afa4dc9ea6c4
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/performing-agpm-administrator-tasks-agpm40.md b/mdop/agpm/performing-agpm-administrator-tasks-agpm40.md
index aa73d0ac46..f8ccba7272 100644
--- a/mdop/agpm/performing-agpm-administrator-tasks-agpm40.md
+++ b/mdop/agpm/performing-agpm-administrator-tasks-agpm40.md
@@ -1,7 +1,7 @@
---
title: Performing AGPM Administrator Tasks
description: Performing AGPM Administrator Tasks
-author: mjcaparas
+author: dansimp
ms.assetid: bc746f39-bdc9-4e2a-bc48-c3c7905de098
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/performing-agpm-administrator-tasks.md b/mdop/agpm/performing-agpm-administrator-tasks.md
index ebc6992639..71b1c9749c 100644
--- a/mdop/agpm/performing-agpm-administrator-tasks.md
+++ b/mdop/agpm/performing-agpm-administrator-tasks.md
@@ -1,7 +1,7 @@
---
title: Performing AGPM Administrator Tasks
description: Performing AGPM Administrator Tasks
-author: mjcaparas
+author: dansimp
ms.assetid: 32e694a7-be64-4943-bce2-2a3a15e5341f
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/performing-approver-tasks-agpm30ops.md b/mdop/agpm/performing-approver-tasks-agpm30ops.md
index 457707ad10..4c519657e9 100644
--- a/mdop/agpm/performing-approver-tasks-agpm30ops.md
+++ b/mdop/agpm/performing-approver-tasks-agpm30ops.md
@@ -1,7 +1,7 @@
---
title: Performing Approver Tasks
description: Performing Approver Tasks
-author: mjcaparas
+author: dansimp
ms.assetid: 9f711824-191b-4b4b-a1c6-a3b2116006a4
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/performing-approver-tasks-agpm40.md b/mdop/agpm/performing-approver-tasks-agpm40.md
index 8a19c9ecda..2a949f0a84 100644
--- a/mdop/agpm/performing-approver-tasks-agpm40.md
+++ b/mdop/agpm/performing-approver-tasks-agpm40.md
@@ -1,7 +1,7 @@
---
title: Performing Approver Tasks
description: Performing Approver Tasks
-author: mjcaparas
+author: dansimp
ms.assetid: e0a4b7fe-ce69-4755-9104-c7f523ea6b62
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/performing-approver-tasks.md b/mdop/agpm/performing-approver-tasks.md
index ce05f48885..fd4190ca12 100644
--- a/mdop/agpm/performing-approver-tasks.md
+++ b/mdop/agpm/performing-approver-tasks.md
@@ -1,7 +1,7 @@
---
title: Performing Approver Tasks
description: Performing Approver Tasks
-author: mjcaparas
+author: dansimp
ms.assetid: 6f6310b3-19c1-47c9-8615-964ddd10ce14
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/performing-editor-tasks-agpm30ops.md b/mdop/agpm/performing-editor-tasks-agpm30ops.md
index abc69827c2..e6f638319a 100644
--- a/mdop/agpm/performing-editor-tasks-agpm30ops.md
+++ b/mdop/agpm/performing-editor-tasks-agpm30ops.md
@@ -1,7 +1,7 @@
---
title: Performing Editor Tasks
description: Performing Editor Tasks
-author: mjcaparas
+author: dansimp
ms.assetid: d4ac3277-2557-41cf-ac90-5adb6c30687c
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/performing-editor-tasks-agpm40.md b/mdop/agpm/performing-editor-tasks-agpm40.md
index b776479dfc..d359605154 100644
--- a/mdop/agpm/performing-editor-tasks-agpm40.md
+++ b/mdop/agpm/performing-editor-tasks-agpm40.md
@@ -1,7 +1,7 @@
---
title: Performing Editor Tasks
description: Performing Editor Tasks
-author: mjcaparas
+author: dansimp
ms.assetid: 81976a01-2a95-4256-b703-9fb3c884ef34
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/performing-editor-tasks.md b/mdop/agpm/performing-editor-tasks.md
index eeea2a652c..5ba1b63760 100644
--- a/mdop/agpm/performing-editor-tasks.md
+++ b/mdop/agpm/performing-editor-tasks.md
@@ -1,7 +1,7 @@
---
title: Performing Editor Tasks
description: Performing Editor Tasks
-author: mjcaparas
+author: dansimp
ms.assetid: b1e62615-2e02-460e-81d1-4a3fbe59f62d
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/performing-reviewer-tasks-agpm30ops.md b/mdop/agpm/performing-reviewer-tasks-agpm30ops.md
index 94d4b73d01..79dddb832c 100644
--- a/mdop/agpm/performing-reviewer-tasks-agpm30ops.md
+++ b/mdop/agpm/performing-reviewer-tasks-agpm30ops.md
@@ -1,7 +1,7 @@
---
title: Performing Reviewer Tasks
description: Performing Reviewer Tasks
-author: mjcaparas
+author: dansimp
ms.assetid: 1faf396d-be0d-49ac-b063-0722fda2e43d
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/performing-reviewer-tasks-agpm40.md b/mdop/agpm/performing-reviewer-tasks-agpm40.md
index 5bf87e09a7..e4dc40829d 100644
--- a/mdop/agpm/performing-reviewer-tasks-agpm40.md
+++ b/mdop/agpm/performing-reviewer-tasks-agpm40.md
@@ -1,7 +1,7 @@
---
title: Performing Reviewer Tasks
description: Performing Reviewer Tasks
-author: mjcaparas
+author: dansimp
ms.assetid: b5f0805c-da55-45a5-a94c-2473af92b54a
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/performing-reviewer-tasks.md b/mdop/agpm/performing-reviewer-tasks.md
index aa542e0ac9..f2ea335680 100644
--- a/mdop/agpm/performing-reviewer-tasks.md
+++ b/mdop/agpm/performing-reviewer-tasks.md
@@ -1,7 +1,7 @@
---
title: Performing Reviewer Tasks
description: Performing Reviewer Tasks
-author: mjcaparas
+author: dansimp
ms.assetid: 4bdd43fa-5c73-4900-8947-b45906f47f60
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/production-delegation-tab-agpm30ops.md b/mdop/agpm/production-delegation-tab-agpm30ops.md
index efa8ccb039..32ef7974df 100644
--- a/mdop/agpm/production-delegation-tab-agpm30ops.md
+++ b/mdop/agpm/production-delegation-tab-agpm30ops.md
@@ -1,7 +1,7 @@
---
title: Production Delegation Tab
description: Production Delegation Tab
-author: mjcaparas
+author: dansimp
ms.assetid: 9851637d-d5c1-4d29-8582-e8779500a14e
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/production-delegation-tab-agpm40.md b/mdop/agpm/production-delegation-tab-agpm40.md
index 29e323127c..118c822a7d 100644
--- a/mdop/agpm/production-delegation-tab-agpm40.md
+++ b/mdop/agpm/production-delegation-tab-agpm40.md
@@ -1,7 +1,7 @@
---
title: Production Delegation Tab
description: Production Delegation Tab
-author: mjcaparas
+author: dansimp
ms.assetid: 046bb9bc-769a-4306-bc49-c159a9533552
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/recycle-bin-commands-agpm30ops.md b/mdop/agpm/recycle-bin-commands-agpm30ops.md
index baf41c217c..d3ed4beea9 100644
--- a/mdop/agpm/recycle-bin-commands-agpm30ops.md
+++ b/mdop/agpm/recycle-bin-commands-agpm30ops.md
@@ -1,7 +1,7 @@
---
title: Recycle Bin Commands
description: Recycle Bin Commands
-author: mjcaparas
+author: dansimp
ms.assetid: ffe8f020-7aa9-40ad-8019-cc99901a7840
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/recycle-bin-commands-agpm40.md b/mdop/agpm/recycle-bin-commands-agpm40.md
index ddd12cfd22..a1be8b3f88 100644
--- a/mdop/agpm/recycle-bin-commands-agpm40.md
+++ b/mdop/agpm/recycle-bin-commands-agpm40.md
@@ -1,7 +1,7 @@
---
title: Recycle Bin Commands
description: Recycle Bin Commands
-author: mjcaparas
+author: dansimp
ms.assetid: 347a101f-0ba0-4afc-bd59-752cc06bb904
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/recycle-bin-tab.md b/mdop/agpm/recycle-bin-tab.md
index 95d40a6e1d..749191d42c 100644
--- a/mdop/agpm/recycle-bin-tab.md
+++ b/mdop/agpm/recycle-bin-tab.md
@@ -1,7 +1,7 @@
---
title: Recycle Bin Tab
description: Recycle Bin Tab
-author: mjcaparas
+author: dansimp
ms.assetid: 9ce62e98-c03e-4a75-90e0-51be83c6d2db
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/release-notes-for-microsoft-advanced-group-policy-management-40-sp1.md b/mdop/agpm/release-notes-for-microsoft-advanced-group-policy-management-40-sp1.md
index f72ca9d61d..26e276ed65 100644
--- a/mdop/agpm/release-notes-for-microsoft-advanced-group-policy-management-40-sp1.md
+++ b/mdop/agpm/release-notes-for-microsoft-advanced-group-policy-management-40-sp1.md
@@ -1,7 +1,7 @@
---
title: Release Notes for Microsoft Advanced Group Policy Management 4.0 SP1
description: Release Notes for Microsoft Advanced Group Policy Management 4.0 SP1
-author: mjcaparas
+author: dansimp
ms.assetid: 91835bf8-e53c-4202-986e-8d37050d1267
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/release-notes-for-microsoft-advanced-group-policy-management-40-sp2.md b/mdop/agpm/release-notes-for-microsoft-advanced-group-policy-management-40-sp2.md
index e5a7a19136..9c609242ce 100644
--- a/mdop/agpm/release-notes-for-microsoft-advanced-group-policy-management-40-sp2.md
+++ b/mdop/agpm/release-notes-for-microsoft-advanced-group-policy-management-40-sp2.md
@@ -1,7 +1,7 @@
---
title: Release Notes for Microsoft Advanced Group Policy Management 4.0 SP2
description: Release Notes for Microsoft Advanced Group Policy Management 4.0 SP2
-author: mjcaparas
+author: dansimp
ms.assetid: 0593cd11-3308-4942-bf19-8a7bb9447f01
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/release-notes-for-microsoft-advanced-group-policy-management-40-sp3.md b/mdop/agpm/release-notes-for-microsoft-advanced-group-policy-management-40-sp3.md
index 2c9d766a6d..cfeb0c897e 100644
--- a/mdop/agpm/release-notes-for-microsoft-advanced-group-policy-management-40-sp3.md
+++ b/mdop/agpm/release-notes-for-microsoft-advanced-group-policy-management-40-sp3.md
@@ -1,7 +1,7 @@
---
title: Release Notes for Microsoft Advanced Group Policy Management 4.0 SP3
description: Release Notes for Microsoft Advanced Group Policy Management 4.0 SP3
-author: mjcaparas
+author: dansimp
ms.assetid: 955d7674-a8d9-4fc5-b18a-5a1639e38014
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/release-notes-for-microsoft-advanced-group-policy-management-40.md b/mdop/agpm/release-notes-for-microsoft-advanced-group-policy-management-40.md
index caa920e145..1230a91148 100644
--- a/mdop/agpm/release-notes-for-microsoft-advanced-group-policy-management-40.md
+++ b/mdop/agpm/release-notes-for-microsoft-advanced-group-policy-management-40.md
@@ -1,7 +1,7 @@
---
title: Release Notes for Microsoft Advanced Group Policy Management 4.0
description: Release Notes for Microsoft Advanced Group Policy Management 4.0
-author: mjcaparas
+author: dansimp
ms.assetid: 44c19e61-c8e8-48aa-a2c2-20396d14d5bb
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/rename-a-gpo-or-template-agpm30ops.md b/mdop/agpm/rename-a-gpo-or-template-agpm30ops.md
index 3aa827f71f..6c457983f8 100644
--- a/mdop/agpm/rename-a-gpo-or-template-agpm30ops.md
+++ b/mdop/agpm/rename-a-gpo-or-template-agpm30ops.md
@@ -1,7 +1,7 @@
---
title: Rename a GPO or Template
description: Rename a GPO or Template
-author: mjcaparas
+author: dansimp
ms.assetid: 19d17ddf-8b58-4677-929e-9550fa388b93
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/rename-a-gpo-or-template-agpm40.md b/mdop/agpm/rename-a-gpo-or-template-agpm40.md
index 7befd4f578..a2a1b19820 100644
--- a/mdop/agpm/rename-a-gpo-or-template-agpm40.md
+++ b/mdop/agpm/rename-a-gpo-or-template-agpm40.md
@@ -1,7 +1,7 @@
---
title: Rename a GPO or Template
description: Rename a GPO or Template
-author: mjcaparas
+author: dansimp
ms.assetid: 84293f7a-4ff7-497e-bdbc-cabb70189a03
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/rename-a-gpo-or-template.md b/mdop/agpm/rename-a-gpo-or-template.md
index 3a2a71a243..e437925f07 100644
--- a/mdop/agpm/rename-a-gpo-or-template.md
+++ b/mdop/agpm/rename-a-gpo-or-template.md
@@ -1,7 +1,7 @@
---
title: Rename a GPO or Template
description: Rename a GPO or Template
-author: mjcaparas
+author: dansimp
ms.assetid: 64a1aaf4-f672-48b5-94c6-473bf1076cf3
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/request-control-of-a-previously-uncontrolled-gpo.md b/mdop/agpm/request-control-of-a-previously-uncontrolled-gpo.md
index e58c025f14..c31e31cb35 100644
--- a/mdop/agpm/request-control-of-a-previously-uncontrolled-gpo.md
+++ b/mdop/agpm/request-control-of-a-previously-uncontrolled-gpo.md
@@ -1,7 +1,7 @@
---
title: Request Control of a Previously Uncontrolled GPO
description: Request Control of a Previously Uncontrolled GPO
-author: mjcaparas
+author: dansimp
ms.assetid: 00e8725d-5d7f-4eed-a5e6-c3631632cfbd
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/request-control-of-an-uncontrolled-gpo-agpm30ops.md b/mdop/agpm/request-control-of-an-uncontrolled-gpo-agpm30ops.md
index 3d14dbd600..1f12840287 100644
--- a/mdop/agpm/request-control-of-an-uncontrolled-gpo-agpm30ops.md
+++ b/mdop/agpm/request-control-of-an-uncontrolled-gpo-agpm30ops.md
@@ -1,7 +1,7 @@
---
title: Request Control of an Uncontrolled GPO
description: Request Control of an Uncontrolled GPO
-author: mjcaparas
+author: dansimp
ms.assetid: b668a67a-5a2c-4f6a-8b1c-efa3ca0794d4
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/request-control-of-an-uncontrolled-gpo-agpm40.md b/mdop/agpm/request-control-of-an-uncontrolled-gpo-agpm40.md
index 86d8e3030f..b82b4bae0c 100644
--- a/mdop/agpm/request-control-of-an-uncontrolled-gpo-agpm40.md
+++ b/mdop/agpm/request-control-of-an-uncontrolled-gpo-agpm40.md
@@ -1,7 +1,7 @@
---
title: Request Control of an Uncontrolled GPO
description: Request Control of an Uncontrolled GPO
-author: mjcaparas
+author: dansimp
ms.assetid: a34e0aeb-33a1-4c9f-b187-1d08493a785c
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/request-deletion-of-a-gpo-agpm30ops.md b/mdop/agpm/request-deletion-of-a-gpo-agpm30ops.md
index 7f2ecf3393..4b6b24a531 100644
--- a/mdop/agpm/request-deletion-of-a-gpo-agpm30ops.md
+++ b/mdop/agpm/request-deletion-of-a-gpo-agpm30ops.md
@@ -1,7 +1,7 @@
---
title: Request Deletion of a GPO
description: Request Deletion of a GPO
-author: mjcaparas
+author: dansimp
ms.assetid: 576ece5c-dc6d-4b5e-8628-01c15ae2c9a8
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/request-deletion-of-a-gpo-agpm40.md b/mdop/agpm/request-deletion-of-a-gpo-agpm40.md
index 844b1cad3c..0124dc0a64 100644
--- a/mdop/agpm/request-deletion-of-a-gpo-agpm40.md
+++ b/mdop/agpm/request-deletion-of-a-gpo-agpm40.md
@@ -1,7 +1,7 @@
---
title: Request Deletion of a GPO
description: Request Deletion of a GPO
-author: mjcaparas
+author: dansimp
ms.assetid: 2410f7a1-ccca-44cf-ab26-76ad474409e7
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/request-deployment-of-a-gpo-agpm30ops.md b/mdop/agpm/request-deployment-of-a-gpo-agpm30ops.md
index a1fb49a16f..fcb659cd00 100644
--- a/mdop/agpm/request-deployment-of-a-gpo-agpm30ops.md
+++ b/mdop/agpm/request-deployment-of-a-gpo-agpm30ops.md
@@ -1,7 +1,7 @@
---
title: Request Deployment of a GPO
description: Request Deployment of a GPO
-author: mjcaparas
+author: dansimp
ms.assetid: f44ae0fb-bcf7-477b-b99e-9dd6a55ee597
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/request-deployment-of-a-gpo-agpm40.md b/mdop/agpm/request-deployment-of-a-gpo-agpm40.md
index 334d30d658..5c633c5a9c 100644
--- a/mdop/agpm/request-deployment-of-a-gpo-agpm40.md
+++ b/mdop/agpm/request-deployment-of-a-gpo-agpm40.md
@@ -1,7 +1,7 @@
---
title: Request Deployment of a GPO
description: Request Deployment of a GPO
-author: mjcaparas
+author: dansimp
ms.assetid: 5783cfd0-bd93-46b4-8fa0-684bd39aa8fc
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/request-deployment-of-a-gpo.md b/mdop/agpm/request-deployment-of-a-gpo.md
index fd81f52490..7c38b0addd 100644
--- a/mdop/agpm/request-deployment-of-a-gpo.md
+++ b/mdop/agpm/request-deployment-of-a-gpo.md
@@ -1,7 +1,7 @@
---
title: Request Deployment of a GPO
description: Request Deployment of a GPO
-author: mjcaparas
+author: dansimp
ms.assetid: 9aa9af29-4754-4f72-b624-bb3e1087cbe1
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/request-restoration-of-a-deleted-gpo-agpm30ops.md b/mdop/agpm/request-restoration-of-a-deleted-gpo-agpm30ops.md
index 5eea73eb07..a5d72f95b9 100644
--- a/mdop/agpm/request-restoration-of-a-deleted-gpo-agpm30ops.md
+++ b/mdop/agpm/request-restoration-of-a-deleted-gpo-agpm30ops.md
@@ -1,7 +1,7 @@
---
title: Request Restoration of a Deleted GPO
description: Request Restoration of a Deleted GPO
-author: mjcaparas
+author: dansimp
ms.assetid: dcc3baea-8af7-4886-a301-98b6ac5819cd
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/request-restoration-of-a-deleted-gpo-agpm40.md b/mdop/agpm/request-restoration-of-a-deleted-gpo-agpm40.md
index 9a569cc216..6d7272bb13 100644
--- a/mdop/agpm/request-restoration-of-a-deleted-gpo-agpm40.md
+++ b/mdop/agpm/request-restoration-of-a-deleted-gpo-agpm40.md
@@ -1,7 +1,7 @@
---
title: Request Restoration of a Deleted GPO
description: Request Restoration of a Deleted GPO
-author: mjcaparas
+author: dansimp
ms.assetid: bac5ca3b-be47-49b5-bf1b-96280625fda8
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/request-the-creation-of-a-new-controlled-gpo-agpm30ops.md b/mdop/agpm/request-the-creation-of-a-new-controlled-gpo-agpm30ops.md
index 9c7adfcc7c..2ad25d82f2 100644
--- a/mdop/agpm/request-the-creation-of-a-new-controlled-gpo-agpm30ops.md
+++ b/mdop/agpm/request-the-creation-of-a-new-controlled-gpo-agpm30ops.md
@@ -1,7 +1,7 @@
---
title: Request the Creation of a New Controlled GPO
description: Request the Creation of a New Controlled GPO
-author: mjcaparas
+author: dansimp
ms.assetid: 4194c2f3-8116-4a35-be1a-81c84072daec
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/request-the-creation-of-a-new-controlled-gpo-agpm40.md b/mdop/agpm/request-the-creation-of-a-new-controlled-gpo-agpm40.md
index 155d54a519..c191185c64 100644
--- a/mdop/agpm/request-the-creation-of-a-new-controlled-gpo-agpm40.md
+++ b/mdop/agpm/request-the-creation-of-a-new-controlled-gpo-agpm40.md
@@ -1,7 +1,7 @@
---
title: Request the Creation of a New Controlled GPO
description: Request the Creation of a New Controlled GPO
-author: mjcaparas
+author: dansimp
ms.assetid: cb265238-386f-4780-a59a-0c9a4a87d736
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/request-the-creation-of-a-new-controlled-gpo.md b/mdop/agpm/request-the-creation-of-a-new-controlled-gpo.md
index be1818d321..fa93f03e77 100644
--- a/mdop/agpm/request-the-creation-of-a-new-controlled-gpo.md
+++ b/mdop/agpm/request-the-creation-of-a-new-controlled-gpo.md
@@ -1,7 +1,7 @@
---
title: Request the Creation of a New Controlled GPO
description: Request the Creation of a New Controlled GPO
-author: mjcaparas
+author: dansimp
ms.assetid: e1875d81-8553-42ee-8f3a-023d6ced86ca
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/resources-for-agpm.md b/mdop/agpm/resources-for-agpm.md
index 310dda78df..04cbb5788f 100644
--- a/mdop/agpm/resources-for-agpm.md
+++ b/mdop/agpm/resources-for-agpm.md
@@ -1,7 +1,7 @@
---
title: Resources for AGPM
description: Resources for AGPM
-author: mjcaparas
+author: dansimp
ms.assetid: b44b58c0-2810-40d6-9677-f2f64e1add75
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/restore-a-deleted-gpo-agpm30ops.md b/mdop/agpm/restore-a-deleted-gpo-agpm30ops.md
index 5f46d1b370..b213359f0d 100644
--- a/mdop/agpm/restore-a-deleted-gpo-agpm30ops.md
+++ b/mdop/agpm/restore-a-deleted-gpo-agpm30ops.md
@@ -1,7 +1,7 @@
---
title: Restore a Deleted GPO
description: Restore a Deleted GPO
-author: mjcaparas
+author: dansimp
ms.assetid: 853feb0a-d2d9-4be9-a07e-e113a56a9968
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/restore-a-deleted-gpo-agpm40.md b/mdop/agpm/restore-a-deleted-gpo-agpm40.md
index d68d3dc138..85f0cb5bb3 100644
--- a/mdop/agpm/restore-a-deleted-gpo-agpm40.md
+++ b/mdop/agpm/restore-a-deleted-gpo-agpm40.md
@@ -1,7 +1,7 @@
---
title: Restore a Deleted GPO
description: Restore a Deleted GPO
-author: mjcaparas
+author: dansimp
ms.assetid: 0a131d26-a741-4a51-b612-c0bc7dbba06b
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/restore-a-deleted-gpo.md b/mdop/agpm/restore-a-deleted-gpo.md
index 27a79b4d0e..b88e837db1 100644
--- a/mdop/agpm/restore-a-deleted-gpo.md
+++ b/mdop/agpm/restore-a-deleted-gpo.md
@@ -1,7 +1,7 @@
---
title: Restore a Deleted GPO
description: Restore a Deleted GPO
-author: mjcaparas
+author: dansimp
ms.assetid: e6953296-7b7d-4d1e-ad82-d4a23044cdd7
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/restore-the-archive-from-a-backup-agpm40.md b/mdop/agpm/restore-the-archive-from-a-backup-agpm40.md
index 35d0247a88..40dfa1d821 100644
--- a/mdop/agpm/restore-the-archive-from-a-backup-agpm40.md
+++ b/mdop/agpm/restore-the-archive-from-a-backup-agpm40.md
@@ -1,7 +1,7 @@
---
title: Restore the Archive from a Backup
description: Restore the Archive from a Backup
-author: mjcaparas
+author: dansimp
ms.assetid: b83f6173-a236-4da2-b16e-8df20920d4cc
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/restore-the-archive-from-a-backup.md b/mdop/agpm/restore-the-archive-from-a-backup.md
index 597857d21f..67953e93ac 100644
--- a/mdop/agpm/restore-the-archive-from-a-backup.md
+++ b/mdop/agpm/restore-the-archive-from-a-backup.md
@@ -1,7 +1,7 @@
---
title: Restore the Archive from a Backup
description: Restore the Archive from a Backup
-author: mjcaparas
+author: dansimp
ms.assetid: 49666337-d72c-4e44-99e4-9eb59b2355a9
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/review-gpo-links-agpm30ops.md b/mdop/agpm/review-gpo-links-agpm30ops.md
index f76ec518b9..9871c1b92c 100644
--- a/mdop/agpm/review-gpo-links-agpm30ops.md
+++ b/mdop/agpm/review-gpo-links-agpm30ops.md
@@ -1,7 +1,7 @@
---
title: Review GPO Links
description: Review GPO Links
-author: mjcaparas
+author: dansimp
ms.assetid: 5ae95afc-2b89-45cf-916c-efe2d43b2211
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/review-gpo-links-agpm40.md b/mdop/agpm/review-gpo-links-agpm40.md
index 46af2603fc..7485933f68 100644
--- a/mdop/agpm/review-gpo-links-agpm40.md
+++ b/mdop/agpm/review-gpo-links-agpm40.md
@@ -1,7 +1,7 @@
---
title: Review GPO Links
description: Review GPO Links
-author: mjcaparas
+author: dansimp
ms.assetid: 3aaba9da-f0aa-466f-bd1c-49f11d00ea54
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/review-gpo-links.md b/mdop/agpm/review-gpo-links.md
index e0569fce2c..b419911628 100644
--- a/mdop/agpm/review-gpo-links.md
+++ b/mdop/agpm/review-gpo-links.md
@@ -1,7 +1,7 @@
---
title: Review GPO Links
description: Review GPO Links
-author: mjcaparas
+author: dansimp
ms.assetid: 3c472448-f16a-493c-a229-5ca60a470965
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/review-gpo-settings-agpm30ops.md b/mdop/agpm/review-gpo-settings-agpm30ops.md
index 5568f18e0f..6c569b8d1b 100644
--- a/mdop/agpm/review-gpo-settings-agpm30ops.md
+++ b/mdop/agpm/review-gpo-settings-agpm30ops.md
@@ -1,7 +1,7 @@
---
title: Review GPO Settings
description: Review GPO Settings
-author: mjcaparas
+author: dansimp
ms.assetid: bed956d0-082e-4fa9-bf1e-572d0d3d02ec
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/review-gpo-settings-agpm40.md b/mdop/agpm/review-gpo-settings-agpm40.md
index 2b24c18e22..77e60f42cc 100644
--- a/mdop/agpm/review-gpo-settings-agpm40.md
+++ b/mdop/agpm/review-gpo-settings-agpm40.md
@@ -1,7 +1,7 @@
---
title: Review GPO Settings
description: Review GPO Settings
-author: mjcaparas
+author: dansimp
ms.assetid: c346bcde-dd6a-4775-aeab-721ca3a361b2
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/review-gpo-settings.md b/mdop/agpm/review-gpo-settings.md
index 406ad65b0c..952c2ac544 100644
--- a/mdop/agpm/review-gpo-settings.md
+++ b/mdop/agpm/review-gpo-settings.md
@@ -1,7 +1,7 @@
---
title: Review GPO Settings
description: Review GPO Settings
-author: mjcaparas
+author: dansimp
ms.assetid: e82570b2-d8ce-4bf0-8ad7-8910409f3041
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/roll-back-to-a-previous-version-of-a-gpo-agpm30ops.md b/mdop/agpm/roll-back-to-a-previous-version-of-a-gpo-agpm30ops.md
index 14901c7456..f9c5735347 100644
--- a/mdop/agpm/roll-back-to-a-previous-version-of-a-gpo-agpm30ops.md
+++ b/mdop/agpm/roll-back-to-a-previous-version-of-a-gpo-agpm30ops.md
@@ -1,7 +1,7 @@
---
title: Roll Back to a Previous Version of a GPO
description: Roll Back to a Previous Version of a GPO
-author: mjcaparas
+author: dansimp
ms.assetid: 2a98ad8f-32cb-41eb-ab99-0318f2a55d81
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/roll-back-to-a-previous-version-of-a-gpo.md b/mdop/agpm/roll-back-to-a-previous-version-of-a-gpo.md
index 2363f2055b..7068147b6c 100644
--- a/mdop/agpm/roll-back-to-a-previous-version-of-a-gpo.md
+++ b/mdop/agpm/roll-back-to-a-previous-version-of-a-gpo.md
@@ -1,7 +1,7 @@
---
title: Roll Back to a Previous Version of a GPO
description: Roll Back to a Previous Version of a GPO
-author: mjcaparas
+author: dansimp
ms.assetid: 028631c0-4cb9-4642-90ad-04cd813051b7
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/roll-back-to-an-earlier-version-of-a-gpo-agpm40.md b/mdop/agpm/roll-back-to-an-earlier-version-of-a-gpo-agpm40.md
index 5a9b000943..3df03b1ccd 100644
--- a/mdop/agpm/roll-back-to-an-earlier-version-of-a-gpo-agpm40.md
+++ b/mdop/agpm/roll-back-to-an-earlier-version-of-a-gpo-agpm40.md
@@ -1,7 +1,7 @@
---
title: Roll Back to an Earlier Version of a GPO
description: Roll Back to an Earlier Version of a GPO
-author: mjcaparas
+author: dansimp
ms.assetid: 06ce9251-95e0-46d0-99c2-b9a0690e5891
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/search-and-filter-the-list-of-gpos.md b/mdop/agpm/search-and-filter-the-list-of-gpos.md
index 51af8002eb..1ad003bf5a 100644
--- a/mdop/agpm/search-and-filter-the-list-of-gpos.md
+++ b/mdop/agpm/search-and-filter-the-list-of-gpos.md
@@ -1,7 +1,7 @@
---
title: Search and Filter the List of GPOs
description: Search and Filter the List of GPOs
-author: mjcaparas
+author: dansimp
ms.assetid: 1bc58a38-033c-4aed-9eb4-c239827f5501
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/set-a-default-template-agpm30ops.md b/mdop/agpm/set-a-default-template-agpm30ops.md
index aab61140e4..05832f8ef0 100644
--- a/mdop/agpm/set-a-default-template-agpm30ops.md
+++ b/mdop/agpm/set-a-default-template-agpm30ops.md
@@ -1,7 +1,7 @@
---
title: Set a Default Template
description: Set a Default Template
-author: mjcaparas
+author: dansimp
ms.assetid: 84edbd69-451b-4c10-a898-781d4b75d09c
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/set-a-default-template-agpm40.md b/mdop/agpm/set-a-default-template-agpm40.md
index 68c165be29..4369a82870 100644
--- a/mdop/agpm/set-a-default-template-agpm40.md
+++ b/mdop/agpm/set-a-default-template-agpm40.md
@@ -1,7 +1,7 @@
---
title: Set a Default Template
description: Set a Default Template
-author: mjcaparas
+author: dansimp
ms.assetid: 07208b6b-cb3a-4f6c-9c84-36d4dc1486d8
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/set-a-default-template.md b/mdop/agpm/set-a-default-template.md
index 354b961123..8386ca2b9c 100644
--- a/mdop/agpm/set-a-default-template.md
+++ b/mdop/agpm/set-a-default-template.md
@@ -1,7 +1,7 @@
---
title: Set a Default Template
description: Set a Default Template
-author: mjcaparas
+author: dansimp
ms.assetid: e0acf980-437f-4357-b237-298aaebe490d
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/start-and-stop-the-agpm-service-agpm30ops.md b/mdop/agpm/start-and-stop-the-agpm-service-agpm30ops.md
index bd04d77d92..93d74f5f37 100644
--- a/mdop/agpm/start-and-stop-the-agpm-service-agpm30ops.md
+++ b/mdop/agpm/start-and-stop-the-agpm-service-agpm30ops.md
@@ -1,7 +1,7 @@
---
title: Start and Stop the AGPM Service
description: Start and Stop the AGPM Service
-author: mjcaparas
+author: dansimp
ms.assetid: b9d26920-c439-4992-9a78-73e4fba8309d
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/start-and-stop-the-agpm-service-agpm40.md b/mdop/agpm/start-and-stop-the-agpm-service-agpm40.md
index 7d19498e83..533b33af92 100644
--- a/mdop/agpm/start-and-stop-the-agpm-service-agpm40.md
+++ b/mdop/agpm/start-and-stop-the-agpm-service-agpm40.md
@@ -1,7 +1,7 @@
---
title: Start and Stop the AGPM Service
description: Start and Stop the AGPM Service
-author: mjcaparas
+author: dansimp
ms.assetid: dcc9566c-c515-4fbe-b7f5-8ac030141307
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/start-and-stop-the-agpm-service.md b/mdop/agpm/start-and-stop-the-agpm-service.md
index 05cb3f8cc5..3dbf704495 100644
--- a/mdop/agpm/start-and-stop-the-agpm-service.md
+++ b/mdop/agpm/start-and-stop-the-agpm-service.md
@@ -1,7 +1,7 @@
---
title: Start and Stop the AGPM Service
description: Start and Stop the AGPM Service
-author: mjcaparas
+author: dansimp
ms.assetid: 769aa0ce-224a-446f-9958-9518af4ad159
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/step-by-step-guide-for-microsoft-advanced-group-policy-management-25.md b/mdop/agpm/step-by-step-guide-for-microsoft-advanced-group-policy-management-25.md
index b41ee4e572..fbeee131b7 100644
--- a/mdop/agpm/step-by-step-guide-for-microsoft-advanced-group-policy-management-25.md
+++ b/mdop/agpm/step-by-step-guide-for-microsoft-advanced-group-policy-management-25.md
@@ -1,7 +1,7 @@
---
title: Step-by-Step Guide for Microsoft Advanced Group Policy Management 2.5
description: Step-by-Step Guide for Microsoft Advanced Group Policy Management 2.5
-author: mjcaparas
+author: dansimp
ms.assetid: 454298c9-0fab-497a-9808-c0246a4c8db5
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/step-by-step-guide-for-microsoft-advanced-group-policy-management-30.md b/mdop/agpm/step-by-step-guide-for-microsoft-advanced-group-policy-management-30.md
index d593fc9011..63df928e4f 100644
--- a/mdop/agpm/step-by-step-guide-for-microsoft-advanced-group-policy-management-30.md
+++ b/mdop/agpm/step-by-step-guide-for-microsoft-advanced-group-policy-management-30.md
@@ -1,7 +1,7 @@
---
title: Step-by-Step Guide for Microsoft Advanced Group Policy Management 3.0
description: Step-by-Step Guide for Microsoft Advanced Group Policy Management 3.0
-author: mjcaparas
+author: dansimp
ms.assetid: d067f465-d7c8-4f6d-b311-66b9b06874f7
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/step-by-step-guide-for-microsoft-advanced-group-policy-management-40.md b/mdop/agpm/step-by-step-guide-for-microsoft-advanced-group-policy-management-40.md
index dc69096e0f..05228f0a31 100644
--- a/mdop/agpm/step-by-step-guide-for-microsoft-advanced-group-policy-management-40.md
+++ b/mdop/agpm/step-by-step-guide-for-microsoft-advanced-group-policy-management-40.md
@@ -1,7 +1,7 @@
---
title: Step-by-Step Guide for Microsoft Advanced Group Policy Management 4.0
description: Step-by-Step Guide for Microsoft Advanced Group Policy Management 4.0
-author: mjcaparas
+author: dansimp
ms.assetid: dc6f9b16-b1d4-48f3-88bb-f29301f0131c
ms.reviewer:
manager: dansimp
@@ -272,15 +272,17 @@ As an AGPM Administrator (Full Control), you designate the e-mail addresses of A
**To configure e-mail notification for AGPM**
-1. In the details pane, click the **Domain Delegation** tab.
+1. In **Group Policy Management Editor** , navigate to the **Change Control** folder
-2. In the **From e-mail address** field, type the e-mail alias for AGPM from which notifications should be sent.
+2. In the details pane, click the **Domain Delegation** tab.
-3. In the **To e-mail address** field, type the e-mail address for the user account to which you intend to assign the Approver role.
+3. In the **From e-mail address** field, type the e-mail alias for AGPM from which notifications should be sent.
-4. In the **SMTP server** field, type a valid SMTP mail server.
+4. In the **To e-mail address** field, type the e-mail address for the user account to which you intend to assign the Approver role.
-5. In the **User name** and **Password** fields, type the credentials of a user who has access to the SMTP service. Click **Apply**.
+5. In the **SMTP server** field, type a valid SMTP mail server.
+
+6. In the **User name** and **Password** fields, type the credentials of a user who has access to the SMTP service. Click **Apply**.
### Step 5: Delegate access
diff --git a/mdop/agpm/technical-overview-of-agpm.md b/mdop/agpm/technical-overview-of-agpm.md
index 9f7a7d14d8..8a6b243011 100644
--- a/mdop/agpm/technical-overview-of-agpm.md
+++ b/mdop/agpm/technical-overview-of-agpm.md
@@ -1,7 +1,7 @@
---
title: Technical Overview of AGPM
description: Technical Overview of AGPM
-author: mjcaparas
+author: dansimp
ms.assetid: 36bc0ab5-f752-474c-8559-721ea95169c2
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/template-commands-agpm30ops.md b/mdop/agpm/template-commands-agpm30ops.md
index d0d078ee41..046c815f0c 100644
--- a/mdop/agpm/template-commands-agpm30ops.md
+++ b/mdop/agpm/template-commands-agpm30ops.md
@@ -1,7 +1,7 @@
---
title: Template Commands
description: Template Commands
-author: mjcaparas
+author: dansimp
ms.assetid: 2ec11b3f-0c5c-4788-97bd-bd4bf64ba51a
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/template-commands-agpm40.md b/mdop/agpm/template-commands-agpm40.md
index ab77542a14..d8a5c7af94 100644
--- a/mdop/agpm/template-commands-agpm40.md
+++ b/mdop/agpm/template-commands-agpm40.md
@@ -1,7 +1,7 @@
---
title: Template Commands
description: Template Commands
-author: mjcaparas
+author: dansimp
ms.assetid: 243a9b18-bf3f-44fa-94d7-5c793f7322da
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/templates-tab.md b/mdop/agpm/templates-tab.md
index 6c6a7e617d..ff01b1c77f 100644
--- a/mdop/agpm/templates-tab.md
+++ b/mdop/agpm/templates-tab.md
@@ -1,7 +1,7 @@
---
title: Templates Tab
description: Templates Tab
-author: mjcaparas
+author: dansimp
ms.assetid: 5676e9f9-eb52-49e1-a55d-15c1059af368
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/test-a-gpo-in-a-separate-organizational-unit-agpm40.md b/mdop/agpm/test-a-gpo-in-a-separate-organizational-unit-agpm40.md
index 7eebcfe46c..5770353813 100644
--- a/mdop/agpm/test-a-gpo-in-a-separate-organizational-unit-agpm40.md
+++ b/mdop/agpm/test-a-gpo-in-a-separate-organizational-unit-agpm40.md
@@ -1,7 +1,7 @@
---
title: Test a GPO in a Separate Organizational Unit
description: Test a GPO in a Separate Organizational Unit
-author: mjcaparas
+author: dansimp
ms.assetid: 9a9e6d22-74e6-41d8-ac2f-12a1b76ad5a0
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/troubleshooting-advanced-group-policy-management-agpm30ops.md b/mdop/agpm/troubleshooting-advanced-group-policy-management-agpm30ops.md
index 9cfdbb49f9..85beacad4b 100644
--- a/mdop/agpm/troubleshooting-advanced-group-policy-management-agpm30ops.md
+++ b/mdop/agpm/troubleshooting-advanced-group-policy-management-agpm30ops.md
@@ -1,7 +1,7 @@
---
title: Troubleshooting Advanced Group Policy Management
description: Troubleshooting Advanced Group Policy Management
-author: mjcaparas
+author: dansimp
ms.assetid: f7ece97c-e9f8-4b18-8c7a-a615c98d5c60
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/troubleshooting-advanced-group-policy-management.md b/mdop/agpm/troubleshooting-advanced-group-policy-management.md
index 17e6a15981..eef7bb66d5 100644
--- a/mdop/agpm/troubleshooting-advanced-group-policy-management.md
+++ b/mdop/agpm/troubleshooting-advanced-group-policy-management.md
@@ -1,7 +1,7 @@
---
title: Troubleshooting Advanced Group Policy Management
description: Troubleshooting Advanced Group Policy Management
-author: mjcaparas
+author: dansimp
ms.assetid: f58849cf-6c5b-44d8-b356-0ed7a5b24cee
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/troubleshooting-agpm-agpm40.md b/mdop/agpm/troubleshooting-agpm-agpm40.md
index a714041c6c..937da5a8bb 100644
--- a/mdop/agpm/troubleshooting-agpm-agpm40.md
+++ b/mdop/agpm/troubleshooting-agpm-agpm40.md
@@ -1,7 +1,7 @@
---
title: Troubleshooting AGPM
description: Troubleshooting AGPM
-author: mjcaparas
+author: dansimp
ms.assetid: bedcd817-beb2-47bf-aebd-e3923c4fd06f
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/troubleshooting-agpm40-upgrades.md b/mdop/agpm/troubleshooting-agpm40-upgrades.md
new file mode 100644
index 0000000000..90e2ca7e1d
--- /dev/null
+++ b/mdop/agpm/troubleshooting-agpm40-upgrades.md
@@ -0,0 +1,41 @@
+---
+title: Troubleshooting AGPM Upgrades
+description: Troubleshooting AGPM Upgrades
+author: dansimp
+ms.assetid: 1abbf0c1-fd32-46a8-a3ba-c005f066523d
+ms.reviewer:
+manager: dansimp
+ms.author: jedodson
+ms.pagetype: mdop
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.prod: w10
+ms.date: 06/16/2016
+---
+
+
+# Troubleshooting AGPM Upgrades
+
+This section lists common issues that you may encounter when you upgrade your Advanced Group Policy Management (AGPM) server to a newer version (e.g. AGPM 4.0 to AGPM 4.3). To diagnose issues not listed here, it may be helpful to view the [Troubleshooting AGPM](troubleshooting-agpm-agpm40.md) or for an AGPM Administrator (Full Control) to use logging and tracing. For more information, see [Configure Logging and Tracing](configure-logging-and-tracing-agpm40.md).
+
+## What problems are you having?
+
+- [Failed to generate a HTML GPO difference report (Error code 80004003)](#bkmk-error-80004003)
+
+### Failed to generate a HTML GPO difference report (Error code 80004003)
+
+- **Cause**: You have installed the AGPM upgrade package with an incorrect account.
+
+- **Solution**: You will need to be an AGPM administrator in order to fix this issue.
+
+ - Ensure you know the username & password of your **AGPM service account**.
+
+ - Log onto your AGPM server interactively as your AGPM service account.
+
+ - This is critically important, as the install will fail if you use a different account.
+
+ - Shutdown the AGPM service.
+
+ - Install the required hotfix.
+
+ - Connect to AGPM using an AGPM client to test that your difference reports are now functioning.
diff --git a/mdop/agpm/uncontrolled-gpo-commands-agpm30ops.md b/mdop/agpm/uncontrolled-gpo-commands-agpm30ops.md
index 63d79386b6..c371132ecd 100644
--- a/mdop/agpm/uncontrolled-gpo-commands-agpm30ops.md
+++ b/mdop/agpm/uncontrolled-gpo-commands-agpm30ops.md
@@ -1,7 +1,7 @@
---
title: Uncontrolled GPO Commands
description: Uncontrolled GPO Commands
-author: mjcaparas
+author: dansimp
ms.assetid: 94c07b09-cb96-4ff2-b963-b25f103e73e9
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/uncontrolled-gpo-commands-agpm40.md b/mdop/agpm/uncontrolled-gpo-commands-agpm40.md
index 81b96fa77a..4039771a91 100644
--- a/mdop/agpm/uncontrolled-gpo-commands-agpm40.md
+++ b/mdop/agpm/uncontrolled-gpo-commands-agpm40.md
@@ -1,7 +1,7 @@
---
title: Uncontrolled GPO Commands
description: Uncontrolled GPO Commands
-author: mjcaparas
+author: dansimp
ms.assetid: 05a8050f-adc3-465b-8524-bbe95745165c
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/uncontrolled-tab.md b/mdop/agpm/uncontrolled-tab.md
index 92f967b4c2..209267d4d1 100644
--- a/mdop/agpm/uncontrolled-tab.md
+++ b/mdop/agpm/uncontrolled-tab.md
@@ -1,7 +1,7 @@
---
title: Uncontrolled Tab
description: Uncontrolled Tab
-author: mjcaparas
+author: dansimp
ms.assetid: d7e658bf-a72b-4813-bdc8-2fdb7251e742
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/use-a-test-environment-agpm30ops.md b/mdop/agpm/use-a-test-environment-agpm30ops.md
index 02be96d42b..191a0368bf 100644
--- a/mdop/agpm/use-a-test-environment-agpm30ops.md
+++ b/mdop/agpm/use-a-test-environment-agpm30ops.md
@@ -1,7 +1,7 @@
---
title: Use a Test Environment
description: Use a Test Environment
-author: mjcaparas
+author: dansimp
ms.assetid: 86295084-b39e-4040-bb3f-15c3c1e99b1a
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/use-a-test-environment.md b/mdop/agpm/use-a-test-environment.md
index 42f74a29ce..7ceb7db026 100644
--- a/mdop/agpm/use-a-test-environment.md
+++ b/mdop/agpm/use-a-test-environment.md
@@ -1,7 +1,7 @@
---
title: Use a Test Environment
description: Use a Test Environment
-author: mjcaparas
+author: dansimp
ms.assetid: b8d7b3ee-030a-4b5b-8223-4a3276fd47a7
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/user-interface-advanced-group-policy-management-agpm30ops.md b/mdop/agpm/user-interface-advanced-group-policy-management-agpm30ops.md
index 1fc220154a..ec24e0f6b9 100644
--- a/mdop/agpm/user-interface-advanced-group-policy-management-agpm30ops.md
+++ b/mdop/agpm/user-interface-advanced-group-policy-management-agpm30ops.md
@@ -1,7 +1,7 @@
---
title: User Interface Advanced Group Policy Management
description: User Interface Advanced Group Policy Management
-author: mjcaparas
+author: dansimp
ms.assetid: 19aab694-8283-4d97-9425-1845404b461f
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/user-interface-advanced-group-policy-management-agpm40.md b/mdop/agpm/user-interface-advanced-group-policy-management-agpm40.md
index db917b9080..4dea408268 100644
--- a/mdop/agpm/user-interface-advanced-group-policy-management-agpm40.md
+++ b/mdop/agpm/user-interface-advanced-group-policy-management-agpm40.md
@@ -1,7 +1,7 @@
---
title: User Interface Advanced Group Policy Management
description: User Interface Advanced Group Policy Management
-author: mjcaparas
+author: dansimp
ms.assetid: 1bf67f6a-4f24-4020-a8c1-fe440de9caa3
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/user-interface-advanced-group-policy-management.md b/mdop/agpm/user-interface-advanced-group-policy-management.md
index 2ab508b6ad..df9a57c840 100644
--- a/mdop/agpm/user-interface-advanced-group-policy-management.md
+++ b/mdop/agpm/user-interface-advanced-group-policy-management.md
@@ -1,7 +1,7 @@
---
title: User Interface Advanced Group Policy Management
description: User Interface Advanced Group Policy Management
-author: mjcaparas
+author: dansimp
ms.assetid: 73324c99-adca-46dc-b516-ef78b7235f59
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/using-a-test-environment.md b/mdop/agpm/using-a-test-environment.md
index 0b9b47d7e4..e85967ce48 100644
--- a/mdop/agpm/using-a-test-environment.md
+++ b/mdop/agpm/using-a-test-environment.md
@@ -1,7 +1,7 @@
---
title: Using a Test Environment
description: Using a Test Environment
-author: mjcaparas
+author: dansimp
ms.assetid: fc5fcc7c-1ac8-483a-a6bd-2279ae2ee3fb
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/whats-new-in-agpm-30.md b/mdop/agpm/whats-new-in-agpm-30.md
index 5d83cee0ba..65ef1f96ca 100644
--- a/mdop/agpm/whats-new-in-agpm-30.md
+++ b/mdop/agpm/whats-new-in-agpm-30.md
@@ -1,7 +1,7 @@
---
title: What's New in AGPM 3.0
description: What's New in AGPM 3.0
-author: mjcaparas
+author: dansimp
ms.assetid: 0d082b86-63c5-45ce-9529-6e5f37254f9d
ms.reviewer:
manager: dansimp
diff --git a/mdop/agpm/whats-new-in-agpm-40-sp3.md b/mdop/agpm/whats-new-in-agpm-40-sp3.md
index 4e65034c54..dbe0512e16 100644
--- a/mdop/agpm/whats-new-in-agpm-40-sp3.md
+++ b/mdop/agpm/whats-new-in-agpm-40-sp3.md
@@ -30,7 +30,7 @@ AGPM 4.0 SP3 adds support for the Windows 10 and Windows Server 2016 operating
### Support for PowerShell
-AGPM 4.0 SP3 adds support for PowerShell cmdlets. For a list of the cmdlets available in AGPM 4.0 SP3, including descriptions and syntax, see [Microsoft Desktop Optimization Pack Automation with Windows PowerShell](https://technet.microsoft.com/library/dn520245.aspx).
+AGPM 4.0 SP3 adds support for PowerShell cmdlets. For a list of the cmdlets available in AGPM 4.0 SP3, including descriptions and syntax, see [Microsoft Desktop Optimization Pack Automation with Windows PowerShell](https://docs.microsoft.com/powershell/mdop/get-started?view=win-mdop2-ps).
### Customer feedback and hotfix rollup
diff --git a/mdop/appv-v4/about-app-v-package-accelerators--app-v-46-sp1-.md b/mdop/appv-v4/about-app-v-package-accelerators--app-v-46-sp1-.md
index 1b90836822..e162df6f9b 100644
--- a/mdop/appv-v4/about-app-v-package-accelerators--app-v-46-sp1-.md
+++ b/mdop/appv-v4/about-app-v-package-accelerators--app-v-46-sp1-.md
@@ -1,7 +1,7 @@
---
title: About App-V Package Accelerators (App-V 4.6 SP1)
description: About App-V Package Accelerators (App-V 4.6 SP1)
-author: manikadhiman
+author: dansimp
ms.assetid: fc2d2375-8f17-4a6d-b374-771cb947cb8c
ms.reviewer:
manager: dansimp
@@ -9,7 +9,7 @@ ms.author: manikadhiman
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/appv-v4/about-application-licensing.md b/mdop/appv-v4/about-application-licensing.md
index 323ddc8447..039444d39d 100644
--- a/mdop/appv-v4/about-application-licensing.md
+++ b/mdop/appv-v4/about-application-licensing.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/about-application-virtualization-applications.md b/mdop/appv-v4/about-application-virtualization-applications.md
index bcde0caabe..81f4351171 100644
--- a/mdop/appv-v4/about-application-virtualization-applications.md
+++ b/mdop/appv-v4/about-application-virtualization-applications.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/about-application-virtualization-packages.md b/mdop/appv-v4/about-application-virtualization-packages.md
index cc5664e576..63e1915d67 100644
--- a/mdop/appv-v4/about-application-virtualization-packages.md
+++ b/mdop/appv-v4/about-application-virtualization-packages.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/about-application-virtualization-servers.md b/mdop/appv-v4/about-application-virtualization-servers.md
index 241dbca298..6078a1f5cb 100644
--- a/mdop/appv-v4/about-application-virtualization-servers.md
+++ b/mdop/appv-v4/about-application-virtualization-servers.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/about-microsoft-application-virtualization-45-sp1.md b/mdop/appv-v4/about-microsoft-application-virtualization-45-sp1.md
index 2ece8bb435..2379da3dff 100644
--- a/mdop/appv-v4/about-microsoft-application-virtualization-45-sp1.md
+++ b/mdop/appv-v4/about-microsoft-application-virtualization-45-sp1.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/appv-v4/about-microsoft-application-virtualization-45-sp2.md b/mdop/appv-v4/about-microsoft-application-virtualization-45-sp2.md
index 6e0135e762..80134f7a39 100644
--- a/mdop/appv-v4/about-microsoft-application-virtualization-45-sp2.md
+++ b/mdop/appv-v4/about-microsoft-application-virtualization-45-sp2.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/appv-v4/about-microsoft-application-virtualization-45.md b/mdop/appv-v4/about-microsoft-application-virtualization-45.md
index 6747f077ed..827934974f 100644
--- a/mdop/appv-v4/about-microsoft-application-virtualization-45.md
+++ b/mdop/appv-v4/about-microsoft-application-virtualization-45.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/about-microsoft-application-virtualization-46-sp1.md b/mdop/appv-v4/about-microsoft-application-virtualization-46-sp1.md
index aa774f657e..f2d49596f4 100644
--- a/mdop/appv-v4/about-microsoft-application-virtualization-46-sp1.md
+++ b/mdop/appv-v4/about-microsoft-application-virtualization-46-sp1.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/about-microsoft-application-virtualization-46-sp2.md b/mdop/appv-v4/about-microsoft-application-virtualization-46-sp2.md
index d11db11a1f..ece900187a 100644
--- a/mdop/appv-v4/about-microsoft-application-virtualization-46-sp2.md
+++ b/mdop/appv-v4/about-microsoft-application-virtualization-46-sp2.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/appv-v4/about-microsoft-application-virtualization-46-sp3.md b/mdop/appv-v4/about-microsoft-application-virtualization-46-sp3.md
index 5973540792..ef4f01c277 100644
--- a/mdop/appv-v4/about-microsoft-application-virtualization-46-sp3.md
+++ b/mdop/appv-v4/about-microsoft-application-virtualization-46-sp3.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/appv-v4/about-microsoft-application-virtualization-46.md b/mdop/appv-v4/about-microsoft-application-virtualization-46.md
index 394b921628..4e2161b45f 100644
--- a/mdop/appv-v4/about-microsoft-application-virtualization-46.md
+++ b/mdop/appv-v4/about-microsoft-application-virtualization-46.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/about-publishing.md b/mdop/appv-v4/about-publishing.md
index 54ba36cfd3..0aab27b334 100644
--- a/mdop/appv-v4/about-publishing.md
+++ b/mdop/appv-v4/about-publishing.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/about-sequencing-phases.md b/mdop/appv-v4/about-sequencing-phases.md
index 78f1f65733..e9f821e89a 100644
--- a/mdop/appv-v4/about-sequencing-phases.md
+++ b/mdop/appv-v4/about-sequencing-phases.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/about-sharing-package-accelerators-page.md b/mdop/appv-v4/about-sharing-package-accelerators-page.md
index c8cf061993..880688dd13 100644
--- a/mdop/appv-v4/about-sharing-package-accelerators-page.md
+++ b/mdop/appv-v4/about-sharing-package-accelerators-page.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/about-the-application-virtualization-sequencer.md b/mdop/appv-v4/about-the-application-virtualization-sequencer.md
index 139afed1b7..c51d335407 100644
--- a/mdop/appv-v4/about-the-application-virtualization-sequencer.md
+++ b/mdop/appv-v4/about-the-application-virtualization-sequencer.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/about-the-application-virtualization-server-management-console.md b/mdop/appv-v4/about-the-application-virtualization-server-management-console.md
index eb23af68bb..e3654b07e0 100644
--- a/mdop/appv-v4/about-the-application-virtualization-server-management-console.md
+++ b/mdop/appv-v4/about-the-application-virtualization-server-management-console.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/about-the-deployment-tab.md b/mdop/appv-v4/about-the-deployment-tab.md
index ecd0dce407..7a0a6c25b4 100644
--- a/mdop/appv-v4/about-the-deployment-tab.md
+++ b/mdop/appv-v4/about-the-deployment-tab.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/appv-v4/about-the-files-tab.md b/mdop/appv-v4/about-the-files-tab.md
index 8d8c64dd8b..2281e4a415 100644
--- a/mdop/appv-v4/about-the-files-tab.md
+++ b/mdop/appv-v4/about-the-files-tab.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/about-the-osd-tab.md b/mdop/appv-v4/about-the-osd-tab.md
index 6355f6a8a5..cd15ddc088 100644
--- a/mdop/appv-v4/about-the-osd-tab.md
+++ b/mdop/appv-v4/about-the-osd-tab.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/about-the-properties-tab.md b/mdop/appv-v4/about-the-properties-tab.md
index 60f67d1be8..49f24affb3 100644
--- a/mdop/appv-v4/about-the-properties-tab.md
+++ b/mdop/appv-v4/about-the-properties-tab.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/about-the-sequencer-console.md b/mdop/appv-v4/about-the-sequencer-console.md
index 836a438e18..c9ade6aad8 100644
--- a/mdop/appv-v4/about-the-sequencer-console.md
+++ b/mdop/appv-v4/about-the-sequencer-console.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/about-the-virtual-file-system-tab.md b/mdop/appv-v4/about-the-virtual-file-system-tab.md
index bd07a942c7..c63df76467 100644
--- a/mdop/appv-v4/about-the-virtual-file-system-tab.md
+++ b/mdop/appv-v4/about-the-virtual-file-system-tab.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/appv-v4/about-the-virtual-registry-tab.md b/mdop/appv-v4/about-the-virtual-registry-tab.md
index 71e0e3aa94..580a4456c0 100644
--- a/mdop/appv-v4/about-the-virtual-registry-tab.md
+++ b/mdop/appv-v4/about-the-virtual-registry-tab.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/about-the-virtual-services-tab.md b/mdop/appv-v4/about-the-virtual-services-tab.md
index 94b51a9dd2..9da1a5c4f1 100644
--- a/mdop/appv-v4/about-the-virtual-services-tab.md
+++ b/mdop/appv-v4/about-the-virtual-services-tab.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/about-using-the-sequencer-command-line.md b/mdop/appv-v4/about-using-the-sequencer-command-line.md
index 844d28f414..b54eeb6152 100644
--- a/mdop/appv-v4/about-using-the-sequencer-command-line.md
+++ b/mdop/appv-v4/about-using-the-sequencer-command-line.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/about-virtual-environments.md b/mdop/appv-v4/about-virtual-environments.md
index 91448a0bbb..263e550a58 100644
--- a/mdop/appv-v4/about-virtual-environments.md
+++ b/mdop/appv-v4/about-virtual-environments.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/add-app.md b/mdop/appv-v4/add-app.md
index 56e1ff83ee..be8e8866ee 100644
--- a/mdop/appv-v4/add-app.md
+++ b/mdop/appv-v4/add-app.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/add-package.md b/mdop/appv-v4/add-package.md
index 58a1f87769..80ed132da5 100644
--- a/mdop/appv-v4/add-package.md
+++ b/mdop/appv-v4/add-package.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/add-server.md b/mdop/appv-v4/add-server.md
index 3db501a538..546c6c2e3a 100644
--- a/mdop/appv-v4/add-server.md
+++ b/mdop/appv-v4/add-server.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/add-type.md b/mdop/appv-v4/add-type.md
index 804035833e..cfcbb9e6fb 100644
--- a/mdop/appv-v4/add-type.md
+++ b/mdop/appv-v4/add-type.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/administrators-node.md b/mdop/appv-v4/administrators-node.md
index 4c36416137..633c1da358 100644
--- a/mdop/appv-v4/administrators-node.md
+++ b/mdop/appv-v4/administrators-node.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/administrators-results-pane-columns.md b/mdop/appv-v4/administrators-results-pane-columns.md
index 7a62f2ddf6..57de6d3cde 100644
--- a/mdop/appv-v4/administrators-results-pane-columns.md
+++ b/mdop/appv-v4/administrators-results-pane-columns.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/administrators-results-pane.md b/mdop/appv-v4/administrators-results-pane.md
index 8432b0e579..88516a4348 100644
--- a/mdop/appv-v4/administrators-results-pane.md
+++ b/mdop/appv-v4/administrators-results-pane.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/antivirus-running-dialog-box--app-v-46-sp1-.md b/mdop/appv-v4/antivirus-running-dialog-box--app-v-46-sp1-.md
index 055f74d65d..4eec31af83 100644
--- a/mdop/appv-v4/antivirus-running-dialog-box--app-v-46-sp1-.md
+++ b/mdop/appv-v4/antivirus-running-dialog-box--app-v-46-sp1-.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/app-v-45-sp2-release-notes.md b/mdop/appv-v4/app-v-45-sp2-release-notes.md
index dc5d8fafe0..ab0e856ca4 100644
--- a/mdop/appv-v4/app-v-45-sp2-release-notes.md
+++ b/mdop/appv-v4/app-v-45-sp2-release-notes.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
@@ -73,11 +73,11 @@ When this has been completed, install the App-V 4.5 SP2 Clients by using Setup.m
When installing Microsoft Application Error Reporting, use the following command if you are installing or upgrading to the App-V 4.5 SP2 Desktop Client:
-** msiexec /i dw20shared.msi APPGUID={C6FC75B9-7D86-4C44-8BDB-EAFE1F0E200D} allusers=1 reboot=suppress REINSTALL=all REINSTALLMODE=vomus**
+**msiexec /i dw20shared.msi APPGUID={C6FC75B9-7D86-4C44-8BDB-EAFE1F0E200D} allusers=1 reboot=suppress REINSTALL=all REINSTALLMODE=vomus**
Alternatively, if you are installing or upgrading to the App-V 4.5 SP2 Client for Remote Desktop Services (formerly Terminal Services), use the following command:
-** msiexec /i dw20shared.msi APPGUID={ECF80BBA-CA07-4A74-9ED6-E064F38AF1F5} allusers=1 reboot=suppress REINSTALL=all REINSTALLMODE=vomus**
+**msiexec /i dw20shared.msi APPGUID={ECF80BBA-CA07-4A74-9ED6-E064F38AF1F5} allusers=1 reboot=suppress REINSTALL=all REINSTALLMODE=vomus**
**Note**
- The APPGUID parameter references the product code of the App-V Clients that you install or upgrade. The product code is unique for each Setup.msi. You can use the Orca Database Editor or a similar tool to examine Windows Installer files and determine the product code. This step is required for all installations or upgrades to App-V 4.5 SP2.
diff --git a/mdop/appv-v4/app-v-46-release-notes.md b/mdop/appv-v4/app-v-46-release-notes.md
index efa16e1ff9..08a8ca5d64 100644
--- a/mdop/appv-v4/app-v-46-release-notes.md
+++ b/mdop/appv-v4/app-v-46-release-notes.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/appv-v4/app-v-46-sp1-release-notes.md b/mdop/appv-v4/app-v-46-sp1-release-notes.md
index 09ea6abd40..dd7fa73a1b 100644
--- a/mdop/appv-v4/app-v-46-sp1-release-notes.md
+++ b/mdop/appv-v4/app-v-46-sp1-release-notes.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/appv-v4/app-v-46-sp2-release-notes.md b/mdop/appv-v4/app-v-46-sp2-release-notes.md
index 9da44bdde6..227967a34a 100644
--- a/mdop/appv-v4/app-v-46-sp2-release-notes.md
+++ b/mdop/appv-v4/app-v-46-sp2-release-notes.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/appv-v4/app-v-46-sp3-release-notes.md b/mdop/appv-v4/app-v-46-sp3-release-notes.md
index 7dc2b557c3..d62afda16b 100644
--- a/mdop/appv-v4/app-v-46-sp3-release-notes.md
+++ b/mdop/appv-v4/app-v-46-sp3-release-notes.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/appv-v4/app-v-application-wmi-class.md b/mdop/appv-v4/app-v-application-wmi-class.md
index 7aae865573..3567a8da0e 100644
--- a/mdop/appv-v4/app-v-application-wmi-class.md
+++ b/mdop/appv-v4/app-v-application-wmi-class.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/app-v-client-registry-values-sp1.md b/mdop/appv-v4/app-v-client-registry-values-sp1.md
index 59e5ac9ae5..5edc5870e2 100644
--- a/mdop/appv-v4/app-v-client-registry-values-sp1.md
+++ b/mdop/appv-v4/app-v-client-registry-values-sp1.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/appv-v4/app-v-desktop-client-security.md b/mdop/appv-v4/app-v-desktop-client-security.md
index 8b1261715e..2bf8723032 100644
--- a/mdop/appv-v4/app-v-desktop-client-security.md
+++ b/mdop/appv-v4/app-v-desktop-client-security.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/appv-v4/app-v-installation-checklist.md b/mdop/appv-v4/app-v-installation-checklist.md
index 4b2e5c573d..68208f051d 100644
--- a/mdop/appv-v4/app-v-installation-checklist.md
+++ b/mdop/appv-v4/app-v-installation-checklist.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/app-v-interoperability-with-windows-applocker.md b/mdop/appv-v4/app-v-interoperability-with-windows-applocker.md
index be861b5d2c..b4fc7f6ba0 100644
--- a/mdop/appv-v4/app-v-interoperability-with-windows-applocker.md
+++ b/mdop/appv-v4/app-v-interoperability-with-windows-applocker.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/appv-v4/app-v-package-wmi-class.md b/mdop/appv-v4/app-v-package-wmi-class.md
index bd91ad1751..f9efeee4ce 100644
--- a/mdop/appv-v4/app-v-package-wmi-class.md
+++ b/mdop/appv-v4/app-v-package-wmi-class.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/app-v-postinstallation-checklist.md b/mdop/appv-v4/app-v-postinstallation-checklist.md
index 87b30551fd..814811b75f 100644
--- a/mdop/appv-v4/app-v-postinstallation-checklist.md
+++ b/mdop/appv-v4/app-v-postinstallation-checklist.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/app-v-pre-installation-checklist.md b/mdop/appv-v4/app-v-pre-installation-checklist.md
index c426c83566..4de02e6032 100644
--- a/mdop/appv-v4/app-v-pre-installation-checklist.md
+++ b/mdop/appv-v4/app-v-pre-installation-checklist.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/appv-v4/app-v-upgrade-checklist.md b/mdop/appv-v4/app-v-upgrade-checklist.md
index fcabc76d01..942fa32de6 100644
--- a/mdop/appv-v4/app-v-upgrade-checklist.md
+++ b/mdop/appv-v4/app-v-upgrade-checklist.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/appv-v4/application-utilization-reportserver.md b/mdop/appv-v4/application-utilization-reportserver.md
index 29301ef748..78ed55aaad 100644
--- a/mdop/appv-v4/application-utilization-reportserver.md
+++ b/mdop/appv-v4/application-utilization-reportserver.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/application-virtualization-client-hardware-and-software-requirements.md b/mdop/appv-v4/application-virtualization-client-hardware-and-software-requirements.md
index fbeb7f66e6..e7bf14bd06 100644
--- a/mdop/appv-v4/application-virtualization-client-hardware-and-software-requirements.md
+++ b/mdop/appv-v4/application-virtualization-client-hardware-and-software-requirements.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/appv-v4/application-virtualization-client-installer-command-line-parameters.md b/mdop/appv-v4/application-virtualization-client-installer-command-line-parameters.md
index 5934984a4d..2f13cd29a0 100644
--- a/mdop/appv-v4/application-virtualization-client-installer-command-line-parameters.md
+++ b/mdop/appv-v4/application-virtualization-client-installer-command-line-parameters.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/appv-v4/application-virtualization-client-management-console-overview.md b/mdop/appv-v4/application-virtualization-client-management-console-overview.md
index 314b2e91ef..1f514c7ba3 100644
--- a/mdop/appv-v4/application-virtualization-client-management-console-overview.md
+++ b/mdop/appv-v4/application-virtualization-client-management-console-overview.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/application-virtualization-client-management-console-reference.md b/mdop/appv-v4/application-virtualization-client-management-console-reference.md
index 0d705a6dbc..e13ceabe61 100644
--- a/mdop/appv-v4/application-virtualization-client-management-console-reference.md
+++ b/mdop/appv-v4/application-virtualization-client-management-console-reference.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/application-virtualization-client-management-console-roadmap.md b/mdop/appv-v4/application-virtualization-client-management-console-roadmap.md
index c00f5ef58d..a65de90286 100644
--- a/mdop/appv-v4/application-virtualization-client-management-console-roadmap.md
+++ b/mdop/appv-v4/application-virtualization-client-management-console-roadmap.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/application-virtualization-client-management-console.md b/mdop/appv-v4/application-virtualization-client-management-console.md
index 703e1fcab3..e8e5980d13 100644
--- a/mdop/appv-v4/application-virtualization-client-management-console.md
+++ b/mdop/appv-v4/application-virtualization-client-management-console.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/application-virtualization-client-reference.md b/mdop/appv-v4/application-virtualization-client-reference.md
index 2363a32ee3..bc3dbef0d8 100644
--- a/mdop/appv-v4/application-virtualization-client-reference.md
+++ b/mdop/appv-v4/application-virtualization-client-reference.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/application-virtualization-client-wmi-provider.md b/mdop/appv-v4/application-virtualization-client-wmi-provider.md
index 39b1ebb2ed..dd3b3f8eae 100644
--- a/mdop/appv-v4/application-virtualization-client-wmi-provider.md
+++ b/mdop/appv-v4/application-virtualization-client-wmi-provider.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/application-virtualization-client.md b/mdop/appv-v4/application-virtualization-client.md
index 1756d814d7..819dd8bed1 100644
--- a/mdop/appv-v4/application-virtualization-client.md
+++ b/mdop/appv-v4/application-virtualization-client.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/application-virtualization-deployment-and-upgrade-checklists.md b/mdop/appv-v4/application-virtualization-deployment-and-upgrade-checklists.md
index ae15062828..4bd4d4fe49 100644
--- a/mdop/appv-v4/application-virtualization-deployment-and-upgrade-checklists.md
+++ b/mdop/appv-v4/application-virtualization-deployment-and-upgrade-checklists.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/application-virtualization-deployment-and-upgrade-considerations-copy.md b/mdop/appv-v4/application-virtualization-deployment-and-upgrade-considerations-copy.md
index c7c5b57205..d71379b47f 100644
--- a/mdop/appv-v4/application-virtualization-deployment-and-upgrade-considerations-copy.md
+++ b/mdop/appv-v4/application-virtualization-deployment-and-upgrade-considerations-copy.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/application-virtualization-deployment-and-upgrade-considerations.md b/mdop/appv-v4/application-virtualization-deployment-and-upgrade-considerations.md
index 7e6e309b9b..c09ced741d 100644
--- a/mdop/appv-v4/application-virtualization-deployment-and-upgrade-considerations.md
+++ b/mdop/appv-v4/application-virtualization-deployment-and-upgrade-considerations.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/application-virtualization-deployment-requirements.md b/mdop/appv-v4/application-virtualization-deployment-requirements.md
index 2d00a73d21..9baee67d59 100644
--- a/mdop/appv-v4/application-virtualization-deployment-requirements.md
+++ b/mdop/appv-v4/application-virtualization-deployment-requirements.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/application-virtualization-glossary.md b/mdop/appv-v4/application-virtualization-glossary.md
index 441bff3d5d..3669509527 100644
--- a/mdop/appv-v4/application-virtualization-glossary.md
+++ b/mdop/appv-v4/application-virtualization-glossary.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/application-virtualization-properties-connectivity-tab.md b/mdop/appv-v4/application-virtualization-properties-connectivity-tab.md
index c459939b7c..9b480ae5f3 100644
--- a/mdop/appv-v4/application-virtualization-properties-connectivity-tab.md
+++ b/mdop/appv-v4/application-virtualization-properties-connectivity-tab.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/application-virtualization-properties-file-system-tab.md b/mdop/appv-v4/application-virtualization-properties-file-system-tab.md
index 2a116d4707..fe4acb134a 100644
--- a/mdop/appv-v4/application-virtualization-properties-file-system-tab.md
+++ b/mdop/appv-v4/application-virtualization-properties-file-system-tab.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/application-virtualization-properties-general-tab.md b/mdop/appv-v4/application-virtualization-properties-general-tab.md
index 31bfb94c4b..375209e344 100644
--- a/mdop/appv-v4/application-virtualization-properties-general-tab.md
+++ b/mdop/appv-v4/application-virtualization-properties-general-tab.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/application-virtualization-properties-import-search-path-tab.md b/mdop/appv-v4/application-virtualization-properties-import-search-path-tab.md
index 87085b92cf..ada91ffa6f 100644
--- a/mdop/appv-v4/application-virtualization-properties-import-search-path-tab.md
+++ b/mdop/appv-v4/application-virtualization-properties-import-search-path-tab.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/application-virtualization-properties-interface-tab.md b/mdop/appv-v4/application-virtualization-properties-interface-tab.md
index 558c483a39..fedbe93af5 100644
--- a/mdop/appv-v4/application-virtualization-properties-interface-tab.md
+++ b/mdop/appv-v4/application-virtualization-properties-interface-tab.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/application-virtualization-properties-permissions-tab.md b/mdop/appv-v4/application-virtualization-properties-permissions-tab.md
index b80b1b8d6a..b830275c12 100644
--- a/mdop/appv-v4/application-virtualization-properties-permissions-tab.md
+++ b/mdop/appv-v4/application-virtualization-properties-permissions-tab.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/application-virtualization-reference.md b/mdop/appv-v4/application-virtualization-reference.md
index 974d97b6f6..11b374d4e3 100644
--- a/mdop/appv-v4/application-virtualization-reference.md
+++ b/mdop/appv-v4/application-virtualization-reference.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/application-virtualization-report-types.md b/mdop/appv-v4/application-virtualization-report-types.md
index 6ea5f2c5b6..3e81bdd8f6 100644
--- a/mdop/appv-v4/application-virtualization-report-types.md
+++ b/mdop/appv-v4/application-virtualization-report-types.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/application-virtualization-sequencer-command-line.md b/mdop/appv-v4/application-virtualization-sequencer-command-line.md
index a8be9c0b31..abbc660844 100644
--- a/mdop/appv-v4/application-virtualization-sequencer-command-line.md
+++ b/mdop/appv-v4/application-virtualization-sequencer-command-line.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/application-virtualization-sequencer-console-overview.md b/mdop/appv-v4/application-virtualization-sequencer-console-overview.md
index cb4b33d294..1669e0fe12 100644
--- a/mdop/appv-v4/application-virtualization-sequencer-console-overview.md
+++ b/mdop/appv-v4/application-virtualization-sequencer-console-overview.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/application-virtualization-sequencer-hardware-and-software-requirements.md b/mdop/appv-v4/application-virtualization-sequencer-hardware-and-software-requirements.md
index 22cdebc6e0..cc7fa3c205 100644
--- a/mdop/appv-v4/application-virtualization-sequencer-hardware-and-software-requirements.md
+++ b/mdop/appv-v4/application-virtualization-sequencer-hardware-and-software-requirements.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/application-virtualization-sequencer-online-help.md b/mdop/appv-v4/application-virtualization-sequencer-online-help.md
index ca78682274..3164dedaf1 100644
--- a/mdop/appv-v4/application-virtualization-sequencer-online-help.md
+++ b/mdop/appv-v4/application-virtualization-sequencer-online-help.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/application-virtualization-sequencer-options-dialog-box.md b/mdop/appv-v4/application-virtualization-sequencer-options-dialog-box.md
index 99a1ab2bb0..894504a132 100644
--- a/mdop/appv-v4/application-virtualization-sequencer-options-dialog-box.md
+++ b/mdop/appv-v4/application-virtualization-sequencer-options-dialog-box.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/application-virtualization-sequencer-overview.md b/mdop/appv-v4/application-virtualization-sequencer-overview.md
index 3c9e44e3ab..efe77f6f0e 100644
--- a/mdop/appv-v4/application-virtualization-sequencer-overview.md
+++ b/mdop/appv-v4/application-virtualization-sequencer-overview.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/application-virtualization-sequencer-reference.md b/mdop/appv-v4/application-virtualization-sequencer-reference.md
index e68f8bfb5c..69240cc62a 100644
--- a/mdop/appv-v4/application-virtualization-sequencer-reference.md
+++ b/mdop/appv-v4/application-virtualization-sequencer-reference.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/application-virtualization-sequencer-technical-reference-keep.md b/mdop/appv-v4/application-virtualization-sequencer-technical-reference-keep.md
index 75d1b5f1a4..36c372bd1c 100644
--- a/mdop/appv-v4/application-virtualization-sequencer-technical-reference-keep.md
+++ b/mdop/appv-v4/application-virtualization-sequencer-technical-reference-keep.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/application-virtualization-sequencer.md b/mdop/appv-v4/application-virtualization-sequencer.md
index 7ba4e42e1c..3f31f87b42 100644
--- a/mdop/appv-v4/application-virtualization-sequencer.md
+++ b/mdop/appv-v4/application-virtualization-sequencer.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/application-virtualization-sequencing-wizard-add-application-dialog-box.md b/mdop/appv-v4/application-virtualization-sequencing-wizard-add-application-dialog-box.md
index 19fe7b1ff4..e3b9b48948 100644
--- a/mdop/appv-v4/application-virtualization-sequencing-wizard-add-application-dialog-box.md
+++ b/mdop/appv-v4/application-virtualization-sequencing-wizard-add-application-dialog-box.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/application-virtualization-sequencing-wizard-add-file-type-association-dialog-box.md b/mdop/appv-v4/application-virtualization-sequencing-wizard-add-file-type-association-dialog-box.md
index 6b96b69061..7d58727b72 100644
--- a/mdop/appv-v4/application-virtualization-sequencing-wizard-add-file-type-association-dialog-box.md
+++ b/mdop/appv-v4/application-virtualization-sequencing-wizard-add-file-type-association-dialog-box.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/application-virtualization-sequencing-wizard-add-files-to-virtual-file-system-page.md b/mdop/appv-v4/application-virtualization-sequencing-wizard-add-files-to-virtual-file-system-page.md
index a987309e5f..1a7aceec55 100644
--- a/mdop/appv-v4/application-virtualization-sequencing-wizard-add-files-to-virtual-file-system-page.md
+++ b/mdop/appv-v4/application-virtualization-sequencing-wizard-add-files-to-virtual-file-system-page.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/application-virtualization-sequencing-wizard-advanced-options-page.md b/mdop/appv-v4/application-virtualization-sequencing-wizard-advanced-options-page.md
index bea986ef57..c195624f90 100644
--- a/mdop/appv-v4/application-virtualization-sequencing-wizard-advanced-options-page.md
+++ b/mdop/appv-v4/application-virtualization-sequencing-wizard-advanced-options-page.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/application-virtualization-sequencing-wizard-configure-application-page-keep.md b/mdop/appv-v4/application-virtualization-sequencing-wizard-configure-application-page-keep.md
index fde9035b02..0fa1b9ca03 100644
--- a/mdop/appv-v4/application-virtualization-sequencing-wizard-configure-application-page-keep.md
+++ b/mdop/appv-v4/application-virtualization-sequencing-wizard-configure-application-page-keep.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/application-virtualization-sequencing-wizard-launch-applications-page.md b/mdop/appv-v4/application-virtualization-sequencing-wizard-launch-applications-page.md
index fbbb325980..995ae0facc 100644
--- a/mdop/appv-v4/application-virtualization-sequencing-wizard-launch-applications-page.md
+++ b/mdop/appv-v4/application-virtualization-sequencing-wizard-launch-applications-page.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/application-virtualization-sequencing-wizard-monitor-installation-page.md b/mdop/appv-v4/application-virtualization-sequencing-wizard-monitor-installation-page.md
index cab2f6fa85..8f834f6d26 100644
--- a/mdop/appv-v4/application-virtualization-sequencing-wizard-monitor-installation-page.md
+++ b/mdop/appv-v4/application-virtualization-sequencing-wizard-monitor-installation-page.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/application-virtualization-sequencing-wizard-package-information-page-keep.md b/mdop/appv-v4/application-virtualization-sequencing-wizard-package-information-page-keep.md
index 3cefd2e341..996fff81b1 100644
--- a/mdop/appv-v4/application-virtualization-sequencing-wizard-package-information-page-keep.md
+++ b/mdop/appv-v4/application-virtualization-sequencing-wizard-package-information-page-keep.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/application-virtualization-sequencing-wizard-sequence-package-page.md b/mdop/appv-v4/application-virtualization-sequencing-wizard-sequence-package-page.md
index e27772099e..6a9437812a 100644
--- a/mdop/appv-v4/application-virtualization-sequencing-wizard-sequence-package-page.md
+++ b/mdop/appv-v4/application-virtualization-sequencing-wizard-sequence-package-page.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/application-virtualization-sequencing-wizard-shortcut-locations-dialog-box.md b/mdop/appv-v4/application-virtualization-sequencing-wizard-shortcut-locations-dialog-box.md
index ac297b38e4..87689f417f 100644
--- a/mdop/appv-v4/application-virtualization-sequencing-wizard-shortcut-locations-dialog-box.md
+++ b/mdop/appv-v4/application-virtualization-sequencing-wizard-shortcut-locations-dialog-box.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/application-virtualization-server-based-scenario-overview.md b/mdop/appv-v4/application-virtualization-server-based-scenario-overview.md
index fd47fcd34c..8a53cc64f2 100644
--- a/mdop/appv-v4/application-virtualization-server-based-scenario-overview.md
+++ b/mdop/appv-v4/application-virtualization-server-based-scenario-overview.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
@@ -19,7 +19,7 @@ ms.date: 06/16/2016
If you plan to use a server-based deployment scenario for your Microsoft Application Virtualization environment, it is important to understand the differences between the *Application Virtualization Management Server* and the *Application Virtualization Streaming Server*. This topic describes those differences and also provides information about package delivery methods, transmission protocols, and external components that you will need to consider as you proceed with your deployment.
-## Application Virtualization Management Server
+## Application Virtualization Management Server
The Application Virtualization Management Server performs both the publishing function and the streaming function. The server publishes application icons, shortcuts, and file type associations to the App-V clients for authorized users. When user requests for applications are received the server streams that data on-demand to authorized users using RTSP or RTSPS protocols. In most configurations using this server, one or more Management Servers share a common data store for configuration and package information.
@@ -28,7 +28,7 @@ The Application Virtualization Management Servers use Active Directory groups to
Because the Application Virtualization Management Servers stream applications to end-users on demand, these servers are ideally suited for system configurations that have reliable, high-bandwidth LANs.
-## Application Virtualization Streaming Server
+## Application Virtualization Streaming Server
The Application Virtualization Streaming Server delivers the same streaming and package upgrade capabilities provided by the Management Server, but without its Active Directory or SQL Server requirements. However, the Streaming Server does not have a publishing service, nor does it have licensing or metering capabilities. The publishing service of a separate App-V Management Server is used in conjunction with the App-V Streaming Server. The App-V Streaming Server addresses the needs of businesses that want to use Application Virtualization in multiple locations with the streaming capabilities of the classic server configuration but might not have the infrastructure to support App-V Management Servers in every location.
diff --git a/mdop/appv-v4/application-virtualization-server-based-scenario.md b/mdop/appv-v4/application-virtualization-server-based-scenario.md
index e572a24620..84336dad16 100644
--- a/mdop/appv-v4/application-virtualization-server-based-scenario.md
+++ b/mdop/appv-v4/application-virtualization-server-based-scenario.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/application-virtualization-server-management-console-reference.md b/mdop/appv-v4/application-virtualization-server-management-console-reference.md
index 24e202d492..c36cd7f3fd 100644
--- a/mdop/appv-v4/application-virtualization-server-management-console-reference.md
+++ b/mdop/appv-v4/application-virtualization-server-management-console-reference.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/application-virtualization-server-management-help.md b/mdop/appv-v4/application-virtualization-server-management-help.md
index eebfea01e7..7ae7b3aab4 100644
--- a/mdop/appv-v4/application-virtualization-server-management-help.md
+++ b/mdop/appv-v4/application-virtualization-server-management-help.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/application-virtualization-server.md b/mdop/appv-v4/application-virtualization-server.md
index 088cca81ff..db3ac34238 100644
--- a/mdop/appv-v4/application-virtualization-server.md
+++ b/mdop/appv-v4/application-virtualization-server.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/application-virtualization-system-requirements.md b/mdop/appv-v4/application-virtualization-system-requirements.md
index 0688d51f04..d912bfff73 100644
--- a/mdop/appv-v4/application-virtualization-system-requirements.md
+++ b/mdop/appv-v4/application-virtualization-system-requirements.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/application-virtualization-technical-publications-white-papers.md b/mdop/appv-v4/application-virtualization-technical-publications-white-papers.md
index 0e6f43502d..3420240770 100644
--- a/mdop/appv-v4/application-virtualization-technical-publications-white-papers.md
+++ b/mdop/appv-v4/application-virtualization-technical-publications-white-papers.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/applications-licenses-node.md b/mdop/appv-v4/applications-licenses-node.md
index e41472ad97..3bc727a6b1 100644
--- a/mdop/appv-v4/applications-licenses-node.md
+++ b/mdop/appv-v4/applications-licenses-node.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/applications-licenses-results-pane-columns.md b/mdop/appv-v4/applications-licenses-results-pane-columns.md
index db5a7c01f6..9fe5dbaaf8 100644
--- a/mdop/appv-v4/applications-licenses-results-pane-columns.md
+++ b/mdop/appv-v4/applications-licenses-results-pane-columns.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/applications-licenses-results-pane.md b/mdop/appv-v4/applications-licenses-results-pane.md
index 8ef30047ea..3339644301 100644
--- a/mdop/appv-v4/applications-licenses-results-pane.md
+++ b/mdop/appv-v4/applications-licenses-results-pane.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/applications-node-in-server-management-console.md b/mdop/appv-v4/applications-node-in-server-management-console.md
index 69d90c8bdb..0dd4066e35 100644
--- a/mdop/appv-v4/applications-node-in-server-management-console.md
+++ b/mdop/appv-v4/applications-node-in-server-management-console.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/applications-node.md b/mdop/appv-v4/applications-node.md
index 872ead9d24..760ebc733a 100644
--- a/mdop/appv-v4/applications-node.md
+++ b/mdop/appv-v4/applications-node.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/applications-results-pane-columns-in-server-management-console.md b/mdop/appv-v4/applications-results-pane-columns-in-server-management-console.md
index f39b06792c..55a7172da2 100644
--- a/mdop/appv-v4/applications-results-pane-columns-in-server-management-console.md
+++ b/mdop/appv-v4/applications-results-pane-columns-in-server-management-console.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/applications-results-pane-columns.md b/mdop/appv-v4/applications-results-pane-columns.md
index 763e99c393..c7c7c41ec3 100644
--- a/mdop/appv-v4/applications-results-pane-columns.md
+++ b/mdop/appv-v4/applications-results-pane-columns.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/applications-results-pane-in-server-management-console.md b/mdop/appv-v4/applications-results-pane-in-server-management-console.md
index bd376a200e..ea36979d73 100644
--- a/mdop/appv-v4/applications-results-pane-in-server-management-console.md
+++ b/mdop/appv-v4/applications-results-pane-in-server-management-console.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/applications-results-pane.md b/mdop/appv-v4/applications-results-pane.md
index 22f28cbc17..ad52fe65d1 100644
--- a/mdop/appv-v4/applications-results-pane.md
+++ b/mdop/appv-v4/applications-results-pane.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/best-practices-for-the-application-virtualization-sequencer-sp1.md b/mdop/appv-v4/best-practices-for-the-application-virtualization-sequencer-sp1.md
index 98700d6626..8ac9a89ec9 100644
--- a/mdop/appv-v4/best-practices-for-the-application-virtualization-sequencer-sp1.md
+++ b/mdop/appv-v4/best-practices-for-the-application-virtualization-sequencer-sp1.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/change-history-tab-keep.md b/mdop/appv-v4/change-history-tab-keep.md
index 4347604ec5..7de068d479 100644
--- a/mdop/appv-v4/change-history-tab-keep.md
+++ b/mdop/appv-v4/change-history-tab-keep.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/clear-app.md b/mdop/appv-v4/clear-app.md
index c2d2aabe62..ce8c9d4c5f 100644
--- a/mdop/appv-v4/clear-app.md
+++ b/mdop/appv-v4/clear-app.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/clear-obj.md b/mdop/appv-v4/clear-obj.md
index d3ca15bcc0..33dfd04705 100644
--- a/mdop/appv-v4/clear-obj.md
+++ b/mdop/appv-v4/clear-obj.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/client-management-console-about-dialog-boxes.md b/mdop/appv-v4/client-management-console-about-dialog-boxes.md
index 97a9f99b1d..67b7ff9eaa 100644
--- a/mdop/appv-v4/client-management-console-about-dialog-boxes.md
+++ b/mdop/appv-v4/client-management-console-about-dialog-boxes.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/client-management-console-application-virtualization-node.md b/mdop/appv-v4/client-management-console-application-virtualization-node.md
index 5f7297aa42..9ea64120a9 100644
--- a/mdop/appv-v4/client-management-console-application-virtualization-node.md
+++ b/mdop/appv-v4/client-management-console-application-virtualization-node.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/client-management-console-application-virtualization-properties.md b/mdop/appv-v4/client-management-console-application-virtualization-properties.md
index 5da7bbfacd..85513a0959 100644
--- a/mdop/appv-v4/client-management-console-application-virtualization-properties.md
+++ b/mdop/appv-v4/client-management-console-application-virtualization-properties.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/client-management-console-applications-node.md b/mdop/appv-v4/client-management-console-applications-node.md
index 586ba675da..6661141ad2 100644
--- a/mdop/appv-v4/client-management-console-applications-node.md
+++ b/mdop/appv-v4/client-management-console-applications-node.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/client-management-console-file-type-associations-node.md b/mdop/appv-v4/client-management-console-file-type-associations-node.md
index f30e504b85..f0c5570f3c 100644
--- a/mdop/appv-v4/client-management-console-file-type-associations-node.md
+++ b/mdop/appv-v4/client-management-console-file-type-associations-node.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/client-management-console-publishing-servers-node.md b/mdop/appv-v4/client-management-console-publishing-servers-node.md
index 304a71be0d..f863e5d717 100644
--- a/mdop/appv-v4/client-management-console-publishing-servers-node.md
+++ b/mdop/appv-v4/client-management-console-publishing-servers-node.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/command-line-errors.md b/mdop/appv-v4/command-line-errors.md
index 4acd9ab657..3da8e0d9f9 100644
--- a/mdop/appv-v4/command-line-errors.md
+++ b/mdop/appv-v4/command-line-errors.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/command-line-parameters.md b/mdop/appv-v4/command-line-parameters.md
index b404816379..2c67aced2f 100644
--- a/mdop/appv-v4/command-line-parameters.md
+++ b/mdop/appv-v4/command-line-parameters.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/completion-page-package-accelerator.md b/mdop/appv-v4/completion-page-package-accelerator.md
index 27a3c7d86a..7542c71906 100644
--- a/mdop/appv-v4/completion-page-package-accelerator.md
+++ b/mdop/appv-v4/completion-page-package-accelerator.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/completion-page.md b/mdop/appv-v4/completion-page.md
index 185a46fbcb..c733a56d5d 100644
--- a/mdop/appv-v4/completion-page.md
+++ b/mdop/appv-v4/completion-page.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/configure-app.md b/mdop/appv-v4/configure-app.md
index b79e177839..407824e6a0 100644
--- a/mdop/appv-v4/configure-app.md
+++ b/mdop/appv-v4/configure-app.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/configure-package.md b/mdop/appv-v4/configure-package.md
index 140a076da1..2bccdbf61d 100644
--- a/mdop/appv-v4/configure-package.md
+++ b/mdop/appv-v4/configure-package.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/configure-server.md b/mdop/appv-v4/configure-server.md
index 80234b1cb8..ed7f5ca4d8 100644
--- a/mdop/appv-v4/configure-server.md
+++ b/mdop/appv-v4/configure-server.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/configure-software-page--learn-more-.md b/mdop/appv-v4/configure-software-page--learn-more-.md
index af0b0a1d3a..87abcb67dd 100644
--- a/mdop/appv-v4/configure-software-page--learn-more-.md
+++ b/mdop/appv-v4/configure-software-page--learn-more-.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/configure-software-page-app-v-46-sp1.md b/mdop/appv-v4/configure-software-page-app-v-46-sp1.md
index a34c98a052..7d201afb8d 100644
--- a/mdop/appv-v4/configure-software-page-app-v-46-sp1.md
+++ b/mdop/appv-v4/configure-software-page-app-v-46-sp1.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/configure-type.md b/mdop/appv-v4/configure-type.md
index e835038f35..42307e58cb 100644
--- a/mdop/appv-v4/configure-type.md
+++ b/mdop/appv-v4/configure-type.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/configuring-app-v-administration-for-a-distributed-environment.md b/mdop/appv-v4/configuring-app-v-administration-for-a-distributed-environment.md
index 13366bf24f..1fe3f100c5 100644
--- a/mdop/appv-v4/configuring-app-v-administration-for-a-distributed-environment.md
+++ b/mdop/appv-v4/configuring-app-v-administration-for-a-distributed-environment.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/appv-v4/configuring-app-v-for-secure-administration.md b/mdop/appv-v4/configuring-app-v-for-secure-administration.md
index c7cba41d0a..a71fffa3c7 100644
--- a/mdop/appv-v4/configuring-app-v-for-secure-administration.md
+++ b/mdop/appv-v4/configuring-app-v-for-secure-administration.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/configuring-certificates-to-support-app-v-management-server-or-streaming-server.md b/mdop/appv-v4/configuring-certificates-to-support-app-v-management-server-or-streaming-server.md
index 5c2c349db4..fe8ec7d8bc 100644
--- a/mdop/appv-v4/configuring-certificates-to-support-app-v-management-server-or-streaming-server.md
+++ b/mdop/appv-v4/configuring-certificates-to-support-app-v-management-server-or-streaming-server.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/appv-v4/configuring-certificates-to-support-secure-streaming.md b/mdop/appv-v4/configuring-certificates-to-support-secure-streaming.md
index 2a4167506b..86f2485e5c 100644
--- a/mdop/appv-v4/configuring-certificates-to-support-secure-streaming.md
+++ b/mdop/appv-v4/configuring-certificates-to-support-secure-streaming.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/appv-v4/configuring-certificates-to-support-the-app-v-web-management-service.md b/mdop/appv-v4/configuring-certificates-to-support-the-app-v-web-management-service.md
index 5465035643..7999d55e32 100644
--- a/mdop/appv-v4/configuring-certificates-to-support-the-app-v-web-management-service.md
+++ b/mdop/appv-v4/configuring-certificates-to-support-the-app-v-web-management-service.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/appv-v4/configuring-iis-for-secure-streaming.md b/mdop/appv-v4/configuring-iis-for-secure-streaming.md
index 7257a99ab0..1e5c0be5b8 100644
--- a/mdop/appv-v4/configuring-iis-for-secure-streaming.md
+++ b/mdop/appv-v4/configuring-iis-for-secure-streaming.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/appv-v4/configuring-management-or-streaming-server-for-secure-communications-post-installation.md b/mdop/appv-v4/configuring-management-or-streaming-server-for-secure-communications-post-installation.md
index 96a4b5539a..022b096208 100644
--- a/mdop/appv-v4/configuring-management-or-streaming-server-for-secure-communications-post-installation.md
+++ b/mdop/appv-v4/configuring-management-or-streaming-server-for-secure-communications-post-installation.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/configuring-prerequisite-groups-in-active-directory-for-app-v.md b/mdop/appv-v4/configuring-prerequisite-groups-in-active-directory-for-app-v.md
index 1bd95ead94..92700f1f2a 100644
--- a/mdop/appv-v4/configuring-prerequisite-groups-in-active-directory-for-app-v.md
+++ b/mdop/appv-v4/configuring-prerequisite-groups-in-active-directory-for-app-v.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/configuring-the-application-virtualization-sequencer--app-v-46-sp1-.md b/mdop/appv-v4/configuring-the-application-virtualization-sequencer--app-v-46-sp1-.md
index edc3ef0f37..f8ec256bdd 100644
--- a/mdop/appv-v4/configuring-the-application-virtualization-sequencer--app-v-46-sp1-.md
+++ b/mdop/appv-v4/configuring-the-application-virtualization-sequencer--app-v-46-sp1-.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/configuring-the-application-virtualization-sequencer.md b/mdop/appv-v4/configuring-the-application-virtualization-sequencer.md
index d464360774..571b263abc 100644
--- a/mdop/appv-v4/configuring-the-application-virtualization-sequencer.md
+++ b/mdop/appv-v4/configuring-the-application-virtualization-sequencer.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/configuring-the-firewall-for-the-app-v-servers.md b/mdop/appv-v4/configuring-the-firewall-for-the-app-v-servers.md
index e30320dafe..688c137ae2 100644
--- a/mdop/appv-v4/configuring-the-firewall-for-the-app-v-servers.md
+++ b/mdop/appv-v4/configuring-the-firewall-for-the-app-v-servers.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/configuring-windows-firewall-for-app-v.md b/mdop/appv-v4/configuring-windows-firewall-for-app-v.md
index 73934119ca..f97d412295 100644
--- a/mdop/appv-v4/configuring-windows-firewall-for-app-v.md
+++ b/mdop/appv-v4/configuring-windows-firewall-for-app-v.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/create-new-package-wizard---appv-46-sp1-.md b/mdop/appv-v4/create-new-package-wizard---appv-46-sp1-.md
index fc96660a9f..11cb5f957c 100644
--- a/mdop/appv-v4/create-new-package-wizard---appv-46-sp1-.md
+++ b/mdop/appv-v4/create-new-package-wizard---appv-46-sp1-.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/create-package-accelerator--review-errors--page.md b/mdop/appv-v4/create-package-accelerator--review-errors--page.md
index 8d75ae4c4d..63cdf9f7e1 100644
--- a/mdop/appv-v4/create-package-accelerator--review-errors--page.md
+++ b/mdop/appv-v4/create-package-accelerator--review-errors--page.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/create-package-accelerator-page.md b/mdop/appv-v4/create-package-accelerator-page.md
index 375a138612..2d86172bf5 100644
--- a/mdop/appv-v4/create-package-accelerator-page.md
+++ b/mdop/appv-v4/create-package-accelerator-page.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/create-package-accelerator-wizard--appv-46-sp1-.md b/mdop/appv-v4/create-package-accelerator-wizard--appv-46-sp1-.md
index 71a197fc05..65aba0176a 100644
--- a/mdop/appv-v4/create-package-accelerator-wizard--appv-46-sp1-.md
+++ b/mdop/appv-v4/create-package-accelerator-wizard--appv-46-sp1-.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/create-package-page--app-v-46-sp1.md b/mdop/appv-v4/create-package-page--app-v-46-sp1.md
index 11e4b06c98..cfd5f7b2fc 100644
--- a/mdop/appv-v4/create-package-page--app-v-46-sp1.md
+++ b/mdop/appv-v4/create-package-page--app-v-46-sp1.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/customize-page--learn-more-.md b/mdop/appv-v4/customize-page--learn-more-.md
index 6a0e3c74c1..0bed35f090 100644
--- a/mdop/appv-v4/customize-page--learn-more-.md
+++ b/mdop/appv-v4/customize-page--learn-more-.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/defender-running-dialog-box--app-v-46-sp1-.md b/mdop/appv-v4/defender-running-dialog-box--app-v-46-sp1-.md
index e4c834e85d..a4d6ce5126 100644
--- a/mdop/appv-v4/defender-running-dialog-box--app-v-46-sp1-.md
+++ b/mdop/appv-v4/defender-running-dialog-box--app-v-46-sp1-.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/defrag-running-dialog-box--app-v-46-sp1-.md b/mdop/appv-v4/defrag-running-dialog-box--app-v-46-sp1-.md
index 07fbba35bd..0fc1fd41be 100644
--- a/mdop/appv-v4/defrag-running-dialog-box--app-v-46-sp1-.md
+++ b/mdop/appv-v4/defrag-running-dialog-box--app-v-46-sp1-.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/delete-app.md b/mdop/appv-v4/delete-app.md
index 0e41d65f85..a5a5189fe4 100644
--- a/mdop/appv-v4/delete-app.md
+++ b/mdop/appv-v4/delete-app.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/delete-obj.md b/mdop/appv-v4/delete-obj.md
index 6b5acf34df..e0e1085ae9 100644
--- a/mdop/appv-v4/delete-obj.md
+++ b/mdop/appv-v4/delete-obj.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/delete-package.md b/mdop/appv-v4/delete-package.md
index 925e63a5c9..f89b69d461 100644
--- a/mdop/appv-v4/delete-package.md
+++ b/mdop/appv-v4/delete-package.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/delete-server.md b/mdop/appv-v4/delete-server.md
index 4f021d2a66..7425b0751b 100644
--- a/mdop/appv-v4/delete-server.md
+++ b/mdop/appv-v4/delete-server.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/delete-type.md b/mdop/appv-v4/delete-type.md
index d0a905b4ee..62cbd9b1c7 100644
--- a/mdop/appv-v4/delete-type.md
+++ b/mdop/appv-v4/delete-type.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/deployment-tab.md b/mdop/appv-v4/deployment-tab.md
index d6e1eff0b6..0b872aa0ce 100644
--- a/mdop/appv-v4/deployment-tab.md
+++ b/mdop/appv-v4/deployment-tab.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/determine-your-publishing-method.md b/mdop/appv-v4/determine-your-publishing-method.md
index 1883661846..683549aa16 100644
--- a/mdop/appv-v4/determine-your-publishing-method.md
+++ b/mdop/appv-v4/determine-your-publishing-method.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/determine-your-streaming-method.md b/mdop/appv-v4/determine-your-streaming-method.md
index 290ebfd16b..eac83fa0c2 100644
--- a/mdop/appv-v4/determine-your-streaming-method.md
+++ b/mdop/appv-v4/determine-your-streaming-method.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/dialog-boxes--appv-46-sp1-.md b/mdop/appv-v4/dialog-boxes--appv-46-sp1-.md
index 9ff9753e82..a61b7c716f 100644
--- a/mdop/appv-v4/dialog-boxes--appv-46-sp1-.md
+++ b/mdop/appv-v4/dialog-boxes--appv-46-sp1-.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/disconnected-operation-mode.md b/mdop/appv-v4/disconnected-operation-mode.md
index dd0d4d4240..b123b249f9 100644
--- a/mdop/appv-v4/disconnected-operation-mode.md
+++ b/mdop/appv-v4/disconnected-operation-mode.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/domain-joined-and-non-domain-joined-clients.md b/mdop/appv-v4/domain-joined-and-non-domain-joined-clients.md
index d0ea1928a7..7abf4bd3a7 100644
--- a/mdop/appv-v4/domain-joined-and-non-domain-joined-clients.md
+++ b/mdop/appv-v4/domain-joined-and-non-domain-joined-clients.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/edit-shortcuts-learn-more.md b/mdop/appv-v4/edit-shortcuts-learn-more.md
index ace37c7243..830abacbd3 100644
--- a/mdop/appv-v4/edit-shortcuts-learn-more.md
+++ b/mdop/appv-v4/edit-shortcuts-learn-more.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/electronic-software-distribution-based-scenario-overview.md b/mdop/appv-v4/electronic-software-distribution-based-scenario-overview.md
index 51c635b149..6173dbdd7a 100644
--- a/mdop/appv-v4/electronic-software-distribution-based-scenario-overview.md
+++ b/mdop/appv-v4/electronic-software-distribution-based-scenario-overview.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/appv-v4/electronic-software-distribution-based-scenario.md b/mdop/appv-v4/electronic-software-distribution-based-scenario.md
index 2c8df5d6cd..d99c4ce90f 100644
--- a/mdop/appv-v4/electronic-software-distribution-based-scenario.md
+++ b/mdop/appv-v4/electronic-software-distribution-based-scenario.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/exclusion-item-dialog-box.md b/mdop/appv-v4/exclusion-item-dialog-box.md
index 3038ca2a54..250a430862 100644
--- a/mdop/appv-v4/exclusion-item-dialog-box.md
+++ b/mdop/appv-v4/exclusion-item-dialog-box.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/exclusion-items-tab-keep.md b/mdop/appv-v4/exclusion-items-tab-keep.md
index 03cef6b8c2..e4dcff97c2 100644
--- a/mdop/appv-v4/exclusion-items-tab-keep.md
+++ b/mdop/appv-v4/exclusion-items-tab-keep.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/failed-launch-dialog-box--app-v-46-sp1-.md b/mdop/appv-v4/failed-launch-dialog-box--app-v-46-sp1-.md
index 5e81d25347..a08aea1e5d 100644
--- a/mdop/appv-v4/failed-launch-dialog-box--app-v-46-sp1-.md
+++ b/mdop/appv-v4/failed-launch-dialog-box--app-v-46-sp1-.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/file-type-association-results-pane-columns.md b/mdop/appv-v4/file-type-association-results-pane-columns.md
index 553b985e35..1cdc78f1cc 100644
--- a/mdop/appv-v4/file-type-association-results-pane-columns.md
+++ b/mdop/appv-v4/file-type-association-results-pane-columns.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/file-type-association-results-pane.md b/mdop/appv-v4/file-type-association-results-pane.md
index c390505e3b..3b6a32eb71 100644
--- a/mdop/appv-v4/file-type-association-results-pane.md
+++ b/mdop/appv-v4/file-type-association-results-pane.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/file-type-associations-node-client.md b/mdop/appv-v4/file-type-associations-node-client.md
index eb1add60af..4182a0dbbf 100644
--- a/mdop/appv-v4/file-type-associations-node-client.md
+++ b/mdop/appv-v4/file-type-associations-node-client.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/file-type-associations-node.md b/mdop/appv-v4/file-type-associations-node.md
index a3c15d61a1..f739cf0208 100644
--- a/mdop/appv-v4/file-type-associations-node.md
+++ b/mdop/appv-v4/file-type-associations-node.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/file-type-associations-results-pane-columns.md b/mdop/appv-v4/file-type-associations-results-pane-columns.md
index 328719b89c..1458316d50 100644
--- a/mdop/appv-v4/file-type-associations-results-pane-columns.md
+++ b/mdop/appv-v4/file-type-associations-results-pane-columns.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/file-type-associations-results-pane.md b/mdop/appv-v4/file-type-associations-results-pane.md
index b92248b3ce..b1f2badd96 100644
--- a/mdop/appv-v4/file-type-associations-results-pane.md
+++ b/mdop/appv-v4/file-type-associations-results-pane.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/files-excluded-page-dialog-box--app-v-46-sp1-.md b/mdop/appv-v4/files-excluded-page-dialog-box--app-v-46-sp1-.md
index 3d67e35b05..c994c8d5e0 100644
--- a/mdop/appv-v4/files-excluded-page-dialog-box--app-v-46-sp1-.md
+++ b/mdop/appv-v4/files-excluded-page-dialog-box--app-v-46-sp1-.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/files-tab-keep.md b/mdop/appv-v4/files-tab-keep.md
index 3c616264a1..aaeebd7805 100644
--- a/mdop/appv-v4/files-tab-keep.md
+++ b/mdop/appv-v4/files-tab-keep.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/gathering-information-page--learn-more-.md b/mdop/appv-v4/gathering-information-page--learn-more-.md
index c6c6f38d8a..2fb6c6cc6f 100644
--- a/mdop/appv-v4/gathering-information-page--learn-more-.md
+++ b/mdop/appv-v4/gathering-information-page--learn-more-.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/general-tab-keep.md b/mdop/appv-v4/general-tab-keep.md
index 4df61af9be..58ae9340d1 100644
--- a/mdop/appv-v4/general-tab-keep.md
+++ b/mdop/appv-v4/general-tab-keep.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/guidance-page-app-v-46-sp1.md b/mdop/appv-v4/guidance-page-app-v-46-sp1.md
index 879ece17d3..6af524a1e1 100644
--- a/mdop/appv-v4/guidance-page-app-v-46-sp1.md
+++ b/mdop/appv-v4/guidance-page-app-v-46-sp1.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/help.md b/mdop/appv-v4/help.md
index 287e3fa741..1b14a81bf2 100644
--- a/mdop/appv-v4/help.md
+++ b/mdop/appv-v4/help.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-add-a-file-type-association.md b/mdop/appv-v4/how-to-add-a-file-type-association.md
index 046d2f8f0d..bd5e1a7cb5 100644
--- a/mdop/appv-v4/how-to-add-a-file-type-association.md
+++ b/mdop/appv-v4/how-to-add-a-file-type-association.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-add-a-package-by-using-the-command-line.md b/mdop/appv-v4/how-to-add-a-package-by-using-the-command-line.md
index 8f7b5ed7f5..6b9c002b72 100644
--- a/mdop/appv-v4/how-to-add-a-package-by-using-the-command-line.md
+++ b/mdop/appv-v4/how-to-add-a-package-by-using-the-command-line.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-add-a-package-version.md b/mdop/appv-v4/how-to-add-a-package-version.md
index b2aba5778b..6a4b7c4372 100644
--- a/mdop/appv-v4/how-to-add-a-package-version.md
+++ b/mdop/appv-v4/how-to-add-a-package-version.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-add-a-package.md b/mdop/appv-v4/how-to-add-a-package.md
index 4e55ae9e08..b9f409c2cb 100644
--- a/mdop/appv-v4/how-to-add-a-package.md
+++ b/mdop/appv-v4/how-to-add-a-package.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-add-a-server.md b/mdop/appv-v4/how-to-add-a-server.md
index 4649e67c3f..0fb467e68f 100644
--- a/mdop/appv-v4/how-to-add-a-server.md
+++ b/mdop/appv-v4/how-to-add-a-server.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-add-an-administrator-group.md b/mdop/appv-v4/how-to-add-an-administrator-group.md
index 193e0366bd..27067fbc52 100644
--- a/mdop/appv-v4/how-to-add-an-administrator-group.md
+++ b/mdop/appv-v4/how-to-add-an-administrator-group.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-add-an-application.md b/mdop/appv-v4/how-to-add-an-application.md
index 71dbe1c7f8..760c7f8540 100644
--- a/mdop/appv-v4/how-to-add-an-application.md
+++ b/mdop/appv-v4/how-to-add-an-application.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-apply-a-package-accelerator-to-create-a-virtual-application-package---app-v-46-sp1-.md b/mdop/appv-v4/how-to-apply-a-package-accelerator-to-create-a-virtual-application-package---app-v-46-sp1-.md
index c1ecf63c7e..2616fee08d 100644
--- a/mdop/appv-v4/how-to-apply-a-package-accelerator-to-create-a-virtual-application-package---app-v-46-sp1-.md
+++ b/mdop/appv-v4/how-to-apply-a-package-accelerator-to-create-a-virtual-application-package---app-v-46-sp1-.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-apply-an-app-v-project-template--app-v-46-sp1-.md b/mdop/appv-v4/how-to-apply-an-app-v-project-template--app-v-46-sp1-.md
index 4ac9accd65..ca8c706037 100644
--- a/mdop/appv-v4/how-to-apply-an-app-v-project-template--app-v-46-sp1-.md
+++ b/mdop/appv-v4/how-to-apply-an-app-v-project-template--app-v-46-sp1-.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-assign--the-proper-credentials-for-windows-vista.md b/mdop/appv-v4/how-to-assign--the-proper-credentials-for-windows-vista.md
index ae25bdef3b..f24d17b75f 100644
--- a/mdop/appv-v4/how-to-assign--the-proper-credentials-for-windows-vista.md
+++ b/mdop/appv-v4/how-to-assign--the-proper-credentials-for-windows-vista.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-assign--the-proper-credentials-for-windows-xp.md b/mdop/appv-v4/how-to-assign--the-proper-credentials-for-windows-xp.md
index 2d0a95bbfd..9e1d52e3fc 100644
--- a/mdop/appv-v4/how-to-assign--the-proper-credentials-for-windows-xp.md
+++ b/mdop/appv-v4/how-to-assign--the-proper-credentials-for-windows-xp.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-associate-an-application-with-a-license-group.md b/mdop/appv-v4/how-to-associate-an-application-with-a-license-group.md
index ffb07d7155..84d62ca579 100644
--- a/mdop/appv-v4/how-to-associate-an-application-with-a-license-group.md
+++ b/mdop/appv-v4/how-to-associate-an-application-with-a-license-group.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-branch-a-package.md b/mdop/appv-v4/how-to-branch-a-package.md
index 52221d9dd2..9b2ab8c069 100644
--- a/mdop/appv-v4/how-to-branch-a-package.md
+++ b/mdop/appv-v4/how-to-branch-a-package.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-cancel-loading-of-virtual-applications-from-the-desktop-notification-area.md b/mdop/appv-v4/how-to-cancel-loading-of-virtual-applications-from-the-desktop-notification-area.md
index d5b2380a20..32dfc28858 100644
--- a/mdop/appv-v4/how-to-cancel-loading-of-virtual-applications-from-the-desktop-notification-area.md
+++ b/mdop/appv-v4/how-to-cancel-loading-of-virtual-applications-from-the-desktop-notification-area.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-change-an-application-icon.md b/mdop/appv-v4/how-to-change-an-application-icon.md
index 1f2881c4f8..9e9dbf95b0 100644
--- a/mdop/appv-v4/how-to-change-an-application-icon.md
+++ b/mdop/appv-v4/how-to-change-an-application-icon.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-change-an-application-iconserver.md b/mdop/appv-v4/how-to-change-an-application-iconserver.md
index 7f85c76a15..19445774d2 100644
--- a/mdop/appv-v4/how-to-change-an-application-iconserver.md
+++ b/mdop/appv-v4/how-to-change-an-application-iconserver.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-change-deployment-properties.md b/mdop/appv-v4/how-to-change-deployment-properties.md
index 66c8d2fd96..f9eb0b5d3f 100644
--- a/mdop/appv-v4/how-to-change-deployment-properties.md
+++ b/mdop/appv-v4/how-to-change-deployment-properties.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-change-import-search-paths.md b/mdop/appv-v4/how-to-change-import-search-paths.md
index 928852dfa1..fef1c273d9 100644
--- a/mdop/appv-v4/how-to-change-import-search-paths.md
+++ b/mdop/appv-v4/how-to-change-import-search-paths.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-change-package-properties.md b/mdop/appv-v4/how-to-change-package-properties.md
index abe69abeb3..565e4c27e9 100644
--- a/mdop/appv-v4/how-to-change-package-properties.md
+++ b/mdop/appv-v4/how-to-change-package-properties.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-change-the-cache-size-and-the-drive-letter-designation.md b/mdop/appv-v4/how-to-change-the-cache-size-and-the-drive-letter-designation.md
index 8346a0eb10..0aed8a88e3 100644
--- a/mdop/appv-v4/how-to-change-the-cache-size-and-the-drive-letter-designation.md
+++ b/mdop/appv-v4/how-to-change-the-cache-size-and-the-drive-letter-designation.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-change-the-log-reporting-levels-and-reset-the-log-files.md b/mdop/appv-v4/how-to-change-the-log-reporting-levels-and-reset-the-log-files.md
index c981b9ffd1..4c3247ee57 100644
--- a/mdop/appv-v4/how-to-change-the-log-reporting-levels-and-reset-the-log-files.md
+++ b/mdop/appv-v4/how-to-change-the-log-reporting-levels-and-reset-the-log-files.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-change-the-server-cache-size.md b/mdop/appv-v4/how-to-change-the-server-cache-size.md
index 198ee9a625..5b61e12a03 100644
--- a/mdop/appv-v4/how-to-change-the-server-cache-size.md
+++ b/mdop/appv-v4/how-to-change-the-server-cache-size.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-change-the-server-logging-level-and-the-database-parameters.md b/mdop/appv-v4/how-to-change-the-server-logging-level-and-the-database-parameters.md
index 8bfcb4dcb4..baeeef43e1 100644
--- a/mdop/appv-v4/how-to-change-the-server-logging-level-and-the-database-parameters.md
+++ b/mdop/appv-v4/how-to-change-the-server-logging-level-and-the-database-parameters.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-change-the-server-port.md b/mdop/appv-v4/how-to-change-the-server-port.md
index 3a807f2d68..14d1933fb9 100644
--- a/mdop/appv-v4/how-to-change-the-server-port.md
+++ b/mdop/appv-v4/how-to-change-the-server-port.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-change-the-size-of-the-filesystem-cache.md b/mdop/appv-v4/how-to-change-the-size-of-the-filesystem-cache.md
index 7fe070657a..db72c07843 100644
--- a/mdop/appv-v4/how-to-change-the-size-of-the-filesystem-cache.md
+++ b/mdop/appv-v4/how-to-change-the-size-of-the-filesystem-cache.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-change-user-access-permissions.md b/mdop/appv-v4/how-to-change-user-access-permissions.md
index ef7947df2b..e935af3cad 100644
--- a/mdop/appv-v4/how-to-change-user-access-permissions.md
+++ b/mdop/appv-v4/how-to-change-user-access-permissions.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-clear-an-application.md b/mdop/appv-v4/how-to-clear-an-application.md
index c738ca904d..2fba3e47a3 100644
--- a/mdop/appv-v4/how-to-clear-an-application.md
+++ b/mdop/appv-v4/how-to-clear-an-application.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-configure-a-read-only-cache-on-the-app-v-client--rds--sp1.md b/mdop/appv-v4/how-to-configure-a-read-only-cache-on-the-app-v-client--rds--sp1.md
index 801b2d13bc..0a694a6795 100644
--- a/mdop/appv-v4/how-to-configure-a-read-only-cache-on-the-app-v-client--rds--sp1.md
+++ b/mdop/appv-v4/how-to-configure-a-read-only-cache-on-the-app-v-client--rds--sp1.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
@@ -156,7 +156,7 @@ Instead of changing the AppFS key FILENAME value every time that a new cache fil
3. On the VDI Master VM Image, open a Command Prompt window by using the **Run as administrator** option and grant remote link permissions so that the VM can access the symbolic link on the VDI Host operating system. By default, remote link permissions are disabled.
- ** fsutil behavior set SymlinkEvaluation R2R:1**
+ **fsutil behavior set SymlinkEvaluation R2R:1**
**Note**
On the storage server, appropriate link permissions must be enabled. Depending on the location of link and the Sftfs.fsd file, the permissions are **L2L:1** or **L2R:1** or **R2L:1** or **R2R:1**.
diff --git a/mdop/appv-v4/how-to-configure-a-read-only-cache-on-the-app-v-client--vdi-.md b/mdop/appv-v4/how-to-configure-a-read-only-cache-on-the-app-v-client--vdi-.md
index 2ee211e811..8fd997eafd 100644
--- a/mdop/appv-v4/how-to-configure-a-read-only-cache-on-the-app-v-client--vdi-.md
+++ b/mdop/appv-v4/how-to-configure-a-read-only-cache-on-the-app-v-client--vdi-.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
@@ -167,7 +167,7 @@ Instead of modifying the AppFS key FILENAME value every time that a new cache fi
3. On the VDI Master VM Image, open a Command Prompt window by using the **Run as administrator** option and grant remote link permissions so that the VM can access the symbolic link on the VDI Host operating system. By default, remote link permissions are disabled.
- ** fsutil behavior set SymlinkEvaluation R2R:1**
+ **fsutil behavior set SymlinkEvaluation R2R:1**
**Note**
On the storage server, appropriate link permissions must be enabled. Depending on the location of link and the Sftfs.fsd file, the permissions are **L2L:1** or **L2R:1** or **R2L:1** or **R2R:1**.
diff --git a/mdop/appv-v4/how-to-configure-management-server-security-post-installation.md b/mdop/appv-v4/how-to-configure-management-server-security-post-installation.md
index ec3efe7a1a..c14a8c48a6 100644
--- a/mdop/appv-v4/how-to-configure-management-server-security-post-installation.md
+++ b/mdop/appv-v4/how-to-configure-management-server-security-post-installation.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-configure-microsoft-sql-server-mirroring-support-for-app-v.md b/mdop/appv-v4/how-to-configure-microsoft-sql-server-mirroring-support-for-app-v.md
index 978aefac2f..2b4a53819a 100644
--- a/mdop/appv-v4/how-to-configure-microsoft-sql-server-mirroring-support-for-app-v.md
+++ b/mdop/appv-v4/how-to-configure-microsoft-sql-server-mirroring-support-for-app-v.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/appv-v4/how-to-configure-servers-for-esd-based-deployment.md b/mdop/appv-v4/how-to-configure-servers-for-esd-based-deployment.md
index 4f60659a53..1c79254fd6 100644
--- a/mdop/appv-v4/how-to-configure-servers-for-esd-based-deployment.md
+++ b/mdop/appv-v4/how-to-configure-servers-for-esd-based-deployment.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-configure-servers-for-server-based-deployment.md b/mdop/appv-v4/how-to-configure-servers-for-server-based-deployment.md
index 9fb56f0792..5a4d8e1932 100644
--- a/mdop/appv-v4/how-to-configure-servers-for-server-based-deployment.md
+++ b/mdop/appv-v4/how-to-configure-servers-for-server-based-deployment.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-configure-shortcut-and-file-type-association-behavior-46-only.md b/mdop/appv-v4/how-to-configure-shortcut-and-file-type-association-behavior-46-only.md
index 7f8b6db82f..c668b902eb 100644
--- a/mdop/appv-v4/how-to-configure-shortcut-and-file-type-association-behavior-46-only.md
+++ b/mdop/appv-v4/how-to-configure-shortcut-and-file-type-association-behavior-46-only.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-configure-streaming-server-security-post-installation.md b/mdop/appv-v4/how-to-configure-streaming-server-security-post-installation.md
index 05d2bc0b77..afe7d0a2da 100644
--- a/mdop/appv-v4/how-to-configure-streaming-server-security-post-installation.md
+++ b/mdop/appv-v4/how-to-configure-streaming-server-security-post-installation.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-configure-the-app-v-client-registry-settings-by-using-the-command-line.md b/mdop/appv-v4/how-to-configure-the-app-v-client-registry-settings-by-using-the-command-line.md
index 150d93d6c9..03e3ac7409 100644
--- a/mdop/appv-v4/how-to-configure-the-app-v-client-registry-settings-by-using-the-command-line.md
+++ b/mdop/appv-v4/how-to-configure-the-app-v-client-registry-settings-by-using-the-command-line.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/appv-v4/how-to-configure-the-app-v-sequencer.md b/mdop/appv-v4/how-to-configure-the-app-v-sequencer.md
index 023d8ba9ba..615d3a60b6 100644
--- a/mdop/appv-v4/how-to-configure-the-app-v-sequencer.md
+++ b/mdop/appv-v4/how-to-configure-the-app-v-sequencer.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-configure-the-app-v-system-for-package-upgrade.md b/mdop/appv-v4/how-to-configure-the-app-v-system-for-package-upgrade.md
index 1b477e3c0e..85ccb5fd59 100644
--- a/mdop/appv-v4/how-to-configure-the-app-v-system-for-package-upgrade.md
+++ b/mdop/appv-v4/how-to-configure-the-app-v-system-for-package-upgrade.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-configure-the-application-virtualization-client-settings-manually.md b/mdop/appv-v4/how-to-configure-the-application-virtualization-client-settings-manually.md
index 9dc834b4ad..5dab5d7b35 100644
--- a/mdop/appv-v4/how-to-configure-the-application-virtualization-client-settings-manually.md
+++ b/mdop/appv-v4/how-to-configure-the-application-virtualization-client-settings-manually.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-configure-the-application-virtualization-management-servers.md b/mdop/appv-v4/how-to-configure-the-application-virtualization-management-servers.md
index bd27ed1708..8225fe37da 100644
--- a/mdop/appv-v4/how-to-configure-the-application-virtualization-management-servers.md
+++ b/mdop/appv-v4/how-to-configure-the-application-virtualization-management-servers.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-configure-the-application-virtualization-streaming-servers.md b/mdop/appv-v4/how-to-configure-the-application-virtualization-streaming-servers.md
index 9f63f76ebb..8671c8e401 100644
--- a/mdop/appv-v4/how-to-configure-the-application-virtualization-streaming-servers.md
+++ b/mdop/appv-v4/how-to-configure-the-application-virtualization-streaming-servers.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-configure-the-client-for-application-package-retrieval.md b/mdop/appv-v4/how-to-configure-the-client-for-application-package-retrieval.md
index 54a3e12931..04f4c05542 100644
--- a/mdop/appv-v4/how-to-configure-the-client-for-application-package-retrieval.md
+++ b/mdop/appv-v4/how-to-configure-the-client-for-application-package-retrieval.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-configure-the-client-for-disconnected-operation-mode.md b/mdop/appv-v4/how-to-configure-the-client-for-disconnected-operation-mode.md
index 08fb9b8dfb..fe5c5331d3 100644
--- a/mdop/appv-v4/how-to-configure-the-client-for-disconnected-operation-mode.md
+++ b/mdop/appv-v4/how-to-configure-the-client-for-disconnected-operation-mode.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-configure-the-client-for-mit-kerberos-realm-support.md b/mdop/appv-v4/how-to-configure-the-client-for-mit-kerberos-realm-support.md
index ec298ac0dd..ee1c92f759 100644
--- a/mdop/appv-v4/how-to-configure-the-client-for-mit-kerberos-realm-support.md
+++ b/mdop/appv-v4/how-to-configure-the-client-for-mit-kerberos-realm-support.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-configure-the-client-in-the-application-virtualization-client-management-console.md b/mdop/appv-v4/how-to-configure-the-client-in-the-application-virtualization-client-management-console.md
index 2dcd0fc57b..951cbbb2d7 100644
--- a/mdop/appv-v4/how-to-configure-the-client-in-the-application-virtualization-client-management-console.md
+++ b/mdop/appv-v4/how-to-configure-the-client-in-the-application-virtualization-client-management-console.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-configure-the-client-log-file.md b/mdop/appv-v4/how-to-configure-the-client-log-file.md
index 20b326dfa4..e4a46cd129 100644
--- a/mdop/appv-v4/how-to-configure-the-client-log-file.md
+++ b/mdop/appv-v4/how-to-configure-the-client-log-file.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-configure-the-file-server.md b/mdop/appv-v4/how-to-configure-the-file-server.md
index 812c78cb2c..c9d01b4dba 100644
--- a/mdop/appv-v4/how-to-configure-the-file-server.md
+++ b/mdop/appv-v4/how-to-configure-the-file-server.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-configure-the-server-for-iis.md b/mdop/appv-v4/how-to-configure-the-server-for-iis.md
index 76119811be..4290cc9bf5 100644
--- a/mdop/appv-v4/how-to-configure-the-server-for-iis.md
+++ b/mdop/appv-v4/how-to-configure-the-server-for-iis.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-configure-the-server-to-be-trusted-for-delegation.md b/mdop/appv-v4/how-to-configure-the-server-to-be-trusted-for-delegation.md
index 04e4ec6328..fec2c858fe 100644
--- a/mdop/appv-v4/how-to-configure-the-server-to-be-trusted-for-delegation.md
+++ b/mdop/appv-v4/how-to-configure-the-server-to-be-trusted-for-delegation.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-configure-user-permissions.md b/mdop/appv-v4/how-to-configure-user-permissions.md
index 31a1894e7b..88e1049577 100644
--- a/mdop/appv-v4/how-to-configure-user-permissions.md
+++ b/mdop/appv-v4/how-to-configure-user-permissions.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/appv-v4/how-to-configure-windows-server-2003-firewall-for-app-v.md b/mdop/appv-v4/how-to-configure-windows-server-2003-firewall-for-app-v.md
index 59c1e3b44c..3ec2889648 100644
--- a/mdop/appv-v4/how-to-configure-windows-server-2003-firewall-for-app-v.md
+++ b/mdop/appv-v4/how-to-configure-windows-server-2003-firewall-for-app-v.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-configure-windows-server-2008-firewall-for-app-v.md b/mdop/appv-v4/how-to-configure-windows-server-2008-firewall-for-app-v.md
index 7578063d2b..7e516a89fd 100644
--- a/mdop/appv-v4/how-to-configure-windows-server-2008-firewall-for-app-v.md
+++ b/mdop/appv-v4/how-to-configure-windows-server-2008-firewall-for-app-v.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/appv-v4/how-to-configure-windows-server-2008-for-app-v-management-servers.md b/mdop/appv-v4/how-to-configure-windows-server-2008-for-app-v-management-servers.md
index 9321f73949..8368dd56f8 100644
--- a/mdop/appv-v4/how-to-configure-windows-server-2008-for-app-v-management-servers.md
+++ b/mdop/appv-v4/how-to-configure-windows-server-2008-for-app-v-management-servers.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-connect-to-an-application-virtualization-system.md b/mdop/appv-v4/how-to-connect-to-an-application-virtualization-system.md
index 097bf0d4b7..169761167e 100644
--- a/mdop/appv-v4/how-to-connect-to-an-application-virtualization-system.md
+++ b/mdop/appv-v4/how-to-connect-to-an-application-virtualization-system.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/appv-v4/how-to-create-a-reportserver.md b/mdop/appv-v4/how-to-create-a-reportserver.md
index 134036f18f..abdfd7298e 100644
--- a/mdop/appv-v4/how-to-create-a-reportserver.md
+++ b/mdop/appv-v4/how-to-create-a-reportserver.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-create-a-server-group.md b/mdop/appv-v4/how-to-create-a-server-group.md
index fa407f994a..bc12c0bd0a 100644
--- a/mdop/appv-v4/how-to-create-a-server-group.md
+++ b/mdop/appv-v4/how-to-create-a-server-group.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-create-a-virtual-environment-for-a-web-based-application.md b/mdop/appv-v4/how-to-create-a-virtual-environment-for-a-web-based-application.md
index 249ed7b0e1..23e2b3570b 100644
--- a/mdop/appv-v4/how-to-create-a-virtual-environment-for-a-web-based-application.md
+++ b/mdop/appv-v4/how-to-create-a-virtual-environment-for-a-web-based-application.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-create-an-app-v-project-template--app-v-46-sp1-.md b/mdop/appv-v4/how-to-create-an-app-v-project-template--app-v-46-sp1-.md
index 55143333bd..26aae4b1ea 100644
--- a/mdop/appv-v4/how-to-create-an-app-v-project-template--app-v-46-sp1-.md
+++ b/mdop/appv-v4/how-to-create-an-app-v-project-template--app-v-46-sp1-.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-create-an-application-group.md b/mdop/appv-v4/how-to-create-an-application-group.md
index 4144e95e2f..ac2fba82be 100644
--- a/mdop/appv-v4/how-to-create-an-application-group.md
+++ b/mdop/appv-v4/how-to-create-an-application-group.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-create-an-application-license-group.md b/mdop/appv-v4/how-to-create-an-application-license-group.md
index e1c6567c65..76da2668b9 100644
--- a/mdop/appv-v4/how-to-create-an-application-license-group.md
+++ b/mdop/appv-v4/how-to-create-an-application-license-group.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-create-app-v-package-accelerators--app-v-46-sp1-.md b/mdop/appv-v4/how-to-create-app-v-package-accelerators--app-v-46-sp1-.md
index 522662b28d..bf6769fb47 100644
--- a/mdop/appv-v4/how-to-create-app-v-package-accelerators--app-v-46-sp1-.md
+++ b/mdop/appv-v4/how-to-create-app-v-package-accelerators--app-v-46-sp1-.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-create-or-upgrade-virtual-applications-using--the-app-v-sequencer.md b/mdop/appv-v4/how-to-create-or-upgrade-virtual-applications-using--the-app-v-sequencer.md
index c169abd147..c4db220dcf 100644
--- a/mdop/appv-v4/how-to-create-or-upgrade-virtual-applications-using--the-app-v-sequencer.md
+++ b/mdop/appv-v4/how-to-create-or-upgrade-virtual-applications-using--the-app-v-sequencer.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-create-the-package-root-directory.md b/mdop/appv-v4/how-to-create-the-package-root-directory.md
index 01ba72181f..8e00793ee2 100644
--- a/mdop/appv-v4/how-to-create-the-package-root-directory.md
+++ b/mdop/appv-v4/how-to-create-the-package-root-directory.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-create-the-sequencer-package-root-directory.md b/mdop/appv-v4/how-to-create-the-sequencer-package-root-directory.md
index 6b2e6bc05c..b745ddf86a 100644
--- a/mdop/appv-v4/how-to-create-the-sequencer-package-root-directory.md
+++ b/mdop/appv-v4/how-to-create-the-sequencer-package-root-directory.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-customize-an-application-virtualization-system-in-the-server-management-console.md b/mdop/appv-v4/how-to-customize-an-application-virtualization-system-in-the-server-management-console.md
index 49f4a3afc7..f1e04f6d1e 100644
--- a/mdop/appv-v4/how-to-customize-an-application-virtualization-system-in-the-server-management-console.md
+++ b/mdop/appv-v4/how-to-customize-an-application-virtualization-system-in-the-server-management-console.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-delete-a-file-type-association.md b/mdop/appv-v4/how-to-delete-a-file-type-association.md
index 8f12921951..16c96b8513 100644
--- a/mdop/appv-v4/how-to-delete-a-file-type-association.md
+++ b/mdop/appv-v4/how-to-delete-a-file-type-association.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-delete-a-package-version.md b/mdop/appv-v4/how-to-delete-a-package-version.md
index 62137f64ca..c1d92e1264 100644
--- a/mdop/appv-v4/how-to-delete-a-package-version.md
+++ b/mdop/appv-v4/how-to-delete-a-package-version.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-delete-a-packageserver.md b/mdop/appv-v4/how-to-delete-a-packageserver.md
index c63d2eaf35..7f2bd13bae 100644
--- a/mdop/appv-v4/how-to-delete-a-packageserver.md
+++ b/mdop/appv-v4/how-to-delete-a-packageserver.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-delete-a-reportserver.md b/mdop/appv-v4/how-to-delete-a-reportserver.md
index 2b8a517f7c..14ac327bbf 100644
--- a/mdop/appv-v4/how-to-delete-a-reportserver.md
+++ b/mdop/appv-v4/how-to-delete-a-reportserver.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-delete-all-virtual-applications-by-using-the-command-line.md b/mdop/appv-v4/how-to-delete-all-virtual-applications-by-using-the-command-line.md
index 21e583e5b2..1fdb2c31c6 100644
--- a/mdop/appv-v4/how-to-delete-all-virtual-applications-by-using-the-command-line.md
+++ b/mdop/appv-v4/how-to-delete-all-virtual-applications-by-using-the-command-line.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-delete-an-administrator-group.md b/mdop/appv-v4/how-to-delete-an-administrator-group.md
index c825492416..d538220e01 100644
--- a/mdop/appv-v4/how-to-delete-an-administrator-group.md
+++ b/mdop/appv-v4/how-to-delete-an-administrator-group.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-delete-an-application-server.md b/mdop/appv-v4/how-to-delete-an-application-server.md
index 247163a1de..55f77b412f 100644
--- a/mdop/appv-v4/how-to-delete-an-application-server.md
+++ b/mdop/appv-v4/how-to-delete-an-application-server.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-delete-an-application.md b/mdop/appv-v4/how-to-delete-an-application.md
index 4ac8548398..c1e441347c 100644
--- a/mdop/appv-v4/how-to-delete-an-application.md
+++ b/mdop/appv-v4/how-to-delete-an-application.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-deny-access-to-an-application.md b/mdop/appv-v4/how-to-deny-access-to-an-application.md
index e1a9045654..1dd6b7fdf5 100644
--- a/mdop/appv-v4/how-to-deny-access-to-an-application.md
+++ b/mdop/appv-v4/how-to-deny-access-to-an-application.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-determine-whether-to-edit-or-upgrade-a-virtual-application-package.md b/mdop/appv-v4/how-to-determine-whether-to-edit-or-upgrade-a-virtual-application-package.md
index 2c88ccb0f0..6fda63581a 100644
--- a/mdop/appv-v4/how-to-determine-whether-to-edit-or-upgrade-a-virtual-application-package.md
+++ b/mdop/appv-v4/how-to-determine-whether-to-edit-or-upgrade-a-virtual-application-package.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-determine-which-type-of-application-to-sequence---app-v-46-sp1-.md b/mdop/appv-v4/how-to-determine-which-type-of-application-to-sequence---app-v-46-sp1-.md
index 140d19db20..5394ec7bb3 100644
--- a/mdop/appv-v4/how-to-determine-which-type-of-application-to-sequence---app-v-46-sp1-.md
+++ b/mdop/appv-v4/how-to-determine-which-type-of-application-to-sequence---app-v-46-sp1-.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/appv-v4/how-to-disable-or-modify-disconnected-operation-mode-settings.md b/mdop/appv-v4/how-to-disable-or-modify-disconnected-operation-mode-settings.md
index 07a83858b4..fc1d34c067 100644
--- a/mdop/appv-v4/how-to-disable-or-modify-disconnected-operation-mode-settings.md
+++ b/mdop/appv-v4/how-to-disable-or-modify-disconnected-operation-mode-settings.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-edit-an-existing-virtual-application.md b/mdop/appv-v4/how-to-edit-an-existing-virtual-application.md
index b92d34564c..822fe72dd9 100644
--- a/mdop/appv-v4/how-to-edit-an-existing-virtual-application.md
+++ b/mdop/appv-v4/how-to-edit-an-existing-virtual-application.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-edit-an-osd-file-using-a-text-editor.md b/mdop/appv-v4/how-to-edit-an-osd-file-using-a-text-editor.md
index 6930a3459d..41b7631eb1 100644
--- a/mdop/appv-v4/how-to-edit-an-osd-file-using-a-text-editor.md
+++ b/mdop/appv-v4/how-to-edit-an-osd-file-using-a-text-editor.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-edit-an-osd-file.md b/mdop/appv-v4/how-to-edit-an-osd-file.md
index e150953185..6f19e9a7b7 100644
--- a/mdop/appv-v4/how-to-edit-an-osd-file.md
+++ b/mdop/appv-v4/how-to-edit-an-osd-file.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-exit-the-app-v-client-from-the-notification-area.md b/mdop/appv-v4/how-to-exit-the-app-v-client-from-the-notification-area.md
index 25d48601e0..480c2d8d34 100644
--- a/mdop/appv-v4/how-to-exit-the-app-v-client-from-the-notification-area.md
+++ b/mdop/appv-v4/how-to-exit-the-app-v-client-from-the-notification-area.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-export-a-reportserver.md b/mdop/appv-v4/how-to-export-a-reportserver.md
index 6580474502..f7eb70e1aa 100644
--- a/mdop/appv-v4/how-to-export-a-reportserver.md
+++ b/mdop/appv-v4/how-to-export-a-reportserver.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-grant-access-to-an-application.md b/mdop/appv-v4/how-to-grant-access-to-an-application.md
index 697afb607b..89a6cf8277 100644
--- a/mdop/appv-v4/how-to-grant-access-to-an-application.md
+++ b/mdop/appv-v4/how-to-grant-access-to-an-application.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-import-an-application.md b/mdop/appv-v4/how-to-import-an-application.md
index ecaec1c2de..2fc950a033 100644
--- a/mdop/appv-v4/how-to-import-an-application.md
+++ b/mdop/appv-v4/how-to-import-an-application.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-import-an-applicationserver.md b/mdop/appv-v4/how-to-import-an-applicationserver.md
index 24b4bce0dd..66852c68c1 100644
--- a/mdop/appv-v4/how-to-import-an-applicationserver.md
+++ b/mdop/appv-v4/how-to-import-an-applicationserver.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-install-a-database.md b/mdop/appv-v4/how-to-install-a-database.md
index 884793e4a7..da440a18ff 100644
--- a/mdop/appv-v4/how-to-install-a-database.md
+++ b/mdop/appv-v4/how-to-install-a-database.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/appv-v4/how-to-install-and-configure-the-app-v-management-console-for-a-more-secure-environment.md b/mdop/appv-v4/how-to-install-and-configure-the-app-v-management-console-for-a-more-secure-environment.md
index 83e7e4b7d1..ba2ed5bf33 100644
--- a/mdop/appv-v4/how-to-install-and-configure-the-app-v-management-console-for-a-more-secure-environment.md
+++ b/mdop/appv-v4/how-to-install-and-configure-the-app-v-management-console-for-a-more-secure-environment.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-install-and-configure-the-default-application.md b/mdop/appv-v4/how-to-install-and-configure-the-default-application.md
index c5bb0dbe54..529a24aadc 100644
--- a/mdop/appv-v4/how-to-install-and-configure-the-default-application.md
+++ b/mdop/appv-v4/how-to-install-and-configure-the-default-application.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-install-application-virtualization-management-server.md b/mdop/appv-v4/how-to-install-application-virtualization-management-server.md
index 0dd33e3482..9fff92bc25 100644
--- a/mdop/appv-v4/how-to-install-application-virtualization-management-server.md
+++ b/mdop/appv-v4/how-to-install-application-virtualization-management-server.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-install-the-app-v-client-by-using-setupexe-new.md b/mdop/appv-v4/how-to-install-the-app-v-client-by-using-setupexe-new.md
index e2f80c72dd..37596836cd 100644
--- a/mdop/appv-v4/how-to-install-the-app-v-client-by-using-setupexe-new.md
+++ b/mdop/appv-v4/how-to-install-the-app-v-client-by-using-setupexe-new.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-install-the-app-v-client-by-using-setupmsi-new.md b/mdop/appv-v4/how-to-install-the-app-v-client-by-using-setupmsi-new.md
index f5b25c5517..5485cfe6f6 100644
--- a/mdop/appv-v4/how-to-install-the-app-v-client-by-using-setupmsi-new.md
+++ b/mdop/appv-v4/how-to-install-the-app-v-client-by-using-setupmsi-new.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/appv-v4/how-to-install-the-application-virtualization-sequencer.md b/mdop/appv-v4/how-to-install-the-application-virtualization-sequencer.md
index d9c4fb364b..5cf9e908d7 100644
--- a/mdop/appv-v4/how-to-install-the-application-virtualization-sequencer.md
+++ b/mdop/appv-v4/how-to-install-the-application-virtualization-sequencer.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-install-the-application-virtualization-streaming-server.md b/mdop/appv-v4/how-to-install-the-application-virtualization-streaming-server.md
index 0cd8731539..b6facad249 100644
--- a/mdop/appv-v4/how-to-install-the-application-virtualization-streaming-server.md
+++ b/mdop/appv-v4/how-to-install-the-application-virtualization-streaming-server.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-install-the-client-by-using-the-command-line-new.md b/mdop/appv-v4/how-to-install-the-client-by-using-the-command-line-new.md
index ab7c6ff130..69e3331059 100644
--- a/mdop/appv-v4/how-to-install-the-client-by-using-the-command-line-new.md
+++ b/mdop/appv-v4/how-to-install-the-client-by-using-the-command-line-new.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/appv-v4/how-to-install-the-management-console.md b/mdop/appv-v4/how-to-install-the-management-console.md
index 1f584040a8..df74e0f969 100644
--- a/mdop/appv-v4/how-to-install-the-management-console.md
+++ b/mdop/appv-v4/how-to-install-the-management-console.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-install-the-management-web-service.md b/mdop/appv-v4/how-to-install-the-management-web-service.md
index 66cdda0365..72f0d59456 100644
--- a/mdop/appv-v4/how-to-install-the-management-web-service.md
+++ b/mdop/appv-v4/how-to-install-the-management-web-service.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-install-the-sequencer---app-v-46-sp1-.md b/mdop/appv-v4/how-to-install-the-sequencer---app-v-46-sp1-.md
index ce132d4f49..ea900036a2 100644
--- a/mdop/appv-v4/how-to-install-the-sequencer---app-v-46-sp1-.md
+++ b/mdop/appv-v4/how-to-install-the-sequencer---app-v-46-sp1-.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-install-the-sequencer.md b/mdop/appv-v4/how-to-install-the-sequencer.md
index 411a6c5b05..decce9699a 100644
--- a/mdop/appv-v4/how-to-install-the-sequencer.md
+++ b/mdop/appv-v4/how-to-install-the-sequencer.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-install-the-servers-and-system-components.md b/mdop/appv-v4/how-to-install-the-servers-and-system-components.md
index a5fa8f0893..d8d537d0e8 100644
--- a/mdop/appv-v4/how-to-install-the-servers-and-system-components.md
+++ b/mdop/appv-v4/how-to-install-the-servers-and-system-components.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-load-files-and-packages.md b/mdop/appv-v4/how-to-load-files-and-packages.md
index 21dc909c70..f70cbf6dc3 100644
--- a/mdop/appv-v4/how-to-load-files-and-packages.md
+++ b/mdop/appv-v4/how-to-load-files-and-packages.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-load-or-unload-an-application.md b/mdop/appv-v4/how-to-load-or-unload-an-application.md
index 94fce4808b..5dd97091a1 100644
--- a/mdop/appv-v4/how-to-load-or-unload-an-application.md
+++ b/mdop/appv-v4/how-to-load-or-unload-an-application.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-load-virtual-applications-from-the-desktop-notification-area.md b/mdop/appv-v4/how-to-load-virtual-applications-from-the-desktop-notification-area.md
index 6443110c20..c089ce97ab 100644
--- a/mdop/appv-v4/how-to-load-virtual-applications-from-the-desktop-notification-area.md
+++ b/mdop/appv-v4/how-to-load-virtual-applications-from-the-desktop-notification-area.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-lock-or-unlock-an-application.md b/mdop/appv-v4/how-to-lock-or-unlock-an-application.md
index 8913276ecd..1b2b033d69 100644
--- a/mdop/appv-v4/how-to-lock-or-unlock-an-application.md
+++ b/mdop/appv-v4/how-to-lock-or-unlock-an-application.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-manage-application-groups-in-the-server-management-console.md b/mdop/appv-v4/how-to-manage-application-groups-in-the-server-management-console.md
index 67680da087..a48df6078f 100644
--- a/mdop/appv-v4/how-to-manage-application-groups-in-the-server-management-console.md
+++ b/mdop/appv-v4/how-to-manage-application-groups-in-the-server-management-console.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-manage-application-licenses-in-the-server-management-console.md b/mdop/appv-v4/how-to-manage-application-licenses-in-the-server-management-console.md
index 279a9aaa89..89c0f06825 100644
--- a/mdop/appv-v4/how-to-manage-application-licenses-in-the-server-management-console.md
+++ b/mdop/appv-v4/how-to-manage-application-licenses-in-the-server-management-console.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-manage-applications-in-the-client-management-console.md b/mdop/appv-v4/how-to-manage-applications-in-the-client-management-console.md
index 5c28780e12..caa426f56a 100644
--- a/mdop/appv-v4/how-to-manage-applications-in-the-client-management-console.md
+++ b/mdop/appv-v4/how-to-manage-applications-in-the-client-management-console.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-manage-applications-in-the-server-management-console.md b/mdop/appv-v4/how-to-manage-applications-in-the-server-management-console.md
index 636e572699..bfae14c37b 100644
--- a/mdop/appv-v4/how-to-manage-applications-in-the-server-management-console.md
+++ b/mdop/appv-v4/how-to-manage-applications-in-the-server-management-console.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-manage-packages-in-the-server-management-console.md b/mdop/appv-v4/how-to-manage-packages-in-the-server-management-console.md
index 59097cac45..920445161f 100644
--- a/mdop/appv-v4/how-to-manage-packages-in-the-server-management-console.md
+++ b/mdop/appv-v4/how-to-manage-packages-in-the-server-management-console.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-manage-reports-in-the-server-management-console.md b/mdop/appv-v4/how-to-manage-reports-in-the-server-management-console.md
index a8f2d9bbe5..cfd2debb42 100644
--- a/mdop/appv-v4/how-to-manage-reports-in-the-server-management-console.md
+++ b/mdop/appv-v4/how-to-manage-reports-in-the-server-management-console.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
diff --git a/mdop/appv-v4/how-to-manage-servers-in-the-server-management-console.md b/mdop/appv-v4/how-to-manage-servers-in-the-server-management-console.md
index 2717afbee8..9287af4caa 100644
--- a/mdop/appv-v4/how-to-manage-servers-in-the-server-management-console.md
+++ b/mdop/appv-v4/how-to-manage-servers-in-the-server-management-console.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-manage-the-app-v-client-cache-using-performance-counters.md b/mdop/appv-v4/how-to-manage-the-app-v-client-cache-using-performance-counters.md
index 1f9c00705d..b3050789b3 100644
--- a/mdop/appv-v4/how-to-manage-the-app-v-client-cache-using-performance-counters.md
+++ b/mdop/appv-v4/how-to-manage-the-app-v-client-cache-using-performance-counters.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-manage-virtual-applications-by-using-the-command-line.md b/mdop/appv-v4/how-to-manage-virtual-applications-by-using-the-command-line.md
index 3002ee21c9..c88c2c0a2e 100644
--- a/mdop/appv-v4/how-to-manage-virtual-applications-by-using-the-command-line.md
+++ b/mdop/appv-v4/how-to-manage-virtual-applications-by-using-the-command-line.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-manage-virtual-applications-manually.md b/mdop/appv-v4/how-to-manage-virtual-applications-manually.md
index 9b3d5d2637..1e5aa136e6 100644
--- a/mdop/appv-v4/how-to-manage-virtual-applications-manually.md
+++ b/mdop/appv-v4/how-to-manage-virtual-applications-manually.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-manage-virtual-applications-using-the-command-line.md b/mdop/appv-v4/how-to-manage-virtual-applications-using-the-command-line.md
index 4048f3c6ba..49b1512034 100644
--- a/mdop/appv-v4/how-to-manage-virtual-applications-using-the-command-line.md
+++ b/mdop/appv-v4/how-to-manage-virtual-applications-using-the-command-line.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-manually-add-an-application.md b/mdop/appv-v4/how-to-manually-add-an-application.md
index 965954b973..b503780e0d 100644
--- a/mdop/appv-v4/how-to-manually-add-an-application.md
+++ b/mdop/appv-v4/how-to-manually-add-an-application.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 06/16/2016
---
diff --git a/mdop/appv-v4/how-to-manually-install-the-application-virtualization-client.md b/mdop/appv-v4/how-to-manually-install-the-application-virtualization-client.md
index 014d912472..3df7f2a0ee 100644
--- a/mdop/appv-v4/how-to-manually-install-the-application-virtualization-client.md
+++ b/mdop/appv-v4/how-to-manually-install-the-application-virtualization-client.md
@@ -9,56 +9,46 @@ ms.author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.prod: w8
+ms.prod: w10
ms.date: 08/30/2016
---
-
# How to Manually Install the Application Virtualization Client
-
There are two types of Application Virtualization Client components: the Application Virtualization Desktop Client, which is designed for installation on desktop computers, and the Application Virtualization Client for Remote Desktop Services (formerly Terminal Services), which you can install on Remote Desktop Session Host (RD Session Host) servers . Although the two client installer programs are different, you can use the following procedure to manually install either the Application Virtualization Desktop Client on a single desktop computer or the Application Virtualization Client for Remote Desktop Services on a single RD Session Host server. In a production environment, you most likely will install the Application Virtualization Desktop Client on multiple desktop computers with an automated scripted installation process. For information about how to install multiple clients by using a scripted installation process, see [How to Install the Client by Using the Command Line](how-to-install-the-client-by-using-the-command-line-new.md).
**Note**
-1. If you are installing the Application Virtualization Client for Remote Desktop Services software on a RD Session Host server, advise users who have an open RDP or ICA client session with the RD Session Host server that they must save their work and close their sessions. In a Remote Desktop session, you can install the client the client manually. For more information about upgrading the client, see [How to Upgrade the Application Virtualization Client](how-to-upgrade-the-application-virtualization-client.md).
-
-2. If you have any configuration on the user’s computer that depends on the client install path, note that the Application Virtualization (App-V) 4.5 client uses a different install folder than previous versions. By default, a new install of the Application Virtualization (App-V) 4.5 client will install to the \\Program Files\\Microsoft Application Virtualization Client folder. If an earlier version of the client is already installed, installing the App-V client will perform an upgrade into the existing installation folder.
-
+1. If you are installing the Application Virtualization Client for Remote Desktop Services software on a RD Session Host server, advise users who have an open RDP or ICA client session with the RD Session Host server that they must save their work and close their sessions. In a Remote Desktop session, you can install the client the client manually. For more information about upgrading the client, see [How to Upgrade the Application Virtualization Client](how-to-upgrade-the-application-virtualization-client.md).
+2. If you have any configuration on the user’s computer that depends on the client install path, note that the Application Virtualization (App-V) 4.5 client uses a different install folder than previous versions. By default, a new install of the Application Virtualization (App-V) 4.5 client will install to the \\Program Files\\Microsoft Application Virtualization Client folder. If an earlier version of the client is already installed, installing the App-V client will perform an upgrade into the existing installation folder.
**Note**
For App-V version 4.6 and later, when the App-V client is installed, SFTLDR.DLL is installed in the Windows\\system32 directory. If the App-V client is installed on a 64-bit system, SFTLDR\_WOW64.DLL is installed in the Windows\\SysWOW64 directory.
-
-
**To manually install Application Virtualization Desktop Client**
-1. After you have obtained the correct installer archive file and saved it to your computer, make sure you are logged on with an account having administrator rights on the computer and double-click the file to expand the archive.
+1. After you have obtained the correct installer archive file and saved it to your computer, make sure you are logged on with an account having administrator rights on the computer and double-click the file to expand the archive.
-2. Choose the folder in which to save the files, and then open the folder after the files have been copied to it.
+2. Choose the folder in which to save the files, and then open the folder after the files have been copied to it.
-3. Review the Release Notes if appropriate.
+3. Review the Release Notes if appropriate.
-4. Browse to find the setup.exe file, and double-click setup.exe to start the installation.
+4. Browse to find the setup.exe file, and double-click setup.exe to start the installation.
-5. The wizard checks the system to ensure that all prerequisite software is installed, and if any of the following are missing, the wizard will automatically prompt you to install them:
+5. The wizard checks the system to ensure that all prerequisite software is installed, and if any of the following are missing, the wizard will automatically prompt you to install them:
- - Microsoft Visual C++ 2005 SP1 Redistributable Package (x86)
+ - Microsoft Visual C++ 2005 SP1 Redistributable Package (x86)
- - Microsoft Core XML Services (MSXML) 6.0 SP1 (x86)
+ - Microsoft Core XML Services (MSXML) 6.0 SP1 (x86)
- - Microsoft Application Error Reporting
+ - Microsoft Application Error Reporting
**Note**
For App-V version 4.6 and later, the wizard will also install Microsoft Visual C++ 2008 SP1 Redistributable Package (x86).
- For more information about installing Microsoft Visual C++ 2008 SP1 Redistributable Package (x86), see
-
+
- Use as a walk-up port for plugging in peripherals such as thumb-drives. Guest ports are located on each side of the device (4).
-
NOTE: This is the recommended port for connecting an external camera. Additional camera mount features are incorporated into the design to help support retention of attached cameras.
- NOTE: TouchBack and video ingest are not supported on these ports. | Type C
- 15 W Port (5V/3A) |
-| ② | AC power | 100-240V input
Connect to standard AC power and Surface Hub 2S will auto switch to the local power standard such as110 volts in the US and Canada or 220 volts in the UK or other countries.
NOTE: When the AC cord is plugged in, the system remains in an off state in which only the system management controller (SMC), real time clock (RTC), and keypad are running. | IEC 60320 C14 |
-| ③ | DC power | 24V DC input port
Use for connecting to mobile battery. | Xbox1 Dual barrel to Anderson connector |
-| ④ | Ethernet | 1000/100/10 BaseT
Use for providing a continuous connection in a corporate environment and related scenarios requiring maximum stability or capacity. | RJ45 |
-| ⑤ | USB-A | USB 3.0 Port
Use as a walk-up port for plugging in peripherals such as thumb-drives. | Type A
7.5 W Port (5V/1.5A) |
-| ⑥ | USB-C | USB 3.0 Port
Use as a walk-up port for connecting external PCs and related devices or plugging in peripherals such as thumb-drives.
NOTE: This is the recommended video input port, supporting both TouchBack and InkBack. | Type C
18 W Port (5V/3A, 9V/2A) |
-| ⑦ | HDMI in | HDMI 2.0, HDCP 2.2 /1.4
Use for multiple scenarios including HDMI-to-HDMI guest input. | Standard HDMI |
-| ⑧ | Mini DisplayPort out | DisplayPort 1.2 output
Use for video-out scenarios such as mirroring the Surface Hub 2S display to a larger projector. | Mini DisplayPort |
-| ⑨ | Source | Use to toggle among connected ingest sources — external PC, HDMI, and DisplayPort modes. | n/a |
-| ⑩ | Volume | Use +/- to adjust audio locally on the device.
NOTE: When navigating to the brightness control, use +/- on the volume slider to control display brightness. | n/a |
-| ⑪ | Power | Power device on/off.
Use also to navigate display menus and select items. | n/a |
-
- **
- **
-*Figure 2. Rear facing view of wireless, audio, & related components*
-NOTE: **many of these components are internal and may not be obviously visible from the outside.
-
-*Figure 3. Wired port connections on Surface Hub-2S*
\ No newline at end of file
diff --git a/windows/access-protection/docfx.json b/windows/access-protection/docfx.json
index 57281ea6e2..9df4554e37 100644
--- a/windows/access-protection/docfx.json
+++ b/windows/access-protection/docfx.json
@@ -33,6 +33,7 @@
"globalMetadata": {
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
"ms.technology": "windows",
+ "audience": "ITPro",
"ms.topic": "article",
"_op_documentIdPathDepotMapping": {
"./": {
diff --git a/windows/application-management/add-apps-and-features.md b/windows/application-management/add-apps-and-features.md
index bb0195c0dc..81f0da756e 100644
--- a/windows/application-management/add-apps-and-features.md
+++ b/windows/application-management/add-apps-and-features.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: article
-ms.author: tracyp
+ms.author: dansimp
author: msfttracyp
ms.localizationpriority: medium
ms.date: 04/26/2018
diff --git a/windows/application-management/app-v/appv-about-appv.md b/windows/application-management/app-v/appv-about-appv.md
index 91926ff30c..910454c958 100644
--- a/windows/application-management/app-v/appv-about-appv.md
+++ b/windows/application-management/app-v/appv-about-appv.md
@@ -42,7 +42,7 @@ Previous versions of App-V have required you to manually remove your unpublished
### App-V is now a feature in Windows 10
-With Windows 10, version 1607 and later releases, App-V is now included with [Windows 10 for Enterprise and Windows 10 for Education](https://www.microsoft.com/en-us/WindowsForBusiness/windows-product-home) and is no longer part of the Microsoft Desktop Optimization Pack.
+With Windows 10, version 1607 and later releases, App-V is now included with [Windows 10 for Enterprise and Windows 10 for Education](https://www.microsoft.com/WindowsForBusiness/windows-product-home) and is no longer part of the Microsoft Desktop Optimization Pack.
To learn more about earlier versions of App-V, see [MDOP Information Experience](https://docs.microsoft.com/microsoft-desktop-optimization-pack/index).
diff --git a/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md b/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md
index 3dbd5d0ae9..a913ce8a38 100644
--- a/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md
+++ b/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md
@@ -346,7 +346,7 @@ This process will recreate both the local and network locations for AppData and
In an App-V Full Infrastructure, after applications are sequenced they are managed and published to users or computers through the App-V Management and Publishing servers. This section details the operations that occur during the common App-V application lifecycle operations (Add, publishing, launch, upgrade, and removal) and the file and registry locations that are changed and modified from the App-V Client perspective. The App-V Client operations are input as PowerShell commands on the computer running the App-V Client.
-This document focuses on App-V Full Infrastructure solutions. For specific information on App-V Integration with Configuration Manager 2012, see [Integrating Virtual Application Management with App-V 5 and Configuration Manager 2012 SP1](https://www.microsoft.com/en-us/download/details.aspx?id=38177).
+This document focuses on App-V Full Infrastructure solutions. For specific information on App-V Integration with Configuration Manager 2012, see [Integrating Virtual Application Management with App-V 5 and Configuration Manager 2012 SP1](https://www.microsoft.com/download/details.aspx?id=38177).
The App-V application lifecycle tasks are triggered at user sign in (default), machine startup, or as background timed operations. The settings for the App-V Client operations, including Publishing Servers, refresh intervals, package script enablement, and others, are configured (after the client is enabled) with Windows PowerShell commands. See [App-V Client Configuration Settings: Windows PowerShell](appv-client-configuration-settings.md#app-v-client-configuration-settings-windows-powershell).
@@ -799,7 +799,7 @@ App-V packages contain the Manifest file inside of the App-V Package file, which
### Examples of dynamic configuration files
-The following example shows the combination of the Manifest, Deployment Configuration, and User Configuration files after publishing and during normal operation. These examples are abbreviated examples of each of the files. The purpose is show the combination of the files only, not to be a complete description of the specific categories available in each file. For more information, download the [App-V Sequencing Guide](https://www.microsoft.com/en-us/download/details.aspx?id=27760).
+The following example shows the combination of the Manifest, Deployment Configuration, and User Configuration files after publishing and during normal operation. These examples are abbreviated examples of each of the files. The purpose is show the combination of the files only, not to be a complete description of the specific categories available in each file. For more information, download the [App-V Sequencing Guide](https://www.microsoft.com/download/details.aspx?id=27760).
#### Manifest
diff --git a/windows/application-management/app-v/appv-auto-clean-unpublished-packages.md b/windows/application-management/app-v/appv-auto-clean-unpublished-packages.md
index 5af97d8c38..6e88aa4a89 100644
--- a/windows/application-management/app-v/appv-auto-clean-unpublished-packages.md
+++ b/windows/application-management/app-v/appv-auto-clean-unpublished-packages.md
@@ -62,5 +62,5 @@ Using Group Policy, you can turn on the **Enable automatic cleanup of unused App
## Related topics
- [Download the Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit)
-- [Download the Microsoft Application Virtualization 5.0 Client UI Application](https://www.microsoft.com/en-us/download/details.aspx?id=41186)
+- [Download the Microsoft Application Virtualization 5.0 Client UI Application](https://www.microsoft.com/download/details.aspx?id=41186)
- [Using the App-V Client Management Console](appv-using-the-client-management-console.md)
diff --git a/windows/application-management/app-v/appv-capacity-planning.md b/windows/application-management/app-v/appv-capacity-planning.md
index 3d117f1d01..099bcdf1c4 100644
--- a/windows/application-management/app-v/appv-capacity-planning.md
+++ b/windows/application-management/app-v/appv-capacity-planning.md
@@ -128,9 +128,9 @@ Computers running the App-V client connect to the App-V publishing server to sen
> [!IMPORTANT]
> The following list displays the main factors to consider when setting up the App-V publishing server:
-> * The number of clients connecting simultaneously to a single publishing server.
-> * The number of packages in each refresh.
-> * The available network bandwidth in your environment between the client and the App-V publishing server.
+> * The number of clients connecting simultaneously to a single publishing server.
+> * The number of packages in each refresh.
+> * The available network bandwidth in your environment between the client and the App-V publishing server.
|Scenario|Summary|
|---|---|
@@ -153,9 +153,9 @@ Computers running the App-V client stream the virtual application package from t
> [!IMPORTANT]
> The following list identifies the main factors to consider when setting up the App-V streaming server:
-> * The number of clients streaming application packages simultaneously from a single streaming server.
-> * The size of the package being streamed.
-> * The available network bandwidth in your environment between the client and the streaming server.
+> * The number of clients streaming application packages simultaneously from a single streaming server.
+> * The size of the package being streamed.
+> * The available network bandwidth in your environment between the client and the streaming server.
|Scenario|Summary|
|---|---|
diff --git a/windows/application-management/app-v/appv-connection-group-virtual-environment.md b/windows/application-management/app-v/appv-connection-group-virtual-environment.md
index 7fa1f3d1b5..ed2d425dc4 100644
--- a/windows/application-management/app-v/appv-connection-group-virtual-environment.md
+++ b/windows/application-management/app-v/appv-connection-group-virtual-environment.md
@@ -9,7 +9,7 @@ ms.prod: w10
ms.date: 06/25/2018
ms.reviewer:
manager: dansimp
-ms.author: lomayor
+ms.author: dansimp
ms.topic: article
---
# About the connection group virtual environment
diff --git a/windows/application-management/app-v/appv-convert-a-package-created-in-a-previous-version-of-appv.md b/windows/application-management/app-v/appv-convert-a-package-created-in-a-previous-version-of-appv.md
index b6228dd6cd..794615f010 100644
--- a/windows/application-management/app-v/appv-convert-a-package-created-in-a-previous-version-of-appv.md
+++ b/windows/application-management/app-v/appv-convert-a-package-created-in-a-previous-version-of-appv.md
@@ -9,7 +9,7 @@ ms.prod: w10
ms.date: 07/10/2018
ms.reviewer:
manager: dansimp
-ms.author: lomayor
+ms.author: dansimp
ms.topic: article
---
# How to convert a package created in a previous version of App-V
diff --git a/windows/application-management/app-v/appv-create-a-connection-group-with-user-published-and-globally-published-packages.md b/windows/application-management/app-v/appv-create-a-connection-group-with-user-published-and-globally-published-packages.md
index c7df167fba..312adeb09b 100644
--- a/windows/application-management/app-v/appv-create-a-connection-group-with-user-published-and-globally-published-packages.md
+++ b/windows/application-management/app-v/appv-create-a-connection-group-with-user-published-and-globally-published-packages.md
@@ -9,7 +9,7 @@ ms.prod: w10
ms.date: 07/10/2018
ms.reviewer:
manager: dansimp
-ms.author: lomayor
+ms.author: dansimp
ms.topic: article
---
# How to create a connection croup with user-published and globally published packages
diff --git a/windows/application-management/app-v/appv-create-a-connection-group.md b/windows/application-management/app-v/appv-create-a-connection-group.md
index 2dca44be85..9f08b25b41 100644
--- a/windows/application-management/app-v/appv-create-a-connection-group.md
+++ b/windows/application-management/app-v/appv-create-a-connection-group.md
@@ -9,7 +9,7 @@ ms.prod: w10
ms.date: 07/10/2018
ms.reviewer:
manager: dansimp
-ms.author: lomayor
+ms.author: dansimp
ms.topic: article
---
# How to create a connection group
diff --git a/windows/application-management/app-v/appv-create-a-custom-configuration-file-with-the-management-console.md b/windows/application-management/app-v/appv-create-a-custom-configuration-file-with-the-management-console.md
index 098316aee4..273b520a59 100644
--- a/windows/application-management/app-v/appv-create-a-custom-configuration-file-with-the-management-console.md
+++ b/windows/application-management/app-v/appv-create-a-custom-configuration-file-with-the-management-console.md
@@ -9,7 +9,7 @@ ms.prod: w10
ms.date: 07/10/2018
ms.reviewer:
manager: dansimp
-ms.author: lomayor
+ms.author: dansimp
ms.topic: article
---
# How to create a custom configuration file by using the App-V Management Console
diff --git a/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md b/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md
index a33e8e481a..fb72cbc762 100644
--- a/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md
+++ b/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md
@@ -9,7 +9,7 @@ ms.prod: w10
ms.date: 07/10/2018
ms.reviewer:
manager: dansimp
-ms.author: lomayor
+ms.author: dansimp
ms.topic: article
---
# How to create a package accelerator by using Windows PowerShell
diff --git a/windows/application-management/app-v/appv-create-a-package-accelerator.md b/windows/application-management/app-v/appv-create-a-package-accelerator.md
index e16200acad..7f2ec6c3c5 100644
--- a/windows/application-management/app-v/appv-create-a-package-accelerator.md
+++ b/windows/application-management/app-v/appv-create-a-package-accelerator.md
@@ -9,7 +9,7 @@ ms.prod: w10
ms.date: 07/10/2018
ms.reviewer:
manager: dansimp
-ms.author: lomayor
+ms.author: dansimp
ms.topic: article
---
# How to create a package accelerator
diff --git a/windows/application-management/app-v/appv-create-a-virtual-application-package-package-accelerator.md b/windows/application-management/app-v/appv-create-a-virtual-application-package-package-accelerator.md
index 936ec0bf29..c6983aab02 100644
--- a/windows/application-management/app-v/appv-create-a-virtual-application-package-package-accelerator.md
+++ b/windows/application-management/app-v/appv-create-a-virtual-application-package-package-accelerator.md
@@ -9,7 +9,7 @@ ms.prod: w10
ms.date: 07/10/2018
ms.reviewer:
manager: dansimp
-ms.author: lomayor
+ms.author: dansimp
ms.topic: article
---
# How to create a virtual application package using an App-V Package Accelerator
diff --git a/windows/application-management/app-v/appv-create-and-use-a-project-template.md b/windows/application-management/app-v/appv-create-and-use-a-project-template.md
index 5e2bef4061..54aa412604 100644
--- a/windows/application-management/app-v/appv-create-and-use-a-project-template.md
+++ b/windows/application-management/app-v/appv-create-and-use-a-project-template.md
@@ -9,7 +9,7 @@ ms.prod: w10
ms.date: 07/10/2018
ms.reviewer:
manager: dansimp
-ms.author: lomayor
+ms.author: dansimp
ms.topic: article
---
# Create and apply an App-V project template to a sequenced App-V package
diff --git a/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md b/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md
index 66e540afb8..197cff66cb 100644
--- a/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md
+++ b/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md
@@ -9,7 +9,7 @@ ms.prod: w10
ms.date: 04/18/2018
ms.reviewer:
manager: dansimp
-ms.author: lomayor
+ms.author: dansimp
ms.topic: article
---
# Creating and managing App-V virtualized applications
diff --git a/windows/application-management/app-v/appv-customize-virtual-application-extensions-with-the-management-console.md b/windows/application-management/app-v/appv-customize-virtual-application-extensions-with-the-management-console.md
index d1a19673a2..aae5ad7d4c 100644
--- a/windows/application-management/app-v/appv-customize-virtual-application-extensions-with-the-management-console.md
+++ b/windows/application-management/app-v/appv-customize-virtual-application-extensions-with-the-management-console.md
@@ -9,7 +9,7 @@ ms.prod: w10
ms.date: 07/10/2018
ms.reviewer:
manager: dansimp
-ms.author: lomayor
+ms.author: dansimp
ms.topic: article
---
# How to customize virtual applications extensions for a specific AD group by using the Management Console
diff --git a/windows/application-management/app-v/appv-delete-a-connection-group.md b/windows/application-management/app-v/appv-delete-a-connection-group.md
index cce79c8074..9747e3066d 100644
--- a/windows/application-management/app-v/appv-delete-a-connection-group.md
+++ b/windows/application-management/app-v/appv-delete-a-connection-group.md
@@ -9,7 +9,7 @@ ms.prod: w10
ms.date: 09/27/2018
ms.reviewer:
manager: dansimp
-ms.author: lomayor
+ms.author: dansimp
ms.topic: article
---
# How to delete a connection group
diff --git a/windows/application-management/app-v/appv-delete-a-package-with-the-management-console.md b/windows/application-management/app-v/appv-delete-a-package-with-the-management-console.md
index efb08e96ef..3b5027c30b 100644
--- a/windows/application-management/app-v/appv-delete-a-package-with-the-management-console.md
+++ b/windows/application-management/app-v/appv-delete-a-package-with-the-management-console.md
@@ -9,7 +9,7 @@ ms.prod: w10
ms.date: 09/27/2018
ms.reviewer:
manager: dansimp
-ms.author: lomayor
+ms.author: dansimp
ms.topic: article
---
# How to delete a package in the Management Console
diff --git a/windows/application-management/app-v/appv-deploy-appv-databases-with-sql-scripts.md b/windows/application-management/app-v/appv-deploy-appv-databases-with-sql-scripts.md
index a8d4e50173..fa0a2dca44 100644
--- a/windows/application-management/app-v/appv-deploy-appv-databases-with-sql-scripts.md
+++ b/windows/application-management/app-v/appv-deploy-appv-databases-with-sql-scripts.md
@@ -9,7 +9,7 @@ ms.prod: w10
ms.date: 04/18/2018
ms.reviewer:
manager: dansimp
-ms.author: lomayor
+ms.author: dansimp
ms.topic: article
---
# How to deploy the App-V databases by using SQL scripts
diff --git a/windows/application-management/app-v/appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md b/windows/application-management/app-v/appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md
index f71def779b..0c013faf96 100644
--- a/windows/application-management/app-v/appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md
+++ b/windows/application-management/app-v/appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md
@@ -9,7 +9,7 @@ ms.prod: w10
ms.date: 09/27/2018
ms.reviewer:
manager: dansimp
-ms.author: lomayor
+ms.author: dansimp
ms.topic: article
---
# How to deploy App-V packages using electronic software distribution
diff --git a/windows/application-management/app-v/appv-deploy-the-appv-server-with-a-script.md b/windows/application-management/app-v/appv-deploy-the-appv-server-with-a-script.md
index a2d5fcd633..9ee527503b 100644
--- a/windows/application-management/app-v/appv-deploy-the-appv-server-with-a-script.md
+++ b/windows/application-management/app-v/appv-deploy-the-appv-server-with-a-script.md
@@ -9,7 +9,7 @@ ms.prod: w10
ms.date: 04/18/2018
ms.reviewer:
manager: dansimp
-ms.author: lomayor
+ms.author: dansimp
ms.topic: article
---
# How to deploy the App-V server using a script
diff --git a/windows/application-management/app-v/appv-deploy-the-appv-server.md b/windows/application-management/app-v/appv-deploy-the-appv-server.md
index 79a0d77597..d30cf24d63 100644
--- a/windows/application-management/app-v/appv-deploy-the-appv-server.md
+++ b/windows/application-management/app-v/appv-deploy-the-appv-server.md
@@ -9,7 +9,7 @@ ms.prod: w10
ms.date: 04/18/2018
ms.reviewer:
manager: dansimp
-ms.author: lomayor
+ms.author: dansimp
ms.topic: article
---
# How to Deploy the App-V Server (new installation)
@@ -32,7 +32,7 @@ ms.topic: article
1. Download the App-V server components. All five App-V server components are included in the Microsoft Desktop Optimization Pack (MDOP) 2015 ISO package, which can be downloaded from either of the following locations:
* The [MSDN (Microsoft Developer Network) subscriptions site](https://msdn.microsoft.com/subscriptions/downloads/default.aspx#FileId=65215). You must have a MSDN subscription to download the MDOP ISO package from this site.
- * The [Volume Licensing Service Center](https://www.microsoft.com/en-us/licensing/default.aspx) if you're using [Windows 10 for Enterprise or Education](https://www.microsoft.com/en-us/WindowsForBusiness/windows-product-home).
+ * The [Volume Licensing Service Center](https://www.microsoft.com/licensing/default.aspx) if you're using [Windows 10 for Enterprise or Education](https://www.microsoft.com/WindowsForBusiness/windows-product-home).
2. Copy the App-V server installation files to the computer on which you want to install it.
3. Start the App-V server installation by right-clicking and running **appv\_server\_setup.exe** as an administrator, and then click **Install**.
4. Review and accept the license terms, and choose whether to enable Microsoft updates.
diff --git a/windows/application-management/app-v/appv-deploying-appv.md b/windows/application-management/app-v/appv-deploying-appv.md
index ee60adece8..d71a0f0476 100644
--- a/windows/application-management/app-v/appv-deploying-appv.md
+++ b/windows/application-management/app-v/appv-deploying-appv.md
@@ -9,7 +9,7 @@ ms.prod: w10
ms.date: 04/18/2018
ms.reviewer:
manager: dansimp
-ms.author: lomayor
+ms.author: dansimp
ms.topic: article
---
# Deploying App-V for Windows 10
diff --git a/windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md b/windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md
index 126da2945c..eb84b6e2b7 100644
--- a/windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md
+++ b/windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md
@@ -9,7 +9,7 @@ ms.prod: w10
ms.date: 04/18/2018
ms.reviewer:
manager: dansimp
-ms.author: lomayor
+ms.author: dansimp
ms.topic: article
---
# Deploying Microsoft Office 2010 by Using App-V
@@ -86,7 +86,7 @@ The following table provides a full list of supported integration points for Off
### Office 2010 App-V Packages
-* [Microsoft Office 2010 Sequencing Kit for Microsoft Application Virtualization 5.0](https://www.microsoft.com/en-us/download/details.aspx?id=38399)
+* [Microsoft Office 2010 Sequencing Kit for Microsoft Application Virtualization 5.0](https://www.microsoft.com/download/details.aspx?id=38399)
* [Known issues when you create or use an App-V 5.0 Office 2010 package](https://support.microsoft.com/kb/2828619)
* [How To Sequence Microsoft Office 2010 in Microsoft Application Virtualization 5.0](https://support.microsoft.com/kb/2830069)
diff --git a/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md b/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md
index 2b22d0a46a..6fa996507f 100644
--- a/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md
+++ b/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md
@@ -9,7 +9,7 @@ ms.prod: w10
ms.date: 04/18/2018
ms.reviewer:
manager: dansimp
-ms.author: lomayor
+ms.author: dansimp
ms.topic: article
---
# Deploying Microsoft Office 2013 by Using App-V
diff --git a/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md b/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md
index f9239225d9..ce7303bbf8 100644
--- a/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md
+++ b/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md
@@ -9,7 +9,7 @@ ms.prod: w10
ms.date: 04/18/2018
ms.reviewer:
manager: dansimp
-ms.author: lomayor
+ms.author: dansimp
ms.topic: article
---
# Deploying Microsoft Office 2016 by using App-V
diff --git a/windows/application-management/app-v/appv-deploying-packages-with-electronic-software-distribution-solutions.md b/windows/application-management/app-v/appv-deploying-packages-with-electronic-software-distribution-solutions.md
index 0bc8d491a1..37adcaae5e 100644
--- a/windows/application-management/app-v/appv-deploying-packages-with-electronic-software-distribution-solutions.md
+++ b/windows/application-management/app-v/appv-deploying-packages-with-electronic-software-distribution-solutions.md
@@ -9,7 +9,7 @@ ms.prod: w10
ms.date: 09/27/2018
ms.reviewer:
manager: dansimp
-ms.author: lomayor
+ms.author: dansimp
ms.topic: article
---
# Deploying App-V packages by using electronic software distribution (ESD)
@@ -30,7 +30,7 @@ To learn how to configure the App-V client to enable only administrators to publ
## Related topics
-- [App-V and Citrix integration](https://www.microsoft.com/en-us/download/details.aspx?id=40885)
+- [App-V and Citrix integration](https://www.microsoft.com/download/details.aspx?id=40885)
- [Operations for App-V](appv-operations.md)
diff --git a/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client.md b/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client.md
index b1535ba7a9..4edf732dd1 100644
--- a/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client.md
+++ b/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client.md
@@ -9,7 +9,7 @@ ms.prod: w10
ms.date: 04/18/2018
ms.reviewer:
manager: dansimp
-ms.author: lomayor
+ms.author: dansimp
ms.topic: article
---
# Deploying the App-V Sequencer and configuring the client
diff --git a/windows/application-management/app-v/appv-deploying-the-appv-server.md b/windows/application-management/app-v/appv-deploying-the-appv-server.md
index ae16a7025e..576764fb91 100644
--- a/windows/application-management/app-v/appv-deploying-the-appv-server.md
+++ b/windows/application-management/app-v/appv-deploying-the-appv-server.md
@@ -9,7 +9,7 @@ ms.prod: w10
ms.date: 04/18/2018
ms.reviewer:
manager: dansimp
-ms.author: lomayor
+ms.author: dansimp
ms.topic: article
---
# Deploying the App-V server
@@ -45,7 +45,7 @@ App-V offers the following five server components, each of which serves a specif
All five App-V server components are included in the Microsoft Desktop Optimization Pack (MDOP) 2015 ISO package, which can be downloaded from either of the following locations:
* The [MSDN (Microsoft Developer Network) subscriptions site](https://msdn.microsoft.com/subscriptions/downloads/default.aspx#FileId=65215). You must have a MSDN subscription to download the MDOP ISO package from this site.
-* The [Volume Licensing Service Center](https://www.microsoft.com/en-us/licensing/default.aspx) if you're using [Windows 10 for Enterprise or Education](https://www.microsoft.com/en-us/WindowsForBusiness/windows-product-home).
+* The [Volume Licensing Service Center](https://www.microsoft.com/licensing/default.aspx) if you're using [Windows 10 for Enterprise or Education](https://www.microsoft.com/WindowsForBusiness/windows-product-home).
In large organizations, you might want to install more than one instance of the server components to get the following benefits.
diff --git a/windows/application-management/app-v/appv-deployment-checklist.md b/windows/application-management/app-v/appv-deployment-checklist.md
index da297a75ef..bb97e27472 100644
--- a/windows/application-management/app-v/appv-deployment-checklist.md
+++ b/windows/application-management/app-v/appv-deployment-checklist.md
@@ -9,7 +9,7 @@ ms.prod: w10
ms.date: 04/18/2018
ms.reviewer:
manager: dansimp
-ms.author: lomayor
+ms.author: dansimp
ms.topic: article
---
# App-V Deployment Checklist
diff --git a/windows/application-management/app-v/appv-dynamic-configuration.md b/windows/application-management/app-v/appv-dynamic-configuration.md
index 61c8be02a4..13a82055b6 100644
--- a/windows/application-management/app-v/appv-dynamic-configuration.md
+++ b/windows/application-management/app-v/appv-dynamic-configuration.md
@@ -9,7 +9,7 @@ ms.prod: w10
ms.date: 09/27/2018
ms.reviewer:
manager: dansimp
-ms.author: lomayor
+ms.author: dansimp
ms.topic: article
---
# About App-V dynamic configuration
diff --git a/windows/application-management/app-v/appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md b/windows/application-management/app-v/appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md
index 007503ac03..656f0264ce 100644
--- a/windows/application-management/app-v/appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md
+++ b/windows/application-management/app-v/appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md
@@ -9,7 +9,7 @@ ms.prod: w10
ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
-ms.author: lomayor
+ms.author: dansimp
ms.topic: article
---
# How to enable only administrators to publish packages by using an ESD
diff --git a/windows/application-management/app-v/appv-enable-reporting-on-the-appv-client-with-powershell.md b/windows/application-management/app-v/appv-enable-reporting-on-the-appv-client-with-powershell.md
index cbaef2e7a4..39a072c558 100644
--- a/windows/application-management/app-v/appv-enable-reporting-on-the-appv-client-with-powershell.md
+++ b/windows/application-management/app-v/appv-enable-reporting-on-the-appv-client-with-powershell.md
@@ -9,7 +9,7 @@ ms.prod: w10
ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
-ms.author: lomayor
+ms.author: dansimp
ms.topic: article
---
# How to Enable Reporting on the App-V Client by Using Windows PowerShell
diff --git a/windows/application-management/app-v/appv-enable-the-app-v-desktop-client.md b/windows/application-management/app-v/appv-enable-the-app-v-desktop-client.md
index 39b561ebe4..d9644226fb 100644
--- a/windows/application-management/app-v/appv-enable-the-app-v-desktop-client.md
+++ b/windows/application-management/app-v/appv-enable-the-app-v-desktop-client.md
@@ -9,7 +9,7 @@ ms.prod: w10
ms.date: 04/18/2018
ms.reviewer:
manager: dansimp
-ms.author: lomayor
+ms.author: dansimp
ms.topic: article
---
# Enable the App-V in-box client
diff --git a/windows/application-management/app-v/appv-evaluating-appv.md b/windows/application-management/app-v/appv-evaluating-appv.md
index 6381b20416..df7f76ca07 100644
--- a/windows/application-management/app-v/appv-evaluating-appv.md
+++ b/windows/application-management/app-v/appv-evaluating-appv.md
@@ -9,7 +9,7 @@ ms.prod: w10
ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
-ms.author: lomayor
+ms.author: dansimp
---
diff --git a/windows/application-management/app-v/appv-for-windows.md b/windows/application-management/app-v/appv-for-windows.md
index c05dd40169..459032925c 100644
--- a/windows/application-management/app-v/appv-for-windows.md
+++ b/windows/application-management/app-v/appv-for-windows.md
@@ -9,7 +9,7 @@ ms.prod: w10
ms.date: 09/27/2018
ms.reviewer:
manager: dansimp
-ms.author: lomayor
+ms.author: dansimp
ms.topic: article
---
# Application Virtualization (App-V) for Windows 10 overview
diff --git a/windows/application-management/app-v/appv-getting-started.md b/windows/application-management/app-v/appv-getting-started.md
index a05b56167e..1b1f6592d5 100644
--- a/windows/application-management/app-v/appv-getting-started.md
+++ b/windows/application-management/app-v/appv-getting-started.md
@@ -9,7 +9,7 @@ ms.prod: w10
ms.date: 04/18/2018
ms.reviewer:
manager: dansimp
-ms.author: lomayor
+ms.author: dansimp
ms.topic: article
---
# Getting started with App-V for Windows 10
@@ -18,7 +18,7 @@ ms.topic: article
Microsoft Application Virtualization (App-V) for Windows 10 delivers Win32 applications to users as virtual applications. Virtual applications are installed on centrally managed servers and delivered to users as a service in real time and on an as-needed basis. Users launch virtual applications from familiar access points and interact with them as if they were installed locally.
-With the release of Windows 10, version 1607, App-V is included with the [Windows 10 for Enterprise edition](https://www.microsoft.com/en-us/WindowsForBusiness/windows-for-enterprise). If you're new to Windows 10 and App-V, you’ll need to download, activate, and install server- and client-side components to start delivering virtual applications to users. To learn what you need to know before getting started with App-V, see the [Application Virtualization (App-V) overview](appv-for-windows.md).
+With the release of Windows 10, version 1607, App-V is included with the [Windows 10 for Enterprise edition](https://www.microsoft.com/WindowsForBusiness/windows-for-enterprise). If you're new to Windows 10 and App-V, you’ll need to download, activate, and install server- and client-side components to start delivering virtual applications to users. To learn what you need to know before getting started with App-V, see the [Application Virtualization (App-V) overview](appv-for-windows.md).
If you’re already using App-V, performing an in-place upgrade to Windows 10 on user devices automatically installs the App-V client and migrates users’ App-V applications and settings. For more information about how to configure an existing App-V installation after upgrading user devices to Windows 10, see [Upgrading to App-V for Windows 10 from an existing installation](appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md).
@@ -35,13 +35,13 @@ To start using App-V to deliver virtual applications to users, you’ll need to
| Component | What it does | Where to find it |
|------------|--|------|
-| App-V server components | App-V offers five server components that work together to allow you to host and publish virtual applications, generate usage reports, and manage your App-V environment. For more details, see [Deploying the App-V Server](appv-deploying-the-appv-server.md).
If you're already using App-V 5.x, you don't need to redeploy the App-V server components, as they haven't changed since App-V 5.0's release. | The App-V server components are included in the Microsoft Desktop Optimization Pack (MDOP) 2015 ISO package that can be downloaded from the following locations:
If you have a Microsoft Developer Network (MSDN) subscription, use the [MSDN (Microsoft Developer Network) subscriptions site](https://msdn.microsoft.com/subscriptions/downloads/default.aspx#FileId=65215) to download the MDOP ISO package.
If you're using [Windows 10 for Enterprise or Education](https://www.microsoft.com/en-us/WindowsForBusiness/windows-product-home), download it from the [Volume Licensing Service Center](https://www.microsoft.com/en-us/licensing/default.aspx).
See [Deploying the App-V Server](appv-deploying-the-appv-server.md) for more information about installing and using the server components.|
+| App-V server components | App-V offers five server components that work together to allow you to host and publish virtual applications, generate usage reports, and manage your App-V environment. For more details, see [Deploying the App-V Server](appv-deploying-the-appv-server.md).
If you're already using App-V 5.x, you don't need to redeploy the App-V server components, as they haven't changed since App-V 5.0's release. | The App-V server components are included in the Microsoft Desktop Optimization Pack (MDOP) 2015 ISO package that can be downloaded from the following locations:
If you have a Microsoft Developer Network (MSDN) subscription, use the [MSDN (Microsoft Developer Network) subscriptions site](https://msdn.microsoft.com/subscriptions/downloads/default.aspx#FileId=65215) to download the MDOP ISO package.
If you're using [Windows 10 for Enterprise or Education](https://www.microsoft.com/WindowsForBusiness/windows-product-home), download it from the [Volume Licensing Service Center](https://www.microsoft.com/licensing/default.aspx).
See [Deploying the App-V Server](appv-deploying-the-appv-server.md) for more information about installing and using the server components.|
| App-V client and App-V Remote Desktop Services (RDS) client | The App-V client is the component that runs virtualized applications on user devices, allowing users to interact with icons and file names to start virtualized applications. | The App-V client is automatically installed with Windows 10, version 1607.
To learn how to enable the client, see [Enable the App-V desktop client](appv-enable-the-app-v-desktop-client.md). |
| App-V sequencer | Use the App-V sequencer to convert Win32 applications into virtual packages for deployment to user devices. Devices must run the App-V client to allow users to interact with virtual applications. | Installed with the [Windows Assessment and Deployment kit (ADK) for Windows 10, version 1607](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit). |
For more information about these components, see [High Level Architecture for App-V](appv-high-level-architecture.md).
-If you're new to App-V, it's a good idea to read the documentation thoroughly. Before deploying App-V in a production environment, you can ensure installation goes smoothly by validating your deployment plan in a test network environment. You might also consider taking a class about relevant technologies. To get started, see the [Microsoft Training Overview](https://www.microsoft.com/en-us/learning/default.aspx).
+If you're new to App-V, it's a good idea to read the documentation thoroughly. Before deploying App-V in a production environment, you can ensure installation goes smoothly by validating your deployment plan in a test network environment. You might also consider taking a class about relevant technologies. To get started, see the [Microsoft Training Overview](https://www.microsoft.com/learning/default.aspx).
## Getting started with App-V
diff --git a/windows/application-management/app-v/appv-high-level-architecture.md b/windows/application-management/app-v/appv-high-level-architecture.md
index a74cef34c4..ab25607096 100644
--- a/windows/application-management/app-v/appv-high-level-architecture.md
+++ b/windows/application-management/app-v/appv-high-level-architecture.md
@@ -9,7 +9,7 @@ ms.prod: w10
ms.date: 04/18/2018
ms.reviewer:
manager: dansimp
-ms.author: lomayor
+ms.author: dansimp
ms.topic: article
---
# High-level architecture for App-V
diff --git a/windows/application-management/app-v/appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md b/windows/application-management/app-v/appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md
index f4075f53b1..82b6545be6 100644
--- a/windows/application-management/app-v/appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md
+++ b/windows/application-management/app-v/appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md
@@ -9,7 +9,7 @@ ms.prod: w10
ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
-ms.author: lomayor
+ms.author: dansimp
---
diff --git a/windows/application-management/app-v/appv-install-the-management-and-reporting-databases-on-separate-computers.md b/windows/application-management/app-v/appv-install-the-management-and-reporting-databases-on-separate-computers.md
index 30f57f3cb7..ffffedff20 100644
--- a/windows/application-management/app-v/appv-install-the-management-and-reporting-databases-on-separate-computers.md
+++ b/windows/application-management/app-v/appv-install-the-management-and-reporting-databases-on-separate-computers.md
@@ -9,7 +9,7 @@ ms.prod: w10
ms.date: 04/18/2018
ms.reviewer:
manager: dansimp
-ms.author: lomayor
+ms.author: dansimp
ms.topic: article
---
# How to Install the Management and Reporting Databases on separate computers from the Management and Reporting Services
diff --git a/windows/application-management/app-v/appv-install-the-management-server-on-a-standalone-computer.md b/windows/application-management/app-v/appv-install-the-management-server-on-a-standalone-computer.md
index 314545131f..44e1be2801 100644
--- a/windows/application-management/app-v/appv-install-the-management-server-on-a-standalone-computer.md
+++ b/windows/application-management/app-v/appv-install-the-management-server-on-a-standalone-computer.md
@@ -9,7 +9,7 @@ ms.prod: w10
ms.date: 04/18/2018
ms.reviewer:
manager: dansimp
-ms.author: lomayor
+ms.author: dansimp
ms.topic: article
---
# How to install the Management Server on a Standalone Computer and Connect it to the Database
diff --git a/windows/application-management/app-v/appv-install-the-publishing-server-on-a-remote-computer.md b/windows/application-management/app-v/appv-install-the-publishing-server-on-a-remote-computer.md
index c2f081dd15..87ee2f267a 100644
--- a/windows/application-management/app-v/appv-install-the-publishing-server-on-a-remote-computer.md
+++ b/windows/application-management/app-v/appv-install-the-publishing-server-on-a-remote-computer.md
@@ -9,7 +9,7 @@ ms.prod: w10
ms.date: 04/18/2018
ms.reviewer:
manager: dansimp
-ms.author: lomayor
+ms.author: dansimp
ms.topic: article
---
# How to install the publishing server on a remote computer
diff --git a/windows/application-management/app-v/appv-install-the-reporting-server-on-a-standalone-computer.md b/windows/application-management/app-v/appv-install-the-reporting-server-on-a-standalone-computer.md
index a0a7912e96..d476fda616 100644
--- a/windows/application-management/app-v/appv-install-the-reporting-server-on-a-standalone-computer.md
+++ b/windows/application-management/app-v/appv-install-the-reporting-server-on-a-standalone-computer.md
@@ -9,7 +9,7 @@ ms.prod: w10
ms.date: 04/18/2018
ms.reviewer:
manager: dansimp
-ms.author: lomayor
+ms.author: dansimp
ms.topic: article
---
# How to install the reporting server on a standalone computer and connect it to the database
diff --git a/windows/application-management/app-v/appv-install-the-sequencer.md b/windows/application-management/app-v/appv-install-the-sequencer.md
index 6fe3e63862..93180520e7 100644
--- a/windows/application-management/app-v/appv-install-the-sequencer.md
+++ b/windows/application-management/app-v/appv-install-the-sequencer.md
@@ -9,7 +9,7 @@ ms.prod: w10
ms.date: 04/18/2018
ms.reviewer:
manager: dansimp
-ms.author: lomayor
+ms.author: dansimp
ms.topic: article
---
# Install the App-V Sequencer
diff --git a/windows/application-management/app-v/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md b/windows/application-management/app-v/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md
index a4597fb812..bc8cd9361e 100644
--- a/windows/application-management/app-v/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md
+++ b/windows/application-management/app-v/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md
@@ -9,7 +9,7 @@ ms.prod: w10
ms.date: 09/27/2018
ms.reviewer:
manager: dansimp
-ms.author: lomayor
+ms.author: dansimp
ms.topic: article
---
# How to load the Windows PowerShell cmdlets for App-V and get cmdlet help
diff --git a/windows/application-management/app-v/appv-maintaining-appv.md b/windows/application-management/app-v/appv-maintaining-appv.md
index 65f4a157a0..3b54154537 100644
--- a/windows/application-management/app-v/appv-maintaining-appv.md
+++ b/windows/application-management/app-v/appv-maintaining-appv.md
@@ -9,7 +9,7 @@ ms.prod: w10
ms.date: 09/27/2018
ms.reviewer:
manager: dansimp
-ms.author: lomayor
+ms.author: dansimp
ms.topic: article
---
# Maintaining App-V
diff --git a/windows/application-management/app-v/appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md b/windows/application-management/app-v/appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md
index f0f0b0ad03..c7f1214405 100644
--- a/windows/application-management/app-v/appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md
+++ b/windows/application-management/app-v/appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md
@@ -9,7 +9,7 @@ ms.prod: w10
ms.date: 09/24/2018
ms.reviewer:
manager: dansimp
-ms.author: lomayor
+ms.author: dansimp
ms.topic: article
---
# How to manage App-V packages running on a stand-alone computer by using Windows PowerShell
diff --git a/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md b/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md
index c3653ce3be..d4e01266f8 100644
--- a/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md
+++ b/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md
@@ -9,7 +9,7 @@ ms.prod: w10
ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
-ms.author: lomayor
+ms.author: dansimp
---
diff --git a/windows/application-management/app-v/appv-managing-connection-groups.md b/windows/application-management/app-v/appv-managing-connection-groups.md
index 76ced5b4de..5a94cbc421 100644
--- a/windows/application-management/app-v/appv-managing-connection-groups.md
+++ b/windows/application-management/app-v/appv-managing-connection-groups.md
@@ -9,7 +9,7 @@ ms.prod: w10
ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
-ms.author: lomayor
+ms.author: dansimp
---
diff --git a/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md b/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md
index cd519bf28a..dff030f470 100644
--- a/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md
+++ b/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md
@@ -9,7 +9,7 @@ ms.prod: w10
ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
-ms.author: lomayor
+ms.author: dansimp
---
diff --git a/windows/application-management/app-v/appv-modify-an-existing-virtual-application-package.md b/windows/application-management/app-v/appv-modify-an-existing-virtual-application-package.md
index a783bac0cb..e2cb4eca48 100644
--- a/windows/application-management/app-v/appv-modify-an-existing-virtual-application-package.md
+++ b/windows/application-management/app-v/appv-modify-an-existing-virtual-application-package.md
@@ -9,7 +9,7 @@ ms.prod: w10
ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
-ms.author: lomayor
+ms.author: dansimp
---
diff --git a/windows/application-management/app-v/appv-modify-client-configuration-with-powershell.md b/windows/application-management/app-v/appv-modify-client-configuration-with-powershell.md
index 11bcc0117b..7fe2f3896f 100644
--- a/windows/application-management/app-v/appv-modify-client-configuration-with-powershell.md
+++ b/windows/application-management/app-v/appv-modify-client-configuration-with-powershell.md
@@ -9,7 +9,7 @@ ms.prod: w10
ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
-ms.author: lomayor
+ms.author: dansimp
---
diff --git a/windows/application-management/app-v/appv-move-the-appv-server-to-another-computer.md b/windows/application-management/app-v/appv-move-the-appv-server-to-another-computer.md
index de47148927..5305207fe6 100644
--- a/windows/application-management/app-v/appv-move-the-appv-server-to-another-computer.md
+++ b/windows/application-management/app-v/appv-move-the-appv-server-to-another-computer.md
@@ -9,7 +9,7 @@ ms.prod: w10
ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
-ms.author: lomayor
+ms.author: dansimp
---
diff --git a/windows/application-management/app-v/appv-operations.md b/windows/application-management/app-v/appv-operations.md
index d5f38d7982..c45c9ab9cf 100644
--- a/windows/application-management/app-v/appv-operations.md
+++ b/windows/application-management/app-v/appv-operations.md
@@ -9,7 +9,7 @@ ms.prod: w10
ms.date: 04/18/2018
ms.reviewer:
manager: dansimp
-ms.author: lomayor
+ms.author: dansimp
ms.topic: article
---
# Operations for App-V
diff --git a/windows/application-management/app-v/appv-performance-guidance.md b/windows/application-management/app-v/appv-performance-guidance.md
index 40047a8bd9..65ccf02292 100644
--- a/windows/application-management/app-v/appv-performance-guidance.md
+++ b/windows/application-management/app-v/appv-performance-guidance.md
@@ -9,7 +9,7 @@ ms.prod: w10
ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
-ms.author: lomayor
+ms.author: dansimp
---
@@ -31,7 +31,7 @@ You should read and understand the following information before reading this doc
- [Application Publishing and Client Interaction](appv-application-publishing-and-client-interaction.md)
-- [App-V Sequencing Guide](https://www.microsoft.com/en-us/download/details.aspx?id=27760)
+- [App-V Sequencing Guide](https://www.microsoft.com/download/details.aspx?id=27760)
**Note**
Some terms used in this document may have different meanings depending on external source and context. For more information about terms used in this document followed by an asterisk * review the [Application Virtualization Performance Guidance Terminology](#bkmk-terms1) section of this document.
diff --git a/windows/application-management/app-v/appv-planning-checklist.md b/windows/application-management/app-v/appv-planning-checklist.md
index dc6488afb9..edaf668a89 100644
--- a/windows/application-management/app-v/appv-planning-checklist.md
+++ b/windows/application-management/app-v/appv-planning-checklist.md
@@ -9,7 +9,7 @@ ms.prod: w10
ms.date: 04/18/2018
ms.reviewer:
manager: dansimp
-ms.author: lomayor
+ms.author: dansimp
ms.topic: article
---
# App-V Planning Checklist
diff --git a/windows/application-management/app-v/appv-planning-folder-redirection-with-appv.md b/windows/application-management/app-v/appv-planning-folder-redirection-with-appv.md
index 3a1d781f17..c9c570009a 100644
--- a/windows/application-management/app-v/appv-planning-folder-redirection-with-appv.md
+++ b/windows/application-management/app-v/appv-planning-folder-redirection-with-appv.md
@@ -9,7 +9,7 @@ ms.prod: w10
ms.date: 04/18/2018
ms.reviewer:
manager: dansimp
-ms.author: lomayor
+ms.author: dansimp
ms.topic: article
---
# Planning to Use Folder Redirection with App-V
diff --git a/windows/application-management/app-v/appv-planning-for-appv-server-deployment.md b/windows/application-management/app-v/appv-planning-for-appv-server-deployment.md
index 289e32ec6f..eaf7729f22 100644
--- a/windows/application-management/app-v/appv-planning-for-appv-server-deployment.md
+++ b/windows/application-management/app-v/appv-planning-for-appv-server-deployment.md
@@ -9,7 +9,7 @@ ms.prod: w10
ms.date: 04/18/2018
ms.reviewer:
manager: dansimp
-ms.author: lomayor
+ms.author: dansimp
ms.topic: article
---
# Planning for the App-V server deployment
diff --git a/windows/application-management/app-v/appv-planning-for-appv.md b/windows/application-management/app-v/appv-planning-for-appv.md
index 175946673a..d54d848a2c 100644
--- a/windows/application-management/app-v/appv-planning-for-appv.md
+++ b/windows/application-management/app-v/appv-planning-for-appv.md
@@ -9,7 +9,7 @@ ms.prod: w10
ms.date: 04/18/2018
ms.reviewer:
manager: dansimp
-ms.author: lomayor
+ms.author: dansimp
ms.topic: article
---
# Planning for App-V
diff --git a/windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md b/windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md
index e6167f8707..af66e545e4 100644
--- a/windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md
+++ b/windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md
@@ -9,7 +9,7 @@ ms.prod: w10
ms.date: 04/18/2018
ms.reviewer:
manager: dansimp
-ms.author: lomayor
+ms.author: dansimp
ms.topic: article
---
# Planning for high availability with App-V Server
diff --git a/windows/application-management/app-v/appv-planning-for-sequencer-and-client-deployment.md b/windows/application-management/app-v/appv-planning-for-sequencer-and-client-deployment.md
index adcfe14ddc..4fa3630f7f 100644
--- a/windows/application-management/app-v/appv-planning-for-sequencer-and-client-deployment.md
+++ b/windows/application-management/app-v/appv-planning-for-sequencer-and-client-deployment.md
@@ -9,7 +9,7 @@ ms.prod: w10
ms.date: 04/18/2018
ms.reviewer:
manager: dansimp
-ms.author: lomayor
+ms.author: dansimp
ms.topic: article
---
# Planning for the App-V Sequencer and Client Deployment
diff --git a/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md b/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md
index ae79aea7c4..dac8271c33 100644
--- a/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md
+++ b/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md
@@ -9,7 +9,7 @@ ms.prod: w10
ms.date: 04/18/2018
ms.reviewer:
manager: dansimp
-ms.author: lomayor
+ms.author: dansimp
ms.topic: article
---
# Planning for deploying App-V with Office
diff --git a/windows/application-management/app-v/appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md b/windows/application-management/app-v/appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md
index 4fec6e664e..7c682239c3 100644
--- a/windows/application-management/app-v/appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md
+++ b/windows/application-management/app-v/appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md
@@ -9,7 +9,7 @@ ms.prod: w10
ms.date: 04/18/2018
ms.reviewer:
manager: dansimp
-ms.author: lomayor
+ms.author: dansimp
ms.topic: article
---
# Planning to Deploy App-V with an electronic software distribution system
diff --git a/windows/application-management/app-v/appv-planning-to-deploy-appv.md b/windows/application-management/app-v/appv-planning-to-deploy-appv.md
index 8b30ecd4ff..ee9e0b73a9 100644
--- a/windows/application-management/app-v/appv-planning-to-deploy-appv.md
+++ b/windows/application-management/app-v/appv-planning-to-deploy-appv.md
@@ -9,7 +9,7 @@ ms.prod: w10
ms.date: 04/18/2018
ms.reviewer:
manager: dansimp
-ms.author: lomayor
+ms.author: dansimp
ms.topic: article
---
# Planning to Deploy App-V for Windows 10
diff --git a/windows/application-management/app-v/appv-preparing-your-environment.md b/windows/application-management/app-v/appv-preparing-your-environment.md
index 33dcf85901..57989881e0 100644
--- a/windows/application-management/app-v/appv-preparing-your-environment.md
+++ b/windows/application-management/app-v/appv-preparing-your-environment.md
@@ -9,7 +9,7 @@ ms.prod: w10
ms.date: 04/18/2018
ms.reviewer:
manager: dansimp
-ms.author: lomayor
+ms.author: dansimp
ms.topic: article
---
# Preparing your environment for App-V
diff --git a/windows/application-management/app-v/appv-prerequisites.md b/windows/application-management/app-v/appv-prerequisites.md
index 841c318800..bc458a3f94 100644
--- a/windows/application-management/app-v/appv-prerequisites.md
+++ b/windows/application-management/app-v/appv-prerequisites.md
@@ -9,7 +9,7 @@ ms.prod: w10
ms.date: 04/18/2018
ms.reviewer:
manager: dansimp
-ms.author: lomayor
+ms.author: dansimp
ms.topic: article
---
# App-V for Windows 10 prerequisites
diff --git a/windows/application-management/app-v/appv-publish-a-connection-group.md b/windows/application-management/app-v/appv-publish-a-connection-group.md
index c8c8da79fa..41d35e29a0 100644
--- a/windows/application-management/app-v/appv-publish-a-connection-group.md
+++ b/windows/application-management/app-v/appv-publish-a-connection-group.md
@@ -9,7 +9,7 @@ ms.prod: w10
ms.date: 09/27/2018
ms.reviewer:
manager: dansimp
-ms.author: lomayor
+ms.author: dansimp
ms.topic: article
---
# How to Publish a Connection Group
diff --git a/windows/application-management/app-v/appv-publish-a-packages-with-the-management-console.md b/windows/application-management/app-v/appv-publish-a-packages-with-the-management-console.md
index 47e033fcbe..cd4469abe5 100644
--- a/windows/application-management/app-v/appv-publish-a-packages-with-the-management-console.md
+++ b/windows/application-management/app-v/appv-publish-a-packages-with-the-management-console.md
@@ -9,7 +9,7 @@ ms.prod: w10
ms.date: 09/27/2018
ms.reviewer:
manager: dansimp
-ms.author: lomayor
+ms.author: dansimp
ms.topic: article
---
# How to publish a package by using the Management console
diff --git a/windows/application-management/app-v/appv-register-and-unregister-a-publishing-server-with-the-management-console.md b/windows/application-management/app-v/appv-register-and-unregister-a-publishing-server-with-the-management-console.md
index da72c8bd99..2134edc7bb 100644
--- a/windows/application-management/app-v/appv-register-and-unregister-a-publishing-server-with-the-management-console.md
+++ b/windows/application-management/app-v/appv-register-and-unregister-a-publishing-server-with-the-management-console.md
@@ -9,7 +9,7 @@ ms.prod: w10
ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
-ms.author: lomayor
+ms.author: dansimp
---
diff --git a/windows/application-management/app-v/appv-release-notes-for-appv-for-windows-1703.md b/windows/application-management/app-v/appv-release-notes-for-appv-for-windows-1703.md
index 9179e46022..dc744d16c2 100644
--- a/windows/application-management/app-v/appv-release-notes-for-appv-for-windows-1703.md
+++ b/windows/application-management/app-v/appv-release-notes-for-appv-for-windows-1703.md
@@ -9,7 +9,7 @@ ms.prod: w10
ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
-ms.author: lomayor
+ms.author: dansimp
---
diff --git a/windows/application-management/app-v/appv-release-notes-for-appv-for-windows.md b/windows/application-management/app-v/appv-release-notes-for-appv-for-windows.md
index daf1783e49..bb14436095 100644
--- a/windows/application-management/app-v/appv-release-notes-for-appv-for-windows.md
+++ b/windows/application-management/app-v/appv-release-notes-for-appv-for-windows.md
@@ -9,7 +9,7 @@ ms.prod: w10
ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
-ms.author: lomayor
+ms.author: dansimp
---
# Release Notes for App-V for Windows 10, version 1607
diff --git a/windows/application-management/app-v/appv-reporting.md b/windows/application-management/app-v/appv-reporting.md
index 99a25f7fda..57a4526ecf 100644
--- a/windows/application-management/app-v/appv-reporting.md
+++ b/windows/application-management/app-v/appv-reporting.md
@@ -9,7 +9,7 @@ ms.prod: w10
ms.date: 04/16/2018
ms.reviewer:
manager: dansimp
-ms.author: lomayor
+ms.author: dansimp
ms.topic: article
---
# About App-V reporting
@@ -30,7 +30,7 @@ The following list displays the end–to-end high-level workflow for reporting i
To confirm SQL Server Reporting Services is running, enter
-
-
@@ -57,14 +54,14 @@ The following diagram shows the BitLocker configuration service provider in tree
-
@@ -112,9 +109,26 @@ The following diagram shows the BitLocker configuration service provider in tree
-
Home
@@ -159,7 +172,7 @@ The following diagram shows the BitLocker configuration service provider in tree
-
Home
@@ -237,7 +250,7 @@ The following diagram shows the BitLocker configuration service provider in tree
-
-
-
-
Home
@@ -334,7 +347,7 @@ The following diagram shows the BitLocker configuration service provider in tree
-
Home
@@ -403,7 +416,7 @@ The following diagram shows the BitLocker configuration service provider in tree
-
Home
@@ -484,7 +497,7 @@ The following diagram shows the BitLocker configuration service provider in tree
> If the "OSRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for operating system drives) data field is set, a recovery password is automatically generated.
-
-
-
-
-
Home
@@ -581,7 +594,7 @@ The following diagram shows the BitLocker configuration service provider in tree
> If the "FDVRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives) data field is set, a recovery password is automatically generated.
-
-
-
-
-
Home
@@ -679,7 +692,7 @@ The following diagram shows the BitLocker configuration service provider in tree
-
Home
@@ -741,7 +754,7 @@ The following diagram shows the BitLocker configuration service provider in tree
> This policy setting can be overridden by the group policy settings under User Configuration\Administrative Templates\System\Removable Storage Access. If the "Removable Disks: Deny write access" group policy setting is enabled this policy setting will be ignored.
-
-
-
-
-
+| Value | Description |
+|-------|--------------------|
+| EVENT_TRACE_FILE_MODE_SEQUENTIAL (0x00000001) | Writes events to a log file sequentially; stops when the file reaches its maximum size. |
+| EVENT_TRACE_FILE_MODE_CIRCULAR (0x00000002) | Writes events to a log file. After the file reaches the maximum size, the oldest events are replaced with incoming events. |
**EtwLog/Collectors/*CollectorName*/TraceControl**
Specifies the logging and report action state.
@@ -222,8 +198,6 @@ The following table lists the possible values:
| START | Start log tracing. |
| STOP | Stop log tracing |
-
-
The supported operation is Execute.
After you have added a logging task, you can start a trace by running an Execute command on this node with the value START.
@@ -295,8 +269,6 @@ Dynamic nodes to represent active provider configuration per provider GUID.
> **Note** Microsoft-WindowsPhone-Enterprise-Diagnostics-Provider (GUID - 3da494e4-0fe2-415C-b895-fb5265c5c83b) has the required debug resource files built into Windows OS, which will allow the logs files to be decoded on the remote machine. Any other logs may not have the debug resources required to decode.
-
-
Supported operations are Add, Delete, and Get.
Add a provider
@@ -347,44 +319,15 @@ The data type is an integer.
Supported operations are Get and Replace.
-The following table lists the possible values.
+The following table lists the possible values:
-
-
-
-
-Value
-Description
-
-
-
-
-
-
-
-
-
+| Value | Description |
+|-------|--------------------|
+| 1 – TRACE_LEVEL_CRITICAL | Abnormal exit or termination events |
+| 2 – TRACE_LEVEL_ERROR | Severe error events |
+| 3 – TRACE_LEVEL_WARNING | Warning events such as allocation failures |
+| 4 – TRACE_LEVEL_INFORMATION | Non-error events, such as entry or exit events |
+| 5 – TRACE_LEVEL_VERBOSE | Detailed information |
Set provider **TraceLevel**
@@ -412,7 +355,7 @@ Set provider **TraceLevel**
**EtwLog/Collectors/*CollectorName*/Providers/*ProviderGUID*/Keywords**
Specifies the provider keywords to be used as MatchAnyKeyword for this provider.
-the data type is a string.
+The data type is a string.
Supported operations are Get and Replace.
@@ -470,32 +413,11 @@ The data type is a boolean.
Supported operations are Get and Replace. This change will be effective during active trace session.
-The following table lists the possible values. Default value is TRUE.
-
-
-
-
-
-Value
-Description
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+The following table lists the possible values:
+| Value | Description |
+|-------|--------------------|
+| TRUE | Provider is enabled in the trace session. This is the default. |
+| FALSE | Provider is disabled in the trace session. |
Set provider **State**
@@ -630,32 +552,12 @@ The data type is a boolean.
Supported operations are Get and Replace.
-The following table lists the possible values.
+The following table lists the possible values:
-
-
-
-
-Value
-Description
-
-
-
-
-
-
-
-
-
+| Value | Description |
+|-------|--------------------|
+| TRUE | Channel is enabled. |
+| FALSE | Channel is disabled. |
Get channel **State**
@@ -897,26 +799,585 @@ Node to transfer the selected log file block to the DM server.
**FileDownload/DMChannel/*FileContext*/DataBlocks/***BlockNumber*
The data type is Base64.
-The only supported operation is Get.
+The supported operation is Get.
+
+**Policy**
+Added in version 1.4 of the CSP in Windows 10, version 1903. Root node to control settings for channels in Event Log.
+
+The supported operation is Get.
+
+**Policy/Channels**
+Added in version 1.4 of the CSP in Windows 10, version 1903. Node that contains Event Log channel settings.
+
+The supported operation is Get.
+
+**Policy/Channels/_ChannelName_**
+Added in version 1.4 of the CSP in Windows 10, version 1903. Dynamic node to represent a registered channel. The node name must be a valid Windows event log channel name, such as ``Microsoft-Client-Licensing-Platform%2FAdmin``. When specifying the name in the LocURI, it must be URL encoded, otherwise it may unexpectedly translate into a different URI.
+
+Supported operations are Add, Delete, and Get.
+
+Add **Channel**
+``` xml
+
-
-
-
-Value
-Description
-
-
-
-
-
-
+
+DiagnosticLog CSP
+
+DiagnosticLog DDF
+Policy, Policy/Channels, Policy/Channels/ChannelName, Policy/Channels/ChannelName/MaximumFileSize, Policy/Channels/ChannelName/SDDL, Policy/Channels/ChannelName/ActionWhenFull, Policy/Channels/ChannelName/Enabled, DiagnosticArchive, DiagnosticArchive/ArchiveDefinition, DiagnosticArchive/ArchiveResults.
+
@@ -1896,6 +1903,7 @@ How do I turn if off? | The service can be stopped from the "Services" console o
|New or updated topic | Description|
|--- | ---|
+|[DiagnosticLog CSP](diagnosticlog-csp.md)EnrollmentStatusTracking CSP
[DiagnosticLog DDF](diagnosticlog-ddf.md)|Added version 1.4 of the CSP in Windows 10, version 1903. Added the new 1.4 version of the DDF. Added the following new nodes:
Policy, Policy/Channels, Policy/Channels/ChannelName, Policy/Channels/ChannelName/MaximumFileSize, Policy/Channels/ChannelName/SDDL, Policy/Channels/ChannelName/ActionWhenFull, Policy/Channels/ChannelName/Enabled, DiagnosticArchive, DiagnosticArchive/ArchiveDefinition, DiagnosticArchive/ArchiveResults.|
|[Enroll a Windows 10 device automatically using Group Policy](enroll-a-windows-10-device-automatically-using-group-policy.md)|Enhanced the article to include additional reference links and the following two topics:
Verify auto-enrollment requirements and settings, Troubleshoot auto-enrollment of devices.|
### July 2019
diff --git a/windows/client-management/mdm/policy-csp-abovelock.md b/windows/client-management/mdm/policy-csp-abovelock.md
index b5cb013a88..008c0c74a3 100644
--- a/windows/client-management/mdm/policy-csp-abovelock.md
+++ b/windows/client-management/mdm/policy-csp-abovelock.md
@@ -199,12 +199,14 @@ The following list shows the supported values:
-Footnote:
+Footnotes:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
+- 5 - Added in Windows 10, version 1809.
+- 6 - Added in Windows 10, version 1903.
diff --git a/windows/client-management/mdm/policy-csp-accounts.md b/windows/client-management/mdm/policy-csp-accounts.md
index 871c434dca..053896ccc4 100644
--- a/windows/client-management/mdm/policy-csp-accounts.md
+++ b/windows/client-management/mdm/policy-csp-accounts.md
@@ -195,33 +195,13 @@ The following list shows the supported values:
-
-
-
-## Accounts policies supported by HoloLens 2
-
-- [Accounts/AllowMicrosoftAccountConnection](#accounts-allowmicrosoftaccountconnection)
-
-
-
-## Accounts policies supported by HoloLens (1st gen) Commercial Suite
-
-- [Accounts/AllowMicrosoftAccountConnection](#accounts-allowmicrosoftaccountconnection)
-
-
-
-## Accounts policies supported by HoloLens (1st gen) Development Edition
-
-- [Accounts/AllowMicrosoftAccountConnection](#accounts-allowmicrosoftaccountconnection)
-
-
-
-
Footnotes:
-- 1 - Added in Windows 10, version 1607.
-- 2 - Added in Windows 10, version 1703.
-- 3 - Added in Windows 10, version 1709.
-- 4 - Added in Windows 10, version 1803.
-- 5 - Added in Windows 10, version 1809.
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+- 4 - Added in Windows 10, version 1803.
+- 5 - Added in Windows 10, version 1809.
+- 6 - Added in Windows 10, version 1903.
+
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-activexcontrols.md b/windows/client-management/mdm/policy-csp-activexcontrols.md
index 09639791f8..850e4ff945 100644
--- a/windows/client-management/mdm/policy-csp-activexcontrols.md
+++ b/windows/client-management/mdm/policy-csp-activexcontrols.md
@@ -92,12 +92,13 @@ ADMX Info:
-Footnote:
+Footnotes:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
+- 5 - Added in Windows 10, version 1809.
+- 6 - Added in Windows 10, version 1903.
-
-
+
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-applicationdefaults.md b/windows/client-management/mdm/policy-csp-applicationdefaults.md
index 7bbea44531..86d413d085 100644
--- a/windows/client-management/mdm/policy-csp-applicationdefaults.md
+++ b/windows/client-management/mdm/policy-csp-applicationdefaults.md
@@ -199,12 +199,13 @@ This setting supports a range of values between 0 and 1.
-Footnote:
+Footnotes:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
+- 5 - Added in Windows 10, version 1809.
+- 6 - Added in Windows 10, version 1903.
-
-
+
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-applicationmanagement.md b/windows/client-management/mdm/policy-csp-applicationmanagement.md
index bb80f306e7..1657cb97f4 100644
--- a/windows/client-management/mdm/policy-csp-applicationmanagement.md
+++ b/windows/client-management/mdm/policy-csp-applicationmanagement.md
@@ -478,11 +478,11 @@ An XML blob that specifies the application restrictions company want to put to t
>
> Here's additional guidance for the upgrade process:
>
-> - Use Windows 10 product IDs for the apps listed in [inbox apps](applocker-csp.md#inboxappsandcomponents).
-> - Use the new Microsoft publisher name (PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US") and Publisher="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" if you are using the publisher policy. Do not remove the Windows Phone 8.1 publisher if you are using it.
-> - In the SyncML, you must use lowercase product ID.
-> - Do not duplicate a product ID. Messaging and Skype Video use the same product ID. Duplicates cause an error.
-> - You cannot disable or enable **Contact Support** and **Windows Feedback** apps using ApplicationManagement/ApplicationRestrictions policy, although these are listed in the [inbox apps](applocker-csp.md#inboxappsandcomponents).
+> - Use Windows 10 product IDs for the apps listed in [inbox apps](applocker-csp.md#inboxappsandcomponents).
+> - Use the new Microsoft publisher name (PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US") and Publisher="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" if you are using the publisher policy. Do not remove the Windows Phone 8.1 publisher if you are using it.
+> - In the SyncML, you must use lowercase product ID.
+> - Do not duplicate a product ID. Messaging and Skype Video use the same product ID. Duplicates cause an error.
+> - You cannot disable or enable **Contact Support** and **Windows Feedback** apps using ApplicationManagement/ApplicationRestrictions policy, although these are listed in the [inbox apps](applocker-csp.md#inboxappsandcomponents).
An application that is running may not be immediately terminated.
@@ -537,7 +537,7 @@ Added in Windows 10, version 1607. Boolean value that disables the launch of al
ADMX Info:
-- GP English name: *Disable all apps from Microsoft Store *
+- GP English name: *Disable all apps from Microsoft Store*
- GP name: *DisableStoreApps*
- GP path: *Windows Components/Store*
- GP ADMX file name: *WindowsStore.admx*
@@ -1040,34 +1040,6 @@ XSD:
-
-
-
-
-## ApplicationManagement policies supported by HoloLens 2
-
-- [ApplicationManagement/AllowAllTrustedApps](#applicationmanagement-allowalltrustedapps)
-- [ApplicationManagement/AllowAppStoreAutoUpdate](#applicationmanagement-allowappstoreautoupdate)
-- [ApplicationManagement/AllowDeveloperUnlock](#applicationmanagement-allowdeveloperunlock)
-
-
-
-
-## ApplicationManagement policies supported by HoloLens (ist gen) Commercial Suite
-
-- [ApplicationManagement/AllowAllTrustedApps](#applicationmanagement-allowalltrustedapps)
-- [ApplicationManagement/AllowAppStoreAutoUpdate](#applicationmanagement-allowappstoreautoupdate)
-- [ApplicationManagement/AllowDeveloperUnlock](#applicationmanagement-allowdeveloperunlock)
-
-
-
-## ApplicationManagement policies supported by HoloLens (1st gen) Development Edition
-
-- [ApplicationManagement/AllowAllTrustedApps](#applicationmanagement-allowalltrustedapps)
-- [ApplicationManagement/AllowAppStoreAutoUpdate](#applicationmanagement-allowappstoreautoupdate)
-- [ApplicationManagement/AllowDeveloperUnlock](#applicationmanagement-allowdeveloperunlock)
-
-
Footnotes:
@@ -1078,3 +1050,4 @@ Footnotes:
- 4 - Added in Windows 10, version 1803.
- 5 - Added in Windows 10, version 1809.
- 6 - Added in Windows 10, version 1903.
+
diff --git a/windows/client-management/mdm/policy-csp-appruntime.md b/windows/client-management/mdm/policy-csp-appruntime.md
index 6f998bebf9..ce22da2a1b 100644
--- a/windows/client-management/mdm/policy-csp-appruntime.md
+++ b/windows/client-management/mdm/policy-csp-appruntime.md
@@ -89,12 +89,14 @@ ADMX Info:
-Footnote:
+Footnotes:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
+- 5 - Added in Windows 10, version 1809.
+- 6 - Added in Windows 10, version 1903.
diff --git a/windows/client-management/mdm/policy-csp-appvirtualization.md b/windows/client-management/mdm/policy-csp-appvirtualization.md
index 7ecd3a228b..6719816427 100644
--- a/windows/client-management/mdm/policy-csp-appvirtualization.md
+++ b/windows/client-management/mdm/policy-csp-appvirtualization.md
@@ -1812,7 +1812,7 @@ ADMX Info:
-Specifies a list of process paths (may contain wildcards) which are candidates for using virtual components (shell extensions, browser helper objects, etc). Only processes whose full path matches one of these items can use virtual components.
+Specifies a list of process paths (may contain wildcards) which are candidates for using virtual components (shell extensions, browser helper objects, etc.). Only processes whose full path matches one of these items can use virtual components.
> [!TIP]
@@ -1833,12 +1833,14 @@ ADMX Info:
-Footnote:
+Footnotes:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
+- 5 - Added in Windows 10, version 1809.
+- 6 - Added in Windows 10, version 1903.
diff --git a/windows/client-management/mdm/policy-csp-attachmentmanager.md b/windows/client-management/mdm/policy-csp-attachmentmanager.md
index f5630e76f5..bcb75801ca 100644
--- a/windows/client-management/mdm/policy-csp-attachmentmanager.md
+++ b/windows/client-management/mdm/policy-csp-attachmentmanager.md
@@ -226,12 +226,14 @@ ADMX Info:
-Footnote:
+Footnotes:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
+- 5 - Added in Windows 10, version 1809.
+- 6 - Added in Windows 10, version 1903.
diff --git a/windows/client-management/mdm/policy-csp-authentication.md b/windows/client-management/mdm/policy-csp-authentication.md
index 6ce830a730..fa0ff7ed0c 100644
--- a/windows/client-management/mdm/policy-csp-authentication.md
+++ b/windows/client-management/mdm/policy-csp-authentication.md
@@ -241,7 +241,7 @@ Preview release in Windows 10, version 1709. Supported in the next release. Spe
Value type is integer.
-Here is an example scenario: At Contoso, there are a lot of shared devices and kiosks that employees throughout the day using as many as 20 different devices. To minimize the loss in productivity when employees have to login with username and password everytime they pick up a device, the IT admin deploys SharePC CSP and Authentication/AllowFidoDeviceSignon policy to shared devices. The IT admin provisions and distributes FIDO 2.0 devices to employees, which allows them to authenticate to various shared devices and PCs.
+Here is an example scenario: At Contoso, there are a lot of shared devices and kiosks that employees throughout the day using as many as 20 different devices. To minimize the loss in productivity when employees have to login with username and password every time they pick up a device, the IT admin deploys SharePC CSP and Authentication/AllowFidoDeviceSignon policy to shared devices. The IT admin provisions and distributes FIDO 2.0 devices to employees, which allows them to authenticate to various shared devices and PCs.
@@ -364,7 +364,7 @@ This policy is intended for use on Shared PCs to enable a quick first sign-in ex
Value type is integer. Supported values:
- 0 - (default) The feature defaults to the existing SKU and device capabilities.
-- 1 - Enabled. Auto connect new non-admin AZure AD accounts to pre-configured candidate local accounts
+- 1 - Enabled. Auto connect new non-admin Azure AD accounts to pre-configured candidate local accounts
- 2 - Disabled. Do not auto connect new non-admin Azure AD accounts to pre-configured local accounts
@@ -499,30 +499,6 @@ Value type is string.
-
-
-
-
-## Authentication policies supported by HoloLens 2
-
-- [Authentication/AllowFastReconnect](#authentication-allowfastreconnect)
-- [Authentication/PreferredAadTenantDomainName](#authentication-preferredaadtenantdomainname)
-
-
-
-## Authentication policies supported by HoloLens (1st gen) Commercial Suite
-
-- [Authentication/AllowFastReconnect](#authentication-allowfastreconnect)
-- [Authentication/PreferredAadTenantDomainName](#authentication-preferredaadtenantdomainname)
-
-
-
-## Authentication policies supported by HoloLens (1st gen) Development Edition
-
-- [Authentication/AllowFastReconnect](#authentication-allowfastreconnect)
-
-
-
Footnotes:
@@ -533,3 +509,4 @@ Footnotes:
- 4 - Added in Windows 10, version 1803.
- 5 - Added in Windows 10, version 1809.
- 6 - Added in Windows 10, version 1903.
+
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-autoplay.md b/windows/client-management/mdm/policy-csp-autoplay.md
index 0845e952f8..0f89d7ad50 100644
--- a/windows/client-management/mdm/policy-csp-autoplay.md
+++ b/windows/client-management/mdm/policy-csp-autoplay.md
@@ -242,12 +242,14 @@ ADMX Info:
-Footnote:
+Footnotes:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
+- 5 - Added in Windows 10, version 1809.
+- 6 - Added in Windows 10, version 1903.
diff --git a/windows/client-management/mdm/policy-csp-bitlocker.md b/windows/client-management/mdm/policy-csp-bitlocker.md
index 85d8f6acdc..f160212054 100644
--- a/windows/client-management/mdm/policy-csp-bitlocker.md
+++ b/windows/client-management/mdm/policy-csp-bitlocker.md
@@ -86,7 +86,7 @@ The following list shows the supported values:
> [!NOTE]
> To manage encryption of PCs and devices, use [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp)
-Footnote:
+Footnotes:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
diff --git a/windows/client-management/mdm/policy-csp-bits.md b/windows/client-management/mdm/policy-csp-bits.md
index 32fe01163f..c7305f22ee 100644
--- a/windows/client-management/mdm/policy-csp-bits.md
+++ b/windows/client-management/mdm/policy-csp-bits.md
@@ -91,7 +91,7 @@ If BITS/BandwidthThrottlingStartTime or BITS/BandwidthThrottlingEndTime are NOT
This policy specifies the bandwidth throttling **end time** that Background Intelligent Transfer Service (BITS) uses for background transfers. This policy setting does not affect foreground transfers. This policy is based on the 24-hour clock.
-Value type is integer. Default value is 17 (5 pm).
+Value type is integer. Default value is 17 (5 PM).
Supported value range: 0 - 23
@@ -101,7 +101,7 @@ Using the three policies together (BandwidthThrottlingStartTime, BandwidthThrott
If you disable or do not configure this policy setting, BITS uses all available unused bandwidth.
-Note: You should base the limit on the speed of the network link, not the computer's network interface card (NIC). This policy setting does not affect Peercaching transfers between peer computers (it does affect transfers from the origin server); the "Limit the maximum network bandwidth used for Peercaching" policy setting should be used for that purpose.
+Note: You should base the limit on the speed of the network link, not the computer's network interface card (NIC). This policy setting does not affect peer caching transfers between peer computers (it does affect transfers from the origin server); the "Limit the maximum network bandwidth used for Peercaching" policy setting should be used for that purpose.
Consider using this setting to prevent BITS transfers from competing for network bandwidth when the client computer has a fast network card (10Mbs), but is connected to the network via a slow link (56Kbs).
@@ -176,7 +176,7 @@ Using the three policies together (BandwidthThrottlingStartTime, BandwidthThrott
If you disable or do not configure this policy setting, BITS uses all available unused bandwidth.
-Note: You should base the limit on the speed of the network link, not the computer's network interface card (NIC). This policy setting does not affect Peercaching transfers between peer computers (it does affect transfers from the origin server); the "Limit the maximum network bandwidth used for Peercaching" policy setting should be used for that purpose.
+Note: You should base the limit on the speed of the network link, not the computer's network interface card (NIC). This policy setting does not affect peer caching transfers between peer computers (it does affect transfers from the origin server); the "Limit the maximum network bandwidth used for Peercaching" policy setting should be used for that purpose.
Consider using this setting to prevent BITS transfers from competing for network bandwidth when the client computer has a fast network card (10Mbs), but is connected to the network via a slow link (56Kbs).
@@ -251,7 +251,7 @@ Using the three policies together (BandwidthThrottlingStartTime, BandwidthThrott
If you disable or do not configure this policy setting, BITS uses all available unused bandwidth.
-Note: You should base the limit on the speed of the network link, not the computer's network interface card (NIC). This policy setting does not affect Peercaching transfers between peer computers (it does affect transfers from the origin server); the "Limit the maximum network bandwidth used for Peercaching" policy setting should be used for that purpose.
+Note: You should base the limit on the speed of the network link, not the computer's network interface card (NIC). This policy setting does not affect peer caching transfers between peer computers (it does affect transfers from the origin server); the "Limit the maximum network bandwidth used for Peercaching" policy setting should be used for that purpose.
Consider using this setting to prevent BITS transfers from competing for network bandwidth when the client computer has a fast network card (10Mbs), but is connected to the network via a slow link (56Kbs).
@@ -494,14 +494,14 @@ Supported values range: 0 - 999
-Footnote:
+Footnotes:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
- 5 - Added in Windows 10, version 1809.
-- 6 - Added in the next major release of Windows 10.
+- 6 - Added in Windows 10, version 1903.
diff --git a/windows/client-management/mdm/policy-csp-bluetooth.md b/windows/client-management/mdm/policy-csp-bluetooth.md
index 2475975ca6..d834300ed0 100644
--- a/windows/client-management/mdm/policy-csp-bluetooth.md
+++ b/windows/client-management/mdm/policy-csp-bluetooth.md
@@ -341,34 +341,18 @@ The default value is an empty string. For more information, see [ServicesAllowed
+
+Footnotes:
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+- 4 - Added in Windows 10, version 1803.
+- 5 - Added in Windows 10, version 1809.
+- 6 - Added in Windows 10, version 1903.
-
-## Bluetooth policies supported by HoloLens 2
-
-- [Bluetooth/AllowDiscoverableMode](#bluetooth-allowdiscoverablemode)
-- [Bluetooth/LocalDeviceName](#bluetooth-localdevicename)
-
-
-
-## Bluetooth policies supported by HoloLens (1st gen) Commercial Suite
-
-- [Bluetooth/AllowAdvertising](#bluetooth-allowadvertising)
-- [Bluetooth/AllowDiscoverableMode](#bluetooth-allowdiscoverablemode)
-- [Bluetooth/LocalDeviceName](#bluetooth-localdevicename)
-
-
-
-## Bluetooth policies supported by HoloLens (1st gen) Development Edition
-
-- [Bluetooth/AllowAdvertising](#bluetooth-allowadvertising)
-- [Bluetooth/AllowDiscoverableMode](#bluetooth-allowdiscoverablemode)
-- [Bluetooth/LocalDeviceName](#bluetooth-localdevicename)
-
-
-
-
+
## ServicesAllowedList usage guide
@@ -481,14 +465,4 @@ Disabling file transfer shall have the following effects
- Fsquirt shall not allow sending of files
- Fsquirt shall not allow receiving of files
- Fsquirt shall display error message informing user of policy preventing file transfer
-- 3rd-party apps shall not be permitted to send or receive files using MSFT Bluetooth API
-
-
-Footnotes:
-
-- 1 - Added in Windows 10, version 1607.
-- 2 - Added in Windows 10, version 1703.
-- 3 - Added in Windows 10, version 1709.
-- 4 - Added in Windows 10, version 1803.
-- 5 - Added in Windows 10, version 1809.
-- 6 - Added in Windows 10, version 1903.
\ No newline at end of file
+- 3rd-party apps shall not be permitted to send or receive files using MSFT Bluetooth API
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-browser.md b/windows/client-management/mdm/policy-csp-browser.md
index a397e2cdfa..8f07ea575b 100644
--- a/windows/client-management/mdm/policy-csp-browser.md
+++ b/windows/client-management/mdm/policy-csp-browser.md
@@ -319,7 +319,7 @@ To verify AllowAutofill is set to 0 (not allowed):
1. Open Microsoft Edge.
2. In the upper-right corner of the browser, click **…**.
3. Click **Settings** in the drop down list, and select **View Advanced Settings**.
-4. Verify the setting **Save form entries** is greyed out.
+4. Verify the setting **Save form entries** is grayed out.
@@ -629,9 +629,9 @@ ADMX Info:
Supported values:
-- Blank (default) - Do not send tracking information but let users choose to send tracking information to sites they visit.
-- 0 - Never send tracking information.
-- 1 - Send tracking information.
+- Blank (default) - Do not send tracking information but let users choose to send tracking information to sites they visit.
+- 0 - Never send tracking information.
+- 1 - Send tracking information.
Most restricted value: 1
@@ -641,7 +641,7 @@ To verify AllowDoNotTrack is set to 0 (not allowed):
1. Open Microsoft Edge or Microsoft Edge for Windows 10 Mobile.
2. In the upper-right corner of the browser, click **…**.
3. Click **Settings** in the drop down list, and select **View Advanced Settings**.
-4. Verify the setting **Send Do Not Track requests** is greyed out.
+4. Verify the setting **Send Do Not Track requests** is grayed out.
@@ -3961,44 +3961,6 @@ Supported values:
Most restricted value: 0
-
-
-
-
-## Browser policies supported by HoloLens 2
-
-- [Browser/AllowAutofill](#browser-allowautofill)
-- [Browser/AllowCookies](#browser-allowcookies)
-- [Browser/AllowDoNotTrack](#browser-allowdonottrack)
-- [Browser/AllowPasswordManager](#browser-allowpasswordmanager)
-- [Browser/AllowPopups](#browser-allowpopups)
-- [Browser/AllowSearchSuggestionsinAddressBar](#browser-allowsearchsuggestionsinaddressbar)
-- [Browser/AllowSmartScreen](#browser-allowsmartscreen)
-
-
-
-## Browser policies supported by HoloLens (1st gen) Commercial Suite
-
-- [Browser/AllowAutofill](#browser-allowautofill)
-- [Browser/AllowCookies](#browser-allowcookies)
-- [Browser/AllowDoNotTrack](#browser-allowdonottrack)
-- [Browser/AllowPasswordManager](#browser-allowpasswordmanager)
-- [Browser/AllowPopups](#browser-allowpopups)
-- [Browser/AllowSearchSuggestionsinAddressBar](#browser-allowsearchsuggestionsinaddressbar)
-- [Browser/AllowSmartScreen](#browser-allowsmartscreen)
-
-
-
-## Browser policies supported by HoloLens (1st gen) Development Edition
-
-- [Browser/AllowCookies](#browser-allowcookies)
-- [Browser/AllowDoNotTrack](#browser-allowdonottrack)
-- [Browser/AllowPasswordManager](#browser-allowpasswordmanager)
-- [Browser/AllowPopups](#browser-allowpopups)
-- [Browser/AllowSearchSuggestionsinAddressBar](#browser-allowsearchsuggestionsinaddressbar)
-- [Browser/AllowSmartScreen](#browser-allowsmartscreen)
-
-
Footnotes:
@@ -4009,3 +3971,5 @@ Footnotes:
- 4 - Added in Windows 10, version 1803.
- 5 - Added in Windows 10, version 1809.
- 6 - Added in Windows 10, version 1903.
+
+
diff --git a/windows/client-management/mdm/policy-csp-camera.md b/windows/client-management/mdm/policy-csp-camera.md
index 0852d91632..64551b503d 100644
--- a/windows/client-management/mdm/policy-csp-camera.md
+++ b/windows/client-management/mdm/policy-csp-camera.md
@@ -88,30 +88,13 @@ The following list shows the supported values:
-Footnote:
+Footnotes:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
+- 5 - Added in Windows 10, version 1809.
+- 6 - Added in Windows 10, version 1903.
-
-
-
-## Camera policies that can be set using Exchange Active Sync (EAS)
-
-- [Camera/AllowCamera](#camera-allowcamera)
-
-
-
-## Camera policies supported by IoT Core
-
-- [Camera/AllowCamera](#camera-allowcamera)
-
-
-
-## Camera policies supported by Microsoft Surface Hub
-
-- [Camera/AllowCamera](#camera-allowcamera)
-
-
+
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-cellular.md b/windows/client-management/mdm/policy-csp-cellular.md
index ff738aa2e1..9a09add801 100644
--- a/windows/client-management/mdm/policy-csp-cellular.md
+++ b/windows/client-management/mdm/policy-csp-cellular.md
@@ -329,30 +329,13 @@ ADMX Info:
-Footnote:
+Footnotes:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
+- 5 - Added in Windows 10, version 1809.
+- 6 - Added in Windows 10, version 1903.
-
-
-
-## Cellular policies that can be set using Exchange Active Sync (EAS)
-
-- [Cellular/ShowAppCellularAccessUI](#cellular-showappcellularaccessui)
-
-
-
-## Cellular policies supported by IoT Core
-
-- [Cellular/ShowAppCellularAccessUI](#cellular-showappcellularaccessui)
-
-
-
-## Cellular policies supported by Microsoft Surface Hub
-
-- [Cellular/ShowAppCellularAccessUI](#cellular-showappcellularaccessui)
-
-
+
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-connectivity.md b/windows/client-management/mdm/policy-csp-connectivity.md
index d86d214339..aadc67164b 100644
--- a/windows/client-management/mdm/policy-csp-connectivity.md
+++ b/windows/client-management/mdm/policy-csp-connectivity.md
@@ -120,7 +120,7 @@ Most restricted value is 0.
The following list shows the supported values:
-- 0 – Disallow Bluetooth. If this is set to 0, the radio in the Bluetooth control panel will be greyed out and the user will not be able to turn Bluetooth on.
+- 0 – Disallow Bluetooth. If this is set to 0, the radio in the Bluetooth control panel will be grayed out and the user will not be able to turn Bluetooth on.
- 1 – Reserved. If this is set to 1, the radio in the Bluetooth control panel will be functional and the user will be able to turn Bluetooth on.
- 2 (default) – Allow Bluetooth. If this is set to 2, the radio in the Bluetooth control panel will be functional and the user will be able to turn Bluetooth on.
@@ -418,7 +418,7 @@ This setting supports a range of values between 0 and 1.
Validation:
-If the Connectivity/AllowPhonePCLinking policy is configured to value 0, the add a phone button in the Phones section in settings will be greyed out and clicking it will not launch the window for a user to enter their phone number.
+If the Connectivity/AllowPhonePCLinking policy is configured to value 0, the add a phone button in the Phones section in settings will be grayed out and clicking it will not launch the window for a user to enter their phone number.
Device that has previously opt-in to MMX will also stop showing on the device list.
@@ -942,7 +942,7 @@ Determines whether a user can install and configure the Network Bridge.
Important: This settings is location aware. It only applies when a computer is connected to the same DNS domain network it was connected to when the setting was refreshed on that computer. If a computer is connected to a DNS domain network other than the one it was connected to when the setting was refreshed, this setting does not apply.
-The Network Bridge allows users to create a layer 2 MAC bridge, enabling them to connect two or more network segements together. This connection appears in the Network Connections folder.
+The Network Bridge allows users to create a layer 2 MAC bridge, enabling them to connect two or more network segments together. This connection appears in the Network Connections folder.
If you disable this setting or do not configure it, the user will be able to create and modify the configuration of a Network Bridge. Enabling this setting does not remove an existing Network Bridge from the user's computer.
@@ -963,30 +963,6 @@ ADMX Info:
-
-
-
-
-## Connectivity policies supported by HoloLens 2
-
-- [Connectivity/AllowBluetooth](#connectivity-allowbluetooth)
-- [Connectivity/AllowUSBConnection](#connectivity-allowusbconnection)
-
-
-
-## Connectivity policies supported by HoloLens (1st gen) Commercial Suite
-
-- [Connectivity/AllowBluetooth](#connectivity-allowbluetooth)
-- [Connectivity/AllowUSBConnection](#connectivity-allowusbconnection)
-
-
-
-## Connectivity policies supported by HoloLens (1st gen) Development Edition
-
-- [Connectivity/AllowBluetooth](#connectivity-allowbluetooth)
-- [Connectivity/AllowUSBConnection](#connectivity-allowusbconnection)
-
-
Footnotes:
@@ -996,4 +972,5 @@ Footnotes:
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
- 5 - Added in Windows 10, version 1809.
-- 6 - Added in Windows 10, version 1903.
\ No newline at end of file
+- 6 - Added in Windows 10, version 1903.
+
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md
index c9d03ef5de..92db88b0ff 100644
--- a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md
+++ b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md
@@ -106,12 +106,13 @@ The following list shows the supported values:
-Footnote:
+Footnotes:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
+- 5 - Added in Windows 10, version 1809.
+- 6 - Added in Windows 10, version 1903.
-
-
+
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-credentialproviders.md b/windows/client-management/mdm/policy-csp-credentialproviders.md
index 1e3b1dd91e..c90e160c5d 100644
--- a/windows/client-management/mdm/policy-csp-credentialproviders.md
+++ b/windows/client-management/mdm/policy-csp-credentialproviders.md
@@ -216,19 +216,13 @@ The following list shows the supported values:
-Footnote:
+Footnotes:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
+- 5 - Added in Windows 10, version 1809.
+- 6 - Added in Windows 10, version 1903.
-
-
-
-## CredentialProviders policies supported by IoT Core
-
-- [CredentialProviders/AllowPINLogon](#credentialproviders-allowpinlogon)
-- [CredentialProviders/BlockPicturePassword](#credentialproviders-blockpicturepassword)
-
-
+
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-credentialsdelegation.md b/windows/client-management/mdm/policy-csp-credentialsdelegation.md
index 80a987c29b..6d6549c026 100644
--- a/windows/client-management/mdm/policy-csp-credentialsdelegation.md
+++ b/windows/client-management/mdm/policy-csp-credentialsdelegation.md
@@ -91,12 +91,14 @@ ADMX Info:
-Footnote:
+Footnotes:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
+- 5 - Added in Windows 10, version 1809.
+- 6 - Added in Windows 10, version 1903.
diff --git a/windows/client-management/mdm/policy-csp-credentialsui.md b/windows/client-management/mdm/policy-csp-credentialsui.md
index 723426a323..480fd54f21 100644
--- a/windows/client-management/mdm/policy-csp-credentialsui.md
+++ b/windows/client-management/mdm/policy-csp-credentialsui.md
@@ -160,12 +160,14 @@ ADMX Info:
-Footnote:
+Footnotes:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
+- 5 - Added in Windows 10, version 1809.
+- 6 - Added in Windows 10, version 1903.
diff --git a/windows/client-management/mdm/policy-csp-cryptography.md b/windows/client-management/mdm/policy-csp-cryptography.md
index 4aaf66a50c..088711a7c3 100644
--- a/windows/client-management/mdm/policy-csp-cryptography.md
+++ b/windows/client-management/mdm/policy-csp-cryptography.md
@@ -148,21 +148,15 @@ Lists the Cryptographic Cipher Algorithms allowed for SSL connections. Format is
-
-
-## Cryptography policies supported by Microsoft Surface Hub
-
-- [Cryptography/AllowFipsAlgorithmPolicy](#cryptography-allowfipsalgorithmpolicy)
-- [Cryptography/TLSCipherSuites](#cryptography-tlsciphersuites)
-
-
Footnotes:
-- 1 - Added in Windows 10, version 1607.
-- 2 - Added in Windows 10, version 1703.
-- 3 - Added in Windows 10, version 1709.
-- 4 - Added in Windows 10, version 1803.
-- 5 - Added in Windows 10, version 1809.
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+- 4 - Added in Windows 10, version 1803.
+- 5 - Added in Windows 10, version 1809.
+- 6 - Added in Windows 10, version 1903.
+
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-dataprotection.md b/windows/client-management/mdm/policy-csp-dataprotection.md
index cfa533aef2..c8866cf5c0 100644
--- a/windows/client-management/mdm/policy-csp-dataprotection.md
+++ b/windows/client-management/mdm/policy-csp-dataprotection.md
@@ -133,18 +133,13 @@ Setting used by Windows 8.1 Selective Wipe.
-Footnote:
+Footnotes:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
+- 5 - Added in Windows 10, version 1809.
+- 6 - Added in Windows 10, version 1903.
-
-
-
-## DataProtection policies supported by IoT Core
-
-- [DataProtection/AllowDirectMemoryAccess](#dataprotection-allowdirectmemoryaccess)
-
-
+
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-datausage.md b/windows/client-management/mdm/policy-csp-datausage.md
index 1268e6243c..cab2e300d4 100644
--- a/windows/client-management/mdm/policy-csp-datausage.md
+++ b/windows/client-management/mdm/policy-csp-datausage.md
@@ -111,12 +111,14 @@ ADMX Info:
-Footnote:
+Footnotes:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
+- 5 - Added in Windows 10, version 1809.
+- 6 - Added in Windows 10, version 1903.
diff --git a/windows/client-management/mdm/policy-csp-defender.md b/windows/client-management/mdm/policy-csp-defender.md
index f796a9ae53..3d598448d3 100644
--- a/windows/client-management/mdm/policy-csp-defender.md
+++ b/windows/client-management/mdm/policy-csp-defender.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: manikadhiman
-ms.date: 01/26/2019
+ms.date: 08/26/2019
ms.reviewer:
manager: dansimp
---
@@ -205,8 +205,8 @@ ADMX Info:
The following list shows the supported values:
-- 0 – Not allowed.
-- 1 (default) – Allowed.
+- 0 – Not allowed. Turns off scanning on archived files.
+- 1 (default) – Allowed. Scans the archive files.
@@ -267,8 +267,8 @@ ADMX Info:
The following list shows the supported values:
-- 0 – Not allowed.
-- 1 (default) – Allowed.
+- 0 – Not allowed. Turns off behavior monitoring.
+- 1 (default) – Allowed. Turns on real-time behavior monitoring.
@@ -330,8 +330,8 @@ ADMX Info:
The following list shows the supported values:
-- 0 – Not allowed.
-- 1 (default) – Allowed.
+- 0 – Not allowed. Turns off the Microsoft Active Protection Service.
+- 1 (default) – Allowed. Turns on the Microsoft Active Protection Service.
@@ -392,8 +392,8 @@ ADMX Info:
The following list shows the supported values:
-- 0 (default) – Not allowed.
-- 1 – Allowed.
+- 0 (default) – Not allowed. Turns off email scanning.
+- 1 – Allowed. Turns on email scanning.
@@ -454,8 +454,8 @@ ADMX Info:
The following list shows the supported values:
-- 0 (default) – Not allowed.
-- 1 – Allowed.
+- 0 (default) – Not allowed. Disables scanning on mapped network drives.
+- 1 – Allowed. Scans mapped network drives.
@@ -502,7 +502,7 @@ The following list shows the supported values:
> This policy is only enforced in Windows 10 for desktop.
-Allows or disallows a full scan of removable drives.
+Allows or disallows a full scan of removable drives. During a quick scan, removable drives may still be scanned.
@@ -516,8 +516,8 @@ ADMX Info:
The following list shows the supported values:
-- 0 – Not allowed.
-- 1 (default) – Allowed.
+- 0 – Not allowed. Turns off scanning on removable drives.
+- 1 (default) – Allowed. Scans removable drives.
@@ -756,8 +756,8 @@ ADMX Info:
The following list shows the supported values:
-- 0 – Not allowed.
-- 1 (default) – Allowed.
+- 0 – Not allowed. Turns off the real-time monitoring service.
+- 1 (default) – Allowed. Turns on and runs the real-time monitoring service.
@@ -818,8 +818,8 @@ ADMX Info:
The following list shows the supported values:
-- 0 – Not allowed.
-- 1 (default) – Allowed.
+- 0 – Not allowed. Turns off scanning of network files.
+- 1 (default) – Allowed. Scans network files.
@@ -934,8 +934,8 @@ ADMX Info:
The following list shows the supported values:
-- 0 – Not allowed.
-- 1 (default) – Allowed.
+- 0 – Not allowed. Prevents users from accessing UI.
+- 1 (default) – Allowed. Lets users access UI.
@@ -1821,7 +1821,7 @@ ADMX Info:
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
-Added in Windows 10, version 1709. This policy allows you to turn network protection on (block/audit) or off in Windows Defender Exploit Guard. Network protection is a feature of Windows Defender Exploit Guard that protects employees using any app from accessing phishing scams, exploit-hosting sites, and malicious content on the Internet. This includes preventing third-party browsers from connecting to dangerous sites. Value type is integer.
+Added in Windows 10, version 1709. This policy allows you to turn network protection on (block/audit) or off. Network protection protects employees using any app from accessing phishing scams, exploit-hosting sites, and malicious content on the Internet. This includes preventing third-party browsers from connecting to dangerous sites. Value type is integer.
If you enable this setting, network protection is turned on and employees can't turn it off. Its behavior can be controlled by the following options: Block and Audit.
If you enable this policy with the ""Block"" option, users/apps will be blocked from connecting to dangerous domains. You will be able to see this activity in Windows Defender Security Center.
@@ -2773,46 +2773,13 @@ ADMX Info:
-Footnote:
+Footnotes:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
- 5 - Added in Windows 10, version 1809.
-- 6 - Added in the next major release of Windows 10.
+- 6 - Added in Windows 10, version 1903.
-
-
-## Defender policies supported by Microsoft Surface Hub
-
-- [Defender/AllowArchiveScanning](#defender-allowarchivescanning)
-- [Defender/AllowBehaviorMonitoring](#defender-allowbehaviormonitoring)
-- [Defender/AllowCloudProtection](#defender-allowcloudprotection)
-- [Defender/AllowEmailScanning](#defender-allowemailscanning)
-- [Defender/AllowFullScanOnMappedNetworkDrives](#defender-allowfullscanonmappednetworkdrives)
-- [Defender/AllowFullScanRemovableDriveScanning](#defender-allowfullscanremovabledrivescanning)
-- [Defender/AllowIOAVProtection](#defender-allowioavprotection)
-- [Defender/AllowIntrusionPreventionSystem](#defender-allowintrusionpreventionsystem)
-- [Defender/AllowOnAccessProtection](#defender-allowonaccessprotection)
-- [Defender/AllowRealtimeMonitoring](#defender-allowrealtimemonitoring)
-- [Defender/AllowScanningNetworkFiles](#defender-allowscanningnetworkfiles)
-- [Defender/AllowScriptScanning](#defender-allowscriptscanning)
-- [Defender/AllowUserUIAccess](#defender-allowuseruiaccess)
-- [Defender/AvgCPULoadFactor](#defender-avgcpuloadfactor)
-- [Defender/DaysToRetainCleanedMalware](#defender-daystoretaincleanedmalware)
-- [Defender/ExcludedExtensions](#defender-excludedextensions)
-- [Defender/ExcludedPaths](#defender-excludedpaths)
-- [Defender/ExcludedProcesses](#defender-excludedprocesses)
-- [Defender/PUAProtection](#defender-puaprotection)
-- [Defender/RealTimeScanDirection](#defender-realtimescandirection)
-- [Defender/ScanParameter](#defender-scanparameter)
-- [Defender/ScheduleQuickScanTime](#defender-schedulequickscantime)
-- [Defender/ScheduleScanDay](#defender-schedulescanday)
-- [Defender/ScheduleScanTime](#defender-schedulescantime)
-- [Defender/SignatureUpdateInterval](#defender-signatureupdateinterval)
-- [Defender/SubmitSamplesConsent](#defender-submitsamplesconsent)
-- [Defender/ThreatSeverityDefaultAction](#defender-threatseveritydefaultaction)
-
-
diff --git a/windows/client-management/mdm/policy-csp-deliveryoptimization.md b/windows/client-management/mdm/policy-csp-deliveryoptimization.md
index 66ac43c7f6..951388e477 100644
--- a/windows/client-management/mdm/policy-csp-deliveryoptimization.md
+++ b/windows/client-management/mdm/policy-csp-deliveryoptimization.md
@@ -1701,101 +1701,6 @@ This policy allows an IT Admin to define the following:
-
-
-
-
-
-
-
-
-
-
-
-## DeliveryOptimization policies supported by IoT Core
-
-- [DeliveryOptimization/DOAbsoluteMaxCacheSize](#deliveryoptimization-doabsolutemaxcachesize)
-- [DeliveryOptimization/DOAllowVPNPeerCaching](#deliveryoptimization-doallowvpnpeercaching)
-- [DeliveryOptimization/DOCacheHost](#deliveryoptimization-docachehost)
-- [DeliveryOptimization/DODelayBackgroundDownloadFromHttp](#deliveryoptimization-dodelaybackgrounddownloadfromhttp)
-- [DeliveryOptimization/DODelayForegroundDownloadFromHttp](#deliveryoptimization-dodelayforegrounddownloadfromhttp)
-- [DeliveryOptimization/DODelayCacheServerFallbackBackground](#deliveryoptimization-dodelaycacheserverfallbackbackground)
-- [DeliveryOptimization/DODelayCacheServerFallbackForeground](#deliveryoptimization-dodelaycacheserverfallbackforeground)
-- [DeliveryOptimization/DODownloadMode](#deliveryoptimization-dodownloadmode)
-- [DeliveryOptimization/DOGroupId](#deliveryoptimization-dogroupid)
-- [DeliveryOptimization/DOGroupIdSource](#deliveryoptimization-dogroupidsource)
-- [DeliveryOptimization/DOMaxCacheAge](#deliveryoptimization-domaxcacheage)
-- [DeliveryOptimization/DOMaxCacheSize](#deliveryoptimization-domaxcachesize)
-- [DeliveryOptimization/DOMaxDownloadBandwidth](#deliveryoptimization-domaxdownloadbandwidth)
-- [DeliveryOptimization/DOMaxUploadBandwidth](#deliveryoptimization-domaxuploadbandwidth)
-- [DeliveryOptimization/DOMinBackgroundQos](#deliveryoptimization-dominbackgroundqos)
-- [DeliveryOptimization/DOMinBatteryPercentageAllowedToUpload](#deliveryoptimization-dominbatterypercentageallowedtoupload)
-- [DeliveryOptimization/DOMinDiskSizeAllowedToPeer](#deliveryoptimization-domindisksizeallowedtopeer)
-- [DeliveryOptimization/DOMinFileSizeToCache](#deliveryoptimization-dominfilesizetocache)
-- [DeliveryOptimization/DOMinRAMAllowedToPeer](#deliveryoptimization-dominramallowedtopeer)
-- [DeliveryOptimization/DOModifyCacheDrive](#deliveryoptimization-domodifycachedrive)
-- [DeliveryOptimization/DOMonthlyUploadDataCap](#deliveryoptimization-domonthlyuploaddatacap)
-- [DeliveryOptimization/DOPercentageMaxBackgroundBandwidth](#deliveryoptimization-dopercentagemaxbackgroundbandwidth)
-- [DeliveryOptimization/DOPercentageMaxDownloadBandwidth](#deliveryoptimization-dopercentagemaxdownloadbandwidth)
-- [DeliveryOptimization/DOPercentageMaxForegroundBandwidth](#deliveryoptimization-dopercentagemaxforegroundbandwidth)
-- [DeliveryOptimization/DORestrictPeerSelectionBy](#deliveryoptimization-dorestrictpeerselectionby)
-- [DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth](#deliveryoptimization-dosethourstolimitbackgrounddownloadbandwidth)
-- [DeliveryOptimization/DOSetHoursToLimitForegroundDownloadBandwidth](#deliveryoptimization-dosethourstolimitforegrounddownloadbandwidth)
-
-
-
-## DeliveryOptimization policies supported by IoT Enterprise
-
-- [DeliveryOptimization/DOAbsoluteMaxCacheSize](#deliveryoptimization-doabsolutemaxcachesize)
-- [DeliveryOptimization/DOAllowVPNPeerCaching](#deliveryoptimization-doallowvpnpeercaching)
-- [DeliveryOptimization/DOCacheHost](#deliveryoptimization-docachehost)
-- [DeliveryOptimization/DODelayBackgroundDownloadFromHttp](#deliveryoptimization-dodelaybackgrounddownloadfromhttp)
-- [DeliveryOptimization/DODelayForegroundDownloadFromHttp](#deliveryoptimization-dodelayforegrounddownloadfromhttp)
-- [DeliveryOptimization/DODelayCacheServerFallbackBackground](#deliveryoptimization-dodelaycacheserverfallbackbackground)
-- [DeliveryOptimization/DODelayCacheServerFallbackForeground](#deliveryoptimization-dodelaycacheserverfallbackforeground)
-- [DeliveryOptimization/DODownloadMode](#deliveryoptimization-dodownloadmode)
-- [DeliveryOptimization/DOGroupId](#deliveryoptimization-dogroupid)
-- [DeliveryOptimization/DOGroupIdSource](#deliveryoptimization-dogroupidsource)
-- [DeliveryOptimization/DOMaxCacheAge](#deliveryoptimization-domaxcacheage)
-- [DeliveryOptimization/DOMaxCacheSize](#deliveryoptimization-domaxcachesize)
-- [DeliveryOptimization/DOMaxDownloadBandwidth](#deliveryoptimization-domaxdownloadbandwidth)
-- [DeliveryOptimization/DOMaxUploadBandwidth](#deliveryoptimization-domaxuploadbandwidth)
-- [DeliveryOptimization/DOMinBackgroundQos](#deliveryoptimization-dominbackgroundqos)
-- [DeliveryOptimization/DOMinBatteryPercentageAllowedToUpload](#deliveryoptimization-dominbatterypercentageallowedtoupload)
-- [DeliveryOptimization/DOMinDiskSizeAllowedToPeer](#deliveryoptimization-domindisksizeallowedtopeer)
-- [DeliveryOptimization/DOMinFileSizeToCache](#deliveryoptimization-dominfilesizetocache)
-- [DeliveryOptimization/DOMinRAMAllowedToPeer](#deliveryoptimization-dominramallowedtopeer)
-- [DeliveryOptimization/DOModifyCacheDrive](#deliveryoptimization-domodifycachedrive)
-- [DeliveryOptimization/DOMonthlyUploadDataCap](#deliveryoptimization-domonthlyuploaddatacap)
-- [DeliveryOptimization/DOPercentageMaxBackgroundBandwidth](#deliveryoptimization-dopercentagemaxbackgroundbandwidth)
-- [DeliveryOptimization/DOPercentageMaxDownloadBandwidth](#deliveryoptimization-dopercentagemaxdownloadbandwidth)
-- [DeliveryOptimization/DOPercentageMaxForegroundBandwidth](#deliveryoptimization-dopercentagemaxforegroundbandwidth)
-- [DeliveryOptimization/DORestrictPeerSelectionBy](#deliveryoptimization-dorestrictpeerselectionby)
-- [DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth](#deliveryoptimization-dosethourstolimitbackgrounddownloadbandwidth)
-- [DeliveryOptimization/DOSetHoursToLimitForegroundDownloadBandwidth](#deliveryoptimization-dosethourstolimitforegrounddownloadbandwidth)
-
-
-
-
-## DeliveryOptimization policies supported by Microsoft Surface Hub
-
-- [DeliveryOptimization/DOAbsoluteMaxCacheSize](#deliveryoptimization-doabsolutemaxcachesize)
-- [DeliveryOptimization/DOAllowVPNPeerCaching](#deliveryoptimization-doallowvpnpeercaching)
-- [DeliveryOptimization/DODownloadMode](#deliveryoptimization-dodownloadmode)
-- [DeliveryOptimization/DOGroupId](#deliveryoptimization-dogroupid)
-- [DeliveryOptimization/DOMaxCacheAge](#deliveryoptimization-domaxcacheage)
-- [DeliveryOptimization/DOMaxCacheSize](#deliveryoptimization-domaxcachesize)
-- [DeliveryOptimization/DOMaxDownloadBandwidth](#deliveryoptimization-domaxdownloadbandwidth)
-- [DeliveryOptimization/DOMaxUploadBandwidth](#deliveryoptimization-domaxuploadbandwidth)
-- [DeliveryOptimization/DOMinBackgroundQos](#deliveryoptimization-dominbackgroundqos)
-- [DeliveryOptimization/DOMinDiskSizeAllowedToPeer](#deliveryoptimization-domindisksizeallowedtopeer)
-- [DeliveryOptimization/DOMinFileSizeToCache](#deliveryoptimization-dominfilesizetocache)
-- [DeliveryOptimization/DOMinRAMAllowedToPeer](#deliveryoptimization-dominramallowedtopeer)
-- [DeliveryOptimization/DOModifyCacheDrive](#deliveryoptimization-domodifycachedrive)
-- [DeliveryOptimization/DOMonthlyUploadDataCap](#deliveryoptimization-domonthlyuploaddatacap)
-- [DeliveryOptimization/DOPercentageMaxDownloadBandwidth](#deliveryoptimization-dopercentagemaxdownloadbandwidth)
-
-
Footnotes:
@@ -1806,3 +1711,5 @@ Footnotes:
- 4 - Added in Windows 10, version 1803.
- 5 - Added in Windows 10, version 1809.
- 6 - Added in Windows 10, version 1903.
+
+
diff --git a/windows/client-management/mdm/policy-csp-desktop.md b/windows/client-management/mdm/policy-csp-desktop.md
index ebe8a9efb2..4d1a10abe5 100644
--- a/windows/client-management/mdm/policy-csp-desktop.md
+++ b/windows/client-management/mdm/policy-csp-desktop.md
@@ -90,18 +90,13 @@ ADMX Info:
-Footnote:
+Footnotes:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
+- 5 - Added in Windows 10, version 1809.
+- 6 - Added in Windows 10, version 1903.
-
-
-
-## Desktop policies supported by Microsoft Surface Hub
-
-- [Desktop/PreventUserRedirectionOfProfileFolders](#desktop-preventuserredirectionofprofilefolders)
-
-
+
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-deviceguard.md b/windows/client-management/mdm/policy-csp-deviceguard.md
index 44a9b306d9..c06a4e40e9 100644
--- a/windows/client-management/mdm/policy-csp-deviceguard.md
+++ b/windows/client-management/mdm/policy-csp-deviceguard.md
@@ -285,14 +285,14 @@ The following list shows the supported values:
-Footnote:
+Footnotes:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
- 5 - Added in Windows 10, version 1809.
-- 6 - Added in the next major release of Windows 10.
+- 6 - Added in Windows 10, version 1903.
diff --git a/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md b/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md
index c945a7c66c..786c883fe0 100644
--- a/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md
+++ b/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md
@@ -199,26 +199,6 @@ In most cases, an IT Pro does not need to define this policy. Instead, it is exp
-
-
-
-
-## DeviceHealthMonitoring policies supported by IoT Core
-
-- [DeviceHealthMonitoring/AllowDeviceHealthMonitoring](#devicehealthmonitoring-allowdevicehealthmonitoring)
-- [DeviceHealthMonitoring/ConfigDeviceHealthMonitoringScope](#devicehealthmonitoring-configdevicehealthmonitoringscope)
-- [DeviceHealthMonitoring/ConfigDeviceHealthMonitoringUploadDestination](#devicehealthmonitoring-configdevicehealthmonitoringuploaddestination)
-
-
-
-## DeviceHealthMonitoring policies supported by IoT Enterprise
-
-- [DeviceHealthMonitoring/AllowDeviceHealthMonitoring](#devicehealthmonitoring-allowdevicehealthmonitoring)
-- [DeviceHealthMonitoring/ConfigDeviceHealthMonitoringScope](#devicehealthmonitoring-configdevicehealthmonitoringscope)
-- [DeviceHealthMonitoring/ConfigDeviceHealthMonitoringUploadDestination](#devicehealthmonitoring-configdevicehealthmonitoringuploaddestination)
-
-
-
Footnotes:
- 1 - Added in Windows 10, version 1607.
@@ -226,4 +206,6 @@ Footnotes:
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
- 5 - Added in Windows 10, version 1809.
-- 6 - Added in Windows 10, version 1903.
\ No newline at end of file
+- 6 - Added in Windows 10, version 1903.
+
+
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-deviceinstallation.md b/windows/client-management/mdm/policy-csp-deviceinstallation.md
index 1ff5f4fa3a..75e6a2bd5a 100644
--- a/windows/client-management/mdm/policy-csp-deviceinstallation.md
+++ b/windows/client-management/mdm/policy-csp-deviceinstallation.md
@@ -12,7 +12,6 @@ author: manikadhiman
# Policy CSP - DeviceInstallation
-
@@ -111,13 +110,6 @@ ADMX Info:
-
-
-
-
-
-
-
To enable this policy, use the following SyncML. This example allows Windows to install compatible devices with a device ID of USB\Composite or USB\Class_FF. To configure multiple classes, use `` as a delimiter.
@@ -148,6 +140,11 @@ To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see i
<<< Section end 2018/11/15 12:26:41.751
<<< [Exit status: SUCCESS]
```
+
+
+
+
+
@@ -222,13 +219,6 @@ ADMX Info:
-
-
-
-
-
-
-
To enable this policy, use the following SyncML. This example allows Windows to install:
- Floppy Disks, ClassGUID = {4d36e980-e325-11ce-bfc1-08002be10318}
@@ -266,6 +256,11 @@ To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see i
<<< Section end 2018/11/15 12:26:41.751
<<< [Exit status: SUCCESS]
```
+
+
+
+
+
@@ -311,8 +306,6 @@ If you enable this policy setting, Windows does not retrieve device metadata for
If you disable or do not configure this policy setting, the setting in the Device Installation Settings dialog box controls whether Windows retrieves device metadata from the Internet.
-
-
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -340,8 +333,6 @@ ADMX Info:
-
-
@@ -386,7 +377,6 @@ If you enable this policy setting, Windows is prevented from installing or updat
If you disable or do not configure this policy setting, Windows is allowed to install or update the device driver for any device that is not described by the "Prevent installation of devices that match any of these device IDs," "Prevent installation of devices for these device classes," or "Prevent installation of removable devices" policy setting.
-
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@@ -407,13 +397,6 @@ ADMX Info:
-
-
-
-
-
-
-
To enable this policy, use the following SyncML. This example prevents Windows from installing devices that are not specifically described by any other policy setting.
@@ -448,7 +431,11 @@ To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see i
You can also block installation by using a custom profile in Intune.
+
+
+
+
@@ -512,9 +499,10 @@ ADMX Info:
- GP ADMX file name: *deviceinstallation.admx*
-
-
+
+
+
To enable this policy, use the following SyncML. This example prevents Windows from installing compatible devices with a device ID of USB\Composite or USB\Class_FF. To configure multiple classes, use  as a delimiter. To apply the policy to matching device classes that are already installed, set DeviceInstall_IDs_Deny_Retroactive to true.
@@ -552,6 +540,11 @@ You can also block installation and usage of prohibited peripherals by using a c
For example, this custom profile blocks installation and usage of USB devices with hardware IDs "USB\Composite" and "USB\Class_FF", and applies to USB devices with matching hardware IDs that are already installed.
+
+
+
+
+
@@ -614,9 +607,10 @@ ADMX Info:
- GP ADMX file name: *deviceinstallation.admx*
-
-
+
+
+
To enable this policy, use the following SyncML. This example prevents Windows from installing:
- Floppy Disks, ClassGUID = {4d36e980-e325-11ce-bfc1-08002be10318}
@@ -653,15 +647,20 @@ To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see i
<<< Section end 2018/11/15 12:26:41.751
<<< [Exit status: SUCCESS]
```
+
+
-Footnote:
+
+
+
+
+Footnotes:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
- 5 - Added in Windows 10, version 1809.
-- 6 - Added in the next major release of Windows 10.
-
-
+- 6 - Added in Windows 10, version 1903.
+
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-devicelock.md b/windows/client-management/mdm/policy-csp-devicelock.md
index 524745b05b..dd583b02dc 100644
--- a/windows/client-management/mdm/policy-csp-devicelock.md
+++ b/windows/client-management/mdm/policy-csp-devicelock.md
@@ -387,12 +387,12 @@ Specifies whether device lock is enabled.
> [!Important]
> **DevicePasswordEnabled** should not be set to Enabled (0) when WMI is used to set the EAS DeviceLock policies given that it is Enabled by default in Policy CSP for back compat with Windows 8.x. If **DevicePasswordEnabled** is set to Enabled(0) then Policy CSP will return an error stating that **DevicePasswordEnabled** already exists. Windows 8.x did not support DevicePassword policy. When disabling **DevicePasswordEnabled** (1) then this should be the only policy set from the DeviceLock group of policies listed below:
> - **DevicePasswordEnabled** is the parent policy of the following:
-> - AllowSimpleDevicePassword
-> - MinDevicePasswordLength
-> - AlphanumericDevicePasswordRequired
-> - MinDevicePasswordComplexCharacters
-> - DevicePasswordExpiration
-> - DevicePasswordHistory
+> - AllowSimpleDevicePassword
+> - MinDevicePasswordLength
+> - AlphanumericDevicePasswordRequired
+> - MinDevicePasswordComplexCharacters
+> - DevicePasswordExpiration
+> - DevicePasswordHistory
> - MaxDevicePasswordFailedAttempts
> - MaxInactivityTimeDeviceLock
@@ -1207,54 +1207,6 @@ Most restricted value is 0.
-
-
-
-
-## DeviceLock policies supported by HoloLens 2
-
-- [DeviceLock/AllowIdleReturnWithoutPassword](#devicelock-allowidlereturnwithoutpassword)
-- [DeviceLock/AllowSimpleDevicePassword](#devicelock-allowsimpledevicepassword)
-- [DeviceLock/AlphanumericDevicePasswordRequired](#devicelock-alphanumericdevicepasswordrequired)
-- [DeviceLock/DevicePasswordEnabled](#devicelock-devicepasswordenabled)
-- [DeviceLock/DevicePasswordExpiration](#devicelock-devicepasswordexpiration)
-- [DeviceLock/DevicePasswordHistory](#devicelock-devicepasswordhistory)
-- [DeviceLock/MaxDevicePasswordFailedAttempts](#devicelock-maxdevicepasswordfailedattempts)
-- [DeviceLock/MaxInactivityTimeDeviceLock](#devicelock-maxinactivitytimedevicelock)
-- [DeviceLock/MinDevicePasswordComplexCharacters](#devicelock-mindevicepasswordcomplexcharacters)
-- [DeviceLock/MinDevicePasswordLength](#devicelock-mindevicepasswordlength)
-
-
-
-
-## DeviceLock policies supported by HoloLens (1st gen) Commercial Suite
-
-- [DeviceLock/AllowIdleReturnWithoutPassword](#devicelock-allowidlereturnwithoutpassword)
-- [DeviceLock/AllowSimpleDevicePassword](#devicelock-allowsimpledevicepassword)
-- [DeviceLock/AlphanumericDevicePasswordRequired](#devicelock-alphanumericdevicepasswordrequired)
-- [DeviceLock/DevicePasswordEnabled](#devicelock-devicepasswordenabled)
-- [DeviceLock/DevicePasswordHistory](#devicelock-devicepasswordhistory)
-- [DeviceLock/MaxDevicePasswordFailedAttempts](#devicelock-maxdevicepasswordfailedattempts)
-- [DeviceLock/MaxInactivityTimeDeviceLock](#devicelock-maxinactivitytimedevicelock)
-- [DeviceLock/MinDevicePasswordComplexCharacters](#devicelock-mindevicepasswordcomplexcharacters)
-- [DeviceLock/MinDevicePasswordLength](#devicelock-mindevicepasswordlength)
-
-
-
-## DeviceLock policies supported by HoloLens (1st gen) Development Edition
-
-- [DeviceLock/AllowIdleReturnWithoutPassword](#devicelock-allowidlereturnwithoutpassword)
-- [DeviceLock/AllowSimpleDevicePassword](#devicelock-allowsimpledevicepassword)
-- [DeviceLock/AlphanumericDevicePasswordRequired](#devicelock-alphanumericdevicepasswordrequired)
-- [DeviceLock/DevicePasswordEnabled](#devicelock-devicepasswordenabled)
-- [DeviceLock/DevicePasswordHistory](#devicelock-devicepasswordhistory)
-- [DeviceLock/MaxDevicePasswordFailedAttempts](#devicelock-maxdevicepasswordfailedattempts)
-- [DeviceLock/MaxInactivityTimeDeviceLock](#devicelock-maxinactivitytimedevicelock)
-- [DeviceLock/MinDevicePasswordComplexCharacters](#devicelock-mindevicepasswordcomplexcharacters)
-- [DeviceLock/MinDevicePasswordLength](#devicelock-mindevicepasswordlength)
-
-
-
Footnotes:
@@ -1265,3 +1217,5 @@ Footnotes:
- 4 - Added in Windows 10, version 1803.
- 5 - Added in Windows 10, version 1809.
- 6 - Added in Windows 10, version 1903.
+
+
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-display.md b/windows/client-management/mdm/policy-csp-display.md
index e6bdb26828..1bda716377 100644
--- a/windows/client-management/mdm/policy-csp-display.md
+++ b/windows/client-management/mdm/policy-csp-display.md
@@ -349,12 +349,14 @@ To validate on Desktop, do the following:
-Footnote:
+Footnotes:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
+- 5 - Added in Windows 10, version 1809.
+- 6 - Added in Windows 10, version 1903.
diff --git a/windows/client-management/mdm/policy-csp-dmaguard.md b/windows/client-management/mdm/policy-csp-dmaguard.md
index 84edbd082b..da361d9226 100644
--- a/windows/client-management/mdm/policy-csp-dmaguard.md
+++ b/windows/client-management/mdm/policy-csp-dmaguard.md
@@ -105,14 +105,14 @@ ADMX Info:
-Footnote:
+Footnotes:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
- 5 - Added in Windows 10, version 1809.
-- 6 - Added in the next major release of Windows 10.
+- 6 - Added in Windows 10, version 1903.
diff --git a/windows/client-management/mdm/policy-csp-education.md b/windows/client-management/mdm/policy-csp-education.md
index 75f755f4fb..56e547eb48 100644
--- a/windows/client-management/mdm/policy-csp-education.md
+++ b/windows/client-management/mdm/policy-csp-education.md
@@ -182,12 +182,14 @@ The policy value is expected to be a `````` seperated list of printer na
-Footnote:
+Footnotes:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
+- 5 - Added in Windows 10, version 1809.
+- 6 - Added in Windows 10, version 1903.
diff --git a/windows/client-management/mdm/policy-csp-enterprisecloudprint.md b/windows/client-management/mdm/policy-csp-enterprisecloudprint.md
index 606cfc2ceb..255d2c5715 100644
--- a/windows/client-management/mdm/policy-csp-enterprisecloudprint.md
+++ b/windows/client-management/mdm/policy-csp-enterprisecloudprint.md
@@ -325,12 +325,14 @@ The default value is an empty string. Otherwise, the value should contain a URL.
-Footnote:
+Footnotes:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
+- 5 - Added in Windows 10, version 1809.
+- 6 - Added in Windows 10, version 1903.
diff --git a/windows/client-management/mdm/policy-csp-errorreporting.md b/windows/client-management/mdm/policy-csp-errorreporting.md
index d498c385d6..c1dd1a8584 100644
--- a/windows/client-management/mdm/policy-csp-errorreporting.md
+++ b/windows/client-management/mdm/policy-csp-errorreporting.md
@@ -364,12 +364,14 @@ ADMX Info:
-Footnote:
+Footnotes:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
+- 5 - Added in Windows 10, version 1809.
+- 6 - Added in Windows 10, version 1903.
diff --git a/windows/client-management/mdm/policy-csp-eventlogservice.md b/windows/client-management/mdm/policy-csp-eventlogservice.md
index a12bf88937..c12aeb4299 100644
--- a/windows/client-management/mdm/policy-csp-eventlogservice.md
+++ b/windows/client-management/mdm/policy-csp-eventlogservice.md
@@ -287,12 +287,14 @@ ADMX Info:
-Footnote:
+Footnotes:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
+- 5 - Added in Windows 10, version 1809.
+- 6 - Added in Windows 10, version 1903.
diff --git a/windows/client-management/mdm/policy-csp-experience.md b/windows/client-management/mdm/policy-csp-experience.md
index 7e61e7696e..f3f3c0854d 100644
--- a/windows/client-management/mdm/policy-csp-experience.md
+++ b/windows/client-management/mdm/policy-csp-experience.md
@@ -1639,28 +1639,6 @@ Supported values:
-
-
-
-
-## Experience policies supported by HoloLens 2
-
-- [Experience/AllowCortana](#experience-allowcortana)
-- [Experience/AllowManualMDMUnenrollment](#experience-allowmanualmdmunenrollment)
-
-
-
-## Experience policies supported by HoloLens (1st gen) Commercial Suite
-
-- [Experience/AllowCortana](#experience-allowcortana)
-
-
-
-## Experience policies supported by HoloLens (1st gen) Development Edition
-
-- [Experience/AllowCortana](#experience-allowcortana)
-
-
Footnotes:
@@ -1671,3 +1649,4 @@ Footnotes:
- 4 - Added in Windows 10, version 1803.
- 5 - Added in Windows 10, version 1809.
- 6 - Added in Windows 10, version 1903.
+
diff --git a/windows/client-management/mdm/policy-csp-exploitguard.md b/windows/client-management/mdm/policy-csp-exploitguard.md
index 8e0abebf9d..bd99331c3a 100644
--- a/windows/client-management/mdm/policy-csp-exploitguard.md
+++ b/windows/client-management/mdm/policy-csp-exploitguard.md
@@ -65,7 +65,7 @@ manager: dansimp
-Enables the IT admin to push out a configuration representing the desired system and application mitigation options to all the devices in the organization. The configuration is represented by an XML. For more information Exploit Protection, see [Protect devices from exploits with Windows Defender Exploit Guard](https://docs.microsoft.com/windows/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard) and [Import, export, and deploy Exploit Protection configurations](https://docs.microsoft.com/windows/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml).
+Enables the IT admin to push out a configuration representing the desired system and application mitigation options to all the devices in the organization. The configuration is represented by an XML. For more information Exploit Protection, see [Protect devices from exploits](https://docs.microsoft.com/windows/threat-protection/windows-defender-exploit-guard/exploit-protection) and [Import, export, and deploy Exploit Protection configurations](https://docs.microsoft.com/windows/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml).
The system settings require a reboot; the application settings do not require a reboot.
@@ -109,12 +109,14 @@ Here is an example:
-Footnote:
+Footnotes:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
+- 5 - Added in Windows 10, version 1809.
+- 6 - Added in Windows 10, version 1903.
diff --git a/windows/client-management/mdm/policy-csp-fileexplorer.md b/windows/client-management/mdm/policy-csp-fileexplorer.md
index f2666b4442..20df4e5b6a 100644
--- a/windows/client-management/mdm/policy-csp-fileexplorer.md
+++ b/windows/client-management/mdm/policy-csp-fileexplorer.md
@@ -146,12 +146,14 @@ ADMX Info:
-Footnote:
+Footnotes:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
+- 5 - Added in Windows 10, version 1809.
+- 6 - Added in Windows 10, version 1903.
diff --git a/windows/client-management/mdm/policy-csp-games.md b/windows/client-management/mdm/policy-csp-games.md
index 750f00f237..7160e21904 100644
--- a/windows/client-management/mdm/policy-csp-games.md
+++ b/windows/client-management/mdm/policy-csp-games.md
@@ -78,12 +78,14 @@ The following list shows the supported values:
-Footnote:
+Footnotes:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
+- 5 - Added in Windows 10, version 1809.
+- 6 - Added in Windows 10, version 1903.
diff --git a/windows/client-management/mdm/policy-csp-handwriting.md b/windows/client-management/mdm/policy-csp-handwriting.md
index 12cb543539..752f2010f7 100644
--- a/windows/client-management/mdm/policy-csp-handwriting.md
+++ b/windows/client-management/mdm/policy-csp-handwriting.md
@@ -92,12 +92,14 @@ The following list shows the supported values:
-Footnote:
+Footnotes:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
+- 5 - Added in Windows 10, version 1809.
+- 6 - Added in Windows 10, version 1903.
diff --git a/windows/client-management/mdm/policy-csp-internetexplorer.md b/windows/client-management/mdm/policy-csp-internetexplorer.md
index d13267b269..e77d5a4eb3 100644
--- a/windows/client-management/mdm/policy-csp-internetexplorer.md
+++ b/windows/client-management/mdm/policy-csp-internetexplorer.md
@@ -13428,7 +13428,7 @@ For more information, see "Outdated ActiveX Controls" in the Internet Explorer T
ADMX Info:
-- GP English name: *Remove "Run this time" button for outdated ActiveX controls in Internet Explorer *
+- GP English name: *Remove "Run this time" button for outdated ActiveX controls in Internet Explorer*
- GP name: *VerMgmtDisableRunThisTime*
- GP path: *Windows Components/Internet Explorer/Security Features/Add-on Management*
- GP ADMX file name: *inetres.admx*
@@ -16504,7 +16504,7 @@ Also, see the "Security zones: Do not allow users to change policies" policy.
ADMX Info:
-- GP English name: *Security Zones: Use only machine settings *
+- GP English name: *Security Zones: Use only machine settings*
- GP name: *Security_HKLM_only*
- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
@@ -17427,38 +17427,6 @@ ADMX Info:
-
-
-
-
-
-
-
-
-
-
-
-
-## InternetExplorer policies supported by IoT Core
-
-- [InternetExplorer/DisableActiveXVersionListAutoDownload](#internetexplorer-disableactivexversionlistautodownload)
-- [InternetExplorer/DisableCompatView](#internetexplorer-disablecompatview)
-- [InternetExplorer/DisableGeolocation](#internetexplorer-disablegeolocation)
-
-
-
-## InternetExplorer policies supported by IoT Enterprise
-
-- [InternetExplorer/AllowEnhancedSuggestionsInAddressBar](#internetexplorer-allowenhancedsuggestionsinaddressbar)
-- [InternetExplorer/DisableActiveXVersionListAutoDownload](#internetexplorer-disableactivexversionlistautodownload)
-- [InternetExplorer/DisableCompatView](#internetexplorer-disablecompatview)
-- [InternetExplorer/DisableFeedsBackgroundSync](#internetexplorer-disablefeedsbackgroundsync)
-- [InternetExplorer/DisableGeolocation](#internetexplorer-disablegeolocation)
-- [InternetExplorer/DisableWebAddressAutoComplete](#internetexplorer-disablewebaddressautocomplete)
-- [InternetExplorer/NewTabDefaultPage](#internetexplorer-newtabdefaultpage)
-
-
-
Footnotes:
@@ -17469,3 +17437,7 @@ Footnotes:
- 4 - Added in Windows 10, version 1803.
- 5 - Added in Windows 10, version 1809.
- 6 - Added in Windows 10, version 1903.
+
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-kerberos.md b/windows/client-management/mdm/policy-csp-kerberos.md
index 2df8f06e1a..58ad5ba29e 100644
--- a/windows/client-management/mdm/policy-csp-kerberos.md
+++ b/windows/client-management/mdm/policy-csp-kerberos.md
@@ -416,14 +416,14 @@ Devices joined to Azure Active Directory in a hybrid environment need to interac
-Footnote:
+Footnotes:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
- 5 - Added in Windows 10, version 1809.
-- 6 - Added in the next major release of Windows 10.
+- 6 - Added in Windows 10, version 1903.
diff --git a/windows/client-management/mdm/policy-csp-kioskbrowser.md b/windows/client-management/mdm/policy-csp-kioskbrowser.md
index 99fb4e9a1b..351f5e5e34 100644
--- a/windows/client-management/mdm/policy-csp-kioskbrowser.md
+++ b/windows/client-management/mdm/policy-csp-kioskbrowser.md
@@ -370,12 +370,14 @@ The value is an int 1-1440 that specifies the amount of minutes the session is i
-Footnote:
+Footnotes:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
+- 5 - Added in Windows 10, version 1809.
+- 6 - Added in Windows 10, version 1903.
diff --git a/windows/client-management/mdm/policy-csp-lanmanworkstation.md b/windows/client-management/mdm/policy-csp-lanmanworkstation.md
index d185745718..28ed33797b 100644
--- a/windows/client-management/mdm/policy-csp-lanmanworkstation.md
+++ b/windows/client-management/mdm/policy-csp-lanmanworkstation.md
@@ -88,12 +88,14 @@ This setting supports a range of values between 0 and 1.
-Footnote:
+Footnotes:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
+- 5 - Added in Windows 10, version 1809.
+- 6 - Added in Windows 10, version 1903.
diff --git a/windows/client-management/mdm/policy-csp-licensing.md b/windows/client-management/mdm/policy-csp-licensing.md
index 4c7c69815e..c933be9fb3 100644
--- a/windows/client-management/mdm/policy-csp-licensing.md
+++ b/windows/client-management/mdm/policy-csp-licensing.md
@@ -147,12 +147,14 @@ The following list shows the supported values:
-Footnote:
+Footnotes:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
+- 5 - Added in Windows 10, version 1809.
+- 6 - Added in Windows 10, version 1903.
diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
index ec391230a3..74c59adcec 100644
--- a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
+++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
@@ -3460,14 +3460,14 @@ The following list shows the supported values:
-Footnote:
+Footnotes:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
- 5 - Added in Windows 10, version 1809.
-- 6 - Added in the next major release of Windows 10.
+- 6 - Added in Windows 10, version 1903.
diff --git a/windows/client-management/mdm/policy-csp-lockdown.md b/windows/client-management/mdm/policy-csp-lockdown.md
index 0f90b19790..b775445fbd 100644
--- a/windows/client-management/mdm/policy-csp-lockdown.md
+++ b/windows/client-management/mdm/policy-csp-lockdown.md
@@ -88,12 +88,14 @@ The following list shows the supported values:
-Footnote:
+Footnotes:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
+- 5 - Added in Windows 10, version 1809.
+- 6 - Added in Windows 10, version 1903.
diff --git a/windows/client-management/mdm/policy-csp-maps.md b/windows/client-management/mdm/policy-csp-maps.md
index 1028e204b8..7cb5bf15bc 100644
--- a/windows/client-management/mdm/policy-csp-maps.md
+++ b/windows/client-management/mdm/policy-csp-maps.md
@@ -145,12 +145,14 @@ The following list shows the supported values:
-Footnote:
+Footnotes:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
+- 5 - Added in Windows 10, version 1809.
+- 6 - Added in Windows 10, version 1903.
diff --git a/windows/client-management/mdm/policy-csp-messaging.md b/windows/client-management/mdm/policy-csp-messaging.md
index b2efd6a840..745d653627 100644
--- a/windows/client-management/mdm/policy-csp-messaging.md
+++ b/windows/client-management/mdm/policy-csp-messaging.md
@@ -198,12 +198,14 @@ The following list shows the supported values:
-Footnote:
+Footnotes:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
+- 5 - Added in Windows 10, version 1809.
+- 6 - Added in Windows 10, version 1903.
diff --git a/windows/client-management/mdm/policy-csp-mssecurityguide.md b/windows/client-management/mdm/policy-csp-mssecurityguide.md
index 4e53332f72..acea48e305 100644
--- a/windows/client-management/mdm/policy-csp-mssecurityguide.md
+++ b/windows/client-management/mdm/policy-csp-mssecurityguide.md
@@ -372,12 +372,14 @@ ADMX Info:
-Footnote:
+Footnotes:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
+- 5 - Added in Windows 10, version 1809.
+- 6 - Added in Windows 10, version 1903.
diff --git a/windows/client-management/mdm/policy-csp-msslegacy.md b/windows/client-management/mdm/policy-csp-msslegacy.md
index 722b58c97c..ec20518e9d 100644
--- a/windows/client-management/mdm/policy-csp-msslegacy.md
+++ b/windows/client-management/mdm/policy-csp-msslegacy.md
@@ -256,12 +256,14 @@ ADMX Info:
-Footnote:
+Footnotes:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
+- 5 - Added in Windows 10, version 1809.
+- 6 - Added in Windows 10, version 1903.
diff --git a/windows/client-management/mdm/policy-csp-networkisolation.md b/windows/client-management/mdm/policy-csp-networkisolation.md
index 9404b184fc..aac7ebd8b6 100644
--- a/windows/client-management/mdm/policy-csp-networkisolation.md
+++ b/windows/client-management/mdm/policy-csp-networkisolation.md
@@ -477,12 +477,14 @@ ADMX Info:
-Footnote:
+Footnotes:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
+- 5 - Added in Windows 10, version 1809.
+- 6 - Added in Windows 10, version 1903.
diff --git a/windows/client-management/mdm/policy-csp-notifications.md b/windows/client-management/mdm/policy-csp-notifications.md
index 1624dfe21f..638cc7018d 100644
--- a/windows/client-management/mdm/policy-csp-notifications.md
+++ b/windows/client-management/mdm/policy-csp-notifications.md
@@ -237,12 +237,14 @@ Validation:
-Footnote:
+Footnotes:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
+- 5 - Added in Windows 10, version 1809.
+- 6 - Added in Windows 10, version 1903.
diff --git a/windows/client-management/mdm/policy-csp-power.md b/windows/client-management/mdm/policy-csp-power.md
index 643ff5cea3..5b5da040da 100644
--- a/windows/client-management/mdm/policy-csp-power.md
+++ b/windows/client-management/mdm/policy-csp-power.md
@@ -1561,8 +1561,6 @@ Default value for unattended sleep timeout (plugged in):
-
-
Footnotes:
@@ -1573,3 +1571,6 @@ Footnotes:
- 4 - Added in Windows 10, version 1803.
- 5 - Added in Windows 10, version 1809.
- 6 - Added in Windows 10, version 1903.
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-printers.md b/windows/client-management/mdm/policy-csp-printers.md
index 16470df06b..7220444c6a 100644
--- a/windows/client-management/mdm/policy-csp-printers.md
+++ b/windows/client-management/mdm/policy-csp-printers.md
@@ -261,12 +261,14 @@ ADMX Info:
-Footnote:
+Footnotes:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
+- 5 - Added in Windows 10, version 1809.
+- 6 - Added in Windows 10, version 1903.
diff --git a/windows/client-management/mdm/policy-csp-privacy.md b/windows/client-management/mdm/policy-csp-privacy.md
index 65dea5a83d..d2d5b890fa 100644
--- a/windows/client-management/mdm/policy-csp-privacy.md
+++ b/windows/client-management/mdm/policy-csp-privacy.md
@@ -5241,49 +5241,6 @@ ADMX Info:
-
-
-
-
-## Privacy policies supported by HoloLens 2
-
-- [Privacy/AllowInputPersonalization](#privacy-allowinputpersonalization)
-- [LetAppsAccessAccountInfo](#privacy-letappsaccessaccountinfo)
-- [LetAppsAccessAccountInfo_ForceAllowTheseApps](#privacy-letappsaccessaccountinfo-forceallowtheseapps)
-- [LetAppsAccessAccountInfo_ForceDenyTheseApps](#privacy-letappsaccessaccountinfo-forcedenytheseapps)
-- [LetAppsAccessAccountInfo_UserInControlOfTheseApps](#privacy-letappsaccessaccountinfo-userincontroloftheseapps)
-- [LetAppsAccessBackgroundSpatialPerception](#privacy-letappsaccessbackgroundspatialperception)
-- [LetAppsAccessBackgroundSpatialPerception_ForceAllowTheseApps](#privacy-letappsaccessbackgroundspatialperception-forceallowtheseapps)
-- [LetAppsAccessBackgroundSpatialPerception_ForceDenyTheseApps](#privacy-letappsaccessbackgroundspatialperception-forcedenytheseapps)
-- [LetAppsAccessBackgroundSpatialPerception_UserInControlOfTheseApps](#privacy-letappsaccessbackgroundspatialperception-userincontroloftheseapps)
-- [Privacy/LetAppsAccessCamera](#privacy-letappsaccesscamera)
-- [Privacy/LetAppsAccessLocation](#privacy-letappsaccesslocation)
-- [Privacy/LetAppsAccessMicrophone](#privacy-letappsaccessmicrophone)
-
-
-
-## Privacy policies supported by HoloLens (1st gen) Commercial Suite
-
-- [Privacy/AllowInputPersonalization](#privacy-allowinputpersonalization)
-
-
-
-## Privacy policies supported by HoloLens (1st gen) Development Edition
-
-- [Privacy/AllowInputPersonalization](#privacy-allowinputpersonalization)
-
-
-## Privacy policies supported by Windows 10 IoT Core
-- [Privacy/LetAppsActivateWithVoice](#privacy-letappsactivatewithvoice)
-- [Privacy/LetAppsActivateWithVoiceAboveLock](#privacy-letappsactivatewithvoiceabovelock)
-
-
-
-## Privacy policies supported by Windows 10 IoT Enterprise
-- [Privacy/LetAppsActivateWithVoice](#privacy-letappsactivatewithvoice)
-- [Privacy/LetAppsActivateWithVoiceAboveLock](#privacy-letappsactivatewithvoiceabovelock)
-
-
Footnotes:
@@ -5294,3 +5251,5 @@ Footnotes:
- 4 - Added in Windows 10, version 1803.
- 5 - Added in Windows 10, version 1809.
- 6 - Added in Windows 10, version 1903.
+
+
diff --git a/windows/client-management/mdm/policy-csp-remoteassistance.md b/windows/client-management/mdm/policy-csp-remoteassistance.md
index 338d517c12..c6e88e8bc0 100644
--- a/windows/client-management/mdm/policy-csp-remoteassistance.md
+++ b/windows/client-management/mdm/policy-csp-remoteassistance.md
@@ -336,12 +336,14 @@ ADMX Info:
-Footnote:
+Footnotes:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
+- 5 - Added in Windows 10, version 1809.
+- 6 - Added in Windows 10, version 1903.
diff --git a/windows/client-management/mdm/policy-csp-remotedesktopservices.md b/windows/client-management/mdm/policy-csp-remotedesktopservices.md
index c9c9ba51bf..3f901d522c 100644
--- a/windows/client-management/mdm/policy-csp-remotedesktopservices.md
+++ b/windows/client-management/mdm/policy-csp-remotedesktopservices.md
@@ -447,12 +447,14 @@ ADMX Info:
-Footnote:
+Footnotes:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
+- 5 - Added in Windows 10, version 1809.
+- 6 - Added in Windows 10, version 1903.
diff --git a/windows/client-management/mdm/policy-csp-remotemanagement.md b/windows/client-management/mdm/policy-csp-remotemanagement.md
index ba8a7d6310..8d76918842 100644
--- a/windows/client-management/mdm/policy-csp-remotemanagement.md
+++ b/windows/client-management/mdm/policy-csp-remotemanagement.md
@@ -365,7 +365,7 @@ If you disable or do not configure this policy setting, the WinRM service will n
The service listens on the addresses specified by the IPv4 and IPv6 filters. The IPv4 filter specifies one or more ranges of IPv4 addresses, and the IPv6 filter specifies one or more ranges of IPv6addresses. If specified, the service enumerates the available IP addresses on the computer and uses only addresses that fall within one of the filter ranges.
-You should use an asterisk (*) to indicate that the service listens on all available IP addresses on the computer. When * is used, other ranges in the filter are ignored. If the filter is left blank, the service does not listen on any addresses.
+You should use an asterisk (\*) to indicate that the service listens on all available IP addresses on the computer. When \* is used, other ranges in the filter are ignored. If the filter is left blank, the service does not listen on any addresses.
For example, if you want the service to listen only on IPv4 addresses, leave the IPv6 filter empty.
@@ -1029,12 +1029,14 @@ ADMX Info:
-Footnote:
+Footnotes:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
+- 5 - Added in Windows 10, version 1809.
+- 6 - Added in Windows 10, version 1903.
diff --git a/windows/client-management/mdm/policy-csp-remoteprocedurecall.md b/windows/client-management/mdm/policy-csp-remoteprocedurecall.md
index ade921ae21..48ec861646 100644
--- a/windows/client-management/mdm/policy-csp-remoteprocedurecall.md
+++ b/windows/client-management/mdm/policy-csp-remoteprocedurecall.md
@@ -171,12 +171,14 @@ ADMX Info:
-Footnote:
+Footnotes:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
+- 5 - Added in Windows 10, version 1809.
+- 6 - Added in Windows 10, version 1903.
diff --git a/windows/client-management/mdm/policy-csp-remoteshell.md b/windows/client-management/mdm/policy-csp-remoteshell.md
index 21cfd117d2..6bf43c0535 100644
--- a/windows/client-management/mdm/policy-csp-remoteshell.md
+++ b/windows/client-management/mdm/policy-csp-remoteshell.md
@@ -484,12 +484,14 @@ ADMX Info:
-Footnote:
+Footnotes:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
+- 5 - Added in Windows 10, version 1809.
+- 6 - Added in Windows 10, version 1903.
diff --git a/windows/client-management/mdm/policy-csp-restrictedgroups.md b/windows/client-management/mdm/policy-csp-restrictedgroups.md
index 2ee10fa612..0ca2dc4914 100644
--- a/windows/client-management/mdm/policy-csp-restrictedgroups.md
+++ b/windows/client-management/mdm/policy-csp-restrictedgroups.md
@@ -52,12 +52,6 @@ manager: dansimp
-Footnote:
-
-- 1 - Added in Windows 10, version 1607.
-- 2 - Added in Windows 10, version 1703.
-- 3 - Added in Windows 10, version 1709.
-- 4 - Added in Windows 10, version 1803.
@@ -132,15 +126,23 @@ Here is an example:
```
+
+> [!Note]
+> * You should include the local administrator while modifying the administrators group to prevent accidental loss of access
+> * Include the entire UPN after AzureAD
+Footnotes:
-Take note:
-* You should include the local administrator while modifying the administrators group to prevent accidental loss of access
-* Include the entire UPN after AzureAD
-
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+- 4 - Added in Windows 10, version 1803.
+- 5 - Added in Windows 10, version 1809.
+- 6 - Added in Windows 10, version 1903.
+
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-search.md b/windows/client-management/mdm/policy-csp-search.md
index f551f810e3..d1b35bda00 100644
--- a/windows/client-management/mdm/policy-csp-search.md
+++ b/windows/client-management/mdm/policy-csp-search.md
@@ -918,27 +918,6 @@ The following list shows the supported values:
-
-
-
-
-## Search policies supported by HoloLens 2
-
-- [Search/AllowSearchToUseLocation](#search-allowsearchtouselocation)
-
-
-
-## Search policies supported by HoloLens (1st gen) Commercial Suite
-
-- [Search/AllowSearchToUseLocation](#search-allowsearchtouselocation)
-
-
-
-## Search policies supported by HoloLens (1st gen) Development Edition
-
-- [Search/AllowSearchToUseLocation](#search-allowsearchtouselocation)
-
-
Footnotes:
@@ -949,3 +928,5 @@ Footnotes:
- 4 - Added in Windows 10, version 1803.
- 5 - Added in Windows 10, version 1809.
- 6 - Added in Windows 10, version 1903.
+
+
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-security.md b/windows/client-management/mdm/policy-csp-security.md
index 22bddbe478..5018d1a105 100644
--- a/windows/client-management/mdm/policy-csp-security.md
+++ b/windows/client-management/mdm/policy-csp-security.md
@@ -741,27 +741,6 @@ The following list shows the supported values:
-
-
-
-
-## Security policies supported by HoloLens 2
-
-- [Security/RequireDeviceEncryption](#security-requiredeviceencryption)
-
-
-
-## Security policies supported by HoloLens (1st gen) Commercial Suite
-
-- [Security/RequireDeviceEncryption](#security-requiredeviceencryption)
-
-
-
-## Security policies supported by HoloLens (1st gen) Development Edition
-
-- [Security/RequireDeviceEncryption](#security-requiredeviceencryption)
-
-
Footnotes:
@@ -772,3 +751,4 @@ Footnotes:
- 4 - Added in Windows 10, version 1803.
- 5 - Added in Windows 10, version 1809.
- 6 - Added in Windows 10, version 1903.
+
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-servicecontrolmanager.md b/windows/client-management/mdm/policy-csp-servicecontrolmanager.md
index 9ce3ab68b9..15a529a427 100644
--- a/windows/client-management/mdm/policy-csp-servicecontrolmanager.md
+++ b/windows/client-management/mdm/policy-csp-servicecontrolmanager.md
@@ -1,7 +1,7 @@
---
title: Policy CSP - ServiceControlManager
description: Policy CSP - ServiceControlManager
-ms.author: Heidi.Lohr
+ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
diff --git a/windows/client-management/mdm/policy-csp-settings.md b/windows/client-management/mdm/policy-csp-settings.md
index 81727ffef1..bfd4bd4760 100644
--- a/windows/client-management/mdm/policy-csp-settings.md
+++ b/windows/client-management/mdm/policy-csp-settings.md
@@ -806,11 +806,11 @@ If the policy is not specified, the behavior will be that no pages are affected.
The format of the PageVisibilityList value is as follows:
-- The value is a unicode string up to 10,000 characters long, which will be used without case sensitivity.
-- There are two variants: one that shows only the given pages and one which hides the given pages.
-- The first variant starts with the string "showonly:" and the second with the string "hide:".
-- Following the variant identifier is a semicolon-delimited list of page identifiers, which must not have any extra whitespace.
-- Each page identifier is the ms-settings:xyz URI for the page, minus the ms-settings: prefix, so the identifier for the page with URI "ms-settings:network-wifi" would be just "network-wifi".
+- The value is a unicode string up to 10,000 characters long, which will be used without case sensitivity.
+- There are two variants: one that shows only the given pages and one which hides the given pages.
+- The first variant starts with the string "showonly:" and the second with the string "hide:".
+- Following the variant identifier is a semicolon-delimited list of page identifiers, which must not have any extra whitespace.
+- Each page identifier is the ms-settings:xyz URI for the page, minus the ms-settings: prefix, so the identifier for the page with URI "ms-settings:network-wifi" would be just "network-wifi".
The default value for this setting is an empty string, which is interpreted as show everything.
@@ -841,30 +841,6 @@ To validate on Desktop, do the following:
-
-
-
-
-## Settings policies supported by HoloLens 2
-
-- [Settings/AllowDateTime](#settings-allowdatetime)
-- [Settings/AllowVPN](#settings-allowvpn)
-
-
-
-## Settings policies supported by HoloLens (1st gen) Commercial Suite
-
-- [Settings/AllowDateTime](#settings-allowdatetime)
-- [Settings/AllowVPN](#settings-allowvpn)
-
-
-
-## Settings policies supported by HoloLens (1st gen) Development Edition
-
-- [Settings/AllowDateTime](#settings-allowdatetime)
-- [Settings/AllowVPN](#settings-allowvpn)
-
-
Footnotes:
@@ -875,3 +851,4 @@ Footnotes:
- 4 - Added in Windows 10, version 1803.
- 5 - Added in Windows 10, version 1809.
- 6 - Added in Windows 10, version 1903.
+
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-smartscreen.md b/windows/client-management/mdm/policy-csp-smartscreen.md
index 333716f687..2ecdcf1777 100644
--- a/windows/client-management/mdm/policy-csp-smartscreen.md
+++ b/windows/client-management/mdm/policy-csp-smartscreen.md
@@ -212,12 +212,14 @@ The following list shows the supported values:
-Footnote:
+Footnotes:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
+- 5 - Added in Windows 10, version 1809.
+- 6 - Added in Windows 10, version 1903.
diff --git a/windows/client-management/mdm/policy-csp-speech.md b/windows/client-management/mdm/policy-csp-speech.md
index 0f385479cb..1897316311 100644
--- a/windows/client-management/mdm/policy-csp-speech.md
+++ b/windows/client-management/mdm/policy-csp-speech.md
@@ -84,27 +84,6 @@ The following list shows the supported values:
-
-
-
-
-## Speech policies supported by HoloLens 2
-
-- [Speech/AllowSpeechModelUpdate](#speech-allowspeechmodelupdate)
-
-
-
-## Speech policies supported by HoloLens (1st gen) Commercial Suite
-
-- [Speech/AllowSpeechModelUpdate](#speech-allowspeechmodelupdate)
-
-
-
-## Speech policies supported by HoloLens (1st gen) Development Edition
-
-- [Speech/AllowSpeechModelUpdate](#speech-allowspeechmodelupdate)
-
-
Footnotes:
@@ -115,3 +94,4 @@ Footnotes:
- 4 - Added in Windows 10, version 1803.
- 5 - Added in Windows 10, version 1809.
- 6 - Added in Windows 10, version 1903.
+
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-start.md b/windows/client-management/mdm/policy-csp-start.md
index 05e37d1dc9..bd12c8d9b7 100644
--- a/windows/client-management/mdm/policy-csp-start.md
+++ b/windows/client-management/mdm/policy-csp-start.md
@@ -1856,14 +1856,14 @@ ADMX Info:
-Footnote:
+Footnotes:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
- 5 - Added in Windows 10, version 1809.
-- 6 - Added in the next major release of Windows 10.
+- 6 - Added in Windows 10, version 1903.
diff --git a/windows/client-management/mdm/policy-csp-storage.md b/windows/client-management/mdm/policy-csp-storage.md
index 02d36e60d9..09a9bad5ae 100644
--- a/windows/client-management/mdm/policy-csp-storage.md
+++ b/windows/client-management/mdm/policy-csp-storage.md
@@ -654,18 +654,16 @@ ADMX Info:
-
-
-Footnote:
+Footnotes:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
- 5 - Added in Windows 10, version 1809.
-- 6 - Added in the next major release of Windows 10.
+- 6 - Added in Windows 10, version 1903.
diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md
index af2069854f..eade9cb700 100644
--- a/windows/client-management/mdm/policy-csp-system.md
+++ b/windows/client-management/mdm/policy-csp-system.md
@@ -1068,7 +1068,7 @@ If you disable or don't configure this policy setting, the Delete diagnostic dat
ADMX Info:
-- GP English name: *Disable deleting diagnostic data *
+- GP English name: *Disable deleting diagnostic data*
- GP name: *DisableDeviceDelete*
- GP element: *DisableDeviceDelete*
- GP path: *Data Collection and Preview Builds*
@@ -1131,7 +1131,7 @@ If you disable or don't configure this policy setting, the Diagnostic Data Viewe
ADMX Info:
-- GP English name: *Disable diagnostic data viewer. *
+- GP English name: *Disable diagnostic data viewer.*
- GP name: *DisableDiagnosticDataViewer*
- GP element: *DisableDiagnosticDataViewer*
- GP path: *Data Collection and Preview Builds*
@@ -1578,32 +1578,6 @@ The following list shows the supported values:
-
-
-
-
-## System policies supported by HoloLens 2
-
-- [System/AllowCommercialDataPipeline](#system-allowcommercialdatapipeline)
-- [System/AllowLocation](#system-allowlocation)
-- [System/AllowStorageCard](#system-allowstoragecard)
-- [System/AllowTelemetry](#system-allowtelemetry)
-
-
-
-## System policies supported by HoloLens (1st gen) Commercial Suite
-
-- [System/AllowLocation](#system-allowlocation)
-- [System/AllowTelemetry](#system-allowtelemetry)
-
-
-
-## System policies supported by HoloLens (1st gen) Development Edition
-
-- [System/AllowLocation](#system-allowlocation)
-- [System/AllowTelemetry](#system-allowtelemetry)
-
-
Footnotes:
@@ -1614,3 +1588,5 @@ Footnotes:
- 4 - Added in Windows 10, version 1803.
- 5 - Added in Windows 10, version 1809.
- 6 - Added in Windows 10, version 1903.
+
+
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-systemservices.md b/windows/client-management/mdm/policy-csp-systemservices.md
index 1b98e5a487..94edf1165e 100644
--- a/windows/client-management/mdm/policy-csp-systemservices.md
+++ b/windows/client-management/mdm/policy-csp-systemservices.md
@@ -336,12 +336,14 @@ GP Info:
-Footnote:
+Footnotes:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
+- 5 - Added in Windows 10, version 1809.
+- 6 - Added in Windows 10, version 1903.
diff --git a/windows/client-management/mdm/policy-csp-taskmanager.md b/windows/client-management/mdm/policy-csp-taskmanager.md
index 5e4b03fa34..eab903e15a 100644
--- a/windows/client-management/mdm/policy-csp-taskmanager.md
+++ b/windows/client-management/mdm/policy-csp-taskmanager.md
@@ -70,8 +70,8 @@ manager: dansimp
This setting determines whether non-administrators can use Task Manager to end tasks.
Value type is integer. Supported values:
- - 0 - Disabled. EndTask functionality is blocked in TaskManager.
- - 1 - Enabled (default). Users can perform EndTask in TaskManager.
+- 0 - Disabled. EndTask functionality is blocked in TaskManager.
+- 1 - Enabled (default). Users can perform EndTask in TaskManager.
@@ -89,14 +89,14 @@ When the policy is set to 0 - users CANNOT execute 'End task' on processes in Ta
-Footnote:
+Footnotes:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
- 5 - Added in Windows 10, version 1809.
-- 6 - Added in the next major release of Windows 10.
+- 6 - Added in Windows 10, version 1903.
diff --git a/windows/client-management/mdm/policy-csp-taskscheduler.md b/windows/client-management/mdm/policy-csp-taskscheduler.md
index ca2b448d50..c289a0638d 100644
--- a/windows/client-management/mdm/policy-csp-taskscheduler.md
+++ b/windows/client-management/mdm/policy-csp-taskscheduler.md
@@ -70,12 +70,14 @@ Added in Windows 10, version 1803. This setting determines whether the specific
-Footnote:
+Footnotes:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
+- 5 - Added in Windows 10, version 1809.
+- 6 - Added in Windows 10, version 1903.
diff --git a/windows/client-management/mdm/policy-csp-textinput.md b/windows/client-management/mdm/policy-csp-textinput.md
index ce3e59ecc4..dd9948d56b 100644
--- a/windows/client-management/mdm/policy-csp-textinput.md
+++ b/windows/client-management/mdm/policy-csp-textinput.md
@@ -1330,30 +1330,13 @@ The following list shows the supported values:
-Footnote:
+Footnotes:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
- 5 - Added in Windows 10, version 1809.
-- 6 - Added in the next major release of Windows 10.
-
-
-
-
-## TextInput policies supported by Microsoft Surface Hub
-
-- [TextInput/AllowIMELogging](#textinput-allowimelogging)
-- [TextInput/AllowIMENetworkAccess](#textinput-allowimenetworkaccess)
-- [TextInput/AllowInputPanel](#textinput-allowinputpanel)
-- [TextInput/AllowJapaneseIMESurrogatePairCharacters](#textinput-allowjapaneseimesurrogatepaircharacters)
-- [TextInput/AllowJapaneseIVSCharacters](#textinput-allowjapaneseivscharacters)
-- [TextInput/AllowJapaneseNonPublishingStandardGlyph](#textinput-allowjapanesenonpublishingstandardglyph)
-- [TextInput/AllowJapaneseUserDictionary](#textinput-allowjapaneseuserdictionary)
-- [TextInput/AllowLanguageFeaturesUninstall](#textinput-allowlanguagefeaturesuninstall)
-- [TextInput/ExcludeJapaneseIMEExceptJIS0208](#textinput-excludejapaneseimeexceptjis0208)
-- [TextInput/ExcludeJapaneseIMEExceptJIS0208andEUDC](#textinput-excludejapaneseimeexceptjis0208andeudc)
-- [TextInput/ExcludeJapaneseIMEExceptShiftJIS](#textinput-excludejapaneseimeexceptshiftjis)
-
+- 6 - Added in Windows 10, version 1903.
+
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-timelanguagesettings.md b/windows/client-management/mdm/policy-csp-timelanguagesettings.md
index 5feefe04ae..025ea3bdfd 100644
--- a/windows/client-management/mdm/policy-csp-timelanguagesettings.md
+++ b/windows/client-management/mdm/policy-csp-timelanguagesettings.md
@@ -130,9 +130,6 @@ Specifies the time zone to be applied to the device. This is the standard Window
-
-
-
Footnotes:
@@ -142,4 +139,6 @@ Footnotes:
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
- 5 - Added in Windows 10, version 1809.
-- 6 - Added in Windows 10, version 1903.
\ No newline at end of file
+- 6 - Added in Windows 10, version 1903.
+
+
diff --git a/windows/client-management/mdm/policy-csp-troubleshooting.md b/windows/client-management/mdm/policy-csp-troubleshooting.md
index ec68e060bc..082308817e 100644
--- a/windows/client-management/mdm/policy-csp-troubleshooting.md
+++ b/windows/client-management/mdm/policy-csp-troubleshooting.md
@@ -1,7 +1,7 @@
---
title: Policy CSP - Troubleshooting
description: Policy CSP - Troubleshooting
-ms.author: maricia
+ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md
index 92367a4c2e..86359678c2 100644
--- a/windows/client-management/mdm/policy-csp-update.md
+++ b/windows/client-management/mdm/policy-csp-update.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: manikadhiman
-ms.date: 05/21/2019
+ms.date: 08/16/2019
ms.reviewer:
manager: dansimp
---
@@ -1053,7 +1053,7 @@ Supported values:
-Added in Windows 10, version 1607. Allows the IT admin to set which branch a device receives their updates from.
+Added in Windows 10, version 1607. Allows the IT admin to set which branch a device receives their updates from. As of 1903, the branch readiness levels of Semi-Annual Channel (Targeted) and Semi-Annual Channel have been combined into one Semi-Annual Channel set with a value of 16. For devices on 1903 and later releases, the value of 32 is not a supported value.
@@ -1071,8 +1071,8 @@ The following list shows the supported values:
- 2 {0x2} - Windows Insider build - Fast (added in Windows 10, version 1709)
- 4 {0x4} - Windows Insider build - Slow (added in Windows 10, version 1709)
- 8 {0x8} - Release Windows Insider build (added in Windows 10, version 1709)
-- 16 {0x10} - (default) Semi-annual Channel (Targeted). Device gets all applicable feature updates from Semi-annual Channel (Targeted).
-- 32 {0x20} - Semi-annual Channel. Device gets feature updates from Semi-annual Channel.
+- 16 {0x10} - (default) Semi-annual Channel (Targeted). Device gets all applicable feature updates from Semi-annual Channel (Targeted).
+- 32 {0x20} - Semi-annual Channel. Device gets feature updates from Semi-annual Channel. (*Only applicable to releases prior to 1903, for all releases 1903 and after the Semi-annual Channel and Semi-annual Channel (Targeted) into a single Semi-annual Channel with a value of 16)
@@ -2418,13 +2418,11 @@ The following list shows the supported values:
To validate this policy:
-1. Enable the policy ensure the device is on a cellular network.
+1. Enable the policy and ensure the device is on a cellular network.
2. Run the scheduled task on your device to check for app updates in the background. For example, on a mobile device, run the following commands in TShell:
- - `regd delete HKEY_USERS\S-1-5-21-2702878673-795188819-444038987-2781\software\microsoft\windows\currentversion\windowsupdate /v LastAutoAppUpdateSearchSuccessTime /f`
-
- - `exec-device schtasks.exe -arguments ""/run /tn """"\Microsoft\Windows\WindowsUpdate\Automatic App Update"""" /I""`
-
-3. Verify that any downloads that are above the download size limit will complete without being paused.
+ ```TShell
+ exec-device schtasks.exe -arguments '/run /tn "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /I'
+ ```
@@ -2472,11 +2470,6 @@ Added in Windows 10, version 1703. Specifies whether to ignore the MO download
> [!WARNING]
> Setting this policy might cause devices to incur costs from MO operators.
-
- - `exec-device schtasks.exe -arguments ""/run /tn """"\Microsoft\Windows\WindowsUpdate\AUScheduledInstall"""" /I""`
-
-3. Verify that any downloads that are above the download size limit will complete without being paused.
-
The following list shows the supported values:
@@ -2489,7 +2482,10 @@ The following list shows the supported values:
To validate this policy:
1. Enable the policy and ensure the device is on a cellular network.
-2. Run the scheduled task on phone to check for OS updates in the background. For example, on a mobile device, run the following commands in TShell:
+2. Run the scheduled task on your device to check for app updates in the background. For example, on a mobile device, run the following commands in TShell:
+ ```TShell
+ exec-device schtasks.exe -arguments '/run /tn "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /I'
+ ```
@@ -3874,20 +3870,20 @@ The following list shows the supported values:
Example
-``` syntax
-
Footnotes:
@@ -4028,3 +3961,4 @@ Footnotes:
- 4 - Added in Windows 10, version 1803.
- 5 - Added in Windows 10, version 1809.
- 6 - Added in Windows 10, version 1903.
+
diff --git a/windows/client-management/mdm/policy-csp-userrights.md b/windows/client-management/mdm/policy-csp-userrights.md
index bf7b2a8067..0676a9df9c 100644
--- a/windows/client-management/mdm/policy-csp-userrights.md
+++ b/windows/client-management/mdm/policy-csp-userrights.md
@@ -1600,12 +1600,14 @@ GP Info:
-Footnote:
+Footnotes:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
+- 5 - Added in Windows 10, version 1809.
+- 6 - Added in Windows 10, version 1903.
diff --git a/windows/client-management/mdm/policy-csp-wifi.md b/windows/client-management/mdm/policy-csp-wifi.md
index 9bc832c1ff..9e5e7bac19 100644
--- a/windows/client-management/mdm/policy-csp-wifi.md
+++ b/windows/client-management/mdm/policy-csp-wifi.md
@@ -381,49 +381,6 @@ Supported operations are Add, Delete, Get, and Replace.
-
-
-
-
-## Wifi policies that can be set using Exchange Active Sync (EAS)
-
-- [Wifi/AllowInternetSharing](#wifi-allowinternetsharing)
-- [Wifi/AllowWiFi](#wifi-allowwifi)
-
-
-
-## Wifi policies supported by HoloLens 2
-
-- [Wifi/AllowManualWiFiConfiguration](#wifi-allowmanualwificonfiguration)
-
-
-
-## Wifi policies supported by HoloLens (1st gen) Commercial Suite
-
-- [Wifi/AllowManualWiFiConfiguration](#wifi-allowmanualwificonfiguration)
-
-
-
-## Wifi policies supported by HoloLens (1st gen) Development Edition
-
-- [Wifi/AllowManualWiFiConfiguration](#wifi-allowmanualwificonfiguration)
-
-
-
-## Wifi policies supported by IoT Core
-
-- [Wifi/AllowAutoConnectToWiFiSenseHotspots](#wifi-allowautoconnecttowifisensehotspots)
-- [Wifi/AllowInternetSharing](#wifi-allowinternetsharing)
-- [Wifi/AllowWiFi](#wifi-allowwifi)
-- [Wifi/WLANScanMode](#wifi-wlanscanmode)
-
-
-
-## Wifi policies supported by Microsoft Surface Hub
-
-- [WiFi/AllowWiFiHotSpotReporting](#wifi-allowwifihotspotreporting)
-
-
Footnotes:
@@ -434,3 +391,4 @@ Footnotes:
- 4 - Added in Windows 10, version 1803.
- 5 - Added in Windows 10, version 1809.
- 6 - Added in Windows 10, version 1903.
+
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-windowsconnectionmanager.md b/windows/client-management/mdm/policy-csp-windowsconnectionmanager.md
index 6824a34e5c..0888c1a02a 100644
--- a/windows/client-management/mdm/policy-csp-windowsconnectionmanager.md
+++ b/windows/client-management/mdm/policy-csp-windowsconnectionmanager.md
@@ -97,12 +97,13 @@ ADMX Info:
-Footnote:
+Footnotes:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
+- 5 - Added in Windows 10, version 1809.
+- 6 - Added in Windows 10, version 1903.
-
-
+
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md b/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md
index cc8580325d..f851afd08e 100644
--- a/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md
+++ b/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md
@@ -1426,14 +1426,14 @@ ADMX Info:
-Footnote:
+Footnotes:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
- 5 - Added in Windows 10, version 1809.
-- 6 - Added in the next major release of Windows 10.
+- 6 - Added in Windows 10, version 1903.
diff --git a/windows/client-management/mdm/policy-csp-windowsinkworkspace.md b/windows/client-management/mdm/policy-csp-windowsinkworkspace.md
index ca2a0c7b72..d20bb37601 100644
--- a/windows/client-management/mdm/policy-csp-windowsinkworkspace.md
+++ b/windows/client-management/mdm/policy-csp-windowsinkworkspace.md
@@ -149,12 +149,14 @@ Value type is int. The following list shows the supported values:
-Footnote:
+Footnotes:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
+- 5 - Added in Windows 10, version 1809.
+- 6 - Added in Windows 10, version 1903.
diff --git a/windows/client-management/mdm/policy-csp-windowslogon.md b/windows/client-management/mdm/policy-csp-windowslogon.md
index dd40314d62..a8e9418f2e 100644
--- a/windows/client-management/mdm/policy-csp-windowslogon.md
+++ b/windows/client-management/mdm/policy-csp-windowslogon.md
@@ -544,9 +544,6 @@ To validate on Desktop, do the following:
-
-
-
Footnotes:
@@ -557,3 +554,6 @@ Footnotes:
- 4 - Added in Windows 10, version 1803.
- 5 - Added in Windows 10, version 1809.
- 6 - Added in Windows 10, version 1903.
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-windowspowershell.md b/windows/client-management/mdm/policy-csp-windowspowershell.md
index 9e2d0223b5..69eb80be17 100644
--- a/windows/client-management/mdm/policy-csp-windowspowershell.md
+++ b/windows/client-management/mdm/policy-csp-windowspowershell.md
@@ -94,12 +94,14 @@ ADMX Info:
-Footnote:
+Footnotes:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
+- 5 - Added in Windows 10, version 1809.
+- 6 - Added in Windows 10, version 1903.
diff --git a/windows/client-management/mdm/policy-csp-wirelessdisplay.md b/windows/client-management/mdm/policy-csp-wirelessdisplay.md
index 1ba5d5ec2d..e8bdaab780 100644
--- a/windows/client-management/mdm/policy-csp-wirelessdisplay.md
+++ b/windows/client-management/mdm/policy-csp-wirelessdisplay.md
@@ -473,12 +473,14 @@ The following list shows the supported values:
-Footnote:
+Footnotes:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
+- 5 - Added in Windows 10, version 1809.
+- 6 - Added in Windows 10, version 1903.
diff --git a/windows/client-management/mdm/remotelock-csp.md b/windows/client-management/mdm/remotelock-csp.md
index ea985de378..3ea4ca8ee0 100644
--- a/windows/client-management/mdm/remotelock-csp.md
+++ b/windows/client-management/mdm/remotelock-csp.md
@@ -117,7 +117,7 @@ A Get operation on this node must follow an Exec operation on the /RemoteLock/Lo
Initiate a remote lock of the device.
-``` syntax
+```xml
64-bit system: size of the RAM plus 128 MB|
+
+To specify that you want to use a kernel memory dump file, run the following command or modify the registry value:
+
+- ```cmd
+ wmic recoveros set DebugInfoType = 2
+ ```
+
+- Set the **CrashDumpEnabled** DWORD value to **2**.
+
+To specify that you want to use a file as your memory dump file, run the following command or modify the registry value:
+
+- ```cmd
+ wmic recoveros set DebugFilePath =
For example, if you want people to be limited to `contoso.com` only, you would add `contoso.com` to blocked URL exception list and then block all other URLs.
+Blocked URL Exceptions | Specify URLs that people can navigate to, even though the URL is in your blocked URL list. You can use wildcards.
For example, if you want people to be limited to `http://contoso.com` only, you would add `.contoso.com` to blocked URL exception list and then block all other URLs.
Blocked URLs | Specify URLs that people can't navigate to. You can use wildcards.
If you want to limit people to a specific site, add `https://*` to the blocked URL list, and then specify the site to be allowed in the blocked URL exceptions list.
Default URL | Specify the URL that Kiosk Browser will open with. **Tip!** Make sure your blocked URLs don't include your default URL.
Enable End Session Button | Show a button in Kiosk Browser that people can use to reset the browser. End Session will clear all browsing data and navigate back to the default URL.
diff --git a/windows/configuration/index.md b/windows/configuration/index.md
index 6517e9e14f..ca42852107 100644
--- a/windows/configuration/index.md
+++ b/windows/configuration/index.md
@@ -7,10 +7,10 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: high
-author: jdeckerms
-ms.author: jdecker
+manager: dansimp
+author: dansimp
+ms.author: dansimp
ms.topic: article
-ms.date: 05/11/2018
---
# Configure Windows 10
diff --git a/windows/configuration/kiosk-mdm-bridge.md b/windows/configuration/kiosk-mdm-bridge.md
index b08ebebd2c..51eeccc08b 100644
--- a/windows/configuration/kiosk-mdm-bridge.md
+++ b/windows/configuration/kiosk-mdm-bridge.md
@@ -35,7 +35,8 @@ Here’s an example to set AssignedAccess configuration:
$nameSpaceName="root\cimv2\mdm\dmmap"
$className="MDM_AssignedAccess"
$obj = Get-CimInstance -Namespace $namespaceName -ClassName $className
-$obj.Configuration = @"
+Add-Type -AssemblyName System.Web
+$obj.Configuration = [System.Web.HttpUtility]::HtmlEncode(@"
Cmdlet Use this cmdlet to Syntax Add-ProvisioningPackage Apply a provisioning package Add-ProvisioningPackage [-Path] <string> [-ForceInstall] [-LogsFolder <string>] [-WprpFile <string>] [<CommonParameters>]Add-ProvisioningPackage Apply a provisioning package Add-ProvisioningPackage [-Path] <string> [-ForceInstall] [-LogsFolder <string>] [-QuietInstall] [-WprpFile <string>] [<CommonParameters>]Remove-ProvisioningPackage Remove a provisioning package Remove-ProvisioningPackage -PackageId <string> [-LogsFolder <string>] [-WprpFile <string>] [<CommonParameters>] Remove-ProvisioningPackage -Path <string> [-LogsFolder <string>] [-WprpFile <string>] [<CommonParameters>] Remove-ProvisioningPackage -AllInstalledPackages [-LogsFolder <string>] [-WprpFile <string>] [<CommonParameters>] Get-ProvisioningPackage Get information about an installed provisioning package Get-ProvisioningPackage -PackageId <string> [-LogsFolder <string>] [-WprpFile <string>] [<CommonParameters>] Get-ProvisioningPackage -Path <string> [-LogsFolder <string>] [-WprpFile <string>] [<CommonParameters>] Get-ProvisioningPackage -AllInstalledPackages [-LogsFolder <string>] [-WprpFile <string>] [<CommonParameters>] Export-ProvisioningPackage Extract the contents of a provisioning package Export-ProvisioningPackage -PackageId <string> -OutputFolder <string> [-Overwrite] [-AnswerFileOnly] [-LogsFolder <string>] [-WprpFile <string>] [<CommonParameters>] Export-ProvisioningPackage -Path <string> -OutputFolder <string> [-Overwrite] [-AnswerFileOnly] [-LogsFolder <string>] [-WprpFile <string>] [<CommonParameters>]
-
-### Configuration example \#2: Excluding drivers from Windows Quality Updates using Windows Update for Business
-
-**Configuration:**
-
-- Device is configured to defer Windows Quality Updates and to exclude drivers from Windows Update Quality Updates (**ExcludeWUDriversInQualityUpdate** = enabled)
-- Device is also configured to be managed by WSUS
-- Admin has opted to put Windows Update drivers on WSUS
-
-
-Content Metadata source Payload source Deferred?
- Updates to Windows Windows Update Windows Update Yes 
Updates to Office and other products WSUS WSUS No Third-party drivers WSUS WSUS No
-
-### Configuration example \#3: Device configured to receive Microsoft updates
-
-**Configuration:**
-
-- Device is configured to defer Quality Updates using Windows Update for Business and to be managed by WSUS
-- Device is configured to “receive updates for other Microsoft products” along with updates to Windows (**Update/AllowMUUpdateService** = enabled)
-- Admin has also placed Microsoft Update, third-paprty, and locally-published update content on the WSUS server
-
-In this example, the deferral behavior for updates to Office and other non-Windows products is slightly different than if WSUS were not enabled.
-- In a non-WSUS case, these updates would be deferred just as any update to Windows would be.
-- However, with WSUS also configured, these updates are sourced from Microsoft but deferral policies are not applied.
-
-
-Content Metadata source Payload source Deferred?
- Updates to Windows (excluding drivers) Windows Update Windows Update Yes 
Updates to Office and other products WSUS WSUS No Drivers WSUS WSUS No
-
->[!NOTE]
-> Because the admin enabled **Update/AllowMUUpdateService**, placing the content on WSUS was not needed for the particular device, as the device will always receive Microsoft Update content from Microsoft when configured in this manner.
-
-## Integrate Windows Update for Business with System Center Configuration Manager
-
-For Windows 10, version 1607, organizations already managing their systems with a Configuration Manager solution can also have their devices configured for Windows Update for Business (i.e. setting deferral policies on those devices). Such devices will be visible in the Configuration Manager console, however they will appear with a detection state of **Unknown**.
-
-
-
-For more information, see [Integration with Windows Update for Business in Windows 10](https://docs.microsoft.com/sccm/sum/deploy-use/integrate-windows-update-for-business-windows-10).
-
-## Related topics
-
-- [Update Windows 10 in the enterprise](index.md)
-- [Overview of Windows as a service](waas-overview.md)
-- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
-- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
-- [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md)
-- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
-- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
-- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
-- [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
-- [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)
-- [Configure Windows Update for Business](waas-configure-wufb.md)
-- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
-- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
-- [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
-- [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
-- [Manage device restarts after updates](waas-restart.md)
-
+---
+title: Integrate Windows Update for Business with management solutions (Windows 10)
+description: Use Windows Update for Business deployments with management tools such as Windows Server Update Services (WSUS) and System Center Configuration Manager.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: greg-lindsay
+ms.localizationpriority: medium
+ms.author: greglin
+ms.date: 07/27/2017
+ms.reviewer:
+manager: laurawi
+ms.topic: article
+---
+
+# Integrate Windows Update for Business with management solutions
+
+
+**Applies to**
+
+- Windows 10
+
+> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
+
+You can integrate Windows Update for Business deployments with existing management tools such as Windows Server Update Services (WSUS) and System Center Configuration Manager.
+
+## Integrate Windows Update for Business with Windows Server Update Services
+
+
+For Windows 10, version 1607, devices can now be configured to receive updates from both Windows Update (or Microsoft Update) and Windows Server Update Services (WSUS). In a joint WSUS and Windows Update for Business setup:
+
+- Devices will receive their Windows content from Microsoft and defer these updates according to Windows Update for Business policy
+- All other content synced from WSUS will be directly applied to the device; that is, updates to products other than Windows will not follow your Windows Update for Business deferral policies
+
+### Configuration example \#1: Deferring Windows Update updates with other update content hosted on WSUS
+
+**Configuration:**
+
+- Device is configured to defer Windows Quality Updates using Windows Update for Business
+- Device is also configured to be managed by WSUS
+- Device is not configured to enable Microsoft Update (**Update/AllowMUUpdateService** = not enabled)
+- Admin has opted to put updates to Office and other products on WSUS
+- Admin has also put 3rd party drivers on WSUS
+
+Content Metadata source Payload source Deferred?
- Updates to Windows (excluding drivers) Microsoft Update Microsoft Update Yes 
Updates to Office and other products Microsoft Update Microsoft Update No Drivers, third-party applications WSUS WSUS No
+
+### Configuration example \#2: Excluding drivers from Windows Quality Updates using Windows Update for Business
+
+**Configuration:**
+
+- Device is configured to defer Windows Quality Updates and to exclude drivers from Windows Update Quality Updates (**ExcludeWUDriversInQualityUpdate** = enabled)
+- Device is also configured to be managed by WSUS
+- Admin has opted to put Windows Update drivers on WSUS
+
+
+Content Metadata source Payload source Deferred?
+ Updates to Windows Windows Update Windows Update Yes Updates to Office and other products WSUS WSUS No Third-party drivers WSUS WSUS No
+
+### Configuration example \#3: Device configured to receive Microsoft updates
+
+**Configuration:**
+
+- Device is configured to defer Quality Updates using Windows Update for Business and to be managed by WSUS
+- Device is configured to “receive updates for other Microsoft products” along with updates to Windows (**Update/AllowMUUpdateService** = enabled)
+- Admin has also placed Microsoft Update, third-paprty, and locally-published update content on the WSUS server
+
+In this example, the deferral behavior for updates to Office and other non-Windows products is slightly different than if WSUS were not enabled.
+- In a non-WSUS case, these updates would be deferred just as any update to Windows would be.
+- However, with WSUS also configured, these updates are sourced from Microsoft but deferral policies are not applied.
+
+
+Content Metadata source Payload source Deferred?
+ Updates to Windows (excluding drivers) Windows Update Windows Update Yes Updates to Office and other products WSUS WSUS No Drivers WSUS WSUS No
+
+>[!NOTE]
+> Because the admin enabled **Update/AllowMUUpdateService**, placing the content on WSUS was not needed for the particular device, as the device will always receive Microsoft Update content from Microsoft when configured in this manner.
+
+## Integrate Windows Update for Business with System Center Configuration Manager
+
+For Windows 10, version 1607, organizations already managing their systems with a Configuration Manager solution can also have their devices configured for Windows Update for Business (i.e. setting deferral policies on those devices). Such devices will be visible in the Configuration Manager console, however they will appear with a detection state of **Unknown**.
+
+
+
+For more information, see [Integration with Windows Update for Business in Windows 10](https://docs.microsoft.com/sccm/sum/deploy-use/integrate-windows-update-for-business-windows-10).
+
+## Related topics
+
+- [Update Windows 10 in the enterprise](index.md)
+- [Overview of Windows as a service](waas-overview.md)
+- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
+- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
+- [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md)
+- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
+- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
+- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
+- [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
+- [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)
+- [Configure Windows Update for Business](waas-configure-wufb.md)
+- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
+- [Walkthrough: use Intune to configure Windows Update for Business](https://docs.microsoft.com/intune/windows-update-for-business-configure)
+- [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
+- [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
+- [Manage device restarts after updates](waas-restart.md)
+
diff --git a/windows/deployment/update/waas-manage-updates-configuration-manager.md b/windows/deployment/update/waas-manage-updates-configuration-manager.md
index 13b782b7e4..5ab254f79d 100644
--- a/windows/deployment/update/waas-manage-updates-configuration-manager.md
+++ b/windows/deployment/update/waas-manage-updates-configuration-manager.md
@@ -1,334 +1,332 @@
----
-title: Deploy Windows 10 updates using System Center Configuration Manager (Windows 10)
-description: System Center Configuration Manager provides maximum control over quality and feature updates for Windows 10.
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.localizationpriority: medium
-ms.author: greglin
-ms.date: 10/16/2017
-ms.reviewer:
-manager: laurawi
-ms.topic: article
----
-
-# Deploy Windows 10 updates using System Center Configuration Manager
-
-
-**Applies to**
-
-- Windows 10
-- Windows 10 Mobile
-
-> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
-
->[!IMPORTANT]
->Due to [naming changes](waas-overview.md#naming-changes), older terms like CB,CBB and LTSB may still be displayed in some of our products.
->
->In the following settings CB refers to Semi-Annual Channel (Targeted), while CBB refers to Semi-Annual Channel.
-
-System Center Configuration Manager provides maximum control over quality and feature updates for Windows 10. Unlike other servicing tools, Configuration Manager has capabilities that extend beyond servicing, such as application deployment, antivirus management, software metering, and reporting, and provides a secondary deployment method for LTSB clients. Configuration Manager can effectively control bandwidth usage and content distribution through a combination of BranchCache and distribution points. Microsoft encourages organizations currently using Configuration Manager for Windows update management to continue doing so for Windows 10 client computers.
-
-You can use Configuration Manager to service Windows 10 devices in two ways. The first option is to use Windows 10 Servicing Plans to deploy Windows 10 feature updates automatically based on specific criteria, similar to an Automatic Deployment Rule for software updates. The second option is to use a task sequence to deploy feature updates, along with anything else in the installation.
-
->[!NOTE]
->This topic focuses on updating and upgrading Windows 10 after it has already been deployed. To use Configuration Manager to upgrade your systems from the Windows 8.1, Windows 8, or Windows 7 operating system, see [Upgrade to Windows 10 with System Center Configuration Manager](https://technet.microsoft.com/itpro/windows/deploy/upgrade-to-windows-10-with-system-center-configuraton-manager).
-
-## Windows 10 servicing dashboard
-
-The Windows 10 servicing dashboard gives you a quick-reference view of your active servicing plans, compliance for servicing plan deployment, and other key information about Windows 10 servicing. For details about what each tile on the servicing dashboard represents, see [Manage Windows as a service using System Center Configuration Manager](https://technet.microsoft.com/library/mt627931.aspx).
-
-For the Windows 10 servicing dashboard to display information, you must adhere to the following requirements:
-
-- **Heartbeat discovery**. Enable heartbeat discovery for the site receiving Windows 10 servicing information. Configuration for heartbeat discovery can be found in Administration\Overview\Hierarchy Configuration\Discovery Methods.
-- **Windows Server Update Service (WSUS)**. System Center Configuration Manager must have the Software update point site system role added and configured to receive updates from a WSUS 4.0 server with the hotfix KB3095113 installed.
-- **Service connection point**. Add the Service connection point site system role in Online, persistent connection mode.
-- **Upgrade classification**. Select **Upgrade** from the list of synchronized software update classifications.
-
- **To configure Upgrade classification**
-
- 1. Go to Administration\Overview\Site Configuration\Sites, and then select your site from the list.
-
- 2. On the Ribbon, in the **Settings** section, click **Configure Site Components**, and then click **Software Update Point**.
-
- 
-
- 3. In the **Software Update Point Component Properties** dialog box, on the **Classifications** tab, click **Upgrades**.
-
-When you have met all these requirements and deployed a servicing plan to a collection, you’ll receive information on the Windows 10 servicing dashboard.
-
-## Create collections for deployment rings
-
-Regardless of the method by which you deploy Windows 10 feature updates to your environment, you must start the Windows 10 servicing process by creating collections of computers that represent your deployment rings. In this example, you create two collections: **Windows 10 – All Current Branch for Business** and **Ring 4 Broad business users**. You’ll use the **Windows 10 – All Current Branch for Business** collection for reporting and deployments that should go to all CBB clients. You’ll use the **Ring 4 Broad business users** collection as a deployment ring for the first CBB users.
-
->[!NOTE]
->The following procedures use the groups from Table 1 in [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) as examples.
-
-**To create collections for deployment rings**
-
-1. In the Configuration Manager console, go to Assets and Compliance\Overview\Device Collections.
-
-2. On the Ribbon, in the **Create** group, click **Create Device Collection**.
-
-3. In the Create Device Collection Wizard, in the **name** box, type **Windows 10 – All Current Branch for Business**.
-
-4. Click **Browse** to select the limiting collection, and then click **All Systems**.
-
-5. In **Membership rules**, click **Add Rule**, and then click **Query Rule**.
-
-6. Name the rule **CBB Detection**, and then click **Edit Query Statement**.
-
-7. On the **Criteria** tab, click the **New** icon.
-
- 
-
-8. In the **Criterion Properties** dialog box, leave the type as **Simple Value**, and then click **Select**.
-
-9. In the **Select Attribute** dialog box, from the **Attribute class** list, select **System Resource**. From the **Attribute** list, select **OSBranch**, and then click **OK**.
-
- 
-
- >[!NOTE]
- >Configuration Manager discovers clients’ servicing branch and stores that value in the **OSBranch** attribute, which you will use to create collections based on servicing branch. The values in this attribute can be **0 (Current Branch)**, **1 (Current Branch for Business)**, or **2 (Long-Term Servicing Branch)**.
-
-10. Leave **Operator** set to **is equal to**; in the **Value** box, type **1**. Click **OK**.
-
- 
-
-11. Now that the **OSBranch** attribute is correct, verify the operating system version.
-
-12. On the **Criteria** tab, click the **New** icon again to add criteria.
-
-13. In the **Criterion Properties** dialog box, click **Select**.
-
-14. From the **Attribute class** list, select **System Resource**. From the **Attribute** list, select **Operating System Name and Version**, and then click **OK**.
-
- 
-
-15. In the **Value** box, type **Microsoft Windows NT Workstation 10.0**, and then click **OK**.
-
- 
-
-16. In the **Query Statement Properties** dialog box, you see two values. Click **OK**, and then click **OK** again to continue to the Create Device Collection Wizard.
-
-17. Click **Summary**, and then click **Next**.
-
-18. Close the wizard.
-
->[!IMPORTANT]
->Windows Insider PCs are discovered the same way as CB or CBB devices. If you have Windows Insider PCs that you use Configuration Manager to manage, then you should create a collection of those PCs and exclude them from this collection. You can create the membership for the Windows Insider collection either manually or by using a query where the operating system build doesn’t equal any of the current CB or CBB build numbers. You would have to update each periodically to include new devices or new operating system builds.
-
-After you have updated the membership, this new collection will contain all managed clients on the CBB servicing branch. You will use this collection as a limiting collection for future CBB-based collections and the **Ring 4 Broad broad business users** collection. Complete the following steps to create the **Ring 4 Broad business users** device collection, which you’ll use as a CBB deployment ring for servicing plans or task sequences.
-
-1. In the Configuration Manager console, go to Assets and Compliance\Overview\Device Collections.
-
-2. On the Ribbon, in the **Create** group, click **Create Device Collection**.
-
-3. In the Create Device Collection Wizard, in the **name** box, type **Ring 4 Broad business users**.
-
-4. Click **Browse** to select the limiting collection, and then click **Windows 10 – All Current Branch for Business**.
-
-5. In **Membership rules**, click **Add Rule**, and then click **Direct Rule**.
-
-6. In the **Create Direct Membership Rule Wizard** dialog box, click **Next**.
-
-7. In the **Value** field, type all or part of the name of a device to add, and then click **Next**.
-
-8. Select the computer that will be part of the **Ring 4 Broad business users** deployment ring, and then click **Next**.
-
-9. Click **Next**, and then click **Close**.
-
-10. In the **Create Device Collection Wizard** dialog box, click **Summary**.
-
-11. Click **Next**, and then click **Close**.
-
-
-## Use Windows 10 servicing plans to deploy Windows 10 feature updates
-
-There are two ways to deploy Windows 10 feature updates with System Center Configuration Manager. The first is to use servicing plans, which provide an automated method to update devices consistently in their respective deployment rings, similar to Automatic Deployment Rules for software updates.
-
-**To configure Windows feature updates for CBB clients in the Ring 4 Broad business users deployment ring using a servicing plan**
-
-1. In the Configuration Manager console, go to Software Library\Overview\Windows 10 Servicing, and then click **Servicing Plans**.
-
-2. On the Ribbon, in the **Create** group, click **Create Servicing Plan**.
-
-3. Name the plan **Ring 4 Broad business users Servicing Plan**, and then click **Next**.
-
-4. On the **Servicing Plan page**, click **Browse**. Select the **Ring 4 Broad business users** collection, which you created in the [Create collections for deployment rings](#create-collections-for-deployment-rings) section, click **OK**, and then click **Next**.
-
- >[!IMPORTANT]
- >Microsoft added a new protection feature to Configuration Manager that prevents accidental installation of high-risk deployments such as operating system upgrades on site systems. If you select a collection (All Systems in this example) that has a site system in it, you may receive the following message.
- >
- >
- >
- >For details about how to manage the settings for high-risk deployments in Configuration Manager, see [Settings to manage high-risk deployments for System Center Configuration Manager](https://technet.microsoft.com/library/mt621992.aspx).
-
-5. On the **Deployment Ring** page, select the **Business Ready (Current Branch for Business)** readiness state, leave the delay at **0 days**, and then click **Next**.
-
- Doing so deploys CBB feature updates to the broad business users deployment ring immediately after they are released to CBB.
-
- On the Upgrades page, you specify filters for the feature updates to which this servicing plan is applicable. For example, if you wanted this plan to be only for Windows 10 Enterprise, you could select **Title**, and then type **Enterprise**.
-
-6. For this example, on the **Upgrades** page, click **Next** to leave the criterion blank.
-
-7. On the **Deployment Schedule** page, click **Next** to keep the default values of making the content available immediately and requiring installation by the 7-day deadline.
-
-8. On the **User Experience** page, from the **Deadline behavior** list, select **Software Installation and System restart (if necessary)**. From the **Device restart behavior** list, select **Workstations**, and then click **Next**.
-
- Doing so allows installation and restarts after the 7-day deadline on workstations only.
-
-9. On the **Deployment Package** page, select **Create a new deployment package**. In **Name**, type **CBB Upgrades**, select a share for your package source location, and then click **Next**.
-
- In this example, \\contoso-cm01\Sources\Windows 10 Feature Upgrades is a share on the Configuration Manager server that contains all the Windows 10 feature updates.
-
- 
-
-10. On the **Distribution Points** page, from the **Add** list, select **Distribution Point**.
-
- 
-
- Select the distribution points that serve the clients to which you’re deploying this servicing plan, and then click **OK**.
-
-11. Click **Summary**, click **Next** to complete the servicing plan, and then click **Close**.
-
-
-You have now created a servicing plan for the **Ring 4 Broad business users** deployment ring. By default, this rule is evaluated each time the software update point is synchronized, but you can modify this schedule by viewing the service plan’s properties on the **Evaluation Schedule** tab.
-
-
-
-
-## Use a task sequence to deploy Windows 10 updates
-
-There are times when deploying a Windows 10 feature update requires the use of a task sequence—for example:
-
-- **LTSB feature updates**. With the LTSB servicing branch, feature updates are never provided to the Windows clients themselves. Instead, feature updates must be installed like a traditional in-place upgrade.
-- **Additional required tasks**. When deploying a feature update requires additional steps (e.g., suspending disk encryption, updating applications), you must use task sequences to orchestrate the additional steps. Servicing plans do not have the ability to add steps to their deployments.
-
-Each time Microsoft releases a new Windows 10 build, it releases a new .iso file containing the latest build, as well. Regardless of the scenario that requires a task sequence to deploy the Windows 10 upgrade, the base process is the same. Start by creating an Operating System Upgrade Package in the Configuration Manager console:
-
-1. In the Configuration Manager console, go to Software Library\Overview\Operating Systems\Operating System Upgrade Packages.
-
-2. On the Ribbon, in the **Create** group, click **Add Operating System Upgrade Package**.
-
-3. On the **Data Source** page, type the path of the extracted .iso file of the new version of Windows 10 you’re deploying, and then click **Next**.
-
- In this example, the Windows 10 Enterprise 1607 installation media is deployed to \\contoso-cm01\Sources\Operating Systems\Windows 10 Enterprise\Windows 10 Enterprise - Version 1607.
-
- >[!NOTE]
- >System Center Configuration Manager version 1606 is required to manage machines running Windows 10, version 1607.
-
-4. On the **General** page, in the **Name** field, type the name of the folder (**Windows 10 Enterprise - Version 1607** in this example). Set the **Version** to **1607**, and then click **Next**.
-
-5. On the **Summary** page, click **Next** to create the package.
-
-6. On the **Completion** page, click **Close**.
-
-Now that the operating system upgrade package has been created, the content in that package must be distributed to the correct distribution points so that the clients can access the content. Complete the following steps to distribute the package content to distribution points:
-
-1. In the Configuration Manager console, go to Software Library\Overview\Operating Systems\Operating System Upgrade Packages, and then select the **Windows 10 Enterprise – Version 1607** software upgrade package.
-
-2. On the Ribbon, in the **Deployment group**, click **Distribute Content**.
-
-3. In the Distribute Content Wizard, on the **General** page, click **Next**.
-
-4. On the **Content Destination** page, click **Add**, and then click **Distribution Point**.
-
-5. In the **Add Distribution Points** dialog box, select the distribution point that will serve the clients receiving this package, and then click **OK**.
-
-6. On the **Content Destination** page, click **Next**.
-
-7. On the **Summary** page, click **Next** to distribute the content to the selected distribution point.
-
-8. On the **Completion** page, click **Close**.
-
-Now that the upgrade package has been created and its contents distributed, create the task sequence that will use it. Complete the following steps to create the task sequence, using the previously created deployment package:
-
-1. In the Configuration Manager console, go to Software Library\Overview\Operating Systems\Task Sequences.
-
-2. On the Ribbon, in the **Create** group, click **Create Task Sequence**.
-
-3. In the Create Task Sequence Wizard, on the **Create a new task sequence** page, select **Upgrade an operating system from upgrade package**, and then click **Next**.
-
-4. On the **Task Sequence Information** page, in **Task sequence name**, type **Upgrade Windows 10 Enterprise – Version 1607**, and then click **Next**.
-
-5. On the **Upgrade the Windows Operating system** page, click **Browse**, select the deployment package you created in the previous steps, and then click **OK**.
-
-6. Click **Next**.
-
-7. On the **Include Updates** page, select **Available for installation – All software updates**, and then click **Next**.
-
-8. On the **Install Applications** page, click **Next**.
-
-9. On the **Summary** page, click **Next** to create the task sequence.
-
-10. On the **Completion** page, click **Close**.
-
-With the task sequence created, you’re ready to deploy it. If you’re using this method to deploy most of your Windows 10 feature updates, you may want to create deployment rings to stage the deployment of this task sequence, with delays appropriate for the respective deployment ring. In this example, you deploy the task sequence to the **Ring 4 Broad business users collection**.
-
->[!IMPORTANT]
->This process deploys a Windows 10 operating system feature update to the affected devices. If you’re testing, be sure to select the collection to which you deploy this task sequence carefully.
-
-**To deploy your task sequence**
-
-1. In the Configuration Manager console, go to Software Library\Overview\Operating Systems\Task Sequences, and then select the **Upgrade Windows 10 Enterprise – Version 1607** task sequence.
-
-2. On the Ribbon, in the **Deployment** group, click **Deploy**.
-
-3. In the Deploy Software Wizard, on the **General** page, click **Browse**. Select the target collection, click **OK**, and then click **Next**.
-
-4. On the **Deployment Settings** page, for **purpose**, select **Required**, and then click **Next**.
-
-5. On the **Scheduling** page, select the **Schedule when this deployment will become available** check box (it sets the current time by default). For **Assignment schedule**, click **New**.
-
-6. In the **Assignment Schedule** dialog box, click **Schedule**.
-
-7. In the **Custom Schedule** dialog box, select the desired deadline, and then click **OK**.
-
-8. In the **Assignment Schedule** dialog box, click **OK**, and then click **Next**.
-
-9. On the **User Experience** page, in the **When the scheduled assignment time is reached, allow the following activities to be performed outside of the maintenance window** section, select **Software Installation** and **System restart** (if required to complete the installation), and then click **Next**.
-
-10. Use the defaults for the remaining settings.
-
-11. Click **Summary**, and then click **Next** to deploy the task sequence.
-
-12. Click **Close**.
-
-
-## Steps to manage updates for Windows 10
-
-| | |
-| --- | --- |
-|  | [Learn about updates and servicing channels](waas-overview.md) |
-|  | [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) |
-|  | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) |
-|  | [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) |
-|  | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) |
-|  | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)or Deploy Windows 10 updates using System Center Configuration Manager (this topic) |
-
-## See also
-
-[Manage Windows as a service using System Center Configuration Manager](https://docs.microsoft.com/sccm/osd/deploy-use/manage-windows-as-a-service)
-
-
-## Related topics
-
-- [Update Windows 10 in the enterprise](index.md)
-- [Overview of Windows as a service](waas-overview.md)
-- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
-- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
-- [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md)
-- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
-- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
-- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
-- [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
-- [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)
-- [Configure Windows Update for Business](waas-configure-wufb.md)
-- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
-- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
-- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
-- [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
-- [Manage device restarts after updates](waas-restart.md)
-
+---
+title: Deploy Windows 10 updates using System Center Configuration Manager (Windows 10)
+description: System Center Configuration Manager provides maximum control over quality and feature updates for Windows 10.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: jaimeo
+ms.localizationpriority: medium
+ms.author: jaimeo
+ms.reviewer:
+manager: laurawi
+ms.topic: article
+---
+
+# Deploy Windows 10 updates using System Center Configuration Manager
+
+
+**Applies to**
+
+- Windows 10
+
+
+> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
+
+>[!IMPORTANT]
+>Due to [naming changes](waas-overview.md#naming-changes), older terms like CB and CBB might still be displayed in some of our products, such as in Group Policy. If you encounter these terms, "CB" refers to the Semi-Annual Channel (Targeted)--which is no longer used--while "CBB" refers to the Semi-Annual Channel.
+
+
+System Center Configuration Manager provides maximum control over quality and feature updates for Windows 10. Unlike other servicing tools, Configuration Manager has capabilities that extend beyond servicing, such as application deployment, antivirus management, software metering, and reporting, and provides a secondary deployment method for LTSB clients. Configuration Manager can effectively control bandwidth usage and content distribution through a combination of BranchCache and distribution points. Microsoft encourages organizations currently using Configuration Manager for Windows update management to continue doing so for Windows 10 client computers.
+
+You can use Configuration Manager to service Windows 10 devices in two ways. The first option is to use Windows 10 Servicing Plans to deploy Windows 10 feature updates automatically based on specific criteria, similar to an Automatic Deployment Rule for software updates. The second option is to use a task sequence to deploy feature updates, along with anything else in the installation.
+
+>[!NOTE]
+>This topic focuses on updating and upgrading Windows 10 after it has already been deployed. To use Configuration Manager to upgrade your systems from the Windows 8.1, Windows 8, or Windows 7 operating system, see [Upgrade to Windows 10 with System Center Configuration Manager](https://technet.microsoft.com/itpro/windows/deploy/upgrade-to-windows-10-with-system-center-configuraton-manager).
+
+## Windows 10 servicing dashboard
+
+The Windows 10 servicing dashboard gives you a quick-reference view of your active servicing plans, compliance for servicing plan deployment, and other key information about Windows 10 servicing. For details about what each tile on the servicing dashboard represents, see [Manage Windows as a service using System Center Configuration Manager](https://technet.microsoft.com/library/mt627931.aspx).
+
+For the Windows 10 servicing dashboard to display information, you must adhere to the following requirements:
+
+- **Heartbeat discovery**. Enable heartbeat discovery for the site receiving Windows 10 servicing information. Configuration for heartbeat discovery can be found in Administration\Overview\Hierarchy Configuration\Discovery Methods.
+- **Windows Server Update Service (WSUS)**. System Center Configuration Manager must have the Software update point site system role added and configured to receive updates from a WSUS 4.0 server with the hotfix KB3095113 installed.
+- **Service connection point**. Add the Service connection point site system role in Online, persistent connection mode.
+- **Upgrade classification**. Select **Upgrade** from the list of synchronized software update classifications.
+
+ **To configure Upgrade classification**
+
+ 1. Go to Administration\Overview\Site Configuration\Sites, and then select your site from the list.
+
+ 2. On the Ribbon, in the **Settings** section, click **Configure Site Components**, and then click **Software Update Point**.
+
+ 
+
+ 3. In the **Software Update Point Component Properties** dialog box, on the **Classifications** tab, click **Upgrades**.
+
+When you have met all these requirements and deployed a servicing plan to a collection, you’ll receive information on the Windows 10 servicing dashboard.
+
+## Create collections for deployment rings
+
+Regardless of the method by which you deploy Windows 10 feature updates to your environment, you must start the Windows 10 servicing process by creating collections of computers that represent your deployment rings. In this example, you create two collections: **Windows 10 – All Current Branch for Business** and **Ring 4 Broad business users**. You’ll use the **Windows 10 – All Current Branch for Business** collection for reporting and deployments that should go to all CBB clients. You’ll use the **Ring 4 Broad business users** collection as a deployment ring for the first CBB users.
+
+>[!NOTE]
+>The following procedures use the groups from Table 1 in [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) as examples.
+
+**To create collections for deployment rings**
+
+1. In the Configuration Manager console, go to Assets and Compliance\Overview\Device Collections.
+
+2. On the Ribbon, in the **Create** group, click **Create Device Collection**.
+
+3. In the Create Device Collection Wizard, in the **name** box, type **Windows 10 – All Current Branch for Business**.
+
+4. Click **Browse** to select the limiting collection, and then click **All Systems**.
+
+5. In **Membership rules**, click **Add Rule**, and then click **Query Rule**.
+
+6. Name the rule **CBB Detection**, and then click **Edit Query Statement**.
+
+7. On the **Criteria** tab, click the **New** icon.
+
+ 
+
+8. In the **Criterion Properties** dialog box, leave the type as **Simple Value**, and then click **Select**.
+
+9. In the **Select Attribute** dialog box, from the **Attribute class** list, select **System Resource**. From the **Attribute** list, select **OSBranch**, and then click **OK**.
+
+ 
+
+ >[!NOTE]
+ >Configuration Manager discovers clients’ servicing branch and stores that value in the **OSBranch** attribute, which you will use to create collections based on servicing branch. The values in this attribute can be **0 (Current Branch)**, **1 (Current Branch for Business)**, or **2 (Long-Term Servicing Branch)**.
+
+10. Leave **Operator** set to **is equal to**; in the **Value** box, type **1**. Click **OK**.
+
+ 
+
+11. Now that the **OSBranch** attribute is correct, verify the operating system version.
+
+12. On the **Criteria** tab, click the **New** icon again to add criteria.
+
+13. In the **Criterion Properties** dialog box, click **Select**.
+
+14. From the **Attribute class** list, select **System Resource**. From the **Attribute** list, select **Operating System Name and Version**, and then click **OK**.
+
+ 
+
+15. In the **Value** box, type **Microsoft Windows NT Workstation 10.0**, and then click **OK**.
+
+ 
+
+16. In the **Query Statement Properties** dialog box, you see two values. Click **OK**, and then click **OK** again to continue to the Create Device Collection Wizard.
+
+17. Click **Summary**, and then click **Next**.
+
+18. Close the wizard.
+
+>[!IMPORTANT]
+>Windows Insider PCs are discovered the same way as CB or CBB devices. If you have Windows Insider PCs that you use Configuration Manager to manage, then you should create a collection of those PCs and exclude them from this collection. You can create the membership for the Windows Insider collection either manually or by using a query where the operating system build doesn’t equal any of the current CB or CBB build numbers. You would have to update each periodically to include new devices or new operating system builds.
+
+After you have updated the membership, this new collection will contain all managed clients on the CBB servicing branch. You will use this collection as a limiting collection for future CBB-based collections and the **Ring 4 Broad broad business users** collection. Complete the following steps to create the **Ring 4 Broad business users** device collection, which you’ll use as a CBB deployment ring for servicing plans or task sequences.
+
+1. In the Configuration Manager console, go to Assets and Compliance\Overview\Device Collections.
+
+2. On the Ribbon, in the **Create** group, click **Create Device Collection**.
+
+3. In the Create Device Collection Wizard, in the **name** box, type **Ring 4 Broad business users**.
+
+4. Click **Browse** to select the limiting collection, and then click **Windows 10 – All Current Branch for Business**.
+
+5. In **Membership rules**, click **Add Rule**, and then click **Direct Rule**.
+
+6. In the **Create Direct Membership Rule Wizard** dialog box, click **Next**.
+
+7. In the **Value** field, type all or part of the name of a device to add, and then click **Next**.
+
+8. Select the computer that will be part of the **Ring 4 Broad business users** deployment ring, and then click **Next**.
+
+9. Click **Next**, and then click **Close**.
+
+10. In the **Create Device Collection Wizard** dialog box, click **Summary**.
+
+11. Click **Next**, and then click **Close**.
+
+
+## Use Windows 10 servicing plans to deploy Windows 10 feature updates
+
+There are two ways to deploy Windows 10 feature updates with System Center Configuration Manager. The first is to use servicing plans, which provide an automated method to update devices consistently in their respective deployment rings, similar to Automatic Deployment Rules for software updates.
+
+**To configure Windows feature updates for CBB clients in the Ring 4 Broad business users deployment ring using a servicing plan**
+
+1. In the Configuration Manager console, go to Software Library\Overview\Windows 10 Servicing, and then click **Servicing Plans**.
+
+2. On the Ribbon, in the **Create** group, click **Create Servicing Plan**.
+
+3. Name the plan **Ring 4 Broad business users Servicing Plan**, and then click **Next**.
+
+4. On the **Servicing Plan page**, click **Browse**. Select the **Ring 4 Broad business users** collection, which you created in the [Create collections for deployment rings](#create-collections-for-deployment-rings) section, click **OK**, and then click **Next**.
+
+ >[!IMPORTANT]
+ >Microsoft added a new protection feature to Configuration Manager that prevents accidental installation of high-risk deployments such as operating system upgrades on site systems. If you select a collection (All Systems in this example) that has a site system in it, you may receive the following message.
+ >
+ >
+ >
+ >For details about how to manage the settings for high-risk deployments in Configuration Manager, see [Settings to manage high-risk deployments for System Center Configuration Manager](https://technet.microsoft.com/library/mt621992.aspx).
+
+5. On the **Deployment Ring** page, select the **Business Ready (Current Branch for Business)** readiness state, leave the delay at **0 days**, and then click **Next**.
+
+ Doing so deploys CBB feature updates to the broad business users deployment ring immediately after they are released to CBB.
+
+ On the Upgrades page, you specify filters for the feature updates to which this servicing plan is applicable. For example, if you wanted this plan to be only for Windows 10 Enterprise, you could select **Title**, and then type **Enterprise**.
+
+6. For this example, on the **Upgrades** page, click **Next** to leave the criterion blank.
+
+7. On the **Deployment Schedule** page, click **Next** to keep the default values of making the content available immediately and requiring installation by the 7-day deadline.
+
+8. On the **User Experience** page, from the **Deadline behavior** list, select **Software Installation and System restart (if necessary)**. From the **Device restart behavior** list, select **Workstations**, and then click **Next**.
+
+ Doing so allows installation and restarts after the 7-day deadline on workstations only.
+
+9. On the **Deployment Package** page, select **Create a new deployment package**. In **Name**, type **CBB Upgrades**, select a share for your package source location, and then click **Next**.
+
+ In this example, \\contoso-cm01\Sources\Windows 10 Feature Upgrades is a share on the Configuration Manager server that contains all the Windows 10 feature updates.
+
+ 
+
+10. On the **Distribution Points** page, from the **Add** list, select **Distribution Point**.
+
+ 
+
+ Select the distribution points that serve the clients to which you’re deploying this servicing plan, and then click **OK**.
+
+11. Click **Summary**, click **Next** to complete the servicing plan, and then click **Close**.
+
+
+You have now created a servicing plan for the **Ring 4 Broad business users** deployment ring. By default, this rule is evaluated each time the software update point is synchronized, but you can modify this schedule by viewing the service plan’s properties on the **Evaluation Schedule** tab.
+
+
+
+
+## Use a task sequence to deploy Windows 10 updates
+
+There are times when deploying a Windows 10 feature update requires the use of a task sequence—for example:
+
+- **LTSB feature updates**. With the LTSB servicing branch, feature updates are never provided to the Windows clients themselves. Instead, feature updates must be installed like a traditional in-place upgrade.
+- **Additional required tasks**. When deploying a feature update requires additional steps (e.g., suspending disk encryption, updating applications), you must use task sequences to orchestrate the additional steps. Servicing plans do not have the ability to add steps to their deployments.
+
+Each time Microsoft releases a new Windows 10 build, it releases a new .iso file containing the latest build, as well. Regardless of the scenario that requires a task sequence to deploy the Windows 10 upgrade, the base process is the same. Start by creating an Operating System Upgrade Package in the Configuration Manager console:
+
+1. In the Configuration Manager console, go to Software Library\Overview\Operating Systems\Operating System Upgrade Packages.
+
+2. On the Ribbon, in the **Create** group, click **Add Operating System Upgrade Package**.
+
+3. On the **Data Source** page, type the path of the extracted .iso file of the new version of Windows 10 you’re deploying, and then click **Next**.
+
+ In this example, the Windows 10 Enterprise 1607 installation media is deployed to \\contoso-cm01\Sources\Operating Systems\Windows 10 Enterprise\Windows 10 Enterprise - Version 1607.
+
+ >[!NOTE]
+ >System Center Configuration Manager version 1606 is required to manage machines running Windows 10, version 1607.
+
+4. On the **General** page, in the **Name** field, type the name of the folder (**Windows 10 Enterprise - Version 1607** in this example). Set the **Version** to **1607**, and then click **Next**.
+
+5. On the **Summary** page, click **Next** to create the package.
+
+6. On the **Completion** page, click **Close**.
+
+Now that the operating system upgrade package has been created, the content in that package must be distributed to the correct distribution points so that the clients can access the content. Complete the following steps to distribute the package content to distribution points:
+
+1. In the Configuration Manager console, go to Software Library\Overview\Operating Systems\Operating System Upgrade Packages, and then select the **Windows 10 Enterprise – Version 1607** software upgrade package.
+
+2. On the Ribbon, in the **Deployment group**, click **Distribute Content**.
+
+3. In the Distribute Content Wizard, on the **General** page, click **Next**.
+
+4. On the **Content Destination** page, click **Add**, and then click **Distribution Point**.
+
+5. In the **Add Distribution Points** dialog box, select the distribution point that will serve the clients receiving this package, and then click **OK**.
+
+6. On the **Content Destination** page, click **Next**.
+
+7. On the **Summary** page, click **Next** to distribute the content to the selected distribution point.
+
+8. On the **Completion** page, click **Close**.
+
+Now that the upgrade package has been created and its contents distributed, create the task sequence that will use it. Complete the following steps to create the task sequence, using the previously created deployment package:
+
+1. In the Configuration Manager console, go to Software Library\Overview\Operating Systems\Task Sequences.
+
+2. On the Ribbon, in the **Create** group, click **Create Task Sequence**.
+
+3. In the Create Task Sequence Wizard, on the **Create a new task sequence** page, select **Upgrade an operating system from upgrade package**, and then click **Next**.
+
+4. On the **Task Sequence Information** page, in **Task sequence name**, type **Upgrade Windows 10 Enterprise – Version 1607**, and then click **Next**.
+
+5. On the **Upgrade the Windows Operating system** page, click **Browse**, select the deployment package you created in the previous steps, and then click **OK**.
+
+6. Click **Next**.
+
+7. On the **Include Updates** page, select **Available for installation – All software updates**, and then click **Next**.
+
+8. On the **Install Applications** page, click **Next**.
+
+9. On the **Summary** page, click **Next** to create the task sequence.
+
+10. On the **Completion** page, click **Close**.
+
+With the task sequence created, you’re ready to deploy it. If you’re using this method to deploy most of your Windows 10 feature updates, you may want to create deployment rings to stage the deployment of this task sequence, with delays appropriate for the respective deployment ring. In this example, you deploy the task sequence to the **Ring 4 Broad business users collection**.
+
+>[!IMPORTANT]
+>This process deploys a Windows 10 operating system feature update to the affected devices. If you’re testing, be sure to select the collection to which you deploy this task sequence carefully.
+
+**To deploy your task sequence**
+
+1. In the Configuration Manager console, go to Software Library\Overview\Operating Systems\Task Sequences, and then select the **Upgrade Windows 10 Enterprise – Version 1607** task sequence.
+
+2. On the Ribbon, in the **Deployment** group, click **Deploy**.
+
+3. In the Deploy Software Wizard, on the **General** page, click **Browse**. Select the target collection, click **OK**, and then click **Next**.
+
+4. On the **Deployment Settings** page, for **purpose**, select **Required**, and then click **Next**.
+
+5. On the **Scheduling** page, select the **Schedule when this deployment will become available** check box (it sets the current time by default). For **Assignment schedule**, click **New**.
+
+6. In the **Assignment Schedule** dialog box, click **Schedule**.
+
+7. In the **Custom Schedule** dialog box, select the desired deadline, and then click **OK**.
+
+8. In the **Assignment Schedule** dialog box, click **OK**, and then click **Next**.
+
+9. On the **User Experience** page, in the **When the scheduled assignment time is reached, allow the following activities to be performed outside of the maintenance window** section, select **Software Installation** and **System restart** (if required to complete the installation), and then click **Next**.
+
+10. Use the defaults for the remaining settings.
+
+11. Click **Summary**, and then click **Next** to deploy the task sequence.
+
+12. Click **Close**.
+
+
+## Steps to manage updates for Windows 10
+
+| | |
+| --- | --- |
+|  | [Learn about updates and servicing channels](waas-overview.md) |
+|  | [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) |
+|  | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) |
+|  | [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) |
+|  | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) |
+|  | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)or Deploy Windows 10 updates using System Center Configuration Manager (this topic) |
+
+## See also
+
+[Manage Windows as a service using System Center Configuration Manager](https://docs.microsoft.com/sccm/osd/deploy-use/manage-windows-as-a-service)
+
+
+## Related topics
+
+- [Update Windows 10 in the enterprise](index.md)
+- [Overview of Windows as a service](waas-overview.md)
+- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
+- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
+- [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md)
+- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
+- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
+- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
+- [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
+- [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)
+- [Configure Windows Update for Business](waas-configure-wufb.md)
+- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
+- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
+- [Walkthrough: use Intune to configure Windows Update for Business](https://docs.microsoft.com/intune/windows-update-for-business-configure)
+- [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
+- [Manage device restarts after updates](waas-restart.md)
+
diff --git a/windows/deployment/update/waas-manage-updates-wsus.md b/windows/deployment/update/waas-manage-updates-wsus.md
index f9c378860b..cda79baf8e 100644
--- a/windows/deployment/update/waas-manage-updates-wsus.md
+++ b/windows/deployment/update/waas-manage-updates-wsus.md
@@ -1,360 +1,356 @@
----
-title: Deploy Windows 10 updates using Windows Server Update Services (Windows 10)
-description: WSUS allows companies to defer, selectively approve, choose when delivered, and determine which devices receive updates.
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.localizationpriority: medium
-ms.author: greglin
-ms.date: 10/16/2017
-ms.reviewer:
-manager: laurawi
-ms.topic: article
----
-
-# Deploy Windows 10 updates using Windows Server Update Services (WSUS)
-
-
-**Applies to**
-
-- Windows 10
-
-> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
-
->[!IMPORTANT]
->Due to [naming changes](waas-overview.md#naming-changes), older terms like CB,CBB and LTSB may still be displayed in some of our products.
->
->In the following settings CB refers to Semi-Annual Channel (Targeted), while CBB refers to Semi-Annual Channel.
-
-WSUS is a Windows Server role available in the Windows Server operating systems. It provides a single hub for Windows updates within an organization. WSUS allows companies not only to defer updates but also to selectively approve them, choose when they’re delivered, and determine which individual devices or groups of devices receive them. WSUS provides additional control over Windows Update for Business but does not provide all the scheduling options and deployment flexibility that System Center Configuration Manager provides.
-
-When you choose WSUS as your source for Windows updates, you use Group Policy to point Windows 10 client devices to the WSUS server for their updates. From there, updates are periodically downloaded to the WSUS server and managed, approved, and deployed through the WSUS administration console or Group Policy, streamlining enterprise update management. If you’re currently using WSUS to manage Windows updates in your environment, you can continue to do so in Windows 10.
-
-
-
-## Requirements for Windows 10 servicing with WSUS
-
-To be able to use WSUS to manage and deploy Windows 10 feature updates, you must have WSUS 4.0, which is available in the Windows Server 2012 R2 and Windows Server 2012 operating systems. In addition to WSUS 4.0, you must install the [KB3095113](https://support.microsoft.com/kb/3095113) and [KB3159706](https://support.microsoft.com/kb/3159706) patches on the WSUS server.
-
-## WSUS scalability
-
-To use WSUS to manage all Windows updates, some organizations may need access to WSUS from a perimeter network, or they might have some other complex scenario. WSUS is highly scalable and configurable for organizations of any size or site layout. For specific information about scaling WSUS, including upstream and downstream server configuration, branch offices, WSUS load balancing, and other complex scenarios, see [Choose a Type of WSUS Deployment](https://technet.microsoft.com/library/cc720448%28v=ws.10%29.aspx).
-
-
-## Express Installation Files
-
-With Windows 10, quality updates will be larger than traditional Windows Updates because they’re cumulative. To manage the bandwidth clients downloading large updates like these will need, WSUS has a feature called *Express Installation Files*.
-
- At a binary level, files associated with updates may not change a lot. In fact, with cumulative quality updates, most of the content will be from previous updates. Rather than downloading the entire update when only a small percentage of the payload is actually different, Express Installation Files analyze the differences between the new files associated with an update and the existing files on the client. This approach significantly reduces the amount of bandwidth used because only a fraction of the update content is actually delivered.
-
- **To configure WSUS to download Express Update Files**
-
-1. Open the WSUS Administration Console.
-
-2. In the navigation pane, go to *Your_Server*\\**Options**.
-
-3. In the **Options** section, click **Update Files and Languages**.
-
- 
-
-4. In the **Update Files and Languages** dialog box, select **Download express installation files**.
-
- 
-
- >[!NOTE]
- >Because Windows 10 updates are cumulative, enabling Express Installation Files when WSUS is configured to download Windows 10 updates will significantly increase the amount of disk space that WSUS requires. Alternatively, when using Express Installation Files for previous versions of Windows, the feature’s positive effects aren’t noticeable because the updates aren’t cumulative.
-
-## Configure automatic updates and update service location
-
-When using WSUS to manage updates on Windows client devices, start by configuring the **Configure Automatic Updates** and **Intranet Microsoft Update Service Location** Group Policy settings for your environment. Doing so forces the affected clients to contact the WSUS server so that it can manage them. The following process describes how to specify these settings and deploy them to all devices in the domain.
-
-**To configure the Configure Automatic Updates and Intranet Microsoft Update Service Location Group Policy settings for your environment**
-
-1. Open GPMC.
-
-2. Expand Forest\Domains\\*Your_Domain*.
-
-3. Right-click *Your_Domain*, and then click **Create a GPO in this domain, and Link it here**.
-
- 
-
- >[!NOTE]
- >In this example, the **Configure Automatic Updates** and **Intranet Microsoft Update Service Location** Group Policy settings are specified for the entire domain. This is not a requirement; you can target these settings to any security group by using Security Filtering or a specific OU.
-
-4. In the **New GPO** dialog box, name the new GPO **WSUS – Auto Updates and Intranet Update Service Location**.
-
-5. Right-click the **WSUS – Auto Updates and Intranet Update Service Location** GPO, and then click **Edit**.
-
-6. In the Group Policy Management Editor, go to Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update.
-
-7. Right-click the **Configure Automatic Updates** setting, and then click **Edit**.
-
- 
-
-8. In the **Configure Automatic Updates** dialog box, select **Enable**.
-
-9. Under **Options**, from the **Configure automatic updating** list, select **3 - Auto download and notify for install**, and then click **OK**.
-
- 
-
- > [!NOTE]
- > ?There are three other settings for automatic update download and installation dates and times. This is simply the option this example uses. For more examples of how to control automatic updates and other related policies, see [Configure Automatic Updates by Using Group Policy](https://technet.microsoft.com/library/cc720539%28v=ws.10%29.aspx).
-
-10. Right-click the **Specify intranet Microsoft update service location** setting, and then click **Edit**.
-
-11. In the **Specify intranet Microsoft update service location** dialog box, select **Enable**.
-
-12. Under **Options**, in the **Set the intranet update service for detecting updates** and **Set the intranet statistics server** options, type http://Your_WSUS_Server_FQDN:PortNumber, and then click **OK**.
-
- >[!NOTE]
- >The URL `http://CONTOSO-WSUS1.contoso.com:8530` in the following image is just an example. In your environment, be sure to use the server name and port number for your WSUS instance.
-
- 
-
- >[!NOTE]
- >The default HTTP port for WSUS is 8530, and the default HTTP over Secure Sockets Layer (HTTPS) port is 8531. If you’re unsure which port WSUS is using for client communication, right-click the WSUS Administration site in IIS Manager, and then click **Edit Bindings**.
-
-As Windows clients refresh their computer policies (the default Group Policy refresh setting is 90 minutes and when a computer restarts), computers start to appear in WSUS. Now that clients are communicating with the WSUS server, create the computer groups that align with your deployment rings.
-
-## Create computer groups in the WSUS Administration Console
-
->[!NOTE]
->The following procedures use the groups from Table 1 in [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) as examples.
-
-You can use computer groups to target a subset of devices that have specific quality and feature updates. These groups represent your deployment rings, as controlled by WSUS. You can populate the groups either manually by using the WSUS Administration Console or automatically through Group Policy. Regardless of the method you choose, you must first create the groups in the WSUS Administration Console.
-
-**To create computer groups in the WSUS Administration Console**
-
-1. Open the WSUS Administration Console.
-
-2. Go to *Server_Name*\Computers\All Computers, and then click **Add Computer Group**.
-
- 
-
-3. Type **Ring 2 Pilot Business Users** for the name, and then click **Add**.
-
-4. Repeat these steps for the **Ring 3 Broad IT** and **Ring 4 Broad Business Users** groups. When you’re finished, there should be three deployment ring groups.
-
-Now that the groups have been created, add the computers to the computer groups that align with the desired deployment rings. You can do this through [Group Policy](#wsus-gp) or manually by using the [WSUS Administration Console](#wsus-admin).
-
-
-## Use the WSUS Administration Console to populate deployment rings
-
-Adding computers to computer groups in the WSUS Administration Console is simple, but it could take much longer than managing membership through Group Policy, especially if you have many computers to add. Adding computers to computer groups in the WSUS Administration Console is called *server-side targeting*.
-
-In this example, you add computers to computer groups in two different ways: by manually assigning unassigned computers and by searching for multiple computers.
-
-### Manually assign unassigned computers to groups
-
-When new computers communicate with WSUS, they appear in the **Unassigned Computers** group. From there, you can use the following procedure to add computers to their correct groups. For these examples, you use two Windows 10 PCs (WIN10-PC1 and WIN10-PC2) to add to the computer groups.
-
-**To assign computers manually**
-
-1. In the WSUS Administration Console, go to *Server_Name*\Computers\All Computers\Unassigned Computers.
-
- Here, you see the new computers that have received the GPO you created in the previous section and started communicating with WSUS. This example has only two computers; depending on how broadly you deployed your policy, you will likely have many computers here.
-
-2. Select both computers, right-click the selection, and then click **Change Membership**.
-
- 
-
-3. In the **Set Computer Group Membership** dialog box, select the **Ring 2 Pilot Business Users** deployment ring, and then click **OK**.
-
- Because they were assigned to a group, the computers are no longer in the **Unassigned Computers** group. If you select the **Ring 2 Pilot Business Users** computer group, you will see both computers there.
-
-### Search for multiple computers to add to groups
-
-Another way to add multiple computers to a deployment ring in the WSUS Administration Console is to use the search feature.
-
-**To search for multiple computers**
-
-1. In the WSUS Administration Console, go to *Server_Name*\Computers\All Computers, right-click **All Computers**, and then click **Search**.
-
-2. In the search box, type **WIN10**.
-
-3. In the search results, select the computers, right-click the selection, and then click **Change Membership**.
-
- 
-
-4. Select the **Ring 3 Broad IT** deployment ring, and then click **OK**.
-
-You can now see these computers in the **Ring 3 Broad IT** computer group.
-
-
-
-## Use Group Policy to populate deployment rings
-
-The WSUS Administration Console provides a friendly interface from which you can manage Windows 10 quality and feature updates. When you need to add many computers to their correct WSUS deployment ring, however, it can be time-consuming to do so manually in the WSUS Administration Console. For these cases, consider using Group Policy to target the correct computers, automatically adding them to the correct WSUS deployment ring based on an Active Directory security group. This process is called *client-side targeting*. Before enabling client-side targeting in Group Policy, you must configure WSUS to accept Group Policy computer assignment.
-
-**To configure WSUS to allow client-side targeting from Group Policy**
-
-1. Open the WSUS Administration Console, and go to *Server_Name*\Options, and then click **Computers**.
-
- 
-
-2. In the **Computers** dialog box, select **Use Group Policy or registry settings on computers**, and then click **OK**.
-
- >[!NOTE]
- >This option is exclusively either-or. When you enable WSUS to use Group Policy for group assignment, you can no longer manually add computers through the WSUS Administration Console until you change the option back.
-
-Now that WSUS is ready for client-side targeting, complete the following steps to use Group Policy to configure client-side targeting:
-
-**To configure client-side targeting**
-
->[!TIP]
->When using client-side targeting, consider giving security groups the same names as your deployment rings. Doing so simplifies the policy-creation process and helps ensure that you don’t add computers to the incorrect rings.
-
-1. Open GPMC.
-
-2. Expand Forest\Domains\\*Your_Domain*.
-
-3. Right-click *Your_Domain*, and then click **Create a GPO in this domain, and Link it here**.
-
-4. In the **New GPO** dialog box, type **WSUS – Client Targeting – Ring 4 Broad Business Users** for the name of the new GPO.
-
-5. Right-click the **WSUS – Client Targeting – Ring 4 Broad Business Users** GPO, and then click **Edit**.
-
- 
-
-6. In the Group Policy Management Editor, go to Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update.
-
-7. Right-click **Enable client-side targeting**, and then click **Edit**.
-
-8. In the **Enable client-side targeting** dialog box, select **Enable**.
-
-9. In the **Target group name for this computer** box, type **Ring 4 Broad Business Users**. This is the name of the deployment ring in WSUS to which these computers will be added.
-
- 
-
-10. Close the Group Policy Management Editor.
-
-Now you’re ready to deploy this GPO to the correct computer security group for the **Ring 4 Broad Business Users** deployment ring.
-
-**To scope the GPO to a group**
-
-1. In GPMC, select the **WSUS – Client Targeting – Ring 4 Broad Business Users** policy.
-
-2. Click the **Scope** tab.
-
-3. Under **Security Filtering**, remove the default **AUTHENTICATED USERS** security group, and then add the **Ring 4 Broad Business Users** group.
-
- 
-
-The next time the clients in the **Ring 4 Broad Business Users** security group receive their computer policy and contact WSUS, they will be added to the **Ring 4 Broad Business Users** deployment ring.
-
-## Automatically approve and deploy feature updates
-
-For clients that should have their feature updates approved as soon as they’re available, you can configure Automatic Approval rules in WSUS.
-
->[!NOTE]
->WSUS respects the client’s servicing branch. If you approve a feature update while it is still Current Branch (CB), WSUS will install the update only on PCs that are in the CB servicing branch. When Microsoft releases the build for Current Branch for Business (CBB), the PCs in the CBB servicing branch will install it. Windows Update for Business branch settings do not apply to feature updates through WSUS.
-
-**To configure an Automatic Approval rule for Windows 10 feature updates and approve them for the Ring 3 Broad IT deployment ring**
-
-1. In the WSUS Administration Console, go to Update Services\\*Server_Name*\Options, and then select **Automatic Approvals**.
-
-2. On the **Update Rules** tab, click **New Rule**.
-
-3. In the **Add Rule** dialog box, select the **When an update is in a specific classification**, **When an update is in a specific product**, and **Set a deadline for the approval** check boxes.
-
- 
-
-4. In the **Edit the properties** area, select **any classification**. Clear everything except **Upgrades**, and then click **OK**.
-
-5. In the **Edit the properties area**, click the **any product** link. Clear all check boxes except **Windows 10**, and then click **OK**.
-
- Windows 10 is under All Products\Microsoft\Windows.
-
-6. In the **Edit the properties** area, click the **all computers** link. Clear all the computer group check boxes except **Ring 3 Broad IT**, and then click **OK**.
-
-7. Leave the deadline set for **7 days after the approval at 3:00 AM**.
-
-8. In the **Step 3: Specify a name** box, type **Windows 10 Upgrade Auto-approval for Ring 3 Broad IT**, and then click **OK**.
-
- 
-
-9. In the **Automatic Approvals** dialog box, click **OK**.
-
- >[!NOTE]
- >WSUS does not honor any existing month/week/day deferral settings for CB or CBB. That said, if you’re using Windows Update for Business for a computer for which WSUS is also managing updates, when WSUS approves the update, it will be installed on the computer regardless of whether you configured Group Policy to wait.
-
-Now, whenever Windows 10 feature updates are published to WSUS, they will automatically be approved for the **Ring 3 Broad IT** deployment ring with an installation deadline of 1 week.
-
-## Manually approve and deploy feature updates
-
-You can manually approve updates and set deadlines for installation within the WSUS Administration Console, as well. To simplify the manual approval process, start by creating a software update view that contains only Windows 10 updates.
-
-**To approve and deploy feature updates manually**
-
-1. In the WSUS Administration Console, go to Update Services\\*Server_Name*\Updates. In the **Action** pane, click **New Update View**.
-
-2. In the **Add Update View** dialog box, select **Updates are in a specific classification** and **Updates are for a specific product**.
-
-3. Under **Step 2: Edit the properties**, click **any classification**. Clear all check boxes except **Upgrades**, and then click **OK**.
-
-4. Under **Step 2: Edit the properties**, click **any product**. Clear all check boxes except **Windows 10**, and then click **OK**.
-
- Windows 10 is under All Products\Microsoft\Windows.
-
-5. In the **Step 3: Specify a name** box, type **All Windows 10 Upgrades**, and then click **OK**.
-
- 
-
-Now that you have the All Windows 10 Upgrades view, complete the following steps to manually approve an update for the **Ring 4 Broad Business Users** deployment ring:
-
-1. In the WSUS Administration Console, go to Update Services\\*Server_Name*\Updates\All Windows 10 Upgrades.
-
-2. Right-click the feature update you want to deploy, and then click **Approve**.
-
- 
-
-3. In the **Approve Updates** dialog box, from the **Ring 4 Broad Business Users** list, select **Approved for Install**.
-
- 
-
-4. In the **Approve Updates** dialog box, from the **Ring 4 Broad Business Users** list, click **Deadline**, click **One Week**, and then click **OK**.
-
- 
-
-5. If the **Microsoft Software License Terms** dialog box opens, click **Accept**.
-
- If the deployment is successful, you should receive a successful progress report.
-
- 
-
-6. In the **Approval Progress** dialog box, click **Close**.
-
-
-
-## Steps to manage updates for Windows 10
-
-| | |
-| --- | --- |
-|  | [Learn about updates and servicing channels](waas-overview.md) |
-|  | [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) |
-|  | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) |
-|  | [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) |
-|  | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) |
-|  | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)or Deploy Windows 10 updates using Windows Server Update Services (this topic)or [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) |
-
-
-
-## Related topics
-
-- [Update Windows 10 in the enterprise](index.md)
-- [Overview of Windows as a service](waas-overview.md)
-- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
-- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
-- [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md)
-- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
-- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
-- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
-- [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
-- [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)
-- [Configure Windows Update for Business](waas-configure-wufb.md)
-- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
-- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
-- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
-- [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
-- [Manage device restarts after updates](waas-restart.md)
+---
+title: Deploy Windows 10 updates using Windows Server Update Services (Windows 10)
+description: WSUS allows companies to defer, selectively approve, choose when delivered, and determine which devices receive updates.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: jaimeo
+ms.localizationpriority: medium
+ms.author: jaimeo
+ms.reviewer:
+manager: laurawi
+ms.topic: article
+---
+
+# Deploy Windows 10 updates using Windows Server Update Services (WSUS)
+
+
+**Applies to**
+
+- Windows 10
+
+> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
+
+>[!IMPORTANT]
+>Due to [naming changes](waas-overview.md#naming-changes), older terms like CB and CBB might still be displayed in some of our products, such as in Group Policy or the registry. If you encounter these terms, "CB" refers to the Semi-Annual Channel (Targeted)--which is no longer used--while "CBB" refers to the Semi-Annual Channel.
+
+
+WSUS is a Windows Server role available in the Windows Server operating systems. It provides a single hub for Windows updates within an organization. WSUS allows companies not only to defer updates but also to selectively approve them, choose when they’re delivered, and determine which individual devices or groups of devices receive them. WSUS provides additional control over Windows Update for Business but does not provide all the scheduling options and deployment flexibility that System Center Configuration Manager provides.
+
+When you choose WSUS as your source for Windows updates, you use Group Policy to point Windows 10 client devices to the WSUS server for their updates. From there, updates are periodically downloaded to the WSUS server and managed, approved, and deployed through the WSUS administration console or Group Policy, streamlining enterprise update management. If you’re currently using WSUS to manage Windows updates in your environment, you can continue to do so in Windows 10.
+
+
+
+## Requirements for Windows 10 servicing with WSUS
+
+To be able to use WSUS to manage and deploy Windows 10 feature updates, you must use a supported WSUS version:
+- WSUS 10.0.14393 (role in Windows Server 2016)
+- WSUS 10.0.17763 (role in Windows Server 2019)
+- WSUS 6.2 and 6.3 (role in Windows Server 2012 and Windows Server 2012 R2)
+- KB 3095113 and KB 3159706 (or an equivalent update) must be installed on WSUS 6.2 and 6.3.
+
+> [!IMPORTANT]
+> Both [KB 3095113](https://support.microsoft.com/kb/3095113) and [KB 3159706](https://support.microsoft.com/kb/3159706) are included in the **Security Monthly Quality Rollup** starting in July 2017. This means you might not see KB 3095113 and KB 3159706 as installed updates since they might have been installed with a rollup. However, if you need either of these updates, we recommend installing a **Security Monthly Quality Rollup** released after **October 2017** since they contain an additional WSUS update to decrease memory utilization on WSUS's clientwebservice.
+>If you have synced either of these updates prior to the security monthly quality rollup, you can experience problems. To recover from this, see [How to Delete Upgrades in WSUS](https://blogs.technet.microsoft.com/wsus/2016/01/29/how-to-delete-upgrades-in-wsus/).
+
+
+## WSUS scalability
+
+To use WSUS to manage all Windows updates, some organizations may need access to WSUS from a perimeter network, or they might have some other complex scenario. WSUS is highly scalable and configurable for organizations of any size or site layout. For specific information about scaling WSUS, including upstream and downstream server configuration, branch offices, WSUS load balancing, and other complex scenarios, see [Choose a Type of WSUS Deployment](https://technet.microsoft.com/library/cc720448%28v=ws.10%29.aspx).
+
+
+
+
+## Configure automatic updates and update service location
+
+When using WSUS to manage updates on Windows client devices, start by configuring the **Configure Automatic Updates** and **Intranet Microsoft Update Service Location** Group Policy settings for your environment. Doing so forces the affected clients to contact the WSUS server so that it can manage them. The following process describes how to specify these settings and deploy them to all devices in the domain.
+
+**To configure the Configure Automatic Updates and Intranet Microsoft Update Service Location Group Policy settings for your environment**
+
+1. Open Group Policy Management Console (gpmc.msc).
+
+2. Expand *Forest\Domains\\*Your_Domain**.
+
+3. Right-click **Your_Domain**, and then select **Create a GPO in this domain, and Link it here**.
+
+ 
+
+ >[!NOTE]
+ >In this example, the **Configure Automatic Updates** and **Intranet Microsoft Update Service Location** Group Policy settings are specified for the entire domain. This is not a requirement; you can target these settings to any security group by using Security Filtering or a specific OU.
+
+4. In the **New GPO** dialog box, name the new GPO **WSUS – Auto Updates and Intranet Update Service Location**.
+
+5. Right-click the **WSUS – Auto Updates and Intranet Update Service Location** GPO, and then click **Edit**.
+
+6. In the Group Policy Management Editor, go to Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update.
+
+7. Right-click the **Configure Automatic Updates** setting, and then click **Edit**.
+
+ 
+
+8. In the **Configure Automatic Updates** dialog box, select **Enable**.
+
+9. Under **Options**, from the **Configure automatic updating** list, select **3 - Auto download and notify for install**, and then click **OK**.
+
+ 
+
+ > [!NOTE]
+ > There are three other settings for automatic update download and installation dates and times. This is simply the option this example uses. For more examples of how to control automatic updates and other related policies, see [Configure Automatic Updates by Using Group Policy](https://technet.microsoft.com/library/cc720539%28v=ws.10%29.aspx).
+
+10. Right-click the **Specify intranet Microsoft update service location** setting, and then select **Edit**.
+
+11. In the **Specify intranet Microsoft update service location** dialog box, select **Enable**.
+
+12. Under **Options**, in the **Set the intranet update service for detecting updates** and **Set the intranet statistics server** options, type http://Your_WSUS_Server_FQDN:PortNumber, and then select **OK**.
+
+ >[!NOTE]
+ >The URL `http://CONTOSO-WSUS1.contoso.com:8530` in the following image is just an example. In your environment, be sure to use the server name and port number for your WSUS instance.
+
+ 
+
+ >[!NOTE]
+ >The default HTTP port for WSUS is 8530, and the default HTTP over Secure Sockets Layer (HTTPS) port is 8531. (The other options are 80 and 443; no other ports are supported.)
+
+As Windows clients refresh their computer policies (the default Group Policy refresh setting is 90 minutes and when a computer restarts), computers start to appear in WSUS. Now that clients are communicating with the WSUS server, create the computer groups that align with your deployment rings.
+
+## Create computer groups in the WSUS Administration Console
+
+>[!NOTE]
+>The following procedures use the groups from Table 1 in [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) as examples.
+
+You can use computer groups to target a subset of devices that have specific quality and feature updates. These groups represent your deployment rings, as controlled by WSUS. You can populate the groups either manually by using the WSUS Administration Console or automatically through Group Policy. Regardless of the method you choose, you must first create the groups in the WSUS Administration Console.
+
+**To create computer groups in the WSUS Administration Console**
+
+1. Open the WSUS Administration Console.
+
+2. Go to *Server_Name*\Computers\All Computers, and then click **Add Computer Group**.
+
+ 
+
+3. Type **Ring 2 Pilot Business Users** for the name, and then click **Add**.
+
+4. Repeat these steps for the **Ring 3 Broad IT** and **Ring 4 Broad Business Users** groups. When you’re finished, there should be three deployment ring groups.
+
+Now that the groups have been created, add the computers to the computer groups that align with the desired deployment rings. You can do this through [Group Policy](#wsus-gp) or manually by using the [WSUS Administration Console](#wsus-admin).
+
+
+
+## Use the WSUS Administration Console to populate deployment rings
+
+Adding computers to computer groups in the WSUS Administration Console is simple, but it could take much longer than managing membership through Group Policy, especially if you have many computers to add. Adding computers to computer groups in the WSUS Administration Console is called *server-side targeting*.
+
+In this example, you add computers to computer groups in two different ways: by manually assigning unassigned computers and by searching for multiple computers.
+
+### Manually assign unassigned computers to groups
+
+When new computers communicate with WSUS, they appear in the **Unassigned Computers** group. From there, you can use the following procedure to add computers to their correct groups. For these examples, you use two Windows 10 PCs (WIN10-PC1 and WIN10-PC2) to add to the computer groups.
+
+**To assign computers manually**
+
+1. In the WSUS Administration Console, go to *Server_Name*\Computers\All Computers\Unassigned Computers.
+
+ Here, you see the new computers that have received the GPO you created in the previous section and started communicating with WSUS. This example has only two computers; depending on how broadly you deployed your policy, you will likely have many computers here.
+
+2. Select both computers, right-click the selection, and then click **Change Membership**.
+
+ 
+
+3. In the **Set Computer Group Membership** dialog box, select the **Ring 2 Pilot Business Users** deployment ring, and then click **OK**.
+
+ Because they were assigned to a group, the computers are no longer in the **Unassigned Computers** group. If you select the **Ring 2 Pilot Business Users** computer group, you will see both computers there.
+
+### Search for multiple computers to add to groups
+
+Another way to add multiple computers to a deployment ring in the WSUS Administration Console is to use the search feature.
+
+**To search for multiple computers**
+
+1. In the WSUS Administration Console, go to *Server_Name*\Computers\All Computers, right-click **All Computers**, and then click **Search**.
+
+2. In the search box, type **WIN10**.
+
+3. In the search results, select the computers, right-click the selection, and then click **Change Membership**.
+
+ 
+
+4. Select the **Ring 3 Broad IT** deployment ring, and then click **OK**.
+
+You can now see these computers in the **Ring 3 Broad IT** computer group.
+
+
+
+## Use Group Policy to populate deployment rings
+
+The WSUS Administration Console provides a friendly interface from which you can manage Windows 10 quality and feature updates. When you need to add many computers to their correct WSUS deployment ring, however, it can be time-consuming to do so manually in the WSUS Administration Console. For these cases, consider using Group Policy to target the correct computers, automatically adding them to the correct WSUS deployment ring based on an Active Directory security group. This process is called *client-side targeting*. Before enabling client-side targeting in Group Policy, you must configure WSUS to accept Group Policy computer assignment.
+
+**To configure WSUS to allow client-side targeting from Group Policy**
+
+1. Open the WSUS Administration Console, and go to *Server_Name*\Options, and then click **Computers**.
+
+ 
+
+2. In the **Computers** dialog box, select **Use Group Policy or registry settings on computers**, and then click **OK**.
+
+ >[!NOTE]
+ >This option is exclusively either-or. When you enable WSUS to use Group Policy for group assignment, you can no longer manually add computers through the WSUS Administration Console until you change the option back.
+
+Now that WSUS is ready for client-side targeting, complete the following steps to use Group Policy to configure client-side targeting:
+
+**To configure client-side targeting**
+
+>[!TIP]
+>When using client-side targeting, consider giving security groups the same names as your deployment rings. Doing so simplifies the policy-creation process and helps ensure that you don’t add computers to the incorrect rings.
+
+1. Open Group Policy Management Console (gpmc.msc).
+
+2. Expand Forest\Domains\\*Your_Domain*.
+
+3. Right-click *Your_Domain*, and then click **Create a GPO in this domain, and Link it here**.
+
+4. In the **New GPO** dialog box, type **WSUS – Client Targeting – Ring 4 Broad Business Users** for the name of the new GPO.
+
+5. Right-click the **WSUS – Client Targeting – Ring 4 Broad Business Users** GPO, and then click **Edit**.
+
+ 
+
+6. In the Group Policy Management Editor, go to Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update.
+
+7. Right-click **Enable client-side targeting**, and then click **Edit**.
+
+8. In the **Enable client-side targeting** dialog box, select **Enable**.
+
+9. In the **Target group name for this computer** box, type *Ring 4 Broad Business Users*. This is the name of the deployment ring in WSUS to which these computers will be added.
+
+ 
+
+> [!WARNING]
+> The target group name must match the computer group name.
+
+10. Close the Group Policy Management Editor.
+
+Now you’re ready to deploy this GPO to the correct computer security group for the **Ring 4 Broad Business Users** deployment ring.
+
+**To scope the GPO to a group**
+
+1. In GPMC, select the **WSUS – Client Targeting – Ring 4 Broad Business Users** policy.
+
+2. Click the **Scope** tab.
+
+3. Under **Security Filtering**, remove the default **AUTHENTICATED USERS** security group, and then add the **Ring 4 Broad Business Users** group.
+
+ 
+
+The next time the clients in the **Ring 4 Broad Business Users** security group receive their computer policy and contact WSUS, they will be added to the **Ring 4 Broad Business Users** deployment ring.
+
+## Automatically approve and deploy feature updates
+
+For clients that should have their feature updates approved as soon as they’re available, you can configure Automatic Approval rules in WSUS.
+
+>[!NOTE]
+>WSUS respects the client device's servicing branch. If you approve a feature update while it is still in one branch, such as Insider Preview, WSUS will install the update only on devices that are in that servicing branch. When Microsoft releases the build for Semi-Annual Channel, the devices in the Semi-Annual Channel will install it. Windows Update for Business branch settings do not apply to feature updates through WSUS.
+
+
+**To configure an Automatic Approval rule for Windows 10 feature updates and approve them for the Ring 3 Broad IT deployment ring**
+
+1. In the WSUS Administration Console, go to Update Services\\*Server_Name*\Options, and then select **Automatic Approvals**.
+
+2. On the **Update Rules** tab, click **New Rule**.
+
+3. In the **Add Rule** dialog box, select the **When an update is in a specific classification**, **When an update is in a specific product**, and **Set a deadline for the approval** check boxes.
+
+ 
+
+4. In the **Edit the properties** area, select **any classification**. Clear everything except **Upgrades**, and then click **OK**.
+
+5. In the **Edit the properties area**, click the **any product** link. Clear all check boxes except **Windows 10**, and then click **OK**.
+
+ Windows 10 is under All Products\Microsoft\Windows.
+
+6. In the **Edit the properties** area, click the **all computers** link. Clear all the computer group check boxes except **Ring 3 Broad IT**, and then click **OK**.
+
+7. Leave the deadline set for **7 days after the approval at 3:00 AM**.
+
+8. In the **Step 3: Specify a name** box, type **Windows 10 Upgrade Auto-approval for Ring 3 Broad IT**, and then click **OK**.
+
+ 
+
+9. In the **Automatic Approvals** dialog box, click **OK**.
+
+ >[!NOTE]
+ >WSUS does not honor any existing month/week/day [deferral settings](waas-configure-wufb.md#configure-when-devices-receive-feature-updates). That said, if you’re using Windows Update for Business for a computer for which WSUS is also managing updates, when WSUS approves the update, it will be installed on the computer regardless of whether you configured Group Policy to wait.
+
+Now, whenever Windows 10 feature updates are published to WSUS, they will automatically be approved for the **Ring 3 Broad IT** deployment ring with an installation deadline of 1 week.
+
+> [!WARNING]
+> The auto approval rule runs after synchronization occurs. This means that the *next* upgrade for each Windows 10 version will be approved. If you select **Run Rule**, all possible updates that meet the criteria will be approved, potentially including older updates that you don't actualy want--which can be a problem when the download sizes are very large.
+
+## Manually approve and deploy feature updates
+
+You can manually approve updates and set deadlines for installation within the WSUS Administration Console, as well. It might be best to approve update rules manually after your pilot deployment has been updated.
+
+To simplify the manual approval process, start by creating a software update view that contains only Windows 10 updates.
+
+**To approve and deploy feature updates manually**
+
+1. In the WSUS Administration Console, go to Update Services\\*Server_Name*\Updates. In the **Action** pane, click **New Update View**.
+
+2. In the **Add Update View** dialog box, select **Updates are in a specific classification** and **Updates are for a specific product**.
+
+3. Under **Step 2: Edit the properties**, click **any classification**. Clear all check boxes except **Upgrades**, and then click **OK**.
+
+4. Under **Step 2: Edit the properties**, click **any product**. Clear all check boxes except **Windows 10**, and then click **OK**.
+
+ Windows 10 is under All Products\Microsoft\Windows.
+
+5. In the **Step 3: Specify a name** box, type **All Windows 10 Upgrades**, and then click **OK**.
+
+ 
+
+Now that you have the **All Windows 10 Upgrades** view, complete the following steps to manually approve an update for the **Ring 4 Broad Business Users** deployment ring:
+
+1. In the WSUS Administration Console, go to Update Services\\*Server_Name*\Updates\All Windows 10 Upgrades.
+
+2. Right-click the feature update you want to deploy, and then click **Approve**.
+
+ 
+
+3. In the **Approve Updates** dialog box, from the **Ring 4 Broad Business Users** list, select **Approved for Install**.
+
+ 
+
+4. In the **Approve Updates** dialog box, from the **Ring 4 Broad Business Users** list, click **Deadline**, click **One Week**, and then click **OK**.
+
+ 
+
+5. If the **Microsoft Software License Terms** dialog box opens, click **Accept**.
+
+ If the deployment is successful, you should receive a successful progress report.
+
+ 
+
+6. In the **Approval Progress** dialog box, click **Close**.
+
+
+
+## Steps to manage updates for Windows 10
+
+| | |
+| --- | --- |
+|  | [Learn about updates and servicing channels](waas-overview.md) |
+|  | [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) |
+|  | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) |
+|  | [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) |
+|  | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) |
+|  | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)or Deploy Windows 10 updates using Windows Server Update Services (this topic)or [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) |
+
+
+
+## Related topics
+
+- [Update Windows 10 in the enterprise](index.md)
+- [Overview of Windows as a service](waas-overview.md)
+- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
+- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
+- [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md)
+- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
+- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
+- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
+- [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
+- [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)
+- [Configure Windows Update for Business](waas-configure-wufb.md)
+- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
+- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
+- [Walkthrough: use Intune to configure Windows Update for Business](https://docs.microsoft.com/intune/windows-update-for-business-configure)
+- [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
+- [Manage device restarts after updates](waas-restart.md)
diff --git a/windows/deployment/update/waas-manage-updates-wufb.md b/windows/deployment/update/waas-manage-updates-wufb.md
index 60a512e49c..b80b9132c8 100644
--- a/windows/deployment/update/waas-manage-updates-wufb.md
+++ b/windows/deployment/update/waas-manage-updates-wufb.md
@@ -126,7 +126,7 @@ For more information about Update Compliance, see [Monitor Windows Updates using
- [Configure Windows Update for Business](waas-configure-wufb.md)
- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
-- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
+- [Walkthrough: use Intune to configure Windows Update for Business](https://docs.microsoft.com/intune/windows-update-for-business-configure)
- [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
- [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
- [Manage device restarts after updates](waas-restart.md)
diff --git a/windows/deployment/update/waas-mobile-updates.md b/windows/deployment/update/waas-mobile-updates.md
index a968d2c48c..73652f10a9 100644
--- a/windows/deployment/update/waas-mobile-updates.md
+++ b/windows/deployment/update/waas-mobile-updates.md
@@ -1,94 +1,78 @@
----
-title: Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile (Windows 10)
-description: tbd
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.localizationpriority: medium
-ms.author: greglin
-ms.date: 07/27/2017
-ms.reviewer:
-manager: laurawi
-ms.topic: article
----
-
-# Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile
-
-
-**Applies to**
-
-- Windows 10 Mobile
-- [Windows 10 IoT Mobile](https://www.microsoft.com/en-us/WindowsForBusiness/windows-iot)
-
-> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
-
->[!TIP]
->If you're not familiar with the Windows 10 servicing or release channels, read [Servicing channels](waas-overview.md#servicing-channels) first.
-
-Devices running Windows 10 Mobile and Windows 10 IoT Mobile receive updates from the Semi-annual channel unless you [enroll the device in the Windows Insider Program](waas-servicing-channels-windows-10-updates.md#enroll-devices-in-the-windows-insider-program) or assign the device to Current Branch for Business (CBB). Only devices running Windows 10 Mobile Enterprise or Windows 10 IoT Mobile can be assigned to CBB.
-
-[Learn how to upgrade Windows 10 Mobile to Windows 10 Mobile Enterprise](https://technet.microsoft.com/itpro/windows/deploy/windows-10-edition-upgrades)
-
-
-
->[!IMPORTANT]
->Due to [naming changes](waas-overview.md#naming-changes), older terms like CB,CBB and LTSB may still be displayed in some of our products.
->
->In the following settings CB refers to Semi-Annual Channel (Targeted), while CBB refers to Semi-Annual Channel.
-
-| Windows 10 edition | CB | CBB | Insider Program |
-| --- | --- | --- | --- | --- |
-| Mobile |  |  |  |
-| Mobile Enterprise |  |  |  |
-| IoT Mobile |  |  |  |
-
-
-
-Configuration of Windows 10 Mobile and Windows 10 IoT Mobile devices is limited to the feature set pertaining to Quality Updates only. That is, Windows Mobile Feature Updates are categorized the same as Quality Updates, and can only be deferred by setting the Quality Update deferral period, for a maximum period of 30 days. You can use mobile device management (MDM) to manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile. Updates cannot be managed for Windows 10 Mobile.
-
-## Windows 10, version 1511
-
-Only the following Windows Update for Business policies are supported for Windows 10 Mobile and Windows 10 IoT Mobile:
-
-- ../Vendor/MSFT/Policy/Config/Update/RequireDeferredUpgrade
-- ../Vendor/MSFT/Policy/Config/Update/DeferUpdatePeriod
-- ../Vendor/MSFT/Policy/Config/Update/PauseDeferrals
-
-To defer the update period or pause deferrals, the device must be configured for CBB servicing branch by applying the **RequireDeferredUpgrade** policy.
-
-## Windows 10, version 1607
-
-Only the following Windows Update for Business policies are supported for Windows 10 Mobile and Windows 10 IoT Mobile:
-
-- ../Vendor/MSFT/Policy/Config/Update/BranchReadinessLevel
-- ../Vendor/MSFT/Policy/Config/Update/DeferQualityUpdatesInDays
-- ../Vendor/MSFT/Policy/Config/Update/PauseQualityUpdates
-
-In version 1607, you can defer and pause updates for devices on both the CB and CBB servicing branches.
-
-If a device running Windows 10 Mobile Enterprise or Windows 10 IoT Mobile, version 1511, has Windows Update for Business policies applied and is then updated to version 1607, version 1511 policies continue to apply until version 1607 policies are applied.
-
-
-
-## Related topics
-
-- [Update Windows 10 in the enterprise](index.md)
-- [Overview of Windows as a service](waas-overview.md)
-- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
-- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
-- [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md)
-- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
-- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
-- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
-- [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)
-- [Configure Windows Update for Business](waas-configure-wufb.md)
-- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
-- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
-- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
-- [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
-- [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
-- [Manage device restarts after updates](waas-restart.md)
-
-
-
+---
+title: Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile (Windows 10)
+description: tbd
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: jaimeo
+ms.localizationpriority: medium
+ms.author: jaimeo
+ms.reviewer:
+manager: laurawi
+ms.topic: article
+---
+
+# Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile
+
+
+**Applies to**
+
+- Windows 10 Mobile
+- [Windows 10 IoT Mobile](https://www.microsoft.com/WindowsForBusiness/windows-iot)
+
+> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
+
+>[!TIP]
+>If you're not familiar with the Windows 10 servicing or release channels, read [Servicing channels](waas-overview.md#servicing-channels) first.
+
+Devices running Windows 10 Mobile and Windows 10 IoT Mobile receive updates from the Semi-annual Channel unless you [enroll the device in the Windows Insider Program](waas-servicing-channels-windows-10-updates.md#enroll-devices-in-the-windows-insider-program).
+
+[Learn how to upgrade Windows 10 Mobile to Windows 10 Mobile Enterprise](https://technet.microsoft.com/itpro/windows/deploy/windows-10-edition-upgrades)
+
+
+
+| Windows 10 edition | Semi-annual Channel | Insider Program |
+| --- | --- | --- | --- |
+| Mobile |  |  |
+| Mobile Enterprise |  |  |
+| IoT Mobile |  |  |
+
+
+
+Configuration of Windows 10 Mobile and Windows 10 IoT Mobile devices is limited to the feature set pertaining to quality updates only. That is, Windows Mobile feature updates are categorized the same as quality updates, and can only be deferred by setting the quality update deferral period, for a maximum period of 30 days. You can use mobile device management (MDM) to manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile. Updates cannot be managed for Windows 10 Mobile.
+
+
+## Windows 10, version 1607
+
+Only the following Windows Update for Business policies are supported for Windows 10 Mobile and Windows 10 IoT Mobile:
+
+- ../Vendor/MSFT/Policy/Config/Update/BranchReadinessLevel
+- ../Vendor/MSFT/Policy/Config/Update/DeferQualityUpdatesInDays
+- ../Vendor/MSFT/Policy/Config/Update/PauseQualityUpdates
+
+
+
+
+
+
+## Related topics
+
+- [Update Windows 10 in the enterprise](index.md)
+- [Overview of Windows as a service](waas-overview.md)
+- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
+- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
+- [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md)
+- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
+- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
+- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
+- [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)
+- [Configure Windows Update for Business](waas-configure-wufb.md)
+- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
+- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
+- [Walkthrough: use Intune to configure Windows Update for Business](https://docs.microsoft.com/intune/windows-update-for-business-configure)
+- [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
+- [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
+- [Manage device restarts after updates](waas-restart.md)
+
+
+
diff --git a/windows/deployment/update/waas-morenews.md b/windows/deployment/update/waas-morenews.md
index b1122abef6..bf740f50c0 100644
--- a/windows/deployment/update/waas-morenews.md
+++ b/windows/deployment/update/waas-morenews.md
@@ -37,7 +37,7 @@ Here's more news about [Windows as a service](windows-as-a-service.md):
Content Metadata source Payload source Deferred?
+ Updates to Windows (excluding drivers) Microsoft Update Microsoft Update Yes Updates to Office and other products Microsoft Update Microsoft Update No Drivers, third-party applications WSUS WSUS No
There is no equivalent MDM policy setting for Windows 10 Mobile. |
-| Re-prompt for restart with scheduled installations |  | |
-| Delay Restart for scheduled installations |  | |
-| Reschedule Automatic Updates scheduled installations |  | |
-
->[!NOTE]
->You can only choose one path for restart behavior.
->If you set conflicting restart policies, the actual restart behavior may not be what you expected.
->When using RDP, only active RDP sessions are considered as logged on users.
-
-
-## Registry keys used to manage restart
-The following tables list registry values that correspond to the Group Policy settings for controlling restarts after updates in Windows 10.
-
-**HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate**
-
-| Registry key | Key type | Value |
-| --- | --- | --- |
-| ActiveHoursEnd | REG_DWORD | 0-23: set active hours to end at a specific hourstarts with 12 AM (0) and ends with 11 PM (23) |
-| ActiveHoursStart | REG_DWORD | 0-23: set active hours to start at a specific hourstarts with 12 AM (0) and ends with 11 PM (23) |
-| SetActiveHours | REG_DWORD | 0: disable automatic restart after updates outside of active hours1: enable automatic restart after updates outside of active hours |
-
-**HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU**
-
-| Registry key | Key type | Value |
-| --- | --- | --- |
-| AlwaysAutoRebootAtScheduledTime | REG_DWORD | 0: disable automatic reboot after update installation at scheduled time1: enable automatic reboot after update installation at ascheduled time |
-| AlwaysAutoRebootAtScheduledTimeMinutes | REG_DWORD | 15-180: set automatic reboot to occur after given minutes |
-| AUOptions | REG_DWORD | 2: notify for download and notify for installation of updates3: automatically download and notify for installation of updates4: Automatically download and schedule installation of updates5: allow the local admin to configure these settings**Note:** To configure restart behavior, set this value to **4** |
-| NoAutoRebootWithLoggedOnUsers | REG_DWORD | 0: disable do not reboot if users are logged on1: do not reboot after an update installation if a user is logged on**Note:** If disabled : Automatic Updates will notify the user that the computer will automatically restart in 5 minutes to complete the installation |
-| ScheduledInstallTime | REG_DWORD | 0-23: schedule update installation time to a specific hourstarts with 12 AM (0) and ends with 11 PM (23) |
-
-There are 3 different registry combinations for controlling restart behavior:
-
-- To set active hours, **SetActiveHours** should be **1**, while **ActiveHoursStart** and **ActiveHoursEnd** should define the time range.
-- To schedule a specific installation and reboot time, **AUOptions** should be **4**, **ScheduledInstallTime** should specify the installation time, **AlwaysAutoRebootAtScheduledTime** set to **1** and **AlwaysAutoRebootAtScheduledTimeMinutes** should specify number of minutes to wait before rebooting.
-- To delay rebooting if a user is logged on, **AUOptions** should be **4**, while **NoAutoRebootWithLoggedOnUsers** is set to **1**.
-
-## Related topics
-
-- [Update Windows 10 in the enterprise](index.md)
-- [Overview of Windows as a service](waas-overview.md)
-- [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
-- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
-- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
-- [Configure Windows Update for Business](waas-configure-wufb.md)
-- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
-- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
-- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
+---
+title: Manage device restarts after updates (Windows 10)
+description: tbd
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: jaimeo
+ms.localizationpriority: medium
+ms.author: jaimeo
+ms.reviewer:
+manager: laurawi
+ms.topic: article
+---
+
+# Manage device restarts after updates
+
+
+**Applies to**
+
+- Windows 10
+
+
+> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
+
+You can use Group Policy settings, mobile device management (MDM) or Registry (not recommended) to configure when devices will restart after a Windows 10 update is installed. You can schedule update installation and set policies for restart, configure active hours for when restarts will not occur, or you can do both.
+
+## Schedule update installation
+
+In Group Policy, within **Configure Automatic Updates**, you can configure a forced restart after a specified installation time.
+
+To set the time, you need to go to **Configure Automatic Updates**, select option **4 - Auto download and schedule the install**, and then enter a time in the **Scheduled install time** dropdown. Alternatively, you can specify that installation will occur during the automatic maintenance time (configured using **Computer Configuration\Administrative Templates\Windows Components\Maintenance Scheduler**).
+
+**Always automatically restart at the scheduled time** forces a restart after the specified installation time and lets you configure a timer to warn a signed-in user that a restart is going to occur.
+
+While not recommended, the same result can be achieved through Registry. Under **HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU**, set **AuOptions** to **4**, set the install time with **ScheduledInstallTime**, enable **AlwaysAutoRebootAtScheduledTime** and specify the delay in minutes through **AlwaysAutoRebootAtScheduledTimeMinutes**. Similar to Group Policy, **AlwaysAutoRebootAtScheduledTimeMinutes** sets the timer to warn a signed-in user that a restart is going to occur.
+
+For a detailed description of these registry keys, see [Registry keys used to manage restart](#registry-keys-used-to-manage-restart).
+
+## Delay automatic reboot
+
+When **Configure Automatic Updates** is enabled in Group Policy, you can enable one of the following additional policies to delay an automatic reboot after update installation:
+
+- **Turn off auto-restart for updates during active hours** prevents automatic restart during active hours.
+- **No auto-restart with logged on users for scheduled automatic updates installations** prevents automatic restart when a user is signed in. If a user schedules the restart in the update notification, the device will restart at the time the user specifies even if a user is signed in at the time. This policy only applies when **Configure Automatic Updates** is set to option **4-Auto download and schedule the install**.
+
+> [!NOTE]
+> When using Remote Desktop Protocol connections, only active RDP sessions are considered as logged on users. Devices that do not have locally logged on users, or active RDP sessions, will be restarted.
+
+You can also use Registry, to prevent automatic restarts when a user is signed in. Under **HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU**, set **AuOptions** to **4** and enable **NoAutoRebootWithLoggedOnUsers**. As with Group Policy, if a user schedules the restart in the update notification, it will override this setting.
+
+For a detailed description of these registry keys, see [Registry keys used to manage restart](#registry-keys-used-to-manage-restart).
+
+## Configure active hours
+
+*Active hours* identify the period of time when you expect the device to be in use. Automatic restarts after an update will occur outside of the active hours.
+
+By default, active hours are from 8 AM to 5 PM on PCs and from 5 AM to 11 PM on phones. Users can change the active hours manually.
+
+Starting with Windows 10, version 1703, you can also specify the max active hours range. The specified range will be counted from the active hours start time.
+
+Administrators can use multiple ways to set active hours for managed devices:
+
+- You can use Group Policy, as described in the procedure that follows.
+- You can use MDM, as described in [Configuring active hours with MDM](#configuring-active-hours-with-mdm).
+- While not recommended, you can also configure active hours, as described in [Configuring active hours through Registry](#configuring-active-hours-through-registry).
+
+### Configuring active hours with Group Policy
+
+To configure active hours using Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update** and open the **Turn off auto-restart for updates during active hours** policy setting. When the policy is enabled, you can set the start and end times for active hours.
+
+
+
+### Configuring active hours with MDM
+
+MDM uses the [Update/ActiveHoursStart and Update/ActiveHoursEnd](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_ActiveHoursEnd) and [Update/ActiveHoursMaxRange](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-activehoursmaxrange) settings in the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) to configure active hours.
+
+### Configuring active hours through Registry
+
+This method is not recommended, and should only be used when neither Group Policy or MDM are available.
+Any settings configured through Registry may conflict with any existing configuration that uses any of the methods mentioned above.
+
+You should set a combination of the following registry values, in order to configure active hours.
+Under **HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate** use **SetActiveHours** to enable or disable active hours and **ActiveHoursStart**,**ActiveHoursEnd** to specify the range of active hours.
+
+For a detailed description of these registry keys, see [Registry keys used to manage restart](#registry-keys-used-to-manage-restart).
+
+>[!NOTE]
+>To configure active hours manually on a single device, go to **Settings** > **Update & security** > **Windows Update** and select **Change active hours**.
+>
+>
+
+### Configuring active hours max range
+
+With Windows 10, version 1703, administrators can specify the max active hours range users can set. This option gives you additional flexibility to leave some of the decision for active hours on the user's side, while making sure you allow enough time for updating. The max range is calculated from active hours start time.
+
+To configure active hours max range through Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update** and open the **Specify active hours range for auto-restarts**.
+
+To configure active hours max range through MDM, use [**Update/ActiveHoursMaxRange**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider?UpdatePolicies#update-activehoursmaxrange).
+
+## Limit restart delays
+
+After an update is installed, Windows 10 attempts automatic restart outside of active hours. If the restart does not succeed after 7 days (by default), the user will see a notification that restart is required. You can use the **Specify deadline before auto-restart for update installation** policy to change the delay from 7 days to a number of days between 2 and 14.
+
+## Control restart notifications
+
+In Windows 10, version 1703, we have added settings to control restart notifications for users.
+
+### Auto-restart notifications
+
+Administrators can override the default behavior for the auto-restart required notification. By default, this notification will dismiss automatically.
+
+To configure this behavior through Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update** and select **Configure auto-restart required notification for updates**. When configured to **2 - User Action**, a user that gets this notification must manually dismiss it.
+
+To configure this behavior through MDM, use [**Update/AutoRestartRequiredNotificationDismissal**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider?UpdatePolicies#update-AutoRestartRequiredNotificationDismissal)
+
+You can also configure the period prior to an update that this notification will show up on. The default value is 15 minutes.
+
+To change it through Group Policy, select **Configure auto-restart-reminder notifications for updates** under **Computer Configuration\Administrative Templates\Windows Components\Windows Update** and select the period in minutes.
+
+To change it through MDM, use [**Update/AutoRestartNotificationSchedule**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider?UpdatePolicies#update-AutoRestartNotificationSchedule).
+
+
+In some cases, you don't need a notification to show up.
+
+To do so through Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update** and select **Turn off auto-restart notifications for update installations**.
+
+To do so through MDM, use [**Update/SetAutoRestartNotificationDisable**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider?UpdatePolicies#update-setautorestartnotificationdisable).
+
+### Scheduled auto-restart warnings
+
+Since users are not able to postpone a scheduled restart once the deadline has been reached, you can configure a warning reminder prior to the scheduled restart. You can also configure a warning prior to the restart, to notify users once the restart is imminent and allow them to save their work.
+
+To configure both through Group Policy, find **Configure auto-restart warning notifications schedule for updates** under **Computer Configuration\Administrative Templates\Windows Components\Windows Update**. The warning reminder can be configured by **Reminder (hours)** and the warning prior to an imminent auto-restart can be configured by **Warning (mins)**.
+
+In MDM, the warning reminder is configured using [**Update/ScheduleRestartWarning**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider?UpdatePolicies#update-ScheduleRestartWarning) and the auto-restart imminent warning is configured using [**Update/ScheduleImminentRestartWarning**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider?UpdatePolicies#update-ScheduleImminentRestartWarning).
+
+### Engaged restart
+
+Engaged restart is the period of time when users are required to schedule a restart. Initially, Windows will auto-restart outside of working hours. Once the set period ends (7 days by default), Windows transitions to user scheduled restarts.
+
+The following settings can be adjusted for engaged restart:
+* Period of time before auto-restart transitions to engaged restart.
+* The number of days that users can snooze engaged restart reminder notifications.
+* The number of days before a pending restart automatically executes outside of working hours.
+
+In Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update** and pick **Specify Engaged restart transition and notification schedule for updates**.
+
+In MDM, use [**Update/EngagedRestartTransitionSchedule**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider?UpdatePolicies#update-EngagedRestartTransitionSchedule), [**Update/EngagedRestartSnoozeSchedule**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider?UpdatePolicies#update-EngagedRestartSnoozeSchedule) and [**Update/EngagedRestartDeadline**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider?UpdatePolicies#update-EngagedRestartDeadline) respectively.
+
+## Group Policy settings for restart
+
+In the Group Policy editor, you will see a number of policy settings that pertain to restart behavior in **Computer Configuration\Administrative Templates\Windows Components\Windows Update**. The following table shows which policies apply to Windows 10.
+
+| Policy | Applies to Windows 10 | Notes |
+| --- | --- | --- |
+| Turn off auto-restart for updates during active hours |  | Use this policy to configure active hours, during which the device will not be restarted. This policy has no effect if the **No auto-restart with logged on users for scheduled automatic updates installations** or **Always automatically restart at the scheduled time** policies are enabled. |
+| Always automatically restart at the scheduled time |  | Use this policy to configure a restart timer (between 15 and 180 minutes) that will start immediately after Windows Update installs important updates. This policy has no effect if the **No auto-restart with logged on users for scheduled automatic updates installations** policy is enabled. |
+| Specify deadline before auto-restart for update installation |  | Use this policy to specify how many days (between 2 and 14) an automatic restart can be delayed. This policy has no effect if the **No auto-restart with logged on users for scheduled automatic updates installations** or **Always automatically restart at the scheduled time** policies are enabled. |
+| No auto-restart with logged on users for scheduled automatic updates installations |  | Use this policy to prevent automatic restart when a user is logged on. This policy applies only when the **Configure Automatic Updates** policy is configured to perform scheduled installations of updates.
There is no equivalent MDM policy setting for Windows 10 Mobile. |
+| Re-prompt for restart with scheduled installations |  | |
+| Delay Restart for scheduled installations |  | |
+| Reschedule Automatic Updates scheduled installations |  | |
+
+>[!NOTE]
+>You can only choose one path for restart behavior.
+>If you set conflicting restart policies, the actual restart behavior may not be what you expected.
+>When using RDP, only active RDP sessions are considered as logged on users.
+
+
+## Registry keys used to manage restart
+The following tables list registry values that correspond to the Group Policy settings for controlling restarts after updates in Windows 10.
+
+**HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate**
+
+| Registry key | Key type | Value |
+| --- | --- | --- |
+| ActiveHoursEnd | REG_DWORD | 0-23: set active hours to end at a specific hourstarts with 12 AM (0) and ends with 11 PM (23) |
+| ActiveHoursStart | REG_DWORD | 0-23: set active hours to start at a specific hourstarts with 12 AM (0) and ends with 11 PM (23) |
+| SetActiveHours | REG_DWORD | 0: disable automatic restart after updates outside of active hours1: enable automatic restart after updates outside of active hours |
+
+**HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU**
+
+| Registry key | Key type | Value |
+| --- | --- | --- |
+| AlwaysAutoRebootAtScheduledTime | REG_DWORD | 0: disable automatic reboot after update installation at scheduled time1: enable automatic reboot after update installation at ascheduled time |
+| AlwaysAutoRebootAtScheduledTimeMinutes | REG_DWORD | 15-180: set automatic reboot to occur after given minutes |
+| AUOptions | REG_DWORD | 2: notify for download and notify for installation of updates3: automatically download and notify for installation of updates4: Automatically download and schedule installation of updates5: allow the local admin to configure these settings**Note:** To configure restart behavior, set this value to **4** |
+| NoAutoRebootWithLoggedOnUsers | REG_DWORD | 0: disable do not reboot if users are logged on1: do not reboot after an update installation if a user is logged on**Note:** If disabled : Automatic Updates will notify the user that the computer will automatically restart in 5 minutes to complete the installation |
+| ScheduledInstallTime | REG_DWORD | 0-23: schedule update installation time to a specific hourstarts with 12 AM (0) and ends with 11 PM (23) |
+
+There are 3 different registry combinations for controlling restart behavior:
+
+- To set active hours, **SetActiveHours** should be **1**, while **ActiveHoursStart** and **ActiveHoursEnd** should define the time range.
+- To schedule a specific installation and reboot time, **AUOptions** should be **4**, **ScheduledInstallTime** should specify the installation time, **AlwaysAutoRebootAtScheduledTime** set to **1** and **AlwaysAutoRebootAtScheduledTimeMinutes** should specify number of minutes to wait before rebooting.
+- To delay rebooting if a user is logged on, **AUOptions** should be **4**, while **NoAutoRebootWithLoggedOnUsers** is set to **1**.
+
+## Related topics
+
+- [Update Windows 10 in the enterprise](index.md)
+- [Overview of Windows as a service](waas-overview.md)
+- [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
+- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
+- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
+- [Configure Windows Update for Business](waas-configure-wufb.md)
+- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
+- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
+- [Walkthrough: use Intune to configure Windows Update for Business](https://docs.microsoft.com/intune/windows-update-for-business-configure)
diff --git a/windows/deployment/update/waas-servicing-channels-windows-10-updates.md b/windows/deployment/update/waas-servicing-channels-windows-10-updates.md
index d58eb30284..2375cfd6b8 100644
--- a/windows/deployment/update/waas-servicing-channels-windows-10-updates.md
+++ b/windows/deployment/update/waas-servicing-channels-windows-10-updates.md
@@ -1,228 +1,193 @@
----
-title: Assign devices to servicing channels for Windows 10 updates (Windows 10)
-description: tbd
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.localizationpriority: medium
-ms.audience: itpro
author: greg-lindsay
-ms.date: 10/13/2017
-ms.reviewer:
-manager: laurawi
-ms.topic: article
----
-
-# Assign devices to servicing channels for Windows 10 updates
-
-
-**Applies to**
-
-- Windows 10
-- Windows 10 Mobile
-
-> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
-
->[!TIP]
->If you're not familiar with the Windows 10 servicing or release channels, read [Servicing Channels](waas-overview.md#servicing-channels) first.
->
->Due to [naming changes](waas-overview.md#naming-changes), older terms like CB, CBB and LTSB may still be displayed in some of our products.
-
-Semi-Annual Channel is the default servicing channel for all Windows 10 devices except those with the LTSB edition installed. The following table shows the servicing channels available to each Windows 10 edition.
-
-| Windows 10 edition | Semi-Annual Channel (Targeted) | Semi-Annual Channel | Long-Term Servicing Channel | Insider Program |
-| --- | --- | --- | --- | --- |
-| Home |  |  |  |  |
-| Pro |  |  |  |  |
-| Enterprise |  |  |  |  |
-| Enterprise LTSB |  |  |  |  |
-| Pro Education |  |  |  |  |
-| Education |  |  |  |  |
-| Mobile |  |  |  |  |
-| Mobile Enterprise |  |  |  |  |
-
-
-
->[!NOTE]
->The LTSB edition of Windows 10 is only available through the [Microsoft Volume Licensing Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx).
-
->[!NOTE]
->Semi-Annual Channel (Targeted) should be used only by the customers that are using [Windows Update for Business](https://docs.microsoft.com/windows/deployment/update/waas-manage-updates-wufb). For those who don't use Windows Update for Business, Semi-Annual Channel (Targeted) would be the same as Semi-Annual Channel.
-
-## Assign devices to Semi-Annual Channel
-
->[!IMPORTANT]
->Due to [naming changes](waas-overview.md#naming-changes), older terms like CB, CBB and LTSB may still be displayed in some of our products.
->
->In the following settings CB refers to Semi-Annual Channel (Targeted), while CBB refers to Semi-Annual Channel.
-
-**To assign a single PC locally to CBB**
-
-1. Go to **Settings** > **Update & security** > **Windows Update** > **Advanced options**.
-2. Select **Defer feature updates**.
-
-**To assign PCs to CBB using Group Policy**
-
-- In Windows 10, version 1511:
-
- Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates**
-
-- In Windows 10, version 1607:
-
- Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Feature Updates are received** - enable policy and set branch readiness level to CBB
-
-**To assign PCs to CBB using MDM**
-
-- In Windows 10, version 1511:
-
- ../Vendor/MSFT/Policy/Config/Update/**RequireDeferUpgrade**
-
-- In Windows 10, version 1607:
-
- ../Vendor/MSFT/Policy/Config/Update/**BranchReadinessLevel**
-
-**To assign Windows 10 Mobile Enterprise to CBB using MDM**
-
-- In Windows 10 Mobile Enterprise, version 1511:
-
- ../Vendor/MSFT/Policy/Config/Update/RequireDeferUpgrade
-
-- In Windows 10 Mobile Enterprise, version 1607:
-
- ../Vendor/MSFT/Policy/Config/Update/BranchReadinessLevel
-
-## Enroll devices in the Windows Insider Program
-
-To get started with the Windows Insider Program for Business, you will need to follow a few simple steps:
-
-1. On the [Windows Insider](https://insider.windows.com) website, go to **For Business > Getting Started** to [register your organizational Azure AD account](https://insider.windows.com/en-us/insidersigninaad/).
-2. **Register your domain**. Rather than have each user register individually for Insider Preview builds, administrators can simply [register their domain](https://insider.windows.com/en-us/for-business-organization-admin/) and control settings centrally.**Note:** The signed-in user needs to be a **Global Administrator** of the Azure AD domain in order to be able to register the domain.
-3. Make sure the **Allow Telemetry** setting is set to **2** or higher.
-4. Starting with Windows 10, version 1709, set policies to manage preview builds and their delivery:
-
-The **Manage preview builds** setting gives administrators control over enabling or disabling preview build installation on a device. You can also decide to stop preview builds once the release is public.
-* Group Policy: **Computer Configuration/Administrative Templates/Windows Components/Windows Update/Windows Update for Business** - *Manage preview builds*
-* MDM: **Update/ManagePreviewBuilds**
-
-The **Branch Readiness Level** settings allows you to choose between preview flight rings, and allows you to defer or pause the delivery of updates.
-* Group Policy: **Computer Configuration/Administrative Templates/Windows Components/Windows Update/ Windows Update for Business** - *Select when Preview Builds and Feature Updates are received*
-* MDM: **Update/BranchReadinessLevel**
-
-For more information, see [Windows Insider Program for Business](waas-windows-insider-for-business.md)
-
-## Block access to Windows Insider Program
-
-To prevent devices in your enterprise from being enrolled in the Insider Program for early releases of Windows 10:
-
-- Group Policy: Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds\\**Toggle user control over Insider builds**
-- MDM: Policy CSP - [System/AllowBuildPreview](https://msdn.microsoft.com/library/windows/hardware/dn904962%28v=vs.85%29.aspx#System_AllowBuildPreview)
-
->[!IMPORTANT]
->Starting with Windows 10, version 1709, this policy is replaced by **Manage preview builds** policy.
-> * Group Policy: **Computer Configuration/Administrative Templates/Windows Components/Windows Update/Windows Update for Business** - *Manage preview builds*
-> * MDM: **Update/ManagePreviewBuilds**
-
-
-## Switching channels
-
-During the life of a device, it may be necessary or desirable to switch between the available channels. Depending on the channel you are using, the exact mechanism for doing this can be different; some will be simple, others more involved.
-
-
-
-
-## Block user access to Windows Update settings
-
-In Windows 10, administrators can control user access to Windows Update.
-By enabling the Group Policy setting under **Computer Configuration\Administrative Templates\Windows Components\Windows update\Remove access to use all Windows update features**, administrators can disable the "Check for updates" option for users. Any background update scans, downloads and installations will continue to work as configured.
-
->[!NOTE]
-> In Windows 10, any Group Policy user configuration settings for Windows Update were deprecated and are no longer supported on this platform.
-
-## Steps to manage updates for Windows 10
-
-| | |
-| --- | --- |
-|  | [Learn about updates and servicing channels](waas-overview.md) |
-|  | [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) |
-|  | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) |
-|  | Assign devices to servicing channels for Windows 10 updates (this topic) |
-|  | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) |
-|  | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)or [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) |
-
-## Related topics
-
-- [Update Windows 10 in the enterprise](index.md)
-- [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
-- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
-- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
-- [Configure Windows Update for Business](waas-configure-wufb.md)
-- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
-- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
-- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
-- [Manage device restarts after updates](waas-restart.md)
+---
+title: Assign devices to servicing channels for Windows 10 updates (Windows 10)
+description: tbd
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: jaimeo
+ms.localizationpriority: medium
+ms.author: jaimeo
+ms.reviewer:
+manager: laurawi
+ms.topic: article
+---
+
+# Assign devices to servicing channels for Windows 10 updates
+
+
+**Applies to**
+
+- Windows 10
+
+
+> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
+
+>[!TIP]
+>If you're not familiar with the Windows 10 servicing or release channels, read [Servicing Channels](waas-overview.md#servicing-channels) first.
+>
+>Due to [naming changes](waas-overview.md#naming-changes), older terms like CB and CBB might still be displayed in some of our products, such as in Group Policy. If you encounter these terms, "CB" refers to the Semi-Annual Channel (Targeted)--which is no longer used--while "CBB" refers to the Semi-Annual Channel.
+
+The Semi-Annual Channel is the default servicing channel for all Windows 10 devices except those with the LTSB edition installed. The following table shows the servicing channels available to each Windows 10 edition.
+
+| Windows 10 edition | Semi-Annual Channel | Long-Term Servicing Channel | Insider Program |
+| --- | --- | --- | --- |
+| Home |  |  |  |
+| Pro |  |  |  |
+| Enterprise |  |  |  |
+| Enterprise LTSB |  |  |  |
+| Pro Education |  |  |  |
+| Education |  |  |  |
+| Mobile |  |  |  |
+| Mobile Enterprise |  |  |  |
+
+
+
+>[!NOTE]
+>The LTSB edition of Windows 10 is only available through the [Microsoft Volume Licensing Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx).
+
+
+
+## Assign devices to Semi-Annual Channel
+
+>[!IMPORTANT]
+>Due to [naming changes](waas-overview.md#naming-changes), older terms like CB and CBB might still be displayed in some of our products, such as in Group Policy. If you encounter these terms, "CB" refers to the Semi-Annual Channel (Targeted)--which is no longer used--while "CBB" refers to the Semi-Annual Channel.
+
+**To assign a single devices locally to the Semi-Annual Channel**
+
+1. Go to **Settings** > **Update & security** > **Windows Update** > **Advanced options**.
+2. Select **Defer feature updates**.
+
+**To assign devicess to the Semi-Annual Channel by using Group Policy**
+
+
+- In Windows 10, version 1607 and later releases:
+
+ Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Feature Updates are received** - enable policy and set branch readiness level to the Semi-Annual Channel
+
+**To assign devicess to to the Semi-Annual Channel by using MDM**
+
+
+- In Windows 10, version 1607 and later releases:
+
+ ../Vendor/MSFT/Policy/Config/Update/**BranchReadinessLevel**
+
+**To assign Windows 10 Mobile Enterprise devices to the Semi-Annual Channel by using MDM**
+
+
+- In Windows 10 Mobile Enterprise, version 1607 and later releases:
+
+ ../Vendor/MSFT/Policy/Config/Update/BranchReadinessLevel
+
+## Enroll devices in the Windows Insider Program
+
+To get started with the Windows Insider Program for Business, you will need to follow a few simple steps:
+
+1. On the [Windows Insider](https://insider.windows.com) website, go to **For Business > Getting Started** to [register your organizational Azure AD account](https://insider.windows.com/en-us/insidersigninaad/).
+2. **Register your domain**. Rather than have each user register individually for Insider Preview builds, administrators can simply [register their domain](https://insider.windows.com/en-us/for-business-organization-admin/) and control settings centrally.**Note:** The signed-in user needs to be a **Global Administrator** of the Azure AD domain in order to be able to register the domain.
+3. Make sure the **Allow Telemetry** setting is set to **2** or higher.
+4. Starting with Windows 10, version 1709, set policies to manage preview builds and their delivery:
+
+The **Manage preview builds** setting gives administrators control over enabling or disabling preview build installation on a device. You can also decide to stop preview builds once the release is public.
+* Group Policy: **Computer Configuration/Administrative Templates/Windows Components/Windows Update/Windows Update for Business** - *Manage preview builds*
+* MDM: **Update/ManagePreviewBuilds**
+
+The **Branch Readiness Level** settings allows you to choose between preview flight rings, and allows you to defer or pause the delivery of updates.
+* Group Policy: **Computer Configuration/Administrative Templates/Windows Components/Windows Update/ Windows Update for Business** - *Select when Preview Builds and Feature Updates are received*
+* MDM: **Update/BranchReadinessLevel**
+
+For more information, see [Windows Insider Program for Business](waas-windows-insider-for-business.md)
+
+## Block access to Windows Insider Program
+
+To prevent devices in your enterprise from being enrolled in the Insider Program for early releases of Windows 10:
+
+- Group Policy: Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds\\**Toggle user control over Insider builds**
+- MDM: Policy CSP - [System/AllowBuildPreview](https://msdn.microsoft.com/library/windows/hardware/dn904962%28v=vs.85%29.aspx#System_AllowBuildPreview)
+
+>[!IMPORTANT]
+>Starting with Windows 10, version 1709, this policy is replaced by **Manage preview builds** policy.
+> * Group Policy: **Computer Configuration/Administrative Templates/Windows Components/Windows Update/Windows Update for Business** - *Manage preview builds*
+> * MDM: **Update/ManagePreviewBuilds**
+
+
+## Switching channels
+
+During the life of a device, it might be necessary or desirable to switch between the available channels. Depending on the channel you are using, the exact mechanism for doing this can be different; some will be simple, others more involved.
+
+
-
-
-
-From this channel
-To this channel
-You need to
-
-
-Windows Insider Program
-Semi-Annual Channel (Targeted)
-Wait for the final Semi-Annual Channel release.
-
-
-Semi-Annual Channel
-Not directly possible, because Windows Insider Program devices are automatically upgraded to the Semi-Annual Channel (Targeted) release at the end of the development cycle.
-
-
-Long-Term Servicing Channel
-Not directly possible (requires wipe-and-load).
-
-
-Semi-Annual Channel (Targeted)
-Insider
-Use the Settings app to enroll the device in the Windows Insider Program.
-
-
-Semi-Annual Channel
-Select the Defer upgrade setting, or move the PC to a target group or flight that will not receive the next upgrade until it is business ready. Note that this change will not have any immediate impact; it only prevents the installation of the next Semi-Annual Channel release.
-
-
-Long-Term Servicing Channel
-Not directly possible (requires wipe-and-load).
-
-
-Semi-Annual Channel
-Insider
-Use the Settings app to enroll the device in the Windows Insider Program.
-
-
-Semi-Annual Channel (Targeted)
-Disable the Defer upgrade setting, or move the device to a target group or flight that will receive the latest Current Semi-Annual Channel release.
-
-
-Long-Term Servicing Channel
-Not directly possible (requires wipe-and-load).
-
-
-Long-Term Servicing Channel
-Insider
-Use media to upgrade to the latest Windows Insider Program build.
-
-
-Semi-Annual Channel (Targeted)
-Use media to upgrade. Note that the Semi-Annual Channel build must be a later build.
-
-
-
-Semi-Annual Channel
-Use media to upgrade. Note that the Semi-Annual Channel build must be a later build.
-
+
+
+## Block user access to Windows Update settings
+
+In Windows 10, administrators can control user access to Windows Update.
+By enabling the Group Policy setting under **Computer Configuration\Administrative Templates\Windows Components\Windows update\Remove access to use all Windows update features**, administrators can disable the "Check for updates" option for users. Any background update scans, downloads and installations will continue to work as configured.
+
+>[!NOTE]
+> In Windows 10, any Group Policy user configuration settings for Windows Update were deprecated and are no longer supported on this platform.
+
+## Steps to manage updates for Windows 10
+
+| | |
+| --- | --- |
+|  | [Learn about updates and servicing channels](waas-overview.md) |
+|  | [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) |
+|  | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) |
+|  | Assign devices to servicing channels for Windows 10 updates (this topic) |
+|  | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) |
+|  | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)or [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) |
+
+## Related topics
+
+- [Update Windows 10 in the enterprise](index.md)
+- [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
+- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
+- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
+- [Configure Windows Update for Business](waas-configure-wufb.md)
+- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
+- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
+- [Walkthrough: use Intune to configure Windows Update for Business](https://docs.microsoft.com/intune/windows-update-for-business-configure)
+- [Manage device restarts after updates](waas-restart.md)
diff --git a/windows/deployment/update/waas-servicing-differences.md b/windows/deployment/update/waas-servicing-differences.md
index 4e7773bbf9..1b5f466c3f 100644
--- a/windows/deployment/update/waas-servicing-differences.md
+++ b/windows/deployment/update/waas-servicing-differences.md
@@ -1,119 +1,127 @@
----
-title: Servicing differences between Windows 10 and older operating systems
-ms.reviewer:
-manager: laurawi
-description: Learn the differences between servicing Windows 10 and servicing older operating systems.
-keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, tools
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.localizationpriority: medium
-ms.audience: itpro
author: greg-lindsay
-ms.topic: article
-ms.collection: M365-modern-desktop
----
-# Understanding the differences between servicing Windows 10-era and legacy Windows operating systems
-
-> Applies to: Windows 10
->
-> **February 15, 2019: This document has been corrected and edited to reflect that security-only updates for legacy OS versions are not cumulative. They were previously identified as cumulative similar to monthly rollups, which is inaccurate.**
-
-Today, many enterprise customers have a mix of modern and legacy client and server operating systems. Managing the servicing and updating differences between those legacy operating systems and Windows 10 versions adds a level of complexity that is not well understood. This can be confusing. With the end of support for legacy [Windows 7 SP1](https://support.microsoft.com/help/4057281/windows-7-support-will-end-on-january-14-2020) and Windows Server 2008 R2 variants on January 14, 2020, System Administrators have a critical need critical to understand how best to leverage a modern workplace to support system updates.
-
-The following provides an initial overview of how updating client and server differs between the Windows 10-era Operating Systems (such as, Windows 10 version 1709, Windows Server 2016) and legacy operating systems (such as Windows 7, Windows 8.1, Windows Server 2008 R2, Windows Server 2012 R2).
-
->[!NOTE]
->A note on naming convention in this article: For brevity, "Windows 10" refers to all operating systems across client, server and IoT released since July 2015, while "legacy" refers to all operating systems prior to that period for client and server, including Windows 7, Window 8.1, Windows Server 2008 R2, Windows Server 2012 R2, etc.
-
-## Infinite fragmentation
-Prior to Windows 10, all updates to operating system (OS) components were published individually. On "Update Tuesday," customers would pick and choose individual updates they wanted to apply. Most chose to update security fixes, while far fewer selected non-security fixes, updated drivers, or installed .NET Framework updates.
-
-As a result, each environment within the global Windows ecosystem that had only a subset of security and non-security fixes installed had a different set of binaries and behaviors than those that consistently installed every available update as tested by Microsoft.
-
-This resulted in a fragmented ecosystem that created diverse challenges in predictively testing interoperability, resulting in high update failure rates - which were subsequently mitigated by customers removing individual updates that were causing issues. Each customer that selectively removed individual updates amplified this fragmentation by creating more diverse environment permutations across the ecosystem. As an IT Administrator once quipped, "If you’ve seen one Windows 7 PC, you have seen one Windows 7 PC," suggesting no consistency or predictability across more than 250M commercial devices at the time.
-
-## Windows 10 – Next generation
-Windows 10 provided an opportunity to end the era of infinite fragmentation. With Windows 10 and the Windows as a service model, updates came rolled together in the "latest cumulative update" (LCU) packages for both client and server. Every new update published includes all changes from previous updates, as well as new fixes. Since Windows client and server share the same code base, these LCUs allow the same update to be installed on the same client and server OS family, further reducing fragmentation.
-
-This helps simplify servicing. Devices with the original Release to Market (RTM) version of a feature release installed could get up to date by installing the most recent LCU.
-
-Windows publishes the new LCU packages for each Windows 10 version (1607, 1709, etc.) on the second Tuesday of each month. This package is classified as a required security update and contains contents from the previous LCU as well as new security, non-security and Internet Explorer 11 (IE11) fixes. The security classification, by definition, requires a reboot of the device to complete installation of the update.
-
-
-
-*Figure 1.0 - High level cumulative update model*
-
-Another benefit of the LCU model is fewer steps. Devices that have the original Release to Market (RTM) version of a release can install the most recent LCU to get up to date in one step, rather than having to install multiple updates with reboots after each.
-
-This cumulative update model for Windows 10 has helped provide the Windows ecosystem with consistent update experiences that can be predicted by baseline testing before release. Even with highly complex updates with hundreds of fixes, the number of incidents with monthly security updates for Windows 10 have fallen month over month since the initial release of Windows 10.
-
-### Points to consider
-
-- Windows 10 does not have the concept of a Security-Only or Monthly Rollup for updates. All updates are an LCU package, which includes the last release plus anything new.
-- Windows 10 no longer has the concept of a "hotfix" since all individual updates must be rolled into the cumulative packages. (Note: Any private fix is offered for customer validation only, and then rolled into an LCU.)
-- [Updates for the .NET Framework](https://blogs.msdn.microsoft.com/dotnet/2016/10/11/net-framework-monthly-rollups-explained/) are NOT included in the Windows 10 LCU. They are separate packages with different behaviors depending on the version of .NET Framework being updated, and on which OS. As of October 2018, .NET Framework updates for Windows 10 will be separate and have their own cumulative update model.
-- For Windows 10, available update types vary by publishing channel:
- - For customers using Windows Server Update Services (WSUS) and for the Update Catalog, several different updates types for Windows 10 are rolled together for the core OS in a single LCU package, with exception of Servicing Stack Updates.
- - Servicing Stack Updates (SSU) are available for download from the Update Catalog and can be imported through WSUS. Servicing Stack Updates (SSU) will be synced automatically (See this example for Windows 10, version 1709). Learn more about [Servicing Stack Updates](https://docs.microsoft.com/windows/deployment/update/servicing-stack-updates).
- - For customers connecting to Windows Update, the new cloud update architecture uses a database of updates which break out all the different update types, including Servicing Stack Updates (SSU) and Dynamic Updates (DU). The update scanning in the Windows 10 servicing stack on the client automatically takes only the updates that are needed by the device to be completely up to date.
-- Windows 7 and other legacy operating systems have cumulative updates that operate differently than in Windows 10 (see next section).
-
-## Windows 7 and legacy OS versions
-While Windows 10 updates could have been controlled as cumulative from "Day 1," the legacy OS ecosystem for both client and server was highly fragmented. Recognizing the challenges of update quality in a fragmented environment, we moved Windows 7 to a cumulative update model in October 2016.
-
-Customers saw the LCU model used for Windows 10 as having packages that were too large and represented too much of a change for legacy operating systems, so a different model was implemented. Windows instead offered one cumulative package (Monthly Rollup) and one individual package (Security Only) for all legacy operating systems.
-
-The Monthly Rollup includes new non-security (if appropriate), security updates, Internet Explorer (IE) updates, and all updates from the previous month similar to the Windows 10 model. The Security-only package includes only new security updates for the month. This means that any security updates from any previous month are not included in current month’s Security-Only Package. If a Security-Only update is missed, it is missed. Those updates will not appear in a future Security-Only update. Additionally, a cumulative package is offered for IE, which can be tested and installed separately, reducing the total update package size. The IE cumulative update includes both security and non-security fixes following the same model as Windows 10.
-
-
-*Figure 2.0 - Legacy OS security-only update model*
-
-Moving to the cumulative model for legacy OS versions continues to improve predictability of update quality. The Windows legacy environments which have fully updated machines with Monthly Rollups are running the same baseline against which all legacy OS version updates are tested. These include all of the updates (security and non-security) prior to and after October 2016. Many customer environments do not have all updates prior to this change installed, which leaves some continued fragmentation in the ecosystem. Further, customers who are installing Security-Only Updates and potentially doing so inconsistently are also more fragmented than Microsoft’s test environments for legacy OS version. This remaining fragmentation results in issues like those seen when the September 2016 Servicing Stack Update (SSU) was needed for smooth installation of the August 2018 security update. These environments did not have the SSU applied previously.
-
-### Points to consider
-- Windows 7 and Windows 8 legacy operating system updates [moved from individual to cumulative in October 2016](https://techcommunity.microsoft.com/t5/Windows-Blog-Archive/More-on-Windows-7-and-Windows-8-1-servicing-changes/ba-p/166783). Devices with updates missing prior to that point are still missing those updates, as they were not included in the subsequent cumulative packages.
-- "Hotfixes" are no longer published for legacy OS versions. All updates are rolled into the appropriate package depending on their classification as either non-security, security, or Internet Explorer updates. (Note: any private fix is offered for customer validation only. Once validated they are then rolled into a Monthly Rollup or IE cumulative update, as appropriate.)
-- Both Monthly Rollups and Security-only updates released on Update Tuesday for legacy OS versions are identified as "security required" updates, because both have the full set of security updates in them. The Monthly Rollup may have additional non-security updates that are not included in the Security Only update. The "security" classification requires the device be rebooted so the update can be fully installed.
-- Given the differences between the cumulative Monthly Rollups and the single-month Security-only update packages, switching between these update types is not advised. Differences in the baselines of these packages may result in installation errors and conflicts. Choosing one and staying on that update type with high consistency – Monthly Rollup or Security-only – is recommended.
-- With all Legacy OS versions now in the Extended Support stage of their 10-year lifecycle, they typically receive only security updates for both Monthly Rollup and Security Only updates. Using Express for the Monthly Rollup results in almost the same package size as Security Only, with the added confidence of ensuring all relevant updates are installed.
-- In [February 2017](https://techcommunity.microsoft.com/t5/Windows-Blog-Archive/Simplified-servicing-for-Windows-7-and-Windows-8-1-the-latest/ba-p/166798), Windows pulled IE updates out of the legacy OS versions Security-only updates, while leaving them in the Monthly Rollup updates. This was done specifically to reduce package size based on customer feedback.
-- The IE cumulative update includes both security and non-security updates and is also needed for to help secure the entire environment. This update can be installed separately or as part of the Monthly Rollup.
-- [Updates for .NET Framework](https://blogs.msdn.microsoft.com/dotnet/2016/10/11/net-framework-monthly-rollups-explained/) are NOT included in legacy Monthly Rollup or Security Only packages. They are separate packages with different behaviors depending on the version of the .NET Framework, and which legacy OS, being updated.
-- For [Windows Server 2008 SP2](https://cloudblogs.microsoft.com/windowsserver/2018/06/12/windows-server-2008-sp2-servicing-changes/), cumulative updates began in October 2018, and follow the same model as Windows 7. Updates for IE9 are included in those packages, as the last supported version of Internet Explorer for that Legacy OS version.
-
-## Public preview releases
-Lastly, the cumulative update model directly impacts the public Preview releases offered in the 3rd and/or 4th weeks of the month. Update Tuesday, also referred to as the "B" week release occurs on the second Tuesday of the month. It is always a required security update across all operating systems. In addition to this monthly release, Windows also releases non-security update "previews" targeting the 3rd (C) and the 4th (D) weeks of the month. These preview releases include that month’s B-release plus a set of non-security updates for testing and validation as a cumulative package. We recommend IT Administrators uses the C/D previews to test the update in their environments. Any issues identified with the updates in the C/D releases are identified and then fixed or removed, prior to being rolled up in to the next month’s B release package together with new security updates. Security-only Packages are not part of the C/D preview program.
-
-### Examples
-Windows 10 version 1709:
-- (9B) September 11, 2018 Update Tuesday / B release - includes security, non-security and IE update. This update is categorized as "Required, Security" it requires a system reboot.
-- (9C) September 26, 2018 Preview C release - includes everything from 9B PLUS some non-security updates for testing/validation. This update is qualified as not required, non-security. No system reboot is required.
-- (10B) October 9, 2018 Update Tuesday / B release includes all fixes included in 9B, all fixes in 9C and introduces new security fixes and IE updates. This update is qualified as "Required, Security" and requires a system reboot.
-All of these updates are cumulative and build on each other for Windows 10. This is in contrast to legacy OS versions, where the 9C release becomes part of the "Monthly Rollup," but not the "Security Only" update. In other words, a Window 7 SP1 9C update is part of the cumulative "Monthly Rollup" but not included in the "Security Only" update because the fixes are qualified as "non-security". This is an important variation to note on the two models.
-
-
-*Figure 3.0 - Preview releases within the Windows 10 LCU model*
-
-## Previews vs. on-demand releases
-In 2018, we experienced incidents which required urgent remediation that didn’t map to the monthly update release cadence. These incidents were situations that required an immediate fix to an Update Tuesday release. While Windows engineering worked aggressively to respond within a week of the B-release, these "on-demand" releases created confusion with the C Preview releases.
-
-As a general policy, if a Security-Only package has a regression, which is defined as an unintentional error in the code of an update, then the fix for that regression will be added to the next month’s Security-Only Update. The fix for that regression may also be offered as part an On-Demand release and will be rolled into the next Monthly Update. (Note: Exceptions do exist to this policy, based on timing.)
-
-### Point to consider
-- When Windows identifies an issue with a Update Tuesday release, engineering teams work to remediate or fix the issue as quickly as possible. The outcome is often a new update which may be released at any time, including during the 3rd or 4th week of the month. Such updates are independent of the regularly scheduled "C" and "D" update previews. These updates are created on-demand to remediate a customer impacting issue. In most cases they are qualified as a "non-security" update, and do not require a system reboot.
-- Rarely do incidents with Update Tuesday releases impact more than .1% of the total population. With the new Windows Update (WU) architecture, updates can be targeted to affected devices. This targeting is not available through the Update Catalog or WSUS channels, however.
-- On-demand releases address a specific issue with an Update Tuesday release and are often qualified as "non-security" for one of two reasons. First, the fix may not be an additional security fix, but a non-security change to the update. Second, the "non-security" designation allows individuals or companies to choose when and how to reboot the devices, rather than forcing a system reboot on all Windows devices receiving the update globally. This trade-off is rarely a difficult choice as it has the potential to impact customer experience across client and server, across consumer and commercial customers for more than one billion devices.
-- Because the cumulative model is used across Window 10 and legacy Windows OS versions, despite variations between these OS versions, an out of band release will include all of the changes from the Update Tuesday release plus the fix that addresses the issue. And since Windows no longer releases hotfixes, everything is cumulative in some way.
-
-In closing, I hope this overview of the update model across current and legacy Windows OS versions highlights the benefits of the Windows 10 cumulative update model to help defragment the Windows ecosystem environments, simplify servicing and help make systems more secure.
-
-## Resources
-- [Simplifying updates for Windows 7 and 8.1](https://techcommunity.microsoft.com/t5/Windows-Blog-Archive/Simplifying-updates-for-Windows-7-and-8-1/ba-p/166530)
-- [Further simplifying servicing models for Windows 7 and Windows 8.1](https://techcommunity.microsoft.com/t5/Windows-Blog-Archive/Further-simplifying-servicing-models-for-Windows-7-and-Windows-8/ba-p/166772)
-- [More on Windows 7 and Windows 8.1 servicing changes](https://techcommunity.microsoft.com/t5/Windows-Blog-Archive/More-on-Windows-7-and-Windows-8-1-servicing-changes/ba-p/166783)
-- [.NET Framework Monthly Rollups Explained](https://blogs.msdn.microsoft.com/dotnet/2016/10/11/net-framework-monthly-rollups-explained/)
-- [Simplified servicing for Windows 7 and Windows 8.1: the latest improvements](https://techcommunity.microsoft.com/t5/Windows-Blog-Archive/Simplified-servicing-for-Windows-7-and-Windows-8-1-the-latest/ba-p/166798)
-- [Windows Server 2008 SP2 servicing changes](https://cloudblogs.microsoft.com/windowsserver/2018/06/12/windows-server-2008-sp2-servicing-changes/)
-- [Windows 10 update servicing cadence](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-10-update-servicing-cadence/ba-p/222376)
-- [Windows 7 servicing stack updates: managing change and appreciating cumulative updates](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-7-servicing-stack-updates-managing-change-and/ba-p/260434)
+---
+title: Servicing differences between Windows 10 and older operating systems
+ms.reviewer:
+manager: laurawi
+description: Learn the differences between servicing Windows 10 and servicing older operating systems.
+keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, tools
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.localizationpriority: medium
+ms.audience: itpro
+author: greg-lindsay
+ms.topic: article
+ms.collection: M365-modern-desktop
+---
+# Understanding the differences between servicing Windows 10-era and legacy Windows operating systems
+
+> Applies to: Windows 10
+>
+> **February 15, 2019: This document has been corrected and edited to reflect that security-only updates for legacy OS versions are not cumulative. They were previously identified as cumulative similar to monthly rollups, which is inaccurate.**
+
+Today, many enterprise customers have a mix of modern and legacy client and server operating systems. Managing the servicing and updating differences between those legacy operating systems and Windows 10 versions adds a level of complexity that is not well understood. This can be confusing. With the end of support for legacy [Windows 7 SP1](https://support.microsoft.com/help/4057281/windows-7-support-will-end-on-january-14-2020) and Windows Server 2008 R2 variants on January 14, 2020, System Administrators have a critical need to understand how best to leverage a modern workplace to support system updates.
+
+The following provides an initial overview of how updating client and server differs between the Windows 10-era Operating Systems (such as, Windows 10 version 1709, Windows Server 2016) and legacy operating systems (such as Windows 7, Windows 8.1, Windows Server 2008 R2, Windows Server 2012 R2).
+
+> [!NOTE]
+> A note on naming convention in this article: For brevity, "Windows 10" refers to all operating systems across client, server and IoT released since July 2015, while "legacy" refers to all operating systems prior to that period for client and server, including Windows 7, Window 8.1, Windows Server 2008 R2, Windows Server 2012 R2, etc.
+
+## Infinite fragmentation
+Prior to Windows 10, all updates to operating system (OS) components were published individually. On "Update Tuesday," customers would pick and choose individual updates they wanted to apply. Most chose to update security fixes, while far fewer selected non-security fixes, updated drivers, or installed .NET Framework updates.
+
+As a result, each environment within the global Windows ecosystem that had only a subset of security and non-security fixes installed had a different set of binaries and behaviors than those that consistently installed every available update as tested by Microsoft.
+
+This resulted in a fragmented ecosystem that created diverse challenges in predictively testing interoperability, resulting in high update failure rates - which were subsequently mitigated by customers removing individual updates that were causing issues. Each customer that selectively removed individual updates amplified this fragmentation by creating more diverse environment permutations across the ecosystem. As an IT Administrator once quipped, "If you’ve seen one Windows 7 PC, you have seen one Windows 7 PC," suggesting no consistency or predictability across more than 250M commercial devices at the time.
+
+## Windows 10 – Next generation
+Windows 10 provided an opportunity to end the era of infinite fragmentation. With Windows 10 and the Windows as a service model, updates came rolled together in the "latest cumulative update" (LCU) packages for both client and server. Every new update published includes all changes from previous updates, as well as new fixes. Since Windows client and server share the same code base, these LCUs allow the same update to be installed on the same client and server OS family, further reducing fragmentation.
+
+This helps simplify servicing. Devices with the original Release to Market (RTM) version of a feature release installed could get up to date by installing the most recent LCU.
+
+Windows publishes the new LCU packages for each Windows 10 version (1607, 1709, etc.) on the second Tuesday of each month. This package is classified as a required security update and contains contents from the previous LCU as well as new security, non-security and Internet Explorer 11 (IE11) fixes. The security classification, by definition, requires a reboot of the device to complete installation of the update.
+
+
+
+*Figure 1.0 - High level cumulative update model*
+
+Another benefit of the LCU model is fewer steps. Devices that have the original Release to Market (RTM) version of a release can install the most recent LCU to get up to date in one step, rather than having to install multiple updates with reboots after each.
+
+This cumulative update model for Windows 10 has helped provide the Windows ecosystem with consistent update experiences that can be predicted by baseline testing before release. Even with highly complex updates with hundreds of fixes, the number of incidents with monthly security updates for Windows 10 have fallen month over month since the initial release of Windows 10.
+
+### Points to consider
+
+- Windows 10 does not have the concept of a Security-Only or Monthly Rollup for updates. All updates are an LCU package, which includes the last release plus anything new.
+- Windows 10 no longer has the concept of a "hotfix" since all individual updates must be rolled into the cumulative packages. (Note: Any private fix is offered for customer validation only, and then rolled into an LCU.)
+- [Updates for the .NET Framework](https://blogs.msdn.microsoft.com/dotnet/2016/10/11/net-framework-monthly-rollups-explained/) are NOT included in the Windows 10 LCU. They are separate packages with different behaviors depending on the version of .NET Framework being updated, and on which OS. As of October 2018, .NET Framework updates for Windows 10 will be separate and have their own cumulative update model.
+- For Windows 10, available update types vary by publishing channel:
+ - For customers using Windows Server Update Services (WSUS) and for the Update Catalog, several different updates types for Windows 10 are rolled together for the core OS in a single LCU package, with exception of Servicing Stack Updates.
+ - Servicing Stack Updates (SSU) are available for download from the Update Catalog and can be imported through WSUS. Servicing Stack Updates (SSU) will be synced automatically (See this example for Windows 10, version 1709). Learn more about [Servicing Stack Updates](https://docs.microsoft.com/windows/deployment/update/servicing-stack-updates).
+ - For customers connecting to Windows Update, the new cloud update architecture uses a database of updates which break out all the different update types, including Servicing Stack Updates (SSU) and Dynamic Updates (DU). The update scanning in the Windows 10 servicing stack on the client automatically takes only the updates that are needed by the device to be completely up to date.
+- Windows 7 and other legacy operating systems have cumulative updates that operate differently than in Windows 10 (see next section).
+
+## Windows 7 and legacy OS versions
+While Windows 10 updates could have been controlled as cumulative from "Day 1," the legacy OS ecosystem for both client and server was highly fragmented. Recognizing the challenges of update quality in a fragmented environment, we moved Windows 7 to a cumulative update model in October 2016.
+
+Customers saw the LCU model used for Windows 10 as having packages that were too large and represented too much of a change for legacy operating systems, so a different model was implemented. Windows instead offered one cumulative package (Monthly Rollup) and one individual package (Security Only) for all legacy operating systems.
+
+The Monthly Rollup includes new non-security (if appropriate), security updates, Internet Explorer (IE) updates, and all updates from the previous month similar to the Windows 10 model. The Security-only package includes only new security updates for the month. This means that any security updates from any previous month are not included in current month’s Security-Only Package. If a Security-Only update is missed, it is missed. Those updates will not appear in a future Security-Only update. Additionally, a cumulative package is offered for IE, which can be tested and installed separately, reducing the total update package size. The IE cumulative update includes both security and non-security fixes following the same model as Windows 10.
+
+
+*Figure 2.0 - Legacy OS security-only update model*
+
+Moving to the cumulative model for legacy OS versions continues to improve predictability of update quality. The Windows legacy environments which have fully updated machines with Monthly Rollups are running the same baseline against which all legacy OS version updates are tested. These include all of the updates (security and non-security) prior to and after October 2016. Many customer environments do not have all updates prior to this change installed, which leaves some continued fragmentation in the ecosystem. Further, customers who are installing Security-Only Updates and potentially doing so inconsistently are also more fragmented than Microsoft’s test environments for legacy OS version. This remaining fragmentation results in issues like those seen when the September 2016 Servicing Stack Update (SSU) was needed for smooth installation of the August 2018 security update. These environments did not have the SSU applied previously.
+
+### Points to consider
+- Windows 7 and Windows 8 legacy operating system updates [moved from individual to cumulative in October 2016](https://techcommunity.microsoft.com/t5/Windows-Blog-Archive/More-on-Windows-7-and-Windows-8-1-servicing-changes/ba-p/166783). Devices with updates missing prior to that point are still missing those updates, as they were not included in the subsequent cumulative packages.
+- "Hotfixes" are no longer published for legacy OS versions. All updates are rolled into the appropriate package depending on their classification as either non-security, security, or Internet Explorer updates. (Note: any private fix is offered for customer validation only. Once validated they are then rolled into a Monthly Rollup or IE cumulative update, as appropriate.)
+- Both Monthly Rollups and Security-only updates released on Update Tuesday for legacy OS versions are identified as "security required" updates, because both have the full set of security updates in them. The Monthly Rollup may have additional non-security updates that are not included in the Security Only update. The "security" classification requires the device be rebooted so the update can be fully installed.
+- Given the differences between the cumulative Monthly Rollups and the single-month Security-only update packages, switching between these update types is not advised. Differences in the baselines of these packages may result in installation errors and conflicts. Choosing one and staying on that update type with high consistency – Monthly Rollup or Security-only – is recommended.
+- With all Legacy OS versions now in the Extended Support stage of their 10-year lifecycle, they typically receive only security updates for both Monthly Rollup and Security Only updates. Using Express for the Monthly Rollup results in almost the same package size as Security Only, with the added confidence of ensuring all relevant updates are installed.
+- In [February 2017](https://techcommunity.microsoft.com/t5/Windows-Blog-Archive/Simplified-servicing-for-Windows-7-and-Windows-8-1-the-latest/ba-p/166798), Windows pulled IE updates out of the legacy OS versions Security-only updates, while leaving them in the Monthly Rollup updates. This was done specifically to reduce package size based on customer feedback.
+- The IE cumulative update includes both security and non-security updates and is also needed for to help secure the entire environment. This update can be installed separately or as part of the Monthly Rollup.
+- [Updates for .NET Framework](https://blogs.msdn.microsoft.com/dotnet/2016/10/11/net-framework-monthly-rollups-explained/) are NOT included in legacy Monthly Rollup or Security Only packages. They are separate packages with different behaviors depending on the version of the .NET Framework, and which legacy OS, being updated.
+- For [Windows Server 2008 SP2](https://cloudblogs.microsoft.com/windowsserver/2018/06/12/windows-server-2008-sp2-servicing-changes/), cumulative updates began in October 2018, and follow the same model as Windows 7. Updates for IE9 are included in those packages, as the last supported version of Internet Explorer for that Legacy OS version.
+
+## Public preview releases
+Lastly, the cumulative update model directly impacts the public Preview releases offered in the 3rd and/or 4th weeks of the month. Update Tuesday, also referred to as the "B" week release occurs on the second Tuesday of the month. It is always a required security update across all operating systems. In addition to this monthly release, Windows also releases non-security update "previews" targeting the 3rd (C) and the 4th (D) weeks of the month. These preview releases include that month’s B-release plus a set of non-security updates for testing and validation as a cumulative package. We recommend IT Administrators uses the C/D previews to test the update in their environments. Any issues identified with the updates in the C/D releases are identified and then fixed or removed, prior to being rolled up in to the next month’s B release package together with new security updates. Security-only Packages are not part of the C/D preview program.
+
+> [!NOTE]
+> Only preview updates for the most recent release of Windows 10 are published to Windows Server Update Services (WSUS). For customers using the WSUS channel, and products such as System Center Configuration Manager that rely on it, will not see preview updates for older versions of Windows 10.
+
+> [!NOTE]
+> Preview updates for Windows 10 are not named differently than their LCU counterparts and do not contain the word 'Preview'. They can be identified by their release date (C or D week) and their classification as non-security updates.
+
+### Examples
+Windows 10 version 1709:
+- (9B) September 11, 2018 Update Tuesday / B release - includes security, non-security and IE update. This update is categorized as "Required, Security" it requires a system reboot.
+- (9C) September 26, 2018 Preview C release - includes everything from 9B PLUS some non-security updates for testing/validation. This update is qualified as not required, non-security. No system reboot is required.
+- (10B) October 9, 2018 Update Tuesday / B release includes all fixes included in 9B, all fixes in 9C and introduces new security fixes and IE updates. This update is qualified as "Required, Security" and requires a system reboot.
+All of these updates are cumulative and build on each other for Windows 10. This is in contrast to legacy OS versions, where the 9C release becomes part of the "Monthly Rollup," but not the "Security Only" update. In other words, a Window 7 SP1 9C update is part of the cumulative "Monthly Rollup" but not included in the "Security Only" update because the fixes are qualified as "non-security". This is an important variation to note on the two models.
+
+
+*Figure 3.0 - Preview releases within the Windows 10 LCU model*
+
+## Previews vs. on-demand releases
+In 2018, we experienced incidents which required urgent remediation that didn’t map to the monthly update release cadence. These incidents were situations that required an immediate fix to an Update Tuesday release. While Windows engineering worked aggressively to respond within a week of the B-release, these "on-demand" releases created confusion with the C Preview releases.
+
+As a general policy, if a Security-Only package has a regression, which is defined as an unintentional error in the code of an update, then the fix for that regression will be added to the next month’s Security-Only Update. The fix for that regression may also be offered as part an On-Demand release and will be rolled into the next Monthly Update. (Note: Exceptions do exist to this policy, based on timing.)
+
+### Point to consider
+- When Windows identifies an issue with a Update Tuesday release, engineering teams work to remediate or fix the issue as quickly as possible. The outcome is often a new update which may be released at any time, including during the 3rd or 4th week of the month. Such updates are independent of the regularly scheduled "C" and "D" update previews. These updates are created on-demand to remediate a customer impacting issue. In most cases they are qualified as a "non-security" update, and do not require a system reboot.
+- Rarely do incidents with Update Tuesday releases impact more than .1% of the total population. With the new Windows Update (WU) architecture, updates can be targeted to affected devices. This targeting is not available through the Update Catalog or WSUS channels, however.
+- On-demand releases address a specific issue with an Update Tuesday release and are often qualified as "non-security" for one of two reasons. First, the fix may not be an additional security fix, but a non-security change to the update. Second, the "non-security" designation allows individuals or companies to choose when and how to reboot the devices, rather than forcing a system reboot on all Windows devices receiving the update globally. This trade-off is rarely a difficult choice as it has the potential to impact customer experience across client and server, across consumer and commercial customers for more than one billion devices.
+- Because the cumulative model is used across Window 10 and legacy Windows OS versions, despite variations between these OS versions, an out of band release will include all of the changes from the Update Tuesday release plus the fix that addresses the issue. And since Windows no longer releases hotfixes, everything is cumulative in some way.
+
+In closing, I hope this overview of the update model across current and legacy Windows OS versions highlights the benefits of the Windows 10 cumulative update model to help defragment the Windows ecosystem environments, simplify servicing and help make systems more secure.
+
+## Resources
+- [Simplifying updates for Windows 7 and 8.1](https://techcommunity.microsoft.com/t5/Windows-Blog-Archive/Simplifying-updates-for-Windows-7-and-8-1/ba-p/166530)
+- [Further simplifying servicing models for Windows 7 and Windows 8.1](https://techcommunity.microsoft.com/t5/Windows-Blog-Archive/Further-simplifying-servicing-models-for-Windows-7-and-Windows-8/ba-p/166772)
+- [More on Windows 7 and Windows 8.1 servicing changes](https://techcommunity.microsoft.com/t5/Windows-Blog-Archive/More-on-Windows-7-and-Windows-8-1-servicing-changes/ba-p/166783)
+- [.NET Framework Monthly Rollups Explained](https://blogs.msdn.microsoft.com/dotnet/2016/10/11/net-framework-monthly-rollups-explained/)
+- [Simplified servicing for Windows 7 and Windows 8.1: the latest improvements](https://techcommunity.microsoft.com/t5/Windows-Blog-Archive/Simplified-servicing-for-Windows-7-and-Windows-8-1-the-latest/ba-p/166798)
+- [Windows Server 2008 SP2 servicing changes](https://cloudblogs.microsoft.com/windowsserver/2018/06/12/windows-server-2008-sp2-servicing-changes/)
+- [Windows 10 update servicing cadence](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-10-update-servicing-cadence/ba-p/222376)
+- [Windows 7 servicing stack updates: managing change and appreciating cumulative updates](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-7-servicing-stack-updates-managing-change-and/ba-p/260434)
diff --git a/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md b/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md
index 2162d1aafa..32e06ed8f5 100644
--- a/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md
+++ b/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md
@@ -1,74 +1,73 @@
----
-title: Prepare servicing strategy for Windows 10 updates (Windows 10)
-description: A strong Windows 10 deployment strategy begins with establishing a simple, repeatable process for testing and deploying each feature update.
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.localizationpriority: medium
-ms.audience: itpro
author: greg-lindsay
-ms.date: 11/02/2018
-ms.reviewer:
-manager: laurawi
-ms.topic: article
----
-
-# Prepare servicing strategy for Windows 10 updates
-
-
-**Applies to**
-
-- Windows 10
-- Windows 10 Mobile
-
-> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
-
-In the past, traditional Windows deployments tended to be large, lengthy, and expensive. Windows 10 offers a new approach to deploying both quality and feature updates, making the process much simpler and therefore the planning much more straightforward. With Windows as a service, the methodology around updating Windows has completely changed, moving away from major upgrades every few years to iterative updates twice per year. Each iteration contains a smaller subset of changes so that they won’t seem like substantial differences, like they do today. This image illustrates the level of effort needed for traditional Windows deployments versus servicing Windows 10 and how it is now spread evenly over time versus spiking every few years.
-
-
-
-
-Windows 10 spreads the traditional deployment effort of a Windows upgrade, which typically occurred every few years, over smaller, continuous updates. With this change, you must approach the ongoing deployment and servicing of Windows differently. A strong Windows 10 deployment strategy begins with establishing a simple, repeatable process for testing and deploying each feature update. Here’s an example of what this process might look like:
-
-- **Configure test devices.** Configure test devices in the Windows Insider Program so that Insiders can test feature updates before they’re available to the Semi-Annual Channel. Typically, this would be a small number of test devices that IT staff members use to evaluate pre-releas builds of Windows. Microsoft provides current development builds to Windows Insider members approximately every week so that interested users can see the functionality Microsoft is adding. See the section Windows Insider for details on how to enroll in the Windows Insider Program on a Windows 10 device.
-- **Identify excluded devices.** For some organizations, special-purpose devices such as those used to control factory or medical equipment or run ATMs require a stricter, less frequent feature update cycle than the Semi-annual Channel can offer. For those machines, you must install Windows 10 Enterprise LTSB to avoid feature updates for up to 10 years. Identify these devices, and separate them from the phased deployment and servicing cycles to help remove confusion for your administrators and ensure that devices are handled correctly.
-- **Recruit volunteers.** The purpose of testing a deployment is to receive feedback. One effective way to recruit pilot users is to request volunteers. When doing so, clearly state that you’re looking for feedback rather than people to just “try it out” and that there could be occasional issues involved with accepting feature updates right away. With Windows as a service, the expectation is that there should be few issues, but if an issue does arise, you want testers to let you know as soon as possible. When considering whom to recruit for pilot groups, be sure to include members who provide the broadest set of applications and devices to validate the largest number of apps and devices possible.
-- **Update Group Policy.** Each feature update includes new group policies to manage new features. If you use Group Policy to manage devices, the Group Policy Admin for the Active Directory domain will need to download a .admx package and copy it to their [Central Store](https://support.microsoft.com/help/929841/how-to-create-the-central-store-for-group-policy-administrative-templa) (or to the [PolicyDefinitions](https://msdn.microsoft.com/library/bb530196.aspx) directory in the SYSVOL of a domain controller if not using a Central Store). Always manage new group polices from the version of Windows 10 they shipped with by using the Remote Server Administration Tools. The ADMX download package is created at the end of each development cycle and then posted for download. To find the ADMX download package for a given Windows build, search for “ADMX download for Windows build xxxx”. For details about Group Policy management, see [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra)
-- **Choose a servicing tool.** Decide which product you’ll use to manage the Windows updates in your environment. If you’re currently using Windows Server Update Services (WSUS) or System Center Configuration Manager to manage your Windows updates, you can continue using those products to manage Windows 10 updates. Alternatively, you can use Windows Update for Business. In addition to which product you’ll use, consider how you’ll deliver the updates. With Windows 10, multiple peer-to-peer options are available to make update distribution faster. For a comparison of tools, see [Servicing tools](waas-overview.md#servicing-tools).
-- **Prioritize applications.** First, create an application portfolio. This list should include everything installed in your organization and any webpages your organization hosts. Next, prioritize this list to identify those that are the most business critical. Because the expectation is that application compatibility with Windows 10 will be high, only the most business critical applications should be tested before the pilot phase; everything else can be tested afterwards. For more information about identifying compatibility issues withe applications, see [Manage Windows upgrades with Upgrade Analytics](../upgrade/manage-windows-upgrades-with-upgrade-readiness.md).
-
->[!NOTE]
->This strategy is applicable to approaching an environment in which Windows 10 already exists. For information about how to deploy or upgrade to Windows 10 where another version of Windows exists, see [Plan for Windows 10 deployment](../planning/index.md).
->
->>Windows 10 Enterprise LTSB is a separate Long Term Servicing Channel version.
-
-Each time Microsoft releases a Windows 10 feature update, the IT department should use the following high-level process to help ensure that the broad deployment is successful:
-
-1. **Validate compatibility of business critical apps.** Test your most important business-critical applications for compatibility with the new Windows 10 feature update running on your Windows Insider machines identified in the earlier “Configure test machines” step of the Predeployment strategy section. The list of applications involved in this validation process should be small because most applications can be tested during the pilot phase. For more information about device and application compatibility in Windows 10, see the section Compatibility.
-2. **Target and react to feedback.** With Windows 10, Microsoft expects application and device compatibility to be high, but it’s still important to have targeted groups within both the IT department and business units to verify application compatibility for the remaining applications in your application portfolio. Because only the most business-critical applications are tested beforehand, this will represent the majority of application compatibility testing in your environment. This should not necessarily be a formal process but rather user validation through the use of a particular application. So, the next step is to deploy the feature update to early-adopting IT users and your targeted groups running in the Semi-annual channel that you identified in the “Recruit volunteers” step of the Predeployment strategy section. Be sure to communicate clearly that you’re looking for feedback as soon as possible, and state exactly how users can submit feedback to you. Should an issue arise, have a remediation plan in place to address it.
-3. **Deploy broadly.** Finally, focus on the large-scale deployment using deployment rings, like the ones discussed in Table 1. Build deployment rings that target groups of computers in your selected update-management product. To reduce risk as much as possible, construct your deployment rings in a way that splits individual departments into multiple rings. This way, if you were to encounter an issue, you don’t prevent any critical business from continuing. By using this method, each deployment ring reduces risk as more and more people have been updated in any particular department.
-
-
-## Steps to manage updates for Windows 10
-
-| | |
-| --- | --- |
-|  | [Learn about updates and servicing channels](waas-overview.md) |
-|  | Prepare servicing strategy for Windows 10 updates (this topic) |
-|  | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) |
-|  | [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) |
-|  | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) |
-|  | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)or [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) |
-
-
-## Related topics
-
-- [Update Windows 10 in the enterprise](index.md)
-- [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
-- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
-- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
-- [Configure Windows Update for Business](waas-configure-wufb.md)
-- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
-- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
-- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
-- [Manage device restarts after updates](waas-restart.md)
+---
+title: Prepare servicing strategy for Windows 10 updates (Windows 10)
+description: A strong Windows 10 deployment strategy begins with establishing a simple, repeatable process for testing and deploying each feature update.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: jaimeo
+ms.localizationpriority: medium
+ms.author: jaimeo
+ms.reviewer:
+manager: laurawi
+ms.topic: article
+---
+
+# Prepare servicing strategy for Windows 10 updates
+
+
+**Applies to**
+
+- Windows 10
+
+
+> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
+
+In the past, traditional Windows deployments tended to be large, lengthy, and expensive. Windows 10 offers a new approach to deploying both quality and feature updates, making the process much simpler and therefore the planning much more straightforward. With Windows as a service, the methodology around updating Windows has completely changed, moving away from major upgrades every few years to iterative updates twice per year. Each iteration contains a smaller subset of changes so that they won’t seem like substantial differences, like they do today. This image illustrates the level of effort needed for traditional Windows deployments versus servicing Windows 10 and how it is now spread evenly over time versus spiking every few years.
+
+
+
+
+Windows 10 spreads the traditional deployment effort of a Windows upgrade, which typically occurred every few years, over smaller, continuous updates. With this change, you must approach the ongoing deployment and servicing of Windows differently. A strong Windows 10 deployment strategy begins with establishing a simple, repeatable process for testing and deploying each feature update. Here’s an example of what this process might look like:
+
+- **Configure test devices.** Configure test devices in the Windows Insider Program so that Insiders can test feature updates before they’re available to the Semi-Annual Channel. Typically, this would be a small number of test devices that IT staff members use to evaluate pre-releas builds of Windows. Microsoft provides current development builds to Windows Insider members approximately every week so that interested users can see the functionality Microsoft is adding. See the section Windows Insider for details on how to enroll in the Windows Insider Program on a Windows 10 device.
+- **Identify excluded devices.** For some organizations, special-purpose devices such as those used to control factory or medical equipment or run ATMs require a stricter, less frequent feature update cycle than the Semi-annual Channel can offer. For those machines, you must install Windows 10 Enterprise LTSB to avoid feature updates for up to 10 years. Identify these devices, and separate them from the phased deployment and servicing cycles to help remove confusion for your administrators and ensure that devices are handled correctly.
+- **Recruit volunteers.** The purpose of testing a deployment is to receive feedback. One effective way to recruit pilot users is to request volunteers. When doing so, clearly state that you’re looking for feedback rather than people to just “try it out” and that there could be occasional issues involved with accepting feature updates right away. With Windows as a service, the expectation is that there should be few issues, but if an issue does arise, you want testers to let you know as soon as possible. When considering whom to recruit for pilot groups, be sure to include members who provide the broadest set of applications and devices to validate the largest number of apps and devices possible.
+- **Update Group Policy.** Each feature update includes new group policies to manage new features. If you use Group Policy to manage devices, the Group Policy Admin for the Active Directory domain will need to download a .admx package and copy it to their [Central Store](https://support.microsoft.com/help/929841/how-to-create-the-central-store-for-group-policy-administrative-templa) (or to the [PolicyDefinitions](https://msdn.microsoft.com/library/bb530196.aspx) directory in the SYSVOL of a domain controller if not using a Central Store). Always manage new group polices from the version of Windows 10 they shipped with by using the Remote Server Administration Tools. The ADMX download package is created at the end of each development cycle and then posted for download. To find the ADMX download package for a given Windows build, search for “ADMX download for Windows build xxxx”. For details about Group Policy management, see [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra)
+- **Choose a servicing tool.** Decide which product you’ll use to manage the Windows updates in your environment. If you’re currently using Windows Server Update Services (WSUS) or System Center Configuration Manager to manage your Windows updates, you can continue using those products to manage Windows 10 updates. Alternatively, you can use Windows Update for Business. In addition to which product you’ll use, consider how you’ll deliver the updates. With Windows 10, multiple peer-to-peer options are available to make update distribution faster. For a comparison of tools, see [Servicing tools](waas-overview.md#servicing-tools).
+- **Prioritize applications.** First, create an application portfolio. This list should include everything installed in your organization and any webpages your organization hosts. Next, prioritize this list to identify those that are the most business critical. Because the expectation is that application compatibility with Windows 10 will be high, only the most business critical applications should be tested before the pilot phase; everything else can be tested afterwards. For more information about identifying compatibility issues withe applications, see [Manage Windows upgrades with Upgrade Analytics](../upgrade/manage-windows-upgrades-with-upgrade-readiness.md).
+
+>[!NOTE]
+>This strategy is applicable to approaching an environment in which Windows 10 already exists. For information about how to deploy or upgrade to Windows 10 where another version of Windows exists, see [Plan for Windows 10 deployment](../planning/index.md).
+>
+>>Windows 10 Enterprise LTSB is a separate Long Term Servicing Channel version.
+
+Each time Microsoft releases a Windows 10 feature update, the IT department should use the following high-level process to help ensure that the broad deployment is successful:
+
+1. **Validate compatibility of business critical apps.** Test your most important business-critical applications for compatibility with the new Windows 10 feature update running on your Windows Insider machines identified in the earlier “Configure test machines” step of the Predeployment strategy section. The list of applications involved in this validation process should be small because most applications can be tested during the pilot phase. For more information about device and application compatibility in Windows 10, see the section Compatibility.
+2. **Target and react to feedback.** With Windows 10, Microsoft expects application and device compatibility to be high, but it’s still important to have targeted groups within both the IT department and business units to verify application compatibility for the remaining applications in your application portfolio. Because only the most business-critical applications are tested beforehand, this will represent the majority of application compatibility testing in your environment. This should not necessarily be a formal process but rather user validation through the use of a particular application. So, the next step is to deploy the feature update to early-adopting IT users and your targeted groups running in the Semi-annual channel that you identified in the “Recruit volunteers” step of the Predeployment strategy section. Be sure to communicate clearly that you’re looking for feedback as soon as possible, and state exactly how users can submit feedback to you. Should an issue arise, have a remediation plan in place to address it.
+3. **Deploy broadly.** Finally, focus on the large-scale deployment using deployment rings, like the ones discussed in Table 1. Build deployment rings that target groups of computers in your selected update-management product. To reduce risk as much as possible, construct your deployment rings in a way that splits individual departments into multiple rings. This way, if you were to encounter an issue, you don’t prevent any critical business from continuing. By using this method, each deployment ring reduces risk as more and more people have been updated in any particular department.
+
+
+## Steps to manage updates for Windows 10
+
+| | |
+| --- | --- |
+|  | [Learn about updates and servicing channels](waas-overview.md) |
+|  | Prepare servicing strategy for Windows 10 updates (this topic) |
+|  | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) |
+|  | [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) |
+|  | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) |
+|  | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)or [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) |
+
+
+## Related topics
+
+- [Update Windows 10 in the enterprise](index.md)
+- [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
+- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
+- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
+- [Configure Windows Update for Business](waas-configure-wufb.md)
+- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
+- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
+- [Walkthrough: use Intune to configure Windows Update for Business](https://docs.microsoft.com/intune/windows-update-for-business-configure)
+- [Manage device restarts after updates](waas-restart.md)
diff --git a/windows/deployment/update/waas-wu-settings.md b/windows/deployment/update/waas-wu-settings.md
index d38b3d01e4..2b84969903 100644
--- a/windows/deployment/update/waas-wu-settings.md
+++ b/windows/deployment/update/waas-wu-settings.md
@@ -1,262 +1,263 @@
----
-title: Manage additional Windows Update settings (Windows 10)
-description: Additional settings to control the behavior of Windows Update (WU) in Windows 10
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.localizationpriority: medium
-ms.audience: itpro
author: greg-lindsay
-ms.date: 07/27/2017
-ms.reviewer:
-manager: laurawi
-ms.topic: article
----
-
-# Manage additional Windows Update settings
-
-
-**Applies to**
-
-- Windows 10
-- Windows 10 Mobile
-
-> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
-
-You can use Group Policy settings or mobile device management (MDM) to configure the behavior of Windows Update (WU) on your Windows 10 devices. You can configure the update detection frequency, select when updates are received, specify the update service location and more.
-
->[!IMPORTANT]
->In Windows 10, any Group Policy user configuration settings for Windows Update were deprecated and are no longer supported on this platform.
-
-## Summary of Windows Update settings
-
-| Group Policy setting | MDM setting | Supported from version |
-| --- | --- | --- |
-| [Specify Intranet Microsoft update service location](#specify-intranet-microsoft-update-service-location) | [UpdateServiceUrl](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-updateserviceurl) and [UpdateServiceUrlAlternate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-updateserviceurlalternate) | All |
-| [Automatic Updates Detection Frequency](#automatic-updates-detection-frequency) | [DetectionFrequency](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-detectionfrequency) | 1703 |
-| [Remove access to use all Windows Update features](#remove-access-to-use-all-windows-update-features) | | All |
-| [Do not connect to any Windows Update Internet locations](#do-not-connect-to-any-windows-update-internet-locations) | | All |
-| [Enable client-side targeting](#enable-client-side-targeting) | | All |
-| [Allow signed updates from an intranet Microsoft update service location](#allow-signed-updates-from-an-intranet-microsoft-update-service-location) | [AllowNonMicrosoftSignedUpdate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-allownonmicrosoftsignedupdate) | All |
-| [Do not include drivers with Windows Updates](#do-not-include-drivers-with-windows-updates) | [ExcludeWUDriversInQualityUpdate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-excludewudriversinqualityupdate) | 1607 |
-| [Configure Automatic Updates](#configure-automatic-updates) | [AllowAutoUpdate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-allowautoupdate) | All |
-
->[!IMPORTANT]
->Additional information about settings to manage device restarts and restart notifications for updates is available on **[Manage device restarts after updates](waas-restart.md)**.
->
->Additional settings that configure when Feature and Quality updates are received are detailed on **[Configure Windows Update for Business](waas-configure-wufb.md)**.
-
-## Scanning for updates
-
-With Windows 10, admins have a lot of flexibility in configuring how their devices scan and receive updates.
-
-[Specify Intranet Microsoft update service location](#specify-intranet-microsoft-update-service-location) allows admins to point devices to an internal Microsoft update service location, while [Do not connect to any Windows Update Internet locations](#do-not-connect-to-any-windows-update-internet-locations) gives them to option to restrict devices to just that internal update service. [Automatic Updates Detection Frequency](#automatic-updates-detection-frequency) controls how frequently devices scan for updates.
-
-You can make custom device groups that'll work with your internal Microsoft update service by using [Enable client-side targeting](#enable-client-side-targeting). You can also make sure your devices receive updates that were not signed by Microsoft from your internal Microsoft update service, through [Allow signed updates from an intranet Microsoft update service location](#allow-signed-updates-from-an-intranet-microsoft-update-service-location).
-
-Finally, to make sure the updating experience is fully controlled by the admins, you can [Remove access to use all Windows Update features](#remove-access-to-use-all-windows-update-features) for users.
-
-For additional settings that configure when Feature and Quality updates are received, see [Configure Windows Update for Business](waas-configure-wufb.md).
-
-### Specify Intranet Microsoft update service location
-
-Specifies an intranet server to host updates from Microsoft Update. You can then use this update service to automatically update computers on your network.
-This setting lets you specify a server on your network to function as an internal update service. The Automatic Updates client will search this service for updates that apply to the computers on your network.
-
-To use this setting in Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update\Specify Intranet Microsoft update service location**. You must set two server name values: the server from which the Automatic Updates client detects and downloads updates, and the server to which updated workstations upload statistics. You can set both values to be the same server. An optional server name value can be specified to configure Windows Update Agent to download updates from an alternate download server instead of the intranet update service.
-
-If the setting is set to **Enabled**, the Automatic Updates client connects to the specified intranet Microsoft update service (or alternate download server), instead of Windows Update, to search for and download updates. Enabling this setting means that end users in your organization don’t have to go through a firewall to get updates, and it gives you the opportunity to test updates after deploying them.
-If the setting is set to **Disabled** or **Not Configured**, and if Automatic Updates is not disabled by policy or user preference, the Automatic Updates client connects directly to the Windows Update site on the Internet.
-
-The alternate download server configures the Windows Update Agent to download files from an alternative download server instead of the intranet update service.
-The option to download files with missing Urls allows content to be downloaded from the Alternate Download Server when there are no download Urls for files in the update metadata. This option should only be used when the intranet update service does not provide download Urls in the update metadata for files which are present on the alternate download server.
-
->[!NOTE]
->If the "Configure Automatic Updates" policy is disabled, then this policy has no effect.
->
->If the "Alternate Download Server" is not set, it will use the intranet update service by default to download updates.
->
->The option to "Download files with no Url..." is only used if the "Alternate Download Server" is set.
-
-To configure this policy with MDM, use [UpdateServiceUrl](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-updateserviceurl) and [UpdateServiceUrlAlternate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-updateserviceurlalternate).
-
-### Automatic Updates detection frequency
-
-Specifies the hours that Windows will use to determine how long to wait before checking for available updates. The exact wait time is determined by using the hours specified here minus zero to twenty percent of the hours specified. For example, if this policy is used to specify a 20-hour detection frequency, then all clients to which this policy is applied will check for updates anywhere between 16 to 20 hours.
-
-To set this setting with Group Policy, navigate to **Computer Configuration\Administrative Templates\Windows Components\Windows Update\Automatic Updates detection frequency**.
-
-If the setting is set to **Enabled**, Windows will check for available updates at the specified interval.
-If the setting is set to **Disabled** or **Not Configured**, Windows will check for available updates at the default interval of 22 hours.
-
->[!NOTE]
->The “Specify intranet Microsoft update service location” setting must be enabled for this policy to have effect.
->
->If the “Configure Automatic Updates” policy is disabled, this policy has no effect.
-
-To configure this policy with MDM, use [DetectionFrequency](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-detectionfrequency).
-
-### Remove access to use all Windows Update features
-
-By enabling the Group Policy setting under **Computer Configuration\Administrative Templates\Windows Components\Windows update\Remove access to use all Windows update features**, administrators can disable the "Check for updates" option for users. Any background update scans, downloads and installations will continue to work as configured.
-
-### Do not connect to any Windows Update Internet locations
-
-Even when Windows Update is configured to receive updates from an intranet update service, it will periodically retrieve information from the public Windows Update service to enable future connections to Windows Update, and other services like Microsoft Update or the Microsoft Store.
-
-Use **Computer Configuration\Administrative Templates\Windows Components\Windows update\Do not connect to any Windows Update Internet locations** to enable this policy. When enabled, this policy will disable the functionality described above, and may cause connection to public services such as the Microsoft Store, Windows Update for Business and Delivery Optimization to stop working.
-
->[!NOTE]
->This policy applies only when the device is configured to connect to an intranet update service using the "Specify intranet Microsoft update service location" policy.
-
-### Enable client-side targeting
-
-Specifies the target group name or names that should be used to receive updates from an intranet Microsoft update service. This allows admins to configure device groups that will receive different updates from sources like WSUS or SCCM.
-
-This Group Policy setting can be found under **Computer Configuration\Administrative Templates\Windows Components\Windows update\Enable client-side targeting**.
-If the setting is set to **Enabled**, the specified target group information is sent to the intranet Microsoft update service which uses it to determine which updates should be deployed to this computer.
-If the setting is set to **Disabled** or **Not Configured**, no target group information will be sent to the intranet Microsoft update service.
-
-If the intranet Microsoft update service supports multiple target groups, this policy can specify multiple group names separated by semicolons. Otherwise, a single group must be specified.
-
->[!NOTE]
->This policy applies only when the intranet Microsoft update service the device is directed to is configured to support client-side targeting. If the “Specify intranet Microsoft update service location” policy is disabled or not configured, this policy has no effect.
-
-### Allow signed updates from an intranet Microsoft update service location
-
-This policy setting allows you to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found on an intranet Microsoft update service location.
-
-To configure this setting in Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows update\Allow signed updates from an intranet Microsoft update service location**.
-
-If you enable this policy setting, Automatic Updates accepts updates received through an intranet Microsoft update service location, as specified by [Specify Intranet Microsoft update service location](#specify-intranet-microsoft-update-service-location), if they are signed by a certificate found in the “Trusted Publishers” certificate store of the local computer.
-If you disable or do not configure this policy setting, updates from an intranet Microsoft update service location must be signed by Microsoft.
-
->[!NOTE]
->Updates from a service other than an intranet Microsoft update service must always be signed by Microsoft and are not affected by this policy setting.
-
-To configure this policy with MDM, use [AllowNonMicrosoftSignedUpdate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-allownonmicrosoftsignedupdate).
-
-
-## Installing updates
-
-To add more flexibility to the update process, settings are available to control update installation.
-
-[Configure Automatic Updates](#configure-automatic-updates) offers 4 different options for automatic update installation, while [Do not include drivers with Windows Updates](#do-not-include-drivers-with-windows-updates) makes sure drivers are not installed with the rest of the received updates.
-
-### Do not include drivers with Windows Updates
-
-Allows admins to exclude Windows Update (WU) drivers during updates.
-
-To configure this setting in Group Policy, use **Computer Configuration\Administrative Templates\Windows Components\Windows update\Do not include drivers with Windows Updates**.
-Enable this policy to not include drivers with Windows quality updates.
-If you disable or do not configure this policy, Windows Update will include updates that have a Driver classification.
-
-### Configure Automatic Updates
-
-Enables the IT admin to manage automatic update behavior to scan, download, and install updates.
-
-#### Configuring Automatic Updates by using Group Policy
-
-Under **Computer Configuration\Administrative Templates\Windows Components\Windows update\Configure Automatic Updates**, you must select one of the four options:
-
-**2 - Notify for download and auto install** - When Windows finds updates that apply to this device, users will be notified that updates are ready to be downloaded. After going to **Settings > Update & security > Windows Update**, users can download and install any available updates.
-
-**3 - Auto download and notify for Install** - Windows finds updates that apply to the device and downloads them in the background (the user is not notified or interrupted during this process). When the downloads are complete, users will be notified that they are ready to install. After going to **Settings > Update & security > Windows Update**, users can install them.
-
-**4 - Auto download and schedule the install** - Specify the schedule using the options in the Group Policy Setting. For more information about this setting, see [Schedule update installation](waas-restart.md#schedule-update-installation).
-
-**5 - Allow local admin to choose setting** - With this option, local administrators will be allowed to use the settings app to select a configuration option of their choice. Local administrators will not be allowed to disable the configuration for Automatic Updates.
-
-If this setting is set to *Disabled*, any updates that are available on Windows Update must be downloaded and installed manually. To do this, users must go to **Settings > Update & security > Windows Update**.
-
-If this setting is set to *Not Configured*, an administrator can still configure Automatic Updates through the settings app, under **Settings > Update & security > Windows Update > Advanced options**.
-
-#### Configuring Automatic Updates by editing the registry
-
-> [!NOTE]
-> Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require you to reinstall the operating system. Microsoft cannot guarantee that these problems can be resolved. Modify the registry at your own risk.
-
-In an environment that does not have Active Directory deployed, you can edit registry settings to configure group policies for Automatic Update.
-
-To do this, follow these steps:
-
-1. Select **Start**, search for "regedit", and then open Registry Editor.
-
-2. Open the following registry key:
-
- ```
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
- ```
-
-3. Add one of the following registry values to configure Automatic Update.
-
- * NoAutoUpdate (REG_DWORD):
-
- * **0**: Automatic Updates is enabled (default).
-
- * **1**: Automatic Updates is disabled.
-
- * AUOptions (REG_DWORD):
-
- * **1**: Keep my computer up to date is disabled in Automatic Updates.
-
- * **2**: Notify of download and installation.
-
- * **3**: Automatically download and notify of installation.
-
- * **4**: Automatically download and scheduled installation.
-
- * ScheduledInstallDay (REG_DWORD):
-
- * **0**: Every day.
-
- * **1** through **7**: The days of the week from Sunday (1) to Saturday (7).
-
- * ScheduledInstallTime (REG_DWORD):
-
- **n**, where **n** equals the time of day in a 24-hour format (0-23).
-
- * UseWUServer (REG_DWORD)
-
- Set this value to **1** to configure Automatic Updates to use a server that is running Software Update Services instead of Windows Update.
-
- * RescheduleWaitTime (REG_DWORD)
-
- **m**, where **m** equals the time period to wait between the time Automatic Updates starts and the time that it begins installations where the scheduled times have passed. The time is set in minutes from 1 to 60, representing 1 minute to 60 minutes)
-
- > [!NOTE]
- > This setting only affects client behavior after the clients have updated to the SUS SP1 client version or later versions.
-
- * NoAutoRebootWithLoggedOnUsers (REG_DWORD):
-
- **0** (false) or **1** (true). If set to **1**, Automatic Updates does not automatically restart a computer while users are logged on.
-
- > [!NOTE]
- > This setting affects client behavior after the clients have updated to the SUS SP1 client version or later versions.
-
-To use Automatic Updates with a server that is running Software Update Services, see the Deploying Microsoft Windows Server Update Services 2.0 guidance.
-
-When you configure Automatic Updates directly by using the policy registry keys, the policy overrides the preferences that are set by the local administrative user to configure the client. If an administrator removes the registry keys at a later date, the preferences that were set by the local administrative user are used again.
-
-To determine the WSUS server that the client computers and servers connect to for updates, add the following registry values to the registry:
-```
-HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\
-```
-
-* WUServer (REG_SZ)
-
- This value sets the WSUS server by HTTP name (for example, http://IntranetSUS).
-
-* WUStatusServer (REG_SZ)
-
- This value sets the SUS statistics server by HTTP name (for example, http://IntranetSUS).
-
-## Related topics
-
-- [Update Windows 10 in the enterprise](index.md)
-- [Overview of Windows as a service](waas-overview.md)
-- [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
-- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
-- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
-- [Configure Windows Update for Business](waas-configure-wufb.md)
-- [Manage device restarts after updates](waas-restart.md)
+---
+title: Manage additional Windows Update settings (Windows 10)
+description: Additional settings to control the behavior of Windows Update (WU) in Windows 10
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+audience: itpro
+author: jaimeo
+ms.localizationpriority: medium
+ms.audience: itpro
+author: jaimeo
+ms.reviewer:
+manager: laurawi
+ms.topic: article
+---
+
+# Manage additional Windows Update settings
+
+
+**Applies to**
+
+- Windows 10
+
+
+> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
+
+You can use Group Policy settings or mobile device management (MDM) to configure the behavior of Windows Update (WU) on your Windows 10 devices. You can configure the update detection frequency, select when updates are received, specify the update service location and more.
+
+>[!IMPORTANT]
+>In Windows 10, any Group Policy user configuration settings for Windows Update are no longer supported on this platform.
+
+## Summary of Windows Update settings
+
+| Group Policy setting | MDM setting | Supported from version |
+| --- | --- | --- |
+| [Specify Intranet Microsoft update service location](#specify-intranet-microsoft-update-service-location) | [UpdateServiceUrl](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-updateserviceurl) and [UpdateServiceUrlAlternate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-updateserviceurlalternate) | All |
+| [Automatic Updates Detection Frequency](#automatic-updates-detection-frequency) | [DetectionFrequency](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-detectionfrequency) | 1703 |
+| [Remove access to use all Windows Update features](#remove-access-to-use-all-windows-update-features) | | All |
+| [Do not connect to any Windows Update Internet locations](#do-not-connect-to-any-windows-update-internet-locations) | | All |
+| [Enable client-side targeting](#enable-client-side-targeting) | | All |
+| [Allow signed updates from an intranet Microsoft update service location](#allow-signed-updates-from-an-intranet-microsoft-update-service-location) | [AllowNonMicrosoftSignedUpdate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-allownonmicrosoftsignedupdate) | All |
+| [Do not include drivers with Windows Updates](#do-not-include-drivers-with-windows-updates) | [ExcludeWUDriversInQualityUpdate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-excludewudriversinqualityupdate) | 1607 |
+| [Configure Automatic Updates](#configure-automatic-updates) | [AllowAutoUpdate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-allowautoupdate) | All |
+
+>[!IMPORTANT]
+>Additional information about settings to manage device restarts and restart notifications for updates is available on **[Manage device restarts after updates](waas-restart.md)**.
+>
+>Additional settings that configure when Feature and Quality updates are received are detailed on **[Configure Windows Update for Business](waas-configure-wufb.md)**.
+
+## Scanning for updates
+
+With Windows 10, admins have a lot of flexibility in configuring how their devices scan and receive updates.
+
+[Specify Intranet Microsoft update service location](#specify-intranet-microsoft-update-service-location) allows admins to point devices to an internal Microsoft update service location, while [Do not connect to any Windows Update Internet locations](#do-not-connect-to-any-windows-update-internet-locations) gives them to option to restrict devices to just that internal update service. [Automatic Updates Detection Frequency](#automatic-updates-detection-frequency) controls how frequently devices scan for updates.
+
+You can make custom device groups that'll work with your internal Microsoft update service by using [Enable client-side targeting](#enable-client-side-targeting). You can also make sure your devices receive updates that were not signed by Microsoft from your internal Microsoft update service, through [Allow signed updates from an intranet Microsoft update service location](#allow-signed-updates-from-an-intranet-microsoft-update-service-location).
+
+Finally, to make sure the updating experience is fully controlled by the admins, you can [Remove access to use all Windows Update features](#remove-access-to-use-all-windows-update-features) for users.
+
+For additional settings that configure when Feature and Quality updates are received, see [Configure Windows Update for Business](waas-configure-wufb.md).
+
+### Specify Intranet Microsoft update service location
+
+Specifies an intranet server to host updates from Microsoft Update. You can then use this update service to automatically update computers on your network.
+This setting lets you specify a server on your network to function as an internal update service. The Automatic Updates client will search this service for updates that apply to the computers on your network.
+
+To use this setting in Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update\Specify Intranet Microsoft update service location**. You must set two server name values: the server from which the Automatic Updates client detects and downloads updates, and the server to which updated workstations upload statistics. You can set both values to be the same server. An optional server name value can be specified to configure Windows Update Agent to download updates from an alternate download server instead of the intranet update service.
+
+If the setting is set to **Enabled**, the Automatic Updates client connects to the specified intranet Microsoft update service (or alternate download server), instead of Windows Update, to search for and download updates. Enabling this setting means that end users in your organization don’t have to go through a firewall to get updates, and it gives you the opportunity to test updates after deploying them.
+If the setting is set to **Disabled** or **Not Configured**, and if Automatic Updates is not disabled by policy or user preference, the Automatic Updates client connects directly to the Windows Update site on the Internet.
+
+The alternate download server configures the Windows Update Agent to download files from an alternative download server instead of the intranet update service.
+The option to download files with missing Urls allows content to be downloaded from the Alternate Download Server when there are no download Urls for files in the update metadata. This option should only be used when the intranet update service does not provide download Urls in the update metadata for files which are present on the alternate download server.
+
+>[!NOTE]
+>If the "Configure Automatic Updates" policy is disabled, then this policy has no effect.
+>
+>If the "Alternate Download Server" is not set, it will use the intranet update service by default to download updates.
+>
+>The option to "Download files with no Url..." is only used if the "Alternate Download Server" is set.
+
+To configure this policy with MDM, use [UpdateServiceUrl](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-updateserviceurl) and [UpdateServiceUrlAlternate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-updateserviceurlalternate).
+
+### Automatic Updates detection frequency
+
+Specifies the hours that Windows will use to determine how long to wait before checking for available updates. The exact wait time is determined by using the hours specified here minus zero to twenty percent of the hours specified. For example, if this policy is used to specify a 20-hour detection frequency, then all clients to which this policy is applied will check for updates anywhere between 16 to 20 hours.
+
+To set this setting with Group Policy, navigate to **Computer Configuration\Administrative Templates\Windows Components\Windows Update\Automatic Updates detection frequency**.
+
+If the setting is set to **Enabled**, Windows will check for available updates at the specified interval.
+If the setting is set to **Disabled** or **Not Configured**, Windows will check for available updates at the default interval of 22 hours.
+
+>[!NOTE]
+>The “Specify intranet Microsoft update service location” setting must be enabled for this policy to have effect.
+>
+>If the “Configure Automatic Updates” policy is disabled, this policy has no effect.
+
+To configure this policy with MDM, use [DetectionFrequency](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-detectionfrequency).
+
+### Remove access to use all Windows Update features
+
+By enabling the Group Policy setting under **Computer Configuration\Administrative Templates\Windows Components\Windows update\Remove access to use all Windows update features**, administrators can disable the "Check for updates" option for users. Any background update scans, downloads and installations will continue to work as configured.
+
+### Do not connect to any Windows Update Internet locations
+
+Even when Windows Update is configured to receive updates from an intranet update service, it will periodically retrieve information from the public Windows Update service to enable future connections to Windows Update, and other services like Microsoft Update or the Microsoft Store.
+
+Use **Computer Configuration\Administrative Templates\Windows Components\Windows update\Do not connect to any Windows Update Internet locations** to enable this policy. When enabled, this policy will disable the functionality described above, and may cause connection to public services such as the Microsoft Store, Windows Update for Business and Delivery Optimization to stop working.
+
+>[!NOTE]
+>This policy applies only when the device is configured to connect to an intranet update service using the "Specify intranet Microsoft update service location" policy.
+
+### Enable client-side targeting
+
+Specifies the target group name or names that should be used to receive updates from an intranet Microsoft update service. This allows admins to configure device groups that will receive different updates from sources like WSUS or SCCM.
+
+This Group Policy setting can be found under **Computer Configuration\Administrative Templates\Windows Components\Windows update\Enable client-side targeting**.
+If the setting is set to **Enabled**, the specified target group information is sent to the intranet Microsoft update service which uses it to determine which updates should be deployed to this computer.
+If the setting is set to **Disabled** or **Not Configured**, no target group information will be sent to the intranet Microsoft update service.
+
+If the intranet Microsoft update service supports multiple target groups, this policy can specify multiple group names separated by semicolons. Otherwise, a single group must be specified.
+
+>[!NOTE]
+>This policy applies only when the intranet Microsoft update service the device is directed to is configured to support client-side targeting. If the “Specify intranet Microsoft update service location” policy is disabled or not configured, this policy has no effect.
+
+### Allow signed updates from an intranet Microsoft update service location
+
+This policy setting allows you to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found on an intranet Microsoft update service location.
+
+To configure this setting in Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows update\Allow signed updates from an intranet Microsoft update service location**.
+
+If you enable this policy setting, Automatic Updates accepts updates received through an intranet Microsoft update service location, as specified by [Specify Intranet Microsoft update service location](#specify-intranet-microsoft-update-service-location), if they are signed by a certificate found in the “Trusted Publishers” certificate store of the local computer.
+If you disable or do not configure this policy setting, updates from an intranet Microsoft update service location must be signed by Microsoft.
+
+>[!NOTE]
+>Updates from a service other than an intranet Microsoft update service must always be signed by Microsoft and are not affected by this policy setting.
+
+To configure this policy with MDM, use [AllowNonMicrosoftSignedUpdate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-allownonmicrosoftsignedupdate).
+
+
+## Installing updates
+
+To add more flexibility to the update process, settings are available to control update installation.
+
+[Configure Automatic Updates](#configure-automatic-updates) offers 4 different options for automatic update installation, while [Do not include drivers with Windows Updates](#do-not-include-drivers-with-windows-updates) makes sure drivers are not installed with the rest of the received updates.
+
+### Do not include drivers with Windows Updates
+
+Allows admins to exclude Windows Update (WU) drivers during updates.
+
+To configure this setting in Group Policy, use **Computer Configuration\Administrative Templates\Windows Components\Windows update\Do not include drivers with Windows Updates**.
+Enable this policy to not include drivers with Windows quality updates.
+If you disable or do not configure this policy, Windows Update will include updates that have a Driver classification.
+
+### Configure Automatic Updates
+
+Enables the IT admin to manage automatic update behavior to scan, download, and install updates.
+
+#### Configuring Automatic Updates by using Group Policy
+
+Under **Computer Configuration\Administrative Templates\Windows Components\Windows update\Configure Automatic Updates**, you must select one of the four options:
+
+**2 - Notify for download and auto install** - When Windows finds updates that apply to this device, users will be notified that updates are ready to be downloaded. After going to **Settings > Update & security > Windows Update**, users can download and install any available updates.
+
+**3 - Auto download and notify for Install** - Windows finds updates that apply to the device and downloads them in the background (the user is not notified or interrupted during this process). When the downloads are complete, users will be notified that they are ready to install. After going to **Settings > Update & security > Windows Update**, users can install them.
+
+**4 - Auto download and schedule the install** - Specify the schedule using the options in the Group Policy Setting. For more information about this setting, see [Schedule update installation](waas-restart.md#schedule-update-installation).
+
+**5 - Allow local admin to choose setting** - With this option, local administrators will be allowed to use the settings app to select a configuration option of their choice. Local administrators will not be allowed to disable the configuration for Automatic Updates.
+
+If this setting is set to *Disabled*, any updates that are available on Windows Update must be downloaded and installed manually. To do this, users must go to **Settings > Update & security > Windows Update**.
+
+If this setting is set to *Not Configured*, an administrator can still configure Automatic Updates through the settings app, under **Settings > Update & security > Windows Update > Advanced options**.
+
+#### Configuring Automatic Updates by editing the registry
+
+> [!NOTE]
+> Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require you to reinstall the operating system. Microsoft cannot guarantee that these problems can be resolved. Modify the registry at your own risk.
+
+In an environment that does not have Active Directory deployed, you can edit registry settings to configure group policies for Automatic Update.
+
+To do this, follow these steps:
+
+1. Select **Start**, search for "regedit", and then open Registry Editor.
+
+2. Open the following registry key:
+
+ ```
+ HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
+ ```
+
+3. Add one of the following registry values to configure Automatic Update.
+
+ * NoAutoUpdate (REG_DWORD):
+
+ * **0**: Automatic Updates is enabled (default).
+
+ * **1**: Automatic Updates is disabled.
+
+ * AUOptions (REG_DWORD):
+
+ * **1**: Keep my computer up to date is disabled in Automatic Updates.
+
+ * **2**: Notify of download and installation.
+
+ * **3**: Automatically download and notify of installation.
+
+ * **4**: Automatically download and scheduled installation.
+
+ * ScheduledInstallDay (REG_DWORD):
+
+ * **0**: Every day.
+
+ * **1** through **7**: The days of the week from Sunday (1) to Saturday (7).
+
+ * ScheduledInstallTime (REG_DWORD):
+
+ **n**, where **n** equals the time of day in a 24-hour format (0-23).
+
+ * UseWUServer (REG_DWORD)
+
+ Set this value to **1** to configure Automatic Updates to use a server that is running Software Update Services instead of Windows Update.
+
+ * RescheduleWaitTime (REG_DWORD)
+
+ **m**, where **m** equals the time period to wait between the time Automatic Updates starts and the time that it begins installations where the scheduled times have passed. The time is set in minutes from 1 to 60, representing 1 minute to 60 minutes)
+
+ > [!NOTE]
+ > This setting only affects client behavior after the clients have updated to the SUS SP1 client version or later versions.
+
+ * NoAutoRebootWithLoggedOnUsers (REG_DWORD):
+
+ **0** (false) or **1** (true). If set to **1**, Automatic Updates does not automatically restart a computer while users are logged on.
+
+ > [!NOTE]
+ > This setting affects client behavior after the clients have updated to the SUS SP1 client version or later versions.
+
+To use Automatic Updates with a server that is running Software Update Services, see the Deploying Microsoft Windows Server Update Services 2.0 guidance.
+
+When you configure Automatic Updates directly by using the policy registry keys, the policy overrides the preferences that are set by the local administrative user to configure the client. If an administrator removes the registry keys at a later date, the preferences that were set by the local administrative user are used again.
+
+To determine the WSUS server that the client computers and servers connect to for updates, add the following registry values to the registry:
+```
+HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\
+```
+
+* WUServer (REG_SZ)
+
+ This value sets the WSUS server by HTTP name (for example, http://IntranetSUS).
+
+* WUStatusServer (REG_SZ)
+
+ This value sets the SUS statistics server by HTTP name (for example, http://IntranetSUS).
+
+## Related topics
+
+- [Update Windows 10 in the enterprise](index.md)
+- [Overview of Windows as a service](waas-overview.md)
+- [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
+- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
+- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
+- [Configure Windows Update for Business](waas-configure-wufb.md)
+- [Manage device restarts after updates](waas-restart.md)
diff --git a/windows/deployment/update/waas-wufb-group-policy.md b/windows/deployment/update/waas-wufb-group-policy.md
index e8912d59ed..d45100b41b 100644
--- a/windows/deployment/update/waas-wufb-group-policy.md
+++ b/windows/deployment/update/waas-wufb-group-policy.md
@@ -1,149 +1,148 @@
----
-title: Walkthrough use Group Policy to configure Windows Update for Business - Windows 10
-description: Configure Windows Update for Business settings using Group Policy.
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.localizationpriority: medium
-ms.audience: itpro
author: greg-lindsay
-ms.date: 07/27/2017
-ms.reviewer:
-manager: laurawi
-ms.topic: article
----
-
-# Walkthrough: use Group Policy to configure Windows Update for Business
-
-
-**Applies to**
-
-- Windows 10
-
-> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
-
-
-## Overview
-
-You can use Group Policy through the Group Policy Management Console (GPMC) to control how Windows Update for Business works. You should consider and devise a deployment strategy for updates before you make changes to the Windows Update for Business settings. See
-
-An IT administrator can set policies for Windows Update for Business by using Group Policy, or they can be set locally (per device). All of the relevant policies are under the path **Computer configuration > Administrative Templates > Windows Components > Windows Update**.
-
-To manage updates with Windows Update for Business as described in this topic, you should prepare with these steps, if you haven't already:
-
-- Create Active Directory security groups that align with the deployment rings you use to phase deployment of updates. See [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) to learn more about deployment rings in Windows 10.
-- Allow access to the Windows Update service.
-- Download and install ADMX templates appropriate to your Windows 10 version. For more information, see [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](https://support.microsoft.com/help/3087759) and [Step-By-Step: Managing Windows 10 with Administrative templates](https://blogs.technet.microsoft.com/canitpro/2015/10/20/step-by-step-managing-windows-10-with-administrative-templates/).
-
-
-## Set up Windows Update for Business
-
-In this example, one security group is used to manage updates. Typically we would recommend having at least three rings (early testers for pre-release builds, broad deployment for releases, critical devices for mature releases) to deploy. See [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) for more information.
-
-Follow these steps on a device running the Remote Server Administration Tools or on a domain controller:
-
-### Set up a ring
-1. Start Group Policy Management Console (gpmc.msc).
-2. Expand **Forest > Domains > *\
+
+
+
+From this channel
+To this channel
+You need to
+
+
+Windows Insider Program
+
+
+Semi-Annual Channel
+Not directly possible
+
+
+Long-Term Servicing Channel
+Not directly possible (requires wipe-and-load).
+
+
+Semi-Annual Channel
+Insider
+Use the Settings app to enroll the device in the Windows Insider Program.
+
+
+
+
+Long-Term Servicing Channel
+Not directly possible (requires wipe-and-load).
+
+ Long-Term Servicing Channel
+Insider
+Use media to upgrade to the latest Windows Insider Program build.
+
+
+
+Semi-Annual Channel
+Use media to upgrade. Note that the Semi-Annual Channel build must be a later build.
+
-Simplified updates
+Simplified updates
Windows 10 end user readiness
diff --git a/windows/deployment/update/windows-update-resources.md b/windows/deployment/update/windows-update-resources.md
index c98b9d29d0..ead5fd7aaf 100644
--- a/windows/deployment/update/windows-update-resources.md
+++ b/windows/deployment/update/windows-update-resources.md
@@ -1,126 +1,132 @@
----
-title: Windows Update - Additional resources
-description: Additional resources for Windows Update
-ms.prod: w10
-ms.mktglfcycl:
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.localizationpriority: medium
-ms.audience: itpro
author: greg-lindsay
-ms.date: 09/18/2018
-ms.reviewer:
-manager: laurawi
-ms.topic: article
----
-
-# Windows Update - additional resources
-
->Applies to: Windows 10
-
-The following resources provide additional information about using Windows Update.
-
-## WSUS Troubleshooting
-
-[Troubleshooting issues with WSUS client agents](https://support.microsoft.com/help/10132/)
-
-[How to troubleshoot WSUS](https://support.microsoft.com/help/4025764/)
-
-[Error 80244007 when WSUS client scans for updates](https://support.microsoft.com/help/4096317/)
-
-[Updates may not be installed with Fast Startup in Windows 10](https://support.microsoft.com/help/4011287/)
-
-
-## How do I reset Windows Update components?
-
-[This script](https://gallery.technet.microsoft.com/scriptcenter/Reset-WindowsUpdateps1-e0c5eb78) will completely reset the Windows Update client settings. It has been tested on Windows 7, 8, 10, and Windows Server 2012 R2. It will configure the services and registry keys related to Windows Update for default settings. It will also clean up files related to Windows Update, in addition to BITS related data.
-
-
-[This script](https://gallery.technet.microsoft.com/scriptcenter/Reset-Windows-Update-Agent-d824badc) allow reset the Windows Update Agent resolving issues with Windows Update.
-
-
-## Reset Windows Update components manually
-1. Open a Windows command prompt. To open a command prompt, click **Start > Run**. Copy and paste (or type) the following command and then press ENTER:
- ```
- cmd
- ```
-2. Stop the BITS service and the Windows Update service. To do this, type the following commands at a command prompt. Press ENTER after you type each command.
- ```
- net stop bits
- net stop wuauserv
- ```
-3. Delete the qmgr\*.dat files. To do this, type the following command at a command prompt, and then press ENTER:
- ```
- Del "%ALLUSERSPROFILE%\Application Data\Microsoft\Network\Downloader\qmgr*.dat"
- ```
-4. If this is your first attempt at resolving your Windows Update issues by using the steps in this article, go to step 5 without carrying out the steps in step 4. The steps in step 4 should only be performed at this point in the troubleshooting if you cannot resolve your Windows Update issues after following all steps but step 4. The steps in step 4 are also performed by the "Aggressive" mode of the Fix it Solution above.
- 1. Rename the following folders to *.BAK:
- - %systemroot%\SoftwareDistribution\DataStore
- - %systemroot%\SoftwareDistribution\Download
- - %systemroot%\system32\catroot2
-
- To do this, type the following commands at a command prompt. Press ENTER after you type each command.
- - Ren %systemroot%\SoftwareDistribution\DataStore *.bak
- - Ren %systemroot%\SoftwareDistribution\Download *.bak
- - Ren %systemroot%\system32\catroot2 *.bak
- 2. Reset the BITS service and the Windows Update service to the default security descriptor. To do this, type the following commands at a command prompt. Press ENTER after you type each command.
- - sc.exe sdset bits D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)
- - sc.exe sdset wuauserv D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)
-5. Type the following command at a command prompt, and then press ENTER:
- ```
- cd /d %windir%\system32
- ```
-6. Reregister the BITS files and the Windows Update files. To do this, type the following commands at a command prompt. Press ENTER after you type each command.
- - regsvr32.exe atl.dll
- - regsvr32.exe urlmon.dll
- - regsvr32.exe mshtml.dll
- - regsvr32.exe shdocvw.dll
- - regsvr32.exe browseui.dll
- - regsvr32.exe jscript.dll
- - regsvr32.exe vbscript.dll
- - regsvr32.exe scrrun.dll
- - regsvr32.exe msxml.dll
- - regsvr32.exe msxml3.dll
- - regsvr32.exe msxml6.dll
- - regsvr32.exe actxprxy.dll
- - regsvr32.exe softpub.dll
- - regsvr32.exe wintrust.dll
- - regsvr32.exe dssenh.dll
- - regsvr32.exe rsaenh.dll
- - regsvr32.exe gpkcsp.dll
- - regsvr32.exe sccbase.dll
- - regsvr32.exe slbcsp.dll
- - regsvr32.exe cryptdlg.dll
- - regsvr32.exe oleaut32.dll
- - regsvr32.exe ole32.dll
- - regsvr32.exe shell32.dll
- - regsvr32.exe initpki.dll
- - regsvr32.exe wuapi.dll
- - regsvr32.exe wuaueng.dll
- - regsvr32.exe wuaueng1.dll
- - regsvr32.exe wucltui.dll
- - regsvr32.exe wups.dll
- - regsvr32.exe wups2.dll
- - regsvr32.exe wuweb.dll
- - regsvr32.exe qmgr.dll
- - regsvr32.exe qmgrprxy.dll
- - regsvr32.exe wucltux.dll
- - regsvr32.exe muweb.dll
- - regsvr32.exe wuwebv.dll
-7. Reset Winsock. To do this, type the following command at a command prompt, and then press ENTER:
- ```
- netsh winsock reset
- ```
-8. If you are running Windows XP or Windows Server 2003, you have to set the proxy settings. To do this, type the following command at a command prompt, and then press ENTER:
- ```
- proxycfg.exe -d
- ```
-9. Restart the BITS service and the Windows Update service. To do this, type the following commands at a command prompt. Press ENTER after you type each command.
- ```
- net start bits
-
- net start wuauserv
- ```
-10. If you are running Windows Vista or Windows Server 2008, clear the BITS queue. To do this, type the following command at a command prompt, and then press ENTER:
- ```
- bitsadmin.exe /reset /allusers
- ```
+---
+title: Windows Update - Additional resources
+description: Additional resources for Windows Update
+ms.prod: w10
+ms.mktglfcycl:
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.localizationpriority: medium
+ms.audience: itpro
+author: greg-lindsay
+ms.date: 09/18/2018
+ms.reviewer:
+manager: laurawi
+ms.topic: article
+---
+
+# Windows Update - additional resources
+
+>Applies to: Windows 10
+
+The following resources provide additional information about using Windows Update.
+
+## WSUS Troubleshooting
+
+[Troubleshooting issues with WSUS client agents](https://support.microsoft.com/help/10132/)
+
+[How to troubleshoot WSUS](https://support.microsoft.com/help/4025764/)
+
+[Error 80244007 when WSUS client scans for updates](https://support.microsoft.com/help/4096317/)
+
+[Updates may not be installed with Fast Startup in Windows 10](https://support.microsoft.com/help/4011287/)
+
+
+## How do I reset Windows Update components?
+
+[This script](https://gallery.technet.microsoft.com/scriptcenter/Reset-WindowsUpdateps1-e0c5eb78) will completely reset the Windows Update client settings. It has been tested on Windows 7, 8, 10, and Windows Server 2012 R2. It will configure the services and registry keys related to Windows Update for default settings. It will also clean up files related to Windows Update, in addition to BITS related data.
+
+
+[This script](https://gallery.technet.microsoft.com/scriptcenter/Reset-Windows-Update-Agent-d824badc) allow reset the Windows Update Agent resolving issues with Windows Update.
+
+
+## Reset Windows Update components manually
+1. Open a Windows command prompt. To open a command prompt, click **Start > Run**. Copy and paste (or type) the following command and then press ENTER:
+ ```
+ cmd
+ ```
+2. Stop the BITS service and the Windows Update service. To do this, type the following commands at a command prompt. Press ENTER after you type each command.
+ ```
+ net stop bits
+ net stop wuauserv
+ ```
+3. Delete the qmgr\*.dat files. To do this, type the following command at a command prompt, and then press ENTER:
+ ```
+ Del "%ALLUSERSPROFILE%\Application Data\Microsoft\Network\Downloader\qmgr*.dat"
+ ```
+4. If this is your first attempt at resolving your Windows Update issues by using the steps in this article, go to step 5 without carrying out the steps in step 4. The steps in step 4 should only be performed at this point in the troubleshooting if you cannot resolve your Windows Update issues after following all steps but step 4. The steps in step 4 are also performed by the "Aggressive" mode of the Fix it Solution above.
+ 1. Rename the following folders to *.BAK:
+ - %systemroot%\SoftwareDistribution\DataStore
+ - %systemroot%\SoftwareDistribution\Download
+ - %systemroot%\system32\catroot2
+
+ To do this, type the following commands at a command prompt. Press ENTER after you type each command.
+ - Ren %systemroot%\SoftwareDistribution\DataStore *.bak
+ - Ren %systemroot%\SoftwareDistribution\Download *.bak
+ - Ren %systemroot%\system32\catroot2 *.bak
+ 2. Reset the BITS service and the Windows Update service to the default security descriptor. To do this, type the following commands at a command prompt. Press ENTER after you type each command.
+ - sc.exe sdset bits D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)
+ - sc.exe sdset wuauserv D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)
+5. Type the following command at a command prompt, and then press ENTER:
+ ```
+ cd /d %windir%\system32
+ ```
+6. Reregister the BITS files and the Windows Update files. To do this, type the following commands at a command prompt. Press ENTER after you type each command.
+
+ ```
+ regsvr32.exe atl.dll
+ regsvr32.exe urlmon.dll
+ regsvr32.exe mshtml.dll
+ regsvr32.exe shdocvw.dll
+ regsvr32.exe browseui.dll
+ regsvr32.exe jscript.dll
+ regsvr32.exe vbscript.dll
+ regsvr32.exe scrrun.dll
+ regsvr32.exe msxml.dll
+ regsvr32.exe msxml3.dll
+ regsvr32.exe msxml6.dll
+ regsvr32.exe actxprxy.dll
+ regsvr32.exe softpub.dll
+ regsvr32.exe wintrust.dll
+ regsvr32.exe dssenh.dll
+ regsvr32.exe rsaenh.dll
+ regsvr32.exe gpkcsp.dll
+ regsvr32.exe sccbase.dll
+ regsvr32.exe slbcsp.dll
+ regsvr32.exe cryptdlg.dll
+ regsvr32.exe oleaut32.dll
+ regsvr32.exe ole32.dll
+ regsvr32.exe shell32.dll
+ regsvr32.exe initpki.dll
+ regsvr32.exe wuapi.dll
+ regsvr32.exe wuaueng.dll
+ regsvr32.exe wuaueng1.dll
+ regsvr32.exe wucltui.dll
+ regsvr32.exe wups.dll
+ regsvr32.exe wups2.dll
+ regsvr32.exe wuweb.dll
+ regsvr32.exe qmgr.dll
+ regsvr32.exe qmgrprxy.dll
+ regsvr32.exe wucltux.dll
+ regsvr32.exe muweb.dll
+ regsvr32.exe wuwebv.dll
+ ```
+
+7. Reset Winsock. To do this, type the following command at a command prompt, and then press ENTER:
+ ```
+ netsh winsock reset
+ ```
+8. If you are running Windows XP or Windows Server 2003, you have to set the proxy settings. To do this, type the following command at a command prompt, and then press ENTER:
+ ```
+ proxycfg.exe -d
+ ```
+9. Restart the BITS service and the Windows Update service. To do this, type the following commands at a command prompt. Press ENTER after you type each command.
+ ```
+ net start bits
+
+ net start wuauserv
+ ```
+10. If you are running Windows Vista or Windows Server 2008, clear the BITS queue. To do this, type the following command at a command prompt, and then press ENTER:
+ ```
+ bitsadmin.exe /reset /allusers
+ ```
diff --git a/windows/deployment/update/wufb-compliancedeadlines.md b/windows/deployment/update/wufb-compliancedeadlines.md
index bb088093c1..1edad940a4 100644
--- a/windows/deployment/update/wufb-compliancedeadlines.md
+++ b/windows/deployment/update/wufb-compliancedeadlines.md
@@ -1,100 +1,173 @@
----
-title: Enforce compliance deadlines with policies in Windows Update for Business (Windows 10)
-description: Learn how to enforce compliance deadlines using Windows Update for Business.
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.localizationpriority: medium
-ms.audience: itpro
author: greg-lindsay
-ms.date: 06/20/2018
-ms.reviewer:
-manager: laurawi
-ms.topic: article
----
-# Enforcing compliance deadlines for updates
-
->Applies to: Windows 10
-
-Deploying feature or quality updates for many organizations is only part of the equation for managing their device ecosystem. The ability to enforce patch compliance is the next important part. Windows Update for Business provides controls to manage deadlines for when devices should migrate to newer revisions. We offer two compliance flows that you can choose from:
-
-- [Deadline only](#deadline-only)
-- [Deadline with user engagement](#deadline-with-user-engagement)
-
-## Deadline Only
-
-This flow only enforces the deadline where the device will attempt to silently restart outside of active hours before the deadline is reached. Once the deadline is reached the user is prompted with either a confirmation button or a restart now option.
-
-### End User Experience
-
-Once the device is in the pending restart state, it will attempt to restart the device during non-active hours. This is known as the auto-restart period, and by default it does not require user interaction to reboot the device.
-
->[!NOTE]
->Deadlines are enforced from pending restart state (for example, when the device has completed the installation and download from Windows Update).
-
-### Policy overview
-
-|Policy|Description |
-|-|-|
-|Specify deadline before auto-restart for update installation|Governs the update experience once the device has entered pending reboot state. It specifies a deadline, in days, to enforce compliance (such as imminent install).|
-|Configure Auto-restart warning notification schedule for updates|Configures the reminder notification and the warning notification for a scheduled install. The user can dismiss a reminder, but not the warning.|
-
-### Suggested Configuration
-
-|Policy|Location|3 Day Compliance|5 Day Compliance|7 Day Compliance |
-|-|-|-|-|-|
-|Specify deadline before auto-restart for update installation| GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Specify deadline before auto-restart for update installation |State: Enabled
**Specify the number of days before pending restart will automatically be executed outside of active hours**: 2|State: Enabled
**Specify the number of days before pending restart will automatically be executed outside of active hours**: 3|State: Enabled
**Specify the number of days before pending restart will automatically be executed outside of active hours**: 4
-
-### Controlling notification experience for deadline
-
-|Policy| Location|Suggested Configuration |
-|-|-|-|
-|Configure Auto-restart warning notification schedule for updates|GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Configure auto-restart warning notifications schedule for updates |State: Enabled
**Reminder** (hours): 2
**Warning** (minutes): 60 |
-
-### Notification experience for deadline
-
-Notification users get for a quality update deadline:
-
-
-Notification users get for a feature update deadline:
-
-
-## Deadline with user engagement
-
-This flow provides the end user with prompts to select a time to restart the device before the deadline is reached. If the device is unable to restart at the time specified by the user or the time selected is outside the deadline, the device will restart the next time it is active.
-
-### End user experience
-
-Before the deadline the device will be in two states: auto-restart period and engaged-restart period. During the auto-restart period the device will silently try to restart outside of active hours. If the device can't find an idle moment to restart, then the device will go into engaged-restart. The end user, at this point, can select a time that they would like the device to try to restart. Both phases happen before the deadline; once that deadline has passed then the device will restart at the next available time.
-
-### Policy overview
-
-|Policy| Description |
-|-|-|
-|Specify engaged restart transition and notification schedule for updates|Governs how the user will be impacted by the pending reboot. Transition days, first starts out in Auto-Restart where the device will find an idle moment to reboot the device. After 2 days engaged restart will commence and the user will be able to choose a time|
-|Configure Auto-restart required notification for updates|Governs the notifications during the Auto-Restart period. During Active hours, the user will be notified that the device is trying to reboot. They will have the option to confirm or dismiss the notification|
-
-### Suggested configuration
-
-|Policy| Location| 3 Day Compliance| 5 Day Compliance| 7 Day Compliance |
-|-|-|-|-|-|
-|Specify engaged restart transition and notification schedule for updates|GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Specify Engaged restart transition and notification schedule for updates|State: Enabled
**Transition** (Days): 2
**Snooze** (Days): 2
**Deadline** (Days): 3|State: Enabled
**Transition** (Days): 2
**Snooze** (Days): 2
**Deadline** (Days): 4|State: Enabled
**Transition** (Days): 2
**Snooze** (Days): 2
**Deadline** (Days): 5|
-
-### Controlling notification experience for engaged deadline
-
-|Policy| Location |Suggested Configuration
-|-|-|-|
-|Configure Auto-restart required notification for updates |GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Configure Auto-restart required notification for updates|State: Enabled
**Method**: 2- User|
-
-### Notification experience for engaged deadlines
-Notification users get for quality update engaged deadline:
-
-
-Notification users get for a quality update deadline:
-
-
-Notification users get for a feature update engaged deadline:
-
-
-Notification users get for a feature update deadline:
-
+---
+title: Enforce compliance deadlines with policies in Windows Update for Business (Windows 10)
+description: Learn how to enforce compliance deadlines using Windows Update for Business.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: jaimeo
+ms.localizationpriority: medium
+ms.author: jaimeo
+ms.reviewer:
+manager: laurawi
+ms.topic: article
+---
+# Enforcing compliance deadlines for updates
+
+>Applies to: Windows 10
+
+Deploying feature or quality updates for many organizations is only part of the equation for managing their device ecosystem. The ability to enforce update compliance is the next important part. Windows Update for Business provides controls to manage deadlines for when devices should migrate to newer versions.
+
+The compliance options have changed with the release of Windows 10, version 1903:
+
+- [Starting with Windows 10, version 1903](#starting-with-windows-10-version-1903)
+- [Prior to Windows 10, version 1903](#prior-to-windows-10-version-1903)
+
+
+## Starting with Windows 10, version 1903
+
+With a current version of Windows 10, it's best to use the new policy introduced in Windows 10, version 1903: **Specify deadlines for automatic updates and restarts**. In MDM, this policy is available as four separate settings:
+
+- Update/ConfigureDeadlineForFeatureUpdates
+- Update/ConfigureDeadlineForQualityUpdates
+- Update/ConfigureDeadlineGracePeriod
+- Update/ConfigureDeadlineNoAutoReboot
+
+This policy starts the countdown for the update installation deadline from when the update is published, instead of starting with the "restart pending" state as the older policies did.
+
+The policy also includes a configurable grace period to allow, for example, users who have been away to have extra time before being forced to restart their devices.
+
+Further, the policy includes the option to opt out of automatic restarts until the deadline is reached by presenting the "engaged restart experience" until the deadline has actually expired. At this point the device will automatically schedule a restart regardless of active hours.
+
+
+
+### Policy setting overview
+
+|Policy|Description |
+|-|-|
+| (starting in Windows 10, version 1903) Specify deadlines for automatic updates and restarts | Similar to the older "Specify deadline before auto-restart for update installation," but starts the deadline countdown from when the update was published. Also introduces a configurable grace period and the option to opt out of automatic restarts until the deadline is reached. |
+
+
+
+### Suggested configurations
+
+|Policy|Location|Quality update deadline in days|Feature update deadline in days|Grace period in days|
+|-|-|-|-|-|
+|(starting in Windows 10, version 1903) Specify deadlines for automatic updates and restarts | GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Specify deadlines for automatic updates and restarts | 7 | 7 | 2 |
+
+When **Specify deadlines for automatic updates and restarts** is set (starting in Windows 10, version 1903):
+
+**While restart is pending, before the deadline occurs:**
+- For the first few days, the user receives a toast notification
+- After this period, the user receives this dialog:
+
+
+- If the user scheduled a restart, or if an auto restart is scheduled, 15 minutes before the scheduled time the user is receives this notification that the restart is about to occur:
+
+
+
+**If the restart is still pending after the deadline passes:**
+- Within 12 hours before the deadline passes, the user receives this notification that the deadline is approaching:
+
+
+- Once the deadline has passed, the user is forced to restart to keep their devices in compliance and receives this notification:
+
+
+
+
+
+
+## Prior to Windows 10, version 1903
+
+
+Two compliance flows are available:
+
+- [Deadline only](#deadline-only)
+- [Deadline with user engagement](#deadline-with-user-engagement)
+
+### Deadline only
+
+This flow only enforces the deadline where the device will attempt to silently restart outside of active hours before the deadline is reached. Once the deadline is reached the user is prompted with either a confirmation button or a restart now option.
+
+#### End-user experience
+
+Once the device is in the pending restart state, it will attempt to restart the device during non-active hours. This is known as the auto-restart period, and by default it does not require user interaction to restart the device.
+
+>[!NOTE]
+>Deadlines are enforced from pending restart state (for example, when the device has completed the installation and download from Windows Update).
+
+#### Policy overview
+
+|Policy|Description |
+|-|-|
+|Specify deadline before auto-restart for update installation|Governs the update experience once the device has entered pending restart state. It specifies a deadline, in days, to enforce compliance (such as imminent installation).|
+|Configure Auto-restart warning notification schedule for updates|Configures the reminder notification and the warning notification for a scheduled installation. The user can dismiss a reminder, but not the warning.|
+
+
+
+
+#### Suggested configuration
+
+|Policy|Location|3-day compliance|5-day compliance|7-day compliance|
+|-|-|-|-|-|
+|Specify deadline before auto-restart for update installation| GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Specify deadline before auto-restart for update installation |State: Enabled
**Specify the number of days before pending restart will automatically be executed outside of active hours:** 2| State: Enabled
**Specify the number of days before pending restart will automatically be executed outside of active hours:** 3 | State: Enabled
**Specify the number of days before pending restart will automatically be executed outside of active hours:** 4|
+
+#### Controlling notification experience for deadline
+
+|Policy| Location|Suggested Configuration |
+|-|-|-|
+|Configure Auto-restart warning notification schedule for updates|GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Configure auto-restart warning notifications schedule for updates |State: Enabled
**Reminder** (hours): 2
**Warning** (minutes): 60 |
+
+#### Notification experience for deadline
+
+Notification users get for a quality update deadline:
+
+
+Notification users get for a feature update deadline:
+
+
+### Deadline with user engagement
+
+This flow provides the end user with prompts to select a time to restart the device before the deadline is reached. If the device is unable to restart at the time specified by the user or the time selected is outside the deadline, the device will restart the next time it is active.
+
+#### End-user experience
+
+Before the deadline the device will be in two states: auto-restart period and engaged-restart period. During the auto-restart period the device will silently try to restart outside of active hours. If the device can't find an idle moment to restart, then the device will go into engaged-restart. The end user, at this point, can select a time that they would like the device to try to restart. Both phases happen before the deadline; once that deadline has passed then the device will restart at the next available time.
+
+#### Policy overview
+
+|Policy| Description |
+|-|-|
+|Specify engaged restart transition and notification schedule for updates|Governs how the user will be impacted by the pending restart. Transition days, first starts out in Auto-Restart where the device will find an idle moment to restart the device. After 2 days engaged restart will commence and the user will be able to choose a time|
+|Configure Auto-restart required notification for updates|Governs the notifications during the Auto-Restart period. During Active hours, the user will be notified that the device is trying to restart. They will have the option to confirm or dismiss the notification|
+
+#### Suggested configuration
+
+|Policy| Location| 3-day compliance| 5-day compliance| 7-day compliance |
+|-|-|-|-|-|
+|Specify engaged restart transition and notification schedule for updates|GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Specify Engaged restart transition and notification schedule for updates|State: Enabled
**Transition** (Days): 2
**Snooze** (Days): 2
**Deadline** (Days): 3|State: Enabled
**Transition** (Days): 2
**Snooze** (Days): 2
**Deadline** (Days): 4|State: Enabled
**Transition** (Days): 2
**Snooze** (Days): 2
**Deadline** (Days): 5|
+
+#### Controlling notification experience for engaged deadline
+
+|Policy| Location |Suggested Configuration
+|-|-|-|
+|Configure Auto-restart required notification for updates |GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Configure Auto-restart required notification for updates|State: Enabled
**Method**: 2- User|
+
+#### Notification experience for engaged deadlines
+
+Notification users get for quality update engaged deadline:
+
+
+
+Notification users get for a quality update deadline:
+
+
+
+Notification users get for a feature update engaged deadline:
+
+
+
+Notification users get for a feature update deadline:
+
+
+
+
diff --git a/windows/deployment/upgrade/log-files.md b/windows/deployment/upgrade/log-files.md
index 0216aec2c1..0214e53ad8 100644
--- a/windows/deployment/upgrade/log-files.md
+++ b/windows/deployment/upgrade/log-files.md
@@ -166,6 +166,6 @@ Therefore, Windows Setup failed because it was not able to migrate the corrupt f
[Windows 10 FAQ for IT professionals](https://technet.microsoft.com/windows/dn798755.aspx)
[Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752.aspx)
-
[Windows 10 Specifications](https://www.microsoft.com/en-us/windows/Windows-10-specifications)
+
[Windows 10 Specifications](https://www.microsoft.com/windows/Windows-10-specifications)
[Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro)
[Fix Windows Update errors by using the DISM or System Update Readiness tool](https://support.microsoft.com/kb/947821)
diff --git a/windows/deployment/upgrade/quick-fixes.md b/windows/deployment/upgrade/quick-fixes.md
index 305917b360..01850db7f6 100644
--- a/windows/deployment/upgrade/quick-fixes.md
+++ b/windows/deployment/upgrade/quick-fixes.md
@@ -234,6 +234,6 @@ If you downloaded the SetupDiag.exe program to your computer, then copied it to
[Windows 10 FAQ for IT professionals](https://technet.microsoft.com/windows/dn798755.aspx)
[Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752.aspx)
-
[Windows 10 Specifications](https://www.microsoft.com/en-us/windows/Windows-10-specifications)
+
[Windows 10 Specifications](https://www.microsoft.com/windows/Windows-10-specifications)
[Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro)
[Fix Windows Update errors by using the DISM or System Update Readiness tool](https://support.microsoft.com/kb/947821)
diff --git a/windows/deployment/upgrade/resolution-procedures.md b/windows/deployment/upgrade/resolution-procedures.md
index 34e22a7ab7..15c4156866 100644
--- a/windows/deployment/upgrade/resolution-procedures.md
+++ b/windows/deployment/upgrade/resolution-procedures.md
@@ -504,7 +504,7 @@ This error has more than one possible cause. Attempt [quick fixes](quick-fixes.m
@@ -524,14 +524,14 @@ This error has more than one possible cause. Attempt [quick fixes](quick-fixes.m
0xC1900200
Setup.exe has detected that the machine does not meet the minimum system requirements.
-Ensure the system you are trying to upgrade meets the minimum system requirements.
+
See Windows 10 specifications for information.Ensure the system you are trying to upgrade meets the minimum system requirements.
See Windows 10 specifications for information.
0x80190001
An unexpected error was encountered while attempting to download files required for upgrade.
-To resolve this issue, download and run the media creation tool. See Download windows 10.
+ To resolve this issue, download and run the media creation tool. See Download windows 10.
0x80246007
The update was not downloaded successfully.
Attempt other methods of upgrading the operating system.
@@ -640,7 +640,7 @@ Download and run the media creation tool. See Windows 10 Specifications and verify the computer meets minimum requirements.
+
-Download and run the media creation tool. See Download windows 10.
+Download and run the media creation tool. See Download windows 10.
Attempt to upgrade using .ISO or USB.
Note: Windows 10 Enterprise isn’t available in the media creation tool. For more information, go to the Volume Licensing Service Center.
See Windows 10 Specifications and verify the computer meets minimum requirements.
Review logs for [compatibility information](https://blogs.technet.microsoft.com/askcore/2016/01/21/using-the-windows-10-compatibility-reports-to-understand-upgrade-issues/).0x80070004 - 0x3000D
@@ -766,6 +766,6 @@ Also see the following sequential list of modern setup (mosetup) error codes wit
[Windows 10 FAQ for IT professionals](https://technet.microsoft.com/windows/dn798755.aspx)
[Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752.aspx)
-
[Windows 10 Specifications](https://www.microsoft.com/en-us/windows/Windows-10-specifications)
+
[Windows 10 Specifications](https://www.microsoft.com/windows/Windows-10-specifications)
[Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro)
[Fix Windows Update errors by using the DISM or System Update Readiness tool](https://support.microsoft.com/kb/947821)
diff --git a/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md b/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md
index af24d3c075..3a7f854132 100644
--- a/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md
+++ b/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md
@@ -58,7 +58,7 @@ See the following topics in this article:
[Windows 10 FAQ for IT professionals](https://technet.microsoft.com/windows/dn798755.aspx)
[Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752.aspx)
-
[Windows 10 Specifications](https://www.microsoft.com/en-us/windows/Windows-10-specifications)
+
[Windows 10 Specifications](https://www.microsoft.com/windows/Windows-10-specifications)
[Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro)
[Fix Windows Update errors by using the DISM or System Update Readiness tool](https://support.microsoft.com/kb/947821)
diff --git a/windows/deployment/upgrade/setupdiag.md b/windows/deployment/upgrade/setupdiag.md
index c9dc96d32e..0a503b2010 100644
--- a/windows/deployment/upgrade/setupdiag.md
+++ b/windows/deployment/upgrade/setupdiag.md
@@ -1,524 +1,540 @@
----
-title: SetupDiag
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-description: How to use the SetupDiag tool to diagnose Windows Setup errors
-keywords: deploy, troubleshoot, windows, 10, upgrade, update, setup, diagnose
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: deploy
-audience: itpro
author: greg-lindsay
-ms.localizationpriority: medium
-ms.topic: article
----
-
-# SetupDiag
-
-**Applies to**
-- Windows 10
-
->[!NOTE]
->This is a 300 level topic (moderate advanced).
->See [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) for a full list of topics in this article.
-
- [](https://go.microsoft.com/fwlink/?linkid=870142)
-
-## About SetupDiag
-
-Current version of SetupDiag: 1.5.0.0
-
-SetupDiag is a standalone diagnostic tool that can be used to obtain details about why a Windows 10 upgrade was unsuccessful.
-
-SetupDiag works by examining Windows Setup log files. It attempts to parse these log files to determine the root cause of a failure to update or upgrade the computer to Windows 10. SetupDiag can be run on the computer that failed to update, or you can export logs from the computer to another location and run SetupDiag in offline mode.
-
-To quickly use SetupDiag on your current computer:
-1. Verify that your system meets the [requirements](#requirements) described below. If needed, install the [.NET framework 4.6](https://www.microsoft.com/download/details.aspx?id=48137).
-2. [Download SetupDiag](https://go.microsoft.com/fwlink/?linkid=870142).
-3. If your web browser asks what to do with the file, choose **Save**. By default, the file will be saved to your **Downloads** folder. You can also save it to a different location if desired by using **Save As**.
-4. When SetupDiag has finished downloading, open the folder where you downloaded the file. As mentioned above, by default this is your **Downloads** folder which is displayed in File Explorer under **Quick access** in the left navigation pane.
-5. Double-click the **SetupDiag** file to run it. Click **Yes** if you are asked to approve running the program.
- - Double-clicking the file to run it will automatically close the command window when SetupDiag has completed its analysis. If you wish to keep this window open instead, and review the messages that you see, run the program by typing **SetupDiag** at the command prompt instead of double-clicking it. You will need to change directories to the location of SetupDiag to run it this way.
-6. A command window will open while SetupDiag diagnoses your computer. Wait for this to finish.
-7. When SetupDiag finishes, two files will be created in the same folder where you double-clicked SetupDiag. One is a configuration file, the other is a log file.
-8. Use Notepad to open the log file: **SetupDiagResults.log**.
-9. Review the information that is displayed. If a rule was matched this can tell you why the computer failed to upgrade, and potentially how to fix the problem. See the [Text log sample](#text-log-sample) below.
-
-For instructions on how to run the tool in offline mode and with more advanced options, see the [Parameters](#parameters) and [Examples](#examples) sections below.
-
-The [Release notes](#release-notes) section at the bottom of this topic has information about recent updates to this tool.
-
-## Requirements
-
-1. The destination OS must be Windows 10.
-2. [.NET Framework 4.6](https://www.microsoft.com/download/details.aspx?id=48137) must be installed. If you are not sure what version of .NET is currently installed, see [How to: Determine Which .NET Framework Versions Are Installed](https://docs.microsoft.com/dotnet/framework/migration-guide/how-to-determine-which-versions-are-installed). You can also use the following command-line query to display the installed v4 versions:
-
- ```
- reg query "HKLM\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4" /s
- ```
-
-## Parameters
-
-| Parameter | Description |
-| --- | --- |
-| /? |
|
-| /Output:\
|
-| /LogsPath:\
|
-| /ZipLogs:\
|
-| /Format:\
|
-| /Scenario:\[Recovery\] |
|
-| /Verbose |
|
-| /NoTel |
|
-| /AddReg |
|
-
-Note: The **/Mode** parameter is deprecated in version 1.4.0.0 of SetupDiag.
-- In previous versions, this command was used with the LogsPath parameter to specify that SetupDiag should run in an offline manner to analyze a set of log files that were captured from a different computer. In version 1.4.0.0 when you specify /LogsPath then SetupDiag will automatically run in offline mode, therefore the /Mode parameter is not needed.
-
-### Examples:
-
-In the following example, SetupDiag is run with default parameters (online mode, results file is SetupDiagResults.log in the same folder where SetupDiag is run).
-
-```
-SetupDiag.exe
-```
-
-In the following example, SetupDiag is run in online mode (this is the default). It will know where to look for logs on the current (failing) system, so there is no need to gather logs ahead of time. A custom location for results is specified.
-
-```
-SetupDiag.exe /Output:C:\SetupDiag\Results.log
-```
-
-The following example uses the /Output parameter to save results to a path name that contains a space:
-
-```
-SetupDiag /Output:"C:\Tools\SetupDiag\SetupDiag Results\Results.log"
-```
-
-The following example specifies that SetupDiag is to run in offline mode, and to process the log files found in **D:\Temp\Logs\LogSet1**.
-
-```
-SetupDiag.exe /Output:C:\SetupDiag\Results.log /LogsPath:D:\Temp\Logs\LogSet1
-```
-
-The following example sets recovery scenario in offline mode. In the example, SetupDiag will search for reset/recovery logs in the specified LogsPath location and output the resuts to the directory specified by the /Output parameter.
-
-```
-SetupDiag.exe /Output:C:\SetupDiag\RecoveryResults.log /LogsPath:D:\Temp\Cabs\PBR_Log /Scenario:Recovery
-```
-
-The following example sets recovery scenario in online mode. In the example, SetupDiag will search for reset/recovery logs on the current system and output results in XML format.
-
-```
-SetupDiag.exe /Scenario:Recovery /Format:xml
-```
-
-
-## Log files
-
-[Windows Setup Log Files and Event Logs](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-log-files-and-event-logs) has information about where logs are created during Windows Setup. For offline processing, you should run SetupDiag against the contents of the entire folder. For example, depending on when the upgrade failed, copy one of the following folders to your offline location:
-
-\\$Windows.~bt\sources\panther
-
\\$Windows.~bt\Sources\Rollback
-
\Windows\Panther
-
\Windows\Panther\NewOS
-
-If you copy the parent folder and all sub-folders, SetupDiag will automatically search for log files in all subdirectories.
-
-## Setup bug check analysis
-
-When Microsoft Windows encounters a condition that compromises safe system operation, the system halts. This condition is called a bug check. It is also commonly referred to as a system crash, a kernel error, a Stop error, or BSOD. Typically a hardware device, hardware driver, or related software causes this error.
-
-If crash dumps [are enabled](https://docs.microsoft.com/windows-hardware/drivers/debugger/enabling-a-kernel-mode-dump-file) on the system, a crash dump file is created. If the bug check occurs during an upgrade, Windows Setup will extract a minidump (setupmem.dmp) file. SetupDiag can also debug these setup related minidumps.
-
-To debug a setup related bug check, you must:
-- Specify the **/LogsPath** parameter. You cannot debug memory dumps in online mode.
-- Gather the setup memory dump file (setupmem.dmp) from the failing system.
- - Setupmem.dmp will be created in either **%SystemDrive%\$Windows.~bt\Sources\Rollback**, or in **%WinDir%\Panther\NewOS\Rollback** depending on when the bug check occurs.
-- Install the [Windows Debugging Tools](https://docs.microsoft.com/windows-hardware/drivers/debugger/debugger-download-tools) on the computer that runs SetupDiag.
-
-In the following example, the **setupmem.dmp** file is copied to the **D:\Dump** directory and the Windows Debugging Tools are installed prior to running SetupDiag:
-
-```
-SetupDiag.exe /Output:C:\SetupDiag\Dumpdebug.log /LogsPath:D:\Dump
-```
-
-## Known issues
-
-1. Some rules can take a long time to process if the log files involved are large.
-2. If the failing computer is opted into the Insider program and getting regular pre-release updates, or an update is already pending on the computer when SetupDiag is run, it can encounter problems trying to open these log files. This will likely cause a failure to determine a root cause. In this case, try gathering the log files and running SetupDiag in offline mode.
-
-
-## Sample output
-
-The following is an example where SetupDiag is run in offline mode.
-
-```
-D:\SetupDiag>SetupDiag.exe /output:c:\setupdiag\result.xml /logspath:D:\Tests\Logs\f55be736-beed-4b9b-aedf-c133536c946e /format:xml
-
-SetupDiag v1.5.0.0
-Copyright (c) Microsoft Corporation. All rights reserved.
-
-Searching for setup logs...
-Found d:\tests\Logs\f55be736-beed-4b9b-aedf-c133536c946e\setupact_6.log with update date 6/12/2019 2:44:20 PM to be the correct setup log.
-Found d:\tests\Logs\f55be736-beed-4b9b-aedf-c133536c946e\setupact_1.log with update date 6/12/2019 2:45:19 PM to be the correct rollback log.
-
-Gathering baseline information from setup logs...
-
-SetupDiag: processing rule: CompatScanOnly.
-...No match.
-
-...
-
-SetupDiag: processing rule: DISMImageSessionFailure.
-..
-Error: SetupDiag reports DISM provider failure.
-Last Phase: Safe OS
-Last Operation: Apply Optional Component status
-Message = Failed to get the IDismImage instance from the image session
-Function: CDISMManager::CloseImageSession
-Error: 0x800706ba
-Recommend you re-download the update source files, reboot and try the update again.
-
-SetupDiag found 1 matching issue.
-
-SetupDiag results were logged to: c:\setupdiag\results.xml
-Logs ZipFile created at: c:\setupdiag\Logs_14.zip
-
-```
-
-## Rules
-
-When searching log files, SetupDiag uses a set of rules to match known issues. These rules are contained in the rules.xml file which is extracted when SetupDiag is run. The rules.xml file might be updated as new versions of SetupDiag are made available. See [Release notes](#release-notes) for more information.
-
-Each rule name and its associated unique rule identifier are listed with a description of the known upgrade-blocking issue. In the rule descriptions, the term "down-level" refers to the first phase of the upgrade process, which runs under the starting OS.
-
-1. CompatScanOnly - FFDAFD37-DB75-498A-A893-472D49A1311D
- - This rule indicates that setup.exe was called with a specific command line parameter that indicated setup was to do a compat scan only, not an upgrade.
-2. BitLockerHardblock - C30152E2-938E-44B8-915B-D1181BA635AE
- - This is a block when the target OS does not support BitLocker, yet the host OS has BitLocker enabled.
-3. VHDHardblock - D9ED1B82-4ED8-4DFD-8EC0-BE69048978CC
- - This block happens when the host OS is booted to a VHD image. Upgrade is not supported when the host OS is booted from a VHD image.
-4. PortableWorkspaceHardblock - 5B0D3AB4-212A-4CE4-BDB9-37CA404BB280
- - This indicates that the host OS is booted from a Windows To-Go device (USB key). Upgrade is not supported in the Windows To-Go environment.
-5. AuditModeHardblock - A03BD71B-487B-4ACA-83A0-735B0F3F1A90
- - This block indicates that the host OS is currently booted into Audit Mode, a special mode for modifying the Windows state. Upgrade is not supported from this state.
-6. SafeModeHardblock - 404D9523-B7A8-4203-90AF-5FBB05B6579B
- - This block indicates that the host OS is booted to Safe Mode, where upgrade is not supported.
-7. InsufficientSystemPartitionDiskSpaceHardblock - 3789FBF8-E177-437D-B1E3-D38B4C4269D1
- - This block is encountered when setup determines the system partition (where the boot loader files are stored) does not have enough space to be serviced with the newer boot files required during the upgrade process.
-8. CompatBlockedApplicationAutoUninstall – BEBA5BC6-6150-413E-8ACE-5E1EC8D34DD5
- - This rule indicates there is an application that needs to be uninstalled before setup can continue.
-9. CompatBlockedApplicationDismissable - EA52620B-E6A0-4BBC-882E-0686605736D9
- - When running setup in /quiet mode, there are dismissible application messages that turn into blocks unless the command line also specifies “/compat /ignore warning”. This rule indicates setup was executed in /quiet mode but there is an application dismissible block message that have prevented setup from continuing.
-10. CompatBlockedApplicationManualUninstall - 9E912E5F-25A5-4FC0-BEC1-CA0EA5432FF4
- - This rule indicates that an application without an Add/Remove Programs entry, is present on the system and blocking setup from continuing. This typically requires manual removal of the files associated with this application to continue.
-11. HardblockDeviceOrDriver - ED3AEFA1-F3E2-4F33-8A21-184ADF215B1B
- - This indicates a device driver that is loaded on the host OS is not compatible with the newer OS version and needs to be removed prior to the upgrade.
-12. HardblockMismatchedLanguage - 60BA8449-CF23-4D92-A108-D6FCEFB95B45
- - This rule indicates the host OS and the target OS language editions do not match.
-13. HardblockFlightSigning - 598F2802-3E7F-4697-BD18-7A6371C8B2F8
- - This rule indicates the target OS is a pre-release, Windows Insider build, and the target machine has Secure Boot enabled. This will block the pre-release signed build from booting if installed on the machine.
-14. DiskSpaceBlockInDownLevel - 6080AFAC-892E-4903-94EA-7A17E69E549E
- - This failure indicates the system ran out of disk space during the down-level operations of upgrade.
-15. DiskSpaceFailure - 981DCBA5-B8D0-4BA7-A8AB-4030F7A10191
- - This failure indicates the system drive ran out of available disk space at some point after the first reboot into the upgrade.
-16. DeviceInstallHang - 37BB1C3A-4D79-40E8-A556-FDA126D40BC6
- - This failure rule indicates the system hung or bug checked during the device installation phase of upgrade.
-17. DebugSetupMemoryDump - C7C63D8A-C5F6-4255-8031-74597773C3C6
- - This offline only rule indicates a bug check occurred during setup. If the debugger tools are available on the system, SetupDiag will debug the memory dump and provide details.
-18. DebugSetupCrash - CEEBA202-6F04-4BC3-84B8-7B99AED924B1
- - This offline only rule indicates that setup itself encountered a failure that resulted in a process memory dump. If the debugger tools are installed on the system, SetupDiag will debug the memory dump and give further details.
-19. DebugMemoryDump - 505ED489-329A-43F5-B467-FCAAF6A1264C
- - This offline only rule is for any memory.dmp file that resulted during the setup/upgrade operation. If the debugger tools are installed on the system, SetupDiag will debug the memory dump and give further details.
-20. BootFailureDetected - 4FB446C2-D4EC-40B4-97E2-67EB19D1CFB7
- - This rule indicates a boot failure occurred during a specific phase of the update. The rule will indicate the failure code and phase for diagnostic purposes.
-21. FindDebugInfoFromRollbackLog - 9600EB68-1120-4A87-9FE9-3A4A70ACFC37
- - This rule will determine and give details when a bug check occurs during the setup/upgrade process that resulted in a memory dump, but without the requirement of the debugger package being on the executing machine.
-22. AdvancedInstallerFailed - 77D36C96-32BE-42A2-BB9C-AAFFE64FCADC
- - Finds fatal advanced installer operations that cause setup failures.
-23. FindMigApplyUnitFailure - A4232E11-4043-4A37-9BF4-5901C46FD781
- - Detects a migration unit failure that caused the update to fail. This rule will output the name of the migration plug-in as well as the error code it produced for diagnostic purposes.
-24. FindMigGatherUnitFailure - D04C064B-CD77-4E64-96D6-D26F30B4EE29
- - Detects a migration gather unit failure that caused the update to fail. This rule will output the name of the gather unit/plug-in as well as the error code it produced for diagnostic purposes.
-25. CriticalSafeOSDUFailure - 73566DF2-CA26-4073-B34C-C9BC70DBF043
- - This rule indicates a failure occurred while updating the SafeOS image with a critical dynamic update. It will indicate the phase and error code that occurred while attempting to update the SafeOS image for diagnostic purposes.
-26. UserProfileCreationFailureDuringOnlineApply - 678117CE-F6A9-40C5-BC9F-A22575C78B14
- - Indicates there was a critical failure while creating or modifying a User Profile during the online apply phase of the update. It will indicate the operation and error code associated with the failure for diagnostic purposes.
-27. WimMountFailure - BE6DF2F1-19A6-48C6-AEF8-D3B0CE3D4549
- - This rule indicates the update failed to mount a wim file. It will show the name of the wim file as well as the error message and error code associated with the failure for diagnostic purposes.
-28. FindSuccessfulUpgrade - 8A0824C8-A56D-4C55-95A0-22751AB62F3E
- - Determines if the given setup was a success or not based off the logs.
-29. FindSetupHostReportedFailure - 6253C04F-2E4E-4F7A-B88E-95A69702F7EC
- - Gives information about failures surfaced early in the upgrade process by setuphost.exe
-30. FindDownlevelFailure - 716334B7-F46A-4BAA-94F2-3E31BC9EFA55
- - Gives failure information surfaced by SetupPlatform, later in the down-level phase.
-31. FindAbruptDownlevelFailure - 55882B1A-DA3E-408A-9076-23B22A0472BD
- - Gives last operation failure information when the system fails in the down-level, but the log just ends abruptly.
-32. FindSetupPlatformFailedOperationInfo - 307A0133-F06B-4B75-AEA8-116C3B53C2D1
- - Gives last phase and error information when SetupPlatform indicates a critical failure. This rule will indicate the operation and error associated with the failure for diagnostic purposes.
-33. FindRollbackFailure - 3A43C9B5-05B3-4F7C-A955-88F991BB5A48
- - Gives last operation, failure phase and error information when a rollback occurs.
-34. AdvancedInstallerGenericFailure – 4019550D-4CAA-45B0-A222-349C48E86F71
- - A rule to match AdvancedInstaller read/write failures in a generic sense. Will output the executable being called as well as the error code and exit code reported.
-35. OptionalComponentFailedToGetOCsFromPackage – D012E2A2-99D8-4A8C-BBB2-088B92083D78 (NOTE: This rule replaces the OptionalComponentInstallFailure rule present in v1.10.
- - This matches a specific Optional Component failure when attempting to enumerate components in a package. Will output the package name and error code.
-36. OptionalComponentOpenPackageFailed – 22952520-EC89-4FBD-94E0-B67DF88347F6
- - Matches a specific Optional Component failure when attempting to open an OC package. Will output the package name and error code.
-37. OptionalComponentInitCBSSessionFailed – 63340812-9252-45F3-A0F2-B2A4CA5E9317
- - Matches a specific failure where the advanced installer service or components aren’t operating or started on the system. Will output the error code.
-38. UserProfileCreationFailureDuringFinalize – C6677BA6-2E53-4A88-B528-336D15ED1A64
- - Matches a specific User Profile creation error during the finalize phase of setup. Will output the failure code.
-39. WimApplyExtractFailure – 746879E9-C9C5-488C-8D4B-0C811FF3A9A8
- - Matches a wim apply failure during wim extraction phases of setup. Will output the extension, path and error code.
-40. UpdateAgentExpanderFailure – 66E496B3-7D19-47FA-B19B-4040B9FD17E2
- - Matches DPX expander failures in the down-level phase of update from WU. Will output the package name, function, expression and error code.
-41. FindFatalPluginFailure – E48E3F1C-26F6-4AFB-859B-BF637DA49636
- - Matches any plug-in failure that setupplatform decides is fatal to setup. Will output the plugin name, operation and error code.
-42. AdvancedInstallerFailed - 77D36C96-32BE-42A2-BB9C-AAFFE64FCADC
- - Indicates critical failure in the AdvancedInstaller while running an installer package, includes the .exe being called, the phase, mode, component and error codes.
-43. MigrationAbortedDueToPluginFailure - D07A24F6-5B25-474E-B516-A730085940C9
- - Indicates a critical failure in a migration plugin that causes setup to abort the migration. Will provide the setup operation, plug-in name, plug-in action and error code.
-44. DISMAddPackageFailed - 6196FF5B-E69E-4117-9EC6-9C1EAB20A3B9
- - Indicates a critical failure during a DISM add package operation. Will specify the Package Name, DISM error and add package error code.
-45. PlugInComplianceBlock - D912150B-1302-4860-91B5-527907D08960
- - Detects all compat blocks from Server compliance plug-ins. Outputs the block information and remediation.
-46. AdvancedInstallerGenericFailure - 4019550D-4CAA-45B0-A222-349C48E86F71
- - Triggers on advanced installer failures in a generic sense, outputting the application called, phase, mode, component and error code.
-47. FindMigGatherApplyFailure - A9964E6C-A2A8-45FF-B6B5-25E0BD71428E
- - Shows errors when the migration Engine fails out on a gather or apply operation. Indicates the Migration Object (file or registry path), the Migration
-48. OptionalComponentFailedToGetOCsFromPackage - D012E2A2-99D8-4A8C-BBB2-088B92083D78
- - Indicates the optional component (OC) migration operation failed to enumerate optional components from an OC Package. Outputs the package name and error code.
-49. OptionalComponentOpenPackageFailed - 22952520-EC89-4FBD-94E0-B67DF88347F6
- - Indicates the optional component migration operation failed to open an optional component Package. Outputs the package name and error code.
-50. OptionalComponentInitCBSSessionFailed - 63340812-9252-45F3-A0F2-B2A4CA5E9317
- - Indicates corruption in the servicing stack on the down-level system. Outputs the error code encountered while trying to initialize the servicing component on the existing OS.
-51. DISMproviderFailure - D76EF86F-B3F8-433F-9EBF-B4411F8141F4
- - Triggers when a DISM provider (plug-in) fails in a critical operation. Outputs the file (plug-in name), function called + error code, and error message from the provider.
-52. SysPrepLaunchModuleFailure - 7905655C-F295-45F7-8873-81D6F9149BFD
- - Indicates a sysPrep plug-in has failed in a critical operation. Indicates the plug-in name, operation name and error code.
-53. UserProvidedDriverInjectionFailure - 2247C48A-7EE3-4037-AFAB-95B92DE1D980
- - A driver provided to setup (via command line input) has failed in some way. Outputs the driver install function and error code.
-54. PlugInComplianceBlock - D912150B-1302-4860-91B5-527907D08960
- - These are for server upgrades only, will output the compliance block and remediation required.
-55. PreReleaseWimMountDriverFound - 31EC76CC-27EC-4ADC-9869-66AABEDB56F0
- - Captures failures due to having an unrecognized wimmount.sys driver registered on the system.
-56. WinSetupBootFilterFailure - C073BFC8-5810-4E19-B53B-4280B79E096C
- - Detects failures in the kernel mode file operations.
-57. WimMountDriverIssue - 565B60DD-5403-4797-AE3E-BC5CB972FBAE
- - Detects failures in WimMount.sys registration on the system.
-58. DISMImageSessionFailure - 61B7886B-10CD-4C98-A299-B987CB24A11C
- - Captures failure information when DISM fails to start an image session successfully.
-59. FindEarlyDownlevelError - A4CE4FC9-5E10-4BB1-8ECE-3B29EB9D7C52
- - Detects failures in down-level phase before setup platform is invoked.
-60. FindSPFatalError - A4028172-1B09-48F8-AD3B-86CDD7D55852
- - Captures failure information when setup platform encounters a fatal error.
-
-
-## Release notes
-
-06/19/2019 - SetupDiag v1.5.0.0 is released with 60 rules, as a standalone tool available from the Download Center.
- - All date and time outputs are updated to localized format per user request.
- - Added setup Operation and Phase information to /verbose log.
- - Added last Setup Operation and last Setup Phase information to most rules where it make sense (see new output below).
- - Performance improvement in searching setupact.logs to determine correct log to parse.
- - Added SetupDiag version number to text report (xml and json always had it).
- - Added "no match" reports for xml and json per user request.
- - Formatted Json output for easy readability.
- - Performance improvements when searching for setup logs; this should be much faster now.
- - Added 7 new rules: PlugInComplianceBlock, PreReleaseWimMountDriverFound, WinSetupBootFilterFailure, WimMountDriverIssue, DISMImageSessionFailure, FindEarlyDownlevelError, and FindSPFatalError. See the [Rules](#rules) section above for more information.
- - Diagnostic information is now output to the registry at **HKLM\SYSTEM\Setup\MoSetup\Volatile\SetupDiag**
- - The **/AddReg** command was added to toggle registry output. This setting is off by default for offline mode, and on by default for online mode. The command has no effect for online mode and enables registry output for offline mode.
- - This registry key is deleted as soon as SetupDiag is run a second time, and replaced with current data, so it’s always up to date.
- - This registry key also gets deleted when a new update instance is invoked.
- - For an example, see [Sample registry key](#sample-registry-key).
-
-05/17/2019 - SetupDiag v1.4.1.0 is released with 53 rules, as a standalone tool available from the Download Center.
- - This release dds the ability to find and diagnose reset and recovery failures (Push Button Reset).
-
-12/18/2018 - SetupDiag v1.4.0.0 is released with 53 rules, as a standalone tool available from the Download Center.
- - This release includes major improvements in rule processing performance: ~3x faster rule processing performance!
- - The FindDownlevelFailure rule is up to 10x faster.
- - New rules have been added to analyze failures upgrading to Windows 10 version 1809.
- - A new help link is available for resolving servicing stack failures on the down-level OS when the rule match indicates this type of failure.
- - Removed the need to specify /Mode parameter. Now if you specify /LogsPath, it automatically assumes offline mode.
- - Some functional and output improvements were made for several rules.
-
-07/16/2018 - SetupDiag v1.3.1 is released with 44 rules, as a standalone tool available from the Download Center.
- - This release fixes a problem that can occur when running SetupDiag in online mode on a computer that produces a setupmem.dmp file, but does not have debugger binaries installed.
-
-07/10/2018 - SetupDiag v1.30 is released with 44 rules, as a standalone tool available from the Download Center.
- - Bug fix for an over-matched plug-in rule. The rule will now correctly match only critical (setup failure) plug-in issues.
- - New feature: Ability to output logs in JSON and XML format.
- - Use "/Format:xml" or "/Format:json" command line parameters to specify the new output format. See [sample logs](#sample-logs) at the bottom of this topic.
- - If the “/Format:xml” or “/Format:json” parameter is omitted, the log output format will default to text.
- - New Feature: Where possible, specific instructions are now provided in rule output to repair the identified error. For example, instructions are provided to remediate known blocking issues such as uninstalling an incompatible app or freeing up space on the system drive.
- - 3 new rules added: AdvancedInstallerFailed, MigrationAbortedDueToPluginFailure, DISMAddPackageFailed.
-
-05/30/2018 - SetupDiag v1.20 is released with 41 rules, as a standalone tool available from the Download Center.
- - Fixed a bug in device install failure detection in online mode.
- - Changed SetupDiag to work without an instance of setupact.log. Previously, SetupDiag required at least one setupact.log to operate. This change enables the tool to analyze update failures that occur prior to calling SetupHost.
- - Telemetry is refactored to only send the rule name and GUID (or “NoRuleMatched” if no rule is matched) and the Setup360 ReportId. This change assures data privacy during rule processing.
-
-05/02/2018 - SetupDiag v1.10 is released with 34 rules, as a standalone tool available from the Download Center.
- - A performance enhancment has been added to result in faster rule processing.
- - Rules output now includes links to support articles, if applicable.
- - SetupDiag now provides the path and name of files that it is processing.
- - You can now run SetupDiag by simply clicking on it and then examining the output log file.
- - An output log file is now always created, whether or not a rule was matched.
-
-03/30/2018 - SetupDiag v1.00 is released with 26 rules, as a standalone tool available from the Download Center.
-
-## Sample logs
-
-### Text log sample
-
-```
-Matching Profile found: OptionalComponentOpenPackageFailed - 22952520-EC89-4FBD-94E0-B67DF88347F6
-System Information:
- Machine Name = Offline
- Manufacturer = MSI
- Model = MS-7998
- HostOSArchitecture = x64
- FirmwareType = PCAT
- BiosReleaseDate = 20160727000000.000000+000
- BiosVendor = BIOS Date: 07/27/16 10:01:46 Ver: V1.70
- BiosVersion = 1.70
- HostOSVersion = 10.0.15063
- HostOSBuildString = 15063.0.amd64fre.rs2_release.170317-1834
- TargetOSBuildString = 10.0.16299.15 (rs3_release.170928-1534)
- HostOSLanguageId = 2057
- HostOSEdition = Core
- RegisteredAV = Windows Defender,
- FilterDrivers = WdFilter,wcifs,WIMMount,luafv,Wof,FileInfo,
- UpgradeStartTime = 3/21/2018 9:47:16 PM
- UpgradeEndTime = 3/21/2018 10:02:40 PM
- UpgradeElapsedTime = 00:15:24
- ReportId = dd4db176-4e3f-4451-aef6-22cf46de8bde
-
-Error: SetupDiag reports Optional Component installation failed to open OC Package. Package Name: Foundation, Error: 0x8007001F
-Recommend you check the "Windows Modules Installer" service (Trusted Installer) is started on the system and set to automatic start, reboot and try the update again. Optionally, you can check the status of optional components on the system (search for Windows Features), uninstall any unneeded optional components, reboot and try the update again.
-Error: SetupDiag reports down-level failure, Operation: Finalize, Error: 0x8007001F - 0x50015
-Refer to https://docs.microsoft.com/windows/deployment/upgrade/upgrade-error-codes for error information.
-```
-
-### XML log sample
-
-```xml
-
-
+>See [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) for a full list of topics in this article.
+
+ [](https://go.microsoft.com/fwlink/?linkid=870142)
+
+## About SetupDiag
+
+Current version of SetupDiag: 1.6.0.42
+>Always be sure to run the most recent version of SetupDiag, so that can access new functionality and fixes to known issues.
+
+SetupDiag is a standalone diagnostic tool that can be used to obtain details about why a Windows 10 upgrade was unsuccessful.
+
+SetupDiag works by examining Windows Setup log files. It attempts to parse these log files to determine the root cause of a failure to update or upgrade the computer to Windows 10. SetupDiag can be run on the computer that failed to update, or you can export logs from the computer to another location and run SetupDiag in offline mode.
+
+To quickly use SetupDiag on your current computer:
+1. Verify that your system meets the [requirements](#requirements) described below. If needed, install the [.NET framework 4.6](https://www.microsoft.com/download/details.aspx?id=48137).
+2. [Download SetupDiag](https://go.microsoft.com/fwlink/?linkid=870142).
+3. If your web browser asks what to do with the file, choose **Save**. By default, the file will be saved to your **Downloads** folder. You can also save it to a different location if desired by using **Save As**.
+4. When SetupDiag has finished downloading, open the folder where you downloaded the file. As mentioned above, by default this is your **Downloads** folder which is displayed in File Explorer under **Quick access** in the left navigation pane.
+5. Double-click the **SetupDiag** file to run it. Click **Yes** if you are asked to approve running the program.
+ - Double-clicking the file to run it will automatically close the command window when SetupDiag has completed its analysis. If you wish to keep this window open instead, and review the messages that you see, run the program by typing **SetupDiag** at the command prompt instead of double-clicking it. You will need to change directories to the location of SetupDiag to run it this way.
+6. A command window will open while SetupDiag diagnoses your computer. Wait for this to finish.
+7. When SetupDiag finishes, two files will be created in the same folder where you double-clicked SetupDiag. One is a configuration file, the other is a log file.
+8. Use Notepad to open the log file: **SetupDiagResults.log**.
+9. Review the information that is displayed. If a rule was matched this can tell you why the computer failed to upgrade, and potentially how to fix the problem. See the [Text log sample](#text-log-sample) below.
+
+For instructions on how to run the tool in offline mode and with more advanced options, see the [Parameters](#parameters) and [Examples](#examples) sections below.
+
+The [Release notes](#release-notes) section at the bottom of this topic has information about recent updates to this tool.
+
+## Requirements
+
+1. The destination OS must be Windows 10.
+2. [.NET Framework 4.6](https://www.microsoft.com/download/details.aspx?id=48137) must be installed. If you are not sure what version of .NET is currently installed, see [How to: Determine Which .NET Framework Versions Are Installed](https://docs.microsoft.com/dotnet/framework/migration-guide/how-to-determine-which-versions-are-installed). You can also use the following command-line query to display the installed v4 versions:
+
+ ```
+ reg query "HKLM\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4" /s
+ ```
+
+## Parameters
+
+| Parameter | Description |
+| --- | --- |
+| /? |
|
+| /Output:\
|
+| /LogsPath:\
|
+| /ZipLogs:\
|
+| /Format:\
|
+| /Scenario:\[Recovery\] |
|
+| /Verbose |
|
+| /NoTel |
|
+| /AddReg |
|
+| /RegPath |
|
+
+Note: The **/Mode** parameter is deprecated in version 1.4.0.0 of SetupDiag.
+- In previous versions, this command was used with the LogsPath parameter to specify that SetupDiag should run in an offline manner to analyze a set of log files that were captured from a different computer. In version 1.4.0.0 when you specify /LogsPath then SetupDiag will automatically run in offline mode, therefore the /Mode parameter is not needed.
+
+### Examples:
+
+In the following example, SetupDiag is run with default parameters (online mode, results file is SetupDiagResults.log in the same folder where SetupDiag is run).
+
+```
+SetupDiag.exe
+```
+
+In the following example, SetupDiag is run in online mode (this is the default). It will know where to look for logs on the current (failing) system, so there is no need to gather logs ahead of time. A custom location for results is specified.
+
+```
+SetupDiag.exe /Output:C:\SetupDiag\Results.log
+```
+
+The following example uses the /Output parameter to save results to a path name that contains a space:
+
+```
+SetupDiag /Output:"C:\Tools\SetupDiag\SetupDiag Results\Results.log"
+```
+
+The following example specifies that SetupDiag is to run in offline mode, and to process the log files found in **D:\Temp\Logs\LogSet1**.
+
+```
+SetupDiag.exe /Output:C:\SetupDiag\Results.log /LogsPath:D:\Temp\Logs\LogSet1
+```
+
+The following example sets recovery scenario in offline mode. In the example, SetupDiag will search for reset/recovery logs in the specified LogsPath location and output the resuts to the directory specified by the /Output parameter.
+
+```
+SetupDiag.exe /Output:C:\SetupDiag\RecoveryResults.log /LogsPath:D:\Temp\Cabs\PBR_Log /Scenario:Recovery
+```
+
+The following example sets recovery scenario in online mode. In the example, SetupDiag will search for reset/recovery logs on the current system and output results in XML format.
+
+```
+SetupDiag.exe /Scenario:Recovery /Format:xml
+```
+
+
+## Log files
+
+[Windows Setup Log Files and Event Logs](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-log-files-and-event-logs) has information about where logs are created during Windows Setup. For offline processing, you should run SetupDiag against the contents of the entire folder. For example, depending on when the upgrade failed, copy one of the following folders to your offline location:
+
+\\$Windows.~bt\sources\panther
+
\\$Windows.~bt\Sources\Rollback
+
\Windows\Panther
+
\Windows\Panther\NewOS
+
+If you copy the parent folder and all sub-folders, SetupDiag will automatically search for log files in all subdirectories.
+
+## Setup bug check analysis
+
+When Microsoft Windows encounters a condition that compromises safe system operation, the system halts. This condition is called a bug check. It is also commonly referred to as a system crash, a kernel error, a Stop error, or BSOD. Typically a hardware device, hardware driver, or related software causes this error.
+
+If crash dumps [are enabled](https://docs.microsoft.com/windows-hardware/drivers/debugger/enabling-a-kernel-mode-dump-file) on the system, a crash dump file is created. If the bug check occurs during an upgrade, Windows Setup will extract a minidump (setupmem.dmp) file. SetupDiag can also debug these setup related minidumps.
+
+To debug a setup related bug check, you must:
+- Specify the **/LogsPath** parameter. You cannot debug memory dumps in online mode.
+- Gather the setup memory dump file (setupmem.dmp) from the failing system.
+ - Setupmem.dmp will be created in either **%SystemDrive%\$Windows.~bt\Sources\Rollback**, or in **%WinDir%\Panther\NewOS\Rollback** depending on when the bug check occurs.
+- Install the [Windows Debugging Tools](https://docs.microsoft.com/windows-hardware/drivers/debugger/debugger-download-tools) on the computer that runs SetupDiag.
+
+In the following example, the **setupmem.dmp** file is copied to the **D:\Dump** directory and the Windows Debugging Tools are installed prior to running SetupDiag:
+
+```
+SetupDiag.exe /Output:C:\SetupDiag\Dumpdebug.log /LogsPath:D:\Dump
+```
+
+## Known issues
+
+1. Some rules can take a long time to process if the log files involved are large.
+
+
+## Sample output
+
+The following is an example where SetupDiag is run in offline mode.
+
+```
+D:\SetupDiag>SetupDiag.exe /output:c:\setupdiag\result.xml /logspath:D:\Tests\Logs\f55be736-beed-4b9b-aedf-c133536c946e /format:xml
+
+SetupDiag v1.6.0.0
+Copyright (c) Microsoft Corporation. All rights reserved.
+
+Searching for setup logs...
+Found d:\tests\Logs\f55be736-beed-4b9b-aedf-c133536c946e\setupact_6.log with update date 6/12/2019 2:44:20 PM to be the correct setup log.
+Found d:\tests\Logs\f55be736-beed-4b9b-aedf-c133536c946e\setupact_1.log with update date 6/12/2019 2:45:19 PM to be the correct rollback log.
+
+Gathering baseline information from setup logs...
+
+SetupDiag: processing rule: CompatScanOnly.
+...No match.
+
+...
+
+SetupDiag: processing rule: DISMImageSessionFailure.
+..
+Error: SetupDiag reports DISM provider failure.
+Last Phase: Safe OS
+Last Operation: Apply Optional Component status
+Message = Failed to get the IDismImage instance from the image session
+Function: CDISMManager::CloseImageSession
+Error: 0x800706ba
+Recommend you re-download the update source files, reboot and try the update again.
+
+SetupDiag found 1 matching issue.
+
+SetupDiag results were logged to: c:\setupdiag\results.xml
+Logs ZipFile created at: c:\setupdiag\Logs_14.zip
+
+```
+
+## Rules
+
+When searching log files, SetupDiag uses a set of rules to match known issues. These rules are contained in the rules.xml file which is extracted when SetupDiag is run. The rules.xml file might be updated as new versions of SetupDiag are made available. See [Release notes](#release-notes) for more information.
+
+Each rule name and its associated unique rule identifier are listed with a description of the known upgrade-blocking issue. In the rule descriptions, the term "down-level" refers to the first phase of the upgrade process, which runs under the starting OS.
+
+1. CompatScanOnly - FFDAFD37-DB75-498A-A893-472D49A1311D
+ - This rule indicates that setup.exe was called with a specific command line parameter that indicated setup was to do a compat scan only, not an upgrade.
+2. BitLockerHardblock - C30152E2-938E-44B8-915B-D1181BA635AE
+ - This is a block when the target OS does not support BitLocker, yet the host OS has BitLocker enabled.
+3. VHDHardblock - D9ED1B82-4ED8-4DFD-8EC0-BE69048978CC
+ - This block happens when the host OS is booted to a VHD image. Upgrade is not supported when the host OS is booted from a VHD image.
+4. PortableWorkspaceHardblock - 5B0D3AB4-212A-4CE4-BDB9-37CA404BB280
+ - This indicates that the host OS is booted from a Windows To-Go device (USB key). Upgrade is not supported in the Windows To-Go environment.
+5. AuditModeHardblock - A03BD71B-487B-4ACA-83A0-735B0F3F1A90
+ - This block indicates that the host OS is currently booted into Audit Mode, a special mode for modifying the Windows state. Upgrade is not supported from this state.
+6. SafeModeHardblock - 404D9523-B7A8-4203-90AF-5FBB05B6579B
+ - This block indicates that the host OS is booted to Safe Mode, where upgrade is not supported.
+7. InsufficientSystemPartitionDiskSpaceHardblock - 3789FBF8-E177-437D-B1E3-D38B4C4269D1
+ - This block is encountered when setup determines the system partition (where the boot loader files are stored) does not have enough space to be serviced with the newer boot files required during the upgrade process.
+8. CompatBlockedApplicationAutoUninstall – BEBA5BC6-6150-413E-8ACE-5E1EC8D34DD5
+ - This rule indicates there is an application that needs to be uninstalled before setup can continue.
+9. CompatBlockedApplicationDismissable - EA52620B-E6A0-4BBC-882E-0686605736D9
+ - When running setup in /quiet mode, there are dismissible application messages that turn into blocks unless the command line also specifies “/compat ignorewarning”. This rule indicates setup was executed in /quiet mode but there is an application dismissible block message that have prevented setup from continuing.
+10. CompatBlockedApplicationManualUninstall - 9E912E5F-25A5-4FC0-BEC1-CA0EA5432FF4
+ - This rule indicates that an application without an Add/Remove Programs entry, is present on the system and blocking setup from continuing. This typically requires manual removal of the files associated with this application to continue.
+11. HardblockDeviceOrDriver - ED3AEFA1-F3E2-4F33-8A21-184ADF215B1B
+ - This indicates a device driver that is loaded on the host OS is not compatible with the newer OS version and needs to be removed prior to the upgrade.
+12. HardblockMismatchedLanguage - 60BA8449-CF23-4D92-A108-D6FCEFB95B45
+ - This rule indicates the host OS and the target OS language editions do not match.
+13. HardblockFlightSigning - 598F2802-3E7F-4697-BD18-7A6371C8B2F8
+ - This rule indicates the target OS is a pre-release, Windows Insider build, and the target machine has Secure Boot enabled. This will block the pre-release signed build from booting if installed on the machine.
+14. DiskSpaceBlockInDownLevel - 6080AFAC-892E-4903-94EA-7A17E69E549E
+ - This failure indicates the system ran out of disk space during the down-level operations of upgrade.
+15. DiskSpaceFailure - 981DCBA5-B8D0-4BA7-A8AB-4030F7A10191
+ - This failure indicates the system drive ran out of available disk space at some point after the first reboot into the upgrade.
+16. DeviceInstallHang - 37BB1C3A-4D79-40E8-A556-FDA126D40BC6
+ - This failure rule indicates the system hung or bug checked during the device installation phase of upgrade.
+17. DebugSetupMemoryDump - C7C63D8A-C5F6-4255-8031-74597773C3C6
+ - This offline only rule indicates a bug check occurred during setup. If the debugger tools are available on the system, SetupDiag will debug the memory dump and provide details.
+18. DebugSetupCrash - CEEBA202-6F04-4BC3-84B8-7B99AED924B1
+ - This offline only rule indicates that setup itself encountered a failure that resulted in a process memory dump. If the debugger tools are installed on the system, SetupDiag will debug the memory dump and give further details.
+19. DebugMemoryDump - 505ED489-329A-43F5-B467-FCAAF6A1264C
+ - This offline only rule is for any memory.dmp file that resulted during the setup/upgrade operation. If the debugger tools are installed on the system, SetupDiag will debug the memory dump and give further details.
+20. BootFailureDetected - 4FB446C2-D4EC-40B4-97E2-67EB19D1CFB7
+ - This rule indicates a boot failure occurred during a specific phase of the update. The rule will indicate the failure code and phase for diagnostic purposes.
+21. FindDebugInfoFromRollbackLog - 9600EB68-1120-4A87-9FE9-3A4A70ACFC37
+ - This rule will determine and give details when a bug check occurs during the setup/upgrade process that resulted in a memory dump, but without the requirement of the debugger package being on the executing machine.
+22. AdvancedInstallerFailed - 77D36C96-32BE-42A2-BB9C-AAFFE64FCADC
+ - Finds fatal advanced installer operations that cause setup failures.
+23. FindMigApplyUnitFailure - A4232E11-4043-4A37-9BF4-5901C46FD781
+ - Detects a migration unit failure that caused the update to fail. This rule will output the name of the migration plug-in as well as the error code it produced for diagnostic purposes.
+24. FindMigGatherUnitFailure - D04C064B-CD77-4E64-96D6-D26F30B4EE29
+ - Detects a migration gather unit failure that caused the update to fail. This rule will output the name of the gather unit/plug-in as well as the error code it produced for diagnostic purposes.
+25. CriticalSafeOSDUFailure - 73566DF2-CA26-4073-B34C-C9BC70DBF043
+ - This rule indicates a failure occurred while updating the SafeOS image with a critical dynamic update. It will indicate the phase and error code that occurred while attempting to update the SafeOS image for diagnostic purposes.
+26. UserProfileCreationFailureDuringOnlineApply - 678117CE-F6A9-40C5-BC9F-A22575C78B14
+ - Indicates there was a critical failure while creating or modifying a User Profile during the online apply phase of the update. It will indicate the operation and error code associated with the failure for diagnostic purposes.
+27. WimMountFailure - BE6DF2F1-19A6-48C6-AEF8-D3B0CE3D4549
+ - This rule indicates the update failed to mount a wim file. It will show the name of the wim file as well as the error message and error code associated with the failure for diagnostic purposes.
+28. FindSuccessfulUpgrade - 8A0824C8-A56D-4C55-95A0-22751AB62F3E
+ - Determines if the given setup was a success or not based off the logs.
+29. FindSetupHostReportedFailure - 6253C04F-2E4E-4F7A-B88E-95A69702F7EC
+ - Gives information about failures surfaced early in the upgrade process by setuphost.exe
+30. FindDownlevelFailure - 716334B7-F46A-4BAA-94F2-3E31BC9EFA55
+ - Gives failure information surfaced by SetupPlatform, later in the down-level phase.
+31. FindAbruptDownlevelFailure - 55882B1A-DA3E-408A-9076-23B22A0472BD
+ - Gives last operation failure information when the system fails in the down-level, but the log just ends abruptly.
+32. FindSetupPlatformFailedOperationInfo - 307A0133-F06B-4B75-AEA8-116C3B53C2D1
+ - Gives last phase and error information when SetupPlatform indicates a critical failure. This rule will indicate the operation and error associated with the failure for diagnostic purposes.
+33. FindRollbackFailure - 3A43C9B5-05B3-4F7C-A955-88F991BB5A48
+ - Gives last operation, failure phase and error information when a rollback occurs.
+34. AdvancedInstallerGenericFailure – 4019550D-4CAA-45B0-A222-349C48E86F71
+ - A rule to match AdvancedInstaller read/write failures in a generic sense. Will output the executable being called as well as the error code and exit code reported.
+35. OptionalComponentFailedToGetOCsFromPackage – D012E2A2-99D8-4A8C-BBB2-088B92083D78 (NOTE: This rule replaces the OptionalComponentInstallFailure rule present in v1.10.
+ - This matches a specific Optional Component failure when attempting to enumerate components in a package. Will output the package name and error code.
+36. OptionalComponentOpenPackageFailed – 22952520-EC89-4FBD-94E0-B67DF88347F6
+ - Matches a specific Optional Component failure when attempting to open an OC package. Will output the package name and error code.
+37. OptionalComponentInitCBSSessionFailed – 63340812-9252-45F3-A0F2-B2A4CA5E9317
+ - Matches a specific failure where the advanced installer service or components aren’t operating or started on the system. Will output the error code.
+38. UserProfileCreationFailureDuringFinalize – C6677BA6-2E53-4A88-B528-336D15ED1A64
+ - Matches a specific User Profile creation error during the finalize phase of setup. Will output the failure code.
+39. WimApplyExtractFailure – 746879E9-C9C5-488C-8D4B-0C811FF3A9A8
+ - Matches a wim apply failure during wim extraction phases of setup. Will output the extension, path and error code.
+40. UpdateAgentExpanderFailure – 66E496B3-7D19-47FA-B19B-4040B9FD17E2
+ - Matches DPX expander failures in the down-level phase of update from WU. Will output the package name, function, expression and error code.
+41. FindFatalPluginFailure – E48E3F1C-26F6-4AFB-859B-BF637DA49636
+ - Matches any plug-in failure that setupplatform decides is fatal to setup. Will output the plugin name, operation and error code.
+42. AdvancedInstallerFailed - 77D36C96-32BE-42A2-BB9C-AAFFE64FCADC
+ - Indicates critical failure in the AdvancedInstaller while running an installer package, includes the .exe being called, the phase, mode, component and error codes.
+43. MigrationAbortedDueToPluginFailure - D07A24F6-5B25-474E-B516-A730085940C9
+ - Indicates a critical failure in a migration plugin that causes setup to abort the migration. Will provide the setup operation, plug-in name, plug-in action and error code.
+44. DISMAddPackageFailed - 6196FF5B-E69E-4117-9EC6-9C1EAB20A3B9
+ - Indicates a critical failure during a DISM add package operation. Will specify the Package Name, DISM error and add package error code.
+45. PlugInComplianceBlock - D912150B-1302-4860-91B5-527907D08960
+ - Detects all compat blocks from Server compliance plug-ins. Outputs the block information and remediation.
+46. AdvancedInstallerGenericFailure - 4019550D-4CAA-45B0-A222-349C48E86F71
+ - Triggers on advanced installer failures in a generic sense, outputting the application called, phase, mode, component and error code.
+47. FindMigGatherApplyFailure - A9964E6C-A2A8-45FF-B6B5-25E0BD71428E
+ - Shows errors when the migration Engine fails out on a gather or apply operation. Indicates the Migration Object (file or registry path), the Migration
+48. OptionalComponentFailedToGetOCsFromPackage - D012E2A2-99D8-4A8C-BBB2-088B92083D78
+ - Indicates the optional component (OC) migration operation failed to enumerate optional components from an OC Package. Outputs the package name and error code.
+49. OptionalComponentOpenPackageFailed - 22952520-EC89-4FBD-94E0-B67DF88347F6
+ - Indicates the optional component migration operation failed to open an optional component Package. Outputs the package name and error code.
+50. OptionalComponentInitCBSSessionFailed - 63340812-9252-45F3-A0F2-B2A4CA5E9317
+ - Indicates corruption in the servicing stack on the down-level system. Outputs the error code encountered while trying to initialize the servicing component on the existing OS.
+51. DISMproviderFailure - D76EF86F-B3F8-433F-9EBF-B4411F8141F4
+ - Triggers when a DISM provider (plug-in) fails in a critical operation. Outputs the file (plug-in name), function called + error code, and error message from the provider.
+52. SysPrepLaunchModuleFailure - 7905655C-F295-45F7-8873-81D6F9149BFD
+ - Indicates a sysPrep plug-in has failed in a critical operation. Indicates the plug-in name, operation name and error code.
+53. UserProvidedDriverInjectionFailure - 2247C48A-7EE3-4037-AFAB-95B92DE1D980
+ - A driver provided to setup (via command line input) has failed in some way. Outputs the driver install function and error code.
+54. PlugInComplianceBlock - D912150B-1302-4860-91B5-527907D08960
+ - These are for server upgrades only, will output the compliance block and remediation required.
+55. PreReleaseWimMountDriverFound - 31EC76CC-27EC-4ADC-9869-66AABEDB56F0
+ - Captures failures due to having an unrecognized wimmount.sys driver registered on the system.
+56. WinSetupBootFilterFailure - C073BFC8-5810-4E19-B53B-4280B79E096C
+ - Detects failures in the kernel mode file operations.
+57. WimMountDriverIssue - 565B60DD-5403-4797-AE3E-BC5CB972FBAE
+ - Detects failures in WimMount.sys registration on the system.
+58. DISMImageSessionFailure - 61B7886B-10CD-4C98-A299-B987CB24A11C
+ - Captures failure information when DISM fails to start an image session successfully.
+59. FindEarlyDownlevelError - A4CE4FC9-5E10-4BB1-8ECE-3B29EB9D7C52
+ - Detects failures in down-level phase before setup platform is invoked.
+60. FindSPFatalError - A4028172-1B09-48F8-AD3B-86CDD7D55852
+ - Captures failure information when setup platform encounters a fatal error.
+
+
+## Release notes
+
+08/08/2019 - SetupDiag v1.6.0.42 is released with 60 rules, as a standalone tool available from the Download Center.
+ - Log detection performance is improved. What used to take up to a minute should take around 10 seconds or less.
+ - Added Setup Operation and Setup Phase information to both the results log and the registry information.
+ - This is the last Operation and Phase that Setup was in when the failure occurred.
+ - Added detailed Setup Operation and Setup Phase information (and timing) to output log when /verbose is specified.
+ - Note, if the issue found is a compat block, no Setup Operation or Phase info exists yet and therefore won’t be available.
+ - Added more info to the Registry output.
+ - Detailed ‘FailureData’ info where available. Example: “AppName = MyBlockedApplication” or “DiskSpace = 6603” (in MB)
+ - “Key = Value” data specific to the failure found.
+ - Added ‘UpgradeStartTime’, ‘UpgradeEndTime’ and ‘UpgradeElapsedTime’
+ - Added ‘SetupDiagVersion’, ‘DateTime’ (to indicate when SetupDiag was executed on the system), ‘TargetOSVersion’, ‘HostOSVersion’ and more…
+
+
+06/19/2019 - SetupDiag v1.5.0.0 is released with 60 rules, as a standalone tool available from the Download Center.
+- All date and time outputs are updated to localized format per user request.
+- Added setup Operation and Phase information to /verbose log.
+- Added last Setup Operation and last Setup Phase information to most rules where it make sense (see new output below).
+- Performance improvement in searching setupact.logs to determine correct log to parse.
+- Added SetupDiag version number to text report (xml and json always had it).
+- Added "no match" reports for xml and json per user request.
+- Formatted Json output for easy readability.
+- Performance improvements when searching for setup logs; this should be much faster now.
+- Added 7 new rules: PlugInComplianceBlock, PreReleaseWimMountDriverFound, WinSetupBootFilterFailure, WimMountDriverIssue, DISMImageSessionFailure, FindEarlyDownlevelError, and FindSPFatalError. See the [Rules](#rules) section above for more information.
+- Diagnostic information is now output to the registry at **HKLM\SYSTEM\Setup\MoSetup\Volatile\SetupDiag**
+ - The **/AddReg** command was added to toggle registry output. This setting is off by default for offline mode, and on by default for online mode. The command has no effect for online mode and enables registry output for offline mode.
+ - This registry key is deleted as soon as SetupDiag is run a second time, and replaced with current data, so it’s always up to date.
+ - This registry key also gets deleted when a new update instance is invoked.
+ - For an example, see [Sample registry key](#sample-registry-key).
+
+05/17/2019 - SetupDiag v1.4.1.0 is released with 53 rules, as a standalone tool available from the Download Center.
+- This release dds the ability to find and diagnose reset and recovery failures (Push Button Reset).
+
+12/18/2018 - SetupDiag v1.4.0.0 is released with 53 rules, as a standalone tool available from the Download Center.
+- This release includes major improvements in rule processing performance: ~3x faster rule processing performance!
+ - The FindDownlevelFailure rule is up to 10x faster.
+- New rules have been added to analyze failures upgrading to Windows 10 version 1809.
+- A new help link is available for resolving servicing stack failures on the down-level OS when the rule match indicates this type of failure.
+- Removed the need to specify /Mode parameter. Now if you specify /LogsPath, it automatically assumes offline mode.
+- Some functional and output improvements were made for several rules.
+
+07/16/2018 - SetupDiag v1.3.1 is released with 44 rules, as a standalone tool available from the Download Center.
+- This release fixes a problem that can occur when running SetupDiag in online mode on a computer that produces a setupmem.dmp file, but does not have debugger binaries installed.
+
+07/10/2018 - SetupDiag v1.30 is released with 44 rules, as a standalone tool available from the Download Center.
+- Bug fix for an over-matched plug-in rule. The rule will now correctly match only critical (setup failure) plug-in issues.
+- New feature: Ability to output logs in JSON and XML format.
+ - Use "/Format:xml" or "/Format:json" command line parameters to specify the new output format. See [sample logs](#sample-logs) at the bottom of this topic.
+ - If the “/Format:xml” or “/Format:json” parameter is omitted, the log output format will default to text.
+- New Feature: Where possible, specific instructions are now provided in rule output to repair the identified error. For example, instructions are provided to remediate known blocking issues such as uninstalling an incompatible app or freeing up space on the system drive.
+- 3 new rules added: AdvancedInstallerFailed, MigrationAbortedDueToPluginFailure, DISMAddPackageFailed.
+
+05/30/2018 - SetupDiag v1.20 is released with 41 rules, as a standalone tool available from the Download Center.
+- Fixed a bug in device install failure detection in online mode.
+- Changed SetupDiag to work without an instance of setupact.log. Previously, SetupDiag required at least one setupact.log to operate. This change enables the tool to analyze update failures that occur prior to calling SetupHost.
+- Telemetry is refactored to only send the rule name and GUID (or “NoRuleMatched” if no rule is matched) and the Setup360 ReportId. This change assures data privacy during rule processing.
+
+05/02/2018 - SetupDiag v1.10 is released with 34 rules, as a standalone tool available from the Download Center.
+- A performance enhancment has been added to result in faster rule processing.
+- Rules output now includes links to support articles, if applicable.
+- SetupDiag now provides the path and name of files that it is processing.
+- You can now run SetupDiag by simply clicking on it and then examining the output log file.
+- An output log file is now always created, whether or not a rule was matched.
+
+03/30/2018 - SetupDiag v1.00 is released with 26 rules, as a standalone tool available from the Download Center.
+
+## Sample logs
+
+### Text log sample
+
+```
+Matching Profile found: OptionalComponentOpenPackageFailed - 22952520-EC89-4FBD-94E0-B67DF88347F6
+System Information:
+ Machine Name = Offline
+ Manufacturer = MSI
+ Model = MS-7998
+ HostOSArchitecture = x64
+ FirmwareType = PCAT
+ BiosReleaseDate = 20160727000000.000000+000
+ BiosVendor = BIOS Date: 07/27/16 10:01:46 Ver: V1.70
+ BiosVersion = 1.70
+ HostOSVersion = 10.0.15063
+ HostOSBuildString = 15063.0.amd64fre.rs2_release.170317-1834
+ TargetOSBuildString = 10.0.16299.15 (rs3_release.170928-1534)
+ HostOSLanguageId = 2057
+ HostOSEdition = Core
+ RegisteredAV = Windows Defender,
+ FilterDrivers = WdFilter,wcifs,WIMMount,luafv,Wof,FileInfo,
+ UpgradeStartTime = 3/21/2018 9:47:16 PM
+ UpgradeEndTime = 3/21/2018 10:02:40 PM
+ UpgradeElapsedTime = 00:15:24
+ ReportId = dd4db176-4e3f-4451-aef6-22cf46de8bde
+
+Error: SetupDiag reports Optional Component installation failed to open OC Package. Package Name: Foundation, Error: 0x8007001F
+Recommend you check the "Windows Modules Installer" service (Trusted Installer) is started on the system and set to automatic start, reboot and try the update again. Optionally, you can check the status of optional components on the system (search for Windows Features), uninstall any unneeded optional components, reboot and try the update again.
+Error: SetupDiag reports down-level failure, Operation: Finalize, Error: 0x8007001F - 0x50015
+Refer to https://docs.microsoft.com/windows/deployment/upgrade/upgrade-error-codes for error information.
+```
+
+### XML log sample
+
+```xml
+
+
[Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752.aspx)
-
[Windows 10 Specifications](https://www.microsoft.com/en-us/windows/Windows-10-specifications)
+
[Windows 10 Specifications](https://www.microsoft.com/windows/Windows-10-specifications)
[Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro)
[Fix Windows Update errors by using the DISM or System Update Readiness tool](https://support.microsoft.com/kb/947821)
diff --git a/windows/deployment/upgrade/upgrade-error-codes.md b/windows/deployment/upgrade/upgrade-error-codes.md
index f06c6fb87b..0dd0d042c6 100644
--- a/windows/deployment/upgrade/upgrade-error-codes.md
+++ b/windows/deployment/upgrade/upgrade-error-codes.md
@@ -154,6 +154,6 @@ For example: An extend code of **0x4000D**, represents a problem during phase 4
[Windows 10 FAQ for IT professionals](https://technet.microsoft.com/windows/dn798755.aspx)
[Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752.aspx)
-
[Windows 10 Specifications](https://www.microsoft.com/en-us/windows/Windows-10-specifications)
+
[Windows 10 Specifications](https://www.microsoft.com/windows/Windows-10-specifications)
[Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro)
[Fix Windows Update errors by using the DISM or System Update Readiness tool](https://support.microsoft.com/kb/947821)
diff --git a/windows/deployment/upgrade/upgrade-readiness-additional-insights.md b/windows/deployment/upgrade/upgrade-readiness-additional-insights.md
index 93d1f63cc0..c6c73aa23e 100644
--- a/windows/deployment/upgrade/upgrade-readiness-additional-insights.md
+++ b/windows/deployment/upgrade/upgrade-readiness-additional-insights.md
@@ -5,7 +5,8 @@ manager: laurawi
ms.author: greglin
description: Explains additional features of Upgrade Readiness.
ms.prod: w10
-audience: itpro
author: greg-lindsay
+audience: itpro
+author: greg-lindsay
ms.topic: article
ms.collection: M365-analytics
---
@@ -14,44 +15,9 @@ ms.collection: M365-analytics
This topic provides information on additional features that are available in Upgrade Readiness to provide insights into your environment. These include:
-- [Spectre and Meltdown protections](#spectre-and-meltdown-protection-status): Status of devices with respect to their anti-virus, security update, and firmware updates related to protection from the "Spectre" and "Meltdown" vulnerabilities.
- [Site discovery](#site-discovery): An inventory of web sites that are accessed by client computers running Windows 7, Windows 8.1, or Windows 10 using Internet Explorer.
- [Office add-ins](#office-add-ins): A list of the Microsoft Office add-ins that are installed on client computers.
-## Spectre and Meltdown protection status
-Microsoft has published guidance for IT Pros that outlines the steps you can take to improve protection against the hardware vulnerabilities known as "Spectre" and "Meltdown." See [Windows Client Guidance for IT Pros to protect against speculative execution side-channel vulnerabilities](https://go.microsoft.com/fwlink/?linkid=867468) for details about the vulnerabilities and steps you can take.
-
-Microsoft recommends three steps to help protect against the Spectre and Meltdown vulnerabilities:
-- Verify that you are running a supported antivirus application.
-- Apply all available Windows operating system updates, including the January 2018 and later Windows security updates.
-- Apply any applicable processor firmware (microcode) updates provided by your device manufacturer(s).
-
-Upgrade Readiness reports on status of your devices in these three areas.
-
-
-
->[!IMPORTANT]
->To provide these blades with data, ensure that your devices can reach the endpoint **http://adl.windows.com**. (See [Enrolling devices in Windows Analytics](https://docs.microsoft.com/windows/deployment/update/windows-analytics-get-started) for more about necessary endpoints and how to whitelist them.)
-
-### Anti-virus status blade
-This blade helps you determine if your devices' anti-virus solution is compatible with the latest Windows operating system updates. It shows the number of devices that have an anti-virus solution with no known issues, issues reported, or an unknown status for a particular Windows security update. In the following example, an anti-virus solution that has no known issues with the January 3, 2018 Windows update is installed on about 2,800 devices.
-
-
-
-### Security update status blade
-This blade indicates whether a Windows security update that includes Spectre- or Meltdown-related fixes (January 3, 2018 or later) has been installed, as well as whether specific fixes have been disabled. Though protections are enabled by default on devices running Windows (but not Windows Server) operating systems, some IT administrators might choose to disable specific protections. In the following example, about 4,300 devices have a Windows security update that includes Spectre or Meltdown protections installed, and those protections are enabled.
-
-
-
->[!IMPORTANT]
->If you are seeing computers with statuses of either “Unknown – action may be required” or “Installed, but mitigation status unknown,” it is likely that you need to whitelist the **http://adl.windows.com** endpoint.
-
-### Firmware update status blade
-This blade reports the number of devices that have installed a firmware update that includes Spectre or Meltdown protections. The blade might report a large number of blank, “unknown”, or “to be determined” statuses at first. As CPU information is provided by partners, the blade will automatically update with no further action required on your part.
-
-
-
-
## Site discovery
The IE site discovery feature in Upgrade Readiness provides an inventory of web sites that are accessed by client computers using Internet Explorer on Windows 7, Windows 8.1, and Windows 10. Site discovery does not include sites that are accessed using other Web browsers, such as Microsoft Edge. Site inventory information is provided as optional data related to upgrading to Windows 10 and Internet Explorer 11, and is meant to help prioritize compatibility testing for web applications. You can make more informed decisions about testing based on usage data.
diff --git a/windows/deployment/upgrade/upgrade-readiness-deployment-script.md b/windows/deployment/upgrade/upgrade-readiness-deployment-script.md
index 1eef483854..8ad77cca4e 100644
--- a/windows/deployment/upgrade/upgrade-readiness-deployment-script.md
+++ b/windows/deployment/upgrade/upgrade-readiness-deployment-script.md
@@ -1,190 +1,191 @@
----
-title: Upgrade Readiness deployment script (Windows 10)
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-description: Deployment script for Upgrade Readiness.
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: deploy
-audience: itpro
author: greg-lindsay
-ms.topic: article
-ms.collection: M365-analytics
----
-
-# Upgrade Readiness deployment script
-
-To automate the steps provided in [Get started with Upgrade Readiness](upgrade-readiness-get-started.md), and to troubleshoot data sharing issues, you can run the [Upgrade Readiness deployment script](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409), developed by Microsoft.
-
->[!IMPORTANT]
->Upgrade Readiness was previously called Upgrade Analytics. References to Upgrade Analytics in any scripts or online content pertain to the Upgrade Readiness solution.
-
->[!IMPORTANT]
->The latest version of the Upgrade Readiness Script is **2.4.4 - 10.10.2018**
-
-For detailed information about using the Upgrade Readiness (also known as upgrade analytics) deployment script, see the [Upgrade Analytics blog](https://techcommunity.microsoft.com/t5/Windows-Analytics-Blog/New-version-of-the-Upgrade-Analytics-Deployment-Script-available/ba-p/187164?advanced=false&collapse_discussion=true&q=new%20version%20of%20the%20upgrade%20analytics%20deployment%20script%20available&search_type=thread).
-
-> The following guidance applies to version **2.4.4 - 10.10.2018** of the Upgrade Readiness deployment script. If you are using an older version, download the latest from the [Download Center](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409).
-
-The Upgrade Readiness deployment script does the following:
-
-1. Sets commercial ID key + CommercialDataOptIn + RequestAllAppraiserVersions keys.
-2. Verifies that user computers can send data to Microsoft.
-3. Checks whether the computer has a pending restart.
-4. Verifies that the latest version of KB package 10.0.x is installed (version 10.0.14348 or later is required, but version 10.0.14913 or later is recommended).
-5. If enabled, turns on verbose mode for troubleshooting.
-6. Initiates the collection of the diagnostic data that Microsoft needs to assess your organization’s upgrade readiness.
-7. If enabled, displays the script’s progress in a cmd window, providing you immediate visibility into issues (success or fail for each step) and/or writes to log file.
-
-## Running the script
-
->There should be no performance impact caused by the script. The script is a light wrapper of Windows in-box components that undergo performance testing and optimization to avoid any performance impact. However, typically the script is scheduled to be run outside of working hours.
->
->Do not run the script at each sign-on. It is recommended to run the script once every 30 days.
->
->The length of time the script takes to run on each system depends on the number of apps and drivers, and the type of hardware. Anti-virus software scanning simultaneously can increase the script run time, but the script should require no longer than 10 minutes to run, and typically the time is much shorter. If the script is observed running for an extended period of time, please run the Pilot script, and collect logs to share with Microsoft. Log files are created in the drive that is specified in the RunConfig.bat file. By default this is set to: **%SystemDrive%\UADiagnostics**.
-
-To run the Upgrade Readiness deployment script:
-
-1. Download the [Upgrade Readiness deployment script](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409) and extract the .zip file. Inside, there are two folders: **Pilot** and **Deployment**. The **Pilot** folder contains advanced logging that can help troubleshoot issues and is intended to be run from an elevated command prompt. The **Deployment** folder offers a lightweight script intended for broad deployment through ConfigMgr or other software deployment system. We recommend manually running the Pilot version of the script on 5-10 machines to verify that everything is configured correctly. Once you have confirmed that data is flowing successfully, proceed to run the Deployment version throughout your organization.
-
-2. Edit the following parameters in RunConfig.bat:
-
- 1. Provide a storage location for log information. You can store log information on a remote file share or a local directory. If the script is blocked from creating the log file for the given path, it creates the log files in the drive with the Windows directory. Example: %SystemDrive%\\UADiagnostics
-
- 2. Input your commercial ID key. To find your commercial ID, first navigate to the **Solutions** tab for your workspace, and then select the solution. From there, select the **Settings** page, where you can find and copy your commercial ID:
-
- 3. By default, the script sends log information to both the console and the log file. To change the default behavior, use one of the following options:
-
- > *logMode = 0 log to console only*
- >
- > *logMode = 1 log to file and console*
- >
- > *logMode = 2 log to file only*
-
-3. To enable Internet Explorer data collection, set AllowIEData to IEDataOptIn. By default, AllowIEData is set to Disable. Then use one of the following options to determine what Internet Explorer data can be collected:
-
- > *IEOptInLevel = 0 Internet Explorer data collection is disabled*
- >
- > *IEOptInLevel = 1 Data collection is enabled for sites in the Local intranet + Trusted sites + Machine local zones*
- >
- > *IEOptInLevel = 2 Data collection is enabled for sites in the Internet + Restricted sites zones*
- >
- > *IEOptInLevel = 3 Data collection is enabled for all sites*
-
-4. The deployment script is configured to collect and send diagnostic and debugging data to Microsoft. If you wish to disable sending diagnostic and debugging data to Microsoft, set **AppInsightsOptIn = false**. By default, **AppInsightsOptIn** is set to **true**.
-
- The data that is sent is the same data that is collected in the text log file that captures the events and error codes while running the script. This file is named in the following format: **UA_yyyy_mm_dd_hh_mm_ss_machineID.txt**. Log files are created in the drive that is specified in the RunConfig.bat file. By default this is set to: **%SystemDrive%\UADiagnostics**.
-
- This data gives us the ability to determine the status of your machines and to help troubleshoot issues. If you choose to opt-in to and send this data to Microsoft, you must also allow https traffic to be sent to the following wildcard endpoints:
-
- \*vortex\*.data.microsoft.com
- \*settings\*.data.microsoft.com
-
-5. The deployment script configures insider builds to continue to send the device name to the diagnostic data management service and the analytics portal. If you do not want to have insider builds send the device name sent to analytics and be available in the analytics portal, set **DeviceNAmeOptIn = false**. By default it is true, which preserves the behavior on previous versions of Windows. This setting only applies to insider builds. Note that the device name is also sent to AppInsights, so to ensure the device name is not sent to either place you would need to also set **AppInsightsOptIn = false**.
-
-6. After you finish editing the parameters in RunConfig.bat, you are ready to run the script. If you are using the Pilot version, run RunConfig.bat from an elevated command prompt. If you are using the Deployment version, use ConfigMgr or other software deployment service to run RunConfig.bat as system.
-
-## Exit codes
-
-The deployment script displays the following exit codes to let you know if it was successful, or if an error was encountered.
-
-| Exit code | Suggested fix |
-|-----------|--------------|
-| 0 - Success | N/A |
-| 1 - Unexpected error occurred while executing the script. | The files in the deployment script are likely corrupted. Download the [latest script](https://go.microsoft.com/fwlink/?LinkID=822966) from the download center and try again. |
-| 2 - Error when logging to console. $logMode = 0. (console only) | Try changing the $logMode value to **1** and try again. $logMode value 1 logs to both console and file. |
-| 3 - Error when logging to console and file. $logMode = 1. | Verify that you have set the logPath parameter in RunConfig.bat, and that the configuration script has access to connect and write to this location. |
-| 4 - Error when logging to file. $logMode = 2. | Verify that you have set the logPath parameter in RunConfig.bat, and that the configuration script has access to connect and write to this location. |
-| 5 - Error when logging to console and file. $logMode = unknown. | Verify that you have set the logPath parameter in RunConfig.bat, and that the configuration script has access to connect and write to this location. |
-| 6 - The commercialID parameter is set to unknown. | Modify the runConfig.bat file to set the CommercialID value. The value for parameter in the runconfig.bat file should match the Commercial ID key for your workspace. See [Generate your Commercial ID key](https://technet.microsoft.com/itpro/windows/deploy/upgrade-readiness-get-started#generate-your-commercial-id-key) for instructions on generating a Commercial ID key for your workspace. |
-| 8 - Failure to create registry key path: **HKLM:\SOFTWARE\Microsoft\Windows \CurrentVersion\Policies\DataCollection**. The Commercial Id property is set at the following registry key path: **HKLM:\SOFTWARE\Microsoft\Windows \CurrentVersion\Policies\DataCollection** | Verify that the context under which the script in running has access to the registry key. |
-| 9 - The script failed to write Commercial Id to registry.
-Error creating or updating registry key: **CommercialId** at **HKLM:\SOFTWARE\Microsoft\Windows \CurrentVersion\Policies\DataCollection** | Verify that the context under which the script in running has access to the registry key. |
-| 10 - Error when writing **CommercialDataOptIn** to the registry at **HKLM:\SOFTWARE\Microsoft\Windows \CurrentVersion\Policies\DataCollection** | Verify that the deployment script is running in a context that has access to the registry key. |
-| 11 - Function **SetupCommercialId** failed with an unexpected exception. The **SetupCommercialId** function updates the Commercial Id at the registry key path: **HKLM:\SOFTWARE\Microsoft\Windows \CurrentVersion\Policies\DataCollection** | Verify that the configuration script has access to this location. |
-| 12 - Can’t connect to Microsoft - Vortex. Check your network/proxy settings. | **Http Get** on the end points did not return a success exit code. For Windows 10, connectivity is verified by connecting to https://v10.vortex-win.data.microsoft.com/health/keepalive. For previous operating systems, connectivity is verified by connecting to https://vortex-win.data.microsoft.com/health/keepalive. If there is an error verifying connectivity, this will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enrolling devices in Windows Analytics](../update/windows-analytics-get-started.md) |
-| 13 - Can’t connect to Microsoft - setting. | An error occurred connecting to https://settings.data.microsoft.com/qos. This error will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enrolling devices in Windows Analytics](https://technet.microsoft.com/itpro/windows/deploy/upgrade-readiness-get-started#enable-data-sharing). Verify that the required endpoints are whitelisted correctly. See Whitelist select endpoints for more details. |
-| 14 - Can’t connect to Microsoft - compatexchange. An error occurred connecting to [CompatibilityExchangeService.svc](https://compatexchange1.trafficmanager.net/CompatibilityExchangeService.svc). | This error will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enrolling devices in Windows Analytics](../update/windows-analytics-get-started.md). |
-| 15 - Function CheckVortexConnectivity failed with an unexpected exception. | This error will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enrolling devices in Windows Analytics](../update/windows-analytics-get-started.md). Check the logs for the exception message and the HResult. |
-| 16 - The computer requires a reboot before running the script. | Restart the device to complete the installation of the compatibility update and related updates. Reboot the computer before running the Upgrade Readiness deployment script. |
-| 17 - Function **CheckRebootRequired** failed with an unexpected exception. | Restart the device to complete installation of the compatibility update and related updates. Check the logs for the exception message and the HResult. |
-|18 - Appraiser KBs not installed or **appraiser.dll** not found. | Either the Appraiser-related updates are not installed, or the **appraiser.dll** file was not found. For more information, see appraiser diagnostic data events and fields information in the [Data collection](https://technet.microsoft.com/itpro/windows/deploy/upgrade-readiness-get-started#data-collection-and-privacy) and privacy topic. |
-| 19 - Function **CheckAppraiserKB**, which checks the compatibility update KBs, failed with unexpected exception. | Check the logs for the Exception message and HResult. The script will not run further if this error is not fixed. |
-| 20 - An error occurred when creating or updating the registry key **RequestAllAppraiserVersions** at **HKLM:\SOFTWARE\Microsoft\WindowsNT \CurrentVersion\AppCompatFlags\Appraiser** | The registry key is required for data collection to work correctly. Verify that the script is running in a context that has access to the registry key. |
-| 21 - Function **SetRequestAllAppraiserVersions** failed with an unexpected exception. | Check the logs for the exception message and HResult. |
-| 22 - **RunAppraiser** failed with unexpected exception. | Check the logs for the exception message and HResult. Check the **%windir%\System32** directory for the file **CompatTelRunner.exe**. If the file does not exist, reinstall the required compatibility updates which include this file, and check your organization's Group Policy to verify it does not remove this file. |
-| 23 - Error finding system variable **%WINDIR%**. | Verify that this environment variable is configured on the computer. |
-| 24 - The script failed when writing **IEDataOptIn** to the registry. An error occurred when creating registry key **IEOptInLevel** at **HKLM:\SOFTWARE\Microsoft\Windows \CurrentVersion\Policies\DataCollection** | This is a required registry key for IE data collection to work correctly. Verify that the deployment script in running in a context that has access to the registry key. Check the logs for the exception message and HResult. |
-| 25 - The function **SetIEDataOptIn** failed with unexpected exception. | Check the logs for the exception message and HResult. |
-| 27 - The script is not running under **System** account. | The Upgrade Readiness configuration script must be run as **System**. |
-| 28 - Could not create log file at the specified **logPath**. | Make sure the deployment script has access to the location specified in the **logPath** parameter. |
-| 29 - Connectivity check failed for proxy authentication. | Install cumulative updates on the device and enable the **DisableEnterpriseAuthProxy** authentication proxy setting. The **DisableEnterpriseAuthProxy** setting is enabled by default for Windows 7\. For Windows 8.1 computers, set the **DisableEnterpriseAuthProxy** setting to **0** (not disabled). For more information on authentication proxy support, see [Authentication proxy support added in new version (12.28.16) of the Upgrade Readiness deployment script](https://go.microsoft.com/fwlink/?linkid=838688). |
-| 30 - Connectivity check failed. Registry key property **DisableEnterpriseAuthProxy** is not enabled. | The **DisableEnterpriseAuthProxy** setting is enabled by default for Windows 7\. For Windows 8.1 computers, set the **DisableEnterpriseAuthProxy** setting to **0** (not disabled). For more information on authentication proxy support, see [this blog post](https://go.microsoft.com/fwlink/?linkid=838688). |
-| 31 - There is more than one instance of the Upgrade Readiness data collector running at the same time on this computer. Use Task Manager to check if **CompatTelRunner.exe** is running, and wait until it has completed to rerun the script. The Upgrade Readiness task is scheduled by default to run daily at 0300. |
-| 32 - Appraiser version on the machine is outdated. | The configuration script detected a version of the compatibility update module that is older than the minimum required to correctly collect the data required by Upgrade Readiness solution. Use the latest version of the [compatibility update](https://docs.microsoft.com/windows/deployment/update/windows-analytics-get-started#deploy-the-compatibility-update-and-related-updates) for Windows 7 SP1/Windows 8.1. |
-| 33 - **CompatTelRunner.exe** exited with an exit code | **CompatTelRunner.exe** runs the appraise task on the device. If it fails, it will provide a specific exit code. The script will return exit code 33 when **CompatTelRunner.exe** itself exits with an exit code. Check the logs for more details. Also see the **Note** following this table for additional steps to follow. |
-| 34 - Function **CheckProxySettings** failed with an unexpected exception. | Check the logs for the exception message and HResult. |
-| 35 - Function **CheckAuthProxy** failed with an unexpected exception. Check the logs for the exception message and HResult. |
-| 36 - Function **CheckAppraiserEndPointsConnectivity** failed with an unexpected exception. | Check the logs for the exception message and HResult. |
-| 37 - **Diagnose_internal.cmd** failed with an unexpected exception. | Check the logs for the exception message and HResult. |
-| 38 - Function **Get-SqmID** failed with an unexpected exception. | Check the logs for the exception message and HResult. |
-| 39 - For Windows 10: AllowTelemetry property is not set to 1 or higher at registry key path **HKLM:\SOFTWARE\Policies\Microsoft \Windows\DataCollection** or **HKLM:\SOFTWARE\Microsoft\Windows \CurrentVersion\Policies\DataCollection** | For Windows 10 devices, the **AllowTelemetry** property should be set to 1 or greater to enable data collection. The script will return an error if this is not true. For more information, see [Configure Windows diagnostic data in your organization](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization). |
-| 40 - Function **CheckTelemetryOptIn** failed with an unexpected exception. | Check the logs for the exception message and HResult. |
-| 41 - The script failed to impersonate the currently logged on user. | The script mimics the UTC client to collect upgrade readiness data. When auth proxy is set, the UTC client impersonates the user that is logged on. The script also tries to mimic this, but the process failed. |
-| 42 - Function **StartImpersonatingLoggedOnUser** failed with an unexpected exception. | Check the logs for the exception message and HResult. |
-| 43 - Function **EndImpersonatingLoggedOnUser** failed with an unexpected exception. | Check the logs for the exception message and HResult. |
-| 44 - Diagtrack.dll version is old, so Auth Proxy will not work. | Update the device using Windows Update or Windows Server Update Services. |
-| 45 - Diagtrack.dll was not found. | Update the device using Windows Update or Windows Server Update Services. |
-| 48 - **CommercialID** mentioned in RunConfig.bat should be a GUID. | Copy the commercial ID from your workspace. To find your commercial ID, first navigate to the Solutions tab for your workspace in Azure Portal, and then select the solution. From there, select the **Settings** page, where you can find and copy your commercial ID.|
-| 50 - Diagtrack Service is not running. | The Diagtrack service is required to send data to Microsoft. Enable and run the "Connected User Experiences and Telemetry" service. |
-| 51 - RunCensus failed with an unexpected exception. | RunCensus explitly runs the process used to collect device information. The method failed with an unexpected exception. The most common cause is incorrect setup of diagnostic data. Check the ExceptionHResult and ExceptionMessage for more details. |
-| 52 - DeviceCensus.exe not found on a Windows 10 machine. | On computers running Windows 10, the process devicecensus.exe should be present in the \system32 directory. Error code 52 is returned if the process was not found. Ensure that it exists at the specified location. |
-| 53 - There is a different CommercialID present at the GPO path: **HKLM:\SOFTWARE\Policies\Microsoft \Windows\DataCollection**. This will take precedence over the CommercialID provided in the script. | Provide the correct CommercialID at the GPO location. |
-| 54 - Microsoft Account Sign In Assistant Service is Disabled. | This service is required for devices running Windows 10. The diagnostic data client relies on the Microsoft Account Sign In Assistant (MSA) to get the Global Device ID for the device. Without the MSA service running, the global device ID will not be generated and sent by the client and Windows Update will no longer offer feature updates to devices running Windows 10 1709 or higher. See [Feature updates are not being offered while other updates are](https://docs.microsoft.com/windows/deployment/update/windows-update-troubleshooting#feature-updates-are-not-being-offered-while-other-updates-are). |
-| 55 - SetDeviceNameOptIn function failed to create registry key path: **HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection** | The function SetDeviceNameOptIn sets the registry key value which determines whether to send the device name in diagnostic data. The function tries to create the registry key path if it does not already exist. Verify that the account has the correct permissions to change or add registry keys. |
-| 56 - SetDeviceNameOptIn function failed to create property AllowDeviceNameInTelemetry at registry key path: **HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection** | Verify that the account has the correct permissions to change or add registry keys.|
-| 57 - SetDeviceNameOptIn function failed to update AllowDeviceNameInTelemetry property to value 1 at registry key path: **HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection** | Verify that the account has the correct permissions to change or add registry keys. |
-| 58 - SetDeviceNameOptIn function failed with unexpected exception | The function SetDeviceNameOptIn failed with an unexpected exception. |
-| 59 - CleanupOneSettings failed to delete LastPersistedEventTimeOrFirstBoot property at registry key path: **HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\Diagtrack** |The CleanupOneSettings function clears some of the cached values needed by the Appraiser which is the data collector on the monitored device. This helps in the download of the most recent for accurate running of the data collector. Verify that the account has the correct permissions to change or add registry keys. |
-| 60 - CleanupOneSettings failed to delete registry key: **HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ Diagnostics\Diagtrack\SettingsRequests** | Verify that the account has the correct permissions to change or add registry keys. |
-| 61 - CleanupOneSettings failed with an exception | CleanupOneSettings failed with an unexpected exception. |
-| 62 - AllowTelemetry property value at registry key path **HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection** is not of type REG_DWORD. It should be of type REG_DWORD. | Ensure that the **AllowTelemetry** property at path **HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection** is a REG_DWORD. |
-| 63 - Diagnostic data is disabled for the device | If AllowTelemetry equals **0**, devices cannot send diagnostic data. To resolve this, set the **AllowTelemetry** value at **HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection**. |
-| 64 - AllowTelemetry property value at registry key path **HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection** is not of type REG_DWORD. It should be of type REG_DWORD. | Ensure that the **AllowTelemetry** property at **HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection** is a REG_DWORD. |
-| 65 - Diagnostic data is disabled for the device | If AllowTelemetry equals **0**, devices cannot send diagnostic data. To resolve this, set the **AllowTelemetry** value at **HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection**. |
-| 66 - All recent data uploads for the Universal Telemetry Client failed. | Review the UtcConnectionReport in WMI in the namespace **root\cimv2\mdm\dmmap** under the **MDM_Win32CompatibilityAppraiser_UniversalTelemetryClient01** class. Only SYSTEM has access to this class. Use [PSExec](https://docs.microsoft.com/sysinternals/downloads/psexec) to execute your WMI utility as SYSTEM. |
-| 67 - CheckUtcCsp failed with an exception | There was an error reading the WIM/CIM class **MDM_Win32CompatibilityAppraiser_UniversalTelemetryClient01** in the namespace **root\cimv2\mdm\dmmap**. Review system for WMI errors. |
-
-
-
-
-
-
-> [!NOTE]
-> **Additional steps to follow if you receive exit code 33**
->
-> Check the exit code for any of these messages:
->
-> - CompatTelRunner.exe exited with last error code: 0x800703F1
-> - CompatTelRunner.exe exited with last error code: 0x80070005
-> - CompatTelRunner.exe exited with last error code: 0x80080005
->
->
-> If the exit code includes any of those messages, then run these commands from an elevated command prompt:
->
-> 1. Net stop diagtrack
-> 2. Net stop pcasvc
-> 3. Net stop dps
-> 4. Del %windir%\appcompat\programs\amcache.hve
-> 5. reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags" /v AmiHivePermissionsCorrect /f
-> 6. reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags" /v LogFlags /t REG_DWORD /d 4 /f
-> 7. Net start diagtrack
-> 8. Net start pcasvc
-> 9. Net start dps
->
-> Then run the Enterprise Config script (RunConfig.bat) again.
->
-> If the script still fails, then send mail to uasupport@microsoft.com including log files from the RunConfig.bat script. These log files are stored on the drive that is specified in the RunConfig.bat file. By default this is set to **%SystemDrive%\UADiagnostics**. The log file is named with the format **UA_yyyy_mm_dd_hh_mm_ss_machineID.txt**. There will be some additional logs generated under your **\
+ \*settings\*.data.microsoft.com
+
+5. The deployment script configures insider builds to continue to send the device name to the diagnostic data management service and the analytics portal. If you do not want to have insider builds send the device name sent to analytics and be available in the analytics portal, set **DeviceNAmeOptIn = false**. By default it is true, which preserves the behavior on previous versions of Windows. This setting only applies to insider builds. Note that the device name is also sent to AppInsights, so to ensure the device name is not sent to either place you would need to also set **AppInsightsOptIn = false**.
+
+6. After you finish editing the parameters in RunConfig.bat, you are ready to run the script. If you are using the Pilot version, run RunConfig.bat from an elevated command prompt. If you are using the Deployment version, use ConfigMgr or other software deployment service to run RunConfig.bat as system.
+
+## Exit codes
+
+The deployment script displays the following exit codes to let you know if it was successful, or if an error was encountered.
+
+| Exit code | Suggested fix |
+|-----------|--------------|
+| 0 - Success | N/A |
+| 1 - Unexpected error occurred while executing the script. | The files in the deployment script are likely corrupted. Download the [latest script](https://go.microsoft.com/fwlink/?LinkID=822966) from the download center and try again. |
+| 2 - Error when logging to console. $logMode = 0. (console only) | Try changing the $logMode value to **1** and try again. $logMode value 1 logs to both console and file. |
+| 3 - Error when logging to console and file. $logMode = 1. | Verify that you have set the logPath parameter in RunConfig.bat, and that the configuration script has access to connect and write to this location. |
+| 4 - Error when logging to file. $logMode = 2. | Verify that you have set the logPath parameter in RunConfig.bat, and that the configuration script has access to connect and write to this location. |
+| 5 - Error when logging to console and file. $logMode = unknown. | Verify that you have set the logPath parameter in RunConfig.bat, and that the configuration script has access to connect and write to this location. |
+| 6 - The commercialID parameter is set to unknown. | Modify the runConfig.bat file to set the CommercialID value. The value for parameter in the runconfig.bat file should match the Commercial ID key for your workspace. See [Generate your Commercial ID key](https://technet.microsoft.com/itpro/windows/deploy/upgrade-readiness-get-started#generate-your-commercial-id-key) for instructions on generating a Commercial ID key for your workspace. |
+| 8 - Failure to create registry key path: **HKLM:\SOFTWARE\Microsoft\Windows \CurrentVersion\Policies\DataCollection**. The Commercial Id property is set at the following registry key path: **HKLM:\SOFTWARE\Microsoft\Windows \CurrentVersion\Policies\DataCollection** | Verify that the context under which the script in running has access to the registry key. |
+| 9 - The script failed to write Commercial Id to registry.
+Error creating or updating registry key: **CommercialId** at **HKLM:\SOFTWARE\Microsoft\Windows \CurrentVersion\Policies\DataCollection** | Verify that the context under which the script in running has access to the registry key. |
+| 10 - Error when writing **CommercialDataOptIn** to the registry at **HKLM:\SOFTWARE\Microsoft\Windows \CurrentVersion\Policies\DataCollection** | Verify that the deployment script is running in a context that has access to the registry key. |
+| 11 - Function **SetupCommercialId** failed with an unexpected exception. The **SetupCommercialId** function updates the Commercial Id at the registry key path: **HKLM:\SOFTWARE\Microsoft\Windows \CurrentVersion\Policies\DataCollection** | Verify that the configuration script has access to this location. |
+| 12 - Can’t connect to Microsoft - Vortex. Check your network/proxy settings. | **Http Get** on the end points did not return a success exit code. For Windows 10, connectivity is verified by connecting to https://v10.vortex-win.data.microsoft.com/health/keepalive. For previous operating systems, connectivity is verified by connecting to https://vortex-win.data.microsoft.com/health/keepalive. If there is an error verifying connectivity, this will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enrolling devices in Windows Analytics](../update/windows-analytics-get-started.md) |
+| 13 - Can’t connect to Microsoft - setting. | An error occurred connecting to https://settings.data.microsoft.com/qos. This error will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enrolling devices in Windows Analytics](https://technet.microsoft.com/itpro/windows/deploy/upgrade-readiness-get-started#enable-data-sharing). Verify that the required endpoints are whitelisted correctly. See Whitelist select endpoints for more details. |
+| 14 - Can’t connect to Microsoft - compatexchange. An error occurred connecting to [CompatibilityExchangeService.svc](https://compatexchange1.trafficmanager.net/CompatibilityExchangeService.svc). | This error will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enrolling devices in Windows Analytics](../update/windows-analytics-get-started.md). |
+| 15 - Function CheckVortexConnectivity failed with an unexpected exception. | This error will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enrolling devices in Windows Analytics](../update/windows-analytics-get-started.md). Check the logs for the exception message and the HResult. |
+| 16 - The computer requires a reboot before running the script. | Restart the device to complete the installation of the compatibility update and related updates. Reboot the computer before running the Upgrade Readiness deployment script. |
+| 17 - Function **CheckRebootRequired** failed with an unexpected exception. | Restart the device to complete installation of the compatibility update and related updates. Check the logs for the exception message and the HResult. |
+|18 - Appraiser KBs not installed or **appraiser.dll** not found. | Either the Appraiser-related updates are not installed, or the **appraiser.dll** file was not found. For more information, see appraiser diagnostic data events and fields information in the [Data collection](https://technet.microsoft.com/itpro/windows/deploy/upgrade-readiness-get-started#data-collection-and-privacy) and privacy topic. |
+| 19 - Function **CheckAppraiserKB**, which checks the compatibility update KBs, failed with unexpected exception. | Check the logs for the Exception message and HResult. The script will not run further if this error is not fixed. |
+| 20 - An error occurred when creating or updating the registry key **RequestAllAppraiserVersions** at **HKLM:\SOFTWARE\Microsoft\WindowsNT \CurrentVersion\AppCompatFlags\Appraiser** | The registry key is required for data collection to work correctly. Verify that the script is running in a context that has access to the registry key. |
+| 21 - Function **SetRequestAllAppraiserVersions** failed with an unexpected exception. | Check the logs for the exception message and HResult. |
+| 22 - **RunAppraiser** failed with unexpected exception. | Check the logs for the exception message and HResult. Check the **%windir%\System32** directory for the file **CompatTelRunner.exe**. If the file does not exist, reinstall the required compatibility updates which include this file, and check your organization's Group Policy to verify it does not remove this file. |
+| 23 - Error finding system variable **%WINDIR%**. | Verify that this environment variable is configured on the computer. |
+| 24 - The script failed when writing **IEDataOptIn** to the registry. An error occurred when creating registry key **IEOptInLevel** at **HKLM:\SOFTWARE\Microsoft\Windows \CurrentVersion\Policies\DataCollection** | This is a required registry key for IE data collection to work correctly. Verify that the deployment script in running in a context that has access to the registry key. Check the logs for the exception message and HResult. |
+| 25 - The function **SetIEDataOptIn** failed with unexpected exception. | Check the logs for the exception message and HResult. |
+| 27 - The script is not running under **System** account. | The Upgrade Readiness configuration script must be run as **System**. |
+| 28 - Could not create log file at the specified **logPath**. | Make sure the deployment script has access to the location specified in the **logPath** parameter. |
+| 29 - Connectivity check failed for proxy authentication. | Install cumulative updates on the device and enable the **DisableEnterpriseAuthProxy** authentication proxy setting. The **DisableEnterpriseAuthProxy** setting is enabled by default for Windows 7\. For Windows 8.1 computers, set the **DisableEnterpriseAuthProxy** setting to **0** (not disabled). For more information on authentication proxy support, see [Authentication proxy support added in new version (12.28.16) of the Upgrade Readiness deployment script](https://go.microsoft.com/fwlink/?linkid=838688). |
+| 30 - Connectivity check failed. Registry key property **DisableEnterpriseAuthProxy** is not enabled. | The **DisableEnterpriseAuthProxy** setting is enabled by default for Windows 7\. For Windows 8.1 computers, set the **DisableEnterpriseAuthProxy** setting to **0** (not disabled). For more information on authentication proxy support, see [this blog post](https://go.microsoft.com/fwlink/?linkid=838688). |
+| 31 - There is more than one instance of the Upgrade Readiness data collector running at the same time on this computer. Use Task Manager to check if **CompatTelRunner.exe** is running, and wait until it has completed to rerun the script. The Upgrade Readiness task is scheduled by default to run daily at 0300. |
+| 32 - Appraiser version on the machine is outdated. | The configuration script detected a version of the compatibility update module that is older than the minimum required to correctly collect the data required by Upgrade Readiness solution. Use the latest version of the [compatibility update](https://docs.microsoft.com/windows/deployment/update/windows-analytics-get-started#deploy-the-compatibility-update-and-related-updates) for Windows 7 SP1/Windows 8.1. |
+| 33 - **CompatTelRunner.exe** exited with an exit code | **CompatTelRunner.exe** runs the appraise task on the device. If it fails, it will provide a specific exit code. The script will return exit code 33 when **CompatTelRunner.exe** itself exits with an exit code. Check the logs for more details. Also see the **Note** following this table for additional steps to follow. |
+| 34 - Function **CheckProxySettings** failed with an unexpected exception. | Check the logs for the exception message and HResult. |
+| 35 - Function **CheckAuthProxy** failed with an unexpected exception. Check the logs for the exception message and HResult. |
+| 36 - Function **CheckAppraiserEndPointsConnectivity** failed with an unexpected exception. | Check the logs for the exception message and HResult. |
+| 37 - **Diagnose_internal.cmd** failed with an unexpected exception. | Check the logs for the exception message and HResult. |
+| 38 - Function **Get-SqmID** failed with an unexpected exception. | Check the logs for the exception message and HResult. |
+| 39 - For Windows 10: AllowTelemetry property is not set to 1 or higher at registry key path **HKLM:\SOFTWARE\Policies\Microsoft \Windows\DataCollection** or **HKLM:\SOFTWARE\Microsoft\Windows \CurrentVersion\Policies\DataCollection** | For Windows 10 devices, the **AllowTelemetry** property should be set to 1 or greater to enable data collection. The script will return an error if this is not true. For more information, see [Configure Windows diagnostic data in your organization](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization). |
+| 40 - Function **CheckTelemetryOptIn** failed with an unexpected exception. | Check the logs for the exception message and HResult. |
+| 41 - The script failed to impersonate the currently logged on user. | The script mimics the UTC client to collect upgrade readiness data. When auth proxy is set, the UTC client impersonates the user that is logged on. The script also tries to mimic this, but the process failed. |
+| 42 - Function **StartImpersonatingLoggedOnUser** failed with an unexpected exception. | Check the logs for the exception message and HResult. |
+| 43 - Function **EndImpersonatingLoggedOnUser** failed with an unexpected exception. | Check the logs for the exception message and HResult. |
+| 44 - Diagtrack.dll version is old, so Auth Proxy will not work. | Update the device using Windows Update or Windows Server Update Services. |
+| 45 - Diagtrack.dll was not found. | Update the device using Windows Update or Windows Server Update Services. |
+| 48 - **CommercialID** mentioned in RunConfig.bat should be a GUID. | Copy the commercial ID from your workspace. To find your commercial ID, first navigate to the Solutions tab for your workspace in Azure Portal, and then select the solution. From there, select the **Settings** page, where you can find and copy your commercial ID.|
+| 50 - Diagtrack Service is not running. | The Diagtrack service is required to send data to Microsoft. Enable and run the "Connected User Experiences and Telemetry" service. |
+| 51 - RunCensus failed with an unexpected exception. | RunCensus explitly runs the process used to collect device information. The method failed with an unexpected exception. The most common cause is incorrect setup of diagnostic data. Check the ExceptionHResult and ExceptionMessage for more details. |
+| 52 - DeviceCensus.exe not found on a Windows 10 machine. | On computers running Windows 10, the process devicecensus.exe should be present in the \system32 directory. Error code 52 is returned if the process was not found. Ensure that it exists at the specified location. |
+| 53 - There is a different CommercialID present at the GPO path: **HKLM:\SOFTWARE\Policies\Microsoft \Windows\DataCollection**. This will take precedence over the CommercialID provided in the script. | Provide the correct CommercialID at the GPO location. |
+| 54 - Microsoft Account Sign In Assistant Service is Disabled. | This service is required for devices running Windows 10. The diagnostic data client relies on the Microsoft Account Sign In Assistant (MSA) to get the Global Device ID for the device. Without the MSA service running, the global device ID will not be generated and sent by the client and Windows Update will no longer offer feature updates to devices running Windows 10 1709 or higher. See [Feature updates are not being offered while other updates are](https://docs.microsoft.com/windows/deployment/update/windows-update-troubleshooting#feature-updates-are-not-being-offered-while-other-updates-are). |
+| 55 - SetDeviceNameOptIn function failed to create registry key path: **HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection** | The function SetDeviceNameOptIn sets the registry key value which determines whether to send the device name in diagnostic data. The function tries to create the registry key path if it does not already exist. Verify that the account has the correct permissions to change or add registry keys. |
+| 56 - SetDeviceNameOptIn function failed to create property AllowDeviceNameInTelemetry at registry key path: **HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection** | Verify that the account has the correct permissions to change or add registry keys.|
+| 57 - SetDeviceNameOptIn function failed to update AllowDeviceNameInTelemetry property to value 1 at registry key path: **HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection** | Verify that the account has the correct permissions to change or add registry keys. |
+| 58 - SetDeviceNameOptIn function failed with unexpected exception | The function SetDeviceNameOptIn failed with an unexpected exception. |
+| 59 - CleanupOneSettings failed to delete LastPersistedEventTimeOrFirstBoot property at registry key path: **HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\Diagtrack** |The CleanupOneSettings function clears some of the cached values needed by the Appraiser which is the data collector on the monitored device. This helps in the download of the most recent for accurate running of the data collector. Verify that the account has the correct permissions to change or add registry keys. |
+| 60 - CleanupOneSettings failed to delete registry key: **HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ Diagnostics\Diagtrack\SettingsRequests** | Verify that the account has the correct permissions to change or add registry keys. |
+| 61 - CleanupOneSettings failed with an exception | CleanupOneSettings failed with an unexpected exception. |
+| 62 - AllowTelemetry property value at registry key path **HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection** is not of type REG_DWORD. It should be of type REG_DWORD. | Ensure that the **AllowTelemetry** property at path **HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection** is a REG_DWORD. |
+| 63 - Diagnostic data is disabled for the device | If AllowTelemetry equals **0**, devices cannot send diagnostic data. To resolve this, set the **AllowTelemetry** value at **HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection**. |
+| 64 - AllowTelemetry property value at registry key path **HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection** is not of type REG_DWORD. It should be of type REG_DWORD. | Ensure that the **AllowTelemetry** property at **HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection** is a REG_DWORD. |
+| 65 - Diagnostic data is disabled for the device | If AllowTelemetry equals **0**, devices cannot send diagnostic data. To resolve this, set the **AllowTelemetry** value at **HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection**. |
+| 66 - All recent data uploads for the Universal Telemetry Client failed. | Review the UtcConnectionReport in WMI in the namespace **root\cimv2\mdm\dmmap** under the **MDM_Win32CompatibilityAppraiser_UniversalTelemetryClient01** class. Only SYSTEM has access to this class. Use [PSExec](https://docs.microsoft.com/sysinternals/downloads/psexec) to execute your WMI utility as SYSTEM. |
+| 67 - CheckUtcCsp failed with an exception | There was an error reading the WIM/CIM class **MDM_Win32CompatibilityAppraiser_UniversalTelemetryClient01** in the namespace **root\cimv2\mdm\dmmap**. Review system for WMI errors. |
+
+
+
+
+
+
+> [!NOTE]
+> **Additional steps to follow if you receive exit code 33**
+>
+> Check the exit code for any of these messages:
+>
+> - CompatTelRunner.exe exited with last error code: 0x800703F1
+> - CompatTelRunner.exe exited with last error code: 0x80070005
+> - CompatTelRunner.exe exited with last error code: 0x80080005
+>
+>
+> If the exit code includes any of those messages, then run these commands from an elevated command prompt:
+>
+> 1. Net stop diagtrack
+> 2. Net stop pcasvc
+> 3. Net stop dps
+> 4. Del %windir%\appcompat\programs\amcache.hve
+> 5. reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags" /v AmiHivePermissionsCorrect /f
+> 6. reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags" /v LogFlags /t REG_DWORD /d 4 /f
+> 7. Net start diagtrack
+> 8. Net start pcasvc
+> 9. Net start dps
+>
+> Then run the Enterprise Config script (RunConfig.bat) again.
+>
+> If the script still fails, then contact support@microsoft.com and share the log files from the RunConfig.bat script. These log files are stored on the drive that is specified in the RunConfig.bat file. By default this is set to **%SystemDrive%\UADiagnostics**. The log file is named with the format **UA_yyyy_mm_dd_hh_mm_ss_machineID.txt**. There will be some additional logs generated under your **\
-D = Edition downgrade; personal data is maintained, applications and settings are removed.
-
-
-
-
-
-
-## Related Topics
-
-[Windows 10 deployment scenarios](../windows-10-deployment-scenarios.md)
-
-
-
- Windows 10 Home
- Windows 10 Pro
- Windows 10 Pro Education
- Windows 10 Education
- Windows 10 Enterprise
- Windows 10 Mobile
- Windows 10 Mobile Enterprise
-
-
- Windows 7
-
-
- Starter
- ✔
- ✔
- ✔
- ✔
-
-
-
-
-
- Home Basic
- ✔
- ✔
- ✔
- ✔
-
-
-
-
-
- Home Premium
- ✔
- ✔
- ✔
- ✔
-
-
-
-
-
- Professional
- D
- ✔
- ✔
- ✔
- ✔
-
-
-
-
- Ultimate
- D
- ✔
- ✔
- ✔
- ✔
-
-
-
-
- Enterprise
-
-
-
- ✔
- ✔
-
-
-
-
- Windows 8.1
-
-
- (Core)
- ✔
- ✔
- ✔
- ✔
-
-
-
-
-
- Connected
- ✔
- ✔
- ✔
- ✔
-
-
-
-
-
- Pro
- D
- ✔
- ✔
- ✔
- ✔
-
-
-
-
- Pro Student
- D
- ✔
- ✔
- ✔
- ✔
-
-
-
-
- Pro WMC
- D
- ✔
- ✔
- ✔
- ✔
-
-
-
-
- Enterprise
-
-
-
- ✔
- ✔
-
-
-
-
- Embedded Industry
-
-
-
-
- ✔
-
-
-
-
- Windows RT
-
-
-
-
-
-
-
-
-
- Windows Phone 8.1
-
-
-
-
-
-
- ✔
-
-
- Windows 10
-
-
- Home
-
- ✔
- ✔
- ✔
-
-
-
-
-
- Pro
- D
-
- ✔
- ✔
- ✔
-
-
-
-
- Education
-
-
-
-
- D
-
-
-
-
- Enterprise
-
-
-
- ✔
-
-
-
-
-
- Mobile
-
-
-
-
-
-
- ✔
-
-
-Mobile Enterprise
-
-
-
-
-
- D
-
-
-[Windows upgrade and migration considerations](windows-upgrade-and-migration-considerations.md)
-[Windows 10 edition upgrade](windows-10-edition-upgrades.md)
-
-
-
-
-
+---
+title: Windows 10 upgrade paths (Windows 10)
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+description: You can upgrade to Windows 10 from a previous version of Windows if the upgrade path is supported.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.localizationpriority: medium
+ms.pagetype: mobile
+audience: itpro
+author: greg-lindsay
+ms.topic: article
+---
+
+# Windows 10 upgrade paths
+**Applies to**
+
+- Windows 10
+- Windows 10 Mobile
+
+## Upgrade paths
+
+This topic provides a summary of available upgrade paths to Windows 10. You can upgrade to Windows 10 from Windows 7 or a later operating system. This includes upgrading from one release of Windows 10 to later release of Windows 10. Migrating from one edition of Windows 10 to a different edition of the same release is also supported. For more information about migrating to a different edition of Windows 10, see [Windows 10 edition upgrade](windows-10-edition-upgrades.md).
+
+> **Windows 10 version upgrade**: You can directly upgrade any semi-annual channel version of Windows 10 to a newer, supported semi-annual channel version of Windows 10, even if it involves skipping versions. Work with your account representative if your current version of Windows is out of support. See the [Windows lifecycle fact sheet](https://support.microsoft.com/help/13853/windows-lifecycle-fact-sheet) for availability and service information.
+>
+> **Windows 10 LTSC/LTSB**: Due to [naming changes](https://docs.microsoft.com/windows/deployment/update/waas-overview#naming-changes), product versions that display Windows 10 LTSB will be replaced with Windows 10 LTSC in subsequent feature updates. The term LTSC is used here to refer to all long term servicing versions.
+>
+> In-place upgrade from Windows 7, Windows 8.1, or [Windows 10 semi-annual channel](https://docs.microsoft.com/windows/release-information/) to Windows 10 LTSC is not supported. **Note**: Windows 10 LTSC 2015 did not block this upgrade path. This was corrected in the Windows 10 LTSC 2016 release, which will now only allow data-only and clean install options. You can upgrade from Windows 10 LTSC to Windows 10 semi-annual channel, provided that you upgrade to the same or a newer build version. For example, Windows 10 Enterprise 2016 LTSB can be upgraded to Windows 10 Enterprise version 1607 or later. Upgrade is supported using the in-place upgrade process (using Windows setup). You will need to use the Product Key switch if you want to keep your apps. If you don't use the switch the option 'Keep personal files and apps' will be grayed out. The command line would be **setup.exe /pkey xxxxx-xxxxx-xxxxx-xxxxx-xxxxx**, using your relevant Windows 10 SAC product key. For example, if using a KMS, the command line would be **setup.exe /pkey NPPR9-FWDCX-D2C8J-H872K-2YT43**.
+>
+> **Windows N/KN**: Windows "N" and "KN" SKUs (editions without media-related functionality) follow the same upgrade paths shown below. If the pre-upgrade and post-upgrade editions are not the same type (e.g. Windows 8.1 Pro N to Windows 10 Pro), personal data will be kept but applications and settings will be removed during the upgrade process.
+>
+> **Windows 8.0**: You cannot upgrade directly from Windows 8.0 to Windows 10. To upgrade from Windows 8.0, you must first install the [Windows 8.1 update](https://support.microsoft.com/help/15356/windows-8-install-update-kb-2919355).
+
+✔ = Full upgrade is supported including personal data, settings, and applications.
+D = Edition downgrade; personal data is maintained, applications and settings are removed.
+
+
+
+
+
+
+## Related Topics
+
+[Windows 10 deployment scenarios](../windows-10-deployment-scenarios.md)
+
+
+
+ Windows 10 Home
+ Windows 10 Pro
+ Windows 10 Pro Education
+ Windows 10 Education
+ Windows 10 Enterprise
+ Windows 10 Mobile
+ Windows 10 Mobile Enterprise
+
+
+ Windows 7
+
+
+ Starter
+ ✔
+ ✔
+ ✔
+ ✔
+
+
+
+
+
+ Home Basic
+ ✔
+ ✔
+ ✔
+ ✔
+
+
+
+
+
+ Home Premium
+ ✔
+ ✔
+ ✔
+ ✔
+
+
+
+
+
+ Professional
+ D
+ ✔
+ ✔
+ ✔
+ ✔
+
+
+
+
+ Ultimate
+ D
+ ✔
+ ✔
+ ✔
+ ✔
+
+
+
+
+ Enterprise
+
+
+
+ ✔
+ ✔
+
+
+
+
+ Windows 8.1
+
+
+ (Core)
+ ✔
+ ✔
+ ✔
+ ✔
+
+
+
+
+
+ Connected
+ ✔
+ ✔
+ ✔
+ ✔
+
+
+
+
+
+ Pro
+ D
+ ✔
+ ✔
+ ✔
+ ✔
+
+
+
+
+ Pro Student
+ D
+ ✔
+ ✔
+ ✔
+ ✔
+
+
+
+
+ Pro WMC
+ D
+ ✔
+ ✔
+ ✔
+ ✔
+
+
+
+
+ Enterprise
+
+
+
+ ✔
+ ✔
+
+
+
+
+ Embedded Industry
+
+
+
+
+ ✔
+
+
+
+
+ Windows RT
+
+
+
+
+
+
+
+
+
+ Windows Phone 8.1
+
+
+
+
+
+
+ ✔
+
+
+ Windows 10
+
+
+ Home
+
+ ✔
+ ✔
+ ✔
+
+
+
+
+
+ Pro
+ D
+
+ ✔
+ ✔
+ ✔
+
+
+
+
+ Education
+
+
+
+
+ D
+
+
+
+
+ Enterprise
+
+
+
+ ✔
+
+
+
+
+
+ Mobile
+
+
+
+
+
+
+ ✔
+
+
+Mobile Enterprise
+
+
+
+
+
+ D
+
+
+[Windows upgrade and migration considerations](windows-upgrade-and-migration-considerations.md)
+[Windows 10 edition upgrade](windows-10-edition-upgrades.md)
+
+
+
+
+
diff --git a/windows/deployment/upgrade/windows-error-reporting.md b/windows/deployment/upgrade/windows-error-reporting.md
index f0f918ef4a..77f1ae38b0 100644
--- a/windows/deployment/upgrade/windows-error-reporting.md
+++ b/windows/deployment/upgrade/windows-error-reporting.md
@@ -68,6 +68,6 @@ The event will also contain links to log files that can be used to perform a det
[Windows 10 FAQ for IT professionals](https://technet.microsoft.com/windows/dn798755.aspx)
[Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752.aspx)
-[Windows 10 Specifications](https://www.microsoft.com/en-us/windows/Windows-10-specifications)
+[Windows 10 Specifications](https://www.microsoft.com/windows/Windows-10-specifications)
[Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro)
[Fix Windows Update errors by using the DISM or System Update Readiness tool](https://support.microsoft.com/kb/947821)
diff --git a/windows/deployment/usmt/offline-migration-reference.md b/windows/deployment/usmt/offline-migration-reference.md
index 8e45d24439..2eab7ea7b8 100644
--- a/windows/deployment/usmt/offline-migration-reference.md
+++ b/windows/deployment/usmt/offline-migration-reference.md
@@ -1,268 +1,269 @@
----
-title: Offline Migration Reference (Windows 10)
-description: Offline Migration Reference
-ms.assetid: f347547c-d601-4c3e-8f2d-0138edeacfda
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.date: 04/19/2017
-ms.topic: article
----
-
-# Offline Migration Reference
-
-
-Offline migration enables the ScanState tool to run inside a different Windows® operating system than the Windows operating system from which ScanState is gathering files and settings. There are two primary offline scenarios:
-
-- **Windows PE.** The ScanState tool can be run from within Windows PE, gathering files and settings from the offline Windows operating system on that machine.
-
-- **Windows.old.** The ScanState tool can now gather files and settings from the Windows.old directory that is created during Windows installation on a partition that contains a previous installation of Windows. For example, the ScanState tool can run in Windows 10, gathering files from a previous Windows 7or Windows 8 installation contained in the Windows.old directory.
-
-When you use User State Migration Tool (USMT) 10.0 to gather and restore user state, offline migration reduces the cost of deployment by:
-
-- **Reducing complexity.** In computer-refresh scenarios, migrations from the Windows.old directory reduce complexity by eliminating the need for the ScanState tool to be run before the operating system is deployed. Also, migrations from the Windows.old directory enable ScanState and LoadState to be run successively.
-
-- **Improving performance.** When USMT runs in an offline Windows Preinstallation Environment (WinPE) environment, it has better access to the hardware resources. This may increase performance on older machines with limited hardware resources and numerous installed software applications.
-
-- **New recovery scenario.** In scenarios where a machine no longer restarts properly, it might be possible to gather user state with the ScanState tool from within WinPE.
-
-## In This Topic
-
-
-- [What Will Migrate Offline?](#bkmk-whatwillmigrate)
-
-- [What Offline Environments are Supported?](#bkmk-offlineenvironments)
-
-- [User-Group Membership and Profile Control](#bkmk-usergroupmembership)
-
-- [Command-Line Options](#bkmk-commandlineoptions)
-
-- [Environment Variables](#bkmk-environmentvariables)
-
-- [Offline.xml Elements](#bkmk-offlinexml)
-
-## What Will Migrate Offline?
-
-
-The following user data and settings migrate offline, similar to an online migration:
-
-- Data and registry keys specified in MigXML
-
-- User accounts
-
-- Application settings
-
-- Limited set of operating-system settings
-
-- EFS files
-
-- Internet Explorer® Favorites
-
-For exceptions to what you can migrate offline, see [What Does USMT Migrate?](usmt-what-does-usmt-migrate.md)
-
-## What Offline Environments are Supported?
-
-
-The following table defines the supported combination of online and offline operating systems in USMT.
-
-
-
-
-
-
-**Note**
-It is possible to run the ScanState tool while the drive remains encrypted by suspending Windows BitLocker Drive Encryption before booting into WinPE. For more information, see [this Microsoft site](https://go.microsoft.com/fwlink/p/?LinkId=190314).
-
-
-
-## User-Group Membership and Profile Control
-
-
-User-group membership is not preserved during offline migrations. You must configure a **<ProfileControl>** section in the Config.xml file to specify the groups that the migrated users should be made members of. The following example places all migrated users into the Users group:
-
-``` syntax
-
-
-
-
-Running Operating System
-Offline Operating System
-
-
-
-
-
-
-
-
-
-
-You can use only one of the **/offline**,**/offlineWinDir** , or **/OfflineWinOld** command-line options at a time; USMT does not support using more than one together.
-
-## Environment Variables
-
-
-The following system environment variables are necessary in the scenarios outlined below.
-
-
-
-
-
-Component
-Option
-Description
-
-
-
-
-
-
-
-
-
-
-
-
-## Offline.xml Elements
-
-
-Use an offline.xml file when running the ScanState tool on a computer that has multiple Windows directories. The offline.xml file specifies which directories to scan for windows files. An offline.xml file can be used with the /offline option as an alternative to specifying a single Windows directory path with the /offlineDir option.
-
-### <offline>
-
-This element contains other elements that define how an offline migration is to be performed.
-
-Syntax: <offline> </offline>
-
-### <winDir>
-
-This element is a required child of **<offline>** and contains information about how the offline volume can be selected. The migration will be performed from the first element of **<winDir>** that contains a valid Windows system volume.
-
-Syntax: < winDir > </ winDir >
-
-### <path>
-
-This element is a required child of **<winDir>** and contains a file path pointing to a valid Windows directory. Relative paths are interpreted from the ScanState tool’s working directory.
-
-Syntax: <path> c:\\windows </path>
-
--or-
-
-Syntax, when used with the **<mappings>** element: <path> C:\\, D:\\ </path>
-
-### <mappings>
-
-This element is an optional child of **<offline>**. When specified, the **<mappings>** element will override the automatically detected WinPE drive mappings. Each child **<path>** element will provide a mapping from one system volume to another. Additionally, mappings between folders can be provided, since an entire volume can be mounted to a specific folder.
-
-Syntax: <mappings> </mappings>
-
-### <failOnMultipleWinDir>
-
-This element is an optional child of **<offline>**. The **<failOnMultipleWinDir>** element allows the user to specify that the migration should fail when USMT detects that there are multiple instances of Windows installed on the source machine. When the **<failOnMultipleWinDir>** element isn’t present, the default behavior is that the migration does not fail.
-
-Syntax: <failOnMultipleWinDir>1</failOnMultipleWinDir> or Syntax: <failOnMultipleWinDir>0</failOnMultipleWinDir>
-
-### Offline .xml Example
-
-The following XML example illustrates some of the elements discussed earlier in this topic.
-
-``` syntax
-
-
-
-
-Variable
-Value
-Scenario
-
-
-Set USMT_WORKING_DIR=[path to working directory]
-
-
-Set MIG_OFFLINE_PLATFORM_ARCH=32
+
+
+
+
+**Note**
+It is possible to run the ScanState tool while the drive remains encrypted by suspending Windows BitLocker Drive Encryption before booting into WinPE. For more information, see [this Microsoft site](https://go.microsoft.com/fwlink/p/?LinkId=190314).
+
+
+
+## User-Group Membership and Profile Control
+
+
+User-group membership is not preserved during offline migrations. You must configure a **<ProfileControl>** section in the Config.xml file to specify the groups that the migrated users should be made members of. The following example places all migrated users into the Users group:
+
+``` xml
+
+
+
+
+Running Operating System
+Offline Operating System
+
+
+
+
+
+
+
+
+
+
+You can use only one of the **/offline**,**/offlineWinDir** , or **/OfflineWinOld** command-line options at a time; USMT does not support using more than one together.
+
+## Environment Variables
+
+
+The following system environment variables are necessary in the scenarios outlined below.
+
+
+
+
+
+Component
+Option
+Description
+
+
+
+
+
+
+
+
+
+
+
+
+## Offline.xml Elements
+
+
+Use an offline.xml file when running the ScanState tool on a computer that has multiple Windows directories. The offline.xml file specifies which directories to scan for windows files. An offline.xml file can be used with the /offline option as an alternative to specifying a single Windows directory path with the /offlineDir option.
+
+### <offline>
+
+This element contains other elements that define how an offline migration is to be performed.
+
+Syntax: <offline> </offline>
+
+### <winDir>
+
+This element is a required child of **<offline>** and contains information about how the offline volume can be selected. The migration will be performed from the first element of **<winDir>** that contains a valid Windows system volume.
+
+Syntax: < winDir > </ winDir >
+
+### <path>
+
+This element is a required child of **<winDir>** and contains a file path pointing to a valid Windows directory. Relative paths are interpreted from the ScanState tool’s working directory.
+
+Syntax: <path> c:\\windows </path>
+
+-or-
+
+Syntax, when used with the **<mappings>** element: <path> C:\\, D:\\ </path>
+
+### <mappings>
+
+This element is an optional child of **<offline>**. When specified, the **<mappings>** element will override the automatically detected WinPE drive mappings. Each child **<path>** element will provide a mapping from one system volume to another. Additionally, mappings between folders can be provided, since an entire volume can be mounted to a specific folder.
+
+Syntax: <mappings> </mappings>
+
+### <failOnMultipleWinDir>
+
+This element is an optional child of **<offline>**. The **<failOnMultipleWinDir>** element allows the user to specify that the migration should fail when USMT detects that there are multiple instances of Windows installed on the source machine. When the **<failOnMultipleWinDir>** element isn’t present, the default behavior is that the migration does not fail.
+
+Syntax: <failOnMultipleWinDir>1</failOnMultipleWinDir> or Syntax: <failOnMultipleWinDir>0</failOnMultipleWinDir>
+
+### Offline .xml Example
+
+The following XML example illustrates some of the elements discussed earlier in this topic.
+
+``` xml
+
+
+
+
+Variable
+Value
+Scenario
+
+
+Set USMT_WORKING_DIR=[path to working directory]
+
+
+Set MIG_OFFLINE_PLATFORM_ARCH=32
-
-
-
-
-For example, you can use all of the XML migration file types for a single migration, as in the following example:
-
-``` syntax
-Scanstate
-
-
-
-XML migration file
-Modifies the following components:
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-**Usage:**
-
-``` syntax
-MigXmlHelper.GenerateDocPatterns ("
-
-
-
-Setting
-Value
-Default Value
-
-
-
-<pattern type="File">C:\Program Files\Microsoft Office[.doc]</pattern>
-
-
-
-
-
-
-
-
-
-To exclude the new text document.txt file as well as any .txt files in “new folder”, you can do the following:
-
-**Example 1: Exclude all .txt files in a folder**
-
-To exclude Rule 1, there needs to be an exact match of the file name. However, for Rule 2, you can create a pattern to exclude files by using the file name extension.
-
-``` syntax
-
-
-<pattern type="File">d:\new folder[new text document.txt]</pattern>
-
-
-<pattern type="File">d:\new folder[]</pattern>
+
+
+
+
+For example, you can use all of the XML migration file types for a single migration, as in the following example:
+
+```
+Scanstate
+
+
+
+XML migration file
+Modifies the following components:
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+**Usage:**
+
+```
+MigXmlHelper.GenerateDocPatterns ("
+
+
+
+Setting
+Value
+Default Value
+
+
+
+<pattern type="File">C:\Program Files\Microsoft Office[.doc]</pattern>
+
+
+
+
+
+
+
+
+
+To exclude the new text document.txt file as well as any .txt files in “new folder”, you can do the following:
+
+**Example 1: Exclude all .txt files in a folder**
+
+To exclude Rule 1, there needs to be an exact match of the file name. However, for Rule 2, you can create a pattern to exclude files by using the file name extension.
+
+``` xml
+
+
+<pattern type="File">d:\new folder[new text document.txt]</pattern>
+
+
+<pattern type="File">d:\new folder[]</pattern>
-
-
-
-
-You use the **<fatal>** element to specify that errors matching a specific pattern should cause USMT to halt the migration.
-
-## <fileError>
-
-
-The **<fileError>** element is not required.
-
-- **Number of occurrences**: Once for each component
-
-- **Parent elements**: **<ErrorControl>**
-
-- **Child elements**: **<nonFatal>** and **<fatal>**
-
-Syntax: `
-
-
-
-Parameter
-Required
-Value
-
-
-
-
-
-
-
-
-You use the **<nonFatal>** element to specify that errors matching a specific pattern should not cause USMT to halt the migration.
-
-## <registryError>
-
-
-The <registryError>element is not required.
-
-- **Number of occurrences**: Once for each component
-
-- **Parent elements**: **<ErrorControl>**
-
-- **Child elements**: **<nonfatal>** and **<fatal>**
-
-Syntax: `
-
-
-
-Parameter
-Required
-Value
-
-
-
-
-
-
-
-
-You use the **<registryError>** element to specify that errors matching a specific pattern should not cause USMT to halt the migration.
-
-## <HardLinkStoreControl>
-
-
-The **<HardLinkStoreControl>** element contains elements that describe how to handle files during the creation of a hard-link migration store. Its only valid child is **<fileLocked>**.
-
-Syntax: `
-
-
-
-Parameter
-Required
-Value
-
-
-
-
-
-
-
-
-The valid and required children of **<changeGroup>** are **<include>** and **<exclude>**. Although both can be children at the same time, only one is required.
-
-Syntax: `
-
-
-
-Parameter
-Required
-Value
-
-
-
-
-
-
-
-
+
+
+
+
+You use the **<fatal>** element to specify that errors matching a specific pattern should cause USMT to halt the migration.
+
+## <fileError>
+
+
+The **<fileError>** element is not required.
+
+- **Number of occurrences**: Once for each component
+
+- **Parent elements**: **<ErrorControl>**
+
+- **Child elements**: **<nonFatal>** and **<fatal>**
+
+Syntax: `
+
+
+
+Parameter
+Required
+Value
+
+
+
+
+
+
+
+
+You use the **<nonFatal>** element to specify that errors matching a specific pattern should not cause USMT to halt the migration.
+
+## <registryError>
+
+
+The <registryError>element is not required.
+
+- **Number of occurrences**: Once for each component
+
+- **Parent elements**: **<ErrorControl>**
+
+- **Child elements**: **<nonfatal>** and **<fatal>**
+
+Syntax: `
+
+
+
+Parameter
+Required
+Value
+
+
+
+
+
+
+
+
+You use the **<registryError>** element to specify that errors matching a specific pattern should not cause USMT to halt the migration.
+
+## <HardLinkStoreControl>
+
+
+The **<HardLinkStoreControl>** element contains elements that describe how to handle files during the creation of a hard-link migration store. Its only valid child is **<fileLocked>**.
+
+Syntax: `
+
+
+
+Parameter
+Required
+Value
+
+
+
+
+
+
+
+
+The valid and required children of **<changeGroup>** are **<include>** and **<exclude>**. Although both can be children at the same time, only one is required.
+
+Syntax: `
+
+
+
+Parameter
+Required
+Value
+
+
+
+
+
+
+
+
-
-
-
-
-
-
-
-
-If you have the following code in the same component
-Resulting behavior
-Explanation
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-### Including and excluding registry objects
-
-
-
-
-
-If you have the following code in different components
-Resulting behavior
-Explanation
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-If you have the following code in the same component
-Resulting behavior
-Explanation
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-## File collisions
-
-
-### What is the default behavior when there are file collisions?
-
-If there is not a <merge> rule, the default behavior for the registry is for the source to overwrite the destination. The default behavior for files is for the source to be renamed incrementally: for example, OriginalFileName(1).OriginalExtension, OriginalFileName(2).OriginalExtension, and so on.
-
-### How does the <merge> rule work when there are file collisions?
-
-When a collision is detected, USMT will select the most specific <merge> rule and apply it to resolve the conflict. For example, if you have a <merge> rule for C:\\\* \[\*\] set to **sourcePriority()** and another <merge> rule for C:\\subfolder\\\* \[\*\] set to **destinationPriority()** , then USMT uses the destinationPriority() rule because it is the most specific.
-
-### Example scenario
-
-The source computer contains the following files:
-
-- C:\\Data\\SampleA.txt
-
-- C:\\Data\\SampleB.txt
-
-- C:\\Data\\Folder\\SampleB.txt
-
-The destination computer contains the following files:
-
-- C:\\Data\\SampleB.txt
-
-- C:\\Data\\Folder\\SampleB.txt
-
-You have a custom .xml file that contains the following code:
-
-``` syntax
-
-
-
-
-If you have the following code in different components
-Resulting behavior
-Explanation
-
-
-
-
-
-
-
-
-
-
-
-## Related topics
-
-
-[USMT XML Reference](usmt-xml-reference.md)
-
-
-
-
-
-
-
-
-
+---
+title: Conflicts and Precedence (Windows 10)
+description: Conflicts and Precedence
+ms.assetid: 0e2691a8-ff1e-4424-879b-4d5a2f8a113a
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.date: 04/19/2017
+ms.topic: article
+---
+
+# Conflicts and Precedence
+
+
+When you include, exclude, and reroute files and settings, it is important to know how User State Migration Tool (USMT) 10.0 deals with conflicts and precedence. When working with USMT, the following are the most important conflicts and precedence guidelines to keep in mind.
+
+- **If there are conflicting rules within a component, the most specific rule is applied.** However, the <unconditionalExclude> rule is an exception because it takes precedence over all others. Directory names take precedence over file extensions. For examples, see [What happens when there are conflicting include and exclude rules?](#bkmk1) and the first example in [Include and exclude precedence examples](#precexamples)****later in this topic.
+
+- **Only rules inside the same component can affect each other, depending on specificity.** Rules that are in different components do not affect each other, except for the <unconditionalExclude> rule.
+
+- **If the rules are equally specific, <exclude> takes precedence over <include>.** For example, if you use the <exclude> rule to exclude a file and use the <include> rule to include the same file, the file will be excluded.
+
+- **The ordering of components does not matter.** It does not matter which components are listed in which .xml file, because each component is processed independently of the other components across all of the .xml files.
+
+- **The ordering of the <include> and <exclude> rules within a component does not matter.**
+
+- **You can use the <unconditionalExclude> element to globally exclude data.** This element excludes objects, regardless of any other <include> rules that are in the .xml files. For example, you can use the <unconditionalExclude> element to exclude all MP3 files on the computer or to exclude all files from C:\\UserData.
+
+## In This Topic
+
+
+**General**
+
+- [What is the relationship between rules that are located within different components?](#bkmk2)
+
+- [How does precedence work with the Config.xml file?](#bkmk3)
+
+- [How does USMT process each component in an .xml file with multiple components?](#bkmk4)
+
+- [How are rules processed?](#bkmk5)
+
+- [How does USMT combine all of the .xml files that I specify on the command line?](#bkmk6)
+
+**The <include> and <exclude> rules**
+
+- [What happens when there are conflicting include and exclude rules?](#bkmk1)
+
+- [<include> and <exclude> precedence examples](#precexamples)
+
+**File collisions**
+
+- [What is the default behavior when there are file collisions?](#collisions)
+
+- [How does the <merge> rule work when there are file collisions?](#bkmk11)
+
+## General
+
+
+### What is the relationship between rules that are located within different components?
+
+Only rules inside the same component can affect each other, depending on specificity, except for the <unconditionalExclude> rule. Rules that are in different components do not affect each other. If there is an <include> rule in one component and an identical <exclude> rule in another component, the data will be migrated because the two rules are independent of each other.
+
+If you have an <include> rule in one component and a <locationModify> rule in another component for the same file, the file will be migrated in both places. That is, it will be included based on the <include> rule, and it will be migrated based on the <locationModify> rule.
+
+The following .xml file migrates all files from C:\\Userdocs, including .mp3 files, because the <exclude> rule is specified in a separate component.
+
+``` xml
+
-
-
-
-If you specify the following code
-Resulting behavior
-
-
-<merge script="MigXmlHelper.DestinationPriority()">
- <objectSet>
- <pattern type="File">c:\data* []</pattern>
- </objectSet>
-</merge>
-
-<merge script="MigXmlHelper.SourcePriority()">
- <objectSet>
- <pattern type="File">c:\data* []</pattern>
- </objectSet>
-</merge>
-
-
-<merge script="MigXmlHelper.SourcePriority()">
- <objectSet>
- <pattern type="File">c:\data\ [*]</pattern>
- </objectSet>
-</merge>
-
+
+
+
+
+
+
+
+
+If you have the following code in the same component
+Resulting behavior
+Explanation
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+### Including and excluding registry objects
+
+
+
+
+
+If you have the following code in different components
+Resulting behavior
+Explanation
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+If you have the following code in the same component
+Resulting behavior
+Explanation
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+## File collisions
+
+
+### What is the default behavior when there are file collisions?
+
+If there is not a <merge> rule, the default behavior for the registry is for the source to overwrite the destination. The default behavior for files is for the source to be renamed incrementally: for example, OriginalFileName(1).OriginalExtension, OriginalFileName(2).OriginalExtension, and so on.
+
+### How does the <merge> rule work when there are file collisions?
+
+When a collision is detected, USMT will select the most specific <merge> rule and apply it to resolve the conflict. For example, if you have a <merge> rule for C:\\\* \[\*\] set to **sourcePriority()** and another <merge> rule for C:\\subfolder\\\* \[\*\] set to **destinationPriority()** , then USMT uses the destinationPriority() rule because it is the most specific.
+
+### Example scenario
+
+The source computer contains the following files:
+
+- C:\\Data\\SampleA.txt
+
+- C:\\Data\\SampleB.txt
+
+- C:\\Data\\Folder\\SampleB.txt
+
+The destination computer contains the following files:
+
+- C:\\Data\\SampleB.txt
+
+- C:\\Data\\Folder\\SampleB.txt
+
+You have a custom .xml file that contains the following code:
+
+``` xml
+
+
+
+
+If you have the following code in different components
+Resulting behavior
+Explanation
+
+
+
+
+
+
+
+
+
+
+
+## Related topics
+
+
+[USMT XML Reference](usmt-xml-reference.md)
+
+
+
+
+
+
+
+
+
diff --git a/windows/deployment/usmt/usmt-custom-xml-examples.md b/windows/deployment/usmt/usmt-custom-xml-examples.md
index af14caacd3..66f4f18511 100644
--- a/windows/deployment/usmt/usmt-custom-xml-examples.md
+++ b/windows/deployment/usmt/usmt-custom-xml-examples.md
@@ -1,317 +1,318 @@
----
-title: Custom XML Examples (Windows 10)
-description: Custom XML Examples
-ms.assetid: 48f441d9-6c66-43ef-91e9-7c78cde6fcc0
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.topic: article
----
-
-# Custom XML Examples
-
-
-**Note**
-Because the tables in this topic are wide, you may need to adjust the width of its window.
-
-
-
-## In This Topic:
-
-
-- [Example 1: Migrating an Unsupported Application](#example)
-
-- [Example 2: Migrating the My Videos Folder](#example2)
-
-- [Example 3: Migrating Files and Registry Keys](#example3)
-
-- [Example 4: Migrating Specific Folders from Various Locations](#example4)
-
-## Example 1: Migrating an Unsupported Application
-
-
-The following is a template for the sections that you need to migrate your application. The template is not functional on its own, but you can use it to write your own .xml file.
-
-``` syntax
-
+
+
+
+If you specify the following code
+Resulting behavior
+
+
+<merge script="MigXmlHelper.DestinationPriority()">
+ <objectSet>
+ <pattern type="File">c:\data* []</pattern>
+ </objectSet>
+</merge>
+
+<merge script="MigXmlHelper.SourcePriority()">
+ <objectSet>
+ <pattern type="File">c:\data* []</pattern>
+ </objectSet>
+</merge>
+
+
+<merge script="MigXmlHelper.SourcePriority()">
+ <objectSet>
+ <pattern type="File">c:\data\ [*]</pattern>
+ </objectSet>
+</merge>
+
-
-
-
-
-```xml
-
-
-
-
-
-Code
-Behavior
-
-
-<condition>MigXmlHelper.DoesObjectExist("File","%CSIDL_MYVIDEO%")</condition>
-
-<include filter='MigXmlHelper.IgnoreIrrelevantLinks()'>
-
-
-<pattern type="File">%CSIDL_MYVIDEO%* [*]</pattern>
-
-
-
-
-``` syntax
-
-
-
-
-Code
-Behavior
-
-
-<pattern type="File">%ProgramFiles%\USMTTestFolder* [USMTTestFile.txt]</pattern>
-
-<pattern type="File">%ProgramFiles%\USMTDIRTestFolder* []</pattern>
-
-<pattern type="Registry">HKCU\Software\USMTTESTKEY* [MyKey]</pattern>
-
-
-<pattern type="Registry">HKLM\Software\USMTTESTKEY* []</pattern>
+
+
+
+
+```xml
+
+
+
+
+
+Code
+Behavior
+
+
+<condition>MigXmlHelper.DoesObjectExist("File","%CSIDL_MYVIDEO%")</condition>
+
+<include filter='MigXmlHelper.IgnoreIrrelevantLinks()'>
+
+
+<pattern type="File">%CSIDL_MYVIDEO%* [*]</pattern>
+
+
+
+
+``` xml
+
+
+
+
+Code
+Behavior
+
+
+<pattern type="File">%ProgramFiles%\USMTTestFolder* [USMTTestFile.txt]</pattern>
+
+<pattern type="File">%ProgramFiles%\USMTDIRTestFolder* []</pattern>
+
+<pattern type="Registry">HKCU\Software\USMTTESTKEY* [MyKey]</pattern>
+
+
+<pattern type="Registry">HKLM\Software\USMTTESTKEY* []</pattern>
-
-
-
-
-**Important**
-You must use the **/nocompress** option with the **/HardLink** option.
-
-
-
-The following XML sample specifies that files locked by an application under the \\Users directory can remain in place during the migration. It also specifies that locked files that are not located in the \\Users directory should result in the **File in Use** error. It is important to exercise caution when specifying the paths using the **File in Use<createhardlink>** tag in order to minimize scenarios that make the hard-link migration store more difficult to delete.
-
-``` syntax
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+**Important**
+You must use the **/nocompress** option with the **/HardLink** option.
+
+
+
+The following XML sample specifies that files locked by an application under the \\Users directory can remain in place during the migration. It also specifies that locked files that are not located in the \\Users directory should result in the **File in Use** error. It is important to exercise caution when specifying the paths using the **File in Use<createhardlink>** tag in order to minimize scenarios that make the hard-link migration store more difficult to delete.
+
+``` xml
+
+
+
+
+
+
+
+
+
+
+
+
-
-
-
-
-**Note**
-You cannot store any of the log files in *StorePath*. If you do, the log will be overwritten when USMT is run.
-
-
-
-## ScanState and LoadState Logs
-
-
-ScanState and LoadState logs are text files that are create when you run the ScanState and LoadState tools. You can use these logs to help monitor your migration. The content of the log depends on the command-line options that you use and the verbosity level that you specify. For more information about verbosity levels, see Monitoring Options in [ScanState Syntax](usmt-scanstate-syntax.md).
-
-## Progress Log
-
-
-You can create a progress log using the **/progress** option. External tools, such as Microsoft System Center Operations Manager 2007, can parse the progress log to update your monitoring systems. The first three fields in each line are fixed as follows:
-
-- **Date:** Date, in the format of *day* *shortNameOfTheMonth* *year*. For example: 08 Jun 2006.
-
-- **Local time:** Time, in the format of *hrs*:*minutes*:*seconds* (using a 24-hour clock). For example: 13:49:13.
-
-- **Migration time:** Duration of time that USMT was run, in the format of *hrs:minutes:seconds*. For example: 00:00:10.
-
-The remaining fields are key/value pairs as indicated in the following table.
-
-
-
-
-
-Command line Option
-File Name
-Description
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-## List Files Log
-
-
-The List files log (Listfiles.txt) provides a list of the files that were migrated. This list can be used to troubleshoot XML issues or can be retained as a record of the files that were gathered into the migration store. The List Files log is only available for ScanState.exe.
-
-## Diagnostic Log
-
-
-You can obtain the diagnostic log by setting the environment variable MIG\_ENABLE\_DIAG to a path to an XML file.
-
-The diagnostic log contains:
-
-- Detailed system environment information
-
-- Detailed user environment information
-
-- Information about the migration units (migunits) being gathered and their contents
-
-## Using the Diagnostic Log
-
-
-The diagnostic log is essentially a report of all the migration units (migunits) included in the migration. A migunit is a collection of data that is identified by the component it is associated with in the XML files. The migration store is made up of all the migunits in the migration. The diagnostic log can be used to verify which migunits were included in the migration and can be used for troubleshooting while authoring migration XML files.
-
-The following examples describe common scenarios in which you can use the diagnostic log.
-
-**Why is this file not migrating when I authored an "include" rule for it?**
-
-Let’s imagine that we have the following directory structure and that we want the “data” directory to be included in the migration along with the “New Text Document.txt” file in the “New Folder.” The directory of **C:\\data** contains:
-
-``` syntax
-01/21/2009 10:08 PM
-
-
-
-Key
-Value
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+**Note**
+You cannot store any of the log files in *StorePath*. If you do, the log will be overwritten when USMT is run.
+
+
+
+## ScanState and LoadState Logs
+
+
+ScanState and LoadState logs are text files that are create when you run the ScanState and LoadState tools. You can use these logs to help monitor your migration. The content of the log depends on the command-line options that you use and the verbosity level that you specify. For more information about verbosity levels, see Monitoring Options in [ScanState Syntax](usmt-scanstate-syntax.md).
+
+## Progress Log
+
+
+You can create a progress log using the **/progress** option. External tools, such as Microsoft System Center Operations Manager 2007, can parse the progress log to update your monitoring systems. The first three fields in each line are fixed as follows:
+
+- **Date:** Date, in the format of *day* *shortNameOfTheMonth* *year*. For example: 08 Jun 2006.
+
+- **Local time:** Time, in the format of *hrs*:*minutes*:*seconds* (using a 24-hour clock). For example: 13:49:13.
+
+- **Migration time:** Duration of time that USMT was run, in the format of *hrs:minutes:seconds*. For example: 00:00:10.
+
+The remaining fields are key/value pairs as indicated in the following table.
+
+
+
+
+
+Command line Option
+File Name
+Description
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+## List Files Log
+
+
+The List files log (Listfiles.txt) provides a list of the files that were migrated. This list can be used to troubleshoot XML issues or can be retained as a record of the files that were gathered into the migration store. The List Files log is only available for ScanState.exe.
+
+## Diagnostic Log
+
+
+You can obtain the diagnostic log by setting the environment variable MIG\_ENABLE\_DIAG to a path to an XML file.
+
+The diagnostic log contains:
+
+- Detailed system environment information
+
+- Detailed user environment information
+
+- Information about the migration units (migunits) being gathered and their contents
+
+## Using the Diagnostic Log
+
+
+The diagnostic log is essentially a report of all the migration units (migunits) included in the migration. A migunit is a collection of data that is identified by the component it is associated with in the XML files. The migration store is made up of all the migunits in the migration. The diagnostic log can be used to verify which migunits were included in the migration and can be used for troubleshooting while authoring migration XML files.
+
+The following examples describe common scenarios in which you can use the diagnostic log.
+
+**Why is this file not migrating when I authored an "include" rule for it?**
+
+Let’s imagine that we have the following directory structure and that we want the “data” directory to be included in the migration along with the “New Text Document.txt” file in the “New Folder.” The directory of **C:\\data** contains:
+
+```
+01/21/2009 10:08 PM
+
+
+
+Key
+Value
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-
-
-
-## <addObjects>
-
-
-The <addObjects> element emulates the existence of one or more objects on the source computer. The child <object> elements provide the details of the emulated objects. If the content is a <script> element, the result of the invocation will be an array of objects.
-
-- **Number of occurrences:** unlimited
-
-- **Parent elements:**[<rules>](#rules)
-
-- **Required child elements:** [<object>](#object) In addition, you must specify [<location>](#location) and [<attribute>](#attribute) as child elements of this <object> element.
-
-- **Optional child elements:**[<conditions>](#conditions), <condition>, [<script>](#script)
-
-Syntax:
-
-<addObjects>
-
-</addObjects>
-
-The following example is from the MigApp.xml file:
-
-``` syntax
-
-
-
-
-Elements A-K
-Elements L-Z
-Helper functions
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-The following example is from the MigApp.xml file:
-
-``` syntax
-
-```
-
-## <bytes>
-
-
-You must specify the <bytes> element only for files because, if <location> corresponds to a registry key or a directory, then <bytes> will be ignored.
-
-- **Number of occurrences:** zero or one
-
-- **Parent elements:**[<object>](#object)
-
-- **Child elements:** none
-
-Syntax:
-
-<bytes string="Yes|No" expand="Yes|No">*Content*</bytes>
-
-
-
-
-
-Setting
-Required?
-Value
-
-
-
-
-
-
-
-
-
-
-
-The following example is from the MigApp.xml file:
-
-``` syntax
-
-```
-
-## <commandLine>
-
-
-You might want to use the <commandLine> element if you want to start or stop a service or application before or after you run the ScanState and LoadState tools.
-
-- **Number of occurrences:** unlimited
-
-- **Parent elements:**[<externalProcess>](#externalprocess)
-
-- **Child elements:** none****
-
-Syntax:
-
-<commandLine>*CommandLineString*</commandLine>
-
-
-
-
-
-Setting
-Required?
-Value
-
-
-
-
-
-
-
-
-
-
-
-
-
-## <component>
-
-
-The <component> element is required in a custom .xml file. This element defines the most basic construct of a migration .xml file. For example, in the MigApp.xml file, "Microsoft® Office 2003" is a component that contains another component, "Microsoft Office Access® 2003". You can use the child elements to define the component.
-
-A component can be nested inside another component; that is, the <component> element can be a child of the <role> element within the <component> element in two cases: 1) when the parent <component> element is a container or 2) if the child <component> element has the same role as the parent <component> element.
-
-- **Number of occurrences:** Unlimited
-
-- **Parent elements:**[<migration>](#migration), [<role>](#role)
-
-- **Required child elements:**[<role>](#role), [<displayName>](#displayname)
-
-- **Optional child elements:**[<manufacturer>](#manufacturer), [<version>](#version), [<description>](#description), [<paths>](#paths), [<icon>](#icon), [<environment>](#bkmk-environment), [<extensions>](#extensions)
-
-Syntax:
-
-<component type="System|Application|Device|Documents" context="User|System|UserAndSystem" defaultSupported="TRUE|FALSE|YES|NO"
-
-hidden="Yes|No">
-
-</component>
-
-
-
-
-
-Setting
-Required?
-Value
-
-
-
-
-
-
-
-
-For an example, see any of the default migration .xml files.
-
-## <condition>
-
-
-Although the <condition> element under the <detect>, <objectSet>, and <addObjects> elements is supported, we recommend that you do not use it. This element might be deprecated in future versions of USMT, requiring you to rewrite your scripts. We recommend that, if you need to use a condition within the <objectSet> and <addObjects> elements, you use the more powerful [<conditions>](#conditions) element, which allows you to formulate complex Boolean statements.
-
-The <condition> element has a Boolean result. You can use this element to specify the conditions in which the parent element will be evaluated. If any of the present conditions return FALSE, the parent element will not be evaluated.
-
-- **Number of occurrences:** unlimited.
-
-- **Parent elements:**[<conditions>](#conditions), <detect>, <objectSet>, <addObjects>
-
-- **Child elements:** none
-
-- **Helper functions:** You can use the following [<condition> functions](#conditionfunctions) with this element: DoesOSMatch, IsNative64Bit(), IsOSLaterThan, IsOSEarlierThan, DoesObjectExist, DoesFileVersionMatch, IsFileVersionAbove, IsFileVersionBelow, IsSystemContext, DoesStringContentEqual, DoesStringContentContain, IsSameObject, IsSameContent, and IsSameStringContent.
-
-Syntax:
-
-<condition negation="Yes|No">*ScriptName*</condition>
-
-
-
-
-
-Setting
-Required?
-Value
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-For example,
-
-In the code sample below, the <condition> elements, A and B, are joined together by the AND operator because they are in separate <conditions> sections. For example:
-
-``` syntax
-
-
-
-
-Setting
-Required?
-Value
-
-
-
-
-
-
-
-
-
-
-~~~
-For example:
-
-<condition>MigXmlHelper.DoesOSMatch("NT","\*")</condition>
-~~~
-
-- **IsNative64Bit**
-
- The IsNative64Bit function returns TRUE if the migration process is running as a native 64-bit process; that is, a process running on a 64-bit system without Windows on Windows (WOW). Otherwise, it returns FALSE.
-
-- **IsOSLaterThan**
-
- All comparisons are case insensitive.
-
- Syntax: IsOSLaterThan("*OSType*","*OSVersion*")
-
-
-
-
-
- Setting
- Required?
- Value
-
-
-
-
-
- 5.0.2600.Service Pack 1. You can also specify partial specification of the version with a pattern. For example, 5.0.*.
-
-
-
-
-~~~
-For example:
-
-<condition negation="Yes">MigXmlHelper.IsOSLaterThan("NT","6.0")</condition>
-~~~
-
-- **IsOSEarlierThan**
-
- All comparisons are case insensitive.
-
- Syntax: IsOSEarlierThan("*OSType*","*OSVersion*")
-
-
-
-
-
- Setting
- Required?
- Value
-
-
-
-
-
- 5.0.2600.Service Pack 1. You can also specify partial specification of the version but no pattern is allowed. For example, 5.0.
-
-
-
-
-### Object content functions
-
-- **DoesObjectExist**
-
- The DoesObjectExist function returns TRUE if any object exists that matches the location pattern. Otherwise, it returns FALSE. The location pattern is expanded before attempting the enumeration.
-
- Syntax: DoesObjectExist("*ObjectType*","*EncodedLocationPattern*")
-
-
-
-
-
- Setting
- Required?
- Value
-
-
-
-
-
- 5.0.2600.Service Pack 1. You can also specify partial specification of the version but no pattern is allowed. For example, 5.0.
-
-
-
-
-~~~
-For an example of this element, see the MigApp.xml file.
-~~~
-
-- **DoesFileVersionMatch**
-
- The pattern check is case insensitive.
-
- Syntax: DoesFileVersionMatch("*EncodedFileLocation*","*VersionTag*","*VersionValue*")
-
-
-
-
-
- Setting
- Required?
- Value
-
-
-
-
-
-
-
-
-
-
-~~~
-For example:
-
-<condition>MigXmlHelper.DoesFileVersionMatch("%MSNMessengerInstPath%\\msnmsgr.exe","ProductVersion","6.\*")</condition>
-
-<condition>MigXmlHelper.DoesFileVersionMatch("%MSNMessengerInstPath%\\msnmsgr.exe","ProductVersion","7.\*")</condition>
-~~~
-
-- **IsFileVersionAbove**
-
- The IsFileVersionAbove function returns TRUE if the version of the file is higher than *VersionValue*.
-
- Syntax: IsFileVersionAbove("*EncodedFileLocation*","*VersionTag*","*VersionValue*")
-
-
-
-
-
- Setting
- Required?
- Value
-
-
-
-
-
-
-
-
-
-
-
-
-- **IsFileVersionBelow**
-
- Syntax: IsFileVersionBelow("*EncodedFileLocation*","*VersionTag*","*VersionValue*")
-
-
-
-
-
- Setting
- Required?
- Value
-
-
-
-
-
-
-
-
-
-
-
-
-- **IsSystemContext**
-
- The IsSystemContext function returns TRUE if the current context is "System". Otherwise, it returns FALSE.
-
- Syntax: IsSystemContext()
-
-- **DoesStringContentEqual**
-
- The DoesStringContentEqual function returns TRUE if the string representation of the given object is identical to `StringContent`.
-
- Syntax: DoesStringContentEqual("*ObjectType*","*EncodedLocation*","*StringContent*")
-
-
-
-
-
- Setting
- Required?
- Value
-
-
-
-
-
-
-
-
-
-
-
-
-~~~
-For example:
-
-``` syntax
-
-
-
-
- Setting
- Required?
- Value
-
-
-
-
-
-
-
-
-
-
-
-
-- **IsSameObject**
-
- The IsSameObject function returns TRUE if the given encoded locations resolve to the same physical object. Otherwise, it returns FALSE.
-
- Syntax: IsSameObject("*ObjectType*","*EncodedLocation1*","*EncodedLocation2*")
-
-
-
-
-
- Setting
- Required?
- Value
-
-
-
-
-
-
-
-
-
-
-
-
-~~~
-For example:
-
-``` syntax
-
-
-
-
- Setting
- Required?
- Value
-
-
-
-
-
-
-
-
-
-
-
-
-- **IsSameStringContent**
-
- The IsSameStringContent function returns TRUE if the given objects have the same content. Otherwise, it returns FALSE. The content will be interpreted as a string.
-
- Syntax: IsSameStringContent("*ObjectType1*","*EncodedLocation1*","*ObjectType2*","*EncodedLocation2*")
-
-
-
-
-
- Setting
- Required?
- Value
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-## <conditions>
-
-
-The <conditions> element returns a Boolean result that is used to specify the conditions in which the parent element is evaluated. USMT evaluates the child elements, and then joins their results using the operators AND or OR according to the **operation** parameter.
-
-- **Number of occurrences:** Unlimited inside another <conditions> element. Limited to one occurrence in [<detection>](#detection), [<rules>](#rules), [<addObjects>](#addobjects), and [<objectSet>](#objectset)
-
-- **Parent elements:**[<conditions>](#conditions), [<detection>](#detection), [<environment>](#bkmk-environment), [<rules>](#rules), [<addObjects>](#addobjects), and [<objectSet>](#objectset)
-
-- **Child elements:**[<conditions>](#conditions), [<condition>](#condition)
-
-Syntax:
-
-<conditions operation="AND|OR">
-
-</conditions>
-
-
-
-
-
- Setting
- Required?
- Value
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-The following example is from the MigApp.xml file:
-
-``` syntax
-
-
-
-
-Setting
-Required?
-Value
-
-
-
-
-
-
-
-
-### <content> functions
-
-The following functions generate patterns out of the content of an object. These functions are called for every object that the parent <ObjectSet> element is enumerating.
-
-- **ExtractSingleFile**
-
- If the registry value is a MULTI-SZ, only the first segment is processed. The returned pattern is the encoded location for a file that must exist on the system. If the specification is correct in the registry value, but the file does not exist, this function returns NULL.
-
- Syntax: ExtractSingleFile(*Separators*,*PathHints*)
-
-
-
-
-
-Setting
-Required?
-Value
-
-
-
-, MyScripts.AScript ("Arg1","Arg2").
-
-
-
-
-~~~
-For example:
-
-``` syntax
-
-
-
-
- Setting
- Required?
- Value
-
-
-
-
-
-
-
-
-
-
-- **ExtractDirectory**
-
- The ExtractDirectory function returns a pattern that is the encoded location for a directory that must exist on the source computer. If the specification is correct in the registry value, but the directory does not exist, this function returns NULL. If it is processing a registry value that is a MULTI-SZ, only the first segment will be processed.
-
- Syntax: ExtractDirectory(*Separators*,*LevelsToTrim*,*PatternSuffix*)
-
-
-
-
-
- Setting
- Required?
- Value
-
-
-
-
-
-
-
-
-
-
-~~~
-For example:
-
-``` syntax
-
-
-
-
- Setting
- Required?
- Value
-
-
-
-
-
-
-
- * [*].
-
-
-
-
-### <contentModify> functions
-
-The following functions change the content of objects as they are migrated. These functions are called for every object that the parent <ObjectSet> element is enumerating.
-
-- **ConvertToDWORD**
-
- The ConvertToDWORD function converts the content of registry values that are enumerated by the parent <ObjectSet> element to a DWORD. For example, ConvertToDWORD will convert the string "1" to the DWORD 0x00000001. If the conversion fails, then the value of DefaultValueOnError will be applied.
-
- Syntax: ConvertToDWORD(*DefaultValueOnError*)
-
-
-
-
-
-Setting
-Required?
-Value
-
-
-
-, MyScripts.AScript ("Arg1","Arg2").
-
-
-
-
-- **ConvertToString**
-
- The ConvertToString function converts the content of registry values that match the parent <ObjectSet> element to a string. For example, it will convert the DWORD 0x00000001 to the string "1". If the conversion fails, then the value of DefaultValueOnError will be applied.
-
- Syntax: ConvertToString(*DefaultValueOnError*)
-
-
-
-
-
- Setting
- Required?
- Value
-
-
-
-
-
-
-
-
-~~~
-For example:
-
-``` syntax
-
-
-
-
- Setting
- Required?
- Value
-
-
-
-
-
-
-
-
-- **SetValueByTable**
-
- The SetValueByTable function matches the value from the source computer to the source table. If the value is there, the equivalent value in the destination table will be applied. If the value is not there, or if the destination table has no equivalent value, the *DefaultValueOnError* will be applied.
-
- Syntax: SetValueByTable(*SourceTable*,*DestinationTable*,*DefaultValueOnError*)
-
-
-
-
-
- Setting
- Required?
- Value
-
-
-
- OffsetValue(2).
-
-
-
-
-- **KeepExisting**
-
- You can use the KeepExisting function when there are conflicts on the destination computer. This function will keep (not overwrite) the specified attributes for the object that is on the destination computer.
-
- Syntax: KeepExisting("*OptionString*","*OptionString*","*OptionString*",…)
-
-
-
-
-
- Setting
- Required?
- Value
-
-
-
-
-
-
-
-
-
-
-
-
-- **MergeMultiSzContent**
-
- The MergeMultiSzContent function merges the MULTI-SZ content of the registry values that are enumerated by the parent <ObjectSet> element with the content of the equivalent registry values that already exist on the destination computer. `Instruction` and `String` either remove or add content to the resulting MULTI-SZ. Duplicate elements will be removed.
-
- Syntax: MergeMultiSzContent (*Instruction*,*String*,*Instruction*,*String*,…)
-
-
-
-
-
- Setting
- Required?
- Value
-
-
-
-
-
-
-
-
-
-
-- **MergeDelimitedContent**
-
- The MergeDelimitedContent function merges the content of the registry values that are enumerated by the parent <ObjectSet> element with the content of the equivalent registry values that already exist on the destination computer. The content is considered a list of elements separated by one of the characters in the Delimiters parameter. Duplicate elements will be removed.
-
- Syntax: MergeDelimitedContent(*Delimiters*,*Instruction*,*String*,…)
-
-
-
-
-
- Setting
- Required?
- Value
-
-
-
-
-
-
-
-
-
-
-
-## <description>
-
-
-The <description> element defines a description for the component but does not affect the migration.
-
-- **Number of occurrences:** zero or one
-
-- **Parent elements:**[<component>](#component)
-
-- **Child elements:** none
-
-Syntax:
-
-<description>*ComponentDescription*</description>
-
-
-
-
-
- Setting
- Required?
- Value
-
-
-
-
-
-
-
-
-
-
-
-
-
-The following code sample shows how the <description> element defines the "My custom component" description.:
-
-``` syntax
-
-
-
-
-Setting
-Required?
-Value
-
-
-
-
-
-
-
-
-For example:
-
-``` syntax
-
-
-
-
-Setting
-Required?
-Value
-
-
-
-, MyScripts.AScript ("Arg1","Arg2").
-
-
-
-
-For examples, see the examples for [<detection>](#detection).
-
-## <detects>
-
-
-Although the <detects> element is still supported, we recommend that you do not use it because it may be deprecated in future versions of USMT, which would require you to rewrite your scripts. Instead, we recommend that you use the [<detection>](#detection) element if the parent element is <role> or <namedElements>, and we recommend that you use the <conditions> element if the parent element is <rules>. Using <detection> allows you to more clearly formulate complex Boolean statements.
-
-The <detects> element is a container for one or more <detect> elements. If all of the child <detect> elements within a <detects> element resolve to TRUE, then <detects> resolves to TRUE. If any of the child <detect> elements resolve to FALSE, then <detects> resolves to FALSE. If you do not want to write the <detects> elements within a component, then you can create the <detects> element under the <namedElements> element, and then refer to it. If there is no <detects> element section, then USMT will assume that the component is present. The results from each <detects> element are joined together by the OR operator to form the rule used to detect the parent element.
-
-Syntax:
-
-<detects name="*ID*" context="User|System|UserAndSystem">
-
-</detects>
-
-- **Number of occurrences:** Unlimited.
-
-- **Parent elements:**[<role>](#role), [<rules>](#rules), [<namedElements>](#namedelements)
-
-- **Required child elements:** <detect>
-
-
-
-
-
-Setting
-Required?
-Value
-
-
-
-
-
-
-
-
-
-
-
-The following example is from the MigApp.xml file.
-
-``` syntax
-
-
-
-
-Setting
-Required?
-Value
-
-
-
-
-
-
-
-
-
-
-
-
-For example:
-
-``` syntax
-
-
-
-
-Setting
-Required?
-Value
-
-
-
-
-
-
-
-
-
-
-
-
-For example:
-
-``` syntax
-
-
-
-
-Setting
-Required?
-Value
-
-
-
-
-
-
-
-
-
-
-##
-
-
-### Example scenario 1
-
-In this scenario, you want to generate the location of objects at run time depending on the configuration of the destination computer. For example, you must do this if an application writes data in the directory where it is installed, and users can install the application anywhere on the computer. If the application writes a registry value hklm\\software\\companyname\\install \[path\] and then updates this value with the location where the application is installed, then the only way for you to migrate the required data correctly is to define an environment variable. For example:
-
-``` syntax
-
-
-
-
-Setting
-Required?
-Value
-
-
-
-
-
-
-
-
-
-
-
-For example, from the MigUser.xml file:
-
-``` syntax
-
-
-
-
-Setting
-Required?
-Value
-
-
-
-, MyScripts.AScript ("Arg1","Arg2").
-
-
-
-
-Example:
-
-``` syntax
-
-
-
-
-Parameter
-Required?
-Value
-
-
-
-"Security","TimeFields":
-
-
-
-
-
-For example, if you want to migrate all \*.doc files from the source computer, specifying the following code under the <component> element:
-
-``` syntax
-
-
-
-
-Setting
-Required?
-Value
-
-
-
-
-
-
-
-
-For an example of how to use the <externalProcess> element, see the example for [<excludeAttributes>](#excludeattributes).
-
-## <icon>
-
-
-This is an internal USMT element. Do not use this element.
-
-## <include>
-
-
-The <include> element determines what to migrate, unless there is a more specific [<exclude>](#exclude) rule. You can specify a script to be more specific to extend the definition of what you want to collect. For each <include> element there can be multiple <objectSet> elements.
-
-- **Number of occurrences:** Unlimited
-
-- **Parent elements:**[<rules>](#rules)
-
-- **Required child element:**[<objectSet>](#objectset)
-
-- **Helper functions:** You can use the following [<include> filter functions](#persistfilterfunctions) with this element: CompareStringContent, IgnoreIrrelevantLinks, AnswerNo, and NeverRestore.
-
-Syntax:
-
-<include filter="*ScriptInvocation*">
-
-</include>
-
-
-
-
-
-Setting
-Required?
-Value
-
-
-
-
-
-
-
-
-
-The following example is from the MigUser.xml file:
-
-``` syntax
-
-
-
-
-Setting
-Required?
-Value
-
-
-
-, MyScripts.AScript ("Arg1","Arg2").
-
-
-
-
-- **IgnoreIrrelevantLinks**
-
- This filter screens out the .lnk files that point to an object that is not valid on the destination computer. Note that the screening takes place on the destination computer, so all .lnk files will be saved to the store during ScanState. Then they will be screened out when you run the LoadState tool.
-
- Syntax: IgnoreIrrelevantLinks ()
-
- For example:
-
- ``` syntax
-
-
-
-
- Setting
- Required?
- Value
-
-
-
-
-
-
-
StringContent.StringContent.
-
-
-
-
-For an example of how to use the <includeAttributes> element, see the example for [<excludeAttributes>](#excludeattributes).
-
-## <library>
-
-
-This is an internal USMT element. Do not use this element.
-
-## <location>
-
-
-The <location> element defines the location of the <object> element.
-
-- **Number of occurrences:** once for each <object>
-
-- **Parent elements:**[<object>](#object)
-
-- **Child elements:**[<script>](#script)
-
-Syntax:
-
-<location type="*typeID*">*ObjectLocation*</location>
-
-
-
-
-
-Setting
-Required?
-Value
-
-
-
-"Security","TimeFields":
-
-
-
-
-
-
-
-The following example is from the MigApp.xml file:
-
-``` syntax
-
-
-
-
-Setting
-Required?
-Value
-
-
-
-
-
-
-
-
-
-
-The following example is from the MigApp.xml file:
-
-``` syntax
-
-
-
-
-Setting
-Required?
-Value
-
-
-
-, MyScripts.AScript ("Arg1","Arg2").
-
-
-
-
-~~~
-For example:
-
-``` syntax
-
-
-
-
- Setting
- Required?
- Value
-
-
-
-
-
-
-
-
-- **RelativeMove**
-
- You can use the RelativeMove function to collect and move data. Note that you can use environment variables in source and destination roots, but they may be defined differently on the source and destination computers.
-
- Syntax: RelativeMove(*SourceRoot*,*DestinationRoot*)
-
-
-
-
-
- Setting
- Required?
- Value
-
-
-
-
-
-
-
-
-~~~
-For example:
-
-``` syntax
-
-
-
-
- Setting
- Required?
- Value
-
-
-
-
-
-
-
-
-
-
-## <merge>
-
-
-The <merge> element determines what will happen when a collision occurs. A collision is when an object that is migrated is already present on the destination computer. If you do not specify this element, the default behavior for the registry is for the source object to overwrite the destination object. The default behavior for files is for the source file to be renamed to "OriginalFileName(1).OriginalExtension". This element specifies only what should be done when a collision occurs. It does not include objects. Therefore, for your objects to migrate, you must specify <include> rules along with the <merge> element. When an object is processed and a collision is detected, USMT will select the most specific merge rule and apply it to resolve the conflict. For example, if you have a <merge> rule C:\\\* \[\*\] set to <sourcePriority> and a <merge> rule C:\\subfolder\\\* \[\*\] set to <destinationPriority>, then USMT would use the <destinationPriority> rule because it is the more specific.
-
-For an example of this element, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md).
-
-- **Number of occurrences:** Unlimited
-
-- **Parent elements:**[<rules>](#rules)
-
-- **Required child element:**[<objectSet>](#objectset)
-
-- **Helper functions:** You can use the following [<merge> functions](#mergefunctions) with this element: SourcePriority, DestinationPriority, FindFilePlaceByPattern, LeafPattern, NewestVersion, HigherValue(), and LowerValue().
-
-Syntax:
-
-<merge script="*ScriptInvocation*">
-
-</merge>
-
-
-
-
-
-Setting
-Required?
-Value
-
-
-
-
-
-
-
-
-The following example is from the MigUser.xml file:
-
-``` syntax
-
-
-
-
-Setting
-Required?
-Value
-
-
-
-, MyScripts.AScript ("Arg1","Arg2").
-
-
-
-
-- **NewestVersion**
-
- The NewestVersion function will resolve conflicts on the destination computer based on the version of the file.
-
- Syntax: NewestVersion(*VersionTag*)
-
-
-
-
-
- Setting
- Required?
- Value
-
-
-
-
-
- <F> (<N>).<E> will change the source file MyDocument.doc into MyDocument (1).doc on the destination computer.
-
-
-
-
-- **HigherValue()**
-
- You can use this function for merging registry values. The registry values will be evaluated as numeric values, and the one with the higher value will determine which registry values will be merged.
-
-- **LowerValue()**
-
- You can use this function for merging registry values. The registry values will be evaluated as numeric values and the one with the lower value will determine which registry values will be merged.
-
-- **SourcePriority**
-
- Specifies to migrate the object from the source computer, and to delete the object that is on the destination computer.
-
- For example:
-
- ``` syntax
-
-
-
-
- Setting
- Required?
- Value
-
-
-
-
-
-
-
-
-The following example is from the MigApp.xml file:
-
-``` syntax
-
-
-
-
-Setting
-Required?
-Value
-
-
-
-
-
-
-
-
-
-
-``` syntax
-
-
-
-
-Helper Function
-MigXMLHelper.FileProperties (property, operator, valueToCompare)
-
-
-
-
-
-
-
-
-
-
-
-
-For example:
-
-- To migrate a single registry key:
-
- ``` syntax
-
-
-
-
-Setting
-Required?
-Value
-
-
-
-
-
-
-
<pattern type="File">c:\documents\mydocs [file^].txt]</pattern> instead of <pattern type="File">c:\documents\mydocs [file].txt]</pattern>.
-
-
-
-
-## <plugin>
-
-
-This is an internal USMT element. Do not use this element.
-
-## <role>
-
-
-The <role> element is required in a custom .xml file. By specifying the <role> element, you can create a concrete component. The component will be defined by the parameters specified at the <component> level, and with the role that you specify here.
-
-- **Number of occurrences:** Each <component> can have one, two or three child <role> elements.
-
-- **Parent elements:**[<component>](#component), [<role>](#role)
-
-- **Required child elements:**[<rules>](#rules)
-
-- **Optional child elements:**[<environment>](#bkmk-environment), [<detection>](#detection), [<component>](#component), [<role>](#role), <detects>, <plugin>,
-
-Syntax:
-
-<role role="Container|Binaries|Settings|Data">
-
-</role>
-
-
-
-
-
-Setting
-Required?
-Value
-
-
-
-
-
-
-
-
-
-The following example is from the MigUser.xml file. For more examples, see the MigApp.xml file:
-
-``` syntax
-
-
-
-
-Setting
-Required?
-Value
-
-
-
-
-
-
-
-<component context="UserAndSystem" type="Application">
- <displayName _locID="migapp.msoffice2003">Microsoft Office 2003</displayName>
- <environment name="GlobalEnv" />
- <role role="Container">
- <detection name="AnyOffice2003Version" />
- <detection name="FrontPage2003" />
- <!--
- Office 2003 Common Settings
- -->
- <component context="UserAndSystem" type="Application">
-
-
-
-
-The following example is from the MigUser.xml file:
-
-``` syntax
-
-
-
-
-Setting
-Required?
-Value
-
-
-
-
-
-
-
-
-
-
-
-Examples:
-
-To migrate the Sample.doc file from any drive on the source computer, use <script> as follows. If multiple files exist with the same name, all such files will get migrated.
-
-``` syntax
-
-```
-
-For more examples of how to use this element, see [Exclude Files and Settings](usmt-exclude-files-and-settings.md), [Reroute Files and Settings](usmt-reroute-files-and-settings.md), and [Custom XML Examples](usmt-custom-xml-examples.md).
-
-### <script> functions
-
-You can use the following functions with the <script> element
-
-- [String and pattern generating functions](#stringgeneratingfunctions)
-
-- [Simple executing scripts](#simple)
-
-### String and pattern generating functions
-
-These functions return either a string or a pattern.
-
-- **GetStringContent**
-
- You can use GetStringContent with <script> elements that are within <variable> elements. If possible, this function returns the string representation of the given object. Otherwise, it returns NULL. For file objects this function always returns NULL.
-
- Syntax: GetStringContent("*ObjectType*","*EncodedLocationPattern*", "*ExpandContent*")
-
-
-
-
-
-Setting
-Required?
-Value
-
-
-
-, MyScripts.AScript ("Arg1","Arg2").
-
<pattern type="File">c:\documents\mydocs [file^].txt]</pattern> instead of <pattern type="File">c:\documents\mydocs [file].txt]</pattern>.
-
-
-
-
-~~~
-For example:
-
-``` syntax
-
-
-
-
- Setting
- Required?
- Value
-
-
-
-
-
-
-
-
-
-
-
-
-
-~~~
-See the last component in the MigUser.xml file for an example of this element.
-~~~
-
-- **GenerateUserPatterns**
-
- The function will iterate through all users that are being migrated, excluding the currently processed user if <ProcessCurrentUser> is FALSE, and will expand the specified pattern in the context of each user. For example, if users A, B and C have profiles in C:\\Documents and Settings), by calling `GenerateUserPattens('File','%userprofile% [*.doc]','TRUE')`, the helper function will generate the following three patterns:
-
- - "C:\\Documents and Settings\\A\\\* \[\*.doc\]"
-
- - "C:\\Documents and Settings\\B\\\* \[\*.doc\]"
-
- - "C:\\Documents and Settings\\C\\\* \[\*.doc\]"
-
- Syntax:GenerateUserPatterns("*ObjectType*","*EncodedLocationPattern*","*ProcessCurrentUser*")
-
-
-
-
-
- Setting
- Required?
- Value
-
-
-
-
-
-
-
-
-
-
-
-~~~
-**Example:**
-
-If GenerateUserPattens('File','%userprofile% \[\*.doc\]','FALSE') is called while USMT is processing user A, then this function will only generate patterns for users B and C. You can use this helper function to build complex rules. For example, to migrate all .doc files from the source computer — but if user X is not migrated, then do not migrate any of the .doc files from user X’s profile.
-
-The following is example code for this scenario. The first <rules> element migrates all.doc files on the source computer with the exception of those inside C:\\Documents and Settings. The second <rules> elements will migrate all .doc files from C:\\Documents and Settings with the exception of the .doc files in the profiles of the other users. Because the second <rules> element will be processed in each migrated user context, the end result will be the desired behavior. The end result is the one we expected.
-
-``` syntax
-
-
-
-
- Setting
- Required?
- Value
-
-
-
-
-
-
-
-
-
-
-
-
-``` syntax
-
-
-
-
-
-Setting
-Required?
-Value
-
-
-
-
-
-
-
-
-
-
-
-
-For example:
-
-``` syntax
-
-
-
-
-Setting
-Value
-
-
-
-
-
-
-
-
-The following example is from the MigApp.xml file:
-
-``` syntax
-
-
-
-
-Setting
-Required?
-Value
-
-
-MyComponent.InstallPath.
-
-
-
-
-
-
-
-For example:
-
-``` syntax
-
-
-
-
-Setting
-Required?
-Value
-
-
-
-
+
+
+
+
+## <addObjects>
+
+
+The <addObjects> element emulates the existence of one or more objects on the source computer. The child <object> elements provide the details of the emulated objects. If the content is a <script> element, the result of the invocation will be an array of objects.
+
+- **Number of occurrences:** unlimited
+
+- **Parent elements:**[<rules>](#rules)
+
+- **Required child elements:** [<object>](#object) In addition, you must specify [<location>](#location) and [<attribute>](#attribute) as child elements of this <object> element.
+
+- **Optional child elements:**[<conditions>](#conditions), <condition>, [<script>](#script)
+
+Syntax:
+
+<addObjects>
+
+</addObjects>
+
+The following example is from the MigApp.xml file:
+
+``` xml
+
+
+
+
+Elements A-K
+Elements L-Z
+Helper functions
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+The following example is from the MigApp.xml file:
+
+``` xml
+
+```
+
+## <bytes>
+
+
+You must specify the <bytes> element only for files because, if <location> corresponds to a registry key or a directory, then <bytes> will be ignored.
+
+- **Number of occurrences:** zero or one
+
+- **Parent elements:**[<object>](#object)
+
+- **Child elements:** none
+
+Syntax:
+
+<bytes string="Yes|No" expand="Yes|No">*Content*</bytes>
+
+
+
+
+
+Setting
+Required?
+Value
+
+
+
+
+
+
+
+
+
+
+
+The following example is from the MigApp.xml file:
+
+``` xml
+
+```
+
+## <commandLine>
+
+
+You might want to use the <commandLine> element if you want to start or stop a service or application before or after you run the ScanState and LoadState tools.
+
+- **Number of occurrences:** unlimited
+
+- **Parent elements:**[<externalProcess>](#externalprocess)
+
+- **Child elements:** none****
+
+Syntax:
+
+<commandLine>*CommandLineString*</commandLine>
+
+
+
+
+
+Setting
+Required?
+Value
+
+
+
+
+
+
+
+
+
+
+
+
+
+## <component>
+
+
+The <component> element is required in a custom .xml file. This element defines the most basic construct of a migration .xml file. For example, in the MigApp.xml file, "Microsoft® Office 2003" is a component that contains another component, "Microsoft Office Access® 2003". You can use the child elements to define the component.
+
+A component can be nested inside another component; that is, the <component> element can be a child of the <role> element within the <component> element in two cases: 1) when the parent <component> element is a container or 2) if the child <component> element has the same role as the parent <component> element.
+
+- **Number of occurrences:** Unlimited
+
+- **Parent elements:**[<migration>](#migration), [<role>](#role)
+
+- **Required child elements:**[<role>](#role), [<displayName>](#displayname)
+
+- **Optional child elements:**[<manufacturer>](#manufacturer), [<version>](#version), [<description>](#description), [<paths>](#paths), [<icon>](#icon), [<environment>](#bkmk-environment), [<extensions>](#extensions)
+
+Syntax:
+
+<component type="System|Application|Device|Documents" context="User|System|UserAndSystem" defaultSupported="TRUE|FALSE|YES|NO"
+
+hidden="Yes|No">
+
+</component>
+
+
+
+
+
+Setting
+Required?
+Value
+
+
+
+
+
+
+
+
+For an example, see any of the default migration .xml files.
+
+## <condition>
+
+
+Although the <condition> element under the <detect>, <objectSet>, and <addObjects> elements is supported, we recommend that you do not use it. This element might be deprecated in future versions of USMT, requiring you to rewrite your scripts. We recommend that, if you need to use a condition within the <objectSet> and <addObjects> elements, you use the more powerful [<conditions>](#conditions) element, which allows you to formulate complex Boolean statements.
+
+The <condition> element has a Boolean result. You can use this element to specify the conditions in which the parent element will be evaluated. If any of the present conditions return FALSE, the parent element will not be evaluated.
+
+- **Number of occurrences:** unlimited.
+
+- **Parent elements:**[<conditions>](#conditions), <detect>, <objectSet>, <addObjects>
+
+- **Child elements:** none
+
+- **Helper functions:** You can use the following [<condition> functions](#conditionfunctions) with this element: DoesOSMatch, IsNative64Bit(), IsOSLaterThan, IsOSEarlierThan, DoesObjectExist, DoesFileVersionMatch, IsFileVersionAbove, IsFileVersionBelow, IsSystemContext, DoesStringContentEqual, DoesStringContentContain, IsSameObject, IsSameContent, and IsSameStringContent.
+
+Syntax:
+
+<condition negation="Yes|No">*ScriptName*</condition>
+
+
+
+
+
+Setting
+Required?
+Value
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+For example,
+
+In the code sample below, the <condition> elements, A and B, are joined together by the AND operator because they are in separate <conditions> sections. For example:
+
+``` xml
+
+
+
+
+Setting
+Required?
+Value
+
+
+
+
+
+
+
+
+
+
+~~~
+For example:
+
+<condition>MigXmlHelper.DoesOSMatch("NT","\*")</condition>
+~~~
+
+- **IsNative64Bit**
+
+ The IsNative64Bit function returns TRUE if the migration process is running as a native 64-bit process; that is, a process running on a 64-bit system without Windows on Windows (WOW). Otherwise, it returns FALSE.
+
+- **IsOSLaterThan**
+
+ All comparisons are case insensitive.
+
+ Syntax: IsOSLaterThan("*OSType*","*OSVersion*")
+
+
+
+
+
+ Setting
+ Required?
+ Value
+
+
+
+
+
+ 5.0.2600.Service Pack 1. You can also specify partial specification of the version with a pattern. For example, 5.0.*.
+
+
+
+
+~~~
+For example:
+
+<condition negation="Yes">MigXmlHelper.IsOSLaterThan("NT","6.0")</condition>
+~~~
+
+- **IsOSEarlierThan**
+
+ All comparisons are case insensitive.
+
+ Syntax: IsOSEarlierThan("*OSType*","*OSVersion*")
+
+
+
+
+
+ Setting
+ Required?
+ Value
+
+
+
+
+
+ 5.0.2600.Service Pack 1. You can also specify partial specification of the version but no pattern is allowed. For example, 5.0.
+
+
+
+
+### Object content functions
+
+- **DoesObjectExist**
+
+ The DoesObjectExist function returns TRUE if any object exists that matches the location pattern. Otherwise, it returns FALSE. The location pattern is expanded before attempting the enumeration.
+
+ Syntax: DoesObjectExist("*ObjectType*","*EncodedLocationPattern*")
+
+
+
+
+
+ Setting
+ Required?
+ Value
+
+
+
+
+
+ 5.0.2600.Service Pack 1. You can also specify partial specification of the version but no pattern is allowed. For example, 5.0.
+
+
+
+
+~~~
+For an example of this element, see the MigApp.xml file.
+~~~
+
+- **DoesFileVersionMatch**
+
+ The pattern check is case insensitive.
+
+ Syntax: DoesFileVersionMatch("*EncodedFileLocation*","*VersionTag*","*VersionValue*")
+
+
+
+
+
+ Setting
+ Required?
+ Value
+
+
+
+
+
+
+
+
+
+
+~~~
+For example:
+
+<condition>MigXmlHelper.DoesFileVersionMatch("%MSNMessengerInstPath%\\msnmsgr.exe","ProductVersion","6.\*")</condition>
+
+<condition>MigXmlHelper.DoesFileVersionMatch("%MSNMessengerInstPath%\\msnmsgr.exe","ProductVersion","7.\*")</condition>
+~~~
+
+- **IsFileVersionAbove**
+
+ The IsFileVersionAbove function returns TRUE if the version of the file is higher than *VersionValue*.
+
+ Syntax: IsFileVersionAbove("*EncodedFileLocation*","*VersionTag*","*VersionValue*")
+
+
+
+
+
+ Setting
+ Required?
+ Value
+
+
+
+
+
+
+
+
+
+
+
+
+- **IsFileVersionBelow**
+
+ Syntax: IsFileVersionBelow("*EncodedFileLocation*","*VersionTag*","*VersionValue*")
+
+
+
+
+
+ Setting
+ Required?
+ Value
+
+
+
+
+
+
+
+
+
+
+
+
+- **IsSystemContext**
+
+ The IsSystemContext function returns TRUE if the current context is "System". Otherwise, it returns FALSE.
+
+ Syntax: IsSystemContext()
+
+- **DoesStringContentEqual**
+
+ The DoesStringContentEqual function returns TRUE if the string representation of the given object is identical to `StringContent`.
+
+ Syntax: DoesStringContentEqual("*ObjectType*","*EncodedLocation*","*StringContent*")
+
+
+
+
+
+ Setting
+ Required?
+ Value
+
+
+
+
+
+
+
+
+
+
+
+
+~~~
+For example:
+
+``` xml
+
+
+
+
+ Setting
+ Required?
+ Value
+
+
+
+
+
+
+
+
+
+
+
+
+- **IsSameObject**
+
+ The IsSameObject function returns TRUE if the given encoded locations resolve to the same physical object. Otherwise, it returns FALSE.
+
+ Syntax: IsSameObject("*ObjectType*","*EncodedLocation1*","*EncodedLocation2*")
+
+
+
+
+
+ Setting
+ Required?
+ Value
+
+
+
+
+
+
+
+
+
+
+
+
+~~~
+For example:
+
+``` xml
+
+
+
+
+ Setting
+ Required?
+ Value
+
+
+
+
+
+
+
+
+
+
+
+
+- **IsSameStringContent**
+
+ The IsSameStringContent function returns TRUE if the given objects have the same content. Otherwise, it returns FALSE. The content will be interpreted as a string.
+
+ Syntax: IsSameStringContent("*ObjectType1*","*EncodedLocation1*","*ObjectType2*","*EncodedLocation2*")
+
+
+
+
+
+ Setting
+ Required?
+ Value
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+## <conditions>
+
+
+The <conditions> element returns a Boolean result that is used to specify the conditions in which the parent element is evaluated. USMT evaluates the child elements, and then joins their results using the operators AND or OR according to the **operation** parameter.
+
+- **Number of occurrences:** Unlimited inside another <conditions> element. Limited to one occurrence in [<detection>](#detection), [<rules>](#rules), [<addObjects>](#addobjects), and [<objectSet>](#objectset)
+
+- **Parent elements:**[<conditions>](#conditions), [<detection>](#detection), [<environment>](#bkmk-environment), [<rules>](#rules), [<addObjects>](#addobjects), and [<objectSet>](#objectset)
+
+- **Child elements:**[<conditions>](#conditions), [<condition>](#condition)
+
+Syntax:
+
+<conditions operation="AND|OR">
+
+</conditions>
+
+
+
+
+
+ Setting
+ Required?
+ Value
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+The following example is from the MigApp.xml file:
+
+``` xml
+
+
+
+
+Setting
+Required?
+Value
+
+
+
+
+
+
+
+
+### <content> functions
+
+The following functions generate patterns out of the content of an object. These functions are called for every object that the parent <ObjectSet> element is enumerating.
+
+- **ExtractSingleFile**
+
+ If the registry value is a MULTI-SZ, only the first segment is processed. The returned pattern is the encoded location for a file that must exist on the system. If the specification is correct in the registry value, but the file does not exist, this function returns NULL.
+
+ Syntax: ExtractSingleFile(*Separators*,*PathHints*)
+
+
+
+
+
+Setting
+Required?
+Value
+
+
+
+, MyScripts.AScript ("Arg1","Arg2").
+
+
+
+
+~~~
+For example:
+
+``` xml
+
+
+
+
+ Setting
+ Required?
+ Value
+
+
+
+
+
+
+
+
+
+
+- **ExtractDirectory**
+
+ The ExtractDirectory function returns a pattern that is the encoded location for a directory that must exist on the source computer. If the specification is correct in the registry value, but the directory does not exist, this function returns NULL. If it is processing a registry value that is a MULTI-SZ, only the first segment will be processed.
+
+ Syntax: ExtractDirectory(*Separators*,*LevelsToTrim*,*PatternSuffix*)
+
+
+
+
+
+ Setting
+ Required?
+ Value
+
+
+
+
+
+
+
+
+
+
+~~~
+For example:
+
+``` xml
+
+
+
+
+ Setting
+ Required?
+ Value
+
+
+
+
+
+
+
+ * [*].
+
+
+
+
+### <contentModify> functions
+
+The following functions change the content of objects as they are migrated. These functions are called for every object that the parent <ObjectSet> element is enumerating.
+
+- **ConvertToDWORD**
+
+ The ConvertToDWORD function converts the content of registry values that are enumerated by the parent <ObjectSet> element to a DWORD. For example, ConvertToDWORD will convert the string "1" to the DWORD 0x00000001. If the conversion fails, then the value of DefaultValueOnError will be applied.
+
+ Syntax: ConvertToDWORD(*DefaultValueOnError*)
+
+
+
+
+
+Setting
+Required?
+Value
+
+
+
+, MyScripts.AScript ("Arg1","Arg2").
+
+
+
+
+- **ConvertToString**
+
+ The ConvertToString function converts the content of registry values that match the parent <ObjectSet> element to a string. For example, it will convert the DWORD 0x00000001 to the string "1". If the conversion fails, then the value of DefaultValueOnError will be applied.
+
+ Syntax: ConvertToString(*DefaultValueOnError*)
+
+
+
+
+
+ Setting
+ Required?
+ Value
+
+
+
+
+
+
+
+
+~~~
+For example:
+
+``` xml
+
+
+
+
+ Setting
+ Required?
+ Value
+
+
+
+
+
+
+
+
+- **SetValueByTable**
+
+ The SetValueByTable function matches the value from the source computer to the source table. If the value is there, the equivalent value in the destination table will be applied. If the value is not there, or if the destination table has no equivalent value, the *DefaultValueOnError* will be applied.
+
+ Syntax: SetValueByTable(*SourceTable*,*DestinationTable*,*DefaultValueOnError*)
+
+
+
+
+
+ Setting
+ Required?
+ Value
+
+
+
+ OffsetValue(2).
+
+
+
+
+- **KeepExisting**
+
+ You can use the KeepExisting function when there are conflicts on the destination computer. This function will keep (not overwrite) the specified attributes for the object that is on the destination computer.
+
+ Syntax: KeepExisting("*OptionString*","*OptionString*","*OptionString*",…)
+
+
+
+
+
+ Setting
+ Required?
+ Value
+
+
+
+
+
+
+
+
+
+
+
+
+- **MergeMultiSzContent**
+
+ The MergeMultiSzContent function merges the MULTI-SZ content of the registry values that are enumerated by the parent <ObjectSet> element with the content of the equivalent registry values that already exist on the destination computer. `Instruction` and `String` either remove or add content to the resulting MULTI-SZ. Duplicate elements will be removed.
+
+ Syntax: MergeMultiSzContent (*Instruction*,*String*,*Instruction*,*String*,…)
+
+
+
+
+
+ Setting
+ Required?
+ Value
+
+
+
+
+
+
+
+
+
+
+- **MergeDelimitedContent**
+
+ The MergeDelimitedContent function merges the content of the registry values that are enumerated by the parent <ObjectSet> element with the content of the equivalent registry values that already exist on the destination computer. The content is considered a list of elements separated by one of the characters in the Delimiters parameter. Duplicate elements will be removed.
+
+ Syntax: MergeDelimitedContent(*Delimiters*,*Instruction*,*String*,…)
+
+
+
+
+
+ Setting
+ Required?
+ Value
+
+
+
+
+
+
+
+
+
+
+
+## <description>
+
+
+The <description> element defines a description for the component but does not affect the migration.
+
+- **Number of occurrences:** zero or one
+
+- **Parent elements:**[<component>](#component)
+
+- **Child elements:** none
+
+Syntax:
+
+<description>*ComponentDescription*</description>
+
+
+
+
+
+ Setting
+ Required?
+ Value
+
+
+
+
+
+
+
+
+
+
+
+
+
+The following code sample shows how the <description> element defines the "My custom component" description.:
+
+``` xml
+
+
+
+
+Setting
+Required?
+Value
+
+
+
+
+
+
+
+
+For example:
+
+``` xml
+
+
+
+
+Setting
+Required?
+Value
+
+
+
+, MyScripts.AScript ("Arg1","Arg2").
+
+
+
+
+For examples, see the examples for [<detection>](#detection).
+
+## <detects>
+
+
+Although the <detects> element is still supported, we recommend that you do not use it because it may be deprecated in future versions of USMT, which would require you to rewrite your scripts. Instead, we recommend that you use the [<detection>](#detection) element if the parent element is <role> or <namedElements>, and we recommend that you use the <conditions> element if the parent element is <rules>. Using <detection> allows you to more clearly formulate complex Boolean statements.
+
+The <detects> element is a container for one or more <detect> elements. If all of the child <detect> elements within a <detects> element resolve to TRUE, then <detects> resolves to TRUE. If any of the child <detect> elements resolve to FALSE, then <detects> resolves to FALSE. If you do not want to write the <detects> elements within a component, then you can create the <detects> element under the <namedElements> element, and then refer to it. If there is no <detects> element section, then USMT will assume that the component is present. The results from each <detects> element are joined together by the OR operator to form the rule used to detect the parent element.
+
+Syntax:
+
+<detects name="*ID*" context="User|System|UserAndSystem">
+
+</detects>
+
+- **Number of occurrences:** Unlimited.
+
+- **Parent elements:**[<role>](#role), [<rules>](#rules), [<namedElements>](#namedelements)
+
+- **Required child elements:** <detect>
+
+
+
+
+
+Setting
+Required?
+Value
+
+
+
+
+
+
+
+
+
+
+
+The following example is from the MigApp.xml file.
+
+``` xml
+
+
+
+
+Setting
+Required?
+Value
+
+
+
+
+
+
+
+
+
+
+
+
+For example:
+
+``` xml
+
+
+
+
+Setting
+Required?
+Value
+
+
+
+
+
+
+
+
+
+
+
+
+For example:
+
+``` xml
+
+
+
+
+Setting
+Required?
+Value
+
+
+
+
+
+
+
+
+
+
+##
+
+
+### Example scenario 1
+
+In this scenario, you want to generate the location of objects at run time depending on the configuration of the destination computer. For example, you must do this if an application writes data in the directory where it is installed, and users can install the application anywhere on the computer. If the application writes a registry value hklm\\software\\companyname\\install \[path\] and then updates this value with the location where the application is installed, then the only way for you to migrate the required data correctly is to define an environment variable. For example:
+
+``` xml
+
+
+
+
+Setting
+Required?
+Value
+
+
+
+
+
+
+
+
+
+
+
+For example, from the MigUser.xml file:
+
+``` xml
+
+
+
+
+Setting
+Required?
+Value
+
+
+
+, MyScripts.AScript ("Arg1","Arg2").
+
+
+
+
+Example:
+
+``` xml
+
+
+
+
+Parameter
+Required?
+Value
+
+
+
+"Security","TimeFields":
+
+
+
+
+
+For example, if you want to migrate all \*.doc files from the source computer, specifying the following code under the <component> element:
+
+``` xml
+
+
+
+
+Setting
+Required?
+Value
+
+
+
+
+
+
+
+
+For an example of how to use the <externalProcess> element, see the example for [<excludeAttributes>](#excludeattributes).
+
+## <icon>
+
+
+This is an internal USMT element. Do not use this element.
+
+## <include>
+
+
+The <include> element determines what to migrate, unless there is a more specific [<exclude>](#exclude) rule. You can specify a script to be more specific to extend the definition of what you want to collect. For each <include> element there can be multiple <objectSet> elements.
+
+- **Number of occurrences:** Unlimited
+
+- **Parent elements:**[<rules>](#rules)
+
+- **Required child element:**[<objectSet>](#objectset)
+
+- **Helper functions:** You can use the following [<include> filter functions](#persistfilterfunctions) with this element: CompareStringContent, IgnoreIrrelevantLinks, AnswerNo, and NeverRestore.
+
+Syntax:
+
+<include filter="*ScriptInvocation*">
+
+</include>
+
+
+
+
+
+Setting
+Required?
+Value
+
+
+
+
+
+
+
+
+
+The following example is from the MigUser.xml file:
+
+``` xml
+
+
+
+
+Setting
+Required?
+Value
+
+
+
+, MyScripts.AScript ("Arg1","Arg2").
+
+
+
+
+- **IgnoreIrrelevantLinks**
+
+ This filter screens out the .lnk files that point to an object that is not valid on the destination computer. Note that the screening takes place on the destination computer, so all .lnk files will be saved to the store during ScanState. Then they will be screened out when you run the LoadState tool.
+
+ Syntax: IgnoreIrrelevantLinks ()
+
+ For example:
+
+ ``` xml
+
+
+
+
+ Setting
+ Required?
+ Value
+
+
+
+
+
+
+
StringContent.StringContent.
+
+
+
+
+For an example of how to use the <includeAttributes> element, see the example for [<excludeAttributes>](#excludeattributes).
+
+## <library>
+
+
+This is an internal USMT element. Do not use this element.
+
+## <location>
+
+
+The <location> element defines the location of the <object> element.
+
+- **Number of occurrences:** once for each <object>
+
+- **Parent elements:**[<object>](#object)
+
+- **Child elements:**[<script>](#script)
+
+Syntax:
+
+<location type="*typeID*">*ObjectLocation*</location>
+
+
+
+
+
+Setting
+Required?
+Value
+
+
+
+"Security","TimeFields":
+
+
+
+
+
+
+
+The following example is from the MigApp.xml file:
+
+``` xml
+
+
+
+
+Setting
+Required?
+Value
+
+
+
+
+
+
+
+
+
+
+The following example is from the MigApp.xml file:
+
+``` xml
+
+
+
+
+Setting
+Required?
+Value
+
+
+
+, MyScripts.AScript ("Arg1","Arg2").
+
+
+
+
+~~~
+For example:
+
+``` xml
+
+
+
+
+ Setting
+ Required?
+ Value
+
+
+
+
+
+
+
+
+- **RelativeMove**
+
+ You can use the RelativeMove function to collect and move data. Note that you can use environment variables in source and destination roots, but they may be defined differently on the source and destination computers.
+
+ Syntax: RelativeMove(*SourceRoot*,*DestinationRoot*)
+
+
+
+
+
+ Setting
+ Required?
+ Value
+
+
+
+
+
+
+
+
+~~~
+For example:
+
+``` xml
+
+
+
+
+ Setting
+ Required?
+ Value
+
+
+
+
+
+
+
+
+
+
+## <merge>
+
+
+The <merge> element determines what will happen when a collision occurs. A collision is when an object that is migrated is already present on the destination computer. If you do not specify this element, the default behavior for the registry is for the source object to overwrite the destination object. The default behavior for files is for the source file to be renamed to "OriginalFileName(1).OriginalExtension". This element specifies only what should be done when a collision occurs. It does not include objects. Therefore, for your objects to migrate, you must specify <include> rules along with the <merge> element. When an object is processed and a collision is detected, USMT will select the most specific merge rule and apply it to resolve the conflict. For example, if you have a <merge> rule C:\\\* \[\*\] set to <sourcePriority> and a <merge> rule C:\\subfolder\\\* \[\*\] set to <destinationPriority>, then USMT would use the <destinationPriority> rule because it is the more specific.
+
+For an example of this element, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md).
+
+- **Number of occurrences:** Unlimited
+
+- **Parent elements:**[<rules>](#rules)
+
+- **Required child element:**[<objectSet>](#objectset)
+
+- **Helper functions:** You can use the following [<merge> functions](#mergefunctions) with this element: SourcePriority, DestinationPriority, FindFilePlaceByPattern, LeafPattern, NewestVersion, HigherValue(), and LowerValue().
+
+Syntax:
+
+<merge script="*ScriptInvocation*">
+
+</merge>
+
+
+
+
+
+Setting
+Required?
+Value
+
+
+
+
+
+
+
+
+The following example is from the MigUser.xml file:
+
+``` xml
+
+
+
+
+Setting
+Required?
+Value
+
+
+
+, MyScripts.AScript ("Arg1","Arg2").
+
+
+
+
+- **NewestVersion**
+
+ The NewestVersion function will resolve conflicts on the destination computer based on the version of the file.
+
+ Syntax: NewestVersion(*VersionTag*)
+
+
+
+
+
+ Setting
+ Required?
+ Value
+
+
+
+
+
+ <F> (<N>).<E> will change the source file MyDocument.doc into MyDocument (1).doc on the destination computer.
+
+
+
+
+- **HigherValue()**
+
+ You can use this function for merging registry values. The registry values will be evaluated as numeric values, and the one with the higher value will determine which registry values will be merged.
+
+- **LowerValue()**
+
+ You can use this function for merging registry values. The registry values will be evaluated as numeric values and the one with the lower value will determine which registry values will be merged.
+
+- **SourcePriority**
+
+ Specifies to migrate the object from the source computer, and to delete the object that is on the destination computer.
+
+ For example:
+
+ ``` xml
+
+
+
+
+ Setting
+ Required?
+ Value
+
+
+
+
+
+
+
+
+The following example is from the MigApp.xml file:
+
+``` xml
+
+
+
+
+Setting
+Required?
+Value
+
+
+
+
+
+
+
+
+
+
+``` xml
+
+
+
+
+Helper Function
+MigXMLHelper.FileProperties (property, operator, valueToCompare)
+
+
+
+
+
+
+
+
+
+
+
+
+For example:
+
+- To migrate a single registry key:
+
+ ``` xml
+
+
+
+
+Setting
+Required?
+Value
+
+
+
+
+
+
+
<pattern type="File">c:\documents\mydocs [file^].txt]</pattern> instead of <pattern type="File">c:\documents\mydocs [file].txt]</pattern>.
+
+
+
+
+## <plugin>
+
+
+This is an internal USMT element. Do not use this element.
+
+## <role>
+
+
+The <role> element is required in a custom .xml file. By specifying the <role> element, you can create a concrete component. The component will be defined by the parameters specified at the <component> level, and with the role that you specify here.
+
+- **Number of occurrences:** Each <component> can have one, two or three child <role> elements.
+
+- **Parent elements:**[<component>](#component), [<role>](#role)
+
+- **Required child elements:**[<rules>](#rules)
+
+- **Optional child elements:**[<environment>](#bkmk-environment), [<detection>](#detection), [<component>](#component), [<role>](#role), <detects>, <plugin>,
+
+Syntax:
+
+<role role="Container|Binaries|Settings|Data">
+
+</role>
+
+
+
+
+
+Setting
+Required?
+Value
+
+
+
+
+
+
+
+
+
+The following example is from the MigUser.xml file. For more examples, see the MigApp.xml file:
+
+``` xml
+
+
+
+
+Setting
+Required?
+Value
+
+
+
+
+
+
+
+<component context="UserAndSystem" type="Application">
+ <displayName _locID="migapp.msoffice2003">Microsoft Office 2003</displayName>
+ <environment name="GlobalEnv" />
+ <role role="Container">
+ <detection name="AnyOffice2003Version" />
+ <detection name="FrontPage2003" />
+ <!--
+ Office 2003 Common Settings
+ -->
+ <component context="UserAndSystem" type="Application">
+
+
+
+
+The following example is from the MigUser.xml file:
+
+``` xml
+
+
+
+
+Setting
+Required?
+Value
+
+
+
+
+
+
+
+
+
+
+
+Examples:
+
+To migrate the Sample.doc file from any drive on the source computer, use <script> as follows. If multiple files exist with the same name, all such files will get migrated.
+
+``` xml
+
+```
+
+For more examples of how to use this element, see [Exclude Files and Settings](usmt-exclude-files-and-settings.md), [Reroute Files and Settings](usmt-reroute-files-and-settings.md), and [Custom XML Examples](usmt-custom-xml-examples.md).
+
+### <script> functions
+
+You can use the following functions with the <script> element
+
+- [String and pattern generating functions](#stringgeneratingfunctions)
+
+- [Simple executing scripts](#simple)
+
+### String and pattern generating functions
+
+These functions return either a string or a pattern.
+
+- **GetStringContent**
+
+ You can use GetStringContent with <script> elements that are within <variable> elements. If possible, this function returns the string representation of the given object. Otherwise, it returns NULL. For file objects this function always returns NULL.
+
+ Syntax: GetStringContent("*ObjectType*","*EncodedLocationPattern*", "*ExpandContent*")
+
+
+
+
+
+Setting
+Required?
+Value
+
+
+
+, MyScripts.AScript ("Arg1","Arg2").
+
<pattern type="File">c:\documents\mydocs [file^].txt]</pattern> instead of <pattern type="File">c:\documents\mydocs [file].txt]</pattern>.
+
+
+
+
+~~~
+For example:
+
+``` xml
+
+
+
+
+ Setting
+ Required?
+ Value
+
+
+
+
+
+
+
+
+
+
+
+
+
+~~~
+See the last component in the MigUser.xml file for an example of this element.
+~~~
+
+- **GenerateUserPatterns**
+
+ The function will iterate through all users that are being migrated, excluding the currently processed user if <ProcessCurrentUser> is FALSE, and will expand the specified pattern in the context of each user. For example, if users A, B and C have profiles in C:\\Documents and Settings), by calling `GenerateUserPattens('File','%userprofile% [*.doc]','TRUE')`, the helper function will generate the following three patterns:
+
+ - "C:\\Documents and Settings\\A\\\* \[\*.doc\]"
+
+ - "C:\\Documents and Settings\\B\\\* \[\*.doc\]"
+
+ - "C:\\Documents and Settings\\C\\\* \[\*.doc\]"
+
+ Syntax:GenerateUserPatterns("*ObjectType*","*EncodedLocationPattern*","*ProcessCurrentUser*")
+
+
+
+
+
+ Setting
+ Required?
+ Value
+
+
+
+
+
+
+
+
+
+
+
+~~~
+**Example:**
+
+If GenerateUserPattens('File','%userprofile% \[\*.doc\]','FALSE') is called while USMT is processing user A, then this function will only generate patterns for users B and C. You can use this helper function to build complex rules. For example, to migrate all .doc files from the source computer — but if user X is not migrated, then do not migrate any of the .doc files from user X’s profile.
+
+The following is example code for this scenario. The first <rules> element migrates all.doc files on the source computer with the exception of those inside C:\\Documents and Settings. The second <rules> elements will migrate all .doc files from C:\\Documents and Settings with the exception of the .doc files in the profiles of the other users. Because the second <rules> element will be processed in each migrated user context, the end result will be the desired behavior. The end result is the one we expected.
+
+``` xml
+
+
+
+
+ Setting
+ Required?
+ Value
+
+
+
+
+
+
+
+
+
+
+
+
+``` xml
+
+
+
+
+
+Setting
+Required?
+Value
+
+
+
+
+
+
+
+
+
+
+
+
+For example:
+
+``` xml
+
+
+
+
+Setting
+Value
+
+
+
+
+
+
+
+
+The following example is from the MigApp.xml file:
+
+``` xml
+
+
+
+
+Setting
+Required?
+Value
+
+
+MyComponent.InstallPath.
+
+
+
+
+
+
+
+For example:
+
+``` xml
+
+
+
+
+Setting
+Required?
+Value
+
+
+
+
[Volume Activation for Windows 10](https://docs.microsoft.com/windows/deployment/volume-activation/volume-activation-windows-10)
[Plan for volume activation](https://docs.microsoft.com/windows/deployment/volume-activation/plan-for-volume-activation-client)
[VLSC downloads FAQ](https://www.microsoft.com/Licensing/servicecenter/Help/FAQDetails.aspx?id=150)
diff --git a/windows/deployment/windows-10-poc-mdt.md b/windows/deployment/windows-10-poc-mdt.md
index ddb22cbbbb..87eea0e845 100644
--- a/windows/deployment/windows-10-poc-mdt.md
+++ b/windows/deployment/windows-10-poc-mdt.md
@@ -75,7 +75,7 @@ MDT performs deployments by using the Lite Touch Installation (LTI), Zero Touch
Set-ItemProperty -Path $AdminKey -Name “IsInstalled” -Value 0
Stop-Process -Name Explorer
```
-2. Download and install the 64-bit version of [Microsoft Deployment Toolkit (MDT)](https://www.microsoft.com/en-us/download/details.aspx?id=54259) on SRV1 using the default options. As of the writing of this guide, the latest version of MDT was 8443.
+2. Download and install the 64-bit version of [Microsoft Deployment Toolkit (MDT)](https://www.microsoft.com/download/details.aspx?id=54259) on SRV1 using the default options. As of the writing of this guide, the latest version of MDT was 8443.
3. Download and install the latest [Windows Assessment and Deployment Kit (ADK)](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit) on SRV1 using the default installation settings. The current version is the ADK for Windows 10, version 1703. Installation might require several minutes to acquire all components.
@@ -638,7 +638,7 @@ Deployment logs are available on the client computer in the following locations:
You can review WDS events in Event Viewer at: **Applications and Services Logs > Microsoft > Windows > Deployment-Services-Diagnostics**. By default, only the **Admin** and **Operational** logs are enabled. To enable other logs, right-click the log and then click **Enable Log**.
-Tools for viewing log files, and to assist with troubleshooting are available in the [System Center 2012 R2 Configuration Manager Toolkit](https://www.microsoft.com/en-us/download/details.aspx?id=50012)
+Tools for viewing log files, and to assist with troubleshooting are available in the [System Center 2012 R2 Configuration Manager Toolkit](https://www.microsoft.com/download/details.aspx?id=50012)
Also see [Resolve Windows 10 upgrade errors](upgrade/resolve-windows-10-upgrade-errors.md) for detailed troubleshooting information.
diff --git a/windows/deployment/windows-10-poc-sc-config-mgr.md b/windows/deployment/windows-10-poc-sc-config-mgr.md
index d9a32a74be..929b097d58 100644
--- a/windows/deployment/windows-10-poc-sc-config-mgr.md
+++ b/windows/deployment/windows-10-poc-sc-config-mgr.md
@@ -72,7 +72,7 @@ Topics and procedures in this guide are summarized in the following table. An es
>If the request to add features fails, retry the installation by typing the command again.
-2. Download [SQL Server 2014 SP2](https://www.microsoft.com/en-us/evalcenter/evaluate-sql-server-2014-sp2) from the Microsoft Evaluation Center as an .ISO file on the Hyper-V host computer. Save the file to the **C:\VHD** directory.
+2. Download [SQL Server 2014 SP2](https://www.microsoft.com/evalcenter/evaluate-sql-server-2014-sp2) from the Microsoft Evaluation Center as an .ISO file on the Hyper-V host computer. Save the file to the **C:\VHD** directory.
3. When you have downloaded the file **SQLServer2014SP2-FullSlipstream-x64-ENU.iso** and placed it in the C:\VHD directory, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host:
```
@@ -126,7 +126,7 @@ Topics and procedures in this guide are summarized in the following table. An es
Stop-Process -Name Explorer
```
-2. Download [System Center Configuration Manager and Endpoint Protection](https://www.microsoft.com/en-us/evalcenter/evaluate-system-center-configuration-manager-and-endpoint-protection) on SRV1 (download the executable file anywhere on SRV1), double-click the file, enter **C:\configmgr** for **Unzip to folder**, and click **Unzip**. The C:\configmgr directory will be automatically created. Click **OK** and then close the **WinZip Self-Extractor** dialog box when finished.
+2. Download [System Center Configuration Manager and Endpoint Protection](https://www.microsoft.com/evalcenter/evaluate-system-center-configuration-manager-and-endpoint-protection) on SRV1 (download the executable file anywhere on SRV1), double-click the file, enter **C:\configmgr** for **Unzip to folder**, and click **Unzip**. The C:\configmgr directory will be automatically created. Click **OK** and then close the **WinZip Self-Extractor** dialog box when finished.
3. Before starting the installation, verify that WMI is working on SRV1. See the following examples. Verify that **Running** is displayed under **Status** and **True** is displayed next to **TcpTestSucceeded**:
diff --git a/windows/deployment/windows-10-poc.md b/windows/deployment/windows-10-poc.md
index b12b80110d..7a4fb81ed7 100644
--- a/windows/deployment/windows-10-poc.md
+++ b/windows/deployment/windows-10-poc.md
@@ -224,9 +224,9 @@ Starting with Windows 8, the host computer’s microprocessor must support secon
### Download VHD and ISO files
-When you have completed installation of Hyper-V on the host computer, begin configuration of Hyper-V by downloading VHD and ISO files to the Hyper-V host. These files will be used to create the VMs used in the lab. Before you can download VHD and ISO files, you will need to register and sign in to the [TechNet Evaluation Center](https://www.microsoft.com/en-us/evalcenter/) using your Microsoft account.
+When you have completed installation of Hyper-V on the host computer, begin configuration of Hyper-V by downloading VHD and ISO files to the Hyper-V host. These files will be used to create the VMs used in the lab. Before you can download VHD and ISO files, you will need to register and sign in to the [TechNet Evaluation Center](https://www.microsoft.com/evalcenter/) using your Microsoft account.
-1. Create a directory on your Hyper-V host named **C:\VHD** and download a single [Windows Server 2012 R2 VHD](https://www.microsoft.com/en-us/evalcenter/evaluate-windows-server-2012-r2) from the TechNet Evaluation Center to the **C:\VHD** directory.
+1. Create a directory on your Hyper-V host named **C:\VHD** and download a single [Windows Server 2012 R2 VHD](https://www.microsoft.com/evalcenter/evaluate-windows-server-2012-r2) from the TechNet Evaluation Center to the **C:\VHD** directory.
**Important**: This guide assumes that VHDs are stored in the **C:\VHD** directory on the Hyper-V host. If you use a different directory to store VHDs, you must adjust steps in this guide appropriately.
@@ -238,7 +238,7 @@ When you have completed installation of Hyper-V on the host computer, begin conf
2. Download the file to the **C:\VHD** directory. When the download is complete, rename the VHD file that you downloaded to **2012R2-poc-1.vhd**. This is done to make the filename simple to recognize and type.
3. Copy the VHD to a second file also in the **C:\VHD** directory and name this VHD **2012R2-poc-2.vhd**.
-4. Download the [Windows 10 Enterprise ISO](https://www.microsoft.com/en-us/evalcenter/evaluate-windows-10-enterprise) from the TechNet Evaluation Center to the **C:\VHD** directory on your Hyper-V host.
+4. Download the [Windows 10 Enterprise ISO](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise) from the TechNet Evaluation Center to the **C:\VHD** directory on your Hyper-V host.
>During registration, you must specify the type, version, and language of installation media to download. In this example, a Windows 10 Enterprise, 64 bit, English ISO is chosen. You can choose a different version if desired. **Note: The evaluation version of Windows 10 does not support in-place upgrade**.
diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md
index 198a7e9aa2..11ef79b654 100644
--- a/windows/deployment/windows-10-subscription-activation.md
+++ b/windows/deployment/windows-10-subscription-activation.md
@@ -105,8 +105,8 @@ If devices are running Windows 7 or Windows 8.1, see [New Windows 10 upgrade ben
With Windows 10 Enterprise or Windows 10 Education, businesses and institutions can benefit from enterprise-level security and control. Previously, only organizations with a Microsoft Volume Licensing Agreement could deploy Windows 10 Education or Windows 10 Enterprise to their users. Now, with Windows 10 Enterprise E3 or A3 and E5 or A5 being available as a true online service, it is available in select channels thus allowing all organizations to take advantage of enterprise-grade Windows 10 features. To compare Windows 10 editions and review pricing, see the following:
-- [Compare Windows 10 editions](https://www.microsoft.com/en-us/windowsforbusiness/compare)
-- [Enterprise Mobility + Security Pricing Options](https://www.microsoft.com/en-us/cloud-platform/enterprise-mobility-security-pricing)
+- [Compare Windows 10 editions](https://www.microsoft.com/windowsforbusiness/compare)
+- [Enterprise Mobility + Security Pricing Options](https://www.microsoft.com/cloud-platform/enterprise-mobility-security-pricing)
You can benefit by moving to Windows as an online service in the following ways:
@@ -215,12 +215,12 @@ See [Deploy Windows 10 Enterprise licenses](deploy-enterprise-licenses.md).
## Virtual Desktop Access (VDA)
-Subscriptions to Windows 10 Enterprise are also available for virtualized clients. Windows 10 Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Windows Azure or in another [qualified multitenant hoster](https://www.microsoft.com/en-us/CloudandHosting/licensing_sca.aspx).
+Subscriptions to Windows 10 Enterprise are also available for virtualized clients. Windows 10 Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Windows Azure or in another [qualified multitenant hoster](https://www.microsoft.com/CloudandHosting/licensing_sca.aspx).
Virtual machines (VMs) must be configured to enable Windows 10 Enterprise subscriptions for VDA. Active Directory-joined and Azure Active Directory-joined clients are supported. See [Enable VDA for Subscription Activation](vda-subscription-activation.md).
## Related topics
[Connect domain-joined devices to Azure AD for Windows 10 experiences](https://azure.microsoft.com/documentation/articles/active-directory-azureadjoin-devices-group-policy/)
-[Compare Windows 10 editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare)
-[Windows for business](https://www.microsoft.com/en-us/windowsforbusiness/default.aspx)
+[Compare Windows 10 editions](https://www.microsoft.com/WindowsForBusiness/Compare)
+[Windows for business](https://www.microsoft.com/windowsforbusiness/default.aspx)
diff --git a/windows/deployment/windows-autopilot/add-devices.md b/windows/deployment/windows-autopilot/add-devices.md
index a8090d1812..6d2dc8e363 100644
--- a/windows/deployment/windows-autopilot/add-devices.md
+++ b/windows/deployment/windows-autopilot/add-devices.md
@@ -26,7 +26,7 @@ Before deploying a device using Windows Autopilot, the device must be registered
## OEM registration
-When you purchase devices directly from an OEM, that OEM can automatically register the devices with the Windows Autopilot deployment service. For the list of OEMs that currently support this, see the "Participant device manufacturers" section of the [Windows Autopilot information page](https://www.microsoft.com/en-us/windowsforbusiness/windows-autopilot).
+When you purchase devices directly from an OEM, that OEM can automatically register the devices with the Windows Autopilot deployment service. For the list of OEMs that currently support this, see the "Participant device manufacturers" section of the [Windows Autopilot information page](https://www.microsoft.com/windowsforbusiness/windows-autopilot).
Before an OEM can register devices on behalf of an organization, the organization must grant the OEM permission to do so. This process is initiated by the OEM, with approval granted by an Azure AD global administrator from the organization. See the "Customer Consent" section of the [Customer consent page](https://docs.microsoft.com/windows/deployment/windows-autopilot/registration-auth#oem-authorization).
diff --git a/windows/deployment/windows-autopilot/autopilot-device-guidelines.md b/windows/deployment/windows-autopilot/autopilot-device-guidelines.md
index cc781ed87e..563e086966 100644
--- a/windows/deployment/windows-autopilot/autopilot-device-guidelines.md
+++ b/windows/deployment/windows-autopilot/autopilot-device-guidelines.md
@@ -1,45 +1,46 @@
----
-title: Windows Autopilot device guidelines
-ms.reviewer:
-manager: laurawi
-description: Windows Autopilot deployment
-keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: medium
-ms.sitesec: library
-ms.pagetype: deploy
-audience: itpro
author: greg-lindsay
-ms.author: greglin
-ms.collection: M365-modern-desktop
-ms.topic: article
----
-
-
-# Windows Autopilot device guidelines
-
-**Applies to**
-
-- Windows 10
-
-## Hardware and firmware best practice guidelines for Windows Autopilot
-
-All devices used with Windows Autopilot should meet the [minimum hardware requirements](https://docs.microsoft.com/windows-hardware/design/minimum/minimum-hardware-requirements-overview) for Windows 10.
-
-The following additional best practices ensure that devices can easily be provisioned by organizations as part of the Windows Autopilot deployment process:
-- Ensure that the TPM 2.0 is enabled and in a good state (not in Reduced Functionality Mode) by default on devices intended for Windows Autopilot self-deploying mode.
-- The OEM provisions unique tuple info (SmbiosSystemManufacturer, SmbiosSystemProductName, SmbiosSystemSerialNumber) or PKID + SmbiosSystemSerialNumber into the [SMBIOS fields](https://docs.microsoft.com/windows-hardware/drivers/bringup/smbios) per Microsoft specification (Manufacturer, Product Name and Serial Number stored in SMBIOS Type 1 04h, Type 1 05h and Type 1 07h).
-- The OEM uploads 4K Hardware Hashes obtained using OA3 Tool RS3+ run in Audit mode on full OS to Microsoft via CBR report prior to shipping devices to an Autopilot customer or channel partner.
-- As a best practice, Microsoft requires that OEM shipping drivers are published to Windows Update within 30 days of the CBR being submitted, and system firmware and driver updates are published to Windows Update within 14 days
-- The OEM ensures that the PKID provisioned in the SMBIOS is passed on to the channel.
-
-## Software best practice guidelines for Windows Autopilot
-
-- The Windows Autopilot device should be preinstalled with only a Windows 10 base image plus drivers and Office 365 Pro Plus Retail (C2R).
-- Unless explicitly requested by the customer, no other preinstalled software should be included.
- - Per OEM Policy, Windows 10 features, including built-in apps, should not be disabled or removed.
-
-## Related topics
-
-[Windows Autopilot customer consent](registration-auth.md)
-[Motherboard replacement scenario guidance](autopilot-mbr.md)
+---
+title: Windows Autopilot device guidelines
+ms.reviewer:
+manager: laurawi
+description: Windows Autopilot deployment
+keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: medium
+ms.sitesec: library
+ms.pagetype: deploy
+audience: itpro
+author: greg-lindsay
+ms.author: greglin
+ms.collection: M365-modern-desktop
+ms.topic: article
+---
+
+
+# Windows Autopilot device guidelines
+
+**Applies to**
+
+- Windows 10
+
+## Hardware and firmware best practice guidelines for Windows Autopilot
+
+All devices used with Windows Autopilot should meet the [minimum hardware requirements](https://docs.microsoft.com/windows-hardware/design/minimum/minimum-hardware-requirements-overview) for Windows 10.
+
+The following additional best practices ensure that devices can easily be provisioned by organizations as part of the Windows Autopilot deployment process:
+- Ensure that the TPM 2.0 is enabled and in a good state (not in Reduced Functionality Mode) by default on devices intended for Windows Autopilot self-deploying mode.
+- The OEM provisions unique tuple info (SmbiosSystemManufacturer, SmbiosSystemProductName, SmbiosSystemSerialNumber) or PKID + SmbiosSystemSerialNumber into the [SMBIOS fields](https://docs.microsoft.com/windows-hardware/drivers/bringup/smbios) per Microsoft specification (Manufacturer, Product Name and Serial Number stored in SMBIOS Type 1 04h, Type 1 05h and Type 1 07h).
+- The OEM uploads 4K Hardware Hashes obtained using OA3 Tool RS3+ run in Audit mode on full OS to Microsoft via CBR report prior to shipping devices to an Autopilot customer or channel partner.
+- As a best practice, Microsoft requires that OEM shipping drivers are published to Windows Update within 30 days of the CBR being submitted, and system firmware and driver updates are published to Windows Update within 14 days
+- The OEM ensures that the PKID provisioned in the SMBIOS is passed on to the channel.
+
+## Software best practice guidelines for Windows Autopilot
+
+- The Windows Autopilot device should be preinstalled with only a Windows 10 base image plus drivers and Office 365 Pro Plus Retail (C2R).
+- Unless explicitly requested by the customer, no other preinstalled software should be included.
+ - Per OEM Policy, Windows 10 features, including built-in apps, should not be disabled or removed.
+
+## Related topics
+
+[Windows Autopilot customer consent](registration-auth.md)
+[Motherboard replacement scenario guidance](autopilot-mbr.md)
diff --git a/windows/deployment/windows-autopilot/autopilot-support.md b/windows/deployment/windows-autopilot/autopilot-support.md
index b3e02db65f..b93ac48408 100644
--- a/windows/deployment/windows-autopilot/autopilot-support.md
+++ b/windows/deployment/windows-autopilot/autopilot-support.md
@@ -7,7 +7,8 @@ ms.mktglfcycl: deploy
ms.localizationpriority: low
ms.sitesec: library
ms.pagetype: deploy
-audience: itpro
author: greg-lindsay
+audience: itpro
+author: greg-lindsay
ms.author: greglin
ms.date: 10/31/2018
ms.reviewer:
@@ -29,9 +30,8 @@ Before contacting the resources listed below for Windows Autopilot-related issue
|---------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| OEM or Channel Partner registering devices as a CSP (via MPC) | Use the help resources available in MPC. Whether you are a named partner or a channel partner (distributor, reseller, SI, etc.), if you’re a CSP registering Autopilot devices through MPC (either manually or through the MPC API), your first-line of support should be the help resources within MPC. |
| OEM registering devices using OEM Direct API | Contact MSOEMOPS@microsoft.com. Response time depends on priority:
Low – 120 hours
Normal – 72 hours
High – 24 hours
Immediate – 4 hours |
-| OEM with a PFE | Reach out to your PFE for support. |
| Partners with a Partner Technology Strategist (PTS) | If you have a PTS (whether you’re a CSP or not), you may first try working through your account’s specific Partner Technology Strategist (PTS). |
-| Partners with an Ecosystem PM | If you have an Ecosystem PM (whether you’re a CSP or not), you may first try working through your account’s specific Ecosystem PM, especially for technical issues. |
+| Partners with an Ecosystem PM | If you have an Ecosystem PM (whether you’re a CSP or not), you may first try working through your account’s specific Ecosystem PM, especially for technical issues. To learn more about Ecosystem PMs and the services they offer, contact epsoinfo@microsoft.com. |
| Enterprise customers | Contact your Technical Account Manager (TAM), or Account Technology Strategist (ATS), or Customer Service Support (CSS) representative. |
| End-user | Contact your IT administrator. |
| Microsoft Partner Center (MPC) users | Use the [help resources](https://partner.microsoft.com/support) available in MPC. |
diff --git a/windows/deployment/windows-autopilot/bitlocker.md b/windows/deployment/windows-autopilot/bitlocker.md
index 7e85f7099d..234ae17fcc 100644
--- a/windows/deployment/windows-autopilot/bitlocker.md
+++ b/windows/deployment/windows-autopilot/bitlocker.md
@@ -1,54 +1,54 @@
----
-title: Setting the BitLocker encryption algorithm for Autopilot devices
-ms.reviewer:
-manager: laurawi
-description: Microsoft Intune provides a comprehensive set of configuration options to manage BitLocker on Windows 10 devices.
-keywords: Autopilot, BitLocker, encryption, 256-bit, Windows 10
-ms.prod: w10
-ms.technology: Windows
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: deploy
-ms.localizationpriority: medium
-audience: itpro
author: greg-lindsay
-ms.author: greglin
-ms.collection: M365-modern-desktop
-ms.topic: article
----
-
-
-# Setting the BitLocker encryption algorithm for Autopilot devices
-
-**Applies to**
-
-- Windows 10
-
-With Windows Autopilot, you can configure the BitLocker encryption settings to be applied before automatic encryption is started. This ensures that the default encrytion algorithm is not applied automatically when this is not the desired setting. Other BitLocker policies that must be applied prior to encryption can also be delivered before automatic BitLocker encryption begins.
-
-The BitLocker encryption algorithm is used when BitLocker is first enabled, and sets the strength to which full volume encryption should occur. Available encryption algorithms are: AES-CBC 128-bit, AES-CBC 256-bit, XTS-AES 128-bit or XTS-AES 256-bit encryption. The default value is XTS-AES 128-bit encryption. See [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp) for information about the recommended encryption algorithms to use.
-
-To ensure the desired BitLocker encryption algorithm is set before automatic encryption occurs for Autopilot devices:
-
-1. Configure the [encryption method settings](https://docs.microsoft.com/intune/endpoint-protection-windows-10#windows-encryption) in the Windows 10 Endpoint Protection profile to the desired encryption algorithm.
-2. [Assign the policy](https://docs.microsoft.com/intune/device-profile-assign) to your Autopilot device group.
- - **IMPORTANT**: The encryption policy must be assigned to **devices** in the group, not users.
-3. Enable the Autopilot [Enrollment Status Page](https://docs.microsoft.com/windows/deployment/windows-autopilot/enrollment-status) (ESP) for these devices.
- - **IMPORTANT**: If the ESP is not enabled, the policy will not apply before encryption starts.
-
-An example of Microsoft Intune Windows Encryption settings is shown below.
-
- 
-
-Note that a device which is encrypted automatically will need to be decrypted prior to changing the encyption algorithm.
-
-The settings are available under Device Configuration -> Profiles -> Create profile -> Platform = Windows 10 and later, Profile type = Endpoint protection -> Configure -> Windows Encryption -> BitLocker base settings, Configure encryption methods = Enable.
-
-Note: It is also recommended to set Windows Encryption -> Windows Settings -> Encrypt = **Require**.
-
-## Requirements
-
-Windows 10, version 1809 or later.
-
-## See also
-
-[Bitlocker overview](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-overview)
+---
+title: Setting the BitLocker encryption algorithm for Autopilot devices
+ms.reviewer:
+manager: laurawi
+description: Microsoft Intune provides a comprehensive set of configuration options to manage BitLocker on Windows 10 devices.
+keywords: Autopilot, BitLocker, encryption, 256-bit, Windows 10
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: deploy
+ms.localizationpriority: medium
+audience: itpro
+author: greg-lindsay
+ms.author: greglin
+ms.collection: M365-modern-desktop
+ms.topic: article
+---
+
+
+# Setting the BitLocker encryption algorithm for Autopilot devices
+
+**Applies to**
+
+- Windows 10
+
+With Windows Autopilot, you can configure the BitLocker encryption settings to be applied before automatic encryption is started. This ensures that the default encrytion algorithm is not applied automatically when this is not the desired setting. Other BitLocker policies that must be applied prior to encryption can also be delivered before automatic BitLocker encryption begins.
+
+The BitLocker encryption algorithm is used when BitLocker is first enabled, and sets the strength to which full volume encryption should occur. Available encryption algorithms are: AES-CBC 128-bit, AES-CBC 256-bit, XTS-AES 128-bit or XTS-AES 256-bit encryption. The default value is XTS-AES 128-bit encryption. See [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp) for information about the recommended encryption algorithms to use.
+
+To ensure the desired BitLocker encryption algorithm is set before automatic encryption occurs for Autopilot devices:
+
+1. Configure the [encryption method settings](https://docs.microsoft.com/intune/endpoint-protection-windows-10#windows-encryption) in the Windows 10 Endpoint Protection profile to the desired encryption algorithm.
+2. [Assign the policy](https://docs.microsoft.com/intune/device-profile-assign) to your Autopilot device group.
+ - **IMPORTANT**: The encryption policy must be assigned to **devices** in the group, not users.
+3. Enable the Autopilot [Enrollment Status Page](https://docs.microsoft.com/windows/deployment/windows-autopilot/enrollment-status) (ESP) for these devices.
+ - **IMPORTANT**: If the ESP is not enabled, the policy will not apply before encryption starts.
+
+An example of Microsoft Intune Windows Encryption settings is shown below.
+
+ 
+
+Note that a device which is encrypted automatically will need to be decrypted prior to changing the encyption algorithm.
+
+The settings are available under Device Configuration -> Profiles -> Create profile -> Platform = Windows 10 and later, Profile type = Endpoint protection -> Configure -> Windows Encryption -> BitLocker base settings, Configure encryption methods = Enable.
+
+Note: It is also recommended to set Windows Encryption -> Windows Settings -> Encrypt = **Require**.
+
+## Requirements
+
+Windows 10, version 1809 or later.
+
+## See also
+
+[Bitlocker overview](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-overview)
diff --git a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md
index 5b29de8d83..294a31c04b 100644
--- a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md
+++ b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md
@@ -1,850 +1,850 @@
----
-title: Demonstrate Autopilot deployment
-ms.reviewer:
-manager: laurawi
-description: Step-by-step instructions on how to set-up a Virtual Machine with a Windows Autopilot deployment
-keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune, upgrade
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: medium
-ms.sitesec: library
-ms.pagetype: deploy
-audience: itpro
author: greg-lindsay
-ms.author: greglin
-ms.collection: M365-modern-desktop
-ms.topic: article
-ms.custom: autopilot
----
-
-
-# Demonstrate Autopilot deployment
-
-**Applies to**
-
-- Windows 10
-
-To get started with Windows Autopilot, you should try it out with a virtual machine (VM) or you can use a physical device that will be wiped and then have a fresh install of Windows 10.
-
-In this topic you'll learn how to set-up a Windows Autopilot deployment for a VM using Hyper-V. Note: Although there are [multiple platforms](administer.md) available to enable Autopilot, this lab primarily uses Intune.
-
->Hyper-V and a VM are not required for this lab. You can also use a physical device. However, the instructions assume that you are using a VM. To use a physical device, skip the instructions to install Hyper-V and create a VM. All references to 'device' in the guide refer to the client device, either physical or virtual.
-
-The following video provides an overview of the process:
-
-
-
-
->For a list of terms used in this guide, see the [Glossary](#glossary) section.
-
-## Prerequisites
-
-These are the things you'll need to complete this lab:
-
-
-## Procedures
-
-A summary of the sections and procedures in the lab is provided below. Follow each section in the order it is presented, skipping the sections that do not apply to you. Optional procedures are provided in the appendix.
-
-[Verify support for Hyper-V](#verify-support-for-hyper-v)
-Windows 10 installation media Windows 10 Professional or Enterprise (ISO file), version 1703 or later is required. If you do not already have an ISO to use, a link is provided to download an evaluation version of Windows 10 Enterprise. Internet access If you are behind a firewall, see the detailed networking requirements. Otherwise, just ensure that you have a connection to the Internet. Hyper-V or a physical device running Windows 10 The guide assumes that you will use a Hyper-V VM, and provides instructions to install and configure Hyper-V if needed. To use a physical device, skip the steps to install and configure Hyper-V. A Premium Intune account This guide will describe how to obtain a free 30-day trial premium account that can be used to complete the lab.
[Enable Hyper-V](#enable-hyper-v)
-
[Create a demo VM](#create-a-demo-vm)
-
[Set ISO file location](#set-iso-file-location)
-
[Determine network adapter name](#determine-network-adapter-name)
-
[Use Windows PowerShell to create the demo VM](#use-windows-powershell-to-create-the-demo-vm)
-
[Install Windows 10](#install-windows-10)
-
[Capture the hardware ID](#capture-the-hardware-id)
-
[Reset the VM back to Out-Of-Box-Experience (OOBE)](#reset-the-vm-back-to-out-of-box-experience-oobe)
-
[Verify subscription level](#verify-subscription-level)
-
[Configure company branding](#configure-company-branding)
-
[Configure Microsoft Intune auto-enrollment](#configure-microsoft-intune-auto-enrollment)
-
[Register your VM](#register-your-vm)
-
[Autopilot registration using Intune](#autopilot-registration-using-intune)
-
[Autopilot registration using MSfB](#autopilot-registration-using-msfb)
-
[Create and assign a Windows Autopilot deployment profile](#create-and-assign-a-windows-autopilot-deployment-profile)
-
[Create a Windows Autopilot deployment profile using Intune](#create-a-windows-autopilot-deployment-profile-using-intune)
-
[Assign the profile](#assign-the-profile)
-
[Create a Windows Autopilot deployment profile using MSfB](#create-a-windows-autopilot-deployment-profile-using-msfb)
-
[See Windows Autopilot in action](#see-windows-autopilot-in-action)
-
[Remove devices from Autopilot](#remove-devices-from-autopilot)
-
[Delete (deregister) Autopilot device](#delete-deregister-autopilot-device)
-
[Appendix A: Verify support for Hyper-V](#appendix-a-verify-support-for-hyper-v)
-
[Appendix B: Adding apps to your profile](#appendix-b-adding-apps-to-your-profile)
-
[Add a Win32 app](#add-a-win32-app)
-
[Prepare the app for Intune](#prepare-the-app-for-intune)
-
[Create app in Intune](#create-app-in-intune)
-
[Assign the app to your Intune profile](#assign-the-app-to-your-intune-profile)
-
[Add Office 365](#add-office-365)
-
[Create app in Intune](#create-app-in-intune)
-
[Assign the app to your Intune profile](#assign-the-app-to-your-intune-profile)
-
[Glossary](#glossary)
-
-## Verify support for Hyper-V
-
-If you don't already have Hyper-V, we must first enable this on a computer running Windows 10 or Windows Server (2012 R2 or later).
-
->If you already have Hyper-V enabled, skip to the [create a demo VM](#create-a-demo-vm) step. If you are using a physical device instead of a VM, skip to [Install Windows 10](#install-windows-10).
-
-If you are not sure that your device supports Hyper-V, or you have problems installing Hyper-V, see [appendix A](#appendix-a-verify-support-for-hyper-v) below for details on verifying that Hyper-V can be successfully installed.
-
-## Enable Hyper-V
-
-To enable Hyper-V, open an elevated Windows PowerShell prompt and run the following command:
-
-```powershell
-Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All
-```
-
-This command works on all operating systems that support Hyper-V, but on Windows Server operating systems you must type an additional command (below) to add the Hyper-V Windows PowerShell module and the Hyper-V Manager console. The following command will also install Hyper-V if it isn't already installed, so if you're using Windows Server, you can just type the following command instead of using the Enable-WindowsOptionalFeature command:
-
-```powershell
-Install-WindowsFeature -Name Hyper-V -IncludeManagementTools
-```
-
-When you are prompted to restart the computer, choose **Yes**. The computer might restart more than once.
-
->Alternatively, you can install Hyper-V using the Control Panel in Windows under **Turn Windows features on or off** for a client operating system, or using Server Manager's **Add Roles and Features Wizard** on a server operating system, as shown below:
-
- 
-
- 
-
-
If you have previously enabled Hyper-V and your Internet-connected network interface is already bound to a VM switch, then the PowerShell commands below will fail. In this case, you can either delete the existing VM switch (so that the commands below can create one), or you can reuse this VM switch by skipping the first command below and either modifying the second command to replace the switch name **AutopilotExternal** with the name of your switch, or by renaming your existing switch to "AutopilotExternal."
If you have never created an external VM switch before, then just run the commands below.
-
-```powershell
-New-VMSwitch -Name AutopilotExternal -AllowManagementOS $true -NetAdapterName (Get-NetAdapter |?{$_.Status -eq "Up" -and !$_.Virtual}).Name
-New-VM -Name WindowsAutopilot -MemoryStartupBytes 2GB -BootDevice VHD -NewVHDPath .\VMs\WindowsAutopilot.vhdx -Path .\VMData -NewVHDSizeBytes 80GB -Generation 2 -Switch AutopilotExternal
-Add-VMDvdDrive -Path c:\iso\win10-eval.iso -VMName WindowsAutopilot
-Start-VM -VMName WindowsAutopilot
-```
-
-After entering these commands, connect to the VM that you just created and wait for a prompt to press a key and boot from the DVD. You can connect to the VM by double-clicking it in Hyper-V Manager.
-
-See the sample output below. In this sample, the VM is created under the **c:\autopilot** directory and the vmconnect.exe command is used (which is only available on Windows Server). If you installed Hyper-V on Windows 10, use Hyper-V Manager to connect to your VM.
-
-
-PS C:\autopilot> dir c:\iso
-
-
- Directory: C:\iso
-
-
-Mode LastWriteTime Length Name
----- ------------- ------ ----
--a---- 3/12/2019 2:46 PM 4627343360 win10-eval.iso
-
-PS C:\autopilot> (Get-NetAdapter |?{$.Status -eq "Up" -and !$.Virtual}).Name
-Ethernet
-PS C:\autopilot> New-VMSwitch -Name AutopilotExternal -AllowManagementOS $true -NetAdapterName (Get-NetAdapter |?{$.Status -eq "Up" -and !$.Virtual}).Name
-
-Name SwitchType NetAdapterInterfaceDescription
----- ---------- ------------------------------
-AutopilotExternal External Intel(R) Ethernet Connection (2) I218-LM
-
-PS C:\autopilot> New-VM -Name WindowsAutopilot -MemoryStartupBytes 2GB -BootDevice VHD -NewVHDPath .\VMs\WindowsAutopilot.vhdx -Path .\VMData -NewVHDSizeBytes 80GB -Generation 2 -Switch AutopilotExternal
-
-Name State CPUUsage(%) MemoryAssigned(M) Uptime Status Version
----- ----- ----------- ----------------- ------ ------ -------
-WindowsAutopilot Off 0 0 00:00:00 Operating normally 8.0
-
-PS C:\autopilot> Add-VMDvdDrive -Path c:\iso\win10-eval.iso -VMName WindowsAutopilot
-PS C:\autopilot> Start-VM -VMName WindowsAutopilot
-PS C:\autopilot> vmconnect.exe localhost WindowsAutopilot
-PS C:\autopilot> dir
-
- Directory: C:\autopilot
-
-Mode LastWriteTime Length Name
----- ------------- ------ ----
-d----- 3/12/2019 3:15 PM VMData
-d----- 3/12/2019 3:42 PM VMs
-
-PS C:\autopilot>
-
-
-### Install Windows 10
-
-Ensure the VM booted from the installation ISO, click **Next** then click **Install now** and complete the Windows installation process. See the following examples:
-
- 
- 
- 
- 
- 
- 
-
->After the VM restarts, during OOBE, it’s fine to select **Set up for personal use** or **Domain join instead** and then choose an offline account on the **Sign in** screen. This will offer the fastest way to the desktop. For example:
-
- 
-
-Once the installation is complete, sign in and verify that you are at the Windows 10 desktop, then create your first Hyper-V checkpoint. Checkpoints are used to restore the VM to a previous state. You will create multiple checkpoints throughout this lab, which can be used later to go through the process again.
-
- 
-
-To create your first checkpoint, open an elevated Windows PowerShell prompt on the computer running Hyper-V (not on the VM) and run the following:
-
-```powershell
-Checkpoint-VM -Name WindowsAutopilot -SnapshotName "Finished Windows install"
-```
-
-Click on the **WindowsAutopilot** VM in Hyper-V Manager and verify that you see **Finished Windows Install** listed in the Checkpoints pane.
-
-## Capture the hardware ID
-
->NOTE: Normally, the Device ID is captured by the OEM as they run the OA3 Tool on each device in the factory. The OEM then submits the 4K HH created by the OA3 Tool to Microsoft by submitting it with a Computer Build Report (CBR). For purposes of this lab, you are acting as the OEM (capturing the 4K HH), but you’re not going to use the OA3 Tool to capture the full 4K HH for various reasons (you’d have to install the OA3 tool, your device couldn’t have a volume license version of Windows, it’s a more complicated process than using a PS script, etc.). Instead, you’ll simulate running the OA3 tool by running a PowerShell script, which captures the device 4K HH just like the OA3 tool.
-
-Follow these steps to run the PS script:
-
-1. Open an elevated Windows PowerShell prompt and run the following commands. These commands are the same regardless of whether you are using a VM or a physical device:
-
- ```powershell
- md c:\HWID
- Set-Location c:\HWID
- Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted -Force
- Install-Script -Name Get-WindowsAutopilotInfo -Force
- $env:Path += ";C:\Program Files\WindowsPowerShell\Scripts"
- Get-WindowsAutopilotInfo.ps1 -OutputFile AutopilotHWID.csv
- ```
-
-When you are prompted to install the NuGet package, choose **Yes**.
-
-See the sample output below.
-
-
-PS C:\> md c:\HWID
-
- Directory: C:\
-
-Mode LastWriteTime Length Name
----- ------------- ------ ----
-d----- 3/14/2019 11:33 AM HWID
-
-PS C:\> Set-Location c:\HWID
-PS C:\HWID> Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted -Force
-PS C:\HWID> Install-Script -Name Get-WindowsAutopilotInfo -Force
-
-NuGet provider is required to continue
-PowerShellGet requires NuGet provider version '2.8.5.201' or newer to interact with NuGet-based repositories. The NuGet
- provider must be available in 'C:\Program Files\PackageManagement\ProviderAssemblies' or
-'C:\Users\user1\AppData\Local\PackageManagement\ProviderAssemblies'. You can also install the NuGet provider by running
- 'Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force'. Do you want PowerShellGet to install and
-import the NuGet provider now?
-[Y] Yes [N] No [S] Suspend [?] Help (default is "Y"): Y
-PS C:\HWID> $env:Path += ";C:\Program Files\WindowsPowerShell\Scripts"
-PS C:\HWID> Get-WindowsAutopilotInfo.ps1 -OutputFile AutopilotHWID.csv
-PS C:\HWID> dir
-
- Directory: C:\HWID
-
-Mode LastWriteTime Length Name
----- ------------- ------ ----
--a---- 3/14/2019 11:33 AM 8184 AutopilotHWID.csv
-
-PS C:\HWID>
-
-
-Verify that there is an **AutopilotHWID.csv** file in the **c:\HWID** directory that is about 8 KB in size. This file contains the complete 4K HH.
-
-**Note**: Although the .csv extension might be associated with Microsoft Excel, you cannot view the file properly by double-clicking it. To correctly parse the comma delimiters and view the file in Excel, you must use the **Data** > **From Text/CSV** function in Excel to import the appropriate data columns. You don't need to view the file in Excel unless you are curious. The file format will be validated when it is imported into Autopilot. An example of the data in this file is shown below.
-
-
-
-You will need to upload this data into Intune to register your device for Autopilot, so it needs to be transferred to the computer you will use to access the Azure portal. If you are using a physical device instead of a VM, you can copy the file to a USB stick. If you’re using a VM, you can right-click the AutopilotHWID.csv file and copy it, then right-click and paste the file to your desktop (outside the VM).
-
-If you have trouble copying and pasting the file, just view the contents in Notepad on the VM and copy the text into Notepad outside the VM. Do not use another text editor to do this.
-
->[!NOTE]
->When copying and pasting to or from VMs, avoid clicking other things with your mouse cursor between the copy and paste process as this can empty or overwrite the clipboard and require that you start over. Go directly from copy to paste.
-
-## Reset the VM back to Out-Of-Box-Experience (OOBE)
-
-With the hardware ID captured in a file, prepare your Virtual Machine for Windows Autopilot deployment by resetting it back to OOBE.
-
-On the Virtual Machine, go to **Settings > Update & Security > Recovery** and click on **Get started** under **Reset this PC**.
-Select **Remove everything** and **Just remove my files**. Finally, click on **Reset**.
-
-
-
-Resetting the VM or device can take a while. Proceed to the next step (verify subscription level) during the reset process.
-
-
-
-## Verify subscription level
-
-For this lab, you need an AAD Premium subscription. You can tell if you have a Premium subscription by navigating to the [MDM enrollment configuration](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Mobility) blade. See the following example:
-
-**Azure Active Directory** > **Mobility (MDM and MAM)** > **Microsoft Intune**
-
-
-
-If the configuration blade shown above does not appear, it’s likely that you don’t have a **Premium** subscription. Auto-enrollment is a feature only available in AAD Premium.
-
-To convert your Intune trial account to a free Premium trial account, navigate to **Azure Active Directory** > **Licenses** > **All products** > **Try / Buy** and select **Free trial** for Azure AD Premium, or EMS E5.
-
-
-
-## Configure company branding
-
-If you already have company branding configured in Azure Active Directory, you can skip this step.
-
->[!IMPORTANT]
->Make sure to sign-in with a Global Administrator account.
-
-Navigate to [Company branding in Azure Active Directory](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/LoginTenantBranding), click on **Configure** and configure any type of company branding you'd like to see during the OOBE.
-
-
-
-When you are finished, click **Save**.
-
->[!NOTE]
->Changes to company branding can take up to 30 minutes to apply.
-
-## Configure Microsoft Intune auto-enrollment
-
-If you already have MDM auto-enrollment configured in Azure Active Directory, you can skip this step.
-
-Open [Mobility (MDM and MAM) in Azure Active Directory](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Mobility) and select **Microsoft Intune**. If you do not see Microsoft Intune, click **Add application** and choose **Intune**.
-
-For the purposes of this demo, select **All** under the **MDM user scope** and click **Save**.
-
-
-
-## Register your VM
-
-Your VM (or device) can be registered either via Intune or Microsoft Store for Business (MSfB). Both processes are shown here, but only pick one for purposes of this lab. We highly recommend using Intune rather than MSfB.
-
-### Autopilot registration using Intune
-
-1. In Intune in the Azure portal, choose **Device enrollment** > **Windows enrollment** > **Devices** > **Import**.
-
- 
-
- >[!NOTE]
- >If menu items like **Windows enrollment** are not active for you, then look to the far-right blade in the UI. You might need to provide Intune configuration privileges in a challenge window that appeared.
-
-2. Under **Add Windows Autopilot devices** in the far right pane, browse to the **AutopilotHWID.csv** file you previously copied to your local computer. The file should contain the serial number and 4K HH of your VM (or device). It’s okay if other fields (Windows Product ID) are left blank.
-
- 
-
- You should receive confirmation that the file is formatted correctly before uploading it, as shown above.
-
-3. Click **Import** and wait until the import process completes. This can take up to 15 minutes.
-
-4. Click **Sync** to sync the device you just registered. Wait a few moments before refreshing to verify your VM or device has been added. See the following example.
-
- 
-
-### Autopilot registration using MSfB
-
->[!IMPORTANT]
->If you've already registered your VM (or device) using Intune, then skip this step.
-
-Optional: see the following video for an overview of the process.
-
-
-
-> [!video https://www.youtube.com/embed/IpLIZU_j7Z0]
-
-First, you need a MSfB account. You can use the same one you created above for Intune, or follow [these instructions](https://docs.microsoft.com/microsoft-store/windows-store-for-business-overview) to create a new one.
-
-Next, sign in to [Microsoft Store for Business](https://businessstore.microsoft.com/en-us/store) using your test account by clicking **Sign in** in the upper-right-corner of the main page.
-
-Select **Manage** from the top menu, then click the **Windows Autopilot Deployment Program** link under the **Devices** card. See the following example:
-
-
-
-Click the **Add devices** link to upload your CSV file. A message will appear indicating your request is being processed. Wait a few moments before refreshing to see your new device has been added.
-
-
-
-## Create and assign a Windows Autopilot deployment profile
-
->[!IMPORTANT]
->Autopilot profiles can be created and assigned to your registered VM or device either through Intune or MSfB. Both processes are shown here, but only pick one for purposes of this lab:
-
-Pick one:
-- [Create profiles using Intune](#create-a-windows-autopilot-deployment-profile-using-intune)
-- [Create profiles using MSfB](#create-a-windows-autopilot-deployment-profile-using-msfb)
-
-### Create a Windows Autopilot deployment profile using Intune
-
->[!NOTE]
->Even if you registered your device in MSfB, it will still appear in Intune, though you might have to **sync** and then **refresh** your device list first:
-
-
-
->The example above lists both a physical device and a VM. Your list should only include only one of these.
-
-To create a Windows Autopilot profile, select **Device enrollment** > **Windows enrollment** > **Deployment profiles**
-
-
-
-Click on **Create profile**.
-
-
-
-On the **Create profile** blade, use the following values:
-
-| Setting | Value |
-|---|---|
-| Name | Autopilot Lab profile |
-| Description | blank |
-| Convert all targeted devices to Autopilot | No |
-| Deployment mode | User-driven |
-| Join to Azure AD as | Azure AD joined |
-
-Click on **Out-of-box experience (OOBE)** and configure the following settings:
-
-| Setting | Value |
-|---|---|
-| EULA | Hide |
-| Privacy Settings | Hide |
-| Hide change account options | Hide |
-| User account type | Standard |
-| Apply device name template | No |
-
-See the following example:
-
-
-
-Click on **OK** and then click on **Create**.
-
->If you want to add an app to your profile via Intune, the OPTIONAL steps for doing so can be found in [Appendix B: Adding apps to your profile](#appendix-b-adding-apps-to-your-profile).
-
-#### Assign the profile
-
-Profiles can only be assigned to Groups, so first you must create a group that contains the devices to which the profile should be applied. This guide will provide simple instructions to assign a profile, for more detailed instructions, see [Create an Autopilot device group](https://docs.microsoft.com/intune/enrollment-autopilot#create-an-autopilot-device-group) and [Assign an Autopilot deployment profile to a device group](https://docs.microsoft.com/intune/enrollment-autopilot#assign-an-autopilot-deployment-profile-to-a-device-group), as optional reading.
-
-To create a Group, open the Azure Portal and select **Azure Active Directory** > **Groups** > **All groups**:
-
-
-
-Select New group from the Groups blade to open the new groups UI. Select the “Security” group type, name the group, and select the “Assigned” membership type:
-
-Before clicking **Create**, expand the **Members** panel, click your device's serial number (it will then appear under **Selected members**) and then click **Select** to add that device to this group.
-
-
-
-Now click **Create** to finish creating the new group.
-
-Click on **All groups** and click **Refresh** to verify that your new group has been successfully created.
-
-With a group created containing your device, you can now go back and assign your profile to that group. Navigate back to the Intune page in the Azure portal (one way is to type **Intune** in the top banner search bar and select **Intune** from the results).
-
-From Intune, select **Device enrollment** > **Windows enrollment** > **Deployment Profiles** to open the profile blade. Click on the name of the profile you previously created (Autopilot Lab profile) to open the details blade for that profile:
-
-
-
-Under **Manage**, click **Assignments**, and then with the **Include** tab highlighted, expand the **Select groups** blade and click **AP Lab Group 1** (the group will appear under **Selected members**).
-
-
-
-Click **Select** and then click **Save**.
-
-
-
-It’s also possible to assign specific users to a profile, but we will not cover this scenario in the lab. For more detailed information, see [Enroll Windows devices in Intune by using Windows Autopilot](https://docs.microsoft.com/intune/enrollment-autopilot).
-
-### Create a Windows Autopilot deployment profile using MSfB
-
-If you have already created and assigned a profile via Intune by using the steps immediately above, then skip this section.
-
-A [video](https://www.youtube.com/watch?v=IpLIZU_j7Z0) is available that covers the steps required to create and assign profiles in MSfB. These steps are also summarized below.
-
-First, sign in to the [Microsoft Store for Business](https://businessstore.microsoft.com/manage/dashboard) using the Intune account you initially created for this lab.
-
-Click **Manage** from the top menu, then click **Devices** from the left navigation tree.
-
-
-
-Click the **Windows Autopilot Deployment Program** link in the **Devices** tile.
-
-To CREATE the profile:
-
-Select your device from the **Devices** list:
-
-
-
-On the Autopilot deployment dropdown menu, select **Create new profile**:
-
-
-
-Name the profile, choose your desired settings, and then click **Create**:
-
-
-
-The new profile is added to the Autopilot deployment list.
-
-To ASSIGN the profile:
-
-To assign (or reassign) the profile to a device, select the checkboxes next to the device you registered for this lab, then select the profile you want to assign from the **Autopilot deployment** dropdown menu as shown:
-
-
-
-Confirm the profile was successfully assigned to the intended device by checking the contents of the **Profile** column:
-
-
-
->[!IMPORTANT]
->The new profile will only be applied if the device has not been started, and gone through OOBE. Settings from a different profile can't be applied when another profile has been applied. Windows would need to be reinstalled on the device for the second profile to be applied to the device.
-
-## See Windows Autopilot in action
-
-If you shut down your VM after the last reset, it’s time to start it back up again, so it can progress through the Autopilot OOBE experience but do not attempt to start your device again until the **PROFILE STATUS** for your device in Intune has changed from **Not assigned** to **Assigning** and finally **Assigned**:
-
-
-
-Also, make sure to wait at least 30 minutes from the time you've [configured company branding](#configure-company-branding), otherwise these changes might not show up.
-
->[!TIP]
->If you reset your device previously after collecting the 4K HH info, and then let it restart back to the first OOBE screen, then you might need to restart the device again to ensure the device is recognized as an Autopilot device and displays the Autopilot OOBE experience you’re expecting. If you do not see the Autopilot OOBE experience, then reset the device again (Settings > Update & Security > Recovery and click on Get started. Under Reset this PC, select Remove everything and Just remove my files. Click on Reset).
-
-- Ensure your device has an internet connection.
-- Turn on the device
-- Verify that the appropriate OOBE screens (with appropriate Company Branding) appear. You should see the region selection screen, the keyboard selection screen, and the second keyboard selection screen (which you can skip).
-
-
-
-Soon after reaching the desktop, the device should show up in Intune as an **enabled** Autopilot device. Go into the Intune Azure portal, and select **Devices > All devices**, then **Refresh** the data to verify that your device has changed from disabled to enabled, and the name of the device is updated.
-
-
-
-Once you select a language and a keyboard layout, your company branded sign-in screen should appear. Provide your Azure Active Directory credentials and you're all done.
-
-Windows Autopilot will now take over to automatically join your device into Azure Active Directory and enroll it to Microsoft Intune. Use the checkpoints you've created to go through this process again with different settings.
-
-## Remove devices from Autopilot
-
-To use the device (or VM) for other purposes after completion of this lab, you will need to remove (deregister) it from Autopilot via either Intune or MSfB, and then reset it. Instructions for deregistering devices can be found [here](https://docs.microsoft.com/intune/enrollment-autopilot#create-an-autopilot-device-group) and [here](https://docs.microsoft.com/intune/devices-wipe#delete-devices-from-the-azure-active-directory-portal) and below.
-
-### Delete (deregister) Autopilot device
-
-You need to delete (or retire, or factory reset) the device from Intune before deregistering the device from Autopilot. To delete the device from Intune (not Azure Active Directory), log into your Intune Azure portal, then navigate to **Intune > Devices > All Devices**. Select the checkbox next to the device you want to delete, then click the Delete button along the top menu.
-
-
-
-Click **X** when challenged to complete the operation:
-
-
-
-This will remove the device from Intune management, and it will disappear from **Intune > Devices > All devices**. But this does not yet deregister the device from Autopilot, so the device should still appear under **Intune > Device Enrollment > Windows Enrollment > Windows Autopilot Deployment Program > Devices**.
-
-
-
-The **Intune > Devices > All Devices** list and the **Intune > Device Enrollment > Windows Enrollment > Windows Autopilot Deployment Program > Devices** list mean different things and are two completely separate datastores. The former (All devices) is the list of devices currently enrolled into Intune. Note: A device will only appear in the All devices list once it has booted. The latter (Windows Autopilot Deployment Program > Devices) is the list of devices currently registered from that Intune account into the Autopilot program - which may or may not be enrolled to Intune.
-
-To remove the device from the Autopilot program, select the device and click Delete.
-
-
-
-A warning message appears reminding you to first remove the device from Intune, which we previously did.
-
-
-
-At this point, your device has been unenrolled from Intune and also deregistered from Autopilot. After several minutes, click the **Sync** button, followed by the **Refresh** button to confirm the device is no longer listed in the Autopilot program:
-
-
-
-Once the device no longer appears, you are free to reuse it for other purposes.
-
-If you also (optionally) want to remove your device from AAD, navigate to **Azure Active Directory > Devices > All Devices**, select your device, and click the delete button:
-
-
-
-## Appendix A: Verify support for Hyper-V
-
-Starting with Windows 8, the host computer’s microprocessor must support second level address translation (SLAT) to install Hyper-V. See [Hyper-V: List of SLAT-Capable CPUs for Hosts](https://social.technet.microsoft.com/wiki/contents/articles/1401.hyper-v-list-of-slat-capable-cpus-for-hosts.aspx) for more information.
-
-To verify your computer supports SLAT, open an administrator command prompt, type **systeminfo**, press ENTER, scroll down, and review the section displayed at the bottom of the output, next to Hyper-V Requirements. See the following example:
-
-
-C:>systeminfo
-
-...
-Hyper-V Requirements: VM Monitor Mode Extensions: Yes
- Virtualization Enabled In Firmware: Yes
- Second Level Address Translation: Yes
- Data Execution Prevention Available: Yes
-
-
-In this example, the computer supports SLAT and Hyper-V.
-
->If one or more requirements are evaluated as **No** then the computer does not support installing Hyper-V. However, if only the virtualization setting is incompatible, you might be able to enable virtualization in the BIOS and change the **Virtualization Enabled In Firmware** setting from **No** to **Yes**. The location of this setting will depend on the manufacturer and BIOS version, but is typically found associated with the BIOS security settings.
-
-You can also identify Hyper-V support using [tools](https://blogs.msdn.microsoft.com/taylorb/2008/06/19/hyper-v-will-my-computer-run-hyper-v-detecting-intel-vt-and-amd-v/) provided by the processor manufacturer, the [msinfo32](https://technet.microsoft.com/library/cc731397.aspx) tool, or you can download the [coreinfo](https://technet.microsoft.com/sysinternals/cc835722) utility and run it, as shown in the following example:
-
-
-C:>coreinfo -v
-
-Coreinfo v3.31 - Dump information on system CPU and memory topology
-Copyright (C) 2008-2014 Mark Russinovich
-Sysinternals - www.sysinternals.com
-
-Intel(R) Core(TM) i7-2600 CPU @ 3.40GHz
-Intel64 Family 6 Model 42 Stepping 7, GenuineIntel
-Microcode signature: 0000001B
-HYPERVISOR - Hypervisor is present
-VMX * Supports Intel hardware-assisted virtualization
-EPT * Supports Intel extended page tables (SLAT)
-
-
-Note: A 64-bit operating system is required to run Hyper-V.
-
-## Appendix B: Adding apps to your profile
-
-### Add a Win32 app
-
-#### Prepare the app for Intune
-
-Before we can pull an application into Intune to make it part of our AP profile, we need to “package” the application for delivery using the [IntuneWinAppUtil.exe command-line tool](https://github.com/Microsoft/Intune-Win32-App-Packaging-Tool). After downloading the tool, gather the following three bits of information to use the tool:
-
-1. The source folder for your application
-2. The name of the setup executable file
-3. The output folder for the new file
-
-For the purposes of this lab, we’ll use the Notepad++ tool as our Win32 app.
-
-Download the Notepad++ msi package [here](https://www.hass.de/content/notepad-msi-package-enterprise-deployment-available) and then opy the file to a known location, such as C:\Notepad++msi.
-
-Run the IntuneWinAppUtil tool, supplying answers to the three questions, for example:
-
-
-
-After the tool finishes running, you should have an .intunewin file in the Output folder, which you can now upload into Intune using the following steps.
-
-#### Create app in Intune
-
-Log into the Azure portal and select **Intune**.
-
-Navigate to **Intune > Clients apps > Apps**, and then click the **Add** button to create a new app package.
-
-
-
-Under **App Type**, select **Windows app (Win32)**:
-
-
-
-On the **App package file** blade, browse to the **npp.7.6.3.installer.x64.intunewin** file in your output folder, open it, then click **OK**:
-
-
-
-On the **App Information Configure** blade, provide a friendly name, description, and publisher, such as:
-
-
-
-On the **Program Configuration** blade, supply the install and uninstall commands:
-
-Install: msiexec /i "npp.7.6.3.installer.x64.msi" /q
-Uninstall: msiexec /x "{F188A506-C3C6-4411-BE3A-DA5BF1EA6737}" /q
-
-NOTE: Likely, you do not have to write the install and uninstall commands yourself because the [IntuneWinAppUtil.exe command-line tool](https://github.com/Microsoft/Intune-Win32-App-Packaging-Tool) automatically generated them when it converted the .msi file into a .intunewin file.
-
-
-
-Simply using an install command like “notepad++.exe /S” will not actually install Notepad++; it will only launch the app. To actually install the program, we need to use the .msi file instead. Notepad++ doesn’t actually have an .msi version of their program, but we got an .msi version from a [third party provider](https://www.hass.de/content/notepad-msi-package-enterprise-deployment-available).
-
-Click **OK** to save your input and activate the **Requirements** blade.
-
-On the **Requirements Configuration** blade, specify the **OS architecture** and the **Minimum OS version**:
-
-
-
-Next, configure the **Detection rules**. For our purposes, we will select manual format:
-
-
-
-Click **Add** to define the rule properties. For **Rule type**, select **MSI**, which will automatically import the right MSI product code into the rule:
-
-
-
-Click **OK** twice to save, as you back out to the main **Add app** blade again for the final configuration.
-
-**Return codes**: For our purposes, leave the return codes at their default values:
-
-
-
-Click **OK** to exit.
-
-You may skip configuring the final **Scope (Tags)** blade.
-
-Click the **Add** button to finalize and save your app package.
-
-Once the indicator message says the addition has completed.
-
-
-
-You will be able to find your app in your app list:
-
-
-
-#### Assign the app to your Intune profile
-
-**NOTE**: The following steps only work if you previously [created a GROUP in Intune and assigned a profile to it](#assign-the-profile). If you have not done that, please return to the main part of the lab and complete those steps before returning here.
-
-In the **Intune > Client Apps > Apps** pane, select the app package you already created to reveal its properties blade. Then click **Assignments** from the menu:
-
-
-
-Select **Add Group** to open the **Add group** pane that is related to the app.
-
-For our purposes, select *8Required** from the **Assignment type** dropdown menu:
-
->**Available for enrolled devices** means users install the app from the Company Portal app or Company Portal website.
-
-Select **Included Groups** and assign the groups you previously created that will use this app:
-
-
-
-
-
-In the **Select groups** pane, click the **Select** button.
-
-In the **Assign group** pane, select **OK**.
-
-In the **Add group** pane, select **OK**.
-
-In the app **Assignments** pane, select **Save**.
-
-
-
-At this point, you have completed steps to add a Win32 app to Intune.
-
-For more information on adding adds to Intune, see [Intune Standalone - Win32 app management](https://docs.microsoft.com/intune/apps-win32-app-management).
-
-### Add Office 365
-
-#### Create app in Intune
-
-Log into the Azure portal and select **Intune**.
-
-Navigate to **Intune > Clients apps > Apps**, and then click the **Add** button to create a new app package.
-
-
-
-Under **App Type**, select **Office 365 Suite > Windows 10**:
-
-
-
-Under the **Configure App Suite** pane, select the Office apps you want to install. For the purposes of this labe we have only selected Excel:
-
-
-
-Click **OK**.
-
-In the **App Suite Information** pane, enter a unique suite name, and a suitable description.
-
->Enter the name of the app suite as it is displayed in the company portal. Make sure that all suite names that you use are unique. If the same app suite name exists twice, only one of the apps is displayed to users in the company portal.
-
-
-
-Click **OK**.
-
-In the **App Suite Settings** pane, select **Monthly** for the **Update channel** (any selection would be fine for the purposes of this lab). Also select **Yes** for **Automatically accept the app end user license agreement**:
-
-
-
-Click **OK** and then click **Add**.
-
-#### Assign the app to your Intune profile
-
-**NOTE**: The following steps only work if you previously [created a GROUP in Intune and assigned a profile to it](#assign-the-profile). If you have not done that, please return to the main part of the lab and complete those steps before returning here.
-
-In the **Intune > Client Apps > Apps** pane, select the Office package you already created to reveal its properties blade. Then click **Assignments** from the menu:
-
-
-
-Select **Add Group** to open the **Add group** pane that is related to the app.
-
-For our purposes, select **Required** from the **Assignment type** dropdown menu:
-
->**Available for enrolled devices** means users install the app from the Company Portal app or Company Portal website.
-
-Select **Included Groups** and assign the groups you previously created that will use this app:
-
-
-
-
-
-In the **Select groups** pane, click the **Select** button.
-
-In the **Assign group** pane, select **OK**.
-
-In the **Add group** pane, select **OK**.
-
-In the app **Assignments** pane, select **Save**.
-
-
-
-At this point, you have completed steps to add Office to Intune.
-
-For more information on adding Office apps to Intune, see [Assign Office 365 apps to Windows 10 devices with Microsoft Intune](https://docs.microsoft.com/intune/apps-add-office365).
-
-If you installed both the win32 app (Notepad++) and Office (just Excel) per the instructions in this lab, your VM will show them in the apps list, although it could take several minutes to populate:
-
-
-
-## Glossary
-
-
-
+---
+title: Demonstrate Autopilot deployment
+ms.reviewer:
+manager: laurawi
+description: Step-by-step instructions on how to set-up a Virtual Machine with a Windows Autopilot deployment
+keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune, upgrade
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: medium
+ms.sitesec: library
+ms.pagetype: deploy
+author: greg-lindsay
+ms.author: greglin
+ms.collection: M365-modern-desktop
+ms.topic: article
+ms.custom: autopilot
+---
+
+
+# Demonstrate Autopilot deployment
+
+**Applies to**
+
+- Windows 10
+
+To get started with Windows Autopilot, you should try it out with a virtual machine (VM) or you can use a physical device that will be wiped and then have a fresh install of Windows 10.
+
+In this topic you'll learn how to set-up a Windows Autopilot deployment for a VM using Hyper-V. Note: Although there are [multiple platforms](administer.md) available to enable Autopilot, this lab primarily uses Intune.
+
+>Hyper-V and a VM are not required for this lab. You can also use a physical device. However, the instructions assume that you are using a VM. To use a physical device, skip the instructions to install Hyper-V and create a VM. All references to 'device' in the guide refer to the client device, either physical or virtual.
+
+The following video provides an overview of the process:
+
+
+
+
+>For a list of terms used in this guide, see the [Glossary](#glossary) section.
+
+## Prerequisites
+
+These are the things you'll need to complete this lab:
+OEM Original Equipment Manufacturer CSV Comma Separated Values MPC Microsoft Partner Center CSP Cloud Solution Provider MSfB Microsoft Store for Business AAD Azure Active Directory 4K HH 4K Hardware Hash CBR Computer Build Report EC Enterprise Commerce (server) DDS Device Directory Service OOBE Out of the Box Experience VM Virtual Machine
+
+## Procedures
+
+A summary of the sections and procedures in the lab is provided below. Follow each section in the order it is presented, skipping the sections that do not apply to you. Optional procedures are provided in the appendix.
+
+[Verify support for Hyper-V](#verify-support-for-hyper-v)
+Windows 10 installation media Windows 10 Professional or Enterprise (ISO file), version 1703 or later is required. If you do not already have an ISO to use, a link is provided to download an evaluation version of Windows 10 Enterprise. Internet access If you are behind a firewall, see the detailed networking requirements. Otherwise, just ensure that you have a connection to the Internet. Hyper-V or a physical device running Windows 10 The guide assumes that you will use a Hyper-V VM, and provides instructions to install and configure Hyper-V if needed. To use a physical device, skip the steps to install and configure Hyper-V. A Premium Intune account This guide will describe how to obtain a free 30-day trial premium account that can be used to complete the lab.
[Enable Hyper-V](#enable-hyper-v)
+
[Create a demo VM](#create-a-demo-vm)
+
[Set ISO file location](#set-iso-file-location)
+
[Determine network adapter name](#determine-network-adapter-name)
+
[Use Windows PowerShell to create the demo VM](#use-windows-powershell-to-create-the-demo-vm)
+
[Install Windows 10](#install-windows-10)
+
[Capture the hardware ID](#capture-the-hardware-id)
+
[Reset the VM back to Out-Of-Box-Experience (OOBE)](#reset-the-vm-back-to-out-of-box-experience-oobe)
+
[Verify subscription level](#verify-subscription-level)
+
[Configure company branding](#configure-company-branding)
+
[Configure Microsoft Intune auto-enrollment](#configure-microsoft-intune-auto-enrollment)
+
[Register your VM](#register-your-vm)
+
[Autopilot registration using Intune](#autopilot-registration-using-intune)
+
[Autopilot registration using MSfB](#autopilot-registration-using-msfb)
+
[Create and assign a Windows Autopilot deployment profile](#create-and-assign-a-windows-autopilot-deployment-profile)
+
[Create a Windows Autopilot deployment profile using Intune](#create-a-windows-autopilot-deployment-profile-using-intune)
+
[Assign the profile](#assign-the-profile)
+
[Create a Windows Autopilot deployment profile using MSfB](#create-a-windows-autopilot-deployment-profile-using-msfb)
+
[See Windows Autopilot in action](#see-windows-autopilot-in-action)
+
[Remove devices from Autopilot](#remove-devices-from-autopilot)
+
[Delete (deregister) Autopilot device](#delete-deregister-autopilot-device)
+
[Appendix A: Verify support for Hyper-V](#appendix-a-verify-support-for-hyper-v)
+
[Appendix B: Adding apps to your profile](#appendix-b-adding-apps-to-your-profile)
+
[Add a Win32 app](#add-a-win32-app)
+
[Prepare the app for Intune](#prepare-the-app-for-intune)
+
[Create app in Intune](#create-app-in-intune)
+
[Assign the app to your Intune profile](#assign-the-app-to-your-intune-profile)
+
[Add Office 365](#add-office-365)
+
[Create app in Intune](#create-app-in-intune)
+
[Assign the app to your Intune profile](#assign-the-app-to-your-intune-profile)
+
[Glossary](#glossary)
+
+## Verify support for Hyper-V
+
+If you don't already have Hyper-V, we must first enable this on a computer running Windows 10 or Windows Server (2012 R2 or later).
+
+>If you already have Hyper-V enabled, skip to the [create a demo VM](#create-a-demo-vm) step. If you are using a physical device instead of a VM, skip to [Install Windows 10](#install-windows-10).
+
+If you are not sure that your device supports Hyper-V, or you have problems installing Hyper-V, see [appendix A](#appendix-a-verify-support-for-hyper-v) below for details on verifying that Hyper-V can be successfully installed.
+
+## Enable Hyper-V
+
+To enable Hyper-V, open an elevated Windows PowerShell prompt and run the following command:
+
+```powershell
+Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All
+```
+
+This command works on all operating systems that support Hyper-V, but on Windows Server operating systems you must type an additional command (below) to add the Hyper-V Windows PowerShell module and the Hyper-V Manager console. The following command will also install Hyper-V if it isn't already installed, so if you're using Windows Server, you can just type the following command instead of using the Enable-WindowsOptionalFeature command:
+
+```powershell
+Install-WindowsFeature -Name Hyper-V -IncludeManagementTools
+```
+
+When you are prompted to restart the computer, choose **Yes**. The computer might restart more than once.
+
+>Alternatively, you can install Hyper-V using the Control Panel in Windows under **Turn Windows features on or off** for a client operating system, or using Server Manager's **Add Roles and Features Wizard** on a server operating system, as shown below:
+
+ 
+
+ 
+
+
If you have previously enabled Hyper-V and your Internet-connected network interface is already bound to a VM switch, then the PowerShell commands below will fail. In this case, you can either delete the existing VM switch (so that the commands below can create one), or you can reuse this VM switch by skipping the first command below and either modifying the second command to replace the switch name **AutopilotExternal** with the name of your switch, or by renaming your existing switch to "AutopilotExternal."
If you have never created an external VM switch before, then just run the commands below.
+
+```powershell
+New-VMSwitch -Name AutopilotExternal -AllowManagementOS $true -NetAdapterName (Get-NetAdapter |?{$_.Status -eq "Up" -and !$_.Virtual}).Name
+New-VM -Name WindowsAutopilot -MemoryStartupBytes 2GB -BootDevice VHD -NewVHDPath .\VMs\WindowsAutopilot.vhdx -Path .\VMData -NewVHDSizeBytes 80GB -Generation 2 -Switch AutopilotExternal
+Add-VMDvdDrive -Path c:\iso\win10-eval.iso -VMName WindowsAutopilot
+Start-VM -VMName WindowsAutopilot
+```
+
+After entering these commands, connect to the VM that you just created and wait for a prompt to press a key and boot from the DVD. You can connect to the VM by double-clicking it in Hyper-V Manager.
+
+See the sample output below. In this sample, the VM is created under the **c:\autopilot** directory and the vmconnect.exe command is used (which is only available on Windows Server). If you installed Hyper-V on Windows 10, use Hyper-V Manager to connect to your VM.
+
+
+PS C:\autopilot> dir c:\iso
+
+
+ Directory: C:\iso
+
+
+Mode LastWriteTime Length Name
+---- ------------- ------ ----
+-a---- 3/12/2019 2:46 PM 4627343360 win10-eval.iso
+
+PS C:\autopilot> (Get-NetAdapter |?{$.Status -eq "Up" -and !$.Virtual}).Name
+Ethernet
+PS C:\autopilot> New-VMSwitch -Name AutopilotExternal -AllowManagementOS $true -NetAdapterName (Get-NetAdapter |?{$.Status -eq "Up" -and !$.Virtual}).Name
+
+Name SwitchType NetAdapterInterfaceDescription
+---- ---------- ------------------------------
+AutopilotExternal External Intel(R) Ethernet Connection (2) I218-LM
+
+PS C:\autopilot> New-VM -Name WindowsAutopilot -MemoryStartupBytes 2GB -BootDevice VHD -NewVHDPath .\VMs\WindowsAutopilot.vhdx -Path .\VMData -NewVHDSizeBytes 80GB -Generation 2 -Switch AutopilotExternal
+
+Name State CPUUsage(%) MemoryAssigned(M) Uptime Status Version
+---- ----- ----------- ----------------- ------ ------ -------
+WindowsAutopilot Off 0 0 00:00:00 Operating normally 8.0
+
+PS C:\autopilot> Add-VMDvdDrive -Path c:\iso\win10-eval.iso -VMName WindowsAutopilot
+PS C:\autopilot> Start-VM -VMName WindowsAutopilot
+PS C:\autopilot> vmconnect.exe localhost WindowsAutopilot
+PS C:\autopilot> dir
+
+ Directory: C:\autopilot
+
+Mode LastWriteTime Length Name
+---- ------------- ------ ----
+d----- 3/12/2019 3:15 PM VMData
+d----- 3/12/2019 3:42 PM VMs
+
+PS C:\autopilot>
+
+
+### Install Windows 10
+
+Ensure the VM booted from the installation ISO, click **Next** then click **Install now** and complete the Windows installation process. See the following examples:
+
+ 
+ 
+ 
+ 
+ 
+ 
+
+>After the VM restarts, during OOBE, it’s fine to select **Set up for personal use** or **Domain join instead** and then choose an offline account on the **Sign in** screen. This will offer the fastest way to the desktop. For example:
+
+ 
+
+Once the installation is complete, sign in and verify that you are at the Windows 10 desktop, then create your first Hyper-V checkpoint. Checkpoints are used to restore the VM to a previous state. You will create multiple checkpoints throughout this lab, which can be used later to go through the process again.
+
+ 
+
+To create your first checkpoint, open an elevated Windows PowerShell prompt on the computer running Hyper-V (not on the VM) and run the following:
+
+```powershell
+Checkpoint-VM -Name WindowsAutopilot -SnapshotName "Finished Windows install"
+```
+
+Click on the **WindowsAutopilot** VM in Hyper-V Manager and verify that you see **Finished Windows Install** listed in the Checkpoints pane.
+
+## Capture the hardware ID
+
+>NOTE: Normally, the Device ID is captured by the OEM as they run the OA3 Tool on each device in the factory. The OEM then submits the 4K HH created by the OA3 Tool to Microsoft by submitting it with a Computer Build Report (CBR). For purposes of this lab, you are acting as the OEM (capturing the 4K HH), but you’re not going to use the OA3 Tool to capture the full 4K HH for various reasons (you’d have to install the OA3 tool, your device couldn’t have a volume license version of Windows, it’s a more complicated process than using a PS script, etc.). Instead, you’ll simulate running the OA3 tool by running a PowerShell script, which captures the device 4K HH just like the OA3 tool.
+
+Follow these steps to run the PS script:
+
+1. Open an elevated Windows PowerShell prompt and run the following commands. These commands are the same regardless of whether you are using a VM or a physical device:
+
+ ```powershell
+ md c:\HWID
+ Set-Location c:\HWID
+ Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted -Force
+ Install-Script -Name Get-WindowsAutopilotInfo -Force
+ $env:Path += ";C:\Program Files\WindowsPowerShell\Scripts"
+ Get-WindowsAutopilotInfo.ps1 -OutputFile AutopilotHWID.csv
+ ```
+
+When you are prompted to install the NuGet package, choose **Yes**.
+
+See the sample output below.
+
+
+PS C:\> md c:\HWID
+
+ Directory: C:\
+
+Mode LastWriteTime Length Name
+---- ------------- ------ ----
+d----- 3/14/2019 11:33 AM HWID
+
+PS C:\> Set-Location c:\HWID
+PS C:\HWID> Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted -Force
+PS C:\HWID> Install-Script -Name Get-WindowsAutopilotInfo -Force
+
+NuGet provider is required to continue
+PowerShellGet requires NuGet provider version '2.8.5.201' or newer to interact with NuGet-based repositories. The NuGet
+ provider must be available in 'C:\Program Files\PackageManagement\ProviderAssemblies' or
+'C:\Users\user1\AppData\Local\PackageManagement\ProviderAssemblies'. You can also install the NuGet provider by running
+ 'Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force'. Do you want PowerShellGet to install and
+import the NuGet provider now?
+[Y] Yes [N] No [S] Suspend [?] Help (default is "Y"): Y
+PS C:\HWID> $env:Path += ";C:\Program Files\WindowsPowerShell\Scripts"
+PS C:\HWID> Get-WindowsAutopilotInfo.ps1 -OutputFile AutopilotHWID.csv
+PS C:\HWID> dir
+
+ Directory: C:\HWID
+
+Mode LastWriteTime Length Name
+---- ------------- ------ ----
+-a---- 3/14/2019 11:33 AM 8184 AutopilotHWID.csv
+
+PS C:\HWID>
+
+
+Verify that there is an **AutopilotHWID.csv** file in the **c:\HWID** directory that is about 8 KB in size. This file contains the complete 4K HH.
+
+**Note**: Although the .csv extension might be associated with Microsoft Excel, you cannot view the file properly by double-clicking it. To correctly parse the comma delimiters and view the file in Excel, you must use the **Data** > **From Text/CSV** function in Excel to import the appropriate data columns. You don't need to view the file in Excel unless you are curious. The file format will be validated when it is imported into Autopilot. An example of the data in this file is shown below.
+
+
+
+You will need to upload this data into Intune to register your device for Autopilot, so it needs to be transferred to the computer you will use to access the Azure portal. If you are using a physical device instead of a VM, you can copy the file to a USB stick. If you’re using a VM, you can right-click the AutopilotHWID.csv file and copy it, then right-click and paste the file to your desktop (outside the VM).
+
+If you have trouble copying and pasting the file, just view the contents in Notepad on the VM and copy the text into Notepad outside the VM. Do not use another text editor to do this.
+
+>[!NOTE]
+>When copying and pasting to or from VMs, avoid clicking other things with your mouse cursor between the copy and paste process as this can empty or overwrite the clipboard and require that you start over. Go directly from copy to paste.
+
+## Reset the VM back to Out-Of-Box-Experience (OOBE)
+
+With the hardware ID captured in a file, prepare your Virtual Machine for Windows Autopilot deployment by resetting it back to OOBE.
+
+On the Virtual Machine, go to **Settings > Update & Security > Recovery** and click on **Get started** under **Reset this PC**.
+Select **Remove everything** and **Just remove my files**. Finally, click on **Reset**.
+
+
+
+Resetting the VM or device can take a while. Proceed to the next step (verify subscription level) during the reset process.
+
+
+
+## Verify subscription level
+
+For this lab, you need an AAD Premium subscription. You can tell if you have a Premium subscription by navigating to the [MDM enrollment configuration](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Mobility) blade. See the following example:
+
+**Azure Active Directory** > **Mobility (MDM and MAM)** > **Microsoft Intune**
+
+
+
+If the configuration blade shown above does not appear, it’s likely that you don’t have a **Premium** subscription. Auto-enrollment is a feature only available in AAD Premium.
+
+To convert your Intune trial account to a free Premium trial account, navigate to **Azure Active Directory** > **Licenses** > **All products** > **Try / Buy** and select **Free trial** for Azure AD Premium, or EMS E5.
+
+
+
+## Configure company branding
+
+If you already have company branding configured in Azure Active Directory, you can skip this step.
+
+>[!IMPORTANT]
+>Make sure to sign-in with a Global Administrator account.
+
+Navigate to [Company branding in Azure Active Directory](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/LoginTenantBranding), click on **Configure** and configure any type of company branding you'd like to see during the OOBE.
+
+
+
+When you are finished, click **Save**.
+
+>[!NOTE]
+>Changes to company branding can take up to 30 minutes to apply.
+
+## Configure Microsoft Intune auto-enrollment
+
+If you already have MDM auto-enrollment configured in Azure Active Directory, you can skip this step.
+
+Open [Mobility (MDM and MAM) in Azure Active Directory](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Mobility) and select **Microsoft Intune**. If you do not see Microsoft Intune, click **Add application** and choose **Intune**.
+
+For the purposes of this demo, select **All** under the **MDM user scope** and click **Save**.
+
+
+
+## Register your VM
+
+Your VM (or device) can be registered either via Intune or Microsoft Store for Business (MSfB). Both processes are shown here, but only pick one for purposes of this lab. We highly recommend using Intune rather than MSfB.
+
+### Autopilot registration using Intune
+
+1. In Intune in the Azure portal, choose **Device enrollment** > **Windows enrollment** > **Devices** > **Import**.
+
+ 
+
+ >[!NOTE]
+ >If menu items like **Windows enrollment** are not active for you, then look to the far-right blade in the UI. You might need to provide Intune configuration privileges in a challenge window that appeared.
+
+2. Under **Add Windows Autopilot devices** in the far right pane, browse to the **AutopilotHWID.csv** file you previously copied to your local computer. The file should contain the serial number and 4K HH of your VM (or device). It’s okay if other fields (Windows Product ID) are left blank.
+
+ 
+
+ You should receive confirmation that the file is formatted correctly before uploading it, as shown above.
+
+3. Click **Import** and wait until the import process completes. This can take up to 15 minutes.
+
+4. Click **Sync** to sync the device you just registered. Wait a few moments before refreshing to verify your VM or device has been added. See the following example.
+
+ 
+
+### Autopilot registration using MSfB
+
+>[!IMPORTANT]
+>If you've already registered your VM (or device) using Intune, then skip this step.
+
+Optional: see the following video for an overview of the process.
+
+
+
+> [!video https://www.youtube.com/embed/IpLIZU_j7Z0]
+
+First, you need a MSfB account. You can use the same one you created above for Intune, or follow [these instructions](https://docs.microsoft.com/microsoft-store/windows-store-for-business-overview) to create a new one.
+
+Next, sign in to [Microsoft Store for Business](https://businessstore.microsoft.com/en-us/store) using your test account by clicking **Sign in** in the upper-right-corner of the main page.
+
+Select **Manage** from the top menu, then click the **Windows Autopilot Deployment Program** link under the **Devices** card. See the following example:
+
+
+
+Click the **Add devices** link to upload your CSV file. A message will appear indicating your request is being processed. Wait a few moments before refreshing to see your new device has been added.
+
+
+
+## Create and assign a Windows Autopilot deployment profile
+
+>[!IMPORTANT]
+>Autopilot profiles can be created and assigned to your registered VM or device either through Intune or MSfB. Both processes are shown here, but only pick one for purposes of this lab:
+
+Pick one:
+- [Create profiles using Intune](#create-a-windows-autopilot-deployment-profile-using-intune)
+- [Create profiles using MSfB](#create-a-windows-autopilot-deployment-profile-using-msfb)
+
+### Create a Windows Autopilot deployment profile using Intune
+
+>[!NOTE]
+>Even if you registered your device in MSfB, it will still appear in Intune, though you might have to **sync** and then **refresh** your device list first:
+
+
+
+>The example above lists both a physical device and a VM. Your list should only include only one of these.
+
+To create a Windows Autopilot profile, select **Device enrollment** > **Windows enrollment** > **Deployment profiles**
+
+
+
+Click on **Create profile**.
+
+
+
+On the **Create profile** blade, use the following values:
+
+| Setting | Value |
+|---|---|
+| Name | Autopilot Lab profile |
+| Description | blank |
+| Convert all targeted devices to Autopilot | No |
+| Deployment mode | User-driven |
+| Join to Azure AD as | Azure AD joined |
+
+Click on **Out-of-box experience (OOBE)** and configure the following settings:
+
+| Setting | Value |
+|---|---|
+| EULA | Hide |
+| Privacy Settings | Hide |
+| Hide change account options | Hide |
+| User account type | Standard |
+| Apply device name template | No |
+
+See the following example:
+
+
+
+Click on **OK** and then click on **Create**.
+
+>If you want to add an app to your profile via Intune, the OPTIONAL steps for doing so can be found in [Appendix B: Adding apps to your profile](#appendix-b-adding-apps-to-your-profile).
+
+#### Assign the profile
+
+Profiles can only be assigned to Groups, so first you must create a group that contains the devices to which the profile should be applied. This guide will provide simple instructions to assign a profile, for more detailed instructions, see [Create an Autopilot device group](https://docs.microsoft.com/intune/enrollment-autopilot#create-an-autopilot-device-group) and [Assign an Autopilot deployment profile to a device group](https://docs.microsoft.com/intune/enrollment-autopilot#assign-an-autopilot-deployment-profile-to-a-device-group), as optional reading.
+
+To create a Group, open the Azure Portal and select **Azure Active Directory** > **Groups** > **All groups**:
+
+
+
+Select New group from the Groups blade to open the new groups UI. Select the “Security” group type, name the group, and select the “Assigned” membership type:
+
+Before clicking **Create**, expand the **Members** panel, click your device's serial number (it will then appear under **Selected members**) and then click **Select** to add that device to this group.
+
+
+
+Now click **Create** to finish creating the new group.
+
+Click on **All groups** and click **Refresh** to verify that your new group has been successfully created.
+
+With a group created containing your device, you can now go back and assign your profile to that group. Navigate back to the Intune page in the Azure portal (one way is to type **Intune** in the top banner search bar and select **Intune** from the results).
+
+From Intune, select **Device enrollment** > **Windows enrollment** > **Deployment Profiles** to open the profile blade. Click on the name of the profile you previously created (Autopilot Lab profile) to open the details blade for that profile:
+
+
+
+Under **Manage**, click **Assignments**, and then with the **Include** tab highlighted, expand the **Select groups** blade and click **AP Lab Group 1** (the group will appear under **Selected members**).
+
+
+
+Click **Select** and then click **Save**.
+
+
+
+It’s also possible to assign specific users to a profile, but we will not cover this scenario in the lab. For more detailed information, see [Enroll Windows devices in Intune by using Windows Autopilot](https://docs.microsoft.com/intune/enrollment-autopilot).
+
+### Create a Windows Autopilot deployment profile using MSfB
+
+If you have already created and assigned a profile via Intune by using the steps immediately above, then skip this section.
+
+A [video](https://www.youtube.com/watch?v=IpLIZU_j7Z0) is available that covers the steps required to create and assign profiles in MSfB. These steps are also summarized below.
+
+First, sign in to the [Microsoft Store for Business](https://businessstore.microsoft.com/manage/dashboard) using the Intune account you initially created for this lab.
+
+Click **Manage** from the top menu, then click **Devices** from the left navigation tree.
+
+
+
+Click the **Windows Autopilot Deployment Program** link in the **Devices** tile.
+
+To CREATE the profile:
+
+Select your device from the **Devices** list:
+
+
+
+On the Autopilot deployment dropdown menu, select **Create new profile**:
+
+
+
+Name the profile, choose your desired settings, and then click **Create**:
+
+
+
+The new profile is added to the Autopilot deployment list.
+
+To ASSIGN the profile:
+
+To assign (or reassign) the profile to a device, select the checkboxes next to the device you registered for this lab, then select the profile you want to assign from the **Autopilot deployment** dropdown menu as shown:
+
+
+
+Confirm the profile was successfully assigned to the intended device by checking the contents of the **Profile** column:
+
+
+
+>[!IMPORTANT]
+>The new profile will only be applied if the device has not been started, and gone through OOBE. Settings from a different profile can't be applied when another profile has been applied. Windows would need to be reinstalled on the device for the second profile to be applied to the device.
+
+## See Windows Autopilot in action
+
+If you shut down your VM after the last reset, it’s time to start it back up again, so it can progress through the Autopilot OOBE experience but do not attempt to start your device again until the **PROFILE STATUS** for your device in Intune has changed from **Not assigned** to **Assigning** and finally **Assigned**:
+
+
+
+Also, make sure to wait at least 30 minutes from the time you've [configured company branding](#configure-company-branding), otherwise these changes might not show up.
+
+>[!TIP]
+>If you reset your device previously after collecting the 4K HH info, and then let it restart back to the first OOBE screen, then you might need to restart the device again to ensure the device is recognized as an Autopilot device and displays the Autopilot OOBE experience you’re expecting. If you do not see the Autopilot OOBE experience, then reset the device again (Settings > Update & Security > Recovery and click on Get started. Under Reset this PC, select Remove everything and Just remove my files. Click on Reset).
+
+- Ensure your device has an internet connection.
+- Turn on the device
+- Verify that the appropriate OOBE screens (with appropriate Company Branding) appear. You should see the region selection screen, the keyboard selection screen, and the second keyboard selection screen (which you can skip).
+
+
+
+Soon after reaching the desktop, the device should show up in Intune as an **enabled** Autopilot device. Go into the Intune Azure portal, and select **Devices > All devices**, then **Refresh** the data to verify that your device has changed from disabled to enabled, and the name of the device is updated.
+
+
+
+Once you select a language and a keyboard layout, your company branded sign-in screen should appear. Provide your Azure Active Directory credentials and you're all done.
+
+Windows Autopilot will now take over to automatically join your device into Azure Active Directory and enroll it to Microsoft Intune. Use the checkpoints you've created to go through this process again with different settings.
+
+## Remove devices from Autopilot
+
+To use the device (or VM) for other purposes after completion of this lab, you will need to remove (deregister) it from Autopilot via either Intune or MSfB, and then reset it. Instructions for deregistering devices can be found [here](https://docs.microsoft.com/intune/enrollment-autopilot#create-an-autopilot-device-group) and [here](https://docs.microsoft.com/intune/devices-wipe#delete-devices-from-the-azure-active-directory-portal) and below.
+
+### Delete (deregister) Autopilot device
+
+You need to delete (or retire, or factory reset) the device from Intune before deregistering the device from Autopilot. To delete the device from Intune (not Azure Active Directory), log into your Intune Azure portal, then navigate to **Intune > Devices > All Devices**. Select the checkbox next to the device you want to delete, then click the Delete button along the top menu.
+
+
+
+Click **X** when challenged to complete the operation:
+
+
+
+This will remove the device from Intune management, and it will disappear from **Intune > Devices > All devices**. But this does not yet deregister the device from Autopilot, so the device should still appear under **Intune > Device Enrollment > Windows Enrollment > Windows Autopilot Deployment Program > Devices**.
+
+
+
+The **Intune > Devices > All Devices** list and the **Intune > Device Enrollment > Windows Enrollment > Windows Autopilot Deployment Program > Devices** list mean different things and are two completely separate datastores. The former (All devices) is the list of devices currently enrolled into Intune. Note: A device will only appear in the All devices list once it has booted. The latter (Windows Autopilot Deployment Program > Devices) is the list of devices currently registered from that Intune account into the Autopilot program - which may or may not be enrolled to Intune.
+
+To remove the device from the Autopilot program, select the device and click Delete.
+
+
+
+A warning message appears reminding you to first remove the device from Intune, which we previously did.
+
+
+
+At this point, your device has been unenrolled from Intune and also deregistered from Autopilot. After several minutes, click the **Sync** button, followed by the **Refresh** button to confirm the device is no longer listed in the Autopilot program:
+
+
+
+Once the device no longer appears, you are free to reuse it for other purposes.
+
+If you also (optionally) want to remove your device from AAD, navigate to **Azure Active Directory > Devices > All Devices**, select your device, and click the delete button:
+
+
+
+## Appendix A: Verify support for Hyper-V
+
+Starting with Windows 8, the host computer’s microprocessor must support second level address translation (SLAT) to install Hyper-V. See [Hyper-V: List of SLAT-Capable CPUs for Hosts](https://social.technet.microsoft.com/wiki/contents/articles/1401.hyper-v-list-of-slat-capable-cpus-for-hosts.aspx) for more information.
+
+To verify your computer supports SLAT, open an administrator command prompt, type **systeminfo**, press ENTER, scroll down, and review the section displayed at the bottom of the output, next to Hyper-V Requirements. See the following example:
+
+
+C:>systeminfo
+
+...
+Hyper-V Requirements: VM Monitor Mode Extensions: Yes
+ Virtualization Enabled In Firmware: Yes
+ Second Level Address Translation: Yes
+ Data Execution Prevention Available: Yes
+
+
+In this example, the computer supports SLAT and Hyper-V.
+
+>If one or more requirements are evaluated as **No** then the computer does not support installing Hyper-V. However, if only the virtualization setting is incompatible, you might be able to enable virtualization in the BIOS and change the **Virtualization Enabled In Firmware** setting from **No** to **Yes**. The location of this setting will depend on the manufacturer and BIOS version, but is typically found associated with the BIOS security settings.
+
+You can also identify Hyper-V support using [tools](https://blogs.msdn.microsoft.com/taylorb/2008/06/19/hyper-v-will-my-computer-run-hyper-v-detecting-intel-vt-and-amd-v/) provided by the processor manufacturer, the [msinfo32](https://technet.microsoft.com/library/cc731397.aspx) tool, or you can download the [coreinfo](https://technet.microsoft.com/sysinternals/cc835722) utility and run it, as shown in the following example:
+
+
+C:>coreinfo -v
+
+Coreinfo v3.31 - Dump information on system CPU and memory topology
+Copyright (C) 2008-2014 Mark Russinovich
+Sysinternals - www.sysinternals.com
+
+Intel(R) Core(TM) i7-2600 CPU @ 3.40GHz
+Intel64 Family 6 Model 42 Stepping 7, GenuineIntel
+Microcode signature: 0000001B
+HYPERVISOR - Hypervisor is present
+VMX * Supports Intel hardware-assisted virtualization
+EPT * Supports Intel extended page tables (SLAT)
+
+
+Note: A 64-bit operating system is required to run Hyper-V.
+
+## Appendix B: Adding apps to your profile
+
+### Add a Win32 app
+
+#### Prepare the app for Intune
+
+Before we can pull an application into Intune to make it part of our AP profile, we need to “package” the application for delivery using the [IntuneWinAppUtil.exe command-line tool](https://github.com/Microsoft/Intune-Win32-App-Packaging-Tool). After downloading the tool, gather the following three bits of information to use the tool:
+
+1. The source folder for your application
+2. The name of the setup executable file
+3. The output folder for the new file
+
+For the purposes of this lab, we’ll use the Notepad++ tool as our Win32 app.
+
+Download the Notepad++ msi package [here](https://www.hass.de/content/notepad-msi-package-enterprise-deployment-available) and then opy the file to a known location, such as C:\Notepad++msi.
+
+Run the IntuneWinAppUtil tool, supplying answers to the three questions, for example:
+
+
+
+After the tool finishes running, you should have an .intunewin file in the Output folder, which you can now upload into Intune using the following steps.
+
+#### Create app in Intune
+
+Log into the Azure portal and select **Intune**.
+
+Navigate to **Intune > Clients apps > Apps**, and then click the **Add** button to create a new app package.
+
+
+
+Under **App Type**, select **Windows app (Win32)**:
+
+
+
+On the **App package file** blade, browse to the **npp.7.6.3.installer.x64.intunewin** file in your output folder, open it, then click **OK**:
+
+
+
+On the **App Information Configure** blade, provide a friendly name, description, and publisher, such as:
+
+
+
+On the **Program Configuration** blade, supply the install and uninstall commands:
+
+Install: msiexec /i "npp.7.6.3.installer.x64.msi" /q
+Uninstall: msiexec /x "{F188A506-C3C6-4411-BE3A-DA5BF1EA6737}" /q
+
+NOTE: Likely, you do not have to write the install and uninstall commands yourself because the [IntuneWinAppUtil.exe command-line tool](https://github.com/Microsoft/Intune-Win32-App-Packaging-Tool) automatically generated them when it converted the .msi file into a .intunewin file.
+
+
+
+Simply using an install command like “notepad++.exe /S” will not actually install Notepad++; it will only launch the app. To actually install the program, we need to use the .msi file instead. Notepad++ doesn’t actually have an .msi version of their program, but we got an .msi version from a [third party provider](https://www.hass.de/content/notepad-msi-package-enterprise-deployment-available).
+
+Click **OK** to save your input and activate the **Requirements** blade.
+
+On the **Requirements Configuration** blade, specify the **OS architecture** and the **Minimum OS version**:
+
+
+
+Next, configure the **Detection rules**. For our purposes, we will select manual format:
+
+
+
+Click **Add** to define the rule properties. For **Rule type**, select **MSI**, which will automatically import the right MSI product code into the rule:
+
+
+
+Click **OK** twice to save, as you back out to the main **Add app** blade again for the final configuration.
+
+**Return codes**: For our purposes, leave the return codes at their default values:
+
+
+
+Click **OK** to exit.
+
+You may skip configuring the final **Scope (Tags)** blade.
+
+Click the **Add** button to finalize and save your app package.
+
+Once the indicator message says the addition has completed.
+
+
+
+You will be able to find your app in your app list:
+
+
+
+#### Assign the app to your Intune profile
+
+**NOTE**: The following steps only work if you previously [created a GROUP in Intune and assigned a profile to it](#assign-the-profile). If you have not done that, please return to the main part of the lab and complete those steps before returning here.
+
+In the **Intune > Client Apps > Apps** pane, select the app package you already created to reveal its properties blade. Then click **Assignments** from the menu:
+
+
+
+Select **Add Group** to open the **Add group** pane that is related to the app.
+
+For our purposes, select *8Required** from the **Assignment type** dropdown menu:
+
+>**Available for enrolled devices** means users install the app from the Company Portal app or Company Portal website.
+
+Select **Included Groups** and assign the groups you previously created that will use this app:
+
+
+
+
+
+In the **Select groups** pane, click the **Select** button.
+
+In the **Assign group** pane, select **OK**.
+
+In the **Add group** pane, select **OK**.
+
+In the app **Assignments** pane, select **Save**.
+
+
+
+At this point, you have completed steps to add a Win32 app to Intune.
+
+For more information on adding adds to Intune, see [Intune Standalone - Win32 app management](https://docs.microsoft.com/intune/apps-win32-app-management).
+
+### Add Office 365
+
+#### Create app in Intune
+
+Log into the Azure portal and select **Intune**.
+
+Navigate to **Intune > Clients apps > Apps**, and then click the **Add** button to create a new app package.
+
+
+
+Under **App Type**, select **Office 365 Suite > Windows 10**:
+
+
+
+Under the **Configure App Suite** pane, select the Office apps you want to install. For the purposes of this labe we have only selected Excel:
+
+
+
+Click **OK**.
+
+In the **App Suite Information** pane, enter a unique suite name, and a suitable description.
+
+>Enter the name of the app suite as it is displayed in the company portal. Make sure that all suite names that you use are unique. If the same app suite name exists twice, only one of the apps is displayed to users in the company portal.
+
+
+
+Click **OK**.
+
+In the **App Suite Settings** pane, select **Monthly** for the **Update channel** (any selection would be fine for the purposes of this lab). Also select **Yes** for **Automatically accept the app end user license agreement**:
+
+
+
+Click **OK** and then click **Add**.
+
+#### Assign the app to your Intune profile
+
+**NOTE**: The following steps only work if you previously [created a GROUP in Intune and assigned a profile to it](#assign-the-profile). If you have not done that, please return to the main part of the lab and complete those steps before returning here.
+
+In the **Intune > Client Apps > Apps** pane, select the Office package you already created to reveal its properties blade. Then click **Assignments** from the menu:
+
+
+
+Select **Add Group** to open the **Add group** pane that is related to the app.
+
+For our purposes, select **Required** from the **Assignment type** dropdown menu:
+
+>**Available for enrolled devices** means users install the app from the Company Portal app or Company Portal website.
+
+Select **Included Groups** and assign the groups you previously created that will use this app:
+
+
+
+
+
+In the **Select groups** pane, click the **Select** button.
+
+In the **Assign group** pane, select **OK**.
+
+In the **Add group** pane, select **OK**.
+
+In the app **Assignments** pane, select **Save**.
+
+
+
+At this point, you have completed steps to add Office to Intune.
+
+For more information on adding Office apps to Intune, see [Assign Office 365 apps to Windows 10 devices with Microsoft Intune](https://docs.microsoft.com/intune/apps-add-office365).
+
+If you installed both the win32 app (Notepad++) and Office (just Excel) per the instructions in this lab, your VM will show them in the apps list, although it could take several minutes to populate:
+
+
+
+## Glossary
+
+
+
diff --git a/windows/deployment/windows-autopilot/enrollment-status.md b/windows/deployment/windows-autopilot/enrollment-status.md
index 6c5c118bec..11a393eada 100644
--- a/windows/deployment/windows-autopilot/enrollment-status.md
+++ b/windows/deployment/windows-autopilot/enrollment-status.md
@@ -1,39 +1,39 @@
----
-title: Windows Autopilot Enrollment Status Page
-ms.reviewer:
-manager: laurawi
-description: Gives an overview of the Enrollment Status Page capabilities, configuration
-keywords: Autopilot Plug and Forget, Windows 10
-ms.prod: w10
-ms.technology: Windows
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: deploy
-ms.localizationpriority: medium
-audience: itpro
author: greg-lindsay
-ms.author: greglin
-ms.collection: M365-modern-desktop
-ms.topic: article
----
-
-
-# Windows Autopilot Enrollment Status Page
-
-**Applies to**
-
-- Windows 10, version 1803 and later
-
-The Enrollment Status Page (ESP) displays the status of the complete device configuration process when an MDM managed user signs into a device for the very first time. The ESP will help users understand the progress of device provisioning and ensures the device has met the organizations desired state before the user can access the desktop for the first time.
-
-The ESP will track the installation of applications, security policies, certificates and network connections. Within Intune, an administrator can deploy ESP profiles to a licensed Intune user and configure specific settings within the ESP profile; a few of these settings are: force the installation of specified applications, allow users to collect troubleshooting logs, specify what a user can do if device setup fails. For more information, see how to set up the [Enrollment Status Page in Intune](https://docs.microsoft.com/intune/windows-enrollment-status).
-
- 
-
-
-## More information
-
-For more information on configuring the Enrollment Status Page, see the [Microsoft Intune documentation](https://docs.microsoft.com/intune/windows-enrollment-status).OEM Original Equipment Manufacturer CSV Comma Separated Values MPC Microsoft Partner Center CSP Cloud Solution Provider MSfB Microsoft Store for Business AAD Azure Active Directory 4K HH 4K Hardware Hash CBR Computer Build Report EC Enterprise Commerce (server) DDS Device Directory Service OOBE Out of the Box Experience VM Virtual Machine
-For details about the underlying implementation, see the [FirstSyncStatus details in the DMClient CSP documentation](https://docs.microsoft.com/windows/client-management/mdm/dmclient-csp).
-For more information about blocking for app installation:
-- [Blocking for app installation using Enrollment Status Page](https://blogs.technet.microsoft.com/mniehaus/2018/12/06/blocking-for-app-installation-using-enrollment-status-page/).
-- [Support Tip: Office C2R installation is now tracked during ESP](https://techcommunity.microsoft.com/t5/Intune-Customer-Success/Support-Tip-Office-C2R-installation-is-now-tracked-during-ESP/ba-p/295514).
+---
+title: Windows Autopilot Enrollment Status Page
+ms.reviewer:
+manager: laurawi
+description: Gives an overview of the Enrollment Status Page capabilities, configuration
+keywords: Autopilot Plug and Forget, Windows 10
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: deploy
+ms.localizationpriority: medium
+audience: itpro
+author: greg-lindsay
+ms.author: greglin
+ms.collection: M365-modern-desktop
+ms.topic: article
+---
+
+
+# Windows Autopilot Enrollment Status Page
+
+**Applies to**
+
+- Windows 10, version 1803 and later
+
+The Enrollment Status Page (ESP) displays the status of the complete device configuration process when an MDM managed user signs into a device for the very first time. The ESP will help users understand the progress of device provisioning and ensures the device has met the organizations desired state before the user can access the desktop for the first time.
+
+The ESP will track the installation of applications, security policies, certificates and network connections. Within Intune, an administrator can deploy ESP profiles to a licensed Intune user and configure specific settings within the ESP profile; a few of these settings are: force the installation of specified applications, allow users to collect troubleshooting logs, specify what a user can do if device setup fails. For more information, see how to set up the [Enrollment Status Page in Intune](https://docs.microsoft.com/intune/windows-enrollment-status).
+
+ 
+
+
+## More information
+
+For more information on configuring the Enrollment Status Page, see the [Microsoft Intune documentation](https://docs.microsoft.com/intune/windows-enrollment-status).
+For details about the underlying implementation, see the [FirstSyncStatus details in the DMClient CSP documentation](https://docs.microsoft.com/windows/client-management/mdm/dmclient-csp).
+For more information about blocking for app installation:
+- [Blocking for app installation using Enrollment Status Page](https://blogs.technet.microsoft.com/mniehaus/2018/12/06/blocking-for-app-installation-using-enrollment-status-page/).
+- [Support Tip: Office C2R installation is now tracked during ESP](https://techcommunity.microsoft.com/t5/Intune-Customer-Success/Support-Tip-Office-C2R-installation-is-now-tracked-during-ESP/ba-p/295514).
diff --git a/windows/deployment/windows-autopilot/existing-devices.md b/windows/deployment/windows-autopilot/existing-devices.md
index f514184445..0e14ae0b89 100644
--- a/windows/deployment/windows-autopilot/existing-devices.md
+++ b/windows/deployment/windows-autopilot/existing-devices.md
@@ -55,7 +55,7 @@ See the following examples.
### Create the JSON file
>[!TIP]
->To run the following commands on a computer running Windows Server 2012/2012 R2 or Windows 7/8.1, you must first download and install the [Windows Management Framework](https://www.microsoft.com/en-us/download/details.aspx?id=54616).
+>To run the following commands on a computer running Windows Server 2012/2012 R2 or Windows 7/8.1, you must first download and install the [Windows Management Framework](https://www.microsoft.com/download/details.aspx?id=54616).
1. On an Internet connected Windows PC or Server open an elevated Windows PowerShell command window
2. Enter the following lines to install the necessary modules
diff --git a/windows/deployment/windows-autopilot/index.md b/windows/deployment/windows-autopilot/index.md
index 61d676afdc..efeffc2e04 100644
--- a/windows/deployment/windows-autopilot/index.md
+++ b/windows/deployment/windows-autopilot/index.md
@@ -1,76 +1,77 @@
----
-title: Windows Autopilot deployment
-description: Windows Autopilot deployment
-keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
-ms.reviewer: mniehaus
-manager: laurawi
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: medium
-ms.sitesec: library
-ms.pagetype: deploy
-audience: itpro
author: greg-lindsay
-ms.author: greglin
-ms.collection: M365-modern-desktop
-ms.topic: article
----
-
-
-# Windows Autopilot deployment
-
-**Applies to**
-
-- Windows 10
-
-Windows Autopilot is a zero-touch, self-service Windows deployment platform introduced with Windows 10, version 1703. The Windows Autopilot process runs immediately after powering on a new computer for the first time, enabling employees to configure new devices to be business-ready with just a few clicks.
-
-This guide is intended for use by an IT-specialist, system architect, or business decision maker. The guide provides information about how Windows Autopilot deployment works, including detailed requirements, deployment scenarios, and platform capabilities. The document highlights options that are available to you when planning a modern, cloud-joined Windows 10 deployment strategy. Links are provided to detailed step by step configuration procedures.
-
-## In this guide
-
-
-
-
-### Understanding Windows Autopilot
-
-What's new Windows Autopilot is always being updated with new features! Check this topic to read about the latests capabilities.
-
-
-
-### Deployment scenarios
-
-Overview of Windows Autopilot A review of Windows Autopilot is provided with a video walkthrough. Benefits and general requirements are discussed.
- Requirements Detailed software, network, licensiing, and configuration requirments are provided.
- Scenarios and Capabilities A summary of Windows Autopilot deployment scenarios and capabilities.
- Get started Interested in trying out Autopilot? See this step-by-step walkthrough to test Windows Autopilot on a virtual machine or physical device with a free 30-day trial premium Intune account.
-
-
-
-### Using Windows Autopilot
-
-User-driven mode Requirements and validation steps for deploying a new Azure Active Directory (AAD) joined or hybrid AAD-joined Windows 10 device are provided.
- Self-deploying mode Requirements and validation steps for deploying a new Windows 10 device with little to no user interaction are provided.
- Windows Autopilot Reset Using Windows Autopilot Reset, a device can be restored to its original settings, taking it back to a business-ready state. Both local and remote reset scenarios are discussed.
- Windows Autopilot for white glove deployment Requirements and procedures are described that enable additional policies and apps to be delivered to a Windows Autopilot device.
- Support for existing devices This topic describes how Windows Autopilot can be used to convert Windows 7 or Windows 8.1 domain-joined computers to AAD-joined computers running Windows 10.
-
-
-
-### Support topics
-
-Registering devices The process of registering a device with the Windows Autopilot deployment service is described.
- Configuring device profiles The device profile settings that specifie its behavior when it is deployed are described.
- Enrollment status page Settings that are available on the Enrollment Status Page are described.
- Bitlocker encryption Available options for configuring BitLocker on Windows Autopilot devices are described.
- Troubleshooting Windows Autopilot Diagnotic event information and troubleshooting procedures are provided.
- Known issues A list of current known issues and solutions is provided.
-
-
-
-## Related topics
-
-[Windows Autopilot](https://www.microsoft.com/windowsforbusiness/windows-autopilot)
+---
+title: Windows Autopilot deployment
+description: Windows Autopilot deployment
+keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
+ms.reviewer: mniehaus
+manager: laurawi
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: medium
+ms.sitesec: library
+ms.pagetype: deploy
+audience: itpro
+author: greg-lindsay
+ms.author: greglin
+ms.collection: M365-modern-desktop
+ms.topic: article
+---
+
+
+# Windows Autopilot deployment
+
+**Applies to**
+
+- Windows 10
+
+Windows Autopilot is a zero-touch, self-service Windows deployment platform introduced with Windows 10, version 1703. The Windows Autopilot process runs immediately after powering on a new computer for the first time, enabling employees to configure new devices to be business-ready with just a few clicks.
+
+This guide is intended for use by an IT-specialist, system architect, or business decision maker. The guide provides information about how Windows Autopilot deployment works, including detailed requirements, deployment scenarios, and platform capabilities. The document highlights options that are available to you when planning a modern, cloud-joined Windows 10 deployment strategy. Links are provided to detailed step by step configuration procedures.
+
+## In this guide
+
+FAQ Frequently asked questions on several topics are provided.
- Support contacts Support information is provided.
- Registration authorization This article discusses how a CSP partner or OEM can obtain customer authorization to register Windows Autopilot devices.
- Motherboard replacement Information about how to deal with Autopilot registration and device repair issues is provided.
-
+
+
+### Understanding Windows Autopilot
+
+What's new Windows Autopilot is always being updated with new features! Check this topic to read about the latests capabilities.
+
+
+
+### Deployment scenarios
+
+Overview of Windows Autopilot A review of Windows Autopilot is provided with a video walkthrough. Benefits and general requirements are discussed.
+ Requirements Detailed software, network, licensiing, and configuration requirments are provided.
+ Scenarios and Capabilities A summary of Windows Autopilot deployment scenarios and capabilities.
+ Get started Interested in trying out Autopilot? See this step-by-step walkthrough to test Windows Autopilot on a virtual machine or physical device with a free 30-day trial premium Intune account.
+
+
+
+### Using Windows Autopilot
+
+User-driven mode Requirements and validation steps for deploying a new Azure Active Directory (AAD) joined or hybrid AAD-joined Windows 10 device are provided.
+ Self-deploying mode Requirements and validation steps for deploying a new Windows 10 device with little to no user interaction are provided.
+ Windows Autopilot Reset Using Windows Autopilot Reset, a device can be restored to its original settings, taking it back to a business-ready state. Both local and remote reset scenarios are discussed.
+ Windows Autopilot for white glove deployment Requirements and procedures are described that enable additional policies and apps to be delivered to a Windows Autopilot device.
+ Support for existing devices This topic describes how Windows Autopilot can be used to convert Windows 7 or Windows 8.1 domain-joined computers to AAD-joined computers running Windows 10.
+
+
+
+### Support topics
+
+Registering devices The process of registering a device with the Windows Autopilot deployment service is described.
+ Configuring device profiles The device profile settings that specifie its behavior when it is deployed are described.
+ Enrollment status page Settings that are available on the Enrollment Status Page are described.
+ BitLocker encryption Available options for configuring BitLocker on Windows Autopilot devices are described.
+ Troubleshooting Windows Autopilot Diagnotic event information and troubleshooting procedures are provided.
+ Known issues A list of current known issues and solutions is provided.
+
+
+
+## Related topics
+
+[Windows Autopilot](https://www.microsoft.com/windowsforbusiness/windows-autopilot)
diff --git a/windows/deployment/windows-autopilot/known-issues.md b/windows/deployment/windows-autopilot/known-issues.md
index d1f538dd46..9ba16cd6f9 100644
--- a/windows/deployment/windows-autopilot/known-issues.md
+++ b/windows/deployment/windows-autopilot/known-issues.md
@@ -1,46 +1,62 @@
----
-title: Windows Autopilot known issues
-ms.reviewer:
-manager: laurawi
-description: Windows Autopilot deployment
-keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: medium
-ms.sitesec: library
-ms.pagetype: deploy
-audience: itpro
author: greg-lindsay
-ms.author: greglin
-ms.collection: M365-modern-desktop
-ms.topic: article
----
-
-
-# Windows Autopilot - known issues
-
-**Applies to**
-
-- Windows 10
-
-FAQ Frequently asked questions on several topics are provided.
+ Support contacts Support information is provided.
+ Registration authorization This article discusses how a CSP partner or OEM can obtain customer authorization to register Windows Autopilot devices.
+ Motherboard replacement Information about how to deal with Autopilot registration and device repair issues is provided.
+
-
-
-## Related topics
-
-[Diagnose MDM failures in Windows 10](https://docs.microsoft.com/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10)Issue More information
- The following known issues are resolved by installing the July 26, 2019 KB4505903 update (OS Build 18362.267):
-
-- Windows Autopilot white glove does not work for a non-English OS and you see a red screen that says "Success."
-- Windows Autopilot reports an AUTOPILOTUPDATE error during OOBE after sysprep, reset or other variations. This typically happens if you reset the OS or used a custom sysprepped image.
-- BitLocker encryption is not correctly configured. Ex: BitLocker didn’t get an expected notification after policies were applied to begin encryption.
-- You are unable to install UWP apps from the Microsoft Store, causing failures during Windows Autopilot. If you are deploying Company Portal as a blocking app during Windows Autopilot ESP, you’ve probably seen this error.
-- A user is not granted administrator rights in the Windows Autopilot user-driven Hybrid Azure AD join scenario. This is another non-English OS issue.
- Download and install the KB4505903 update.
See the section: How to get this update for information on specific release channels you can use to obtain the update.
-White glove gives a red screen and the Microsoft-Windows-User Device Registration/Admin event log displays HResult error code 0x801C03F3 This can happen if Azure AD can’t find an AAD device object for the device that you are trying to deploy. This will occur if you manually delete the object. To fix it, remove the device from AAD, Intune, and Autopilot, then re-register it with Autopilot, which will recreate the AAD device object.
-
To obtain troubleshooting logs use: Mdmdiagnosticstool.exe -area Autopilot;TPM -cab c:\autopilot.cab
-White glove gives a red screen White glove is not supported on a VM.
- Error importing Windows Autopilot devices from a .csv file Ensure that you have not edited the .csv file in Microsoft Excel or an editor other than Notepad. Some of these editors can introduce extra characters causing the file format to be invalid.
- Windows Autopilot for existing devices does not follow the Autopilot OOBE experience. Ensure that the JSON profile file is saved in ANSI/ASCII format, not Unicode or UTF-8.
- Something went wrong is displayed page during OOBE. The client is likely unable to access all the required AAD/MSA-related URLs. For more information, see Networking requirements.
-
-[Troubleshooting Windows Autopilot](troubleshooting.md)
+---
+title: Windows Autopilot known issues
+ms.reviewer:
+manager: laurawi
+description: Windows Autopilot deployment
+keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: medium
+ms.sitesec: library
+ms.pagetype: deploy
+audience: itpro
+author: greg-lindsay
+ms.author: greglin
+ms.collection: M365-modern-desktop
+ms.topic: article
+---
+
+
+# Windows Autopilot - known issues
+
+**Applies to**
+
+- Windows 10
+
+
+
+
+## Related topics
+
+[Diagnose MDM failures in Windows 10](https://docs.microsoft.com/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10)Issue More information
+ The following known issue will be resolved by installing the KB4517211 update, due to be released in late September 2019:
+
+- TPM attestation fails on Windows 10 1903 due to missing AKI extension in EK certificate. (An additional validation added in Windows 10 1903 to check that the TPM EK certs had the proper attributes according to the TCG specifications uncovered that a number of them don’t, so that validation will be removed).
+ Download and install the KB4517211 update.
This update is currently pending release.
+The following known issues are resolved by installing the August 30, 2019 KB4512941 update (OS Build 18362.329):
+
+- Windows Autopilot for existing devices feature does not properly suppress “Activities” page during OOBE. (Because of this, you’ll see that extra page during OOBE).
+- TPM attestation state is not cleared by sysprep /generalize, causing TPM attestation failure during later OOBE flow. (This isn’t a particularly common issue, but you could run into it while testing if you are running sysprep /generalize and then rebooting or reimaging the device to go back through an Autopilot white glove or self-deploying scenario).
+- TPM attestation may fail if the device has a valid AIK cert but no EK cert. (This is related to the previous item).
+- If TPM attestation fails during the Windows Autopilot white glove process, the landing page appears to be hung. (Basically, the white glove landing page, where you click “Provision” to start the white glove process, isn’t reporting errors properly).
+- TPM attestation fails on newer Infineon TPMs (firmware version > 7.69). (Prior to this fix, only a specific list of firmware versions was accepted).
+- Device naming templates may truncate the computer name at 14 characters instead of 15.
+- Assigned Access policies cause a reboot which can interfere with the configuration of single-app kiosk devices.
+ Download and install the KB4512941 update.
See the section: How to get this update for information on specific release channels you can use to obtain the update.
+The following known issues are resolved by installing the July 26, 2019 KB4505903 update (OS Build 18362.267):
+
+- Windows Autopilot white glove does not work for a non-English OS and you see a red screen that says "Success."
+- Windows Autopilot reports an AUTOPILOTUPDATE error during OOBE after sysprep, reset or other variations. This typically happens if you reset the OS or used a custom sysprepped image.
+- BitLocker encryption is not correctly configured. Ex: BitLocker didn’t get an expected notification after policies were applied to begin encryption.
+- You are unable to install UWP apps from the Microsoft Store, causing failures during Windows Autopilot. If you are deploying Company Portal as a blocking app during Windows Autopilot ESP, you’ve probably seen this error.
+- A user is not granted administrator rights in the Windows Autopilot user-driven Hybrid Azure AD join scenario. This is another non-English OS issue.
+ Download and install the KB4505903 update.
See the section: How to get this update for information on specific release channels you can use to obtain the update.
+
+White glove gives a red screen and the Microsoft-Windows-User Device Registration/Admin event log displays HResult error code 0x801C03F3 This can happen if Azure AD can’t find an AAD device object for the device that you are trying to deploy. This will occur if you manually delete the object. To fix it, remove the device from AAD, Intune, and Autopilot, then re-register it with Autopilot, which will recreate the AAD device object.
+
To obtain troubleshooting logs use: Mdmdiagnosticstool.exe -area Autopilot;TPM -cab c:\autopilot.cab
+White glove gives a red screen White glove is not supported on a VM.
+ Error importing Windows Autopilot devices from a .csv file Ensure that you have not edited the .csv file in Microsoft Excel or an editor other than Notepad. Some of these editors can introduce extra characters causing the file format to be invalid.
+ Windows Autopilot for existing devices does not follow the Autopilot OOBE experience. Ensure that the JSON profile file is saved in ANSI/ASCII format, not Unicode or UTF-8.
+ Something went wrong is displayed page during OOBE. The client is likely unable to access all the required AAD/MSA-related URLs. For more information, see Networking requirements.
+
+[Troubleshooting Windows Autopilot](troubleshooting.md)
diff --git a/windows/deployment/windows-autopilot/self-deploying.md b/windows/deployment/windows-autopilot/self-deploying.md
index 34ca5dcbde..939b4ac431 100644
--- a/windows/deployment/windows-autopilot/self-deploying.md
+++ b/windows/deployment/windows-autopilot/self-deploying.md
@@ -1,73 +1,74 @@
----
-title: Windows Autopilot Self-Deploying mode
-description: Windows Autopilot deployment
-keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
-ms.reviewer: mniehaus
-manager: laurawi
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: medium
-ms.sitesec: library
-ms.pagetype: deploy
-audience: itpro
author: greg-lindsay
-ms.author: greglin
-ms.collection: M365-modern-desktop
-ms.topic: article
----
-
-# Windows Autopilot Self-Deploying mode
-
-**Applies to: Windows 10, version 1903 or later**
-
-Windows Autopilot self-deploying mode enables a device to be deployed with little to no user interaction. For devices with an Ethernet connection, no user interaction is required; for devices connected via Wi-fi, no interaction is required after making the Wi-fi connection (choosing the language, locale, and keyboard, then making a network connection).
-
-Self-deploying mode joins the device into Azure Active Directory, enrolls the device in Intune (or another MDM service) leveraging Azure AD for automatic MDM enrollment, and ensures that all policies, applications, certificates, and networking profiles are provisioned on the device, leveraging the enrollment status page to prevent access to the desktop until the device is fully provisioned.
-
->[!NOTE]
->Self-deploying mode does not support Active Directory Join or Hybrid Azure AD Join. All devices will be joined to Azure Active Directory.
-
-Self-deploying mode is designed to deploy Windows 10 as a kiosk, digital signage device, or a shared device. When setting up a kiosk, you can leverage the new Kiosk Browser, an app built on Microsoft Edge that can be used to create a tailored, MDM-managed browsing experience. When combined with MDM policies to create a local account and configure it to automatically log on, the complete configuration of the device can be automated. Find out more about these options by reading simplifying kiosk management for IT with Windows 10. See [Set up a kiosk or digital sign in Intune or other MDM service](https://docs.microsoft.com/windows/configuration/setup-kiosk-digital-signage#set-up-a-kiosk-or-digital-sign-in-intune-or-other-mdm-service) for additional details.
-
->[!NOTE]
->Self-deploying mode does not presently associate a user with the device (since no user ID or password is specified as part of the process). As a result, some Azure AD and Intune capabilities (such as BitLocker recovery, installation of apps from the Company Portal, or Conditional Access) may not be available to a user that signs into the device.
-
-
-
-## Requirements
-
-Because self-deploying mode uses a device’s TPM 2.0 hardware to authenticate the device into an organization’s Azure AD tenant, devices without TPM 2.0 cannot be used with this mode. The devices must also support TPM device attestation. (All newly-manufactured Windows devices should meet these requirements.)
-
->[!IMPORTANT]
->If you attempt a self-deploying mode deployment on a device that does not have support TPM 2.0 or on a virtual machine, the process will fail when verifying the device with an 0x800705B4 timeout error (Hyper-V virtual TPMs are not supported).. Also note that Window 10, version 1903 or later is required to use self-deploying mode due to issues with TPM device attestation in Windows 10, version 1809. Since Windows 10 Enterprise 2019 LTSC is based on Windows 10 version 1809, self-deploying mode is also not supported on Windows 10 Enterprise 2019 LTSC.
-
-In order to display an organization-specific logo and organization name during the Autopilot process, Azure Active Directory Company Branding needs to be configured with the images and text that should be displayed. See [Quickstart: Add company branding to your sign-in page in Azure AD](https://docs.microsoft.com/azure/active-directory/fundamentals/customize-branding) for more details.
-
-## Step by step
-
-In order to perform a self-deploying mode deployment using Windows Autopilot, the following preparation steps need to be completed:
-
-- Create an Autopilot profile for self-deploying mode with the desired settings. In Microsoft Intune, this mode is explicitly chosen when creating the profile. (Note that it is not possible to create a profile in the Microsoft Store for Business or Partner Center for self-deploying mode.)
-- If using Intune, create a device group in Azure Active Directory and assign the Autopilot profile to that group. Ensure that the profile has been assigned to the device before attempting to deploy that device.
-- Boot the device, connecting it to Wi-fi if required, then wait for the provisioning process to complete.
-
-## Validation
-
-When performing a self-deploying mode deployment using Windows Autopilot, the following end-user experience should be observed:
-
-- Once connected to a network, the Autopilot profile will be downloaded.
-- If the Autopilot profile has been configured to automatically configure the language, locale, and keyboard layout, these OOBE screens should be skipped as long as Ethernet connectivity is available. Otherwise, manual steps are required:
- - If multiple languages are preinstalled in Windows 10, the user must pick a language.
- - The user must pick a locale and a keyboard layout, and optionally a second keyboard layout.
-- If connected via Ethernet, no network prompt is expected. If no Ethernet connection is available and Wi-fi is built in, the user needs to connect to a wireless network.
-- Windows 10 will check for critical OOBE updates, and if any are available they will be automatically installed (rebooting if required).
-- The device will join Azure Active Directory.
-- After joining Azure Active Directory, the device will enroll in Intune (or other configured MDM services).
-- The [enrollment status page](enrollment-status.md) will be displayed.
-- Depending on the device settings deployed, the device will either:
- - Remain at the logon screen, where any member of the organization can log on by specifying their Azure AD credentials.
- - Automatically sign in as a local account, for devices configured as a kiosk or digital signage.
-
->[!NOTE]
->Deploying EAS policies using self-deploying mode for kiosk deployments will cause auto-logon functionality to fail.
-
-In case the observed results do not match these expectations, consult the [Windows Autopilot Troubleshooting](troubleshooting.md) documentation.
+---
+title: Windows Autopilot Self-Deploying mode
+description: Windows Autopilot deployment
+keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
+ms.reviewer: mniehaus
+manager: laurawi
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: medium
+ms.sitesec: library
+ms.pagetype: deploy
+audience: itpro
+author: greg-lindsay
+ms.author: greglin
+ms.collection: M365-modern-desktop
+ms.topic: article
+---
+
+# Windows Autopilot Self-Deploying mode
+
+**Applies to: Windows 10, version 1903 or later**
+
+Windows Autopilot self-deploying mode enables a device to be deployed with little to no user interaction. For devices with an Ethernet connection, no user interaction is required; for devices connected via Wi-fi, no interaction is required after making the Wi-fi connection (choosing the language, locale, and keyboard, then making a network connection).
+
+Self-deploying mode joins the device into Azure Active Directory, enrolls the device in Intune (or another MDM service) leveraging Azure AD for automatic MDM enrollment, and ensures that all policies, applications, certificates, and networking profiles are provisioned on the device, leveraging the enrollment status page to prevent access to the desktop until the device is fully provisioned.
+
+>[!NOTE]
+>Self-deploying mode does not support Active Directory Join or Hybrid Azure AD Join. All devices will be joined to Azure Active Directory.
+
+Self-deploying mode is designed to deploy Windows 10 as a kiosk, digital signage device, or a shared device. When setting up a kiosk, you can leverage the new Kiosk Browser, an app built on Microsoft Edge that can be used to create a tailored, MDM-managed browsing experience. When combined with MDM policies to create a local account and configure it to automatically log on, the complete configuration of the device can be automated. Find out more about these options by reading simplifying kiosk management for IT with Windows 10. See [Set up a kiosk or digital sign in Intune or other MDM service](https://docs.microsoft.com/windows/configuration/setup-kiosk-digital-signage#set-up-a-kiosk-or-digital-sign-in-intune-or-other-mdm-service) for additional details.
+
+>[!NOTE]
+>Self-deploying mode does not presently associate a user with the device (since no user ID or password is specified as part of the process). As a result, some Azure AD and Intune capabilities (such as BitLocker recovery, installation of apps from the Company Portal, or Conditional Access) may not be available to a user that signs into the device. For more information see [Windows Autopilot scenarios and capabilities](windows-autopilot-scenarios.md) and [Setting the BitLocker encryption algorithm for Autopilot devices](bitlocker.md).
+
+
+
+## Requirements
+
+Because self-deploying mode uses a device’s TPM 2.0 hardware to authenticate the device into an organization’s Azure AD tenant, devices without TPM 2.0 cannot be used with this mode. The devices must also support TPM device attestation. (All newly-manufactured Windows devices should meet these requirements.)
+
+>[!IMPORTANT]
+>If you attempt a self-deploying mode deployment on a device that does not have support TPM 2.0 or on a virtual machine, the process will fail when verifying the device with an 0x800705B4 timeout error (Hyper-V virtual TPMs are not supported).. Also note that Window 10, version 1903 or later is required to use self-deploying mode due to issues with TPM device attestation in Windows 10, version 1809. Since Windows 10 Enterprise 2019 LTSC is based on Windows 10 version 1809, self-deploying mode is also not supported on Windows 10 Enterprise 2019 LTSC.
+
+In order to display an organization-specific logo and organization name during the Autopilot process, Azure Active Directory Company Branding needs to be configured with the images and text that should be displayed. See [Quickstart: Add company branding to your sign-in page in Azure AD](https://docs.microsoft.com/azure/active-directory/fundamentals/customize-branding) for more details.
+
+## Step by step
+
+In order to perform a self-deploying mode deployment using Windows Autopilot, the following preparation steps need to be completed:
+
+- Create an Autopilot profile for self-deploying mode with the desired settings. In Microsoft Intune, this mode is explicitly chosen when creating the profile. (Note that it is not possible to create a profile in the Microsoft Store for Business or Partner Center for self-deploying mode.)
+- If using Intune, create a device group in Azure Active Directory and assign the Autopilot profile to that group. Ensure that the profile has been assigned to the device before attempting to deploy that device.
+- Boot the device, connecting it to Wi-fi if required, then wait for the provisioning process to complete.
+
+## Validation
+
+When performing a self-deploying mode deployment using Windows Autopilot, the following end-user experience should be observed:
+
+- Once connected to a network, the Autopilot profile will be downloaded.
+- If the Autopilot profile has been configured to automatically configure the language, locale, and keyboard layout, these OOBE screens should be skipped as long as Ethernet connectivity is available. Otherwise, manual steps are required:
+ - If multiple languages are preinstalled in Windows 10, the user must pick a language.
+ - The user must pick a locale and a keyboard layout, and optionally a second keyboard layout.
+- If connected via Ethernet, no network prompt is expected. If no Ethernet connection is available and Wi-fi is built in, the user needs to connect to a wireless network.
+- Windows 10 will check for critical OOBE updates, and if any are available they will be automatically installed (rebooting if required).
+- The device will join Azure Active Directory.
+- After joining Azure Active Directory, the device will enroll in Intune (or other configured MDM services).
+- The [enrollment status page](enrollment-status.md) will be displayed.
+- Depending on the device settings deployed, the device will either:
+ - Remain at the logon screen, where any member of the organization can log on by specifying their Azure AD credentials.
+ - Automatically sign in as a local account, for devices configured as a kiosk or digital signage.
+
+>[!NOTE]
+>Deploying EAS policies using self-deploying mode for kiosk deployments will cause auto-logon functionality to fail.
+
+In case the observed results do not match these expectations, consult the [Windows Autopilot Troubleshooting](troubleshooting.md) documentation.
diff --git a/windows/deployment/windows-autopilot/white-glove.md b/windows/deployment/windows-autopilot/white-glove.md
index 9862d47c2b..b5cc63019b 100644
--- a/windows/deployment/windows-autopilot/white-glove.md
+++ b/windows/deployment/windows-autopilot/white-glove.md
@@ -1,114 +1,116 @@
----
-title: Windows Autopilot for white glove deployment
-description: Windows Autopilot for white glove deployment
-keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune, pre-provisioning
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: low
-ms.sitesec: library
-ms.pagetype: deploy
-audience: itpro
author: greg-lindsay
-manager: laurawi
-ms.audience: itpro
author: greg-lindsay
-ms.collection: M365-modern-desktop
-ms.topic: article
----
-
-# Windows Autopilot for white glove deployment
-
-**Applies to: Windows 10, version 1903**
-
-Windows Autopilot enables organizations to easily provision new devices - leveraging the preinstalled OEM image and drivers with a simple process that can be performed by the end user to help get their device business-ready.
-
- 
-
-Windows Autopilot can also provide a white glove service that enables partners or IT staff to pre-provision a Windows 10 PC so that it is fully configured and business-ready. From the end user’s perspective, the Windows Autopilot user-driven experience is unchanged, but getting their device to a fully provisioned state is faster.
-
-With **Windows Autopilot for white glove deployment**, the provisioning process is split. The time-consuming portions are performed by IT, partners, or OEMs. The end user simply completes a few necessary settings and polices and then they can begin using their device.
-
- 
-
-Enabled with Microsoft Intune in Windows 10, version 1903 and later, white glove deployment capabilities build on top of existing Windows Autopilot [user-driven scenarios](user-driven.md), supporting both the user-driven [Azure AD join](user-driven-aad.md) and [Hybrid Azure AD](user-driven-hybrid.md) join scenarios.
-
-## Prerequisites
-
-In addition to [Windows Autopilot requirements](windows-autopilot-requirements.md), Windows Autopilot for white glove deployment adds the following:
-
-- Windows 10, version 1903 or later is required.
-- An Intune subscription.
-- Physical devices that support TPM 2.0 and device attestation; virtual machines are not supported. The white glove provisioning process leverages Windows Autopilot self-deploying capabilities, hence the TPM 2.0 requirements.
-- Physical devices with Ethernet connectivity; Wi-fi connectivity is not supported due to the requirement to choose a language, locale, and keyboard to make that Wi-fi connection; doing that in a pre-provisioning process could prevent the user from choosing their own language, locale, and keyboard when they receive the device.
-
->[!IMPORTANT]
->Because the OEM or vendor performs the white glove process, this doesn’t require access to an end-user's on-prem domain infrastructure. This is unlike a typical hybrid Azure AD-joined scenario because rebooting the device is postponed. The device is resealed prior to the time when connectivity to a domain controller is expected, and the domain network is contacted when the device is unboxed on-prem by the end-user.
-
-## Preparation
-
-Devices slated for WG provisioning are registered for Autopilot via the normal registration process.
-
-To be ready to try out Windows Autopilot for white glove deployment, ensure that you can first successfully use existing Windows Autopilot user-driven scenarios:
-
-- User-driven Azure AD join. Devices can be deployed using Windows Autopilot and joined to an Azure Active Directory tenant.
-- User-driven with Hybrid Azure AD join. Devices can be deployed using Windows Autopilot and joined to an on-premises Active Directory domain, then registered with Azure Active Directory to enable the Hybrid Azure AD join features.
-
-If these scenarios cannot be completed, Windows Autopilot for white glove deployment will also not succeed since it builds on top of these scenarios.
-
-To enable white glove deployment, an additional Autopilot profile setting must be configured by the customer or IT Admin via their Intune account, prior to beginning the white glove process in the provisioning service facility:
-
- 
-
-The Windows Autopilot for white glove deployment pre-provisioning process will apply all device-targeted policies from Intune. That includes certificates, security templates, settings, apps, and more – anything targeting the device. Additionally, any apps (Win32 or LOB) that are configured to install in the device context and targeted to the user that has been pre-assigned to the Autopilot device will also be installed.
-
->[!NOTE]
->Other user-targeted policies will not apply until the user signs into the device. To verify these behaviors, be sure to create appropriate apps and policies targeted to devices and users.
-
-## Scenarios
-
-Windows Autopilot for white glove deployment supports two distinct scenarios:
-- User-driven deployments with Azure AD Join. The device will be joined to an Azure AD tenant.
-- User-driven deployments with Hybrid Azure AD Join. The device will be joined to an on-premises Active Directory domain, and separately registered with Azure AD.
-Each of these scenarios consists of two parts, a technician flow and a user flow. At a high level, these parts are the same for Azure AD Join and Hybrid Azure AD join; differences are primarily seen by the end user in the authentication steps.
-
-### Technican flow
-
-After the customer or IT Admin has targeted all the apps and settings they want for their devices through Intune, the white glove technician can begin the white glove process. The technician could be a member of the IT staff, a services partner, or an OEM – each organization can decide who should perform these activities. Regardless of the scenario, the process to be performed by the technician is the same:
-- Boot the device (running Windows 10 Pro, Enterprise, or Education SKUs, version 1903 or later).
-- From the first OOBE screen (which could be a language selection or locale selection screen), do not click **Next**. Instead, press the Windows key five times to view an additional options dialog. From that screen, choose the **Windows Autopilot provisioning** option and then click **Continue**.
-
- 
-
-- On the **Windows Autopilot Configuration** screen, information will be displayed about the device:
- - The Autopilot profile assigned to the device.
- - The organization name for the device.
- - The user assigned to the device (if there is one).
- - A QR code containing a unique identifier for the device, useful to look up the device in Intune to make any configuration changes needed (e.g. assigning a user, adding the device to any additional groups needed for app or policy targeting).
- - **Note**: The QR codes can be scanned using a companion app, which will also configure the device to specify who it belongs to. An [open-source sample of the companion app](https://github.com/Microsoft/WindowsAutopilotCompanion) that integrates with Intune via the Graph API has been published to GitHub by the Autopilot team.
-- Validate the information displayed. If any changes are needed, make these and then click **Refresh** to re-download the updated Autopilot profile details.
-
- 
-
-- Click **Provision** to begin the provisioning process.
-
-If the pre-provisioning process completes successfully:
-- A green status screen will be displayed with information about the device, including the same details presented previously (e.g. Autopilot profile, organization name, assigned user, QR code), as well as the elapsed time for the pre-provisioning steps.
- 
-- Click **Reseal** to shut the device down. At that point, the device can be shipped to the end user.
-
-If the pre-provisioning process fails:
-- A red status screen will be displayed with information about the device, including the same details presented previously (e.g. Autopilot profile, organization name, assigned user, QR code), as well as the elapsed time for the pre-provisioning steps.
-- Diagnostic logs can be gathered from the device, and then it can be reset to start the process over again.
-
-### User flow
-
-If the pre-provisioning process completed successfully and the device was resealed, it can be delivered to the end user to complete the normal Windows Autopilot user-driven process. They will perform a standard set of steps:
-
-- Power on the device.
-- Select the appropriate language, locale, and keyboard layout.
-- Connect to a network (if using Wi-Fi). If using Hybrid Azure AD Join, there must be connectivity to a domain controller; if using Azure AD Join, internet connectivity is required.
-- On the branded sign-on screen, enter the user’s Azure Active Directory credentials.
-- If using Hybrid Azure AD Join, the device will reboot; after the reboot, enter the user’s Active Directory credentials.
-- Additional policies and apps will be delivered to the device, as tracked by the Enrollment Status Page (ESP). Once complete, the user will be able to access the desktop.
-
-## Related topics
-
-[White glove video](https://youtu.be/nE5XSOBV0rI)
+---
+title: Windows Autopilot for white glove deployment
+description: Windows Autopilot for white glove deployment
+keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune, pre-provisioning
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: low
+ms.sitesec: library
+ms.pagetype: deploy
+audience: itpro
+author: greg-lindsay
+manager: laurawi
+ms.audience: itpro
+author: greg-lindsay
+ms.collection: M365-modern-desktop
+ms.topic: article
+---
+
+# Windows Autopilot for white glove deployment
+
+**Applies to: Windows 10, version 1903**
+
+Windows Autopilot enables organizations to easily provision new devices - leveraging the preinstalled OEM image and drivers with a simple process that can be performed by the end user to help get their device business-ready.
+
+ 
+
+Windows Autopilot can also provide a white glove service that enables partners or IT staff to pre-provision a Windows 10 PC so that it is fully configured and business-ready. From the end user’s perspective, the Windows Autopilot user-driven experience is unchanged, but getting their device to a fully provisioned state is faster.
+
+With **Windows Autopilot for white glove deployment**, the provisioning process is split. The time-consuming portions are performed by IT, partners, or OEMs. The end user simply completes a few necessary settings and polices and then they can begin using their device.
+
+ 
+
+Enabled with Microsoft Intune in Windows 10, version 1903 and later, white glove deployment capabilities build on top of existing Windows Autopilot [user-driven scenarios](user-driven.md), supporting both the user-driven [Azure AD join](user-driven-aad.md) and [Hybrid Azure AD](user-driven-hybrid.md) join scenarios.
+
+## Prerequisites
+
+In addition to [Windows Autopilot requirements](windows-autopilot-requirements.md), Windows Autopilot for white glove deployment adds the following:
+
+- Windows 10, version 1903 or later is required.
+- An Intune subscription.
+- Physical devices that support TPM 2.0 and device attestation; virtual machines are not supported. The white glove provisioning process leverages Windows Autopilot self-deploying capabilities, hence the TPM 2.0 requirements.
+- Physical devices with Ethernet connectivity; Wi-fi connectivity is not supported due to the requirement to choose a language, locale, and keyboard to make that Wi-fi connection; doing that in a pre-provisioning process could prevent the user from choosing their own language, locale, and keyboard when they receive the device.
+
+>[!IMPORTANT]
+>Because the OEM or vendor performs the white glove process, this doesn’t require access to an end-user's on-prem domain infrastructure. This is unlike a typical hybrid Azure AD-joined scenario because rebooting the device is postponed. The device is resealed prior to the time when connectivity to a domain controller is expected, and the domain network is contacted when the device is unboxed on-prem by the end-user.
+
+## Preparation
+
+Devices slated for white glove provisioning are registered for Autopilot via the normal registration process.
+
+To be ready to try out Windows Autopilot for white glove deployment, ensure that you can first successfully use existing Windows Autopilot user-driven scenarios:
+
+- User-driven Azure AD join. Devices can be deployed using Windows Autopilot and joined to an Azure Active Directory tenant.
+- User-driven with Hybrid Azure AD join. Devices can be deployed using Windows Autopilot and joined to an on-premises Active Directory domain, then registered with Azure Active Directory to enable the Hybrid Azure AD join features.
+
+If these scenarios cannot be completed, Windows Autopilot for white glove deployment will also not succeed since it builds on top of these scenarios.
+
+To enable white glove deployment, an additional Autopilot profile setting must be configured by the customer or IT Admin via their Intune account, prior to beginning the white glove process in the provisioning service facility:
+
+ 
+
+The Windows Autopilot for white glove deployment pre-provisioning process will apply all device-targeted policies from Intune. That includes certificates, security templates, settings, apps, and more – anything targeting the device. Additionally, any apps (Win32 or LOB) that are configured to install in the device context and targeted to the user that has been pre-assigned to the Autopilot device will also be installed.
+
+>[!NOTE]
+>Other user-targeted policies will not apply until the user signs into the device. To verify these behaviors, be sure to create appropriate apps and policies targeted to devices and users.
+
+## Scenarios
+
+Windows Autopilot for white glove deployment supports two distinct scenarios:
+- User-driven deployments with Azure AD Join. The device will be joined to an Azure AD tenant.
+- User-driven deployments with Hybrid Azure AD Join. The device will be joined to an on-premises Active Directory domain, and separately registered with Azure AD.
+Each of these scenarios consists of two parts, a technician flow and a user flow. At a high level, these parts are the same for Azure AD Join and Hybrid Azure AD join; differences are primarily seen by the end user in the authentication steps.
+
+### Technician flow
+
+After the customer or IT Admin has targeted all the apps and settings they want for their devices through Intune, the white glove technician can begin the white glove process. The technician could be a member of the IT staff, a services partner, or an OEM – each organization can decide who should perform these activities. Regardless of the scenario, the process to be performed by the technician is the same:
+- Boot the device (running Windows 10 Pro, Enterprise, or Education SKUs, version 1903 or later).
+- From the first OOBE screen (which could be a language selection or locale selection screen), do not click **Next**. Instead, press the Windows key five times to view an additional options dialog. From that screen, choose the **Windows Autopilot provisioning** option and then click **Continue**.
+
+ 
+
+- On the **Windows Autopilot Configuration** screen, information will be displayed about the device:
+ - The Autopilot profile assigned to the device.
+ - The organization name for the device.
+ - The user assigned to the device (if there is one).
+ - A QR code containing a unique identifier for the device, useful to look up the device in Intune to make any configuration changes needed (e.g. assigning a user, adding the device to any additional groups needed for app or policy targeting).
+ - **Note**: The QR codes can be scanned using a companion app, which will also configure the device to specify who it belongs to. An [open-source sample of the companion app](https://github.com/Microsoft/WindowsAutopilotCompanion) that integrates with Intune via the Graph API has been published to GitHub by the Autopilot team.
+- Validate the information displayed. If any changes are needed, make these and then click **Refresh** to re-download the updated Autopilot profile details.
+
+ 
+
+- Click **Provision** to begin the provisioning process.
+
+If the pre-provisioning process completes successfully:
+- A green status screen will be displayed with information about the device, including the same details presented previously (e.g. Autopilot profile, organization name, assigned user, QR code), as well as the elapsed time for the pre-provisioning steps.
+ 
+- Click **Reseal** to shut the device down. At that point, the device can be shipped to the end user.
+
+If the pre-provisioning process fails:
+- A red status screen will be displayed with information about the device, including the same details presented previously (e.g. Autopilot profile, organization name, assigned user, QR code), as well as the elapsed time for the pre-provisioning steps.
+- Diagnostic logs can be gathered from the device, and then it can be reset to start the process over again.
+
+### User flow
+
+If the pre-provisioning process completed successfully and the device was resealed, it can be delivered to the end user to complete the normal Windows Autopilot user-driven process. They will perform a standard set of steps:
+
+- Power on the device.
+- Select the appropriate language, locale, and keyboard layout.
+- Connect to a network (if using Wi-Fi). If using Hybrid Azure AD Join, there must be connectivity to a domain controller; if using Azure AD Join, internet connectivity is required.
+- On the branded sign-on screen, enter the user’s Azure Active Directory credentials.
+- If using Hybrid Azure AD Join, the device will reboot; after the reboot, enter the user’s Active Directory credentials.
+- Additional policies and apps will be delivered to the device, as tracked by the Enrollment Status Page (ESP). Once complete, the user will be able to access the desktop.
+
+## Related topics
+
+[White glove video](https://youtu.be/nE5XSOBV0rI)
diff --git a/windows/deployment/windows-autopilot/windows-autopilot-requirements.md b/windows/deployment/windows-autopilot/windows-autopilot-requirements.md
index c216835569..1baaf03dea 100644
--- a/windows/deployment/windows-autopilot/windows-autopilot-requirements.md
+++ b/windows/deployment/windows-autopilot/windows-autopilot-requirements.md
@@ -1,121 +1,123 @@
----
-title: Windows Autopilot requirements
-ms.reviewer:
-manager: laurawi
-description: Windows Autopilot deployment
-keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: medium
-ms.sitesec: library
-ms.pagetype: deploy
-audience: itpro
author: greg-lindsay
-ms.author: greglin
-ms.collection: M365-modern-desktop
-ms.topic: article
----
-
-
-# Windows Autopilot requirements
-
-**Applies to: Windows 10**
-
-Windows Autopilot depends on specific capabilities available in Windows 10, Azure Active Directory, and MDM services such as Microsoft Intune. In order to use Windows Autopilot and leverage these capabilities, some requirements must be met.
-
-**Note**: For a list of OEMs that currently support Windows Autopilot, see the Participant device manufacturers section at [Windows Autopilot](https://aka.ms/windowsautopilot).
-
-## Software requirements
-
-- Windows 10 version 1703 (semi-annual channel) or higher is required.
-- The following editions are supported:
- - Windows 10 Pro
- - Windows 10 Pro Education
- - Windows 10 Pro for Workstations
- - Windows 10 Enterprise
- - Windows 10 Education
- - Windows 10 Enterprise 2019 LTSC
-
-## Networking requirements
-
-Windows Autopilot depends on a variety of internet-based services. Access to these services must be provided for Autopilot to function properly. In the simplest case, enabling proper functionality can be achieved by ensuring the following:
-
-- Ensure DNS name resolution for internet DNS names
-- Allow access to all hosts via port 80 (HTTP), 443 (HTTPS), and 123 (UDP/NTP)
-
-In environments that have more restrictive Internet access, or for those that require authentication before internet access can be obtained, additional configuration may be required to whitelist access to the required services. For additional details about each of these services and their specific requirements, review the following details:
-
-
-
-## Licensing requirements
-
-Windows Autopilot depends on specific capabilities available in Windows 10 and Azure Active Directory. It also requires an MDM service such as Microsoft Intune. These capabilities can be obtained through various editions and subscription programs:
-
-To provide needed Azure Active Directory (automatic MDM enrollment and company branding features) and MDM functionality, one of the following is required:
- - [Microsoft 365 Business subscriptions](https://www.microsoft.com/en-us/microsoft-365/business)
- - [Microsoft 365 F1 subscriptions](https://www.microsoft.com/en-us/microsoft-365/enterprise/firstline)
- - [Microsoft 365 Academic A1, A3, or A5 subscriptions](https://www.microsoft.com/en-us/education/buy-license/microsoft365/default.aspx)
- - [Microsoft 365 Enterprise E3 or E5 subscriptions](https://www.microsoft.com/en-us/microsoft-365/enterprise), which include all Windows 10, Office 365, and EM+S features (Azure AD and Intune).
- - [Enterprise Mobility + Security E3 or E5 subscriptions](https://www.microsoft.com/en-us/cloud-platform/enterprise-mobility-security), which include all needed Azure AD and Intune features.
- - [Intune for Education subscriptions](https://docs.microsoft.com/intune-education/what-is-intune-for-education), which include all needed Azure AD and Intune features.
- - [Azure Active Directory Premium P1 or P2](https://azure.microsoft.com/services/active-directory/) and [Microsoft Intune subscriptions](https://www.microsoft.com/en-us/cloud-platform/microsoft-intune) (or an alternative MDM service).
-
-Additionally, the following are also recommended (but not required):
-- [Office 365 ProPlus](https://www.microsoft.com/en-us/p/office-365-proplus/CFQ7TTC0K8R0), which can be deployed easily via Intune (or other MDM services).
-- [Windows Subscription Activation](https://docs.microsoft.com/windows/deployment/windows-10-enterprise-subscription-activation), to automatically step up devices from Windows 10 Pro to Windows 10 Enterprise.
-
-## Configuration requirements
-
-Before Windows Autopilot can be used, some configuration tasks are required to support the common Autopilot scenarios.
-
-- Configure Azure Active Directory automatic enrollment. For Microsoft Intune, see [Enable Windows 10 automatic enrollment](https://docs.microsoft.com/intune/windows-enroll#enable-windows-10-automatic-enrollment) for details. If using a different MDM service, contact the vendor for the specific URLs or configuration needed for those services.
-- Configure Azure Active Directory custom branding. In order to display an organization-specific logon page during the Autopilot process, Azure Active Directory needs to be configured with the images and text that should be displayed. See [Quickstart: Add company branding to your sign-in page in Azure AD](https://docs.microsoft.com/azure/active-directory/fundamentals/customize-branding) for more details. Note that the "square logo" and "sign-in page text" are the key elements for Autopilot, as well as the Azure Active Directory tenant name (configured separately in the Azure AD tenant properties).
-- Enable [Windows Subscription Activation](https://docs.microsoft.com/windows/deployment/windows-10-enterprise-subscription-activation) if desired, in order to automatically step up from Windows 10 Pro to Windows 10 Enterprise.
-
-Specific scenarios will then have additional requirements. Generally, there are two specific tasks:
-
-- Device registration. Devices need to be added to Windows Autopilot to support most Windows Autopilot scenarios. See [Adding devices to Windows Autopilot](add-devices.md) for more details.
-- Profile configuration. Once devices have been added to Windows Autopilot, a profile of settings needs to be applied to each device. See [Configure Autopilot profiles](profiles.md) for details. Note that Microsoft Intune can automate this profile assignment; see [Create an AutoPilot device group](https://docs.microsoft.com/intune/enrollment-autopilot#create-an-autopilot-device-group) and [Assign an AutoPilot deployment profile to a device group](https://docs.microsoft.com/intune/enrollment-autopilot#assign-an-autopilot-deployment-profile-to-a-device-group) for more information.
-
-See [Windows Autopilot Scenarios](windows-autopilot-scenarios.md) for additional details.
-
-For a walkthrough for some of these and related steps, see this video:
-Service Information
- Windows Autopilot Deployment Service and Windows Activation After a network connection is in place, each Windows 10 device will contact the Windows Autopilot Deployment Service. With Windows 10 builds 18204 and above, the following URLs are used: https://ztd.dds.microsoft.com, https://cs.dds.microsoft.com.
-
-For all supported Windows 10 releases, Windows Autopilot also uses Windows Activation services. See Windows activation or validation fails with error code 0x8004FE33 for details about problems that might occur when you connect to the Internet through a proxy server.
-Azure Active Directory User credentials are validated by Azure Active Directory, and the device can also be joined to Azure Active Directory. See Office 365 IP Address and URL Web service for more information.
- Intune Once authenticated, Azure Active Directory will trigger enrollment of the device into the Intune MDM service. See the following link for details about network communication requirements: Intune network configuration requirements and bandwidth.
- Windows Update During the OOBE process, as well as after the Windows 10 OS is fully configured, the Windows Update service is leveraged to retrieve needed updates. If there are problems connecting to Windows Update, see How to solve connection problems concerning Windows Update or Microsoft Update.
-
-If Windows Update is inaccessible, the AutoPilot process will still continue but critical updates will not be available.
-
-Delivery Optimization When downloading Windows Updates, Microsoft Store apps and app updates, Office Updates and Intune Win32 Apps, the Delivery Optimization service is contacted to enable peer-to-peer sharing of content so that only a few devices need to download it from the internet.
-
-If the Delivery Optimization Service is inaccessible, the AutoPilot process will still continue with Delivery Optimization downloads from the cloud (without peer-to-peer).
-
-Network Time Protocol (NTP) Sync When a Windows device starts up, it will talk to a network time server to ensure that the time on the device is accurate. Ensure that UDP port 123 to time.windows.com is accessible.
- Domain Name Services (DNS) To resolve DNS names for all services, the device communicates with a DNS server, typically provided via DHCP. This DNS server must be able to resolve internet names.
- Diagnostics data Starting in Windows 10, 1903, diagnostic data collection will be enabled by default. To disable Windows Analytics and related diagnostics capabilities, see Manage enterprise diagnostic data level.
-
-If diagnostic data cannot be sent, the Autopilot process will still continue, but services that depend on diagnostic data, such as Windows Analytics, will not work.
-Network Connection Status Indicator (NCSI) Windows must be able to tell that the device is able to access the internet. For more information, see Network Connection Status Indicator (NCSI).
-
-www.msftconnecttest.com must be resolvable via DNS and accessible via HTTP.
- Windows Notification Services (WNS) This service is used to enable Windows to receive notifications from apps and services. See Microsoft Store for more information.
-
-If the WNS services are not available, the Autopilot process will still continue without notifications.
-Microsoft Store, Microsoft Store for Business Apps in the Microsoft Store can be pushed to the device, triggered via Intune (MDM). App updates and additional apps may also be needed when the user first logs in. For more information, see Prerequisites for Microsoft Store for Business and Education (also includes Azure AD and Windows Notification Services).
-
-If the Microsoft Store is not accessible, the AutoPilot process will still continue without Microsoft Store apps.
-
-Office 365 As part of the Intune device configuration, installation of Office 365 ProPlus may be required. For more information, see Office 365 URLs and IP address ranges (includes all Office services, DNS names, IP addresses; includes Azure AD and other services that may overlap with those listed above).
- Certificate revocation lists (CRLs) Some of these services will also need to check certificate revocation lists (CRLs) for certificates used in the services. A full list of these is documented at Office 365 URLs and IP address ranges and Office 365 Certificate Chains.
- Hybrid AAD join Hybrid AAD can be join, the machine should be on corporate network for hybrid AAD join to work. See details at Windows Autopilot user-driven mode
-
-
-
-There are no additional hardware requirements to use Windows 10 Autopilot, beyond the [requirements to run Windows 10](https://www.microsoft.com/windows/windows-10-specifications).
-
-## Related topics
-
-[Configure Autopilot deployment](configure-autopilot.md)
+---
+title: Windows Autopilot requirements
+ms.reviewer:
+manager: laurawi
+description: Windows Autopilot deployment
+keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: medium
+ms.sitesec: library
+ms.pagetype: deploy
+audience: itpro
+author: greg-lindsay
+ms.author: greglin
+ms.collection: M365-modern-desktop
+ms.topic: article
+---
+
+
+# Windows Autopilot requirements
+
+**Applies to: Windows 10**
+
+Windows Autopilot depends on specific capabilities available in Windows 10, Azure Active Directory, and MDM services such as Microsoft Intune. In order to use Windows Autopilot and leverage these capabilities, some requirements must be met.
+
+**Note**: For a list of OEMs that currently support Windows Autopilot, see the Participant device manufacturers section at [Windows Autopilot](https://aka.ms/windowsautopilot).
+
+## Software requirements
+
+- Windows 10 version 1703 (semi-annual channel) or higher is required.
+- The following editions are supported:
+ - Windows 10 Pro
+ - Windows 10 Pro Education
+ - Windows 10 Pro for Workstations
+ - Windows 10 Enterprise
+ - Windows 10 Education
+ - Windows 10 Enterprise 2019 LTSC
+
+## Networking requirements
+
+Windows Autopilot depends on a variety of internet-based services. Access to these services must be provided for Autopilot to function properly. In the simplest case, enabling proper functionality can be achieved by ensuring the following:
+
+- Ensure DNS name resolution for internet DNS names
+- Allow access to all hosts via port 80 (HTTP), 443 (HTTPS), and 123 (UDP/NTP)
+
+In environments that have more restrictive Internet access, or for those that require authentication before internet access can be obtained, additional configuration may be required to whitelist access to the required services. For additional details about each of these services and their specific requirements, review the following details:
+
+
+
+## Licensing requirements
+
+Windows Autopilot depends on specific capabilities available in Windows 10 and Azure Active Directory. It also requires an MDM service such as Microsoft Intune. These capabilities can be obtained through various editions and subscription programs:
+
+To provide needed Azure Active Directory (automatic MDM enrollment and company branding features) and MDM functionality, one of the following is required:
+- [Microsoft 365 Business subscriptions](https://www.microsoft.com/microsoft-365/business)
+- [Microsoft 365 F1 subscriptions](https://www.microsoft.com/microsoft-365/enterprise/firstline)
+- [Microsoft 365 Academic A1, A3, or A5 subscriptions](https://www.microsoft.com/education/buy-license/microsoft365/default.aspx)
+- [Microsoft 365 Enterprise E3 or E5 subscriptions](https://www.microsoft.com/microsoft-365/enterprise), which include all Windows 10, Office 365, and EM+S features (Azure AD and Intune).
+- [Enterprise Mobility + Security E3 or E5 subscriptions](https://www.microsoft.com/cloud-platform/enterprise-mobility-security), which include all needed Azure AD and Intune features.
+- [Intune for Education subscriptions](https://docs.microsoft.com/intune-education/what-is-intune-for-education), which include all needed Azure AD and Intune features.
+- [Azure Active Directory Premium P1 or P2](https://azure.microsoft.com/services/active-directory/) and [Microsoft Intune subscriptions](https://www.microsoft.com/cloud-platform/microsoft-intune) (or an alternative MDM service).
+
+Additionally, the following are also recommended (but not required):
+- [Office 365 ProPlus](https://www.microsoft.com/p/office-365-proplus/CFQ7TTC0K8R0), which can be deployed easily via Intune (or other MDM services).
+- [Windows Subscription Activation](https://docs.microsoft.com/windows/deployment/windows-10-enterprise-subscription-activation), to automatically step up devices from Windows 10 Pro to Windows 10 Enterprise.
+
+## Configuration requirements
+
+Before Windows Autopilot can be used, some configuration tasks are required to support the common Autopilot scenarios.
+
+- Configure Azure Active Directory automatic enrollment. For Microsoft Intune, see [Enable Windows 10 automatic enrollment](https://docs.microsoft.com/intune/windows-enroll#enable-windows-10-automatic-enrollment) for details. If using a different MDM service, contact the vendor for the specific URLs or configuration needed for those services.
+- Configure Azure Active Directory custom branding. In order to display an organization-specific logon page during the Autopilot process, Azure Active Directory needs to be configured with the images and text that should be displayed. See [Quickstart: Add company branding to your sign-in page in Azure AD](https://docs.microsoft.com/azure/active-directory/fundamentals/customize-branding) for more details. Note that the "square logo" and "sign-in page text" are the key elements for Autopilot, as well as the Azure Active Directory tenant name (configured separately in the Azure AD tenant properties).
+- Enable [Windows Subscription Activation](https://docs.microsoft.com/windows/deployment/windows-10-enterprise-subscription-activation) if desired, in order to automatically step up from Windows 10 Pro to Windows 10 Enterprise.
+
+Specific scenarios will then have additional requirements. Generally, there are two specific tasks:
+
+- Device registration. Devices need to be added to Windows Autopilot to support most Windows Autopilot scenarios. See [Adding devices to Windows Autopilot](add-devices.md) for more details.
+- Profile configuration. Once devices have been added to Windows Autopilot, a profile of settings needs to be applied to each device. See [Configure Autopilot profiles](profiles.md) for details. Note that Microsoft Intune can automate this profile assignment; see [Create an AutoPilot device group](https://docs.microsoft.com/intune/enrollment-autopilot#create-an-autopilot-device-group) and [Assign an AutoPilot deployment profile to a device group](https://docs.microsoft.com/intune/enrollment-autopilot#assign-an-autopilot-deployment-profile-to-a-device-group) for more information.
+
+See [Windows Autopilot Scenarios](windows-autopilot-scenarios.md) for additional details.
+
+For a walkthrough for some of these and related steps, see this video:
+Service Information
+ Windows Autopilot Deployment Service After a network connection is in place, each Windows 10 device will contact the Windows Autopilot Deployment Service. With Windows 10 version 1903 and above, the following URLs are used: https://ztd.dds.microsoft.com, https://cs.dds.microsoft.com.
+
+Windows Activation Windows Autopilot also requires Windows Activation services. See Windows activation or validation fails with error code 0x8004FE33 for details about the URLs that need to be accessible for the activation services.
+
+Azure Active Directory User credentials are validated by Azure Active Directory, and the device can also be joined to Azure Active Directory. See Office 365 IP Address and URL Web service for more information.
+ Intune Once authenticated, Azure Active Directory will trigger enrollment of the device into the Intune MDM service. See the following link for details about network communication requirements: Intune network configuration requirements and bandwidth.
+ Windows Update During the OOBE process, as well as after the Windows 10 OS is fully configured, the Windows Update service is leveraged to retrieve needed updates. If there are problems connecting to Windows Update, see How to solve connection problems concerning Windows Update or Microsoft Update.
+
+If Windows Update is inaccessible, the AutoPilot process will still continue but critical updates will not be available.
+
+Delivery Optimization When downloading Windows Updates, Microsoft Store apps and app updates, Office Updates and Intune Win32 Apps, the Delivery Optimization service is contacted to enable peer-to-peer sharing of content so that only a few devices need to download it from the internet.
+
+If the Delivery Optimization Service is inaccessible, the AutoPilot process will still continue with Delivery Optimization downloads from the cloud (without peer-to-peer).
+
+Network Time Protocol (NTP) Sync When a Windows device starts up, it will talk to a network time server to ensure that the time on the device is accurate. Ensure that UDP port 123 to time.windows.com is accessible.
+ Domain Name Services (DNS) To resolve DNS names for all services, the device communicates with a DNS server, typically provided via DHCP. This DNS server must be able to resolve internet names.
+ Diagnostics data Starting in Windows 10, 1903, diagnostic data collection will be enabled by default. To disable Windows Analytics and related diagnostics capabilities, see Manage enterprise diagnostic data level.
+
+If diagnostic data cannot be sent, the Autopilot process will still continue, but services that depend on diagnostic data, such as Windows Analytics, will not work.
+Network Connection Status Indicator (NCSI) Windows must be able to tell that the device is able to access the internet. For more information, see Network Connection Status Indicator (NCSI).
+
+www.msftconnecttest.com must be resolvable via DNS and accessible via HTTP.
+ Windows Notification Services (WNS) This service is used to enable Windows to receive notifications from apps and services. See Microsoft Store for more information.
+
+If the WNS services are not available, the Autopilot process will still continue without notifications.
+Microsoft Store, Microsoft Store for Business Apps in the Microsoft Store can be pushed to the device, triggered via Intune (MDM). App updates and additional apps may also be needed when the user first logs in. For more information, see Prerequisites for Microsoft Store for Business and Education (also includes Azure AD and Windows Notification Services).
+
+If the Microsoft Store is not accessible, the AutoPilot process will still continue without Microsoft Store apps.
+
+Office 365 As part of the Intune device configuration, installation of Office 365 ProPlus may be required. For more information, see Office 365 URLs and IP address ranges (includes all Office services, DNS names, IP addresses; includes Azure AD and other services that may overlap with those listed above).
+ Certificate revocation lists (CRLs) Some of these services will also need to check certificate revocation lists (CRLs) for certificates used in the services. A full list of these is documented at Office 365 URLs and IP address ranges and Office 365 Certificate Chains.
+ Hybrid AAD join The device can be hybrid AAD joined. The computer should be on corporate network for hybrid AAD join to work. See details at Windows Autopilot user-driven mode
+
+
+
+There are no additional hardware requirements to use Windows 10 Autopilot, beyond the [requirements to run Windows 10](https://www.microsoft.com/windows/windows-10-specifications).
+
+## Related topics
+
+[Configure Autopilot deployment](configure-autopilot.md)
diff --git a/windows/deployment/windows-deployment-scenarios-and-tools.md b/windows/deployment/windows-deployment-scenarios-and-tools.md
index f94b65ffef..742ae20f20 100644
--- a/windows/deployment/windows-deployment-scenarios-and-tools.md
+++ b/windows/deployment/windows-deployment-scenarios-and-tools.md
@@ -1,350 +1,352 @@
----
-title: Windows 10 deployment tools (Windows 10)
-description: To successfully deploy the Windows 10 operating system and applications for your organization, it is essential that you know about the available tools to help with the process.
-ms.assetid: 0d6cee1f-14c4-4b69-b29a-43b0b327b877
-ms.reviewer:
-manager: laurawi
-ms.audience: itpro
author: greg-lindsay
-keywords: deploy, volume activation, BitLocker, recovery, install, installation, VAMT, MDT, USMT, WDS
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.topic: article
----
-
-# Windows 10 deployment scenarios and tools
-
-
-To successfully deploy the Windows 10 operating system and applications for your organization, it is essential that you know about the available tools to help with the process. In this topic, you will learn about the most commonly used tools for Windows 10 deployment.
-
-Microsoft provides many tools, services, and solutions. These tools include Windows Deployment Services (WDS), the Volume Activation Management Tool (VAMT), the User State Migration Tool (USMT), Windows System Image Manager (Windows SIM), Windows Preinstallation Environment (Windows PE), and Windows Recovery Environment (Windows RE). Keep in mind that these are just tools and not a complete solution on their own. It’s when you combine these tools with solutions like [Microsoft Deployment Toolkit (MDT)](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md) or [Microsoft System Center 2012 R2 Configuration Manager](deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) that you get the complete deployment solution.
-
-In this topic, you also learn about different types of reference images that you can build, and why reference images are beneficial for most organizations
-
-## Windows Assessment and Deployment Kit
-
-
-Windows ADK contains core assessment and deployment tools and technologies, including Deployment Image Servicing and Management (DISM), Windows Imaging and Configuration Designer (Windows ICD), Windows System Image Manager (Windows SIM), User State Migration Tool (USMT), Volume Activation Management Tool (VAMT), Windows Preinstallation Environment (Windows PE), Windows Assessment Services, Windows Performance Toolkit (WPT), Application Compatibility Toolkit (ACT), and Microsoft SQL Server 2012 Express. For more details, see [Windows ADK for Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=526803 ) or [Windows ADK for Windows 10 scenarios for IT Pros](windows-adk-scenarios-for-it-pros.md).
-
-
-
-Figure 1. The Windows 10 ADK feature selection page.
-
-### Deployment Image Servicing and Management (DISM)
-
-DISM is one of the deployment tools included in the Windows ADK and is used for capturing, servicing, and deploying boot images and operating system images.
-
-DISM services online and offline images. For example, with DISM you can install the Microsoft .NET Framework 3.5.1 in Windows 10 online, which means that you can start the installation in the running operating system, not that you get the software online. The /LimitAccess switch configures DISM to get the files only from a local source:
-
-``` syntax
-Dism.exe /Online /Enable-Feature /FeatureName:NetFX3 /All /Source:D:\Sources\SxS /LimitAccess
-```
-
-In Windows 10, you can use Windows PowerShell for many of the functions performed by DISM.exe. The equivalent command in Windows 10 using PowerShell is:
-
-``` syntax
-Enable-WindowsOptionalFeature -Online -FeatureName NetFx3 -All
--Source D:\Sources\SxS -LimitAccess
-```
-
-
-
-Figure 2. Using DISM functions in PowerShell.
-
-For more information on DISM, see [DISM technical reference](https://go.microsoft.com/fwlink/p/?LinkId=619161).
-
-### User State Migration Tool (USMT)
-
-USMT is a backup and restore tool that allows you to migrate user state, data, and settings from one installation to another. Microsoft Deployment Toolkit (MDT) and System Center 2012 R2 Configuration Manager use USMT as part of the operating system deployment process.
-
-**Note**
-Occasionally, we find that customers are wary of USMT because they believe it requires significant configuration, but, as you will learn below, using USMT is not difficult. If you use MDT and Lite Touch to deploy your machines, the USMT feature is automatically configured and extended so that it is easy to use. With MDT, you do nothing at all and USMT just works.
-
-
-
-USMT includes several command-line tools, the most important of which are ScanState and LoadState:
-
-- **ScanState.exe.** This performs the user-state backup.
-
-- **LoadState.exe.** This performs the user-state restore.
-
-- **UsmtUtils.exe.** This supplements the functionality in ScanState.exe and LoadState.exe.
-
-In addition to these tools, there are also XML templates that manage which data is migrated. You can customize the templates, or create new ones, to manage the backup process at a high level of detail. USMT uses the following terms for its templates:
-
-- **Migration templates.** The default templates in USMT.
-
-- **Custom templates.** Custom templates that you create.
-
-- **Config template.** An optional template, called Config.xml, which you can use to exclude or include components in a migration without modifying the other standard XML templates.
-
-
-
-Figure 3. A sample USMT migration file that will exclude .MP3 files on all local drives and include the folder C:\\Data and all its files, including its subdirectories and their files.
-
-USMT supports capturing data and settings from Windows Vista and later, and restoring the data and settings to Windows 7 and later (including Windows 10 in both cases). It also supports migrating from a 32-bit operating system to a 64-bit operating system, but not the other way around. For example, you can use USMT to migrate from Windows 7 x86 to Windows 10 x64.
-
-By default USMT migrates many settings, most of which are related to the user profile but also to Control Panel configurations, file types, and more. The default templates that are used in Windows 10 deployments are MigUser.xml and MigApp.xml. These two default templates migrate the following data and settings:
-
-- Folders from each profile, including those from user profiles as well as shared and public profiles. For example, the My Documents, My Video, My Music, My Pictures, desktop files, Start menu, Quick Launch settings, and Favorites folders are migrated.
-
-- Specific file types. USMT templates migrate the following file types: .accdb, .ch3, .csv, .dif, .doc\*, .dot\*, .dqy, .iqy, .mcw, .mdb\*, .mpp, .one\*, .oqy, .or6, .pot\*, .ppa, .pps\*, .ppt\*, .pre, .pst, .pub, .qdf, .qel, .qph, .qsd, .rqy, .rtf, .scd, .sh3, .slk, .txt, .vl\*, .vsd, .wk\*, .wpd, .wps, .wq1, .wri, .xl\*, .xla, .xlb, .xls\*.
-
- **Note**
- The OpenDocument extensions (\*.odt, \*.odp, \*.ods, etc.) that Microsoft Office applications can use are not migrated by default.
-
-
-
-- Operating system component settings
-
-- Application settings
-
-These are the settings migrated by the default MigUser.xml and MigApp.xml templates. For more details on what USMT migrates, see [What does USMT migrate?](https://go.microsoft.com/fwlink/p/?LinkId=619227) For more information on the USMT overall, see the [USMT technical reference](https://go.microsoft.com/fwlink/p/?LinkId=619228).
-
-### Windows Imaging and Configuration Designer
-
-Windows Imaging and Configuration Designer (Windows ICD) is a tool designed to assist with the creation of provisioning packages that can be used to dynamically configure a Windows device (PCs, tablets, and phones). This is particularly useful for setting up new devices, without the need for re-imaging the device with a custom image.
-
-
-
-Figure 4. Windows Imaging and Configuration Designer.
-
-For more information, see [Windows Imaging and Configuration Designer](https://go.microsoft.com/fwlink/p/?LinkID=525483).
-
-### Windows System Image Manager (Windows SIM)
-
-Windows SIM is an authoring tool for Unattend.xml files. When using MDT and/or Configuration Manager, you don’t need Windows SIM very often because those systems automatically update the Unattend.xml file during the deployment, greatly simplifying the process overall.
-
-
-
-Figure 5. Windows answer file opened in Windows SIM.
-
-For more information, see [Windows System Image Manager Technical Reference]( https://go.microsoft.com/fwlink/p/?LinkId=619906).
-
-### Volume Activation Management Tool (VAMT)
-
-If you don’t use KMS, you can still manage your MAKs centrally with the Volume Activation Management Tool (VAMT). With this tool, you can install and manage product keys throughout the organization. VAMT also can activate on behalf of clients without Internet access, acting as a MAK proxy.
-
-
-
-Figure 6. The updated Volume Activation Management Tool.
-
-VAMT also can be used to create reports, switch from MAK to KMS, manage Active Directory-based activation, and manage Office 2010 and Office 2013 volume activation. VAMT also supports PowerShell (instead of the old command-line tool). For example, if you want to get information from the VAMT database, you can type:
-
-``` syntax
-Get-VamtProduct
-```
-
-For more information on the VAMT, see [VAMT technical reference](https://go.microsoft.com/fwlink/p/?LinkId=619230).
-
-### Windows Preinstallation Environment (Windows PE)
-
-Windows PE is a “Lite” version of Windows 10 and was created to act as a deployment platform. Windows PE replaces the DOS or Linux boot disks that ruled the deployment solutions of the last decade.
-
-The key thing to know about Windows PE is that, like the operating system, it needs drivers for at least network and storage devices in each PC. Luckily Windows PE includes the same drivers as the full Windows 10 operating system, which means much of your hardware will work out of the box.
-
-
-
-Figure 7. A machine booted with the Windows ADK default Windows PE boot image.
-
-For more details on Windows PE, see [Windows PE (WinPE)](https://go.microsoft.com/fwlink/p/?LinkId=619233).
-
-## Windows Recovery Environment
-
-
-Windows Recovery Environment (Windows RE) is a diagnostics and recovery toolset included in Windows Vista and later operating systems. The latest version of Windows RE is based on Windows PE. You can also extend Windows RE and add your own tools if needed. If a Windows installation fails to start and Windows RE is installed, you will see an automatic failover into Windows RE.
-
-
-
-Figure 8. A Windows 10 client booted into Windows RE, showing Advanced options.
-
-For more information on Windows RE, see [Windows Recovery Environment](https://go.microsoft.com/fwlink/p/?LinkId=619236).
-
-## Windows Deployment Services
-
-
-Windows Deployment Services (WDS) has been updated and improved in several ways starting with Windows 8. Remember that the two main functions you will use are the PXE boot support and multicast. Most of the changes are related to management and increased performance. In Windows Server 2012 R2, WDS also can be used for the Network Unlock feature in BitLocker.
-
-
-
-Figure 9. Windows Deployment Services using multicast to deploy three machines.
-
-In Windows Server 2012 R2, [Windows Deployment Services](https://go.microsoft.com/fwlink/p/?LinkId=619245) can be configured for stand-alone mode or for Active Directory integration. In most scenarios, the Active Directory integration mode is the best option. WDS also has the capability to manage drivers; however, driver management through MDT and Configuration Manager is more suitable for deployment due to the flexibility offered by both solutions, so you will use them instead. In WDS, it is possible to pre-stage devices in Active Directory, but here, too, Configuration Manager has that capability built in, and MDT has the ability to use a SQL Server database for pre-staging. In most scenarios, those solutions are better than the built-in pre-staging function as they allow greater control and management.
-
-### Trivial File Transfer Protocol (TFTP) configuration
-
-In some cases, you need to modify TFTP Maximum Block Size settings for performance tuning reasons, especially when PXE traffic travels through routers and such. In the previous version of WDS, it was possible to change that, but the method of do so—editing the registry—was not user friendly. In Windows Server 2012, this has become much easier to do as it can be configured as a setting.
-
-Also, there are a few new features related to TFTP performance:
-
-- **Scalable buffer management.** Allows buffering an entire file instead of a fixed-size buffer for each client, enabling different sessions to read from the same shared buffer.
-
-- **Scalable port management.** Provides the capability to service clients with shared UDP port allocation, increasing scalability.
-
-- **Variable-size transmission window (Variable Windows Extension).** Improves TFTP performance by allowing the client and server to determine the largest workable window size.
-
-
-
-Figure 10. TFTP changes are now easy to perform.
-
-## Microsoft Deployment Toolkit
-
-
-MDT is a free deployment solution from Microsoft. It provides end-to-end guidance, best practices, and tools for planning, building, and deploying Windows operating systems. MDT builds on top of the core deployment tools in the Windows ADK by contributing guidance, reducing complexity, and adding critical features for an enterprise-ready deployment solution.
-
-MDT has two main parts: the first is Lite Touch, which is a stand-alone deployment solution; the second is Zero Touch, which is an extension to System Center 2012 R2 Configuration Manager.
-
-**Note**
-Lite Touch and Zero Touch are marketing names for the two solutions that MDT supports, and the naming has nothing to do with automation. You can fully automate the stand-alone MDT solution (Lite Touch), and you can configure the solution integration with Configuration Manager to prompt for information.
-
-
-
-
-
-Figure 11. The Deployment Workbench in, showing a task sequence.
-
-For more information on MDT, see the [Microsoft Deployment Toolkit](https://go.microsoft.com/fwlink/p/?LinkId=618117) resource center.
-
-## Microsoft Security Compliance Manager 2013
-
-
-[Microsoft SCM](https://go.microsoft.com/fwlink/p/?LinkId=619246) is a free utility used to create baseline security settings for the Windows client and server environment. The baselines can be exported and then deployed via Group Policy, local policies, MDT, or Configuration Manager. The current version of Security Compliance Manager includes baselines for Windows 8.1 and several earlier versions of Windows, Windows Server, and Internet Explorer.
-
-
-
-Figure 12. The SCM console showing a baseline configuration for a fictional client's computer security compliance.
-
-## Microsoft Desktop Optimization Pack
-
-
-MDOP is a suite of technologies available to Software Assurance customers through an additional subscription.
-
-The following components are included in the MDOP suite:
-
-- **Microsoft Application Virtualization (App-V).** App-V 5.0 provides an integrated platform, more flexible virtualization, and powerful management for virtualized applications. With the release of App-V 5.0 SP3, you have support to run virtual applications on Windows 10.
-
-- **Microsoft User Experience Virtualization (UE-V).** UE-V monitors the changes that are made by users to application settings and Windows operating system settings. The user settings are captured and centralized to a settings storage location. These settings can then be applied to the different computers that are accessed by the user, including desktop computers, laptop computers, and virtual desktop infrastructure (VDI) sessions.
-
-- **Microsoft Advanced Group Policy Management (AGPM).** AGPM enables advanced management of Group Policy objects by providing change control, offline editing, and role-based delegation.
-
-- **Microsoft Diagnostics and Recovery Toolset (DaRT).** DaRT provides additional tools that extend Windows RE to help you troubleshoot and repair your machines.
-
-- **Microsoft BitLocker Administration and Monitoring (MBAM).** MBAM is an administrator interface used to manage BitLocker drive encryption. It allows you to configure your enterprise with the correct BitLocker encryption policy options, as well as monitor compliance with these policies.
-
-For more information on the benefits of an MDOP subscription, see [Microsoft Desktop Optimization Pack](https://go.microsoft.com/fwlink/p/?LinkId=619247).
-
-## Internet Explorer Administration Kit 11
-
-
-There has been a version of IEAK for every version of Internet Explorer since 3.0. It gives you the capability to customize Internet Explorer as you would like. The end result of using IEAK is an Internet Explorer package that can be deployed unattended. The wizard creates one .exe file and one .msi file.
-
-
-
-Figure 13. The User Experience selection screen in IEAK 11.
-
-To download IEAK 11, see the [Internet Explorer Administration Kit (IEAK) Information and Downloads](https://go.microsoft.com/fwlink/p/?LinkId=619248) page.
-
-## Windows Server Update Services
-
-
-WSUS is a server role in Windows Server 2012 R2 that enables you to maintain a local repository of Microsoft updates and then distribute them to machines on your network. WSUS offers approval control and reporting of update status in your environment.
-
-
-
-Figure 14. The Windows Server Update Services console.
-
-For more information on WSUS, see the [Windows Server Update Services Overview](https://go.microsoft.com/fwlink/p/?LinkId=619249).
-
-## Unified Extensible Firmware Interface
-
-
-For many years BIOS has been the industry standard for booting a PC. BIOS has served us well, but it is time to replace it with something better. **UEFI** is the replacement for BIOS, so it is important to understand the differences between BIOS and UEFI. In this section, you learn the major differences between the two and how they affect operating system deployment.
-
-### Introduction to UEFI
-
-BIOS has been in use for approximately 30 years. Even though it clearly has proven to work, it has some limitations, including:
-
-- 16-bit code
-
-- 1 MB address space
-
-- Poor performance on ROM initialization
-
-- MBR maximum bootable disk size of 2.2 TB
-
-As the replacement to BIOS, UEFI has many features that Windows can and will use.
-
-With UEFI, you can benefit from:
-
-- **Support for large disks.** UEFI requires a GUID Partition Table (GPT) based disk, which means a limitation of roughly 16.8 million TB in disk size and more than 100 primary disks.
-
-- **Faster boot time.** UEFI does not use INT 13, and that improves boot time, especially when it comes to resuming from hibernate.
-
-- **Multicast deployment.** UEFI firmware can use multicast directly when it boots up. In WDS, MDT, and Configuration Manager scenarios, you need to first boot up a normal Windows PE in unicast and then switch into multicast. With UEFI, you can run multicast from the start.
-
-- **Compatibility with earlier BIOS.** Most of the UEFI implementations include a compatibility support module (CSM) that emulates BIOS.
-
-- **CPU-independent architecture.** Even if BIOS can run both 32- and 64-bit versions of firmware, all firmware device drivers on BIOS systems must also be 16-bit, and this affects performance. One of the reasons is the limitation in addressable memory, which is only 64 KB with BIOS.
-
-- **CPU-independent drivers.** On BIOS systems, PCI add-on cards must include a ROM that contains a separate driver for all supported CPU architectures. That is not needed for UEFI because UEFI has the ability to use EFI Byte Code (EBC) images, which allow for a processor-independent device driver environment.
-
-- **Flexible pre-operating system environment.** UEFI can perform many functions for you. You just need an UEFI application, and you can perform diagnostics and automatic repairs, and call home to report errors.
-
-- **Secure boot.** Windows 8 and later can use the UEFI firmware validation process, called secure boot, which is defined in UEFI 2.3.1. Using this process, you can ensure that UEFI launches only a verified operating system loader and that malware cannot switch the boot loader.
-
-### Versions
-
-UEFI Version 2.3.1B is the version required for Windows 8 and later logo compliance. Later versions have been released to address issues; a small number of machines may need to upgrade their firmware to fully support the UEFI implementation in Windows 8 and later.
-
-### Hardware support for UEFI
-
-In regard to UEFI, hardware is divided into four device classes:
-
-- **Class 0 devices.** This is the UEFI definition for a BIOS, or non-UEFI, device.
-
-- **Class 1 devices.** These devices behave like a standard BIOS machine, but they run EFI internally. They should be treated as normal BIOS-based machines. Class 1 devices use a CSM to emulate BIOS. These older devices are no longer manufactured.
-
-- **Class 2 devices.** These devices have the capability to behave as a BIOS- or a UEFI-based machine, and the boot process or the configuration in the firmware/BIOS determines the mode. Class 2 devices use a CSM to emulate BIOS. These are the most common type of devices currently available.
-
-- **Class 3 devices.** These are UEFI-only devices, which means you must run an operating system that supports only UEFI. Those operating systems include Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2. Windows 7 is not supported on these class 3 devices. Class 3 devices do not have a CSM to emulate BIOS.
-
-### Windows support for UEFI
-
-Microsoft started with support for EFI 1.10 on servers and then added support for UEFI on both clients and servers.
-
-With UEFI 2.3.1, there are both x86 and x64 versions of UEFI. Windows 10 supports both. However, UEFI does not support cross-platform boot. This means that a computer that has UEFI x64 can run only a 64-bit operating system, and a computer that has UEFI x86 can run only a 32-bit operating system.
-
-### How UEFI is changing operating system deployment
-
-There are many things that affect operating system deployment as soon as you run on UEFI/EFI-based hardware. Here are considerations to keep in mind when working with UEFI devices:
-
-- Switching from BIOS to UEFI in the hardware is easy, but you also need to reinstall the operating system because you need to switch from MBR/NTFS to GPT/FAT32 and NTFS.
-
-- When you deploy to a Class 2 device, make sure the boot option you select matches the setting you want to have. It is common for old machines to have several boot options for BIOS but only a few for UEFI, or vice versa.
-
-- When deploying from media, remember the media has to be FAT32 for UEFI, and FAT32 has a file-size limitation of 4GB.
-
-- UEFI does not support cross-platform booting; therefore, you need to have the correct boot media (32- or 64-bit).
-
-For more information on UEFI, see the [UEFI firmware](https://go.microsoft.com/fwlink/p/?LinkId=619251) overview and related resources.
-
-## Related topics
-
-
-
-
-[Deploy Windows To Go](deploy-windows-to-go.md)
-
-[Sideload apps in Windows 10](/windows/application-management/sideload-apps-in-windows-10)
-
-[Windows ADK for Windows 10 scenarios for IT pros](windows-adk-scenarios-for-it-pros.md)
-
-
-
-
-
-
-
-
-
+---
+title: Windows 10 deployment tools (Windows 10)
+description: To successfully deploy the Windows 10 operating system and applications for your organization, it is essential that you know about the available tools to help with the process.
+ms.assetid: 0d6cee1f-14c4-4b69-b29a-43b0b327b877
+ms.reviewer:
+manager: laurawi
+ms.audience: itpro
+author: greg-lindsay
+keywords: deploy, volume activation, BitLocker, recovery, install, installation, VAMT, MDT, USMT, WDS
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.topic: article
+---
+
+# Windows 10 deployment scenarios and tools
+
+
+To successfully deploy the Windows 10 operating system and applications for your organization, it is essential that you know about the available tools to help with the process. In this topic, you will learn about the most commonly used tools for Windows 10 deployment.
+
+Microsoft provides many tools, services, and solutions. These tools include Windows Deployment Services (WDS), the Volume Activation Management Tool (VAMT), the User State Migration Tool (USMT), Windows System Image Manager (Windows SIM), Windows Preinstallation Environment (Windows PE), and Windows Recovery Environment (Windows RE). Keep in mind that these are just tools and not a complete solution on their own. It’s when you combine these tools with solutions like [Microsoft Deployment Toolkit (MDT)](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md) or [Microsoft System Center 2012 R2 Configuration Manager](deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) that you get the complete deployment solution.
+
+In this topic, you also learn about different types of reference images that you can build, and why reference images are beneficial for most organizations
+
+## Windows Assessment and Deployment Kit
+
+
+Windows ADK contains core assessment and deployment tools and technologies, including Deployment Image Servicing and Management (DISM), Windows Imaging and Configuration Designer (Windows ICD), Windows System Image Manager (Windows SIM), User State Migration Tool (USMT), Volume Activation Management Tool (VAMT), Windows Preinstallation Environment (Windows PE), Windows Assessment Services, Windows Performance Toolkit (WPT), Application Compatibility Toolkit (ACT), and Microsoft SQL Server 2012 Express. For more details, see [Windows ADK for Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=526803 ) or [Windows ADK for Windows 10 scenarios for IT Pros](windows-adk-scenarios-for-it-pros.md).
+
+
+
+Figure 1. The Windows 10 ADK feature selection page.
+
+### Deployment Image Servicing and Management (DISM)
+
+DISM is one of the deployment tools included in the Windows ADK and is used for capturing, servicing, and deploying boot images and operating system images.
+
+DISM services online and offline images. For example, with DISM you can install the Microsoft .NET Framework 3.5.1 in Windows 10 online, which means that you can start the installation in the running operating system, not that you get the software online. The /LimitAccess switch configures DISM to get the files only from a local source:
+
+``` syntax
+Dism.exe /Online /Enable-Feature /FeatureName:NetFX3 /All /Source:D:\Sources\SxS /LimitAccess
+```
+
+In Windows 10, you can use Windows PowerShell for many of the functions performed by DISM.exe. The equivalent command in Windows 10 using PowerShell is:
+
+``` syntax
+Enable-WindowsOptionalFeature -Online -FeatureName NetFx3 -All
+-Source D:\Sources\SxS -LimitAccess
+```
+
+
+
+Figure 2. Using DISM functions in PowerShell.
+
+For more information on DISM, see [DISM technical reference](https://go.microsoft.com/fwlink/p/?LinkId=619161).
+
+### User State Migration Tool (USMT)
+
+USMT is a backup and restore tool that allows you to migrate user state, data, and settings from one installation to another. Microsoft Deployment Toolkit (MDT) and System Center 2012 R2 Configuration Manager use USMT as part of the operating system deployment process.
+
+**Note**
+Occasionally, we find that customers are wary of USMT because they believe it requires significant configuration, but, as you will learn below, using USMT is not difficult. If you use MDT and Lite Touch to deploy your machines, the USMT feature is automatically configured and extended so that it is easy to use. With MDT, you do nothing at all and USMT just works.
+
+
+
+USMT includes several command-line tools, the most important of which are ScanState and LoadState:
+
+- **ScanState.exe.** This performs the user-state backup.
+
+- **LoadState.exe.** This performs the user-state restore.
+
+- **UsmtUtils.exe.** This supplements the functionality in ScanState.exe and LoadState.exe.
+
+In addition to these tools, there are also XML templates that manage which data is migrated. You can customize the templates, or create new ones, to manage the backup process at a high level of detail. USMT uses the following terms for its templates:
+
+- **Migration templates.** The default templates in USMT.
+
+- **Custom templates.** Custom templates that you create.
+
+- **Config template.** An optional template, called Config.xml, which you can use to exclude or include components in a migration without modifying the other standard XML templates.
+
+
+
+Figure 3. A sample USMT migration file that will exclude .MP3 files on all local drives and include the folder C:\\Data and all its files, including its subdirectories and their files.
+
+USMT supports capturing data and settings from Windows Vista and later, and restoring the data and settings to Windows 7 and later (including Windows 10 in both cases). It also supports migrating from a 32-bit operating system to a 64-bit operating system, but not the other way around. For example, you can use USMT to migrate from Windows 7 x86 to Windows 10 x64.
+
+By default USMT migrates many settings, most of which are related to the user profile but also to Control Panel configurations, file types, and more. The default templates that are used in Windows 10 deployments are MigUser.xml and MigApp.xml. These two default templates migrate the following data and settings:
+
+- Folders from each profile, including those from user profiles as well as shared and public profiles. For example, the My Documents, My Video, My Music, My Pictures, desktop files, Start menu, Quick Launch settings, and Favorites folders are migrated.
+
+- Specific file types. USMT templates migrate the following file types: .accdb, .ch3, .csv, .dif, .doc\*, .dot\*, .dqy, .iqy, .mcw, .mdb\*, .mpp, .one\*, .oqy, .or6, .pot\*, .ppa, .pps\*, .ppt\*, .pre, .pst, .pub, .qdf, .qel, .qph, .qsd, .rqy, .rtf, .scd, .sh3, .slk, .txt, .vl\*, .vsd, .wk\*, .wpd, .wps, .wq1, .wri, .xl\*, .xla, .xlb, .xls\*.
+
+ **Note**
+ The OpenDocument extensions (\*.odt, \*.odp, \*.ods, etc.) that Microsoft Office applications can use are not migrated by default.
+
+
+
+- Operating system component settings
+
+- Application settings
+
+These are the settings migrated by the default MigUser.xml and MigApp.xml templates. For more details on what USMT migrates, see [What does USMT migrate?](https://go.microsoft.com/fwlink/p/?LinkId=619227) For more information on the USMT overall, see the [USMT technical reference](https://go.microsoft.com/fwlink/p/?LinkId=619228).
+
+### Windows Imaging and Configuration Designer
+
+Windows Imaging and Configuration Designer (Windows ICD) is a tool designed to assist with the creation of provisioning packages that can be used to dynamically configure a Windows device (PCs, tablets, and phones). This is particularly useful for setting up new devices, without the need for re-imaging the device with a custom image.
+
+
+
+Figure 4. Windows Imaging and Configuration Designer.
+
+For more information, see [Windows Imaging and Configuration Designer](https://go.microsoft.com/fwlink/p/?LinkID=525483).
+
+### Windows System Image Manager (Windows SIM)
+
+Windows SIM is an authoring tool for Unattend.xml files. When using MDT and/or Configuration Manager, you don’t need Windows SIM very often because those systems automatically update the Unattend.xml file during the deployment, greatly simplifying the process overall.
+
+
+
+Figure 5. Windows answer file opened in Windows SIM.
+
+For more information, see [Windows System Image Manager Technical Reference]( https://go.microsoft.com/fwlink/p/?LinkId=619906).
+
+### Volume Activation Management Tool (VAMT)
+
+If you don’t use KMS, you can still manage your MAKs centrally with the Volume Activation Management Tool (VAMT). With this tool, you can install and manage product keys throughout the organization. VAMT also can activate on behalf of clients without Internet access, acting as a MAK proxy.
+
+
+
+Figure 6. The updated Volume Activation Management Tool.
+
+VAMT also can be used to create reports, switch from MAK to KMS, manage Active Directory-based activation, and manage Office 2010 and Office 2013 volume activation. VAMT also supports PowerShell (instead of the old command-line tool). For example, if you want to get information from the VAMT database, you can type:
+
+``` syntax
+Get-VamtProduct
+```
+
+For more information on the VAMT, see [VAMT technical reference](https://go.microsoft.com/fwlink/p/?LinkId=619230).
+
+### Windows Preinstallation Environment (Windows PE)
+
+Windows PE is a “Lite” version of Windows 10 and was created to act as a deployment platform. Windows PE replaces the DOS or Linux boot disks that ruled the deployment solutions of the last decade.
+
+The key thing to know about Windows PE is that, like the operating system, it needs drivers for at least network and storage devices in each PC. Luckily Windows PE includes the same drivers as the full Windows 10 operating system, which means much of your hardware will work out of the box.
+
+
+
+Figure 7. A machine booted with the Windows ADK default Windows PE boot image.
+
+For more details on Windows PE, see [Windows PE (WinPE)](https://go.microsoft.com/fwlink/p/?LinkId=619233).
+
+## Windows Recovery Environment
+
+
+Windows Recovery Environment (Windows RE) is a diagnostics and recovery toolset included in Windows Vista and later operating systems. The latest version of Windows RE is based on Windows PE. You can also extend Windows RE and add your own tools if needed. If a Windows installation fails to start and Windows RE is installed, you will see an automatic failover into Windows RE.
+
+
+
+Figure 8. A Windows 10 client booted into Windows RE, showing Advanced options.
+
+For more information on Windows RE, see [Windows Recovery Environment](https://go.microsoft.com/fwlink/p/?LinkId=619236).
+
+## Windows Deployment Services
+
+
+Windows Deployment Services (WDS) has been updated and improved in several ways starting with Windows 8. Remember that the two main functions you will use are the PXE boot support and multicast. Most of the changes are related to management and increased performance. In Windows Server 2012 R2, WDS also can be used for the Network Unlock feature in BitLocker.
+
+
+
+Figure 9. Windows Deployment Services using multicast to deploy three machines.
+
+In Windows Server 2012 R2, [Windows Deployment Services](https://go.microsoft.com/fwlink/p/?LinkId=619245) can be configured for stand-alone mode or for Active Directory integration. In most scenarios, the Active Directory integration mode is the best option. WDS also has the capability to manage drivers; however, driver management through MDT and Configuration Manager is more suitable for deployment due to the flexibility offered by both solutions, so you will use them instead. In WDS, it is possible to pre-stage devices in Active Directory, but here, too, Configuration Manager has that capability built in, and MDT has the ability to use a SQL Server database for pre-staging. In most scenarios, those solutions are better than the built-in pre-staging function as they allow greater control and management.
+
+### Trivial File Transfer Protocol (TFTP) configuration
+
+In some cases, you need to modify TFTP Maximum Block Size settings for performance tuning reasons, especially when PXE traffic travels through routers and such. In the previous version of WDS, it was possible to change that, but the method of do so—editing the registry—was not user friendly. In Windows Server 2012, this has become much easier to do as it can be configured as a setting.
+
+Also, there are a few new features related to TFTP performance:
+
+- **Scalable buffer management.** Allows buffering an entire file instead of a fixed-size buffer for each client, enabling different sessions to read from the same shared buffer.
+
+- **Scalable port management.** Provides the capability to service clients with shared UDP port allocation, increasing scalability.
+
+- **Variable-size transmission window (Variable Windows Extension).** Improves TFTP performance by allowing the client and server to determine the largest workable window size.
+
+
+
+Figure 10. TFTP changes are now easy to perform.
+
+## Microsoft Deployment Toolkit
+
+
+MDT is a free deployment solution from Microsoft. It provides end-to-end guidance, best practices, and tools for planning, building, and deploying Windows operating systems. MDT builds on top of the core deployment tools in the Windows ADK by contributing guidance, reducing complexity, and adding critical features for an enterprise-ready deployment solution.
+
+MDT has two main parts: the first is Lite Touch, which is a stand-alone deployment solution; the second is Zero Touch, which is an extension to System Center 2012 R2 Configuration Manager.
+
+**Note**
+Lite Touch and Zero Touch are marketing names for the two solutions that MDT supports, and the naming has nothing to do with automation. You can fully automate the stand-alone MDT solution (Lite Touch), and you can configure the solution integration with Configuration Manager to prompt for information.
+
+
+
+
+
+Figure 11. The Deployment Workbench in, showing a task sequence.
+
+For more information on MDT, see the [Microsoft Deployment Toolkit](https://go.microsoft.com/fwlink/p/?LinkId=618117) resource center.
+
+## Microsoft Security Compliance Manager 2013
+
+
+[Microsoft SCM](https://go.microsoft.com/fwlink/p/?LinkId=619246) is a free utility used to create baseline security settings for the Windows client and server environment. The baselines can be exported and then deployed via Group Policy, local policies, MDT, or Configuration Manager. The current version of Security Compliance Manager includes baselines for Windows 8.1 and several earlier versions of Windows, Windows Server, and Internet Explorer.
+
+
+
+Figure 12. The SCM console showing a baseline configuration for a fictional client's computer security compliance.
+
+## Microsoft Desktop Optimization Pack
+
+
+MDOP is a suite of technologies available to Software Assurance customers through an additional subscription.
+
+The following components are included in the MDOP suite:
+
+- **Microsoft Application Virtualization (App-V).** App-V 5.0 provides an integrated platform, more flexible virtualization, and powerful management for virtualized applications. With the release of App-V 5.0 SP3, you have support to run virtual applications on Windows 10.
+
+- **Microsoft User Experience Virtualization (UE-V).** UE-V monitors the changes that are made by users to application settings and Windows operating system settings. The user settings are captured and centralized to a settings storage location. These settings can then be applied to the different computers that are accessed by the user, including desktop computers, laptop computers, and virtual desktop infrastructure (VDI) sessions.
+
+- **Microsoft Advanced Group Policy Management (AGPM).** AGPM enables advanced management of Group Policy objects by providing change control, offline editing, and role-based delegation.
+
+- **Microsoft Diagnostics and Recovery Toolset (DaRT).** DaRT provides additional tools that extend Windows RE to help you troubleshoot and repair your machines.
+
+- **Microsoft BitLocker Administration and Monitoring (MBAM).** MBAM is an administrator interface used to manage BitLocker drive encryption. It allows you to configure your enterprise with the correct BitLocker encryption policy options, as well as monitor compliance with these policies.
+
+For more information on the benefits of an MDOP subscription, see [Microsoft Desktop Optimization Pack](https://go.microsoft.com/fwlink/p/?LinkId=619247).
+
+## Internet Explorer Administration Kit 11
+
+
+There has been a version of IEAK for every version of Internet Explorer since 3.0. It gives you the capability to customize Internet Explorer as you would like. The end result of using IEAK is an Internet Explorer package that can be deployed unattended. The wizard creates one .exe file and one .msi file.
+
+
+
+Figure 13. The User Experience selection screen in IEAK 11.
+
+To download IEAK 11, see the [Internet Explorer Administration Kit (IEAK) Information and Downloads](https://go.microsoft.com/fwlink/p/?LinkId=619248) page.
+
+## Windows Server Update Services
+
+
+WSUS is a server role in Windows Server 2012 R2 that enables you to maintain a local repository of Microsoft updates and then distribute them to machines on your network. WSUS offers approval control and reporting of update status in your environment.
+
+
+
+Figure 14. The Windows Server Update Services console.
+
+For more information on WSUS, see the [Windows Server Update Services Overview](https://go.microsoft.com/fwlink/p/?LinkId=619249).
+
+## Unified Extensible Firmware Interface
+
+
+For many years BIOS has been the industry standard for booting a PC. BIOS has served us well, but it is time to replace it with something better. **UEFI** is the replacement for BIOS, so it is important to understand the differences between BIOS and UEFI. In this section, you learn the major differences between the two and how they affect operating system deployment.
+
+### Introduction to UEFI
+
+BIOS has been in use for approximately 30 years. Even though it clearly has proven to work, it has some limitations, including:
+
+- 16-bit code
+
+- 1 MB address space
+
+- Poor performance on ROM initialization
+
+- MBR maximum bootable disk size of 2.2 TB
+
+As the replacement to BIOS, UEFI has many features that Windows can and will use.
+
+With UEFI, you can benefit from:
+
+- **Support for large disks.** UEFI requires a GUID Partition Table (GPT) based disk, which means a limitation of roughly 16.8 million TB in disk size and more than 100 primary disks.
+
+- **Faster boot time.** UEFI does not use INT 13, and that improves boot time, especially when it comes to resuming from hibernate.
+
+- **Multicast deployment.** UEFI firmware can use multicast directly when it boots up. In WDS, MDT, and Configuration Manager scenarios, you need to first boot up a normal Windows PE in unicast and then switch into multicast. With UEFI, you can run multicast from the start.
+
+- **Compatibility with earlier BIOS.** Most of the UEFI implementations include a compatibility support module (CSM) that emulates BIOS.
+
+- **CPU-independent architecture.** Even if BIOS can run both 32- and 64-bit versions of firmware, all firmware device drivers on BIOS systems must also be 16-bit, and this affects performance. One of the reasons is the limitation in addressable memory, which is only 64 KB with BIOS.
+
+- **CPU-independent drivers.** On BIOS systems, PCI add-on cards must include a ROM that contains a separate driver for all supported CPU architectures. That is not needed for UEFI because UEFI has the ability to use EFI Byte Code (EBC) images, which allow for a processor-independent device driver environment.
+
+- **Flexible pre-operating system environment.** UEFI can perform many functions for you. You just need an UEFI application, and you can perform diagnostics and automatic repairs, and call home to report errors.
+
+- **Secure boot.** Windows 8 and later can use the UEFI firmware validation process, called secure boot, which is defined in UEFI 2.3.1. Using this process, you can ensure that UEFI launches only a verified operating system loader and that malware cannot switch the boot loader.
+
+### Versions
+
+UEFI Version 2.3.1B is the version required for Windows 8 and later logo compliance. Later versions have been released to address issues; a small number of machines may need to upgrade their firmware to fully support the UEFI implementation in Windows 8 and later.
+
+### Hardware support for UEFI
+
+In regard to UEFI, hardware is divided into four device classes:
+
+- **Class 0 devices.** This is the UEFI definition for a BIOS, or non-UEFI, device.
+
+- **Class 1 devices.** These devices behave like a standard BIOS machine, but they run EFI internally. They should be treated as normal BIOS-based machines. Class 1 devices use a CSM to emulate BIOS. These older devices are no longer manufactured.
+
+- **Class 2 devices.** These devices have the capability to behave as a BIOS- or a UEFI-based machine, and the boot process or the configuration in the firmware/BIOS determines the mode. Class 2 devices use a CSM to emulate BIOS. These are the most common type of devices currently available.
+
+- **Class 3 devices.** These are UEFI-only devices, which means you must run an operating system that supports only UEFI. Those operating systems include Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2. Windows 7 is not supported on these class 3 devices. Class 3 devices do not have a CSM to emulate BIOS.
+
+### Windows support for UEFI
+
+Microsoft started with support for EFI 1.10 on servers and then added support for UEFI on both clients and servers.
+
+With UEFI 2.3.1, there are both x86 and x64 versions of UEFI. Windows 10 supports both. However, UEFI does not support cross-platform boot. This means that a computer that has UEFI x64 can run only a 64-bit operating system, and a computer that has UEFI x86 can run only a 32-bit operating system.
+
+### How UEFI is changing operating system deployment
+
+There are many things that affect operating system deployment as soon as you run on UEFI/EFI-based hardware. Here are considerations to keep in mind when working with UEFI devices:
+
+- Switching from BIOS to UEFI in the hardware is easy, but you also need to reinstall the operating system because you need to switch from MBR/NTFS to GPT/FAT32 and NTFS.
+
+- When you deploy to a Class 2 device, make sure the boot option you select matches the setting you want to have. It is common for old machines to have several boot options for BIOS but only a few for UEFI, or vice versa.
+
+- When deploying from media, remember the media has to be FAT32 for UEFI, and FAT32 has a file-size limitation of 4GB.
+
+- UEFI does not support cross-platform booting; therefore, you need to have the correct boot media (32- or 64-bit).
+
+For more information on UEFI, see the [UEFI firmware](https://go.microsoft.com/fwlink/p/?LinkId=619251) overview and related resources.
+
+## Related topics
+
+
+
+
+[Deploy Windows To Go](deploy-windows-to-go.md)
+
+[Sideload apps in Windows 10](/windows/application-management/sideload-apps-in-windows-10)
+
+[Windows ADK for Windows 10 scenarios for IT pros](windows-adk-scenarios-for-it-pros.md)
+
+
+
+
+
+
+
+
+
diff --git a/windows/docfx.json b/windows/docfx.json
index 0e7c823b17..21cba6820f 100644
--- a/windows/docfx.json
+++ b/windows/docfx.json
@@ -15,6 +15,7 @@
],
"globalMetadata": {
"ROBOTS": "INDEX, FOLLOW",
+ "audience": "ITPro",
"breadcrumb_path": "/itpro/windows/breadcrumb/toc.json",
"_op_documentIdPathDepotMapping": {
"./": {
diff --git a/windows/hub/docfx.json b/windows/hub/docfx.json
index 78a9eb10fb..b850fee41f 100644
--- a/windows/hub/docfx.json
+++ b/windows/hub/docfx.json
@@ -34,6 +34,7 @@
"overwrite": [],
"externalReference": [],
"globalMetadata": {
+ "audience": "ITPro",
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
"ms.technology": "windows",
"ms.topic": "article",
diff --git a/windows/hub/index.md b/windows/hub/index.md
index c9bfdfd89d..d9e3556000 100644
--- a/windows/hub/index.md
+++ b/windows/hub/index.md
@@ -7,9 +7,8 @@ ms.localizationpriority: high
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-ms.date: 07/16/2019
ms.author: dansimp
-ms.date: 09/03/2018
+author: dansimp
ms.reviewer: dansimp
manager: dansimp
---
diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md
index 54f9081648..f7e901603e 100644
--- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md
+++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md
@@ -8,7 +8,7 @@ ms.sitesec: library
ms.pagetype: security
localizationpriority: high
author: brianlic-msft
-ms.author: brianlic
+ms.author: dansimp
manager: dansimp
ms.collection: M365-security-compliance
ms.topic: article
diff --git a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md
index acef50c475..aed5ac00b0 100644
--- a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md
+++ b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md
@@ -36,12 +36,12 @@ At Microsoft, we use Windows diagnostic data to inform our decisions and focus o
To frame a discussion about diagnostic data, it is important to understand Microsoft’s privacy principles. We earn customer trust every day by focusing on six key privacy principles as described at [privacy.microsoft.com](https://privacy.microsoft.com/). These principles guided the implementation of the Windows diagnostic data system in the following ways:
-- **Control.** We offer customers control of the diagnostic data they share with us by providing easy-to-use management tools.
-- **Transparency.** We provide information about the diagnostic data that Windows and Windows Server collects so our customers can make informed decisions.
-- **Security.** We encrypt diagnostic data in transit from your device via TLS 1.2, and additionally use certificate pinning to secure the connection.
-- **Strong legal protections.** We respect customers’ local privacy laws and fight for legal protection of their privacy as a fundamental human right.
-- **No content-based targeting.** We take steps to avoid and minimize the collection of customer content, such as the content of files, chats, or emails, through the Windows diagnostic data system. Customer content inadvertently collected is kept confidential and not used for user targeting.
-- **Benefits to you.** We collect Windows diagnostic data to help provide you with an up-to-date, more secure, reliable and performant product, and to improve Windows for all our customers.
+- **Control.** We offer customers control of the diagnostic data they share with us by providing easy-to-use management tools.
+- **Transparency.** We provide information about the diagnostic data that Windows and Windows Server collects so our customers can make informed decisions.
+- **Security.** We encrypt diagnostic data in transit from your device via TLS 1.2, and additionally use certificate pinning to secure the connection.
+- **Strong legal protections.** We respect customers’ local privacy laws and fight for legal protection of their privacy as a fundamental human right.
+- **No content-based targeting.** We take steps to avoid and minimize the collection of customer content, such as the content of files, chats, or emails, through the Windows diagnostic data system. Customer content inadvertently collected is kept confidential and not used for user targeting.
+- **Benefits to you.** We collect Windows diagnostic data to help provide you with an up-to-date, more secure, reliable and performant product, and to improve Windows for all our customers.
In previous versions of Windows and Windows Server, Microsoft used diagnostic data to check for updated or new Windows Defender signatures, check whether Windows Update installations were successful, gather reliability information through the Reliability Analysis Component (RAC), and gather reliability information through the Windows Customer Experience Improvement Program (CEIP) on Windows. In Windows 10 and Windows Server, you can control diagnostic data streams by using the Privacy option in Settings, Group Policy, or MDM.
@@ -56,16 +56,16 @@ The release cadence of Windows may be fast, so feedback is critical to its succe
### What is Windows diagnostic data?
Windows diagnostic data is vital technical data from Windows devices about the device and how Windows and related software are performing. It's used in the following ways:
-- Keep Windows up to date
-- Keep Windows secure, reliable, and performant
-- Improve Windows – through the aggregate analysis of the use of Windows
-- Personalize Windows engagement surfaces
+- Keep Windows up to date
+- Keep Windows secure, reliable, and performant
+- Improve Windows – through the aggregate analysis of the use of Windows
+- Personalize Windows engagement surfaces
Here are some specific examples of Windows diagnostic data:
-- Type of hardware being used
-- Applications installed and usage details
-- Reliability information on device drivers
+- Type of hardware being used
+- Applications installed and usage details
+- Reliability information on device drivers
### What is NOT diagnostic data?
@@ -96,9 +96,9 @@ There was a version of a video driver that was crashing on some devices running
Windows diagnostic data also helps Microsoft better understand how customers use (or do not use) the operating system’s features and related services. The insights we gain from this data helps us prioritize our engineering effort to directly impact our customers’ experiences. Examples are:
-- **Start menu.** How do people change the Start menu layout? Do they pin other apps to it? Are there any apps that they frequently unpin? We use this dataset to adjust the default Start menu layout to better reflect people’s expectations when they turn on their device for the first time.
-- **Cortana.** We use diagnostic data to monitor the scalability of our cloud service, improving search performance.
-- **Application switching.** Research and observations from earlier Windows versions showed that people rarely used Alt+Tab to switch between applications. After discussing this with some users, we learned they loved the feature, saying that it would be highly productive, but they did not know about it previously. Based on this, we created the Task View button in Windows 10 to make this feature more discoverable. Later diagnostic data showed significantly higher usage of this feature.
+- **Start menu.** How do people change the Start menu layout? Do they pin other apps to it? Are there any apps that they frequently unpin? We use this dataset to adjust the default Start menu layout to better reflect people’s expectations when they turn on their device for the first time.
+- **Cortana.** We use diagnostic data to monitor the scalability of our cloud service, improving search performance.
+- **Application switching.** Research and observations from earlier Windows versions showed that people rarely used Alt+Tab to switch between applications. After discussing this with some users, we learned they loved the feature, saying that it would be highly productive, but they did not know about it previously. Based on this, we created the Task View button in Windows 10 to make this feature more discoverable. Later diagnostic data showed significantly higher usage of this feature.
**These examples show how the use of diagnostic data enables Microsoft to build or enhance features which can help organizations increase employee productivity while lowering help desk calls.**
diff --git a/windows/privacy/diagnostic-data-viewer-overview.md b/windows/privacy/diagnostic-data-viewer-overview.md
index 8577fea884..7ebad52ee8 100644
--- a/windows/privacy/diagnostic-data-viewer-overview.md
+++ b/windows/privacy/diagnostic-data-viewer-overview.md
@@ -42,10 +42,10 @@ Before you can use this tool for viewing Windows diagnostic data, you must turn
### Download the Diagnostic Data Viewer
-Download the app from the [Microsoft Store Diagnostic Data Viewer](https://www.microsoft.com/en-us/store/p/diagnostic-data-viewer/9n8wtrrsq8f7?rtc=1) page.
+Download the app from the [Microsoft Store Diagnostic Data Viewer](https://www.microsoft.com/store/p/diagnostic-data-viewer/9n8wtrrsq8f7?rtc=1) page.
- >[!Important]
- >It's possible that your Windows machine may not have the Microsoft Store available (e.g. Windows Server). If this is the case, please check out [Diagnostic Data Viewer for PowerShell](https://go.microsoft.com/fwlink/?linkid=2094264).
+ >[!Important]
+ >It's possible that your Windows device doesn't have the Microsoft Store available (for example, Windows Server). If this is the case, see [Diagnostic Data Viewer for PowerShell](https://go.microsoft.com/fwlink/?linkid=2023830).
### Start the Diagnostic Data Viewer
You can start this app from the **Settings** panel.
diff --git a/windows/privacy/docfx.json b/windows/privacy/docfx.json
index 5a6da07e0b..55e655b1dc 100644
--- a/windows/privacy/docfx.json
+++ b/windows/privacy/docfx.json
@@ -34,6 +34,7 @@
"globalMetadata": {
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
"ms.technology": "windows",
+ "audience": "ITPro",
"ms.topic": "article",
"feedback_system": "GitHub",
"feedback_github_repo": "MicrosoftDocs/windows-itpro-docs",
diff --git a/windows/privacy/gdpr-it-guidance.md b/windows/privacy/gdpr-it-guidance.md
index 088f0adccd..f142ad0677 100644
--- a/windows/privacy/gdpr-it-guidance.md
+++ b/windows/privacy/gdpr-it-guidance.md
@@ -74,7 +74,7 @@ For example, when an organization is using Microsoft Windows Defender Advanced T
#### Processor scenario
-In the controller scenario described above, Microsoft is a *processor* because Microsoft provides data processing services to that controller (in the given example, an organization that subscribed to Windows Defender ATP and enabled it for the user’s device). As processor, Microsoft only processes data on behalf of the enterprise customer and does not have the right to process data beyond their instructions as specified in a written contract, such as the [Microsoft Product Terms and the Microsoft Online Services Terms (OST)](https://www.microsoft.com/en-us/licensing/product-licensing/products.aspx).
+In the controller scenario described above, Microsoft is a *processor* because Microsoft provides data processing services to that controller (in the given example, an organization that subscribed to Windows Defender ATP and enabled it for the user’s device). As processor, Microsoft only processes data on behalf of the enterprise customer and does not have the right to process data beyond their instructions as specified in a written contract, such as the [Microsoft Product Terms and the Microsoft Online Services Terms (OST)](https://www.microsoft.com/licensing/product-licensing/products.aspx).
## GDPR relationship between a Windows 10 user and Microsoft
@@ -120,11 +120,11 @@ Diagnostic data is categorized into the levels "Security", "Basic", "Enhanced",
Most Windows 10 services are controller services in terms of the GDPR – for both Windows functional data and Windows diagnostic data. But there are a few Windows services where Microsoft is a processor for functional data under the GDPR, such as [Windows Analytics](https://www.microsoft.com/windowsforbusiness/windows-analytics) and [Windows Defender Advanced Threat Protection (ATP)](https://www.microsoft.com/windowsforbusiness/windows-atp).
>[!NOTE]
->Both Windows Analytics and Windows Defender ATP are subscription services for organizations. Some functionality requires a certain license (please see [Compare Windows 10 editions](https://www.microsoft.com/en-us/windowsforbusiness/compare)).
+>Both Windows Analytics and Windows Defender ATP are subscription services for organizations. Some functionality requires a certain license (please see [Compare Windows 10 editions](https://www.microsoft.com/windowsforbusiness/compare)).
#### Windows Analytics
-[Windows Analytics](https://www.microsoft.com/en-us/windowsforbusiness/windows-analytics) is a service that provides rich, actionable information for helping organizations to gain deep insights into the operational efficiency and health of the Windows devices in their environment. It uses Windows diagnostic data from devices enrolled by the IT organization of an enterprise into the Windows Analytics service.
+[Windows Analytics](https://www.microsoft.com/windowsforbusiness/windows-analytics) is a service that provides rich, actionable information for helping organizations to gain deep insights into the operational efficiency and health of the Windows devices in their environment. It uses Windows diagnostic data from devices enrolled by the IT organization of an enterprise into the Windows Analytics service.
Windows [transmits Windows diagnostic data](enhanced-diagnostic-data-windows-analytics-events-and-fields.md) to Microsoft datacenters, where that data is analyzed and stored. With Windows Analytics, the IT organization can then view the analyzed data to detect and fix issues or to improve their processes for upgrading to Windows 10.
@@ -137,7 +137,7 @@ As a result, in terms of the GDPR, the organization that has subscribed to Windo
#### Windows Defender ATP
-[Windows Defender ATP](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp) is cloud-based service that collects and analyzes usage data from an organization’s devices to detect security threats. Some of the data can contain personal data as defined by the GDPR. Enrolled devices transmit usage data to Microsoft datacenters, where that data is analyzed, processed, and stored. The security operations center (SOC) of the organization can view the analyzed data using the [Windows Defender ATP portal](https://securitycenter.windows.com/).
+[Windows Defender ATP](https://www.microsoft.com/WindowsForBusiness/windows-atp) is cloud-based service that collects and analyzes usage data from an organization’s devices to detect security threats. Some of the data can contain personal data as defined by the GDPR. Enrolled devices transmit usage data to Microsoft datacenters, where that data is analyzed, processed, and stored. The security operations center (SOC) of the organization can view the analyzed data using the [Windows Defender ATP portal](https://securitycenter.windows.com/).
As a result, in terms of the GDPR, the organization that has subscribed to Windows Defender ATP is acting as the controller, while Microsoft is the processor for Windows Defender ATP.
@@ -159,7 +159,7 @@ The following table lists in what GDPR mode – controller or processor – Wind
*/*Depending on which application/feature this is referring to.*
-## Windows diagnostic data and Windows 10
+## Windows diagnostic data and Windows 10
### Recommended Windows 10 settings
@@ -285,7 +285,7 @@ To make it easier to deploy settings that restrict connections from Windows 10 a
### Microsoft Trust Center and Service Trust Portal
-Please visit our [GDPR section of the Microsoft Trust Center](https://www.microsoft.com/en-us/trustcenter/privacy/gdpr) to obtain additional resources and to learn more about how Microsoft can help you fulfill specific GDPR requirements. There you can find lots of useful information about the GDPR, including how Microsoft is helping customers to successfully master the GDPR, a FAQ list, and a list of [resources for GDPR compliance](https://www.microsoft.com/en-us/TrustCenter/Privacy/gdpr/resources). Also, please check out the [Compliance Manager](https://aka.ms/compliancemanager) of the Microsoft [Service Trust Portal (STP)](https://aka.ms/stp) and [Get Started: Support for GDPR Accountability](https://servicetrust.microsoft.com/ViewPage/GDPRGetStarted).
+Please visit our [GDPR section of the Microsoft Trust Center](https://www.microsoft.com/trustcenter/privacy/gdpr) to obtain additional resources and to learn more about how Microsoft can help you fulfill specific GDPR requirements. There you can find lots of useful information about the GDPR, including how Microsoft is helping customers to successfully master the GDPR, a FAQ list, and a list of [resources for GDPR compliance](https://www.microsoft.com/TrustCenter/Privacy/gdpr/resources). Also, please check out the [Compliance Manager](https://aka.ms/compliancemanager) of the Microsoft [Service Trust Portal (STP)](https://aka.ms/stp) and [Get Started: Support for GDPR Accountability](https://servicetrust.microsoft.com/ViewPage/GDPRGetStarted).
### Additional resources
diff --git a/windows/privacy/gdpr-win10-whitepaper.md b/windows/privacy/gdpr-win10-whitepaper.md
index 4797029729..259561932e 100644
--- a/windows/privacy/gdpr-win10-whitepaper.md
+++ b/windows/privacy/gdpr-win10-whitepaper.md
@@ -30,7 +30,7 @@ Microsoft and our customers are now on a journey to achieve the privacy goals of
We have outlined our commitment to the GDPR and how we are supporting our customers within the [Get GDPR compliant with the Microsoft Cloud](https://blogs.microsoft.com/on-the-issues/2017/02/15/get-gdpr-compliant-with-the-microsoft-cloud/#hv52B68OZTwhUj2c.99) blog post by our Chief Privacy Officer [Brendon Lynch](https://blogs.microsoft.com/on-the-issues/author/brendonlynch/) and the [Earning your trust with contractual commitments to the General Data Protection Regulation](https://blogs.microsoft.com/on-the-issues/2017/04/17/earning-trust-contractual-commitments-general-data-protection-regulation/#6QbqoGWXCLavGM63.99)” blog post by [Rich Sauer](https://blogs.microsoft.com/on-the-issues/author/rsauer/) - Microsoft Corporate Vice President & Deputy General Counsel.
-Although your journey to GDPR-compliance may seem challenging, we're here to help you. For specific information about the GDPR, our commitments and how to begin your journey, please visit the [GDPR section of the Microsoft Trust Center](https://www.microsoft.com/en-us/trustcenter/privacy/gdpr).
+Although your journey to GDPR-compliance may seem challenging, we're here to help you. For specific information about the GDPR, our commitments and how to begin your journey, please visit the [GDPR section of the Microsoft Trust Center](https://www.microsoft.com/trustcenter/privacy/gdpr).
## GDPR and its implications
The GDPR is a complex regulation that may require significant changes in how you gather, use and manage personal data. Microsoft has a long history of helping our customers comply with complex regulations, and when it comes to preparing for the GDPR, we are your partner on this journey.
@@ -82,7 +82,7 @@ Given how much is involved to become GDPR-compliant, we strongly recommend that
-For each of the steps, we've outlined example tools, resources, and features in various Microsoft solutions, which can be used to help you address the requirements of that step. While this article isn't a comprehensive “how to,” we've included links for you to find out more details, and more information is available in the [GDPR section of the Microsoft Trust Center](https://www.microsoft.com/en-us/trustcenter/privacy/gdpr).
+For each of the steps, we've outlined example tools, resources, and features in various Microsoft solutions, which can be used to help you address the requirements of that step. While this article isn't a comprehensive “how to,” we've included links for you to find out more details, and more information is available in the [GDPR section of the Microsoft Trust Center](https://www.microsoft.com/trustcenter/privacy/gdpr).
## Windows 10 security and privacy
As you work to comply with the GDPR, understanding the role of your desktop and laptop client machines in creating, accessing, processing, storing and managing data that may qualify as personal and potentially sensitive data under the GDPR is important. Windows 10 provides capabilities that will help you comply with the GDPR requirements to implement appropriate technical and organizational security measures to protect personal data.
@@ -105,11 +105,11 @@ A key provision within the GDPR is data protection by design and by default, and
The chip includes multiple physical security mechanisms to make it tamper resistant, and malicious software is unable to tamper with the security functions of the TPM. Some of the key advantages of using TPM technology are that you can:
-- Generate, store, and limit the use of cryptographic keys.
+- Generate, store, and limit the use of cryptographic keys.
-- Use TPM technology for platform device authentication by using the TPM’s unique RSA key, which is burned into itself.
+- Use TPM technology for platform device authentication by using the TPM’s unique RSA key, which is burned into itself.
-- Help to ensure platform integrity by taking and storing security measurements.
+- Help to ensure platform integrity by taking and storing security measurements.
Additional advanced device protection relevant to your operating without data breaches include Windows Trusted Boot to help maintain the integrity of the system by ensuring malware is unable to start before system defenses.
@@ -252,7 +252,7 @@ There are numerous ways one can use the Windows Hello Companion Device Framework
- Wear a fitness band that has already authenticated the wearer. Upon approaching PC, and by performing a special gesture (like clapping), the PC unlocks.
#### Protection against attacks by isolating user credentials
-As noted in the [Windows 10 Credential Theft Mitigation Guide](https://www.microsoft.com/en-us/download/confirmation.aspx?id=54095), “_the tools and techniques criminals use to carry out credential theft and reuse attacks improve, malicious attackers are finding it easier to achieve their goals. Credential theft often relies on operational practices or user credential exposure, so effective mitigations require a holistic approach that addresses people, processes, and technology. In addition, these attacks rely on the attacker stealing credentials after compromising a system to expand or persist access, so organizations must contain breaches rapidly by implementing strategies that prevent attackers from moving freely and undetected in a compromised network._”
+As noted in the [Windows 10 Credential Theft Mitigation Guide](https://www.microsoft.com/download/confirmation.aspx?id=54095), “_the tools and techniques criminals use to carry out credential theft and reuse attacks improve, malicious attackers are finding it easier to achieve their goals. Credential theft often relies on operational practices or user credential exposure, so effective mitigations require a holistic approach that addresses people, processes, and technology. In addition, these attacks rely on the attacker stealing credentials after compromising a system to expand or persist access, so organizations must contain breaches rapidly by implementing strategies that prevent attackers from moving freely and undetected in a compromised network._”
An important design consideration for Windows 10 was mitigating credential theft — in particular, derived credentials. Windows Defender Credential Guard provides significantly improved security against derived credential theft and reuse by implementing a significant architectural change in Windows designed to help eliminate hardware-based isolation attacks rather than simply trying to defend against them.
diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md
index f5a74dfff8..8211fc3089 100644
--- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md
+++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md
@@ -6,35 +6,39 @@ keywords: privacy, manage connections to Microsoft, Windows 10
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: high
+audience: ITPro
author: medgarmedgar
ms.author: v-medgar
-ms.date: 7/9/2019
+manager: sanashar
+ms.date: 9/10/2019
---
-# Manage connections from Windows operating system components to Microsoft services using Microsoft Intune MDM Server
+# Manage connections from Windows 10 operating system components to Microsoft services using Microsoft Intune MDM Server
**Applies to**
- Windows 10 Enterprise 1903 version and newer
-You can use Microsoft InTune with MDM CSPs and custom [OMA URIs](https://docs.microsoft.com/intune/custom-settings-windows-10) to minimize connections from Windows to Microsoft services, or to configure particular privacy settings. You can configure diagnostic data at the lowest level for your edition of Windows, and also evaluate which other connections Windows makes to Microsoft services you want to turn off in your environment from the list in this article.
-To ensure CSPs take priority over Group Policies in case of conflicts, use the [ControlPolicyConflict](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-controlpolicyconflict) policy.
+This article describes the network connections that Windows 10 components make to Microsoft and the Mobile Device Management/Configuration Service Provider (MDM/CSP) and custom Open Mobile Alliance Uniform Resource Identifier ([OMA URI](https://docs.microsoft.com/intune/custom-settings-windows-10)) policies available to IT Professionals using Microsoft Intune to help manage the data shared with Microsoft. If you want to minimize connections from Windows to Microsoft services, or configure privacy settings, there are a number of settings for consideration. For example, you can configure diagnostic data to the lowest level for your edition of Windows and evaluate other connections Windows makes to Microsoft services you want to turn off using the instructions in this article. While it is possible to minimize network connections to Microsoft, there are many reasons why these communications are enabled by default, such as updating malware definitions and maintaining current certificate revocation lists. This data helps us deliver a secure, reliable, and up-to-date experience.
-You can configure diagnostic data at the Security/Basic level, turn off Windows Defender diagnostic data and MSRT reporting, and turn off all other connections to Microsoft network endpoints as described in this article to help prevent Windows from sending any data to Microsoft. There are many reasons why these communications are enabled by default, such as updating malware definitions and maintain current certificate revocation lists, which is why we strongly recommend against this. This data helps us deliver a secure, reliable, and more delightful personalized experience.
+>[!IMPORTANT]
+>- The Allowed Traffic endpoints for an MDM configuration are here: [Allowed Traffic](#bkmk-mdm-allowedtraffic)
+> - CRL (Certificate Revocation List) and OCSP (Online Certificate Status Protocol) network traffic cannot be disabled and will still show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of these authorities. There are many others such as DigiCert, Thawte, Google, Symantec, and VeriSign.
+> - There is some traffic which is specifically required for the Microsoft Intune based management of Windows 10 devices. This traffic includes Windows Notifications Service (WNS), Automatic Root Certificates Update (ARCU), and some Windows Update related traffic. The aforementioned traffic comprises the Allowed Traffic for Microsoft Intune MDM Server to manage Windows 10 devices.
+>- For security reasons, it is important to take care in deciding which settings to configure as some of them may result in a less secure device. Examples of settings that can lead to a less secure device configuration include: disabling Windows Update, disabling Automatic Root Certificates Update, and disabling Windows Defender. Accordingly, we do not recommend disabling any of these features.
+>- To ensure CSPs take priority over Group Policies in case of conflicts, use the [ControlPolicyConflict](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-controlpolicyconflict) policy.
+>- The **Get Help** and **Give us Feedback** links in Windows may no longer work after applying some or all of the MDM/CSP settings.
-Note, there is some traffic which is required (i.e. "whitelisted") for the operation of Windows and the Microsoft InTune based management. This traffic includes CRL and OCSP network traffic which will show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of them, but there are many others, such as DigiCert, Thawte, Google, Symantec, and VeriSign. Additional whitelisted traffic specifically for MDM managed devices includes Windows Notification Service related traffic as well as some specific Microsoft InTune and Windows Update related traffic.
+For more information on Microsoft Intune please see [Transform IT service delivery for your modern workplace](https://www.microsoft.com/en-us/enterprise-mobility-security/microsoft-intune?rtc=1) and [Microsoft Intune documentation](https://docs.microsoft.com/intune/).
-For more information on Microsoft InTune please see [Transform IT service delivery for your modern workplace](https://www.microsoft.com/en-us/enterprise-mobility-security/microsoft-intune?rtc=1) and [Microsoft Intune documentation](https://docs.microsoft.com/intune/).
+For detailed information about managing network connections to Microsoft services using Windows Settings, Group Policies and Registry settings see [Manage connections from Windows 10 operating system components to Microsoft services](https://docs.microsoft.com/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services).
-For detailed information about managing network connections to Microsoft services using Registries, Group Policies, or UI see [Manage connections from Windows operating system components to Microsoft services](https://docs.microsoft.com/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services).
+We are always striving to improve our documentation and welcome your feedback. You can provide feedback by sending email to **telmhelp**@**microsoft.com**.
-The endpoints for the MDM “whitelisted” traffic are in the [Whitelisted Traffic](#bkmk-mdm-whitelist).
-
-
-### Settings for Windows 10 Enterprise edition 1903 and newer
+## Settings for Windows 10 Enterprise edition 1903 and newer
The following table lists management options for each setting.
@@ -98,7 +102,7 @@ For Windows 10, the following MDM policies are available in the [Policy CSP](htt
1. **OneDrive**
1. MDM Policy: [DisableOneDriveFileSync](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-system#system-disableonedrivefilesync). Allows IT Admins to prevent apps and features from working with files on OneDrive. **Set to 1 (one)**
1. Ingest the ADMX - To get the latest OneDrive ADMX file you need an up-to-date Windows 10 client. The ADMX files are located under the following path: %LocalAppData%\Microsoft\OneDrive\ there's a folder with the current OneDrive build (e.g. "18.162.0812.0001"). There is a folder named "adm" which contains the admx and adml policy definition files.
- 1. MDM Policy: Prevent Network Traffic before User SignIn. **PreventNetworkTrafficPreUserSignIn**. The OMA-URI value is: ./Device/Vendor/MSFT/Policy/Config/OneDriveNGSC\~Policy\~OneDriveNGSC/PreventNetworkTrafficPreUserSignIn, **String, \
**Disable** this policy to block access to location information for Cortana. |
| Do not allow web search | Choose whether to search the web from Windows Desktop Search.
**Enable** this policy to remove the option to search the Internet from Cortana. |
| Don't search the web or display web results in Search| Choose whether to search the web from Cortana.
**Enable** this policy to stop web queries and results from showing in Search. |
-| Set what information is shared in Search | Control what information is shared with Bing in Search.
If you **enable** this policy and set it to **Anonymous info**, usage information will be shared but not search history, Microsoft Account information, or specific location. |
You can also apply the Group Policies using the following registry keys:
@@ -286,7 +280,7 @@ You can also apply the Group Policies using the following registry keys:
| Allow search and Cortana to use location | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Search
REG_DWORD: AllowSearchToUseLocation
Value: 0 |
| Do not allow web search | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Search
REG_DWORD: DisableWebSearch
Value: 1 |
| Don't search the web or display web results in Search| HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Search
REG_DWORD: ConnectedSearchUseWeb
Value: 0 |
-| Set what information is shared in Search | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Search
REG_DWORD: ConnectedSearchPrivacy
Value: 3 |
+
>[!IMPORTANT]
> Using the Group Policy editor these steps are required for all supported versions of Windows 10, however they are not required for devices running Windows 10, version 1607 or Windows Server 2016.
@@ -390,7 +384,7 @@ Windows Insider Preview builds only apply to Windows 10 and are not available fo
> [!NOTE]
-> If you upgrade a device that is configured to minimize connections from Windows to Microsoft services (that is, a device configured for zero exhaust) to a Windows Insider Preview build, the Feedback & Diagnostic setting will automatically be set to **Full**. Although the diagnostic data level may initially appear as **Basic**, a few hours after the UI is refreshed or the machine is rebooted, the setting will become **Full**.
+> If you upgrade a device that is configured to minimize connections from Windows to Microsoft services (that is, a device configured for Restricted Traffic) to a Windows Insider Preview build, the Feedback & Diagnostic setting will automatically be set to **Full**. Although the diagnostic data level may initially appear as **Basic**, a few hours after the UI is refreshed or the machine is rebooted, the setting will become **Full**.
To turn off Insider Preview builds for a released version of Windows 10:
@@ -1049,11 +1043,11 @@ To turn off dictation of your voice, speaking to Cortana and other apps, and to
If you're running at Windows 10, version 1703 up to and including Windows 10, version 1803, you can turn off updates to the speech recognition and speech synthesis models:
- - **Disable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Speech** > **Allow automatic update of Speech Data**
+- **Disable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Speech** > **Allow automatic update of Speech Data**
-or-
- - Create a REG_DWORD registry setting named **AllowSpeechModelUpdate** in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Speech** with a **value of 0 (zero)**
+- Create a REG_DWORD registry setting named **AllowSpeechModelUpdate** in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Speech** with a **value of 0 (zero)**
@@ -1260,7 +1254,7 @@ To turn off **Let your apps use your trusted devices (hardware you've already co
### 18.16 Feedback & diagnostics
-In the **Feedback & Diagnostics** area, you can choose how often you're asked for feedback and how much diagnostic and usage information is sent to Microsoft.
+In the **Feedback & Diagnostics** area, you can choose how often you're asked for feedback and how much diagnostic and usage information is sent to Microsoft. If you're looking for content on what each diagnostic data level means and how to configure it in your organization, see [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md).
To change how frequently **Windows should ask for my feedback**:
@@ -1415,11 +1409,11 @@ In the **Inking & Typing** area you can configure the functionality as such:
To turn off Inking & Typing data collection (note: there is no Group Policy for this setting):
- - In the UI go to **Settings -> Privacy -> Diagnostics & Feedback -> Inking and typing** and turn **Improve inking & typing** to **Off**
+- In the UI go to **Settings -> Privacy -> Diagnostics & Feedback -> Inking and typing** and turn **Improve inking & typing** to **Off**
-or-
- - Set **RestrictImplicitTextCollection** registry REG_DWORD setting in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\InputPersonalization** to a **value of 1 (one)**
+- Set **RestrictImplicitTextCollection** registry REG_DWORD setting in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\InputPersonalization** to a **value of 1 (one)**
### 18.22 Activity History
@@ -1484,29 +1478,29 @@ To turn this Off in the UI:
Enterprise customers can manage their Windows activation status with volume licensing using an on-premises Key Management Server. You can opt out of sending KMS client activation data to Microsoft automatically by doing one of the following:
- **For Windows 10:**
+**For Windows 10:**
- - **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Software Protection Platform** > **Turn off KMS Client Online AVS Validation**
+- **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Software Protection Platform** > **Turn off KMS Client Online AVS Validation**
-or-
- - Create a REG_DWORD registry setting named **NoGenTicket** in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\CurrentVersion\\Software Protection Platform** with a **value of 1 (one)**.
+- Create a REG_DWORD registry setting named **NoGenTicket** in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\CurrentVersion\\Software Protection Platform** with a **value of 1 (one)**.
**For Windows Server 2019 or later:**
- - **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Software Protection Platform** > **Turn off KMS Client Online AVS Validation**
+- **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Software Protection Platform** > **Turn off KMS Client Online AVS Validation**
-or-
- - Create a REG_DWORD registry setting named **NoGenTicket** in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\CurrentVersion\\Software Protection Platform** with a value of 1 (one).
+- Create a REG_DWORD registry setting named **NoGenTicket** in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\CurrentVersion\\Software Protection Platform** with a value of 1 (one).
**For Windows Server 2016:**
- - Create a REG_DWORD registry setting named **NoAcquireGT** in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\CurrentVersion\\Software Protection Platform** with a value of 1 (one).
+- Create a REG_DWORD registry setting named **NoAcquireGT** in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\CurrentVersion\\Software Protection Platform** with a value of 1 (one).
- >[!NOTE]
- >Due to a known issue the **Turn off KMS Client Online AVS Validation** group policy does not work as intended on Windows Server 2016, the **NoAcquireGT** value needs to be set instead.
- >The Windows activation status will be valid for a rolling period of 180 days with weekly activation status checks to the KMS.
+>[!NOTE]
+>Due to a known issue the **Turn off KMS Client Online AVS Validation** group policy does not work as intended on Windows Server 2016, the **NoAcquireGT** value needs to be set instead.
+>The Windows activation status will be valid for a rolling period of 180 days with weekly activation status checks to the KMS.
### 20. Storage health
@@ -1584,7 +1578,7 @@ You can disconnect from the Microsoft Antimalware Protection Service.
>[!IMPORTANT]
>**Required Steps BEFORE setting the Windows Defender Group Policy or RegKey on Windows 10 version 1903**
>1. Ensure Windows and Windows Defender are fully up to date.
->2. Search the Start menu for "Tamper Protection" by clicking on the search icon next to the Windows Start button. Then scroll down to >the Tamper Protection toggle and turn it **Off**. This will allow you to modify the Registry key and allow the Group Policy to make >the setting. Alternatively, you can go to **Windows Security Settings -> Virus & threat protection, click on Manage Settings** link >and then scroll down to the Tamper Protection toggle to set it to **Off**.
+>2. Search the Start menu for "Tamper Protection" by clicking on the search icon next to the Windows Start button. Then scroll down to the Tamper Protection toggle and turn it **Off**. This will allow you to modify the Registry key and allow the Group Policy to make the setting. Alternatively, you can go to **Windows Security Settings -> Virus & threat protection, click on Manage Settings** link and then scroll down to the Tamper Protection toggle to set it to **Off**.
- **Enable** the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender Antivirus** > **MAPS** > **Join Microsoft MAPS** and then select **Disabled** from the drop-down box named **Join Microsoft MAPS**
@@ -1623,7 +1617,7 @@ You can stop downloading **Definition Updates**:
- **Remove** the **DefinitionUpdateFileSharesSources** reg value if it exists under **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Signature Updates**
-You can turn off **Malicious Software Reporting Tool diagnostic data**:
+You can turn off **Malicious Software Reporting Tool (MSRT) diagnostic data**:
- Set the REG_DWORD value **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\MRT\\DontReportInfectionInformation** to **1**.
@@ -1730,7 +1724,7 @@ If you're running Windows 10, version 1607 or later, you need to:
> The Group Policy for the **LockScreenOverlaysDisabled** regkey is **Force a specific default lock screen and logon image** that is under **Control Panel** **Personalization**.
--AND-
+ \-AND-
- Set the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Do not show Windows tips** to **Enabled**
@@ -1740,7 +1734,7 @@ If you're running Windows 10, version 1607 or later, you need to:
- Create a new REG_DWORD registry setting named **DisableSoftLanding** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent** with a **value of 1 (one)**
--AND-
+ \-AND-
- Set the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Turn off Microsoft consumer experiences** to **Enabled**
@@ -1881,7 +1875,16 @@ For China releases of Windows 10 there is one additional Regkey to be set to pre
- Add a REG_DWORD value named **HapDownloadEnabled** to **HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LexiconUpdate\\loc_0804** and set the value to 0.
+
+### Allowed traffic list for Windows Restricted Traffic Limited Functionality Baseline
+
+|**Allowed traffic endpoints** |
+| --- |
+|activation-v2.sls.microsoft.com/*|
+|crl.microsoft.com/pki/crl/*|
+|ocsp.digicert.com/*|
+|www.microsoft.com/pkiops/*|
To learn more, see [Device update management](https://msdn.microsoft.com/library/windows/hardware/dn957432.aspx) and [Configure Automatic Updates by using Group Policy](https://technet.microsoft.com/library/cc720539.aspx).
diff --git a/windows/privacy/manage-windows-1709-endpoints.md b/windows/privacy/manage-windows-1709-endpoints.md
index 4f007d6da6..ae5da4bba4 100644
--- a/windows/privacy/manage-windows-1709-endpoints.md
+++ b/windows/privacy/manage-windows-1709-endpoints.md
@@ -23,11 +23,11 @@ ms.reviewer:
Some Windows components, app, and related services transfer data to Microsoft network endpoints. Some examples include:
-- Connecting to Microsoft Office and Windows sites to download the latest app and security updates.
-- Connecting to email servers to send and receive email.
-- Connecting to the web for every day web browsing.
-- Connecting to the cloud to store and access backups.
-- Using your location to show a weather forecast.
+- Connecting to Microsoft Office and Windows sites to download the latest app and security updates.
+- Connecting to email servers to send and receive email.
+- Connecting to the web for every day web browsing.
+- Connecting to the cloud to store and access backups.
+- Using your location to show a weather forecast.
This article lists different endpoints that are available on a clean installation of Windows 10, version 1709 and later.
Details about the different ways to control traffic to these endpoints are covered in [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md).
diff --git a/windows/privacy/manage-windows-1803-endpoints.md b/windows/privacy/manage-windows-1803-endpoints.md
index c8c4bffe0c..2ad044d990 100644
--- a/windows/privacy/manage-windows-1803-endpoints.md
+++ b/windows/privacy/manage-windows-1803-endpoints.md
@@ -23,11 +23,11 @@ ms.reviewer:
Some Windows components, app, and related services transfer data to Microsoft network endpoints. Some examples include:
-- Connecting to Microsoft Office and Windows sites to download the latest app and security updates.
-- Connecting to email servers to send and receive email.
-- Connecting to the web for every day web browsing.
-- Connecting to the cloud to store and access backups.
-- Using your location to show a weather forecast.
+- Connecting to Microsoft Office and Windows sites to download the latest app and security updates.
+- Connecting to email servers to send and receive email.
+- Connecting to the web for every day web browsing.
+- Connecting to the cloud to store and access backups.
+- Using your location to show a weather forecast.
This article lists different endpoints that are available on a clean installation of Windows 10, version 1709 and later.
Details about the different ways to control traffic to these endpoints are covered in [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md).
diff --git a/windows/privacy/manage-windows-1809-endpoints.md b/windows/privacy/manage-windows-1809-endpoints.md
index 2f2f90b82d..f574f6409d 100644
--- a/windows/privacy/manage-windows-1809-endpoints.md
+++ b/windows/privacy/manage-windows-1809-endpoints.md
@@ -23,11 +23,11 @@ ms.reviewer:
Some Windows components, app, and related services transfer data to Microsoft network endpoints. Some examples include:
-- Connecting to Microsoft Office and Windows sites to download the latest app and security updates.
-- Connecting to email servers to send and receive email.
-- Connecting to the web for every day web browsing.
-- Connecting to the cloud to store and access backups.
-- Using your location to show a weather forecast.
+- Connecting to Microsoft Office and Windows sites to download the latest app and security updates.
+- Connecting to email servers to send and receive email.
+- Connecting to the web for every day web browsing.
+- Connecting to the cloud to store and access backups.
+- Using your location to show a weather forecast.
This article lists different endpoints that are available on a clean installation of Windows 10, version 1709 and later.
Details about the different ways to control traffic to these endpoints are covered in [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md).
diff --git a/windows/privacy/manage-windows-1903-endpoints.md b/windows/privacy/manage-windows-1903-endpoints.md
index 5400e152f2..01c084966d 100644
--- a/windows/privacy/manage-windows-1903-endpoints.md
+++ b/windows/privacy/manage-windows-1903-endpoints.md
@@ -22,11 +22,11 @@ ms.date: 5/3/2019
Some Windows components, app, and related services transfer data to Microsoft network endpoints. Some examples include:
-- Connecting to Microsoft Office and Windows sites to download the latest app and security updates.
-- Connecting to email servers to send and receive email.
-- Connecting to the web for every day web browsing.
-- Connecting to the cloud to store and access backups.
-- Using your location to show a weather forecast.
+- Connecting to Microsoft Office and Windows sites to download the latest app and security updates.
+- Connecting to email servers to send and receive email.
+- Connecting to the web for every day web browsing.
+- Connecting to the cloud to store and access backups.
+- Using your location to show a weather forecast.
This article lists different endpoints that are available on a clean installation of Windows 10, version 1709 and later.
Details about the different ways to control traffic to these endpoints are covered in [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md).
diff --git a/windows/release-information/TOC.md b/windows/release-information/TOC.md
index c905dea447..41ca5d90c0 100644
--- a/windows/release-information/TOC.md
+++ b/windows/release-information/TOC.md
@@ -24,7 +24,7 @@
# Previous versions
## Windows 8.1 and Windows Server 2012 R2
### [Known issues and notifications](status-windows-8.1-and-windows-server-2012-r2.yml)
-###[Resolved issues](resolved-issues-windows-8.1-and-windows-server-2012-r2.yml)
+### [Resolved issues](resolved-issues-windows-8.1-and-windows-server-2012-r2.yml)
## Windows Server 2012
### [Known issues and notifications](status-windows-server-2012.yml)
### [Resolved issues](resolved-issues-windows-server-2012.yml)
@@ -33,4 +33,4 @@
### [Resolved issues](resolved-issues-windows-7-and-windows-server-2008-r2-sp1.yml)
## Windows Server 2008 SP2
### [Known issues and notifications](status-windows-server-2008-sp2.yml)
-### [Resolved issues](resolved-issues-windows-server-2008-sp2.yml)
\ No newline at end of file
+### [Resolved issues](resolved-issues-windows-server-2008-sp2.yml)
diff --git a/windows/release-information/docfx.json b/windows/release-information/docfx.json
index 5bab1ca43c..4dcacaf204 100644
--- a/windows/release-information/docfx.json
+++ b/windows/release-information/docfx.json
@@ -38,6 +38,7 @@
"breadcrumb_path": "/windows/release-information/breadcrumb/toc.json",
"ms.prod": "w10",
"ms.date": "4/30/2019",
+ "audience": "ITPro",
"titleSuffix": "Windows Release Information",
"extendBreadcrumb": true,
"feedback_system": "None"
diff --git a/windows/release-information/resolved-issues-windows-10-1507.yml b/windows/release-information/resolved-issues-windows-10-1507.yml
index 048946f759..b4f166be36 100644
--- a/windows/release-information/resolved-issues-windows-10-1507.yml
+++ b/windows/release-information/resolved-issues-windows-10-1507.yml
@@ -32,17 +32,13 @@ sections:
- type: markdown
text: "
"
@@ -53,6 +49,16 @@ sections:
Summary Originating update Status Date resolved Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
Applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and VBScript may stop responding and you may receive an error.
See details >OS Build 10240.18305
August 13, 2019
KB4512497Resolved
KB4517276August 17, 2019
02:00 PM PTMacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.
See details >OS Build 10240.18244
June 11, 2019
KB4503291Resolved External August 09, 2019
07:03 PM PTEvent Viewer may close or you may receive an error when using Custom Views
When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.
See details >OS Build 10240.18244
June 11, 2019
KB4503291Resolved
KB4507458July 09, 2019
10:00 AM PTUnable to access some gov.uk websites
gov.uk websites that don’t support “HSTS” may not be accessible
See details >OS Build 10240.18215
May 14, 2019
KB4499154Resolved
KB4505051May 19, 2019
02:00 PM PTEmbedded objects may display incorrectly
Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly.
See details >OS Build 10240.18132
February 12, 2019
KB4487018Resolved
KB4493475April 09, 2019
10:00 AM PTUnable to access hotspots with third-party applications
Third-party applications may have difficulty authenticating hotspots.
See details >OS Build 10240.18094
January 08, 2019
KB4480962Resolved
KB4487018February 12, 2019
10:00 AM PTMSXML6 may cause applications to stop responding
MSXML6 may cause applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode().
See details >OS Build 10240.18094
January 08, 2019
KB4480962Resolved
KB4493475April 09, 2019
10:00 AM PTError 1309 when installing/uninstalling MSI or MSP files
Users may receive \"Error 1309\" while installing or uninstalling certain types of MSI and MSP files.
See details >OS Build 10240.18132
February 12, 2019
KB4487018Resolved
KB4489872March 12, 2019
10:00 AM PTInternet Explorer may fail to load images
Internet Explorer may fail to load images with a backslash (\\) in their relative source path.
See details >OS Build 10240.18132
February 12, 2019
KB4487018Resolved
KB4491101February 21, 2019
02:00 PM PTFirst character of Japanese era name not recognized
The first character of the Japanese era name is not recognized as an abbreviation and may cause date parsing issues.
See details >OS Build 10240.18132
February 12, 2019
KB4487018Resolved
KB4489872March 12, 2019
10:00 AM PTCustom URI schemes may not start corresponding application
Custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites in Internet Explorer.
See details >OS Build 10240.18158
March 12, 2019
KB4489872Resolved
KB4493475April 09, 2019
10:00 AM PTApplications using Microsoft Jet database fail to open
Applications that use a Microsoft Jet database with the Microsoft Access 97 file format may fail to open if column names are greater than 32 characters.
See details >OS Build 10240.18094
January 08, 2019
KB4480962Resolved
KB4487018February 12, 2019
10:00 AM PTApplications using Microsoft Jet database and Access 95 file format stop working
Applications that use a Microsoft Jet database with the Microsoft Access 95 file format may randomly stop working.
See details >OS Build 10240.18132
February 12, 2019
KB4487018Resolved
KB4489872March 12, 2019
10:00 AM PT
+ "
+
- title: June 2019
- items:
- type: markdown
@@ -86,10 +92,6 @@ sections:
text: "
Details Originating update Status History Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
Back to topOS Build 10240.18305
August 13, 2019
KB4512497Resolved
KB4517276Resolved:
August 17, 2019
02:00 PM PT
Opened:
August 14, 2019
03:34 PM PTMacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
Back to topOS Build 10240.18244
June 11, 2019
KB4503291Resolved External Last updated:
August 09, 2019
07:03 PM PT
Opened:
August 09, 2019
04:25 PM PT
"
@@ -98,8 +100,6 @@ sections:
- type: markdown
text: "
Details Originating update Status History Embedded objects may display incorrectly
Back to topOS Build 10240.18132
February 12, 2019
KB4487018Resolved
KB4493475Resolved:
April 09, 2019
10:00 AM PT
Opened:
February 12, 2019
10:00 AM PTError 1309 when installing/uninstalling MSI or MSP files
Back to topOS Build 10240.18132
February 12, 2019
KB4487018Resolved
KB4489872Resolved:
March 12, 2019
10:00 AM PT
Opened:
February 12, 2019
10:00 AM PTInternet Explorer may fail to load images
Back to topOS Build 10240.18132
February 12, 2019
KB4487018Resolved
KB4491101Resolved:
February 21, 2019
02:00 PM PT
Opened:
February 12, 2019
10:00 AM PTFirst character of Japanese era name not recognized
Back to topOS Build 10240.18132
February 12, 2019
KB4487018Resolved
KB4489872Resolved:
March 12, 2019
10:00 AM PT
Opened:
February 12, 2019
10:00 AM PTApplications using Microsoft Jet database and Access 95 file format stop working
Back to topOS Build 10240.18132
February 12, 2019
KB4487018Resolved
KB4489872Resolved:
March 12, 2019
10:00 AM PT
Opened:
February 12, 2019
10:00 AM PT
"
diff --git a/windows/release-information/resolved-issues-windows-10-1607.yml b/windows/release-information/resolved-issues-windows-10-1607.yml
index c20d9b33f0..f2e5cd3bcb 100644
--- a/windows/release-information/resolved-issues-windows-10-1607.yml
+++ b/windows/release-information/resolved-issues-windows-10-1607.yml
@@ -32,6 +32,13 @@ sections:
- type: markdown
text: "
Details Originating update Status History Unable to access hotspots with third-party applications
Back to topOS Build 10240.18094
January 08, 2019
KB4480962Resolved
KB4487018Resolved:
February 12, 2019
10:00 AM PT
Opened:
January 08, 2019
10:00 AM PTMSXML6 may cause applications to stop responding
Back to topOS Build 10240.18094
January 08, 2019
KB4480962Resolved
KB4493475Resolved:
April 09, 2019
10:00 AM PT
Opened:
January 08, 2019
10:00 AM PTApplications using Microsoft Jet database fail to open
Back to topOS Build 10240.18094
January 08, 2019
KB4480962Resolved
KB4487018Resolved:
February 12, 2019
10:00 AM PT
Opened:
January 08, 2019
10:00 AM PT
"
@@ -65,6 +65,38 @@ sections:
Summary Originating update Status Date resolved IME may become unresponsive or have High CPU usage
Some Input Method Editor (IME) including ChsIME.EXE and ChtIME.EXE, may become unresponsive or may have high CPU usage.
See details >OS Build 14393.3204
September 10, 2019
KB4516044Resolved September 17, 2019
04:47 PM PTApps and scripts using the NetQueryDisplayInformation API may fail with error
Applications and scripts that call the NetQueryDisplayInformation API or the WinNT provider equivalent may fail to return results after the first page of data.
See details >OS Build 14393.3053
June 18, 2019
KB4503294Resolved
KB4516044September 10, 2019
10:00 AM PTDomain connected devices that use MIT Kerberos realms will not start up
Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating.
See details >OS Build 14393.3115
July 16, 2019
KB4507459Resolved
KB4512517August 13, 2019
10:00 AM PTDevices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"
See details >OS Build 14393.3025
June 11, 2019
KB4503267Resolved
KB4512495August 17, 2019
02:00 PM PTApps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
Applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and VBScript may stop responding and you may receive an error.
See details >OS Build 14393.3144
August 13, 2019
KB4512517Resolved
KB4512495August 17, 2019
02:00 PM PTInternet Explorer 11 and apps using the WebBrowser control may fail to render
JavaScript may fail to render as expected in Internet Explorer 11 and in apps using JavaScript or the WebBrowser control.
See details >OS Build 14393.3085
July 09, 2019
KB4507460Resolved
KB4512517August 13, 2019
10:00 AM PTMacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.
See details >OS Build 14393.3025
June 11, 2019
KB4503267Resolved External August 09, 2019
07:03 PM PTSCVMM cannot enumerate and manage logical switches deployed on the host
For hosts managed by System Center Virtual Machine Manager (VMM), VMM cannot enumerate and manage logical switches deployed on the host.
See details >OS Build 14393.2639
November 27, 2018
KB4467684Resolved
KB4507459July 16, 2019
10:00 AM PTSome applications may fail to run as expected on clients of AD FS 2016
Some applications may fail to run as expected on clients of Active Directory Federation Services 2016 (AD FS 2016)
See details >OS Build 14393.2941
April 25, 2019
KB4493473Resolved
KB4507459July 16, 2019
10:00 AM PTDevices with Hyper-V enabled may receive BitLocker error 0xC0210000
Some devices with Hyper-V enabled may start into BitLocker recovery with error 0xC0210000.
See details >OS Build 14393.2969
May 14, 2019
KB4494440Resolved
KB4507460July 09, 2019
10:00 AM PTInternet Explorer 11 authentication issue with multiple concurrent logons
Internet Explorer 11 users may encounter issues if two or more people use the same user account for multiple, concurrent login sessions on the same Windows Server machine.
See details >OS Build 14393.2724
January 08, 2019
KB4480961Resolved
KB4493470April 09, 2019
10:00 AM PTEnd-user-defined characters (EUDC) may cause blue screen at startup
If you enable per font end-user-defined characters (EUDC), the system will stop working and a blue screen may appear at startup.
See details >OS Build 14393.2879
March 19, 2019
KB4489889Resolved
KB4493470April 09, 2019
10:00 AM PTMSXML6 may cause applications to stop responding
MSXML6 may cause applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode().
See details >OS Build 14393.2724
January 08, 2019
KB4480961Resolved
KB4493470April 09, 2019
10:00 AM PTError 1309 when installing/uninstalling MSI or MSP files
Users may receive “Error 1309” while installing or uninstalling certain types of MSI and MSP files.
See details >OS Build 14393.2791
February 12, 2019
KB4487026Resolved
KB4489882March 12, 2019
10:00 AM PTInternet Explorer may fail to load images
Internet Explorer may fail to load images with a backslash (\\) in their relative source path.
See details >OS Build 14393.2791
February 12, 2019
KB4487026Resolved
KB4487006February 19, 2019
02:00 PM PTFirst character of the Japanese era name not recognized as an abbreviation
The first character of the Japanese era name is not recognized as an abbreviation and may cause date parsing issues.
See details >OS Build 14393.2759
January 17, 2019
KB4480977Resolved
KB4487006February 19, 2019
02:00 PM PTCustom URI schemes may not start corresponding application
Custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites in Internet Explorer.
See details >OS Build 14393.2848
March 12, 2019
KB4489882Resolved
KB4493473April 25, 2019
02:00 PM PTApplications using Microsoft Jet database fail to open
Applications that use a Microsoft Jet database with the Microsoft Access 97 file format may fail to open if column names are greater than 32 characters.
See details >OS Build 14393.2724
January 08, 2019
KB4480961Resolved
KB4487026February 12, 2019
10:00 AM PTApplications using Microsoft Jet database and Access 95 file format stop working
Applications that use a Microsoft Jet database with the Microsoft Access 95 file format may randomly stop working.
See details >OS Build 14393.2791
February 12, 2019
KB4487026Resolved
KB4487006February 19, 2019
02:00 PM PTIssue hosting multiple terminal server sessions and a user logs off on Windows Server
In some cases, Windows Server will stop working and restart when hosting multiple terminal server sessions and a user logs off.
See details >OS Build 14393.2828
February 19, 2019
KB4487006Resolved
KB4489882March 12, 2019
10:00 AM PTInstant search in Microsoft Outlook fails on Windows Server 2016
Instant search in Microsoft Outlook clients fail with the error, \"Outlook cannot perform the search\" on Windows Server 2016.
See details >OS Build 14393.2639
November 27, 2018
KB4467684Resolved
KB4487026February 12, 2019
10:00 AM PT
+ "
+
+- title: August 2019
+- items:
+ - type: markdown
+ text: "
+ Details Originating update Status History IME may become unresponsive or have High CPU usage
Back to topOS Build 14393.3204
September 10, 2019
KB4516044Resolved Resolved:
September 17, 2019
04:47 PM PT
Opened:
September 13, 2019
05:25 PM PT
+ "
+
+- title: July 2019
+- items:
+ - type: markdown
+ text: "
+ Details Originating update Status History Apps and scripts using the NetQueryDisplayInformation API may fail with error
Back to topOS Build 14393.3053
June 18, 2019
KB4503294Resolved
KB4516044Resolved:
September 10, 2019
10:00 AM PT
Opened:
August 01, 2019
05:00 PM PTApps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
Back to topOS Build 14393.3144
August 13, 2019
KB4512517Resolved
KB4512495Resolved:
August 17, 2019
02:00 PM PT
Opened:
August 14, 2019
03:34 PM PTMacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
Back to topOS Build 14393.3025
June 11, 2019
KB4503267Resolved External Last updated:
August 09, 2019
07:03 PM PT
Opened:
August 09, 2019
04:25 PM PT
+ "
+
- title: June 2019
- items:
- type: markdown
@@ -115,10 +147,6 @@ sections:
text: "
Details Originating update Status History Domain connected devices that use MIT Kerberos realms will not start up HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\MitRealms
+
Back to topOS Build 14393.3115
July 16, 2019
KB4507459Resolved
KB4512517Resolved:
August 13, 2019
10:00 AM PT
Opened:
July 25, 2019
06:10 PM PTDevices starting using PXE from a WDS or SCCM servers may fail to start
Back to topOS Build 14393.3025
June 11, 2019
KB4503267Resolved
KB4512495Resolved:
August 17, 2019
02:00 PM PT
Opened:
July 10, 2019
02:51 PM PTInternet Explorer 11 and apps using the WebBrowser control may fail to render
Back to topOS Build 14393.3085
July 09, 2019
KB4507460Resolved
KB4512517Resolved:
August 13, 2019
10:00 AM PT
Opened:
July 26, 2019
04:58 PM PT
"
@@ -129,8 +157,6 @@ sections:
Details Originating update Status History Embedded objects may display incorrectly
Back to topOS Build 14393.2791
February 12, 2019
KB4487026Resolved
KB4493470Resolved:
April 09, 2019
10:00 AM PT
Opened:
February 12, 2019
10:00 AM PTError 1309 when installing/uninstalling MSI or MSP files
Back to topOS Build 14393.2791
February 12, 2019
KB4487026Resolved
KB4489882Resolved:
March 12, 2019
10:00 AM PT
Opened:
February 12, 2019
10:00 AM PTInternet Explorer may fail to load images
Back to topOS Build 14393.2791
February 12, 2019
KB4487026Resolved
KB4487006Resolved:
February 19, 2019
02:00 PM PT
Opened:
February 12, 2019
10:00 AM PTApplications using Microsoft Jet database and Access 95 file format stop working
Back to topOS Build 14393.2791
February 12, 2019
KB4487026Resolved
KB4487006Resolved:
February 19, 2019
02:00 PM PT
Opened:
February 12, 2019
10:00 AM PTIssue hosting multiple terminal server sessions and a user logs off on Windows Server
Back to topOS Build 14393.2828
February 19, 2019
KB4487006Resolved
KB4489882Resolved:
March 12, 2019
10:00 AM PT
Opened:
February 19, 2019
02:00 PM PT
"
@@ -140,6 +166,5 @@ sections:
text: "
Details Originating update Status History Internet Explorer 11 authentication issue with multiple concurrent logons
Back to topOS Build 14393.2724
January 08, 2019
KB4480961Resolved
KB4493470Resolved:
April 09, 2019
10:00 AM PT
Opened:
January 08, 2019
10:00 AM PTMSXML6 may cause applications to stop responding
Back to topOS Build 14393.2724
January 08, 2019
KB4480961Resolved
KB4493470Resolved:
April 09, 2019
10:00 AM PT
Opened:
January 08, 2019
10:00 AM PTFirst character of the Japanese era name not recognized as an abbreviation
Back to topOS Build 14393.2759
January 17, 2019
KB4480977Resolved
KB4487006Resolved:
February 19, 2019
02:00 PM PT
Opened:
January 17, 2019
02:00 PM PTApplications using Microsoft Jet database fail to open
Back to topOS Build 14393.2724
January 08, 2019
KB4480961Resolved
KB4487026Resolved:
February 12, 2019
10:00 AM PT
Opened:
January 08, 2019
10:00 AM PT
"
diff --git a/windows/release-information/resolved-issues-windows-10-1703.yml b/windows/release-information/resolved-issues-windows-10-1703.yml
index b87928c05d..a15dc08538 100644
--- a/windows/release-information/resolved-issues-windows-10-1703.yml
+++ b/windows/release-information/resolved-issues-windows-10-1703.yml
@@ -32,6 +32,10 @@ sections:
- type: markdown
text: "
Details Originating update Status History SCVMM cannot enumerate and manage logical switches deployed on the host
Back to topOS Build 14393.2639
November 27, 2018
KB4467684Resolved
KB4507459Resolved:
July 16, 2019
10:00 AM PT
Opened:
November 27, 2018
10:00 AM PTInstant search in Microsoft Outlook fails on Windows Server 2016
Back to topOS Build 14393.2639
November 27, 2018
KB4467684Resolved
KB4487026Resolved:
February 12, 2019
10:00 AM PT
Opened:
November 27, 2018
10:00 AM PT
"
@@ -58,6 +56,35 @@ sections:
Summary Originating update Status Date resolved IME may become unresponsive or have High CPU usage
Some Input Method Editor (IME) including ChsIME.EXE and ChtIME.EXE, may become unresponsive or may have high CPU usage.
See details >OS Build 15063.2045
September 10, 2019
KB4516068Resolved September 17, 2019
04:47 PM PTDomain connected devices that use MIT Kerberos realms will not start up
Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating.
See details >OS Build 15063.1955
July 16, 2019
KB4507467Resolved
KB4512507August 13, 2019
10:00 AM PTApps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
Applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and VBScript may stop responding and you may receive an error.
See details >OS Build 15063.1988
August 13, 2019
KB4512507Resolved
KB4512474August 17, 2019
02:00 PM PTMacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.
See details >OS Build 15063.1868
June 11, 2019
KB4503279Resolved External August 09, 2019
07:03 PM PTDevices with Hyper-V enabled may receive BitLocker error 0xC0210000
Some devices with Hyper-V enabled may start into BitLocker recovery with error 0xC0210000.
See details >OS Build 15063.1805
May 14, 2019
KB4499181Resolved
KB4507450July 09, 2019
10:00 AM PTDifficulty connecting to some iSCSI-based SANs
Devices may have difficulty connecting to some Storage Area Network (SAN) devices that leverage iSCSI.
See details >OS Build 15063.1839
May 28, 2019
KB4499162Resolved
KB4509476June 26, 2019
04:00 PM PTEvent Viewer may close or you may receive an error when using Custom Views
When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.
See details >OS Build 15063.1868
June 11, 2019
KB4503279Resolved
KB4503289June 18, 2019
02:00 PM PTEmbedded objects may display incorrectly
Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly.
See details >OS Build 15063.1631
February 12, 2019
KB4487020Resolved
KB4493474April 09, 2019
10:00 AM PTEnd-user-defined characters (EUDC) may cause blue screen at startup
If you enable per font end-user-defined characters (EUDC), the system may stop working and a blue screen may appear at startup.
See details >OS Build 15063.1716
March 19, 2019
KB4489888Resolved
KB4493474April 09, 2019
10:00 AM PTMSXML6 may cause applications to stop responding
MSXML6 may cause applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode().
See details >OS Build 15063.1563
January 08, 2019
KB4480973Resolved
KB4493474April 09, 2019
10:00 AM PTError 1309 when installing/uninstalling MSI or MSP files
Users may receive “Error 1309” while installing or uninstalling certain types of MSI and MSP files.
See details >OS Build 15063.1659
February 19, 2019
KB4487011Resolved
KB4489871March 12, 2019
10:00 AM PTInternet Explorer may fail to load images
Internet Explorer may fail to load images with a backslash (\\) in their relative source path.
See details >OS Build 15063.1631
February 12, 2019
KB4487020Resolved
KB4487011February 19, 2019
02:00 PM PTFirst character of the Japanese era name not recognized as an abbreviation
The first character of the Japanese era name is not recognized as an abbreviation and may cause date parsing issues.
See details >OS Build 15063.1596
January 15, 2019
KB4480959Resolved
KB4487011February 19, 2019
02:00 PM PTCustom URI schemes may not start corresponding application
Custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites in Internet Explorer.
See details >OS Build 15063.1689
March 12, 2019
KB4489871Resolved
KB4493436April 25, 2019
02:00 PM PTApplications using Microsoft Jet database fail to open
Applications that use a Microsoft Jet database with the Microsoft Access 97 file format may fail to open if column names are greater than 32 characters.
See details >OS Build 15063.1563
January 08, 2019
KB4480973Resolved
KB4487020February 12, 2019
10:00 AM PTApplications using Microsoft Jet database and Access 95 file format stop working
Applications that use a Microsoft Jet database with the Microsoft Access 95 file format may randomly stop working.
See details >OS Build 15063.1631
February 12, 2019
KB4487020Resolved
KB4487011February 19, 2019
02:00 PM PTWebpages become unresponsive in Microsoft Edge
Microsoft Edge users report difficulty browsing and loading webpages.
See details >OS Build 15063.1563
January 08, 2019
KB4480973Resolved
KB4487020February 12, 2019
10:00 AM PT
+ "
+
+- title: August 2019
+- items:
+ - type: markdown
+ text: "
+ Details Originating update Status History IME may become unresponsive or have High CPU usage
Back to topOS Build 15063.2045
September 10, 2019
KB4516068Resolved Resolved:
September 17, 2019
04:47 PM PT
Opened:
September 13, 2019
05:25 PM PT
+ "
+
+- title: July 2019
+- items:
+ - type: markdown
+ text: "
+ Details Originating update Status History Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
Back to topOS Build 15063.1988
August 13, 2019
KB4512507Resolved
KB4512474Resolved:
August 17, 2019
02:00 PM PT
Opened:
August 14, 2019
03:34 PM PTMacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
Back to topOS Build 15063.1868
June 11, 2019
KB4503279Resolved External Last updated:
August 09, 2019
07:03 PM PT
Opened:
August 09, 2019
04:25 PM PT
+ "
+
- title: June 2019
- items:
- type: markdown
@@ -96,9 +123,6 @@ sections:
text: "
Details Originating update Status History Domain connected devices that use MIT Kerberos realms will not start up HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\MitRealms
+
Back to topOS Build 15063.1955
July 16, 2019
KB4507467Resolved
KB4512507Resolved:
August 13, 2019
10:00 AM PT
Opened:
July 25, 2019
06:10 PM PT
"
@@ -108,8 +132,5 @@ sections:
text: "
Details Originating update Status History Embedded objects may display incorrectly
Back to topOS Build 15063.1631
February 12, 2019
KB4487020Resolved
KB4493474Resolved:
April 09, 2019
10:00 AM PT
Opened:
February 12, 2019
10:00 AM PTError 1309 when installing/uninstalling MSI or MSP files
Back to topOS Build 15063.1659
February 19, 2019
KB4487011Resolved
KB4489871Resolved:
March 12, 2019
10:00 AM PT
Opened:
February 19, 2019
02:00 PM PTInternet Explorer may fail to load images
Back to topOS Build 15063.1631
February 12, 2019
KB4487020Resolved
KB4487011Resolved:
February 19, 2019
02:00 PM PT
Opened:
February 12, 2019
10:00 AM PTApplications using Microsoft Jet database and Access 95 file format stop working
Back to topOS Build 15063.1631
February 12, 2019
KB4487020Resolved
KB4487011Resolved:
February 19, 2019
02:00 PM PT
Opened:
February 12, 2019
10:00 AM PT
"
diff --git a/windows/release-information/resolved-issues-windows-10-1709.yml b/windows/release-information/resolved-issues-windows-10-1709.yml
index cd92b2d492..b9fb594146 100644
--- a/windows/release-information/resolved-issues-windows-10-1709.yml
+++ b/windows/release-information/resolved-issues-windows-10-1709.yml
@@ -32,6 +32,10 @@ sections:
- type: markdown
text: "
Details Originating update Status History MSXML6 may cause applications to stop responding
Back to topOS Build 15063.1563
January 08, 2019
KB4480973Resolved
KB4493474Resolved:
April 09, 2019
10:00 AM PT
Opened:
January 08, 2019
10:00 AM PTFirst character of the Japanese era name not recognized as an abbreviation
Back to topOS Build 15063.1596
January 15, 2019
KB4480959Resolved
KB4487011Resolved:
February 19, 2019
02:00 PM PT
Opened:
January 15, 2019
10:00 AM PTApplications using Microsoft Jet database fail to open
Back to topOS Build 15063.1563
January 08, 2019
KB4480973Resolved
KB4487020Resolved:
February 12, 2019
10:00 AM PT
Opened:
January 08, 2019
10:00 AM PTWebpages become unresponsive in Microsoft Edge
Back to topOS Build 15063.1563
January 08, 2019
KB4480973Resolved
KB4487020Resolved:
February 12, 2019
10:00 AM PT
Opened:
January 08, 2019
10:00 AM PT
"
@@ -59,6 +57,27 @@ sections:
Summary Originating update Status Date resolved Domain connected devices that use MIT Kerberos realms will not start up
Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating.
See details >OS Build 16299.1296
July 16, 2019
KB4507465Resolved
KB4512516August 13, 2019
10:00 AM PTDevices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"
See details >OS Build 16299.1217
June 11, 2019
KB4503284Resolved
KB4512494August 16, 2019
02:00 PM PTApps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
Applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and VBScript may stop responding and you may receive an error.
See details >OS Build 16299.1331
August 13, 2019
KB4512516Resolved
KB4512494August 16, 2019
02:00 PM PTMacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.
See details >OS Build 16299.1217
June 11, 2019
KB4503284Resolved External August 09, 2019
07:03 PM PTDifficulty connecting to some iSCSI-based SANs
Devices may have difficulty connecting to some Storage Area Network (SAN) devices that leverage iSCSI.
See details >OS Build 16299.1182
May 28, 2019
KB4499147Resolved
KB4509477June 26, 2019
04:00 PM PTEvent Viewer may close or you may receive an error when using Custom Views
When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.
See details >OS Build 16299.1217
June 11, 2019
KB4503284Resolved
KB4503281June 18, 2019
02:00 PM PTOpening Internet Explorer 11 may fail
Internet Explorer 11 may fail to open if Default Search Provider is not set or is malformed.
See details >OS Build 16299.1182
May 28, 2019
KB4499147Resolved
KB4503284June 11, 2019
10:00 AM PTEmbedded objects may display incorrectly
Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly.
See details >OS Build 16299.967
February 12, 2019
KB4486996Resolved
KB4493441April 09, 2019
10:00 AM PTEnd-user-defined characters (EUDC) may cause blue screen at startup
If you enable per font end-user-defined characters (EUDC), the system may stop working and a blue screen may appear at startup.
See details >OS Build 16299.1059
March 19, 2019
KB4489890Resolved
KB4493441April 09, 2019
10:00 AM PTMSXML6 causes applications to stop responding if an exception was thrown
MSXML6 causes applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode().
See details >OS Build 16299.904
January 08, 2019
KB4480978Resolved
KB4493441April 09, 2019
10:00 AM PTError 1309 when installing/uninstalling MSI or MSP files
Users may receive “Error 1309” while installing or uninstalling certain types of MSI and MSP files.
See details >OS Build 16299.967
February 12, 2019
KB4486996Resolved
KB4489886March 12, 2019
10:00 AM PTInternet Explorer may fail to load images
Internet Explorer may fail to load images with a backslash (\\) in their relative source path.
See details >OS Build 16299.967
February 12, 2019
KB4486996Resolved
KB4487021February 19, 2019
02:00 PM PTFirst character of the Japanese era name not recognized as an abbreviation
The first character of the Japanese era name is not recognized as an abbreviation and may cause date parsing issues.
See details >OS Build 16299.936
January 15, 2019
KB4480967Resolved
KB4487021February 19, 2019
02:00 PM PTApplications using Microsoft Jet database fail to open
Applications that use a Microsoft Jet database with the Microsoft Access 97 file format may fail to open if column names are greater than 32 characters.
See details >OS Build 16299.904
January 08, 2019
KB4480978Resolved
KB4486996February 12, 2019
10:00 AM PTApplications using Microsoft Jet database and Access 95 file format stop working
Applications that use a Microsoft Jet database with the Microsoft Access 95 file format may randomly stop working.
See details >OS Build 16299.967
February 12, 2019
KB4486996Resolved
KB4487021February 19, 2019
02:00 PM PTWebpages become unresponsive in Microsoft Edge
Microsoft Edge users report difficulty browsing and loading webpages.
See details >OS Build 16299.904
January 08, 2019
KB4480978Resolved
KB4486996February 12, 2019
10:00 AM PTStop error when attempting to start SSH from WSL
A stop error occurs when attempting to start Secure Shell from Windows Subsystem for Linux with agent forwarding using a command line switch (ssh –A) or a configuration setting.
See details >OS Build 16299.1029
March 12, 2019
KB4489886Resolved
KB4493441April 09, 2019
10:00 AM PT
+ "
+
+- title: July 2019
+- items:
+ - type: markdown
+ text: "
+ Details Originating update Status History Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
Back to topOS Build 16299.1331
August 13, 2019
KB4512516Resolved
KB4512494Resolved:
August 16, 2019
02:00 PM PT
Opened:
August 14, 2019
03:34 PM PTMacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
Back to topOS Build 16299.1217
June 11, 2019
KB4503284Resolved External Last updated:
August 09, 2019
07:03 PM PT
Opened:
August 09, 2019
04:25 PM PT
+ "
+
- title: June 2019
- items:
- type: markdown
@@ -106,9 +125,6 @@ sections:
text: "
Details Originating update Status History Domain connected devices that use MIT Kerberos realms will not start up HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\MitRealms
+
Back to topOS Build 16299.1296
July 16, 2019
KB4507465Resolved
KB4512516Resolved:
August 13, 2019
10:00 AM PT
Opened:
July 25, 2019
06:10 PM PTDevices starting using PXE from a WDS or SCCM servers may fail to start
Back to topOS Build 16299.1217
June 11, 2019
KB4503284Resolved
KB4512494Resolved:
August 16, 2019
02:00 PM PT
Opened:
July 10, 2019
02:51 PM PT
"
@@ -118,8 +134,5 @@ sections:
text: "
Details Originating update Status History Embedded objects may display incorrectly
Back to topOS Build 16299.967
February 12, 2019
KB4486996Resolved
KB4493441Resolved:
April 09, 2019
10:00 AM PT
Opened:
February 12, 2019
10:00 AM PTError 1309 when installing/uninstalling MSI or MSP files
Back to topOS Build 16299.967
February 12, 2019
KB4486996Resolved
KB4489886Resolved:
March 12, 2019
10:00 AM PT
Opened:
February 12, 2019
10:00 AM PTInternet Explorer may fail to load images
Back to topOS Build 16299.967
February 12, 2019
KB4486996Resolved
KB4487021Resolved:
February 19, 2019
02:00 PM PT
Opened:
February 12, 2019
10:00 AM PTApplications using Microsoft Jet database and Access 95 file format stop working
Back to topOS Build 16299.967
February 12, 2019
KB4486996Resolved
KB4487021Resolved:
February 19, 2019
02:00 PM PT
Opened:
February 12, 2019
10:00 AM PT
"
diff --git a/windows/release-information/resolved-issues-windows-10-1803.yml b/windows/release-information/resolved-issues-windows-10-1803.yml
index 7174542746..a65cc10df5 100644
--- a/windows/release-information/resolved-issues-windows-10-1803.yml
+++ b/windows/release-information/resolved-issues-windows-10-1803.yml
@@ -32,6 +32,11 @@ sections:
- type: markdown
text: "
Details Originating update Status History MSXML6 causes applications to stop responding if an exception was thrown
Back to topOS Build 16299.904
January 08, 2019
KB4480978Resolved
KB4493441Resolved:
April 09, 2019
10:00 AM PT
Opened:
January 08, 2019
10:00 AM PTFirst character of the Japanese era name not recognized as an abbreviation
Back to topOS Build 16299.936
January 15, 2019
KB4480967Resolved
KB4487021Resolved:
February 19, 2019
02:00 PM PT
Opened:
January 15, 2019
10:00 AM PTApplications using Microsoft Jet database fail to open
Back to topOS Build 16299.904
January 08, 2019
KB4480978Resolved
KB4486996Resolved:
February 12, 2019
10:00 AM PT
Opened:
January 08, 2019
10:00 AM PTWebpages become unresponsive in Microsoft Edge
Back to topOS Build 16299.904
January 08, 2019
KB4480978Resolved
KB4486996Resolved:
February 12, 2019
10:00 AM PT
Opened:
January 08, 2019
10:00 AM PT
"
@@ -59,6 +58,36 @@ sections:
Summary Originating update Status Date resolved Domain connected devices that use MIT Kerberos realms will not start up
Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating.
See details >OS Build 17134.915
July 16, 2019
KB4507466Resolved
KB4512501August 13, 2019
10:00 AM PTNotification issue: \"Your device is missing important security and quality fixes.\"
Some users may have incorrectly received the notification \"Your device is missing important security and quality fixes.\"
See details >N/A Resolved September 03, 2019
12:32 PM PTDevices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"
See details >OS Build 17134.829
June 11, 2019
KB4503286Resolved
KB4512509August 19, 2019
02:00 PM PTApps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
Applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and VBScript may stop responding and you may receive an error.
See details >OS Build 17134.950
August 13, 2019
KB4512501Resolved
KB4512509August 19, 2019
02:00 PM PTMacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.
See details >OS Build 17134.829
June 11, 2019
KB4503286Resolved External August 09, 2019
07:03 PM PTDifficulty connecting to some iSCSI-based SANs
Devices may have difficulty connecting to some Storage Area Network (SAN) devices that leverage iSCSI.
See details >OS Build 17134.799
May 21, 2019
KB4499183Resolved
KB4509478June 26, 2019
04:00 PM PTEvent Viewer may close or you may receive an error when using Custom Views
When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.
See details >OS Build 17134.829
June 11, 2019
KB4503286Resolved
KB4503288June 18, 2019
02:00 PM PTOpening Internet Explorer 11 may fail
Internet Explorer 11 may fail to open if Default Search Provider is not set or is malformed.
See details >OS Build 17134.799
May 21, 2019
KB4499183Resolved
KB4503286June 11, 2019
10:00 AM PTEmbedded objects may display incorrectly
Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly.
See details >OS Build 17134.590
February 12, 2019
KB4487017Resolved
KB4493464April 09, 2019
10:00 AM PTEnd-user-defined characters (EUDC) may cause blue screen at startup
If you enable per font end-user-defined characters (EUDC), the system may stop working and a blue screen may appear at startup.
See details >OS Build 17134.677
March 19, 2019
KB4489894Resolved
KB4493464April 09, 2019
10:00 AM PTMSXML6 may cause applications to stop responding
MSXML6 may cause applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode().
See details >OS Build 17134.523
January 08, 2019
KB4480966Resolved
KB4493464April 09, 2019
10:00 AM PTError 1309 when installing/uninstalling MSI or MSP files
Users may receive \"Error 1309\" while installing or uninstalling certain types of MSI and MSP files.
See details >OS Build 17134.590
February 12, 2019
KB4487017Resolved
KB4489868March 12, 2019
10:00 AM PTInternet Explorer may fail to load images
Internet Explorer may fail to load images with a backslash (\\) in their relative source path.
See details >OS Build 17134.590
February 12, 2019
KB4487017Resolved
KB4487029February 19, 2019
02:00 PM PTFirst character of the Japanese era name not recognized
The first character of the Japanese era name is not recognized as an abbreviation and may cause date parsing issues.
See details >OS Build 17134.556
January 15, 2019
KB4480976Resolved
KB4487029February 19, 2019
02:00 PM PTCustom URI schemes may not start corresponding application
Custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites in Internet Explorer.
See details >OS Build 17134.648
March 12, 2019
KB4489868Resolved
KB4493437April 25, 2019
02:00 PM PTApplications using Microsoft Jet database and Access 95 file format stop working
Applications that use a Microsoft Jet database with the Microsoft Access 95 file format may randomly stop working.
See details >OS Build 17134.523
January 08, 2019
KB4480966Resolved
KB4487017February 12, 2019
10:00 AM PTCannot pin a web link on the Start menu or the taskbar
Some users cannot pin a web link on the Start menu or the taskbar.
See details >OS Build 17134.471
December 11, 2018
KB4471324Resolved
KB4487029February 19, 2019
02:00 PM PTWebpages become unresponsive in Microsoft Edge
Microsoft Edge users report difficulty browsing and loading webpages.
See details >OS Build 17134.523
January 08, 2019
KB4480966Resolved
KB4487017February 12, 2019
10:00 AM PTStop error when attempting to start SSH from WSL
A stop error occurs when attempting to start Secure Shell from Windows Subsystem for Linux with agent forwarding using a command line switch (ssh –A) or a configuration setting.
See details >OS Build 17134.648
March 12, 2019
KB4489868Resolved
KB4493464April 09, 2019
10:00 AM PT
+ "
+
+- title: August 2019
+- items:
+ - type: markdown
+ text: "
+ Details Originating update Status History Notification issue: \"Your device is missing important security and quality fixes.\"
Back to topN/A Resolved Resolved:
September 03, 2019
12:32 PM PT
Opened:
September 03, 2019
12:32 PM PT
+ "
+
+- title: July 2019
+- items:
+ - type: markdown
+ text: "
+ Details Originating update Status History Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
Back to topOS Build 17134.950
August 13, 2019
KB4512501Resolved
KB4512509Resolved:
August 19, 2019
02:00 PM PT
Opened:
August 14, 2019
03:34 PM PTMacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
Back to topOS Build 17134.829
June 11, 2019
KB4503286Resolved External Last updated:
August 09, 2019
07:03 PM PT
Opened:
August 09, 2019
04:25 PM PT
+ "
+
- title: June 2019
- items:
- type: markdown
@@ -106,8 +135,6 @@ sections:
text: "
Details Originating update Status History Domain connected devices that use MIT Kerberos realms will not start up HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\MitRealms
+
Back to topOS Build 17134.915
July 16, 2019
KB4507466Resolved
KB4512501Resolved:
August 13, 2019
10:00 AM PT
Opened:
July 25, 2019
06:10 PM PTDevices starting using PXE from a WDS or SCCM servers may fail to start
Back to topOS Build 17134.829
June 11, 2019
KB4503286Resolved
KB4512509Resolved:
August 19, 2019
02:00 PM PT
Opened:
July 10, 2019
02:51 PM PT
"
@@ -117,17 +144,5 @@ sections:
text: "
Details Originating update Status History Embedded objects may display incorrectly
Back to topOS Build 17134.590
February 12, 2019
KB4487017Resolved
KB4493464Resolved:
April 09, 2019
10:00 AM PT
Opened:
February 12, 2019
10:00 AM PTError 1309 when installing/uninstalling MSI or MSP files
Back to topOS Build 17134.590
February 12, 2019
KB4487017Resolved
KB4489868Resolved:
March 12, 2019
10:00 AM PT
Opened:
February 12, 2019
10:00 AM PTInternet Explorer may fail to load images
Back to topOS Build 17134.590
February 12, 2019
KB4487017Resolved
KB4487029Resolved:
February 19, 2019
02:00 PM PT
Opened:
February 12, 2019
10:00 AM PT
- "
-
-- title: December 2018
-- items:
- - type: markdown
- text: "
- Details Originating update Status History MSXML6 may cause applications to stop responding
Back to topOS Build 17134.523
January 08, 2019
KB4480966Resolved
KB4493464Resolved:
April 09, 2019
10:00 AM PT
Opened:
January 08, 2019
10:00 AM PTFirst character of the Japanese era name not recognized
Back to topOS Build 17134.556
January 15, 2019
KB4480976Resolved
KB4487029Resolved:
February 19, 2019
02:00 PM PT
Opened:
January 08, 2019
10:00 AM PTApplications using Microsoft Jet database and Access 95 file format stop working
Back to topOS Build 17134.523
January 08, 2019
KB4480966Resolved
KB4487017Resolved:
February 12, 2019
10:00 AM PT
Opened:
January 08, 2019
10:00 AM PTWebpages become unresponsive in Microsoft Edge
Back to topOS Build 17134.523
January 08, 2019
KB4480966Resolved
KB4487017Resolved:
February 12, 2019
10:00 AM PT
Opened:
January 08, 2019
10:00 AM PT
"
diff --git a/windows/release-information/resolved-issues-windows-10-1809-and-windows-server-2019.yml b/windows/release-information/resolved-issues-windows-10-1809-and-windows-server-2019.yml
index 0d43d708e8..829b497041 100644
--- a/windows/release-information/resolved-issues-windows-10-1809-and-windows-server-2019.yml
+++ b/windows/release-information/resolved-issues-windows-10-1809-and-windows-server-2019.yml
@@ -32,6 +32,10 @@ sections:
- type: markdown
text: "
Details Originating update Status History Cannot pin a web link on the Start menu or the taskbar
Back to topOS Build 17134.471
December 11, 2018
KB4471324Resolved
KB4487029Resolved:
February 19, 2019
02:00 PM PT
Opened:
December 11, 2018
10:00 AM PT
"
@@ -71,6 +65,27 @@ sections:
Summary Originating update Status Date resolved Domain connected devices that use MIT Kerberos realms will not start up
Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating.
See details >OS Build 17763.652
July 22, 2019
KB4505658Resolved
KB4511553August 13, 2019
10:00 AM PTDevices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"
See details >OS Build 17763.557
June 11, 2019
KB4503327Resolved
KB4512534August 17, 2019
02:00 PM PTApps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
Applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and VBScript may stop responding and you may receive an error.
See details >OS Build 17763.678
August 13, 2019
KB4511553Resolved
KB4512534August 17, 2019
02:00 PM PTMacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.
See details >OS Build 17763.557
June 11, 2019
KB4503327Resolved External August 09, 2019
07:03 PM PTDifficulty connecting to some iSCSI-based SANs
Devices may have difficulty connecting to some Storage Area Network (SAN) devices that leverage iSCSI.
See details >OS Build 17763.529
May 21, 2019
KB4497934Resolved
KB4509479June 26, 2019
04:00 PM PTDevices with Realtek Bluetooth radios drivers may not pair or connect as expected
Devices with some Realtek Bluetooth radios drivers, in some circumstances, may have issues pairing or connecting to devices.
See details >OS Build 17763.503
May 14, 2019
KB4494441Resolved
KB4501371June 18, 2019
02:00 PM PTEvent Viewer may close or you may receive an error when using Custom Views
When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.
See details >OS Build 17763.557
June 11, 2019
KB4503327Resolved
KB4501371June 18, 2019
02:00 PM PTInternet Explorer 11 authentication issue with multiple concurrent logons
Internet Explorer 11 users may encounter issues if two or more people use the same user account for multiple, concurrent login sessions on the same Windows Server machine.
See details >OS Build 17763.253
January 08, 2019
KB4480116Resolved
KB4493509April 09, 2019
10:00 AM PTEnd-user-defined characters (EUDC) may cause blue screen at startup
If you enable per font end-user-defined characters (EUDC), the system may stop working and a blue screen may appear at startup.
See details >OS Build 17763.404
April 02, 2019
KB4490481Resolved
KB4493509April 09, 2019
10:00 AM PTMSXML6 may cause applications to stop responding
MSXML6 may cause applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode().
See details >OS Build 17763.253
January 08, 2019
KB4480116Resolved
KB4493509April 09, 2019
10:00 AM PTError 1309 when installing/uninstalling MSI or MSP files
Users may receive \"Error 1309\" while installing or uninstalling certain types of MSI and MSP files.
See details >OS Build 17763.316
February 12, 2019
KB4487044Resolved
KB4489899March 12, 2019
10:00 AM PTInternet Explorer may fail to load images
Internet Explorer may fail to load images with a backslash (\\) in their relative source path.
See details >OS Build 17763.316
February 12, 2019
KB4487044Resolved
KB4482887March 01, 2019
10:00 AM PTFirst character of the Japanese era name not recognized
The first character of the Japanese era name is not recognized as an abbreviation and may cause date parsing issues.
See details >OS Build 17763.316
February 12, 2019
KB4487044Resolved
KB4482887March 01, 2019
10:00 AM PTApplications using Microsoft Jet database and Access 95 file format stop working
Applications that use a Microsoft Jet database with the Microsoft Access 9 file format may randomly stop working.
See details >OS Build 17763.316
February 12, 2019
KB4487044Resolved
KB4482887March 01, 2019
10:00 AM PTIssues with lock screen and Microsoft Edge tabs for certain AMD Radeon video cards
Upgrade block: Devices utilizing AMD Radeon HD2000 or HD4000 series video cards may experience issues with the lock screen and Microsoft Edge tabs.
See details >OS Build 17763.134
November 13, 2018
KB4467708Resolved
KB4487044February 12, 2019
10:00 AM PTShared albums may not sync with iCloud for Windows
Upgrade block: Apple has identified an incompatibility with iCloud for Windows (version 7.7.0.27) where users may experience issues updating or synching Shared Albums.
See details >OS Build 17763.134
November 13, 2018
KB4467708Resolved
KB4482887March 01, 2019
10:00 AM PTIntel Audio Display (intcdaud.sys) notification during Windows 10 Setup
Upgrade block: Users may see an Intel Audio Display (intcdaud.sys) notification during setup for devices with certain Intel Display Audio Drivers.
See details >OS Build 17763.134
November 13, 2018
KB4467708Resolved
KB4482887March 01, 2019
10:00 AM PTF5 VPN clients losing network connectivity
Upgrade block: After updating to Windows 10, version 1809, F5 VPN clients may lose network connectivity when the VPN service is in a split tunnel configuration.
See details >OS Build 17763.134
November 13, 2018
KB4467708Resolved
KB4482887March 01, 2019
10:00 AM PTGlobal DNS outage affects Windows Update customers
Windows Update customers were recently affected by a network infrastructure event caused by an external DNS service provider's global outage.
See details >N/A Resolved March 08, 2019
11:15 AM PTApps may stop working after selecting an audio output device other than the default
Users with multiple audio devices that select an audio output device different from the \"Default Audio Device\" may find certain applications stop working unexpectedly.
See details >OS Build 17763.348
March 01, 2019
KB4482887Resolved
KB4490481April 02, 2019
10:00 AM PTWebpages become unresponsive in Microsoft Edge
Microsoft Edge users report difficulty browsing and loading webpages.
See details >OS Build 17763.253
January 08, 2019
KB4480116Resolved
KB4487044February 12, 2019
10:00 AM PT
+ "
+
+- title: July 2019
+- items:
+ - type: markdown
+ text: "
+ Details Originating update Status History Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
Back to topOS Build 17763.678
August 13, 2019
KB4511553Resolved
KB4512534Resolved:
August 17, 2019
02:00 PM PT
Opened:
August 14, 2019
03:34 PM PTMacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
Back to topOS Build 17763.557
June 11, 2019
KB4503327Resolved External Last updated:
August 09, 2019
07:03 PM PT
Opened:
August 09, 2019
04:25 PM PT
+ "
+
- title: June 2019
- items:
- type: markdown
@@ -124,10 +139,6 @@ sections:
text: "
Details Originating update Status History Domain connected devices that use MIT Kerberos realms will not start up HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\MitRealms
+
Back to topOS Build 17763.652
July 22, 2019
KB4505658Resolved
KB4511553Resolved:
August 13, 2019
10:00 AM PT
Opened:
July 25, 2019
06:10 PM PTDevices starting using PXE from a WDS or SCCM servers may fail to start
Back to topOS Build 17763.557
June 11, 2019
KB4503327Resolved
KB4512534Resolved:
August 17, 2019
02:00 PM PT
Opened:
July 10, 2019
02:51 PM PT
"
@@ -138,8 +149,6 @@ sections:
Details Originating update Status History Embedded objects may display incorrectly
Back to topOS Build 17763.316
February 12, 2019
KB4487044Resolved
KB4493509Resolved:
April 09, 2019
10:00 AM PT
Opened:
February 12, 2019
10:00 AM PTError 1309 when installing/uninstalling MSI or MSP files
Back to topOS Build 17763.316
February 12, 2019
KB4487044Resolved
KB4489899Resolved:
March 12, 2019
10:00 AM PT
Opened:
February 12, 2019
10:00 AM PTInternet Explorer may fail to load images
Back to topOS Build 17763.316
February 12, 2019
KB4487044Resolved
KB4482887Resolved:
March 01, 2019
10:00 AM PT
Opened:
February 12, 2019
10:00 AM PTFirst character of the Japanese era name not recognized
Back to topOS Build 17763.316
February 12, 2019
KB4487044Resolved
KB4482887Resolved:
March 01, 2019
10:00 AM PT
Opened:
February 12, 2019
10:00 AM PTApplications using Microsoft Jet database and Access 95 file format stop working
Back to topOS Build 17763.316
February 12, 2019
KB4487044Resolved
KB4482887Resolved:
March 01, 2019
10:00 AM PT
Opened:
February 12, 2019
10:00 AM PT
"
@@ -149,9 +158,5 @@ sections:
text: "
Details Originating update Status History Internet Explorer 11 authentication issue with multiple concurrent logons
Back to topOS Build 17763.253
January 08, 2019
KB4480116Resolved
KB4493509Resolved:
April 09, 2019
10:00 AM PT
Opened:
January 08, 2019
10:00 AM PTMSXML6 may cause applications to stop responding
Back to topOS Build 17763.253
January 08, 2019
KB4480116Resolved
KB4493509Resolved:
April 09, 2019
10:00 AM PT
Opened:
January 08, 2019
10:00 AM PTGlobal DNS outage affects Windows Update customers
Back to topN/A Resolved Resolved:
March 08, 2019
11:15 AM PT
Opened:
January 29, 2019
02:00 PM PTWebpages become unresponsive in Microsoft Edge
Back to topOS Build 17763.253
January 08, 2019
KB4480116Resolved
KB4487044Resolved:
February 12, 2019
10:00 AM PT
Opened:
January 08, 2019
10:00 AM PT
"
diff --git a/windows/release-information/resolved-issues-windows-10-1903.yml b/windows/release-information/resolved-issues-windows-10-1903.yml
index 4e7aae8a05..c2c7870398 100644
--- a/windows/release-information/resolved-issues-windows-10-1903.yml
+++ b/windows/release-information/resolved-issues-windows-10-1903.yml
@@ -32,6 +32,15 @@ sections:
- type: markdown
text: "
Details Originating update Status History Audio not working on monitors or TV connected to a PC via HDMI, USB, or DisplayPort
Back to topOS Build 17763.134
November 13, 2018
KB4467708Resolved Resolved:
May 21, 2019
07:42 AM PT
Opened:
November 13, 2018
10:00 AM PTIssues with lock screen and Microsoft Edge tabs for certain AMD Radeon video cards
Back to topOS Build 17763.134
November 13, 2018
KB4467708Resolved
KB4487044Resolved:
February 12, 2019
10:00 AM PT
Opened:
November 13, 2018
10:00 AM PTShared albums may not sync with iCloud for Windows
Back to topOS Build 17763.134
November 13, 2018
KB4467708Resolved
KB4482887Resolved:
March 01, 2019
10:00 AM PT
Opened:
November 13, 2018
10:00 AM PTIntel Audio Display (intcdaud.sys) notification during Windows 10 Setup
Back to topOS Build 17763.134
November 13, 2018
KB4467708Resolved
KB4482887Resolved:
March 01, 2019
10:00 AM PT
Opened:
November 13, 2018
10:00 AM PTF5 VPN clients losing network connectivity
Back to topOS Build 17763.134
November 13, 2018
KB4467708Resolved
KB4482887Resolved:
March 01, 2019
10:00 AM PT
Opened:
November 13, 2018
10:00 AM PTSummary Originating update Status Date resolved Screenshots and Snips have an unnatural orange tint
Users have reported an orange tint on Screenshots and Snips with the Lenovo Vantage app installed
See details >OS Build 18362.356
September 10, 2019
KB4516115Resolved External September 11, 2019
08:54 PM PTWindows Desktop Search may not return any results and may have high CPU usage
Windows Desktop Search may not return any results and SearchUI.exe may have high CPU usage after installing KB4512941.
See details >OS Build 18362.329
August 30, 2019
KB4512941Resolved
KB4515384September 10, 2019
10:00 AM PTDomain connected devices that use MIT Kerberos realms will not start up
Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating.
See details >OS Build 18362.145
May 29, 2019
KB4497935Resolved
KB4512941August 30, 2019
10:00 AM PTIssues updating when certain versions of Intel storage drivers are installed
Certain versions of Intel Rapid Storage Technology (Intel RST) drivers may cause updating to Windows 10, version 1903 to fail.
See details >OS Build 18362.145
May 29, 2019
KB4497935Resolved
KB4512941August 30, 2019
10:00 AM PTApps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
Applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and VBScript may stop responding and you may receive an error.
See details >OS Build 18362.295
August 13, 2019
KB4512508Resolved
KB4512941August 30, 2019
10:00 AM PTInitiating a Remote Desktop connection may result in black screen
When initiating a Remote Desktop connection to devices with some older GPU drivers, you may receive a black screen.
See details >OS Build 18362.145
May 29, 2019
KB4497935Resolved
KB4512941August 30, 2019
10:00 AM PTWindows Sandbox may fail to start with error code “0x80070002”
Windows Sandbox may fail to start with \"ERROR_FILE_NOT_FOUND (0x80070002)\" on devices in which the operating system language was changed between updates
See details >OS Build 18362.116
May 20, 2019
KB4505057Resolved
KB4512941August 30, 2019
10:00 AM PTDevices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"
See details >OS Build 18362.175
June 11, 2019
KB4503293Resolved
KB4512941August 30, 2019
10:00 AM PTMacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.
See details >OS Build 18362.175
June 11, 2019
KB4503293Resolved External August 09, 2019
07:03 PM PTDisplay brightness may not respond to adjustments
Microsoft and Intel have identified a driver compatibility issue on devices configured with certain Intel display drivers.
See details >OS Build 18362.116
May 21, 2019
KB4505057Resolved
KB4505903July 26, 2019
02:00 PM PTRASMAN service may stop working and result in the error “0xc0000005”
The Remote Access Connection Manager (RASMAN) service may stop working and result in the error “0xc0000005” with VPN profiles configured as an Always On VPN connection.
See details >OS Build 18362.145
May 29, 2019
KB4497935Resolved
KB4505903July 26, 2019
02:00 PM PTLoss of functionality in Dynabook Smartphone Link app
After updating to Windows 10, version 1903, you may experience a loss of functionality when using the Dynabook Smartphone Link application.
See details >OS Build 18362.116
May 20, 2019
KB4505057Resolved July 11, 2019
01:54 PM PT
+ "
+
+- title: August 2019
+- items:
+ - type: markdown
+ text: "
+ Details Originating update Status History Screenshots and Snips have an unnatural orange tint
Back to topOS Build 18362.356
September 10, 2019
KB4516115Resolved External Last updated:
September 11, 2019
08:54 PM PT
Opened:
September 11, 2019
08:54 PM PTWindows Desktop Search may not return any results and may have high CPU usage
Back to topOS Build 18362.329
August 30, 2019
KB4512941Resolved
KB4515384Resolved:
September 10, 2019
10:00 AM PT
Opened:
September 04, 2019
02:25 PM PT
+ "
+
+- title: July 2019
+- items:
+ - type: markdown
+ text: "
+ Details Originating update Status History Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
Back to topOS Build 18362.295
August 13, 2019
KB4512508Resolved
KB4512941Resolved:
August 30, 2019
10:00 AM PT
Opened:
August 14, 2019
03:34 PM PTMacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
Back to topOS Build 18362.175
June 11, 2019
KB4503293Resolved External Last updated:
August 09, 2019
07:03 PM PT
Opened:
August 09, 2019
04:25 PM PT
+ "
+
- title: June 2019
- items:
- type: markdown
@@ -67,6 +109,7 @@ sections:
- type: markdown
text: "
Details Originating update Status History Domain connected devices that use MIT Kerberos realms will not start up HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\MitRealms
+
Back to topOS Build 18362.145
May 29, 2019
KB4497935Resolved
KB4512941Resolved:
August 30, 2019
10:00 AM PT
Opened:
July 25, 2019
06:10 PM PTIssues updating when certain versions of Intel storage drivers are installed
Back to topOS Build 18362.145
May 29, 2019
KB4497935Resolved
KB4512941Resolved:
August 30, 2019
10:00 AM PT
Opened:
July 25, 2019
06:10 PM PTInitiating a Remote Desktop connection may result in black screen
Back to topOS Build 18362.145
May 29, 2019
KB4497935Resolved
KB4512941Resolved:
August 30, 2019
10:00 AM PT
Opened:
July 12, 2019
04:42 PM PTDevices starting using PXE from a WDS or SCCM servers may fail to start
Back to topOS Build 18362.175
June 11, 2019
KB4503293Resolved
KB4512941Resolved:
August 30, 2019
10:00 AM PT
Opened:
July 10, 2019
02:51 PM PTDetails Originating update Status History Windows Sandbox may fail to start with error code “0x80070002”
Back to topOS Build 18362.116
May 20, 2019
KB4505057Resolved
KB4512941Resolved:
August 30, 2019
10:00 AM PT
Opened:
May 24, 2019
04:20 PM PTDisplay brightness may not respond to adjustments
Back to topOS Build 18362.116
May 21, 2019
KB4505057Resolved
KB4505903Resolved:
July 26, 2019
02:00 PM PT
Opened:
May 21, 2019
07:56 AM PTLoss of functionality in Dynabook Smartphone Link app
Back to topOS Build 18362.116
May 20, 2019
KB4505057Resolved Resolved:
July 11, 2019
01:54 PM PT
Opened:
May 24, 2019
03:10 PM PTError attempting to update with external USB device or memory card attached
Back to topOS Build 18362.116
May 21, 2019
KB4505057Resolved Resolved:
July 11, 2019
01:53 PM PT
Opened:
May 21, 2019
07:38 AM PT
"
@@ -60,6 +59,26 @@ sections:
Summary Originating update Status Date resolved Windows updates that are SHA-2 signed may not be offered for Symantec and Norton AV
Windows updates that are SHA-2 signed are not available with Symantec or Norton antivirus program installed
See details >August 13, 2019
KB4512506Resolved External August 27, 2019
02:29 PM PTDevices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"
See details >June 11, 2019
KB4503292Resolved
KB4512514August 17, 2019
02:00 PM PTApps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
Applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and VBScript may stop responding and you may receive an error.
See details >August 13, 2019
KB4512506Resolved
KB4517297August 16, 2019
02:00 PM PTSystem may be unresponsive after restart with certain McAfee antivirus products
Devices with McAfee Endpoint Security Threat Prevention 10.x, Host Intrusion Prevention 8.0, or VirusScan Enterprise 8.8 may be slow or unresponsive at startup.
See details >April 09, 2019
KB4493472Resolved External August 13, 2019
06:59 PM PTMacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.
See details >June 11, 2019
KB4503292Resolved External August 09, 2019
07:03 PM PTIE11 may stop working when loading or interacting with Power BI reports
Power BI reports that contain line charts with markers may cause Internet Explorer 11 to stop working.
See details >May 14, 2019
KB4499164Resolved
KB4503277June 20, 2019
02:00 PM PTEvent Viewer may close or you may receive an error when using Custom Views
When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.
See details >June 11, 2019
KB4503292Resolved
KB4503277June 20, 2019
02:00 PM PTUnable to access some gov.uk websites
gov.uk websites that don’t support “HSTS” may not be accessible
See details >May 14, 2019
KB4499164Resolved
KB4505050May 18, 2019
02:00 PM PTDevices may not respond at login or Welcome screen if running certain Avast software
Devices running Avast for Business, Avast CloudCare, and AVG Business Edition antivirus software may become unresponsive after restart.
See details >April 09, 2019
KB4493472Resolved April 25, 2019
02:00 PM PTNETDOM.EXE fails to run
NETDOM.EXE fails to run and the error, “The command failed to complete successfully.” appears on screen.
See details >March 12, 2019
KB4489878Resolved
KB4493472April 09, 2019
10:00 AM PTCustom URI schemes may not start corresponding application
Custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites in Internet Explorer.
See details >March 12, 2019
KB4489878Resolved
KB4493472April 09, 2019
10:00 AM PTApplications using Microsoft Jet database and Access 95 file format stop working
Applications that use a Microsoft Jet database with the Microsoft Access 95 file format may randomly stop working.
See details >February 12, 2019
KB4486563Resolved
KB4486565February 19, 2019
02:00 PM PTInternet Explorer may fail to load images
Internet Explorer may fail to load images with a backslash (\\) in their relative source path.
See details >February 12, 2019
KB4486563Resolved
KB4486565February 19, 2019
02:00 PM PTFirst character of the Japanese era name not recognized as an abbreviation
The first character of the Japanese era name is not recognized as an abbreviation and may cause date parsing issues.
See details >January 17, 2019
KB4480955Resolved
KB4486565February 19, 2019
02:00 PM PTInternet Explorer 11 authentication issue with multiple concurrent logons
Internet Explorer 11 users may encounter issues if two or more people use the same user account for multiple, concurrent login sessions on the same Windows Server machine.
See details >January 08, 2019
KB4480970Resolved
KB4493472April 09, 2019
10:00 AM PTApplications using Microsoft Jet database fail to open
Applications that use a Microsoft Jet database with the Microsoft Access 97 file format may fail to open if column names are greater than 32 characters.
See details >January 08, 2019
KB4480970Resolved
KB4486563February 12, 2019
10:00 AM PTEvent Viewer may not show some event descriptions for network interface cards
The Event Viewer may not show some event descriptions for network interface cards (NIC).
See details >October 18, 2018
KB4462927Resolved
KB4489878March 12, 2019
10:00 AM PTVirtual machines fail to restore
Virtual machines (VMs) may fail to restore successfully if the VM has been saved and restored once before.
See details >January 08, 2019
KB4480970Resolved
KB4490511February 19, 2019
02:00 PM PT
+ "
+
+- title: July 2019
+- items:
+ - type: markdown
+ text: "
+ Details Originating update Status History Windows updates that are SHA-2 signed may not be offered for Symantec and Norton AV
Back to topAugust 13, 2019
KB4512506Resolved External Last updated:
August 27, 2019
02:29 PM PT
Opened:
August 13, 2019
10:05 AM PTApps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
Back to topAugust 13, 2019
KB4512506Resolved
KB4517297Resolved:
August 16, 2019
02:00 PM PT
Opened:
August 14, 2019
03:34 PM PTMacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
Back to topJune 11, 2019
KB4503292Resolved External Last updated:
August 09, 2019
07:03 PM PT
Opened:
August 09, 2019
04:25 PM PT
+ "
+
- title: June 2019
- items:
- type: markdown
@@ -84,6 +103,7 @@ sections:
- type: markdown
text: "
Details Originating update Status History Devices starting using PXE from a WDS or SCCM servers may fail to start
Back to topJune 11, 2019
KB4503292Resolved
KB4512514Resolved:
August 17, 2019
02:00 PM PT
Opened:
July 10, 2019
02:51 PM PTDetails Originating update Status History System may be unresponsive after restart with certain McAfee antivirus products
Back to topApril 09, 2019
KB4493472Resolved External Last updated:
August 13, 2019
06:59 PM PT
Opened:
April 09, 2019
10:00 AM PTSystem may be unresponsive after restart if ArcaBit antivirus software installed
Back to topApril 09, 2019
KB4493472Resolved Resolved:
May 14, 2019
01:23 PM PT
Opened:
April 09, 2019
10:00 AM PTSystem unresponsive after restart if Sophos Endpoint Protection installed
Back to topApril 09, 2019
KB4493472Resolved Resolved:
May 14, 2019
01:22 PM PT
Opened:
April 09, 2019
10:00 AM PTSystem may be unresponsive after restart if Avira antivirus software installed
Back to topApril 09, 2019
KB4493472Resolved Resolved:
May 14, 2019
01:21 PM PT
Opened:
April 09, 2019
10:00 AM PT
"
@@ -118,18 +136,6 @@ sections:
- type: markdown
text: "
Details Originating update Status History Embedded objects may display incorrectly
Back to topFebruary 12, 2019
KB4486563Resolved
KB4493472Resolved:
April 09, 2019
10:00 AM PT
Opened:
February 12, 2019
10:00 AM PTApplications using Microsoft Jet database and Access 95 file format stop working
Back to topFebruary 12, 2019
KB4486563Resolved
KB4486565Resolved:
February 19, 2019
02:00 PM PT
Opened:
February 12, 2019
10:00 AM PTInternet Explorer may fail to load images
Back to topFebruary 12, 2019
KB4486563Resolved
KB4486565Resolved:
February 19, 2019
02:00 PM PT
Opened:
February 12, 2019
10:00 AM PT
- "
-
-- title: October 2018
-- items:
- - type: markdown
- text: "
- Details Originating update Status History First character of the Japanese era name not recognized as an abbreviation
Back to topJanuary 17, 2019
KB4480955Resolved
KB4486565Resolved:
February 19, 2019
02:00 PM PT
Opened:
January 17, 2019
10:00 AM PTInternet Explorer 11 authentication issue with multiple concurrent logons
Back to topJanuary 08, 2019
KB4480970Resolved
KB4493472Resolved:
April 09, 2019
10:00 AM PT
Opened:
January 08, 2019
10:00 AM PTApplications using Microsoft Jet database fail to open
Back to topJanuary 08, 2019
KB4480970Resolved
KB4486563Resolved:
February 12, 2019
10:00 AM PT
Opened:
January 08, 2019
10:00 AM PTVirtual machines fail to restore
Back to topJanuary 08, 2019
KB4480970Resolved
KB4490511Resolved:
February 19, 2019
02:00 PM PT
Opened:
January 08, 2019
10:00 AM PT
"
diff --git a/windows/release-information/resolved-issues-windows-8.1-and-windows-server-2012-r2.yml b/windows/release-information/resolved-issues-windows-8.1-and-windows-server-2012-r2.yml
index dc386260cc..6255d324e1 100644
--- a/windows/release-information/resolved-issues-windows-8.1-and-windows-server-2012-r2.yml
+++ b/windows/release-information/resolved-issues-windows-8.1-and-windows-server-2012-r2.yml
@@ -32,6 +32,10 @@ sections:
- type: markdown
text: "
Details Originating update Status History Event Viewer may not show some event descriptions for network interface cards
Back to topOctober 18, 2018
KB4462927Resolved
KB4489878Resolved:
March 12, 2019
10:00 AM PT
Opened:
October 18, 2018
10:00 AM PT
"
@@ -61,6 +60,25 @@ sections:
Summary Originating update Status Date resolved Devices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"
See details >June 11, 2019
KB4503276Resolved
KB4512478August 17, 2019
02:00 PM PTApps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
Applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and VBScript may stop responding and you may receive an error.
See details >August 13, 2019
KB4512488Resolved
KB4517298August 16, 2019
02:00 PM PTSystem may be unresponsive after restart with certain McAfee antivirus products
Devices with McAfee Endpoint Security Threat Prevention 10.x, Host Intrusion Prevention 8.0, or VirusScan Enterprise 8.8 may be slow or unresponsive at startup.
See details >April 09, 2019
KB4493446Resolved External August 13, 2019
06:59 PM PTMacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.
See details >June 11, 2019
KB4503276Resolved External August 09, 2019
07:03 PM PTIE11 may stop working when loading or interacting with Power BI reports
Power BI reports that contain line charts with markers may cause Internet Explorer 11 to stop working.
See details >May 14, 2019
KB4499151Resolved
KB4503283June 20, 2019
02:00 PM PTEvent Viewer may close or you may receive an error when using Custom Views
When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.
See details >June 11, 2019
KB4503276Resolved
KB4503283June 20, 2019
02:00 PM PTIssue using PXE to start a device from WDS
There may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension.
See details >March 12, 2019
KB4489881Resolved
KB4503276June 11, 2019
10:00 AM PTSystem may be unresponsive after restart if ArcaBit antivirus software installed
Devices with ArcaBit antivirus software installed may become unresponsive upon restart.
See details >April 09, 2019
KB4493446Resolved May 14, 2019
01:22 PM PTSystem unresponsive after restart if Sophos Endpoint Protection installed
Devices with Sophos Endpoint Protection installed and managed by Sophos Central or Sophos Enterprise Console (SEC) may become unresponsive upon restart.
See details >April 09, 2019
KB4493446Resolved May 14, 2019
01:22 PM PTSystem may be unresponsive after restart if Avira antivirus software installed
Devices with Avira antivirus software installed may become unresponsive upon restart.
See details >April 09, 2019
KB4493446Resolved May 14, 2019
01:21 PM PTInternet Explorer may fail to load images
Internet Explorer may fail to load images with a backslash (\\) in their relative source path.
See details >February 12, 2019
KB4487000Resolved
KB4487016February 19, 2019
02:00 PM PTFirst character of the Japanese era name not recognized as an abbreviation
The first character of the Japanese era name is not recognized as an abbreviation and may cause date parsing issues.
See details >January 15, 2019
KB4480969Resolved
KB4487016February 19, 2019
02:00 PM PTEmbedded objects may display incorrectly
Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly.
See details >February 12, 2019
KB4487000Resolved
KB4493446April 09, 2019
10:00 AM PTDevices may not respond at login or Welcome screen if running certain Avast software
Devices running Avast for Business, Avast CloudCare, and AVG Business Edition antivirus software may become unresponsive after restart.
See details >April 09, 2019
KB4493446Resolved April 25, 2019
02:00 PM PTDevices with winsock kernel client may receive error
Devices with a winsock kernel client may receive D1, FC, and other errors.
See details >March 12, 2019
KB4489881Resolved
KB4489893March 19, 2019
10:00 AM PTCustom URI schemes may not start corresponding application
Custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites in Internet Explorer.
See details >March 12, 2019
KB4489881Resolved
KB4493446April 09, 2019
10:00 AM PTError 1309 when installing/uninstalling MSI or MSP files
Users may receive “Error 1309” while installing or uninstalling certain types of MSI and MSP files.
See details >February 19, 2019
KB4487016Resolved
KB4489881March 12, 2019
10:00 AM PTMSXML6 may cause applications to stop responding.
MSXML6 may cause applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode().
See details >January 08, 2019
KB4480963Resolved
KB4493446April 09, 2019
10:00 AM PTInternet Explorer 11 authentication issue with multiple concurrent logons
Internet Explorer 11 users may encounter issues if two or more people use the same user account for multiple, concurrent login sessions on the same Windows Server machine.
See details >January 08, 2019
KB4480963Resolved
KB4493446April 09, 2019
10:00 AM PTVirtual machines fail to restore
Virtual machines (VMs) may fail to restore successfully if the VM has been saved and restored once before.
See details >January 08, 2019
KB4480963Resolved
KB4490512February 19, 2019
02:00 PM PTApplications using Microsoft Jet database fail to open
Applications that use a Microsoft Jet database with the Microsoft Access 97 file format may fail to open if column names are greater than 32 characters.
See details >January 08, 2019
KB4480963Resolved
KB4487000February 12, 2019
10:00 AM PT
+ "
+
+- title: July 2019
+- items:
+ - type: markdown
+ text: "
+ Details Originating update Status History Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
Back to topAugust 13, 2019
KB4512488Resolved
KB4517298Resolved:
August 16, 2019
02:00 PM PT
Opened:
August 14, 2019
03:34 PM PTMacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
Back to topJune 11, 2019
KB4503276Resolved External Last updated:
August 09, 2019
07:03 PM PT
Opened:
August 09, 2019
04:25 PM PT
+ "
+
- title: June 2019
- items:
- type: markdown
@@ -86,6 +104,7 @@ sections:
- type: markdown
text: "
Details Originating update Status History Devices starting using PXE from a WDS or SCCM servers may fail to start
Back to topJune 11, 2019
KB4503276Resolved
KB4512478Resolved:
August 17, 2019
02:00 PM PT
Opened:
July 10, 2019
02:51 PM PTDetails Originating update Status History System may be unresponsive after restart with certain McAfee antivirus products
Back to topApril 09, 2019
KB4493446Resolved External Last updated:
August 13, 2019
06:59 PM PT
Opened:
April 09, 2019
10:00 AM PTSystem may be unresponsive after restart if ArcaBit antivirus software installed
Back to topApril 09, 2019
KB4493446Resolved Resolved:
May 14, 2019
01:22 PM PT
Opened:
April 09, 2019
10:00 AM PTSystem unresponsive after restart if Sophos Endpoint Protection installed
Back to topApril 09, 2019
KB4493446Resolved Resolved:
May 14, 2019
01:22 PM PT
Opened:
April 09, 2019
10:00 AM PTSystem may be unresponsive after restart if Avira antivirus software installed
Back to topApril 09, 2019
KB4493446Resolved Resolved:
May 14, 2019
01:21 PM PT
Opened:
April 09, 2019
10:00 AM PT
"
@@ -120,10 +137,7 @@ sections:
- type: markdown
text: "
Details Originating update Status History Internet Explorer may fail to load images
Back to topFebruary 12, 2019
KB4487000Resolved
KB4487016Resolved:
February 19, 2019
02:00 PM PT
Opened:
February 12, 2019
10:00 AM PTEmbedded objects may display incorrectly
Back to topFebruary 12, 2019
KB4487000Resolved
KB4493446Resolved:
April 09, 2019
10:00 AM PT
Opened:
February 12, 2019
10:00 AM PTError 1309 when installing/uninstalling MSI or MSP files
Back to topFebruary 19, 2019
KB4487016Resolved
KB4489881Resolved:
March 12, 2019
10:00 AM PT
Opened:
February 19, 2019
02:00 PM PT
"
diff --git a/windows/release-information/resolved-issues-windows-server-2008-sp2.yml b/windows/release-information/resolved-issues-windows-server-2008-sp2.yml
index 1a7ffb0d7a..f81be52e89 100644
--- a/windows/release-information/resolved-issues-windows-server-2008-sp2.yml
+++ b/windows/release-information/resolved-issues-windows-server-2008-sp2.yml
@@ -32,16 +32,15 @@ sections:
- type: markdown
text: "
Details Originating update Status History First character of the Japanese era name not recognized as an abbreviation
Back to topJanuary 15, 2019
KB4480969Resolved
KB4487016Resolved:
February 19, 2019
02:00 PM PT
Opened:
January 15, 2019
10:00 AM PTMSXML6 may cause applications to stop responding.
Back to topJanuary 08, 2019
KB4480963Resolved
KB4493446Resolved:
April 09, 2019
10:00 AM PT
Opened:
January 08, 2019
10:00 AM PTInternet Explorer 11 authentication issue with multiple concurrent logons
Back to topJanuary 08, 2019
KB4480963Resolved
KB4493446Resolved:
April 09, 2019
10:00 AM PT
Opened:
January 08, 2019
10:00 AM PTVirtual machines fail to restore
Back to topJanuary 08, 2019
KB4480963Resolved
KB4490512Resolved:
February 19, 2019
02:00 PM PT
Opened:
January 08, 2019
10:00 AM PTApplications using Microsoft Jet database fail to open
Back to topJanuary 08, 2019
KB4480963Resolved
KB4487000Resolved:
February 12, 2019
10:00 AM PT
Opened:
January 08, 2019
10:00 AM PT
"
@@ -52,6 +51,25 @@ sections:
Summary Originating update Status Date resolved Devices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"
See details >June 11, 2019
KB4503273Resolved
KB4512499August 17, 2019
02:00 PM PTApps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
Applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and VBScript may stop responding and you may receive an error.
See details >August 13, 2019
KB4512476Resolved
KB4517301August 16, 2019
02:00 PM PTMacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.
See details >June 11, 2019
KB4503273Resolved External August 09, 2019
07:03 PM PTEvent Viewer may close or you may receive an error when using Custom Views
When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.
See details >June 11, 2019
KB4503273Resolved
KB4503271June 20, 2019
02:00 PM PTSystem unresponsive after restart if Sophos Endpoint Protection installed
Devices with Sophos Endpoint Protection installed and managed by Sophos Central or Sophos Enterprise Console (SEC) may become unresponsive upon restart.
See details >April 09, 2019
KB4493471Resolved May 14, 2019
01:21 PM PTSystem may be unresponsive after restart if Avira antivirus software installed
Devices with Avira antivirus software installed may become unresponsive upon restart.
See details >April 09, 2019
KB4493471Resolved May 14, 2019
01:19 PM PTAuthentication may fail for services after the Kerberos ticket expires
Authentication may fail for services that require unconstrained delegation after the Kerberos ticket expires.
See details >March 12, 2019
KB4489880Resolved
KB4499149May 14, 2019
10:00 AM PTNETDOM.EXE fails to run
NETDOM.EXE fails to run and the error, “The command failed to complete successfully.” appears on screen.
See details >March 12, 2019
KB4489880Resolved
KB4493471April 09, 2019
10:00 AM PTApplications using Microsoft Jet database and Access 95 file format stop working
Applications that use a Microsoft Jet database with the Microsoft Access 95 file format may randomly stop working.
See details >February 12, 2019
KB4487023Resolved
KB4487022February 19, 2019
02:00 PM PTFirst character of the Japanese era name not recognized as an abbreviation
The first character of the Japanese era name is not recognized as an abbreviation and may cause date parsing issues.
See details >January 17, 2019
KB4480974Resolved
KB4489880March 12, 2019
10:00 AM PTEmbedded objects may display incorrectly
Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly.
See details >February 12, 2019
KB4487023Resolved
KB4493471April 09, 2019
10:00 AM PTVirtual machines fail to restore
Virtual machines (VMs) may fail to restore successfully if the VM has been saved and restored once before.
See details >January 08, 2019
KB4480968Resolved
KB4490514February 19, 2019
02:00 PM PTApplications using Microsoft Jet database fail to open
Applications that use a Microsoft Jet database with the Microsoft Access 97 file format may fail to open if column names are greater than 32 characters.
See details >January 08, 2019
KB4480968Resolved
KB4487023February 12, 2019
10:00 AM PT
+ "
+
+- title: July 2019
+- items:
+ - type: markdown
+ text: "
+ Details Originating update Status History Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
Back to topAugust 13, 2019
KB4512476Resolved
KB4517301Resolved:
August 16, 2019
02:00 PM PT
Opened:
August 14, 2019
03:34 PM PTMacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
Back to topJune 11, 2019
KB4503273Resolved External Last updated:
August 09, 2019
07:03 PM PT
Opened:
August 09, 2019
04:25 PM PT
+ "
+
- title: June 2019
- items:
- type: markdown
@@ -86,18 +104,6 @@ sections:
- type: markdown
text: "
Details Originating update Status History Devices starting using PXE from a WDS or SCCM servers may fail to start
Back to topJune 11, 2019
KB4503273Resolved
KB4512499Resolved:
August 17, 2019
02:00 PM PT
Opened:
July 10, 2019
02:51 PM PT
"
-
-- title: January 2019
-- items:
- - type: markdown
- text: "
- Details Originating update Status History Applications using Microsoft Jet database and Access 95 file format stop working
Back to topFebruary 12, 2019
KB4487023Resolved
KB4487022Resolved:
February 19, 2019
02:00 PM PT
Opened:
February 12, 2019
10:00 AM PTEmbedded objects may display incorrectly
Back to topFebruary 12, 2019
KB4487023Resolved
KB4493471Resolved:
April 09, 2019
10:00 AM PT
Opened:
February 12, 2019
10:00 AM PT
- "
diff --git a/windows/release-information/resolved-issues-windows-server-2012.yml b/windows/release-information/resolved-issues-windows-server-2012.yml
index b46a4674bf..bb1c5a4635 100644
--- a/windows/release-information/resolved-issues-windows-server-2012.yml
+++ b/windows/release-information/resolved-issues-windows-server-2012.yml
@@ -32,6 +32,9 @@ sections:
- type: markdown
text: "
Details Originating update Status History First character of the Japanese era name not recognized as an abbreviation
Back to topJanuary 17, 2019
KB4480974Resolved
KB4489880Resolved:
March 12, 2019
10:00 AM PT
Opened:
January 17, 2019
10:00 AM PTVirtual machines fail to restore
Back to topJanuary 08, 2019
KB4480968Resolved
KB4490514Resolved:
February 19, 2019
02:00 PM PT
Opened:
January 08, 2019
10:00 AM PTApplications using Microsoft Jet database fail to open
Back to topJanuary 08, 2019
KB4480968Resolved
KB4487023Resolved:
February 12, 2019
10:00 AM PT
Opened:
January 08, 2019
10:00 AM PT
"
@@ -59,6 +56,25 @@ sections:
Summary Originating update Status Date resolved Devices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"
See details >June 11, 2019
KB4503285Resolved
KB4512512August 17, 2019
02:00 PM PTApps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
Applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and VBScript may stop responding and you may receive an error.
See details >August 13, 2019
KB4512518Resolved
KB4517302August 16, 2019
02:00 PM PTMacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.
See details >June 11, 2019
KB4503285Resolved External August 09, 2019
07:03 PM PTSome devices and generation 2 Hyper-V VMs may have issues installing updates
Some devices and generation 2 Hyper-V virtual machines (VMs) may have issues installing some updates when Secure Boot is enabled.
See details >June 11, 2019
KB4503285Resolved
KB4503295June 21, 2019
02:00 PM PTIE11 may stop working when loading or interacting with Power BI reports
Power BI reports that contain line charts with markers may cause Internet Explorer 11 to stop working.
See details >May 14, 2019
KB4499171Resolved
KB4503295June 21, 2019
02:00 PM PTEvent Viewer may close or you may receive an error when using Custom Views
When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.
See details >June 11, 2019
KB4503285Resolved
KB4503295June 20, 2019
02:00 PM PTLayout and cell size of Excel sheets may change when using MS UI Gothic
When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel.
See details >April 25, 2019
KB4493462Resolved
KB4499171May 14, 2019
10:00 AM PTSystem unresponsive after restart if Sophos Endpoint Protection installed
Devices with Sophos Endpoint Protection installed and managed by Sophos Central or Sophos Enterprise Console (SEC) may become unresponsive upon restart.
See details >April 09, 2019
KB4493451Resolved May 14, 2019
01:21 PM PTSystem may be unresponsive after restart if Avira antivirus software installed
Devices with Avira antivirus software installed may become unresponsive upon restart.
See details >April 09, 2019
KB4493451Resolved May 14, 2019
01:19 PM PTApplications using Microsoft Jet database and Access 95 file format stop working
Applications that use a Microsoft Jet database with the Microsoft Access 95 file format may randomly stop working.
See details >February 12, 2019
KB4487025Resolved
KB4487024February 19, 2019
02:00 PM PTFirst character of the Japanese era name not recognized as an abbreviation
The first character of the Japanese era name is not recognized as an abbreviation and may cause date parsing issues.
See details >January 15, 2019
KB4480971Resolved
KB4487024February 19, 2019
02:00 PM PTEmbedded objects may display incorrectly
Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly.
See details >February 12, 2019
KB4487025Resolved
KB4493451April 09, 2019
10:00 AM PTError 1309 when installing/uninstalling MSI or MSP files
Users may receive “Error 1309” while installing or uninstalling certain types of MSI and MSP files.
See details >February 12, 2019
KB4487025Resolved
KB4489891March 12, 2019
10:00 AM PTInternet Explorer 11 authentication issue with multiple concurrent logons
Internet Explorer 11 users may encounter issues if two or more people use the same user account for multiple, concurrent login sessions on the same Windows Server machine.
See details >January 08, 2019
KB4480975Resolved
KB4493451April 09, 2019
10:00 AM PTMSXML6 may cause applications to stop responding
MSXML6 may cause applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode().
See details >January 08, 2019
KB4480975Resolved
KB4493451April 09, 2019
10:00 AM PTVirtual machines fail to restore
Virtual machines (VMs) may fail to restore successfully if the VM has been saved and restored once before.
See details >January 08, 2019
KB4480975Resolved
KB4490516February 19, 2019
02:00 PM PTApplications using Microsoft Jet database fail to open
Applications that use a Microsoft Jet database with the Microsoft Access 97 file format may fail to open if column names are greater than 32 characters.
See details >January 08, 2019
KB4480975Resolved
KB4487025February 12, 2019
10:00 AM PTEvent Viewer may not show some event descriptions for network interface cards
The Event Viewer may not show some event descriptions for network interface cards (NIC).
See details >September 11, 2018
KB4457135Resolved
KB4489891March 12, 2019
10:00 AM PT
+ "
+
+- title: July 2019
+- items:
+ - type: markdown
+ text: "
+ Details Originating update Status History Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
Back to topAugust 13, 2019
KB4512518Resolved
KB4517302Resolved:
August 16, 2019
02:00 PM PT
Opened:
August 14, 2019
03:34 PM PTMacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
Back to topJune 11, 2019
KB4503285Resolved External Last updated:
August 09, 2019
07:03 PM PT
Opened:
August 09, 2019
04:25 PM PT
+ "
+
- title: June 2019
- items:
- type: markdown
@@ -104,9 +120,7 @@ sections:
- type: markdown
text: "
Details Originating update Status History Devices starting using PXE from a WDS or SCCM servers may fail to start
Back to topJune 11, 2019
KB4503285Resolved
KB4512512Resolved:
August 17, 2019
02:00 PM PT
Opened:
July 10, 2019
02:51 PM PT
"
@@ -115,19 +129,7 @@ sections:
- type: markdown
text: "
Details Originating update Status History Applications using Microsoft Jet database and Access 95 file format stop working
Back to topFebruary 12, 2019
KB4487025Resolved
KB4487024Resolved:
February 19, 2019
02:00 PM PT
Opened:
February 12, 2019
10:00 AM PTEmbedded objects may display incorrectly
Back to topFebruary 12, 2019
KB4487025Resolved
KB4493451Resolved:
April 09, 2019
10:00 AM PT
Opened:
February 12, 2019
10:00 AM PTError 1309 when installing/uninstalling MSI or MSP files
Back to topFebruary 12, 2019
KB4487025Resolved
KB4489891Resolved:
March 12, 2019
10:00 AM PT
Opened:
February 12, 2019
10:00 AM PT
- "
-
-- title: September 2018
-- items:
- - type: markdown
- text: "
- Details Originating update Status History First character of the Japanese era name not recognized as an abbreviation
Back to topJanuary 15, 2019
KB4480971Resolved
KB4487024Resolved:
February 19, 2019
02:00 PM PT
Opened:
January 15, 2019
10:00 AM PTInternet Explorer 11 authentication issue with multiple concurrent logons
Back to topJanuary 08, 2019
KB4480975Resolved
KB4493451Resolved:
April 09, 2019
10:00 AM PT
Opened:
January 08, 2019
10:00 AM PTMSXML6 may cause applications to stop responding
Back to topJanuary 08, 2019
KB4480975Resolved
KB4493451Resolved:
April 09, 2019
10:00 AM PT
Opened:
January 08, 2019
10:00 AM PTVirtual machines fail to restore
Back to topJanuary 08, 2019
KB4480975Resolved
KB4490516Resolved:
February 19, 2019
02:00 PM PT
Opened:
January 08, 2019
10:00 AM PTApplications using Microsoft Jet database fail to open
Back to topJanuary 08, 2019
KB4480975Resolved
KB4487025Resolved:
February 12, 2019
10:00 AM PT
Opened:
January 08, 2019
10:00 AM PT
"
diff --git a/windows/release-information/status-windows-10-1507.yml b/windows/release-information/status-windows-10-1507.yml
index 9f116c65f8..88f03f07b7 100644
--- a/windows/release-information/status-windows-10-1507.yml
+++ b/windows/release-information/status-windows-10-1507.yml
@@ -60,7 +60,6 @@ sections:
- type: markdown
text: "Details Originating update Status History Event Viewer may not show some event descriptions for network interface cards
Back to topSeptember 11, 2018
KB4457135Resolved
KB4489891Resolved:
March 12, 2019
10:00 AM PT
Opened:
September 11, 2018
10:00 AM PT
"
@@ -72,15 +71,6 @@ sections:
Summary Originating update Status Last updated Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.
See details >OS Build 10240.18244
June 11, 2019
KB4503291Resolved
KB4507458July 09, 2019
10:00 AM PTCertain operations performed on a Cluster Shared Volume may fail
Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\".
See details >OS Build 10240.18094
January 08, 2019
KB4480962Mitigated April 25, 2019
02:00 PM PT
- "
-
- title: January 2019
- items:
- type: markdown
diff --git a/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml b/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml
index 4bfa74c40c..f2f699cd5b 100644
--- a/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml
+++ b/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml
@@ -60,12 +60,10 @@ sections:
- type: markdown
text: "Details Originating update Status History Event Viewer may close or you may receive an error when using Custom Views
Back to topOS Build 10240.18244
June 11, 2019
KB4503291Resolved
KB4507458Resolved:
July 09, 2019
10:00 AM PT
Opened:
June 12, 2019
11:11 AM PT
Summary Originating update Status Last updated Domain connected devices that use MIT Kerberos realms will not start up
Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating.
See details >OS Build 14393.3115
July 16, 2019
KB4507459Investigating August 01, 2019
06:12 PM PTInternet Explorer 11 and apps using the WebBrowser control may fail to render
JavaScript may fail to render as expected in Internet Explorer 11 and in apps using JavaScript or the WebBrowser control.
See details >OS Build 14393.3085
July 09, 2019
KB4507460Mitigated July 26, 2019
04:58 PM PTSCVMM cannot enumerate and manage logical switches deployed on the host
For hosts managed by System Center Virtual Machine Manager (VMM), VMM cannot enumerate and manage logical switches deployed on the host.
See details >OS Build 14393.2639
November 27, 2018
KB4467684Resolved
KB4507459July 16, 2019
10:00 AM PTSome applications may fail to run as expected on clients of AD FS 2016
Some applications may fail to run as expected on clients of Active Directory Federation Services 2016 (AD FS 2016)
See details >OS Build 14393.2941
April 25, 2019
KB4493473Resolved
KB4507459July 16, 2019
10:00 AM PTDevices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"
See details >OS Build 14393.3025
June 11, 2019
KB4503267Mitigated July 10, 2019
07:09 PM PTDevices with Hyper-V enabled may receive BitLocker error 0xC0210000
Some devices with Hyper-V enabled may start into BitLocker recovery with error 0xC0210000.
See details >OS Build 14393.2969
May 14, 2019
KB4494440Resolved
KB4507460July 09, 2019
10:00 AM PTIME may become unresponsive or have High CPU usage
Some Input Method Editor (IME) including ChsIME.EXE and ChtIME.EXE, may become unresponsive or may have high CPU usage.
See details >OS Build 14393.3204
September 10, 2019
KB4516044Resolved September 17, 2019
04:47 PM PTApps and scripts using the NetQueryDisplayInformation API may fail with error
Applications and scripts that call the NetQueryDisplayInformation API or the WinNT provider equivalent may fail to return results after the first page of data.
See details >OS Build 14393.3053
June 18, 2019
KB4503294Resolved
KB4516044September 10, 2019
10:00 AM PTDomain connected devices that use MIT Kerberos realms will not start up
Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating.
See details >OS Build 14393.3115
July 16, 2019
KB4507459Resolved
KB4512517August 13, 2019
10:00 AM PTDevices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"
See details >OS Build 14393.3025
June 11, 2019
KB4503267Resolved
KB4512495August 17, 2019
02:00 PM PTCertain operations performed on a Cluster Shared Volume may fail
Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\".
See details >OS Build 14393.2724
January 08, 2019
KB4480961Mitigated April 25, 2019
02:00 PM PTWindows may not start on certain Lenovo and Fujitsu laptops with less than 8GB of RAM
Windows may fail to start on certain Lenovo and Fujitsu laptops that have less than 8 GB of RAM.
See details >OS Build 14393.2608
November 13, 2018
KB4467691Mitigated February 19, 2019
10:00 AM PTCluster service may fail if the minimum password length is set to greater than 14
The cluster service may fail to start with the error “2245 (NERR_PasswordTooShort)” if the Group Policy “Minimum Password Length” is configured with greater than 14 characters.
See details >OS Build 14393.2639
November 27, 2018
KB4467684Mitigated April 25, 2019
02:00 PM PT
+ "
+
+- title: August 2019
+- items:
+ - type: markdown
+ text: "
+ Details Originating update Status History IME may become unresponsive or have High CPU usage
Back to topOS Build 14393.3204
September 10, 2019
KB4516044Resolved Resolved:
September 17, 2019
04:47 PM PT
Opened:
September 13, 2019
05:25 PM PT
+ "
+
- title: July 2019
- items:
- type: markdown
text: "
Details Originating update Status History Apps and scripts using the NetQueryDisplayInformation API may fail with error
Back to topOS Build 14393.3053
June 18, 2019
KB4503294Resolved
KB4516044Resolved:
September 10, 2019
10:00 AM PT
Opened:
August 01, 2019
05:00 PM PT
- "
-
-- title: June 2019
-- items:
- - type: markdown
- text: "
- Details Originating update Status History Domain connected devices that use MIT Kerberos realms will not start up
Back to topOS Build 14393.3115
July 16, 2019
KB4507459Investigating Last updated:
August 01, 2019
06:12 PM PT
Opened:
July 25, 2019
06:10 PM PTInternet Explorer 11 and apps using the WebBrowser control may fail to render
Back to topOS Build 14393.3085
July 09, 2019
KB4507460Mitigated Last updated:
July 26, 2019
04:58 PM PT
Opened:
July 26, 2019
04:58 PM PTDevices starting using PXE from a WDS or SCCM servers may fail to start
Back to topOS Build 14393.3025
June 11, 2019
KB4503267Mitigated Last updated:
July 10, 2019
07:09 PM PT
Opened:
July 10, 2019
02:51 PM PT
- "
-
-- title: May 2019
-- items:
- - type: markdown
- text: "
- Details Originating update Status History Some applications may fail to run as expected on clients of AD FS 2016
Back to topOS Build 14393.2941
April 25, 2019
KB4493473Resolved
KB4507459Resolved:
July 16, 2019
10:00 AM PT
Opened:
June 04, 2019
05:55 PM PT
"
@@ -122,7 +120,6 @@ sections:
- type: markdown
text: "
Details Originating update Status History Devices with Hyper-V enabled may receive BitLocker error 0xC0210000
Back to topOS Build 14393.2969
May 14, 2019
KB4494440Resolved
KB4507460Resolved:
July 09, 2019
10:00 AM PT
Opened:
May 21, 2019
08:50 AM PTDomain connected devices that use MIT Kerberos realms will not start up HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\MitRealms
+
Back to topOS Build 14393.3115
July 16, 2019
KB4507459Resolved
KB4512517Resolved:
August 13, 2019
10:00 AM PT
Opened:
July 25, 2019
06:10 PM PTDevices starting using PXE from a WDS or SCCM servers may fail to start
Back to topOS Build 14393.3025
June 11, 2019
KB4503267Resolved
KB4512495Resolved:
August 17, 2019
02:00 PM PT
Opened:
July 10, 2019
02:51 PM PT
diff --git a/windows/release-information/status-windows-10-1703.yml b/windows/release-information/status-windows-10-1703.yml
index 4dbe8ada26..c9f01b66d5 100644
--- a/windows/release-information/status-windows-10-1703.yml
+++ b/windows/release-information/status-windows-10-1703.yml
@@ -20,6 +20,12 @@ sections:
text: "
Find information on known issues for Windows 10, version 1703. Looking for a specific issue? Press CTRL + F (or Command + F if you are using a Mac) and enter your search term(s).
+ Details Originating update Status History SCVMM cannot enumerate and manage logical switches deployed on the host
Back to topOS Build 14393.2639
November 27, 2018
KB4467684Resolved
KB4507459Resolved:
July 16, 2019
10:00 AM PT
Opened:
November 27, 2018
10:00 AM PTWindows may not start on certain Lenovo and Fujitsu laptops with less than 8GB of RAM
Back to topOS Build 14393.2608
November 13, 2018
KB4467691Mitigated Last updated:
February 19, 2019
10:00 AM PT
Opened:
November 13, 2018
10:00 AM PTCluster service may fail if the minimum password length is set to greater than 14
Back to topOS Build 14393.2639
November 27, 2018
KB4467684Mitigated Last updated:
April 25, 2019
02:00 PM PT
Opened:
November 27, 2018
10:00 AM PT
+
"
- items:
@@ -60,8 +66,8 @@ sections:
- type: markdown
text: "
+ Current status as of August 23, 2019:
+
There is no extended support available for any edition of Windows 10, version 1703. Therefore, it will no longer be supported after October 9, 2019 and will not receive monthly security and quality updates containing protections from the latest security threats.
To continue receiving security and quality updates, Microsoft recommends that you update your devices to the latest version of Windows 10. For more information on end of service dates and currently supported versions of Windows 10, see the Windows lifecycle fact sheet.
+
"
@@ -73,21 +79,22 @@ sections:
Summary Originating update Status Last updated Domain connected devices that use MIT Kerberos realms will not start up
Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating.
See details >OS Build 15063.1955
July 16, 2019
KB4507467Investigating August 01, 2019
06:12 PM PTDevices with Hyper-V enabled may receive BitLocker error 0xC0210000
Some devices with Hyper-V enabled may start into BitLocker recovery with error 0xC0210000.
See details >OS Build 15063.1805
May 14, 2019
KB4499181Resolved
KB4507450July 09, 2019
10:00 AM PTIME may become unresponsive or have High CPU usage
Some Input Method Editor (IME) including ChsIME.EXE and ChtIME.EXE, may become unresponsive or may have high CPU usage.
See details >OS Build 15063.2045
September 10, 2019
KB4516068Resolved September 17, 2019
04:47 PM PTDomain connected devices that use MIT Kerberos realms will not start up
Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating.
See details >OS Build 15063.1955
July 16, 2019
KB4507467Resolved
KB4512507August 13, 2019
10:00 AM PTCertain operations performed on a Cluster Shared Volume may fail
Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\".
See details >OS Build 15063.1563
January 08, 2019
KB4480973Mitigated April 25, 2019
02:00 PM PT
+ "
+
- title: July 2019
- items:
- type: markdown
text: "
Details Originating update Status History IME may become unresponsive or have High CPU usage
Back to topOS Build 15063.2045
September 10, 2019
KB4516068Resolved Resolved:
September 17, 2019
04:47 PM PT
Opened:
September 13, 2019
05:25 PM PT
- "
-
-- title: May 2019
-- items:
- - type: markdown
- text: "
- Details Originating update Status History Domain connected devices that use MIT Kerberos realms will not start up
Back to topOS Build 15063.1955
July 16, 2019
KB4507467Investigating Last updated:
August 01, 2019
06:12 PM PT
Opened:
July 25, 2019
06:10 PM PT
"
diff --git a/windows/release-information/status-windows-10-1709.yml b/windows/release-information/status-windows-10-1709.yml
index cee8270547..9bd26e7699 100644
--- a/windows/release-information/status-windows-10-1709.yml
+++ b/windows/release-information/status-windows-10-1709.yml
@@ -60,8 +60,9 @@ sections:
- type: markdown
text: "Details Originating update Status History Devices with Hyper-V enabled may receive BitLocker error 0xC0210000
Back to topOS Build 15063.1805
May 14, 2019
KB4499181Resolved
KB4507450Resolved:
July 09, 2019
10:00 AM PT
Opened:
May 21, 2019
08:50 AM PTDomain connected devices that use MIT Kerberos realms will not start up HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\MitRealms
+
Back to topOS Build 15063.1955
July 16, 2019
KB4507467Resolved
KB4512507Resolved:
August 13, 2019
10:00 AM PT
Opened:
July 25, 2019
06:10 PM PT
"
@@ -73,13 +74,23 @@ sections:
Summary Originating update Status Last updated Domain connected devices that use MIT Kerberos realms will not start up
Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating.
See details >OS Build 16299.1296
July 16, 2019
KB4507465Investigating August 01, 2019
06:12 PM PTDevices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"
See details >OS Build 16299.1217
June 11, 2019
KB4503284Mitigated July 10, 2019
07:09 PM PTIME may become unresponsive or have High CPU usage
Some Input Method Editor (IME) including ChsIME.EXE and ChtIME.EXE, may become unresponsive or may have high CPU usage.
See details >OS Build 16299.1387
September 10, 2019
KB4516066Mitigated September 16, 2019
05:36 PM PTDomain connected devices that use MIT Kerberos realms will not start up
Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating.
See details >OS Build 16299.1296
July 16, 2019
KB4507465Resolved
KB4512516August 13, 2019
10:00 AM PTDevices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"
See details >OS Build 16299.1217
June 11, 2019
KB4503284Resolved
KB4512494August 16, 2019
02:00 PM PTCertain operations performed on a Cluster Shared Volume may fail
Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\".
See details >OS Build 16299.904
January 08, 2019
KB4480978Mitigated April 25, 2019
02:00 PM PT
+ "
+
- title: July 2019
- items:
- type: markdown
text: "
Details Originating update Status History IME may become unresponsive or have High CPU usage
Back to topOS Build 16299.1387
September 10, 2019
KB4516066Mitigated Last updated:
September 16, 2019
05:36 PM PT
Opened:
September 13, 2019
05:25 PM PT
"
diff --git a/windows/release-information/status-windows-10-1803.yml b/windows/release-information/status-windows-10-1803.yml
index fccb71eca1..a6be94d23c 100644
--- a/windows/release-information/status-windows-10-1803.yml
+++ b/windows/release-information/status-windows-10-1803.yml
@@ -20,6 +20,11 @@ sections:
text: "
Find information on known issues for Windows 10, version 1803. Looking for a specific issue? Press CTRL + F (or Command + F if you are using a Mac) and enter your search term(s).
+ Details Originating update Status History Domain connected devices that use MIT Kerberos realms will not start up
Back to topOS Build 16299.1296
July 16, 2019
KB4507465Investigating Last updated:
August 01, 2019
06:12 PM PT
Opened:
July 25, 2019
06:10 PM PTDevices starting using PXE from a WDS or SCCM servers may fail to start
Back to topOS Build 16299.1217
June 11, 2019
KB4503284Mitigated Last updated:
July 10, 2019
07:09 PM PT
Opened:
July 10, 2019
02:51 PM PTDomain connected devices that use MIT Kerberos realms will not start up HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\MitRealms
+
Back to topOS Build 16299.1296
July 16, 2019
KB4507465Resolved
KB4512516Resolved:
August 13, 2019
10:00 AM PT
Opened:
July 25, 2019
06:10 PM PTDevices starting using PXE from a WDS or SCCM servers may fail to start
Back to topOS Build 16299.1217
June 11, 2019
KB4503284Resolved
KB4512494Resolved:
August 16, 2019
02:00 PM PT
Opened:
July 10, 2019
02:51 PM PT
+
"
- items:
@@ -60,8 +65,12 @@ sections:
- type: markdown
text: "
+ Current status as of August 7, 2019:
+
@@ -74,13 +83,34 @@ sections:
Summary Originating update Status Last updated Domain connected devices that use MIT Kerberos realms will not start up
Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating.
See details >OS Build 17134.915
July 16, 2019
KB4507466Investigating August 01, 2019
06:12 PM PTDevices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"
See details >OS Build 17134.829
June 11, 2019
KB4503286Mitigated July 10, 2019
07:09 PM PTIME may become unresponsive or have High CPU usage
Some Input Method Editor (IME) including ChsIME.EXE and ChtIME.EXE, may become unresponsive or may have high CPU usage.
See details >OS Build 17134.1006
September 10, 2019
KB4516058Mitigated September 16, 2019
05:36 PM PTWindows Mixed Reality Portal users may intermittently receive a 15-5 error code
You may receive a 15-5 error code in Windows Mixed Reality Portal and your headset may not respond to \"wake up\" from sleep.
See details >OS Build 17134.950
August 13, 2019
KB4512501Mitigated September 11, 2019
05:32 PM PTDomain connected devices that use MIT Kerberos realms will not start up
Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating.
See details >OS Build 17134.915
July 16, 2019
KB4507466Resolved
KB4512501August 13, 2019
10:00 AM PTNotification issue: \"Your device is missing important security and quality fixes.\"
Some users may have incorrectly received the notification \"Your device is missing important security and quality fixes.\"
See details >N/A Resolved September 03, 2019
12:32 PM PTDevices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"
See details >OS Build 17134.829
June 11, 2019
KB4503286Resolved
KB4512509August 19, 2019
02:00 PM PTApps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
Applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and VBScript may stop responding and you may receive an error.
See details >OS Build 17134.950
August 13, 2019
KB4512501Resolved
KB4512509August 19, 2019
02:00 PM PTStartup to a black screen after installing updates
Your device may startup to a black screen during the first logon after installing updates.
See details >OS Build 17134.829
June 11, 2019
KB4503286Mitigated June 14, 2019
04:41 PM PTCertain operations performed on a Cluster Shared Volume may fail
Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\".
See details >OS Build 17134.523
January 08, 2019
KB4480966Mitigated April 25, 2019
02:00 PM PT
+ "
+
+- title: August 2019
+- items:
+ - type: markdown
+ text: "
+ Details Originating update Status History IME may become unresponsive or have High CPU usage
Back to topOS Build 17134.1006
September 10, 2019
KB4516058Mitigated Last updated:
September 16, 2019
05:36 PM PT
Opened:
September 13, 2019
05:25 PM PTWindows Mixed Reality Portal users may intermittently receive a 15-5 error code
Back to topOS Build 17134.950
August 13, 2019
KB4512501Mitigated Last updated:
September 11, 2019
05:32 PM PT
Opened:
September 11, 2019
05:32 PM PTNotification issue: \"Your device is missing important security and quality fixes.\"
Back to topN/A Resolved Resolved:
September 03, 2019
12:32 PM PT
Opened:
September 03, 2019
12:32 PM PT
+ "
+
- title: July 2019
- items:
- type: markdown
text: "
Details Originating update Status History Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
Back to topOS Build 17134.950
August 13, 2019
KB4512501Resolved
KB4512509Resolved:
August 19, 2019
02:00 PM PT
Opened:
August 14, 2019
03:34 PM PT
"
diff --git a/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml b/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml
index de3ecd7333..f32d6b5f10 100644
--- a/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml
+++ b/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml
@@ -18,7 +18,7 @@ sections:
- items:
- type: markdown
text: "
- Find information on known issues and the status of the rollout for Windows 10, version 1809 and Windows Server 2019. Looking for a specific issue? Press CTRL + F (or Command + F if you are using a Mac) and enter your search term(s).
+ Find information on known issues for Windows 10, version 1809 and Windows Server 2019. Looking for a specific issue? Press CTRL + F (or Command + F if you are using a Mac) and enter your search term(s).
Details Originating update Status History Domain connected devices that use MIT Kerberos realms will not start up
Back to topOS Build 17134.915
July 16, 2019
KB4507466Investigating Last updated:
August 01, 2019
06:12 PM PT
Opened:
July 25, 2019
06:10 PM PTDevices starting using PXE from a WDS or SCCM servers may fail to start
Back to topOS Build 17134.829
June 11, 2019
KB4503286Mitigated Last updated:
July 10, 2019
07:09 PM PT
Opened:
July 10, 2019
02:51 PM PTDomain connected devices that use MIT Kerberos realms will not start up HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\MitRealms
+
Back to topOS Build 17134.915
July 16, 2019
KB4507466Resolved
KB4512501Resolved:
August 13, 2019
10:00 AM PT
Opened:
July 25, 2019
06:10 PM PTDevices starting using PXE from a WDS or SCCM servers may fail to start
Back to topOS Build 17134.829
June 11, 2019
KB4503286Resolved
KB4512509Resolved:
August 19, 2019
02:00 PM PT
Opened:
July 10, 2019
02:51 PM PT
Current status:
Windows 10, version 1809 is designated for broad deployment and available for any user who manually selects “Check for updates” via Windows Update. The recommended servicing status is Semi-Annual Channel.
@@ -64,8 +64,11 @@ sections:
- type: markdown
text: "
Summary Originating update Status Last updated Domain connected devices that use MIT Kerberos realms will not start up
Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating.
See details >OS Build 17763.652
July 22, 2019
KB4505658Investigating August 01, 2019
06:12 PM PTDevices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"
See details >OS Build 17763.557
June 11, 2019
KB4503327Mitigated July 10, 2019
07:09 PM PTIME may become unresponsive or have High CPU usage
Some Input Method Editor (IME) including ChsIME.EXE and ChtIME.EXE, may become unresponsive or may have high CPU usage.
See details >OS Build 17763.737
September 10, 2019
KB4512578Mitigated September 16, 2019
05:36 PM PTWindows Mixed Reality Portal users may intermittently receive a 15-5 error code
You may receive a 15-5 error code in Windows Mixed Reality Portal and your headset may not respond to \"wake up\" from sleep.
See details >OS Build 17763.678
August 13, 2019
KB4511553Mitigated September 11, 2019
05:32 PM PTDomain connected devices that use MIT Kerberos realms will not start up
Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating.
See details >OS Build 17763.652
July 22, 2019
KB4505658Resolved
KB4511553August 13, 2019
10:00 AM PTDevices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"
See details >OS Build 17763.557
June 11, 2019
KB4503327Resolved
KB4512534August 17, 2019
02:00 PM PTApps and scripts using the NetQueryDisplayInformation API may fail with error
Applications and scripts that call the NetQueryDisplayInformation API or the WinNT provider equivalent may fail to return results after the first page of data.
See details >OS Build 17763.55
October 09, 2018
KB4464330Investigating August 01, 2019
05:00 PM PTStartup to a black screen after installing updates
Your device may startup to a black screen during the first logon after installing updates.
See details >OS Build 17763.557
June 11, 2019
KB4503327Mitigated June 14, 2019
04:41 PM PTDevices with some Asian language packs installed may receive an error
After installing the KB4493509 devices with some Asian language packs installed may receive the error, \"0x800f0982 - PSFX_E_MATCHING_COMPONENT_NOT_F
See details >OS Build 17763.437
April 09, 2019
KB4493509Mitigated May 03, 2019
10:59 AM PTCertain operations performed on a Cluster Shared Volume may fail
Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\".
See details >OS Build 17763.253
January 08, 2019
KB4480116Mitigated April 09, 2019
10:00 AM PT
+ "
+
+- title: August 2019
+- items:
+ - type: markdown
+ text: "
+ Details Originating update Status History IME may become unresponsive or have High CPU usage
Back to topOS Build 17763.737
September 10, 2019
KB4512578Mitigated Last updated:
September 16, 2019
05:36 PM PT
Opened:
September 13, 2019
05:25 PM PTWindows Mixed Reality Portal users may intermittently receive a 15-5 error code
Back to topOS Build 17763.678
August 13, 2019
KB4511553Mitigated Last updated:
September 11, 2019
05:32 PM PT
Opened:
September 11, 2019
05:32 PM PT
+ "
+
- title: July 2019
- items:
- type: markdown
text: "
Details Originating update Status History Apps and scripts using the NetQueryDisplayInformation API may fail with error
Back to topOS Build 17763.55
October 09, 2018
KB4464330Investigating Last updated:
August 01, 2019
05:00 PM PT
Opened:
August 01, 2019
05:00 PM PT
"
@@ -103,7 +126,7 @@ sections:
- type: markdown
text: "
Details Originating update Status History Domain connected devices that use MIT Kerberos realms will not start up
Back to topOS Build 17763.652
July 22, 2019
KB4505658Investigating Last updated:
August 01, 2019
06:12 PM PT
Opened:
July 25, 2019
06:10 PM PTDevices starting using PXE from a WDS or SCCM servers may fail to start
Back to topOS Build 17763.557
June 11, 2019
KB4503327Mitigated Last updated:
July 10, 2019
07:09 PM PT
Opened:
July 10, 2019
02:51 PM PTDomain connected devices that use MIT Kerberos realms will not start up HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\MitRealms
+
Back to topOS Build 17763.652
July 22, 2019
KB4505658Resolved
KB4511553Resolved:
August 13, 2019
10:00 AM PT
Opened:
July 25, 2019
06:10 PM PTDevices starting using PXE from a WDS or SCCM servers may fail to start
Back to topOS Build 17763.557
June 11, 2019
KB4503327Resolved
KB4512534Resolved:
August 17, 2019
02:00 PM PT
Opened:
July 10, 2019
02:51 PM PT
"
diff --git a/windows/release-information/status-windows-10-1903.yml b/windows/release-information/status-windows-10-1903.yml
index b2ca8f3142..d7af320a1c 100644
--- a/windows/release-information/status-windows-10-1903.yml
+++ b/windows/release-information/status-windows-10-1903.yml
@@ -18,7 +18,7 @@ sections:
- items:
- type: markdown
text: "
- Find information on known issues for Windows 10, version 1903 and Windows Server, version 1903. Looking for a specific issue? Press CTRL + F (or Command + F if you are using a Mac) and enter your search term(s).
+ Find information on known issues and the status of the rollout for Windows 10, version 1903 and Windows Server, version 1903. Looking for a specific issue? Press CTRL + F (or Command + F if you are using a Mac) and enter your search term(s).
Details Originating update Status History Devices with some Asian language packs installed may receive an error
Back to topOS Build 17763.437
April 09, 2019
KB4493509Mitigated Last updated:
May 03, 2019
10:59 AM PT
Opened:
May 02, 2019
04:36 PM PTDevices with some Asian language packs installed may receive an error
Back to topOS Build 17763.437
April 09, 2019
KB4493509Mitigated Last updated:
May 03, 2019
10:59 AM PT
Opened:
May 02, 2019
04:36 PM PT
Current status as of July 16, 2019:
@@ -65,19 +65,22 @@ sections:
- type: markdown
text: "
Summary Originating update Status Last updated IME may become unresponsive or have High CPU usage
Some Input Method Editor (IME) including ChsIME.EXE and ChtIME.EXE, may become unresponsive or may have high CPU usage.
See details >OS Build 18362.356
September 10, 2019
KB4515384Mitigated September 16, 2019
05:36 PM PTSafeguard on certain devices with some Intel and Broadcom Wi-Fi adapters
Microsoft and NEC have found incompatibility issues with some devices with Intel Centrino 6205/6235 and Broadcom 802.11ac Wi-Fi cards when running Windows 10, version 1903.
See details >N/A Mitigated September 13, 2019
05:25 PM PTSome users report issues related to the Start menu and Windows Desktop Search
Microsoft has received reports that a small number of users are having issues related to the Start menu and Windows Desktop Search.
See details >OS Build 18362.356
September 10, 2019
KB4515384Investigating September 13, 2019
05:35 PM PTAudio in games is quiet or different than expected
Microsoft has received reports that audio in certain games is quieter or different than expected.
See details >OS Build 18362.356
September 10, 2019
KB4515384Mitigated September 13, 2019
05:25 PM PTScreenshots and Snips have an unnatural orange tint
Users have reported an orange tint on Screenshots and Snips with the Lenovo Vantage app installed
See details >OS Build 18362.356
September 10, 2019
KB4516115Resolved External September 11, 2019
08:54 PM PTWindows Desktop Search may not return any results and may have high CPU usage
Windows Desktop Search may not return any results and SearchUI.exe may have high CPU usage after installing KB4512941.
See details >OS Build 18362.329
August 30, 2019
KB4512941Resolved
KB4515384September 10, 2019
10:00 AM PTDomain connected devices that use MIT Kerberos realms will not start up
Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating.
See details >OS Build 18362.145
May 29, 2019
KB4497935Resolved
KB4512941August 30, 2019
10:00 AM PTIssues updating when certain versions of Intel storage drivers are installed
Certain versions of Intel Rapid Storage Technology (Intel RST) drivers may cause updating to Windows 10, version 1903 to fail.
See details >OS Build 18362.145
May 29, 2019
KB4497935Resolved
KB4512941August 30, 2019
10:00 AM PTApps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
Applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and VBScript may stop responding and you may receive an error.
See details >OS Build 18362.295
August 13, 2019
KB4512508Resolved
KB4512941August 30, 2019
10:00 AM PTInitiating a Remote Desktop connection may result in black screen
When initiating a Remote Desktop connection to devices with some older GPU drivers, you may receive a black screen.
See details >OS Build 18362.145
May 29, 2019
KB4497935Resolved
KB4512941August 30, 2019
10:00 AM PTWindows Sandbox may fail to start with error code “0x80070002”
Windows Sandbox may fail to start with \"ERROR_FILE_NOT_FOUND (0x80070002)\" on devices in which the operating system language was changed between updates
See details >OS Build 18362.116
May 20, 2019
KB4505057Resolved
KB4512941August 30, 2019
10:00 AM PTDevices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"
See details >OS Build 18362.175
June 11, 2019
KB4503293Resolved
KB4512941August 30, 2019
10:00 AM PTUpdates may fail to install and you may receive Error 0x80073701
Installation of updates may fail and you may receive an error, \"Updates Failed, There were problems installing some updates, but we'll try again later\" and \"Error 0x80073701.\"
See details >OS Build 18362.145
May 29, 2019
KB4497935Investigating August 16, 2019
04:28 PM PTIntermittent loss of Wi-Fi connectivity
Some older devices may experience loss of Wi-Fi connectivity due to an outdated Qualcomm driver.
See details >OS Build 18362.116
May 21, 2019
KB4505057Mitigated External August 01, 2019
08:44 PM PTGamma ramps, color profiles, and night light settings do not apply in some cases
Microsoft has identified some scenarios where gamma ramps, color profiles and night light settings may stop working.
See details >OS Build 18362.116
May 21, 2019
KB4505057Mitigated August 01, 2019
06:27 PM PTDomain connected devices that use MIT Kerberos realms will not start up
Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating.
See details >OS Build 18362.145
May 29, 2019
KB4497935Investigating August 01, 2019
06:12 PM PTIssues updating when certain versions of Intel storage drivers are installed
Certain versions of Intel Rapid Storage Technology (Intel RST) drivers may cause updating to Windows 10, version 1903 to fail.
See details >OS Build 18362.145
May 29, 2019
KB4497935Mitigated External August 01, 2019
05:58 PM PTDisplay brightness may not respond to adjustments
Microsoft and Intel have identified a driver compatibility issue on devices configured with certain Intel display drivers.
See details >OS Build 18362.116
May 21, 2019
KB4505057Resolved
KB4505903July 26, 2019
02:00 PM PTRASMAN service may stop working and result in the error “0xc0000005”
The Remote Access Connection Manager (RASMAN) service may stop working and result in the error “0xc0000005” with VPN profiles configured as an Always On VPN connection.
See details >OS Build 18362.145
May 29, 2019
KB4497935Resolved
KB4505903July 26, 2019
02:00 PM PTThe dGPU may occasionally disappear from device manager on Surface Book 2 with dGPU
Some apps or games that needs to perform graphics intensive operations may close or fail to open on Surface Book 2 devices with Nvidia dGPU.
See details >OS Build 18362.145
May 29, 2019
KB4497935Investigating July 16, 2019
09:04 AM PTInitiating a Remote Desktop connection may result in black screen
When initiating a Remote Desktop connection to devices with some older GPU drivers, you may receive a black screen.
See details >OS Build 18362.145
May 29, 2019
KB4497935Investigating July 12, 2019
04:42 PM PTLoss of functionality in Dynabook Smartphone Link app
After updating to Windows 10, version 1903, you may experience a loss of functionality when using the Dynabook Smartphone Link application.
See details >OS Build 18362.116
May 20, 2019
KB4505057Resolved July 11, 2019
01:54 PM PTError attempting to update with external USB device or memory card attached
PCs with an external USB device or SD memory card attached may get error: \"This PC can't be upgraded to Windows 10.\"
See details >OS Build 18362.116
May 21, 2019
KB4505057Resolved July 11, 2019
01:53 PM PTAudio not working with Dolby Atmos headphones and home theater
Users may experience audio loss with Dolby Atmos headphones or Dolby Atmos home theater.
See details >OS Build 18362.116
May 21, 2019
KB4505057Resolved July 11, 2019
01:53 PM PTDevices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"
See details >OS Build 18362.175
June 11, 2019
KB4503293Mitigated July 10, 2019
07:09 PM PTWindows Sandbox may fail to start with error code “0x80070002”
Windows Sandbox may fail to start with \"ERROR_FILE_NOT_FOUND (0x80070002)\" on devices in which the operating system language was changed between updates
See details >OS Build 18362.116
May 20, 2019
KB4505057Investigating June 10, 2019
06:06 PM PTUnable to discover or connect to Bluetooth devices
Microsoft has identified compatibility issues with some versions of Realtek and Qualcomm Bluetooth radio drivers.
See details >OS Build 18362.116
May 21, 2019
KB4505057Mitigated May 21, 2019
04:48 PM PTIntel Audio displays an intcdaud.sys notification
Microsoft and Intel have identified an issue with a range of Intel Display Audio device drivers that may result in battery drain.
See details >OS Build 18362.116
May 21, 2019
KB4505057Mitigated May 21, 2019
04:47 PM PTCannot launch Camera app
Microsoft and Intel have identified an issue affecting Intel RealSense SR300 or Intel RealSense S200 camera apps.
See details >OS Build 18362.116
May 21, 2019
KB4505057Mitigated May 21, 2019
04:47 PM PT
+ "
+
+- title: August 2019
+- items:
+ - type: markdown
+ text: "
+ Details Originating update Status History IME may become unresponsive or have High CPU usage
Back to topOS Build 18362.356
September 10, 2019
KB4515384Mitigated Last updated:
September 16, 2019
05:36 PM PT
Opened:
September 13, 2019
05:25 PM PTSafeguard on certain devices with some Intel and Broadcom Wi-Fi adapters
Back to topN/A Mitigated Last updated:
September 13, 2019
05:25 PM PT
Opened:
September 13, 2019
05:25 PM PTSome users report issues related to the Start menu and Windows Desktop Search
Back to topOS Build 18362.356
September 10, 2019
KB4515384Investigating Last updated:
September 13, 2019
05:35 PM PT
Opened:
September 11, 2019
05:18 PM PTAudio in games is quiet or different than expected
Back to topOS Build 18362.356
September 10, 2019
KB4515384Mitigated Last updated:
September 13, 2019
05:25 PM PT
Opened:
September 13, 2019
05:25 PM PTScreenshots and Snips have an unnatural orange tint
Back to topOS Build 18362.356
September 10, 2019
KB4516115Resolved External Last updated:
September 11, 2019
08:54 PM PT
Opened:
September 11, 2019
08:54 PM PTWindows Desktop Search may not return any results and may have high CPU usage
Back to topOS Build 18362.329
August 30, 2019
KB4512941Resolved
KB4515384Resolved:
September 10, 2019
10:00 AM PT
Opened:
September 04, 2019
02:25 PM PT
+ "
+
- title: July 2019
- items:
- type: markdown
text: "
Details Originating update Status History Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
Back to topOS Build 18362.295
August 13, 2019
KB4512508Resolved
KB4512941Resolved:
August 30, 2019
10:00 AM PT
Opened:
August 14, 2019
03:34 PM PTUpdates may fail to install and you may receive Error 0x80073701
Back to topOS Build 18362.145
May 29, 2019
KB4497935Investigating Last updated:
August 16, 2019
04:28 PM PT
Opened:
August 16, 2019
01:41 PM PT
- "
-
-- title: June 2019
-- items:
- - type: markdown
- text: "
- Details Originating update Status History Domain connected devices that use MIT Kerberos realms will not start up
Back to topOS Build 18362.145
May 29, 2019
KB4497935Investigating Last updated:
August 01, 2019
06:12 PM PT
Opened:
July 25, 2019
06:10 PM PTIssues updating when certain versions of Intel storage drivers are installed
Back to topOS Build 18362.145
May 29, 2019
KB4497935Mitigated External Last updated:
August 01, 2019
05:58 PM PT
Opened:
July 25, 2019
06:10 PM PTDomain connected devices that use MIT Kerberos realms will not start up HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\MitRealms
+
Back to topOS Build 18362.145
May 29, 2019
KB4497935Resolved
KB4512941Resolved:
August 30, 2019
10:00 AM PT
Opened:
July 25, 2019
06:10 PM PTIssues updating when certain versions of Intel storage drivers are installed
Back to topOS Build 18362.145
May 29, 2019
KB4497935Resolved
KB4512941Resolved:
August 30, 2019
10:00 AM PT
Opened:
July 25, 2019
06:10 PM PTInitiating a Remote Desktop connection may result in black screen
Back to topOS Build 18362.145
May 29, 2019
KB4497935Resolved
KB4512941Resolved:
August 30, 2019
10:00 AM PT
Opened:
July 12, 2019
04:42 PM PTDevices starting using PXE from a WDS or SCCM servers may fail to start
Back to topOS Build 18362.175
June 11, 2019
KB4503293Resolved
KB4512941Resolved:
August 30, 2019
10:00 AM PT
Opened:
July 10, 2019
02:51 PM PTThe dGPU may occasionally disappear from device manager on Surface Book 2 with dGPU
Back to topOS Build 18362.145
May 29, 2019
KB4497935Investigating Last updated:
July 16, 2019
09:04 AM PT
Opened:
July 12, 2019
04:20 PM PTInitiating a Remote Desktop connection may result in black screen
Back to topOS Build 18362.145
May 29, 2019
KB4497935Investigating Last updated:
July 12, 2019
04:42 PM PT
Opened:
July 12, 2019
04:42 PM PTDevices starting using PXE from a WDS or SCCM servers may fail to start
Back to topOS Build 18362.175
June 11, 2019
KB4503293Mitigated Last updated:
July 10, 2019
07:09 PM PT
Opened:
July 10, 2019
02:51 PM PT
"
@@ -118,13 +137,9 @@ sections:
- type: markdown
text: "
Details Originating update Status History RASMAN service may stop working and result in the error “0xc0000005”
Back to topOS Build 18362.145
May 29, 2019
KB4497935Resolved
KB4505903Resolved:
July 26, 2019
02:00 PM PT
Opened:
June 28, 2019
05:01 PM PT
"
-- title: April 2019
-- items:
- - type: markdown
- text: "
- Details Originating update Status History Windows Sandbox may fail to start with error code “0x80070002”
Back to topOS Build 18362.116
May 20, 2019
KB4505057Resolved
KB4512941Resolved:
August 30, 2019
10:00 AM PT
Opened:
May 24, 2019
04:20 PM PTIntermittent loss of Wi-Fi connectivity
Back to topOS Build 18362.116
May 21, 2019
KB4505057Mitigated External Last updated:
August 01, 2019
08:44 PM PT
Opened:
May 21, 2019
07:13 AM PTGamma ramps, color profiles, and night light settings do not apply in some cases
Back to topOS Build 18362.116
May 21, 2019
KB4505057Mitigated Last updated:
August 01, 2019
06:27 PM PT
Opened:
May 21, 2019
07:28 AM PTDisplay brightness may not respond to adjustments
Back to topOS Build 18362.116
May 21, 2019
KB4505057Resolved
KB4505903Resolved:
July 26, 2019
02:00 PM PT
Opened:
May 21, 2019
07:56 AM PTLoss of functionality in Dynabook Smartphone Link app
Back to topOS Build 18362.116
May 20, 2019
KB4505057Resolved Resolved:
July 11, 2019
01:54 PM PT
Opened:
May 24, 2019
03:10 PM PTError attempting to update with external USB device or memory card attached
Back to topOS Build 18362.116
May 21, 2019
KB4505057Resolved Resolved:
July 11, 2019
01:53 PM PT
Opened:
May 21, 2019
07:38 AM PTAudio not working with Dolby Atmos headphones and home theater
Back to topOS Build 18362.116
May 21, 2019
KB4505057Resolved Resolved:
July 11, 2019
01:53 PM PT
Opened:
May 21, 2019
07:16 AM PTWindows Sandbox may fail to start with error code “0x80070002”
Back to topOS Build 18362.116
May 20, 2019
KB4505057Investigating Last updated:
June 10, 2019
06:06 PM PT
Opened:
May 24, 2019
04:20 PM PTUnable to discover or connect to Bluetooth devices
Back to topOS Build 18362.116
May 21, 2019
KB4505057Mitigated Last updated:
May 21, 2019
04:48 PM PT
Opened:
May 21, 2019
07:29 AM PTIntel Audio displays an intcdaud.sys notification
Back to topOS Build 18362.116
May 21, 2019
KB4505057Mitigated Last updated:
May 21, 2019
04:47 PM PT
Opened:
May 21, 2019
07:22 AM PTCannot launch Camera app
Back to topOS Build 18362.116
May 21, 2019
KB4505057Mitigated Last updated:
May 21, 2019
04:47 PM PT
Opened:
May 21, 2019
07:20 AM PT
"
@@ -72,20 +74,30 @@ sections:
Summary Originating update Status Last updated Devices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"
See details >June 11, 2019
KB4503292Mitigated July 10, 2019
02:59 PM PTSystem may be unresponsive after restart with certain McAfee antivirus products
Devices with McAfee Endpoint Security Threat Prevention 10.x, Host Intrusion Prevention 8.0, or VirusScan Enterprise 8.8 may be slow or unresponsive at startup.
See details >April 09, 2019
KB4493472Mitigated April 25, 2019
02:00 PM PTYou may receive an error when opening or using the Toshiba Qosmio AV Center
Toshiba Qosmio AV Center may error when opening and you may also receive an error in Event Log related to cryptnet.dll.
See details >August 13, 2019
KB4512506Investigating September 13, 2019
04:25 PM PTWindows updates that are SHA-2 signed may not be offered for Symantec and Norton AV
Windows updates that are SHA-2 signed are not available with Symantec or Norton antivirus program installed
See details >August 13, 2019
KB4512506Resolved External August 27, 2019
02:29 PM PTDevices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"
See details >June 11, 2019
KB4503292Resolved
KB4512514August 17, 2019
02:00 PM PTIA64 and x64 devices may fail to start after installing updates
After installing updates released on or after August 13, 2019, IA64 and x64 devices using EFI Boot may fail to start.
See details >August 13, 2019
KB4512506Mitigated August 17, 2019
12:59 PM PT
+ "
+
+- title: August 2019
+- items:
+ - type: markdown
+ text: "
+ Details Originating update Status History You may receive an error when opening or using the Toshiba Qosmio AV Center
Back to topAugust 13, 2019
KB4512506Investigating Last updated:
September 13, 2019
04:25 PM PT
Opened:
September 10, 2019
09:48 AM PT
+ "
+
- title: July 2019
- items:
- type: markdown
text: "
Details Originating update Status History Windows updates that are SHA-2 signed may not be offered for Symantec and Norton AV
Back to topAugust 13, 2019
KB4512506Resolved External Last updated:
August 27, 2019
02:29 PM PT
Opened:
August 13, 2019
10:05 AM PTIA64 and x64 devices may fail to start after installing updates
Back to topAugust 13, 2019
KB4512506Mitigated Last updated:
August 17, 2019
12:59 PM PT
Opened:
August 13, 2019
08:34 AM PT
- "
-
-- title: April 2019
-- items:
- - type: markdown
- text: "
- Details Originating update Status History Devices starting using PXE from a WDS or SCCM servers may fail to start
Back to topJune 11, 2019
KB4503292Mitigated Last updated:
July 10, 2019
02:59 PM PT
Opened:
July 10, 2019
02:51 PM PT
"
diff --git a/windows/release-information/status-windows-8.1-and-windows-server-2012-r2.yml b/windows/release-information/status-windows-8.1-and-windows-server-2012-r2.yml
index 36e559e6aa..57124dd060 100644
--- a/windows/release-information/status-windows-8.1-and-windows-server-2012-r2.yml
+++ b/windows/release-information/status-windows-8.1-and-windows-server-2012-r2.yml
@@ -60,9 +60,9 @@ sections:
- type: markdown
text: "Details Originating update Status History System may be unresponsive after restart with certain McAfee antivirus products
Back to topApril 09, 2019
KB4493472Mitigated Last updated:
April 25, 2019
02:00 PM PT
Opened:
April 09, 2019
10:00 AM PTDevices starting using PXE from a WDS or SCCM servers may fail to start
Back to topJune 11, 2019
KB4503292Resolved
KB4512514Resolved:
August 17, 2019
02:00 PM PT
Opened:
July 10, 2019
02:51 PM PT
"
@@ -74,12 +74,21 @@ sections:
Summary Originating update Status Last updated Devices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"
See details >June 11, 2019
KB4503276Mitigated July 10, 2019
07:09 PM PTWindows RT 8.1 devices may have issues opening Internet Explorer 11
On Windows RT 8.1 devices, Internet Explorer 11 may not open and you may receive an error.
See details >September 10, 2019
KB4516067Investigating September 13, 2019
05:25 PM PTDevices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"
See details >June 11, 2019
KB4503276Resolved
KB4512478August 17, 2019
02:00 PM PTJapanese IME doesn't show the new Japanese Era name as a text input option
If previous dictionary updates are installed, the Japanese input method editor (IME) doesn't show the new Japanese Era name as a text input option.
See details >April 25, 2019
KB4493443Mitigated May 15, 2019
05:53 PM PTSystem may be unresponsive after restart with certain McAfee antivirus products
Devices with McAfee Endpoint Security Threat Prevention 10.x, Host Intrusion Prevention 8.0, or VirusScan Enterprise 8.8 may be slow or unresponsive at startup.
See details >April 09, 2019
KB4493446Mitigated April 18, 2019
05:00 PM PTCertain operations performed on a Cluster Shared Volume may fail
Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”.
See details >January 08, 2019
KB4480963Mitigated April 25, 2019
02:00 PM PT
+ "
+
- title: July 2019
- items:
- type: markdown
text: "
Details Originating update Status History Windows RT 8.1 devices may have issues opening Internet Explorer 11
Back to topSeptember 10, 2019
KB4516067Investigating Last updated:
September 13, 2019
05:25 PM PT
Opened:
September 13, 2019
05:25 PM PT
"
@@ -92,15 +101,6 @@ sections:
Details Originating update Status History Devices starting using PXE from a WDS or SCCM servers may fail to start
Back to topJune 11, 2019
KB4503276Mitigated Last updated:
July 10, 2019
07:09 PM PT
Opened:
July 10, 2019
02:51 PM PTDevices starting using PXE from a WDS or SCCM servers may fail to start
Back to topJune 11, 2019
KB4503276Resolved
KB4512478Resolved:
August 17, 2019
02:00 PM PT
Opened:
July 10, 2019
02:51 PM PT
- "
-
- title: January 2019
- items:
- type: markdown
diff --git a/windows/release-information/status-windows-server-2008-sp2.yml b/windows/release-information/status-windows-server-2008-sp2.yml
index f3d9d5d69b..92caeeca25 100644
--- a/windows/release-information/status-windows-server-2008-sp2.yml
+++ b/windows/release-information/status-windows-server-2008-sp2.yml
@@ -60,7 +60,7 @@ sections:
- type: markdown
text: "Details Originating update Status History System may be unresponsive after restart with certain McAfee antivirus products
Back to topApril 09, 2019
KB4493446Mitigated Last updated:
April 18, 2019
05:00 PM PT
Opened:
April 09, 2019
10:00 AM PT
"
@@ -76,6 +76,6 @@ sections:
- type: markdown
text: "
Summary Originating update Status Last updated Devices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"
See details >June 11, 2019
KB4503273Mitigated July 10, 2019
02:59 PM PTDevices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"
See details >June 11, 2019
KB4503273Resolved
KB4512499August 17, 2019
02:00 PM PT
"
diff --git a/windows/release-information/status-windows-server-2012.yml b/windows/release-information/status-windows-server-2012.yml
index 55b84c6427..53d71fb08e 100644
--- a/windows/release-information/status-windows-server-2012.yml
+++ b/windows/release-information/status-windows-server-2012.yml
@@ -60,7 +60,7 @@ sections:
- type: markdown
text: "Details Originating update Status History Devices starting using PXE from a WDS or SCCM servers may fail to start
Back to topJune 11, 2019
KB4503273Mitigated Last updated:
July 10, 2019
02:59 PM PT
Opened:
July 10, 2019
02:51 PM PTDevices starting using PXE from a WDS or SCCM servers may fail to start
Back to topJune 11, 2019
KB4503273Resolved
KB4512499Resolved:
August 17, 2019
02:00 PM PT
Opened:
July 10, 2019
02:51 PM PT
@@ -78,7 +78,7 @@ sections:
- type: markdown
text: "
Summary Originating update Status Last updated Devices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"
See details >June 11, 2019
KB4503285Mitigated July 10, 2019
07:09 PM PTDevices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"
See details >June 11, 2019
KB4503285Resolved
KB4512512August 17, 2019
02:00 PM PTJapanese IME doesn't show the new Japanese Era name as a text input option
If previous dictionary updates are installed, the Japanese input method editor (IME) doesn't show the new Japanese Era name as a text input option.
See details >April 25, 2019
KB4493462Mitigated May 15, 2019
05:53 PM PTCertain operations performed on a Cluster Shared Volume may fail
Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”.
See details >January 08, 2019
KB4480975Mitigated April 25, 2019
02:00 PM PT
"
diff --git a/windows/release-information/windows-message-center.yml b/windows/release-information/windows-message-center.yml
index c7a8b5e2d7..531c4806b0 100644
--- a/windows/release-information/windows-message-center.yml
+++ b/windows/release-information/windows-message-center.yml
@@ -1,11 +1,11 @@
### YamlMime:YamlDocument
documentType: LandingData
-title: Windows 10 message center
+title: Windows message center
metadata:
document_id:
- title: Windows 10 message center
- description: Windows 10 message center
+ title: Windows message center
+ description: Windows message center
keywords: Windows 10, issues, fixes, announcements, Windows Server, advisories
ms.localizationpriority: high
author: greg-lindsay
@@ -50,6 +50,18 @@ sections:
text: "
Details Originating update Status History Devices starting using PXE from a WDS or SCCM servers may fail to start
Back to topJune 11, 2019
KB4503285Mitigated Last updated:
July 10, 2019
07:09 PM PT
Opened:
July 10, 2019
02:51 PM PTDevices starting using PXE from a WDS or SCCM servers may fail to start
Back to topJune 11, 2019
KB4503285Resolved
KB4512512Resolved:
August 17, 2019
02:00 PM PT
Opened:
July 10, 2019
02:51 PM PT
>[!NOTE]
diff --git a/windows/security/information-protection/windows-information-protection/using-owa-with-wip.md b/windows/security/information-protection/windows-information-protection/using-owa-with-wip.md
index 7a321fae6b..958ab7847d 100644
--- a/windows/security/information-protection/windows-information-protection/using-owa-with-wip.md
+++ b/windows/security/information-protection/windows-information-protection/using-owa-with-wip.md
@@ -8,7 +8,7 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: dulcemontemayor
-ms.author: dolmont
+ms.author: dansimp
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
diff --git a/windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md b/windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md
index dc97c95d0d..5a8333cab2 100644
--- a/windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md
+++ b/windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md
@@ -8,7 +8,7 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: dulcemontemayor
-ms.author: dolmont
+ms.author: dansimp
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md
index 08a7fe11e3..76ea17db0e 100644
--- a/windows/security/threat-protection/TOC.md
+++ b/windows/security/threat-protection/TOC.md
@@ -17,6 +17,7 @@
### [Attack surface reduction]()
+#### [Overview of attack surface reduction](microsoft-defender-atp/overview-attack-surface-reduction.md)
#### [Hardware-based isolation]()
##### [Hardware-based isolation in Windows 10](microsoft-defender-atp/overview-hardware-based-isolation.md)
@@ -27,10 +28,10 @@
##### [System integrity](windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md)
#### [Application control](windows-defender-application-control/windows-defender-application-control.md)
-#### [Exploit protection](windows-defender-exploit-guard/exploit-protection-exploit-guard.md)
-#### [Network protection](windows-defender-exploit-guard/network-protection-exploit-guard.md)
-#### [Controlled folder access](windows-defender-exploit-guard/controlled-folders-exploit-guard.md)
-#### [Attack surface reduction](windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md)
+#### [Exploit protection](microsoft-defender-atp/exploit-protection.md)
+#### [Network protection](microsoft-defender-atp/network-protection.md)
+#### [Controlled folder access](microsoft-defender-atp/controlled-folders.md)
+#### [Attack surface reduction](microsoft-defender-atp/attack-surface-reduction.md)
#### [Network firewall](windows-firewall/windows-firewall-with-advanced-security.md)
### [Next generation protection](windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md)
@@ -58,46 +59,43 @@
#### [Machines list]()
##### [View and organize the Machines list](microsoft-defender-atp/machines-view-overview.md)
##### [Manage machine group and tags](microsoft-defender-atp/machine-tags.md)
-##### [Alerts related to this machine](microsoft-defender-atp/investigate-machines.md#alerts-related-to-this-machine)
-##### [Machine timeline]()
-###### [View machine profile](microsoft-defender-atp/investigate-machines.md#machine-timeline)
-###### [Search for specific events](microsoft-defender-atp/investigate-machines.md#search-for-specific-events)
-###### [Filter events from a specific date](microsoft-defender-atp/investigate-machines.md#filter-events-from-a-specific-date)
-###### [Export machine timeline events](microsoft-defender-atp/investigate-machines.md#export-machine-timeline-events)
-###### [Navigate between pages](microsoft-defender-atp/investigate-machines.md#navigate-between-pages)
#### [Take response actions]()
##### [Take response actions on a machine]()
###### [Response actions on machines](microsoft-defender-atp/respond-machine-alerts.md)
+###### [Manage tags](microsoft-defender-atp/respond-machine-alerts.md#manage-tags)
+###### [Initiate Automated investigation](microsoft-defender-atp/respond-machine-alerts.md#initiate-automated-investigation)
+###### [Initiate Live Response session](microsoft-defender-atp/respond-machine-alerts.md#initiate-live-response-session)
###### [Collect investigation package](microsoft-defender-atp/respond-machine-alerts.md#collect-investigation-package-from-machines)
###### [Run antivirus scan](microsoft-defender-atp/respond-machine-alerts.md#run-windows-defender-antivirus-scan-on-machines)
###### [Restrict app execution](microsoft-defender-atp/respond-machine-alerts.md#restrict-app-execution)
-###### [Remove app restriction](microsoft-defender-atp/respond-machine-alerts.md#remove-app-restriction)
###### [Isolate machines from the network](microsoft-defender-atp/respond-machine-alerts.md#isolate-machines-from-the-network)
-###### [Release machine from isolation](microsoft-defender-atp/respond-machine-alerts.md#release-machine-from-isolation)
-####### [Check activity details in Action center](microsoft-defender-atp/respond-machine-alerts.md#check-activity-details-in-action-center)
+###### [Consult a threat expert](microsoft-defender-atp/respond-machine-alerts.md#consult-a-threat-expert)
+###### [Check activity details in Action center](microsoft-defender-atp/respond-machine-alerts.md#check-activity-details-in-action-center)
##### [Take response actions on a file]()
###### [Response actions on files](microsoft-defender-atp/respond-file-alerts.md)
###### [Stop and quarantine files in your network](microsoft-defender-atp/respond-file-alerts.md#stop-and-quarantine-files-in-your-network)
-###### [Remove file from quarantine](microsoft-defender-atp/respond-file-alerts.md#remove-file-from-quarantine)
-###### [Block files in your network](microsoft-defender-atp/respond-file-alerts.md#block-files-in-your-network)
-###### [Remove file from blocked list](microsoft-defender-atp/respond-file-alerts.md#remove-file-from-blocked-list)
+###### [Restore file from quarantine](microsoft-defender-atp/respond-file-alerts.md#restore-file-from-quarantine)
+###### [Add indicators to block or allow a file](microsoft-defender-atp/respond-file-alerts.md#add-indicator-to-block-or-allow-a-file)
+###### [Consult a threat expert](microsoft-defender-atp/respond-file-alerts.md#consult-a-threat-expert)
###### [Check activity details in Action center](microsoft-defender-atp/respond-file-alerts.md#check-activity-details-in-action-center)
+###### [Download or collect file](microsoft-defender-atp/respond-file-alerts.md#download-or-collect-file)
###### [Deep analysis](microsoft-defender-atp/respond-file-alerts.md#deep-analysis)
###### [Submit files for analysis](microsoft-defender-atp/respond-file-alerts.md#submit-files-for-analysis)
###### [View deep analysis reports](microsoft-defender-atp/respond-file-alerts.md#view-deep-analysis-reports)
-####### [Troubleshoot deep analysis](microsoft-defender-atp/respond-file-alerts.md#troubleshoot-deep-analysis)
+###### [Troubleshoot deep analysis](microsoft-defender-atp/respond-file-alerts.md#troubleshoot-deep-analysis)
+
##### [Investigate entities using Live response]()
###### [Investigate entities on machines](microsoft-defender-atp/live-response.md)
-######[Live response command examples](microsoft-defender-atp/live-response-command-examples.md)
+###### [Live response command examples](microsoft-defender-atp/live-response-command-examples.md)
### [Automated investigation and remediation]()
#### [Automated investigation and remediation overview](microsoft-defender-atp/automated-investigations.md)
#### [Learn about the automated investigation and remediation dashboard](microsoft-defender-atp/manage-auto-investigation.md)
-#####[Manage actions related to automated investigation and remediation](microsoft-defender-atp/auto-investigation-action-center.md)
+##### [Manage actions related to automated investigation and remediation](microsoft-defender-atp/auto-investigation-action-center.md)
### [Secure score](microsoft-defender-atp/overview-secure-score.md)
### [Threat analytics](microsoft-defender-atp/threat-analytics.md)
@@ -105,40 +103,39 @@
### [Advanced hunting]()
#### [Advanced hunting overview](microsoft-defender-atp/overview-hunting.md)
#### [Query data using Advanced hunting](microsoft-defender-atp/advanced-hunting.md)
+#### [Stream Advanced hunting events to Azure Event Hubs](microsoft-defender-atp/raw-data-export-event-hub.md)
+#### [Advanced hunting schema reference]()
+##### [All tables in the Advanced hunting schema](microsoft-defender-atp/advanced-hunting-reference.md)
+##### [AlertEvents table](microsoft-defender-atp/advanced-hunting-alertevents-table.md)
+##### [FileCreationEvents table](microsoft-defender-atp/advanced-hunting-filecreationevents-table.md)
+##### [ImageLoadEvents table](microsoft-defender-atp/advanced-hunting-imageloadevents-table.md)
+##### [LogonEvents table](microsoft-defender-atp/advanced-hunting-logonevents-table.md)
+##### [MachineInfo table](microsoft-defender-atp/advanced-hunting-machineinfo-table.md)
+##### [MachineNetworkInfo table](microsoft-defender-atp/advanced-hunting-machinenetworkinfo-table.md)
+##### [MiscEvents table](microsoft-defender-atp/advanced-hunting-miscevents-table.md)
+##### [NetworkCommunicationEvents table](microsoft-defender-atp/advanced-hunting-networkcommunicationevents-table.md)
+##### [ProcessCreationEvents table](microsoft-defender-atp/advanced-hunting-processcreationevents-table.md)
+##### [RegistryEvents table](microsoft-defender-atp/advanced-hunting-registryevents-table.md)
+#### [Advanced hunting query language best practices](microsoft-defender-atp/advanced-hunting-best-practices.md)
-##### [Advanced hunting schema reference]()
-###### [All tables in the Advanced hunting schema](microsoft-defender-atp/advanced-hunting-reference.md)
-###### [AlertEvents table](microsoft-defender-atp/advanced-hunting-alertevents-table.md)
-###### [FileCreationEvents table](microsoft-defender-atp/advanced-hunting-filecreationevents-table.md)
-###### [ImageLoadEvents table](microsoft-defender-atp/advanced-hunting-imageloadevents-table.md)
-###### [LogonEvents table](microsoft-defender-atp/advanced-hunting-logonevents-table.md)
-###### [MachineInfo table](microsoft-defender-atp/advanced-hunting-machineinfo-table.md)
-###### [MachineNetworkInfo table](microsoft-defender-atp/advanced-hunting-machinenetworkinfo-table.md)
-###### [MiscEvents table](microsoft-defender-atp/advanced-hunting-miscevents-table.md)
-###### [NetworkCommunicationEvents table](microsoft-defender-atp/advanced-hunting-networkcommunicationevents-table.md)
-###### [ProcessCreationEvents table](microsoft-defender-atp/advanced-hunting-processcreationevents-table.md)
-###### [RegistryEvents table](microsoft-defender-atp/advanced-hunting-registryevents-table.md)
-
-##### [Advanced hunting query language best practices](microsoft-defender-atp/advanced-hunting-best-practices.md)
#### [Custom detections]()
##### [Understand custom detection rules](microsoft-defender-atp/overview-custom-detections.md)
##### [Create custom detections rules](microsoft-defender-atp/custom-detection-rules.md)
-#### [Management and APIs]()
-##### [Overview of management and APIs](microsoft-defender-atp/management-apis.md)
-##### [Understand threat intelligence concepts](microsoft-defender-atp/threat-indicator-concepts.md)
-##### [Microsoft Defender ATP APIs](microsoft-defender-atp/apis-intro.md)
-##### [Managed security service provider support](microsoft-defender-atp/mssp-support.md)
+### [Management and APIs]()
+#### [Overview of management and APIs](microsoft-defender-atp/management-apis.md)
+#### [Understand threat intelligence concepts](microsoft-defender-atp/threat-indicator-concepts.md)
+#### [Managed security service provider support](microsoft-defender-atp/mssp-support.md)
-#### [Integrations]()
-##### [Microsoft Defender ATP integrations](microsoft-defender-atp/threat-protection-integration.md)
-##### [Protect users, data, and devices with conditional access](microsoft-defender-atp/conditional-access.md)
-##### [Microsoft Cloud App Security integration overview](microsoft-defender-atp/microsoft-cloud-app-security-integration.md)
+### [Integrations]()
+#### [Microsoft Defender ATP integrations](microsoft-defender-atp/threat-protection-integration.md)
+#### [Protect users, data, and devices with conditional access](microsoft-defender-atp/conditional-access.md)
+#### [Microsoft Cloud App Security integration overview](microsoft-defender-atp/microsoft-cloud-app-security-integration.md)
-#### [Information protection in Windows overview]()
-##### [Windows integration](microsoft-defender-atp/information-protection-in-windows-overview.md)
-##### [Use sensitivity labels to prioritize incident response](microsoft-defender-atp/information-protection-investigation.md)
+### [Information protection in Windows overview]()
+#### [Windows integration](microsoft-defender-atp/information-protection-in-windows-overview.md)
+#### [Use sensitivity labels to prioritize incident response](microsoft-defender-atp/information-protection-investigation.md)
### [Microsoft Threat Experts](microsoft-defender-atp/microsoft-threat-experts.md)
@@ -162,37 +159,27 @@
##### [Attack surface reduction and nex-generation evaluation overview](microsoft-defender-atp/evaluate-atp.md)
##### [Hardware-based isolation](windows-defender-application-guard/test-scenarios-wd-app-guard.md)
##### [Application control](windows-defender-application-control/audit-windows-defender-application-control-policies.md)
-##### [Exploit protection](windows-defender-exploit-guard/evaluate-exploit-protection.md)
-##### [Network Protection](windows-defender-exploit-guard/evaluate-network-protection.md)
-##### [Controlled folder access](windows-defender-exploit-guard/evaluate-controlled-folder-access.md)
-##### [Attack surface reduction](windows-defender-exploit-guard/evaluate-attack-surface-reduction.md)
+##### [Exploit protection](microsoft-defender-atp/evaluate-exploit-protection.md)
+##### [Network Protection](microsoft-defender-atp/evaluate-network-protection.md)
+##### [Controlled folder access](microsoft-defender-atp/evaluate-controlled-folder-access.md)
+##### [Attack surface reduction](microsoft-defender-atp/evaluate-attack-surface-reduction.md)
##### [Network firewall](windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md)
##### [Evaluate next generation protection](windows-defender-antivirus/evaluate-windows-defender-antivirus.md)
### [Access the Windows Defender Security Center Community Center](microsoft-defender-atp/community.md)
## [Configure and manage capabilities]()
+
### [Configure attack surface reduction]()
#### [Attack surface reduction configuration settings](microsoft-defender-atp/configure-attack-surface-reduction.md)
-### [Configure and manage capabilities](microsoft-defender-atp/onboard.md)
-#### [Microsoft Defender Advanced Threat Protection for Mac](windows-defender-antivirus/microsoft-defender-atp-mac.md)
-##### [Deploy Microsoft Defender Advanced Threat Protection for Mac]()
-###### [Microsoft Intune-based deployment](windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md)
-###### [JAMF-based deployment](windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md)
-###### [Deployment with a different Mobile Device Management (MDM) system](windows-defender-antivirus/microsoft-defender-atp-mac-install-with-other-mdm.md)
-###### [Manual deployment](windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md)
-##### [Update Microsoft Defender ATP for Mac](windows-defender-antivirus/microsoft-defender-atp-mac-updates.md)
-##### [Set preferences for Microsoft Defender ATP for Mac](windows-defender-antivirus/microsoft-defender-atp-mac-preferences.md)
-##### [Privacy for Microsoft Defender ATP for Mac](windows-defender-antivirus/microsoft-defender-atp-mac-privacy.md)
-##### [Resources for Microsoft Defender ATP for Mac](windows-defender-antivirus/microsoft-defender-atp-mac-resources.md)
-#### [Hardware-based isolation]()
-##### [System isolation](windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md)
+### [Hardware-based isolation]()
+#### [System isolation](windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md)
-##### [Application isolation]()
-###### [Install Windows Defender Application Guard](windows-defender-application-guard/install-wd-app-guard.md)
-###### [Application control](windows-defender-application-control/windows-defender-application-control.md)
+#### [Application isolation]()
+##### [Install Windows Defender Application Guard](windows-defender-application-guard/install-wd-app-guard.md)
+##### [Application control](windows-defender-application-control/windows-defender-application-control.md)
#### [Device control]()
##### [Control USB devices](device-control/control-usb-devices-using-intune.md)
@@ -201,24 +188,29 @@
###### [Code integrity](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)
###### [Memory integrity]()
-####### [Understand memory integrity](windows-defender-exploit-guard/memory-integrity.md)
-####### [Hardware qualifications](windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md)
-####### [Enable HVCI](windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md)
+####### [Understand memory integrity](device-guard/memory-integrity.md)
+####### [Hardware qualifications](device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md)
+####### [Enable HVCI](device-guard/enable-virtualization-based-protection-of-code-integrity.md)
#### [Exploit protection]()
-##### [Enable exploit protection](windows-defender-exploit-guard/enable-exploit-protection.md)
-##### [Import/export configurations](windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md)
+##### [Enable exploit protection](microsoft-defender-atp/enable-exploit-protection.md)
+##### [Import/export configurations](microsoft-defender-atp/import-export-exploit-protection-emet-xml.md)
-#### [Network protection](windows-defender-exploit-guard/enable-network-protection.md)
-#### [Controlled folder access](windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md)
+#### [Network protection](microsoft-defender-atp/enable-network-protection.md)
+#### [Controlled folder access](microsoft-defender-atp/enable-controlled-folders.md)
#### [Attack surface reduction controls]()
-##### [Enable attack surface reduction rules](windows-defender-exploit-guard/enable-attack-surface-reduction.md)
-##### [Customize attack surface reduction](windows-defender-exploit-guard/customize-attack-surface-reduction.md)
+##### [Enable attack surface reduction rules](microsoft-defender-atp/enable-attack-surface-reduction.md)
+##### [Customize attack surface reduction](microsoft-defender-atp/customize-attack-surface-reduction.md)
+
#### [Network firewall](windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md)
+
+
+
### [Configure next generation protection]()
#### [Configure Windows Defender Antivirus features](windows-defender-antivirus/configure-windows-defender-antivirus-features.md)
+
#### [Utilize Microsoft cloud-delivered protection](windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md)
##### [Enable cloud-delivered protection](windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md)
##### [Specify the cloud-delivered protection level](windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md)
@@ -309,6 +301,21 @@
##### [Use Windows Management Instrumentation (WMI) to manage next generation protection](windows-defender-antivirus/use-wmi-windows-defender-antivirus.md)
##### [Use the mpcmdrun.exe command line tool to manage next generation protection](windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md)
+
+### [Microsoft Defender Advanced Threat Protection for Mac](windows-defender-antivirus/microsoft-defender-atp-mac.md)
+#### [Deploy Microsoft Defender Advanced Threat Protection for Mac]()
+##### [Microsoft Intune-based deployment](windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md)
+##### [JAMF-based deployment](windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md)
+##### [Deployment with a different Mobile Device Management (MDM) system](windows-defender-antivirus/microsoft-defender-atp-mac-install-with-other-mdm.md)
+##### [Manual deployment](windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md)
+#### [Update Microsoft Defender ATP for Mac](windows-defender-antivirus/microsoft-defender-atp-mac-updates.md)
+#### [Set preferences for Microsoft Defender ATP for Mac](windows-defender-antivirus/microsoft-defender-atp-mac-preferences.md)
+#### [Privacy for Microsoft Defender ATP for Mac](windows-defender-antivirus/microsoft-defender-atp-mac-privacy.md)
+#### [Resources for Microsoft Defender ATP for Mac](windows-defender-antivirus/microsoft-defender-atp-mac-resources.md)
+
+
+
+
### [Configure Secure score dashboard security controls](microsoft-defender-atp/secure-score-dashboard.md)
### [Configure and manage Microsoft Threat Experts capabilities](microsoft-defender-atp/configure-microsoft-threat-experts.md)
@@ -331,6 +338,8 @@
##### [Run a detection test on a newly onboarded machine](microsoft-defender-atp/run-detection-test.md)
##### [Run simulated attacks on machines](microsoft-defender-atp/attack-simulations.md)
##### [Configure proxy and Internet connectivity settings](microsoft-defender-atp/configure-proxy-internet.md)
+##### [Create an onboarding or offboarding notification rule](microsoft-defender-atp/onboarding-notification.md)
+
##### [Troubleshoot onboarding issues]()
###### [Troubleshoot issues during onboarding](microsoft-defender-atp/troubleshoot-onboarding.md)
@@ -394,7 +403,6 @@
####### [Get domain related alerts](microsoft-defender-atp/get-domain-related-alerts.md)
####### [Get domain related machines](microsoft-defender-atp/get-domain-related-machines.md)
####### [Get domain statistics](microsoft-defender-atp/get-domain-statistics.md)
-####### [Is domain seen in organization](microsoft-defender-atp/is-domain-seen-in-org.md)
###### [File]()
####### [File methods and properties](microsoft-defender-atp/files.md)
@@ -405,9 +413,7 @@
###### [IP]()
####### [Get IP related alerts](microsoft-defender-atp/get-ip-related-alerts.md)
-####### [Get IP related machines](microsoft-defender-atp/get-ip-related-machines.md)
####### [Get IP statistics](microsoft-defender-atp/get-ip-statistics.md)
-####### [Is IP seen in organization](microsoft-defender-atp/is-ip-seen-org.md)
###### [User]()
####### [User methods](microsoft-defender-atp/user.md)
@@ -415,15 +421,10 @@
####### [Get user related machines](microsoft-defender-atp/get-user-related-machines.md)
##### [How to use APIs - Samples]()
-###### [Advanced Hunting API]()
-####### [Schedule advanced Hunting using Microsoft Flow](microsoft-defender-atp/run-advanced-query-sample-ms-flow.md)
-####### [Advanced Hunting using PowerShell](microsoft-defender-atp/run-advanced-query-sample-powershell.md)
-####### [Advanced Hunting using Python](microsoft-defender-atp/run-advanced-query-sample-python.md)
-####### [Create custom Power BI reports](microsoft-defender-atp/run-advanced-query-sample-power-bi-app-token.md)
-
-###### [Multiple APIs]()
-####### [PowerShell](microsoft-defender-atp/exposed-apis-full-sample-powershell.md)
-
+###### [Microsoft Flow](microsoft-defender-atp/api-microsoft-flow.md)
+###### [Power BI](microsoft-defender-atp/api-power-bi.md)
+###### [Advanced Hunting using Python](microsoft-defender-atp/run-advanced-query-sample-python.md)
+###### [Advanced Hunting using PowerShell](microsoft-defender-atp/run-advanced-query-sample-powershell.md)
###### [Using OData Queries](microsoft-defender-atp/exposed-apis-odata-samples.md)
#### [Windows updates (KB) info]()
@@ -433,7 +434,6 @@
##### [Get CVE-KB map](microsoft-defender-atp/get-cvekbmap-collection.md)
#### [API for custom alerts (Deprecated)]()
-##### [Enable the custom threat intelligence application (Deprecated)](microsoft-defender-atp/enable-custom-ti.md)
##### [Use the threat intelligence API to create custom alerts (Deprecated)](microsoft-defender-atp/use-custom-ti.md)
##### [Create custom threat intelligence alerts (Deprecated)](microsoft-defender-atp/custom-ti-api.md)
##### [PowerShell code examples (Deprecated)](microsoft-defender-atp/powershell-example-code.md)
@@ -441,13 +441,13 @@
##### [Experiment with custom threat intelligence alerts (Deprecated)](microsoft-defender-atp/experiment-custom-ti.md)
##### [Troubleshoot custom threat intelligence issues (Deprecated)](microsoft-defender-atp/troubleshoot-custom-ti.md)
-#### [Pull alerts to your SIEM tools]()
-##### [Learn about different ways to pull alerts](microsoft-defender-atp/configure-siem.md)
+#### [Pull detections to your SIEM tools]()
+##### [Learn about different ways to pull detections](microsoft-defender-atp/configure-siem.md)
##### [Enable SIEM integration](microsoft-defender-atp/enable-siem-integration.md)
-##### [Configure Splunk to pull alerts](microsoft-defender-atp/configure-splunk.md)
-##### [Configure HP ArcSight to pull alerts](microsoft-defender-atp/configure-arcsight.md)
-##### [Microsoft Defender ATP SIEM alert API fields](microsoft-defender-atp/api-portal-mapping.md)
-##### [Pull alerts using SIEM REST API](microsoft-defender-atp/pull-alerts-using-rest-api.md)
+##### [Configure Splunk to pull detections](microsoft-defender-atp/configure-splunk.md)
+##### [Configure HP ArcSight to pull detections](microsoft-defender-atp/configure-arcsight.md)
+##### [Microsoft Defender ATP detection fields](microsoft-defender-atp/api-portal-mapping.md)
+##### [Pull detections using SIEM REST API](microsoft-defender-atp/pull-alerts-using-rest-api.md)
##### [Troubleshoot SIEM tool integration issues](microsoft-defender-atp/troubleshoot-siem.md)
#### [Reporting]()
@@ -481,6 +481,7 @@
#### [Configure information protection in Windows](microsoft-defender-atp/information-protection-in-windows-config.md)
### [Configure portal settings]()
+#### [Set up preferences](microsoft-defender-atp/preferences-setup.md)
#### [General]()
##### [Update data retention settings](microsoft-defender-atp/data-retention-settings.md)
##### [Configure alert notifications](microsoft-defender-atp/configure-email-notifications.md)
@@ -501,7 +502,6 @@
#### [Rules]()
##### [Manage suppression rules](microsoft-defender-atp/manage-suppression-rules.md)
-##### [Manage automation allowed/blocked lists](microsoft-defender-atp/manage-automation-allowed-blocked-list.md)
##### [Manage indicators](microsoft-defender-atp/manage-indicators.md)
##### [Manage automation file uploads](microsoft-defender-atp/manage-automation-file-uploads.md)
##### [Manage automation folder exclusions](microsoft-defender-atp/manage-automation-folder-exclusions.md)
@@ -510,7 +510,7 @@
##### [Onboarding machines](microsoft-defender-atp/onboard-configure.md)
##### [Offboarding machines](microsoft-defender-atp/offboard-machines.md)
-#### [Configure Windows Defender Security Center time zone settings](microsoft-defender-atp/time-settings.md)
+#### [Configure Microsoft Defender Security Center time zone settings](microsoft-defender-atp/time-settings.md)
## [Troubleshoot Microsoft Defender ATP]()
@@ -529,8 +529,8 @@
#### [Troubleshoot issues related to live response](microsoft-defender-atp/troubleshoot-live-response.md)
### [Troubleshoot attack surface reduction]()
-#### [Network protection](windows-defender-exploit-guard/troubleshoot-np.md)
-#### [Attack surface reduction rules](windows-defender-exploit-guard/troubleshoot-asr.md)
+#### [Network protection](microsoft-defender-atp/troubleshoot-np.md)
+#### [Attack surface reduction rules](microsoft-defender-atp/troubleshoot-asr.md)
### [Troubleshoot next generation protection](windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md)
@@ -1049,7 +1049,7 @@
###### [Network access: Remotely accessible registry paths](security-policy-settings/network-access-remotely-accessible-registry-paths.md)
###### [Network access: Remotely accessible registry paths and subpaths](security-policy-settings/network-access-remotely-accessible-registry-paths-and-subpaths.md)
###### [Network access: Restrict anonymous access to Named Pipes and Shares](security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md)
-###### [Network access: Restrict clients allowed to make remote calls to SAM](security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md)
+###### [Network access: Restrict clients allowed to make remote calls to SAM](security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md)
###### [Network access: Shares that can be accessed anonymously](security-policy-settings/network-access-shares-that-can-be-accessed-anonymously.md)
###### [Network access: Sharing and security model for local accounts](security-policy-settings/network-access-sharing-and-security-model-for-local-accounts.md)
###### [Network security: Allow Local System to use computer identity for NTLM](security-policy-settings/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md)
diff --git a/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md b/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md
index 8896c08c25..ad2a9abf62 100644
--- a/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md
+++ b/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md
@@ -3,13 +3,13 @@ title: Advanced security audit policy settings (Windows 10)
description: This reference for IT professionals provides information about the advanced audit policy settings that are available in Windows and the audit events that they generate.
ms.assetid: 93b28b92-796f-4036-a53b-8b9e80f9f171
ms.reviewer:
-ms.author: dolmont
+ms.author: dansimp
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
@@ -65,7 +65,7 @@ Detailed Tracking security policy settings and audit events can be used to monit
- [Audit Process Termination](audit-process-termination.md)
- [Audit RPC Events](audit-rpc-events.md)
- [Audit Credential Validation](https://docs.microsoft.com/windows/security/threat-protection/auditing/audit-credential-validation)
- > **Note:** For more information, see [Security Monitoring](https://blogs.technet.microsoft.com/nathangau/2018/01/25/security-monitoring-a-possible-new-way-to-detect-privilege-escalation/)
+- [Audit Token Right Adjusted](https://docs.microsoft.com/windows/security/threat-protection/auditing/audit-token-right-adjusted)
## DS Access
diff --git a/windows/security/threat-protection/auditing/advanced-security-auditing-faq.md b/windows/security/threat-protection/auditing/advanced-security-auditing-faq.md
index c0611c6e06..99b8a989c4 100644
--- a/windows/security/threat-protection/auditing/advanced-security-auditing-faq.md
+++ b/windows/security/threat-protection/auditing/advanced-security-auditing-faq.md
@@ -3,13 +3,13 @@ title: Advanced security auditing FAQ (Windows 10)
description: This topic for the IT professional lists questions and answers about understanding, deploying, and managing security audit policies.
ms.assetid: 80f8f187-0916-43c2-a7e8-ea712b115a06
ms.reviewer:
-ms.author: dolmont
+ms.author: dansimp
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
diff --git a/windows/security/threat-protection/auditing/advanced-security-auditing.md b/windows/security/threat-protection/auditing/advanced-security-auditing.md
index 63485f34ef..9270164aec 100644
--- a/windows/security/threat-protection/auditing/advanced-security-auditing.md
+++ b/windows/security/threat-protection/auditing/advanced-security-auditing.md
@@ -3,13 +3,13 @@ title: Advanced security audit policies (Windows 10)
description: Advanced security audit policy settings are found in Security Settings\\Advanced Audit Policy Configuration\\System Audit Policies and appear to overlap with basic security audit policies, but they are recorded and applied differently.
ms.assetid: 6FE8AC10-F48E-4BBF-979B-43A5DFDC5DFC
ms.reviewer:
-ms.author: dolmont
+ms.author: dansimp
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
diff --git a/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md b/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md
index f416edda8c..d212b266b1 100644
--- a/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md
+++ b/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md
@@ -6,11 +6,11 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
-ms.author: dolmont
+ms.author: dansimp
---
# Appendix A: Security monitoring recommendations for many audit events
diff --git a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md
index c5c5466214..e559dc6001 100644
--- a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md
+++ b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md
@@ -3,13 +3,13 @@ title: Apply a basic audit policy on a file or folder (Windows 10)
description: You can apply audit policies to individual files and folders on your computer by setting the permission type to record successful access attempts or failed access attempts in the security log.
ms.assetid: 565E7249-5CD0-4B2E-B2C0-B3A0793A51E2
ms.reviewer:
-ms.author: dolmont
+ms.author: dansimp
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
@@ -39,6 +39,26 @@ To complete this procedure, you must be logged on as a member of the built-in Ad
- To audit failure events, click **Fail.**
- To audit all events, click **All.**
+
+
+6. In the **Applies to** box, select the object(s) that the audit of events will apply to. These include:
+
+ - **This folder only**
+ - **This folder, subfolders and files**
+ - **This folder and subfolders**
+ - **This folder and files**
+ - **Subfolders and files only**
+ - **Subfolders only**
+ - **Files only**
+
+7. By default, the selected **Basic Permissions** to audit are the following:
+ - **Read and execute**
+ - **List folder contents**
+ - **Read**
+ - Additionally, you can choose **Full control**, **Modify**, and/or **Write** permissions with your selected audit combination.
+
+
+
> **Important:** Before setting up auditing for files and folders, you must enable [object access auditing](basic-audit-object-access.md) by defining auditing policy settings for the object access event category. If you do not enable object access auditing, you will receive an error message when you set up auditing for files and folders, and no files or folders will be audited.
## Additional considerations
diff --git a/windows/security/threat-protection/auditing/audit-account-lockout.md b/windows/security/threat-protection/auditing/audit-account-lockout.md
index dcd17c9695..34e1304ce4 100644
--- a/windows/security/threat-protection/auditing/audit-account-lockout.md
+++ b/windows/security/threat-protection/auditing/audit-account-lockout.md
@@ -4,13 +4,13 @@ description: This topic for the IT professional describes the advanced security
ms.assetid: da68624b-a174-482c-9bc5-ddddab38e589
ms.reviewer:
manager: dansimp
-ms.author: dolmont
+ms.author: dansimp
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
ms.date: 07/16/2018
---
diff --git a/windows/security/threat-protection/auditing/audit-application-generated.md b/windows/security/threat-protection/auditing/audit-application-generated.md
index e880c6b05b..72a5aecec7 100644
--- a/windows/security/threat-protection/auditing/audit-application-generated.md
+++ b/windows/security/threat-protection/auditing/audit-application-generated.md
@@ -4,13 +4,13 @@ description: This topic for the IT professional describes the Advanced Security
ms.assetid: 6c58a365-b25b-42b8-98ab-819002e31871
ms.reviewer:
manager: dansimp
-ms.author: dolmont
+ms.author: dansimp
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
ms.date: 04/19/2017
---
diff --git a/windows/security/threat-protection/auditing/audit-application-group-management.md b/windows/security/threat-protection/auditing/audit-application-group-management.md
index 870ef553dd..96f7a50301 100644
--- a/windows/security/threat-protection/auditing/audit-application-group-management.md
+++ b/windows/security/threat-protection/auditing/audit-application-group-management.md
@@ -4,13 +4,13 @@ description: This topic for the IT professional describes the advanced security
ms.assetid: 1bcaa41e-5027-4a86-96b7-f04eaf1c0606
ms.reviewer:
manager: dansimp
-ms.author: dolmont
+ms.author: dansimp
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
ms.date: 04/19/2017
---
diff --git a/windows/security/threat-protection/auditing/audit-audit-policy-change.md b/windows/security/threat-protection/auditing/audit-audit-policy-change.md
index f8d37dcdaa..8f4d1d0d23 100644
--- a/windows/security/threat-protection/auditing/audit-audit-policy-change.md
+++ b/windows/security/threat-protection/auditing/audit-audit-policy-change.md
@@ -4,13 +4,13 @@ description: This topic for the IT professional describes the Advanced Security
ms.assetid: 7153bf75-6978-4d7e-a821-59a699efb8a9
ms.reviewer:
manager: dansimp
-ms.author: dolmont
+ms.author: dansimp
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
ms.date: 04/19/2017
---
diff --git a/windows/security/threat-protection/auditing/audit-authentication-policy-change.md b/windows/security/threat-protection/auditing/audit-authentication-policy-change.md
index 0171ab438c..8020663eb5 100644
--- a/windows/security/threat-protection/auditing/audit-authentication-policy-change.md
+++ b/windows/security/threat-protection/auditing/audit-authentication-policy-change.md
@@ -4,13 +4,13 @@ description: This topic for the IT professional describes this Advanced Security
ms.assetid: aa9cea7a-aadf-47b7-b704-ac253b8e79be
ms.reviewer:
manager: dansimp
-ms.author: dolmont
+ms.author: dansimp
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
ms.date: 04/19/2017
---
diff --git a/windows/security/threat-protection/auditing/audit-authorization-policy-change.md b/windows/security/threat-protection/auditing/audit-authorization-policy-change.md
index 329e7259b8..af4339ce53 100644
--- a/windows/security/threat-protection/auditing/audit-authorization-policy-change.md
+++ b/windows/security/threat-protection/auditing/audit-authorization-policy-change.md
@@ -4,13 +4,13 @@ description: This topic for the IT professional describes the Advanced Security
ms.assetid: ca0587a2-a2b3-4300-aa5d-48b4553c3b36
ms.reviewer:
manager: dansimp
-ms.author: dolmont
+ms.author: dansimp
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
ms.date: 04/19/2017
---
diff --git a/windows/security/threat-protection/auditing/audit-central-access-policy-staging.md b/windows/security/threat-protection/auditing/audit-central-access-policy-staging.md
index a9c4011dab..061105bbac 100644
--- a/windows/security/threat-protection/auditing/audit-central-access-policy-staging.md
+++ b/windows/security/threat-protection/auditing/audit-central-access-policy-staging.md
@@ -4,13 +4,13 @@ description: This topic for the IT professional describes the Advanced Security
ms.assetid: D9BB11CE-949A-4B48-82BF-30DC5E6FC67D
ms.reviewer:
manager: dansimp
-ms.author: dolmont
+ms.author: dansimp
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
ms.date: 04/19/2017
---
diff --git a/windows/security/threat-protection/auditing/audit-certification-services.md b/windows/security/threat-protection/auditing/audit-certification-services.md
index 1dd10ad26a..4214420b03 100644
--- a/windows/security/threat-protection/auditing/audit-certification-services.md
+++ b/windows/security/threat-protection/auditing/audit-certification-services.md
@@ -4,13 +4,13 @@ description: This topic for the IT professional describes the Advanced Security
ms.assetid: cdefc34e-fb1f-4eff-b766-17713c5a1b03
ms.reviewer:
manager: dansimp
-ms.author: dolmont
+ms.author: dansimp
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
ms.date: 04/19/2017
---
diff --git a/windows/security/threat-protection/auditing/audit-computer-account-management.md b/windows/security/threat-protection/auditing/audit-computer-account-management.md
index 1425e2cb70..d0d902a868 100644
--- a/windows/security/threat-protection/auditing/audit-computer-account-management.md
+++ b/windows/security/threat-protection/auditing/audit-computer-account-management.md
@@ -4,13 +4,13 @@ description: This topic for the IT professional describes the advanced security
ms.assetid: 6c406693-57bf-4411-bb6c-ff83ce548991
ms.reviewer:
manager: dansimp
-ms.author: dolmont
+ms.author: dansimp
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
ms.date: 04/19/2017
---
diff --git a/windows/security/threat-protection/auditing/audit-credential-validation.md b/windows/security/threat-protection/auditing/audit-credential-validation.md
index 68b0305d77..feac5d138b 100644
--- a/windows/security/threat-protection/auditing/audit-credential-validation.md
+++ b/windows/security/threat-protection/auditing/audit-credential-validation.md
@@ -4,13 +4,13 @@ description: This topic for the IT professional describes the advanced security
ms.assetid: 6654b33a-922e-4a43-8223-ec5086dfc926
ms.reviewer:
manager: dansimp
-ms.author: dolmont
+ms.author: dansimp
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
ms.date: 04/19/2017
---
diff --git a/windows/security/threat-protection/auditing/audit-detailed-directory-service-replication.md b/windows/security/threat-protection/auditing/audit-detailed-directory-service-replication.md
index 93757103e6..2b345207d2 100644
--- a/windows/security/threat-protection/auditing/audit-detailed-directory-service-replication.md
+++ b/windows/security/threat-protection/auditing/audit-detailed-directory-service-replication.md
@@ -4,13 +4,13 @@ description: This topic for the IT professional describes the advanced security
ms.assetid: 1b89c8f5-bce7-4b20-8701-42585c7ab993
ms.reviewer:
manager: dansimp
-ms.author: dolmont
+ms.author: dansimp
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
ms.date: 04/19/2017
---
diff --git a/windows/security/threat-protection/auditing/audit-detailed-file-share.md b/windows/security/threat-protection/auditing/audit-detailed-file-share.md
index 6d6e5b0095..41ed83320d 100644
--- a/windows/security/threat-protection/auditing/audit-detailed-file-share.md
+++ b/windows/security/threat-protection/auditing/audit-detailed-file-share.md
@@ -4,13 +4,13 @@ description: This topic for the IT professional describes the Advanced Security
ms.assetid: 60310104-b820-4033-a1cb-022a34f064ae
ms.reviewer:
manager: dansimp
-ms.author: dolmont
+ms.author: dansimp
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
ms.date: 04/19/2017
---
diff --git a/windows/security/threat-protection/auditing/audit-directory-service-access.md b/windows/security/threat-protection/auditing/audit-directory-service-access.md
index a56a269acd..ae15d23652 100644
--- a/windows/security/threat-protection/auditing/audit-directory-service-access.md
+++ b/windows/security/threat-protection/auditing/audit-directory-service-access.md
@@ -4,13 +4,13 @@ description: This topic for the IT professional describes the advanced security
ms.assetid: ba2562ba-4282-4588-b87c-a3fcb771c7d0
ms.reviewer:
manager: dansimp
-ms.author: dolmont
+ms.author: dansimp
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
ms.date: 04/19/2017
---
diff --git a/windows/security/threat-protection/auditing/audit-directory-service-changes.md b/windows/security/threat-protection/auditing/audit-directory-service-changes.md
index 8fc975671d..4110cd1ec6 100644
--- a/windows/security/threat-protection/auditing/audit-directory-service-changes.md
+++ b/windows/security/threat-protection/auditing/audit-directory-service-changes.md
@@ -4,13 +4,13 @@ description: This topic for the IT professional describes the advanced security
ms.assetid: 9f7c0dd4-3977-47dd-a0fb-ec2f17cad05e
ms.reviewer:
manager: dansimp
-ms.author: dolmont
+ms.author: dansimp
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
ms.date: 04/19/2017
---
diff --git a/windows/security/threat-protection/auditing/audit-directory-service-replication.md b/windows/security/threat-protection/auditing/audit-directory-service-replication.md
index 6580b8f311..06737f9521 100644
--- a/windows/security/threat-protection/auditing/audit-directory-service-replication.md
+++ b/windows/security/threat-protection/auditing/audit-directory-service-replication.md
@@ -4,13 +4,13 @@ description: This topic for the IT professional describes the advanced security
ms.assetid: b95d296c-7993-4e8d-8064-a8bbe284bd56
ms.reviewer:
manager: dansimp
-ms.author: dolmont
+ms.author: dansimp
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
ms.date: 04/19/2017
---
diff --git a/windows/security/threat-protection/auditing/audit-distribution-group-management.md b/windows/security/threat-protection/auditing/audit-distribution-group-management.md
index 83d36fa376..0c779c954f 100644
--- a/windows/security/threat-protection/auditing/audit-distribution-group-management.md
+++ b/windows/security/threat-protection/auditing/audit-distribution-group-management.md
@@ -4,13 +4,13 @@ description: This topic for the IT professional describes the Advanced Security
ms.assetid: d46693a4-5887-4a58-85db-2f6cba224a66
ms.reviewer:
manager: dansimp
-ms.author: dolmont
+ms.author: dansimp
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
ms.date: 04/19/2017
---
diff --git a/windows/security/threat-protection/auditing/audit-dpapi-activity.md b/windows/security/threat-protection/auditing/audit-dpapi-activity.md
index 3efd600fab..835e1fd7f3 100644
--- a/windows/security/threat-protection/auditing/audit-dpapi-activity.md
+++ b/windows/security/threat-protection/auditing/audit-dpapi-activity.md
@@ -4,13 +4,13 @@ description: This topic for the IT professional describes the Advanced Security
ms.assetid: be4d4c83-c857-4e3d-a84e-8bcc3f2c99cd
ms.reviewer:
manager: dansimp
-ms.author: dolmont
+ms.author: dansimp
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
ms.date: 04/19/2017
---
diff --git a/windows/security/threat-protection/auditing/audit-file-share.md b/windows/security/threat-protection/auditing/audit-file-share.md
index ed86354e2b..512ae2084a 100644
--- a/windows/security/threat-protection/auditing/audit-file-share.md
+++ b/windows/security/threat-protection/auditing/audit-file-share.md
@@ -4,13 +4,13 @@ description: This topic for the IT professional describes the Advanced Security
ms.assetid: 9ea985f8-8936-4b79-abdb-35cbb7138f78
ms.reviewer:
manager: dansimp
-ms.author: dolmont
+ms.author: dansimp
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
ms.date: 04/19/2017
---
diff --git a/windows/security/threat-protection/auditing/audit-file-system.md b/windows/security/threat-protection/auditing/audit-file-system.md
index 6f97bd7fdd..fe21575b2b 100644
--- a/windows/security/threat-protection/auditing/audit-file-system.md
+++ b/windows/security/threat-protection/auditing/audit-file-system.md
@@ -4,13 +4,13 @@ description: This topic for the IT professional describes the Advanced Security
ms.assetid: 6a71f283-b8e5-41ac-b348-0b7ec6ea0b1f
ms.reviewer:
manager: dansimp
-ms.author: dolmont
+ms.author: dansimp
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
ms.date: 04/19/2017
---
diff --git a/windows/security/threat-protection/auditing/audit-filtering-platform-connection.md b/windows/security/threat-protection/auditing/audit-filtering-platform-connection.md
index 187040144e..734f231b24 100644
--- a/windows/security/threat-protection/auditing/audit-filtering-platform-connection.md
+++ b/windows/security/threat-protection/auditing/audit-filtering-platform-connection.md
@@ -4,13 +4,13 @@ description: This topic for the IT professional describes the Advanced Security
ms.assetid: d72936e9-ff01-4d18-b864-a4958815df59
ms.reviewer:
manager: dansimp
-ms.author: dolmont
+ms.author: dansimp
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
ms.date: 04/19/2017
---
diff --git a/windows/security/threat-protection/auditing/audit-filtering-platform-packet-drop.md b/windows/security/threat-protection/auditing/audit-filtering-platform-packet-drop.md
index e37ee47f16..b953cf56c0 100644
--- a/windows/security/threat-protection/auditing/audit-filtering-platform-packet-drop.md
+++ b/windows/security/threat-protection/auditing/audit-filtering-platform-packet-drop.md
@@ -4,13 +4,13 @@ description: This topic for the IT professional describes the Advanced Security
ms.assetid: 95457601-68d1-4385-af20-87916ddab906
ms.reviewer:
manager: dansimp
-ms.author: dolmont
+ms.author: dansimp
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
ms.date: 04/19/2017
---
diff --git a/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change.md b/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change.md
index 6cd117429a..c82bbebd49 100644
--- a/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change.md
+++ b/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change.md
@@ -4,13 +4,13 @@ description: This topic for the IT professional describes the Advanced Security
ms.assetid: 0eaf1c56-672b-4ea9-825a-22dc03eb4041
ms.reviewer:
manager: dansimp
-ms.author: dolmont
+ms.author: dansimp
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
ms.date: 04/19/2017
---
diff --git a/windows/security/threat-protection/auditing/audit-group-membership.md b/windows/security/threat-protection/auditing/audit-group-membership.md
index 7af1da773b..18b2e9556d 100644
--- a/windows/security/threat-protection/auditing/audit-group-membership.md
+++ b/windows/security/threat-protection/auditing/audit-group-membership.md
@@ -4,13 +4,13 @@ description: This topic for the IT professional describes the advanced security
ms.assetid: 1CD7B014-FBD9-44B9-9274-CC5715DE58B9
ms.reviewer:
manager: dansimp
-ms.author: dolmont
+ms.author: dansimp
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
ms.date: 04/19/2017
---
diff --git a/windows/security/threat-protection/auditing/audit-handle-manipulation.md b/windows/security/threat-protection/auditing/audit-handle-manipulation.md
index 4f4f0616af..3802d34249 100644
--- a/windows/security/threat-protection/auditing/audit-handle-manipulation.md
+++ b/windows/security/threat-protection/auditing/audit-handle-manipulation.md
@@ -4,13 +4,13 @@ description: This topic for the IT professional describes the Advanced Security
ms.assetid: 1fbb004a-ccdc-4c80-b3da-a4aa7a9f4091
ms.reviewer:
manager: dansimp
-ms.author: dolmont
+ms.author: dansimp
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
ms.date: 04/19/2017
---
diff --git a/windows/security/threat-protection/auditing/audit-ipsec-driver.md b/windows/security/threat-protection/auditing/audit-ipsec-driver.md
index 6b69b8a282..0f0a9fa7b5 100644
--- a/windows/security/threat-protection/auditing/audit-ipsec-driver.md
+++ b/windows/security/threat-protection/auditing/audit-ipsec-driver.md
@@ -4,13 +4,13 @@ description: This topic for the IT professional describes the Advanced Security
ms.assetid: c8b8c02f-5ad0-4ee5-9123-ea8cdae356a5
ms.reviewer:
manager: dansimp
-ms.author: dolmont
+ms.author: dansimp
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
ms.date: 10/02/2018
---
diff --git a/windows/security/threat-protection/auditing/audit-ipsec-extended-mode.md b/windows/security/threat-protection/auditing/audit-ipsec-extended-mode.md
index 27e7cf7591..af3502ddce 100644
--- a/windows/security/threat-protection/auditing/audit-ipsec-extended-mode.md
+++ b/windows/security/threat-protection/auditing/audit-ipsec-extended-mode.md
@@ -4,13 +4,13 @@ description: This topic for the IT professional describes the advanced security
ms.assetid: 2b4fee9e-482a-4181-88a8-6a79d8fc8049
ms.reviewer:
manager: dansimp
-ms.author: dolmont
+ms.author: dansimp
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
ms.date: 10/02/2018
---
diff --git a/windows/security/threat-protection/auditing/audit-ipsec-main-mode.md b/windows/security/threat-protection/auditing/audit-ipsec-main-mode.md
index 84c5eda210..d4aa3ebf77 100644
--- a/windows/security/threat-protection/auditing/audit-ipsec-main-mode.md
+++ b/windows/security/threat-protection/auditing/audit-ipsec-main-mode.md
@@ -4,13 +4,13 @@ description: This topic for the IT professional describes the advanced security
ms.assetid: 06ed26ec-3620-4ef4-a47a-c70df9c8827b
ms.reviewer:
manager: dansimp
-ms.author: dolmont
+ms.author: dansimp
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
ms.date: 10/02/2018
---
diff --git a/windows/security/threat-protection/auditing/audit-ipsec-quick-mode.md b/windows/security/threat-protection/auditing/audit-ipsec-quick-mode.md
index 9f081e8e45..54e46c85cd 100644
--- a/windows/security/threat-protection/auditing/audit-ipsec-quick-mode.md
+++ b/windows/security/threat-protection/auditing/audit-ipsec-quick-mode.md
@@ -4,13 +4,13 @@ description: This topic for the IT professional describes the advanced security
ms.assetid: 7be67a15-c2ce-496a-9719-e25ac7699114
ms.reviewer:
manager: dansimp
-ms.author: dolmont
+ms.author: dansimp
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
ms.date: 10/02/2018
---
diff --git a/windows/security/threat-protection/auditing/audit-kerberos-authentication-service.md b/windows/security/threat-protection/auditing/audit-kerberos-authentication-service.md
index 995bf11ffc..d28314643d 100644
--- a/windows/security/threat-protection/auditing/audit-kerberos-authentication-service.md
+++ b/windows/security/threat-protection/auditing/audit-kerberos-authentication-service.md
@@ -4,13 +4,13 @@ description: This topic for the IT professional describes the Advanced Security
ms.assetid: 990dd6d9-1a1f-4cce-97ba-5d7e0a7db859
ms.reviewer:
manager: dansimp
-ms.author: dolmont
+ms.author: dansimp
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
ms.date: 04/19/2017
---
diff --git a/windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations.md b/windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations.md
index 4e685381b1..f8bacdd852 100644
--- a/windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations.md
+++ b/windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations.md
@@ -4,13 +4,13 @@ description: This topic for the IT professional describes the Advanced Security
ms.assetid: ddc0abef-ac7f-4849-b90d-66700470ccd6
ms.reviewer:
manager: dansimp
-ms.author: dolmont
+ms.author: dansimp
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
ms.date: 04/19/2017
---
diff --git a/windows/security/threat-protection/auditing/audit-kernel-object.md b/windows/security/threat-protection/auditing/audit-kernel-object.md
index f4c965ec52..44049a109f 100644
--- a/windows/security/threat-protection/auditing/audit-kernel-object.md
+++ b/windows/security/threat-protection/auditing/audit-kernel-object.md
@@ -4,13 +4,13 @@ description: This topic for the IT professional describes the Advanced Security
ms.assetid: 75619d8b-b1eb-445b-afc9-0f9053be97fb
ms.reviewer:
manager: dansimp
-ms.author: dolmont
+ms.author: dansimp
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
ms.date: 04/19/2017
---
diff --git a/windows/security/threat-protection/auditing/audit-logoff.md b/windows/security/threat-protection/auditing/audit-logoff.md
index 3ff2570d46..45e9abeb45 100644
--- a/windows/security/threat-protection/auditing/audit-logoff.md
+++ b/windows/security/threat-protection/auditing/audit-logoff.md
@@ -4,13 +4,13 @@ description: This topic for the IT professional describes the Advanced Security
ms.assetid: 681e51f2-ba06-46f5-af8c-d9c48d515432
ms.reviewer:
manager: dansimp
-ms.author: dolmont
+ms.author: dansimp
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
ms.date: 07/16/2018
---
diff --git a/windows/security/threat-protection/auditing/audit-logon.md b/windows/security/threat-protection/auditing/audit-logon.md
index a1fa633cae..3742607eba 100644
--- a/windows/security/threat-protection/auditing/audit-logon.md
+++ b/windows/security/threat-protection/auditing/audit-logon.md
@@ -4,13 +4,13 @@ description: This topic for the IT professional describes the Advanced Security
ms.assetid: ca968d03-7d52-48c4-ba0e-2bcd2937231b
ms.reviewer:
manager: dansimp
-ms.author: dolmont
+ms.author: dansimp
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
ms.date: 04/19/2017
---
diff --git a/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change.md b/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change.md
index f756f7d9b5..25e29659e8 100644
--- a/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change.md
+++ b/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change.md
@@ -4,13 +4,13 @@ description: This topic for the IT professional describes the Advanced Security
ms.assetid: 263461b3-c61c-4ec3-9dee-851164845019
ms.reviewer:
manager: dansimp
-ms.author: dolmont
+ms.author: dansimp
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
ms.date: 04/19/2017
---
diff --git a/windows/security/threat-protection/auditing/audit-network-policy-server.md b/windows/security/threat-protection/auditing/audit-network-policy-server.md
index cc023326da..6d7eaac005 100644
--- a/windows/security/threat-protection/auditing/audit-network-policy-server.md
+++ b/windows/security/threat-protection/auditing/audit-network-policy-server.md
@@ -4,13 +4,13 @@ description: This topic for the IT professional describes the Advanced Security
ms.assetid: 43b2aea4-26df-46da-b761-2b30f51a80f7
ms.reviewer:
manager: dansimp
-ms.author: dolmont
+ms.author: dansimp
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
ms.date: 04/19/2017
---
diff --git a/windows/security/threat-protection/auditing/audit-non-sensitive-privilege-use.md b/windows/security/threat-protection/auditing/audit-non-sensitive-privilege-use.md
index 309f195d7d..f1227802bd 100644
--- a/windows/security/threat-protection/auditing/audit-non-sensitive-privilege-use.md
+++ b/windows/security/threat-protection/auditing/audit-non-sensitive-privilege-use.md
@@ -4,13 +4,13 @@ description: This topic for the IT professional describes the Advanced Security
ms.assetid: 8fd74783-1059-443e-aa86-566d78606627
ms.reviewer:
manager: dansimp
-ms.author: dolmont
+ms.author: dansimp
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
ms.date: 04/19/2017
---
diff --git a/windows/security/threat-protection/auditing/audit-other-account-logon-events.md b/windows/security/threat-protection/auditing/audit-other-account-logon-events.md
index 218e662e92..edbcb2555d 100644
--- a/windows/security/threat-protection/auditing/audit-other-account-logon-events.md
+++ b/windows/security/threat-protection/auditing/audit-other-account-logon-events.md
@@ -4,13 +4,13 @@ description: This topic for the IT professional describes the advanced security
ms.assetid: c8c6bfe0-33d2-4600-bb1a-6afa840d75b3
ms.reviewer:
manager: dansimp
-ms.author: dolmont
+ms.author: dansimp
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
ms.date: 04/19/2017
---
diff --git a/windows/security/threat-protection/auditing/audit-other-account-management-events.md b/windows/security/threat-protection/auditing/audit-other-account-management-events.md
index a52ff0d042..cd054ab132 100644
--- a/windows/security/threat-protection/auditing/audit-other-account-management-events.md
+++ b/windows/security/threat-protection/auditing/audit-other-account-management-events.md
@@ -4,13 +4,13 @@ description: This topic for the IT professional describes the Advanced Security
ms.assetid: 4ce22eeb-a96f-4cf9-a46d-6642961a31d5
ms.reviewer:
manager: dansimp
-ms.author: dolmont
+ms.author: dansimp
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
ms.date: 04/19/2017
---
diff --git a/windows/security/threat-protection/auditing/audit-other-logonlogoff-events.md b/windows/security/threat-protection/auditing/audit-other-logonlogoff-events.md
index 77527e8253..b10a5106ba 100644
--- a/windows/security/threat-protection/auditing/audit-other-logonlogoff-events.md
+++ b/windows/security/threat-protection/auditing/audit-other-logonlogoff-events.md
@@ -4,13 +4,13 @@ description: This topic for the IT professional describes the Advanced Security
ms.assetid: 76d987cd-1917-4907-a739-dd642609a458
ms.reviewer:
manager: dansimp
-ms.author: dolmont
+ms.author: dansimp
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
ms.date: 04/19/2017
---
diff --git a/windows/security/threat-protection/auditing/audit-other-object-access-events.md b/windows/security/threat-protection/auditing/audit-other-object-access-events.md
index d9513980da..3bfc786df1 100644
--- a/windows/security/threat-protection/auditing/audit-other-object-access-events.md
+++ b/windows/security/threat-protection/auditing/audit-other-object-access-events.md
@@ -4,13 +4,13 @@ description: This topic for the IT professional describes the Advanced Security
ms.assetid: b9774595-595d-4199-b0c5-8dbc12b6c8b2
ms.reviewer:
manager: dansimp
-ms.author: dolmont
+ms.author: dansimp
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
ms.date: 05/29/2017
---
diff --git a/windows/security/threat-protection/auditing/audit-other-policy-change-events.md b/windows/security/threat-protection/auditing/audit-other-policy-change-events.md
index 2690694166..e156529bf1 100644
--- a/windows/security/threat-protection/auditing/audit-other-policy-change-events.md
+++ b/windows/security/threat-protection/auditing/audit-other-policy-change-events.md
@@ -4,13 +4,13 @@ description: This topic for the IT professional describes the Advanced Security
ms.assetid: 8618502e-c21c-41cc-8a49-3dc1eb359e60
ms.reviewer:
manager: dansimp
-ms.author: dolmont
+ms.author: dansimp
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
ms.date: 04/19/2017
---
diff --git a/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md b/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md
index bbe45925d3..e13d22c6e3 100644
--- a/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md
+++ b/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md
@@ -4,13 +4,13 @@ description: This security policy setting is not used.
ms.assetid: 5f7f5b25-42a6-499f-8aa2-01ac79a2a63c
ms.reviewer:
manager: dansimp
-ms.author: dolmont
+ms.author: dansimp
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
ms.date: 04/19/2017
---
diff --git a/windows/security/threat-protection/auditing/audit-other-system-events.md b/windows/security/threat-protection/auditing/audit-other-system-events.md
index 66a05eb6c1..839166429b 100644
--- a/windows/security/threat-protection/auditing/audit-other-system-events.md
+++ b/windows/security/threat-protection/auditing/audit-other-system-events.md
@@ -4,13 +4,13 @@ description: This topic for the IT professional describes the Advanced Security
ms.assetid: 2401e4cc-d94e-41ec-82a7-e10914295f8b
ms.reviewer:
manager: dansimp
-ms.author: dolmont
+ms.author: dansimp
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
ms.date: 04/19/2017
---
diff --git a/windows/security/threat-protection/auditing/audit-pnp-activity.md b/windows/security/threat-protection/auditing/audit-pnp-activity.md
index cc7a689b7c..6e2ce1aa93 100644
--- a/windows/security/threat-protection/auditing/audit-pnp-activity.md
+++ b/windows/security/threat-protection/auditing/audit-pnp-activity.md
@@ -4,13 +4,13 @@ description: This topic for the IT professional describes the advanced security
ms.assetid: A3D87B3B-EBBE-442A-953B-9EB75A5F600E
ms.reviewer:
manager: dansimp
-ms.author: dolmont
+ms.author: dansimp
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
ms.date: 04/19/2017
---
diff --git a/windows/security/threat-protection/auditing/audit-process-creation.md b/windows/security/threat-protection/auditing/audit-process-creation.md
index 0868fa7fe7..8532644095 100644
--- a/windows/security/threat-protection/auditing/audit-process-creation.md
+++ b/windows/security/threat-protection/auditing/audit-process-creation.md
@@ -4,13 +4,13 @@ description: This topic for the IT professional describes the Advanced Security
ms.assetid: 67e39fcd-ded6-45e8-b1b6-d411e4e93019
ms.reviewer:
manager: dansimp
-ms.author: dolmont
+ms.author: dansimp
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
ms.date: 04/19/2017
---
diff --git a/windows/security/threat-protection/auditing/audit-process-termination.md b/windows/security/threat-protection/auditing/audit-process-termination.md
index 5bf90b6f6a..3943542ccf 100644
--- a/windows/security/threat-protection/auditing/audit-process-termination.md
+++ b/windows/security/threat-protection/auditing/audit-process-termination.md
@@ -4,13 +4,13 @@ description: This topic for the IT professional describes the Advanced Security
ms.assetid: 65d88e53-14aa-48a4-812b-557cebbf9e50
ms.reviewer:
manager: dansimp
-ms.author: dolmont
+ms.author: dansimp
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
ms.date: 04/19/2017
---
diff --git a/windows/security/threat-protection/auditing/audit-registry.md b/windows/security/threat-protection/auditing/audit-registry.md
index 4db7d65686..fe4cd66839 100644
--- a/windows/security/threat-protection/auditing/audit-registry.md
+++ b/windows/security/threat-protection/auditing/audit-registry.md
@@ -4,13 +4,13 @@ description: This topic for the IT professional describes the Advanced Security
ms.assetid: 02bcc23b-4823-46ac-b822-67beedf56b32
ms.reviewer:
manager: dansimp
-ms.author: dolmont
+ms.author: dansimp
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
ms.date: 04/19/2017
---
diff --git a/windows/security/threat-protection/auditing/audit-removable-storage.md b/windows/security/threat-protection/auditing/audit-removable-storage.md
index f35a441ef8..96314fa0bd 100644
--- a/windows/security/threat-protection/auditing/audit-removable-storage.md
+++ b/windows/security/threat-protection/auditing/audit-removable-storage.md
@@ -4,13 +4,13 @@ description: This topic for the IT professional describes the Advanced Security
ms.assetid: 1746F7B3-8B41-4661-87D8-12F734AFFB26
ms.reviewer:
manager: dansimp
-ms.author: dolmont
+ms.author: dansimp
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
ms.date: 04/19/2017
---
diff --git a/windows/security/threat-protection/auditing/audit-rpc-events.md b/windows/security/threat-protection/auditing/audit-rpc-events.md
index 1a4b0dbfbc..f35fb87e98 100644
--- a/windows/security/threat-protection/auditing/audit-rpc-events.md
+++ b/windows/security/threat-protection/auditing/audit-rpc-events.md
@@ -4,13 +4,13 @@ description: This topic for the IT professional describes the advanced security
ms.assetid: 868aec2d-93b4-4bc8-a150-941f88838ba6
ms.reviewer:
manager: dansimp
-ms.author: dolmont
+ms.author: dansimp
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
ms.date: 04/19/2017
---
diff --git a/windows/security/threat-protection/auditing/audit-sam.md b/windows/security/threat-protection/auditing/audit-sam.md
index 2a7efe94ec..31d65aafb1 100644
--- a/windows/security/threat-protection/auditing/audit-sam.md
+++ b/windows/security/threat-protection/auditing/audit-sam.md
@@ -4,13 +4,13 @@ description: This topic for the IT professional describes the Advanced Security
ms.assetid: 1d00f955-383d-4c95-bbd1-fab4a991a46e
ms.reviewer:
manager: dansimp
-ms.author: dolmont
+ms.author: dansimp
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
ms.date: 04/19/2017
---
diff --git a/windows/security/threat-protection/auditing/audit-security-group-management.md b/windows/security/threat-protection/auditing/audit-security-group-management.md
index 91aef3a375..710f45b4ae 100644
--- a/windows/security/threat-protection/auditing/audit-security-group-management.md
+++ b/windows/security/threat-protection/auditing/audit-security-group-management.md
@@ -4,13 +4,13 @@ description: This topic for the IT professional describes the advanced security
ms.assetid: ac2ee101-557b-4c84-b9fa-4fb23331f1aa
ms.reviewer:
manager: dansimp
-ms.author: dolmont
+ms.author: dansimp
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
ms.date: 02/28/2019
---
diff --git a/windows/security/threat-protection/auditing/audit-security-state-change.md b/windows/security/threat-protection/auditing/audit-security-state-change.md
index ac8fcf4c32..f002a9938a 100644
--- a/windows/security/threat-protection/auditing/audit-security-state-change.md
+++ b/windows/security/threat-protection/auditing/audit-security-state-change.md
@@ -4,13 +4,13 @@ description: This topic for the IT professional describes the Advanced Security
ms.assetid: decb3218-a67d-4efa-afc0-337c79a89a2d
ms.reviewer:
manager: dansimp
-ms.author: dolmont
+ms.author: dansimp
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
ms.date: 04/19/2017
---
diff --git a/windows/security/threat-protection/auditing/audit-security-system-extension.md b/windows/security/threat-protection/auditing/audit-security-system-extension.md
index 97c9f853c7..3d2beb88d0 100644
--- a/windows/security/threat-protection/auditing/audit-security-system-extension.md
+++ b/windows/security/threat-protection/auditing/audit-security-system-extension.md
@@ -4,13 +4,13 @@ description: This topic for the IT professional describes the Advanced Security
ms.assetid: 9f3c6bde-42b2-4a0a-b353-ed3106ebc005
ms.reviewer:
manager: dansimp
-ms.author: dolmont
+ms.author: dansimp
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
ms.date: 04/19/2017
---
diff --git a/windows/security/threat-protection/auditing/audit-sensitive-privilege-use.md b/windows/security/threat-protection/auditing/audit-sensitive-privilege-use.md
index c099b898d6..ac5edaec4a 100644
--- a/windows/security/threat-protection/auditing/audit-sensitive-privilege-use.md
+++ b/windows/security/threat-protection/auditing/audit-sensitive-privilege-use.md
@@ -4,13 +4,13 @@ description: This topic for the IT professional describes the Advanced Security
ms.assetid: 915abf50-42d2-45f6-9fd1-e7bd201b193d
ms.reviewer:
manager: dansimp
-ms.author: dolmont
+ms.author: dansimp
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
ms.date: 04/19/2017
---
diff --git a/windows/security/threat-protection/auditing/audit-special-logon.md b/windows/security/threat-protection/auditing/audit-special-logon.md
index faa994ab12..cae080c72b 100644
--- a/windows/security/threat-protection/auditing/audit-special-logon.md
+++ b/windows/security/threat-protection/auditing/audit-special-logon.md
@@ -4,13 +4,13 @@ description: This topic for the IT professional describes the Advanced Security
ms.assetid: e1501bac-1d09-4593-8ebb-f311231567d3
ms.reviewer:
manager: dansimp
-ms.author: dolmont
+ms.author: dansimp
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
ms.date: 04/19/2017
---
diff --git a/windows/security/threat-protection/auditing/audit-system-integrity.md b/windows/security/threat-protection/auditing/audit-system-integrity.md
index df2120830a..606b78493e 100644
--- a/windows/security/threat-protection/auditing/audit-system-integrity.md
+++ b/windows/security/threat-protection/auditing/audit-system-integrity.md
@@ -4,13 +4,13 @@ description: This topic for the IT professional describes the Advanced Security
ms.assetid: 942a9a7f-fa31-4067-88c7-f73978bf2034
ms.reviewer:
manager: dansimp
-ms.author: dolmont
+ms.author: dansimp
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
ms.date: 04/19/2017
---
diff --git a/windows/security/threat-protection/auditing/audit-token-right-adjusted.md b/windows/security/threat-protection/auditing/audit-token-right-adjusted.md
new file mode 100644
index 0000000000..a4fb47fef4
--- /dev/null
+++ b/windows/security/threat-protection/auditing/audit-token-right-adjusted.md
@@ -0,0 +1,27 @@
+---
+title: Audit Token Right Adjusted (Windows 10)
+description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Token Right Adjusted, which determines whether the operating system generates audit events when specific changes are made to the privileges of a token.
+---
+
+# Audit Token Right Adjusted
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+Audit Token Right Adjusted allows you to audit events generated by adjusting the privileges of a token.
+
+For more information, see [Security Monitoring: A Possible New Way to Detect Privilege Escalation](https://blogs.technet.microsoft.com/nathangau/2018/01/25/security-monitoring-a-possible-new-way-to-detect-privilege-escalation/).
+
+| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
+|-------------------|-----------------|-----------------|------------------|------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| Domain Controller | IF | No | IF | No | IF – With Success auditing for this subcategory, you can get information related to changes to the privileges of a token.Message Date Plan for change: End of service reminders for Windows 10, versions 1703 and 1803 September 13, 2019
03:23 PM PTSeptember 2019 security update available for all supported versions of Windows September 10, 2019
09:34 AM PTStatus update: Windows 10, version 1903 \"D\" optional release available August 30th August 30, 2019
08:00 AM PTFeature update install notification on Windows 10, version 1809 (the October 2018 Update) August 29, 2019
04:39 PM PTTake Action: Internet Explorer 11 now available on Windows Update/WSUS for Windows Server 2012 and Windows Embedded 8 Standard August 29, 2019
08:00 AM PTTake action: SHA-2 code signing support guidance for Windows 7 SP1 and Windows Server 2008 RS2 SP1 August 23, 2019
03:35 PM PTTake action: Windows 10, version 1703 (the Windows 10 Creators Update) reaches end of life on October 9, 2019 August 23, 2019
02:17 PM PTResolved: Delays starting Internet Explorer 11 August 16, 2019
04:00 PM PTAugust 2019 security update now available for Windows 10, version 1903 and all supported versions of Windows August 13, 2019
10:00 AM PTAdvisory: Bluetooth encryption key size vulnerability disclosed (CVE-2019-9506) August 13, 2019
10:00 AM PTAdvisory: Windows Advanced Local Procedure Call Elevation of Privilege vulnerability disclosed (CVE-2019-1162) August 13, 2019
10:00 AM PTTake action: Windows 10, version 1803 (the April 2018 Update) reaches end of service on November 12, 2019 August 13, 2019
10:00 AM PTAdvisory: Windows Kernel Information Disclosure Vulnerability (CVE-2019-1125) August 06, 2019
10:00 AM PTResolved August 1, 2019 16:00 PT: Microsoft Store users may encounter blank screens when clicking on certain buttons August 01, 2019
02:00 PM PTStatus update: Windows 10, version 1903 “D” release now available July 26, 2019
02:00 PM PTReminder: Windows 10 update servicing cadence
For more information about the Windows 10 update servicing cadence, please see the Window IT Pro blog.May 10, 2019
10:00 AM PT
The Anonymous Logon identity is different from the identity that is used by Internet Information Services (IIS) for anonymous web access. IIS uses an actual account—by default, IUSR_ *ComputerName *, for anonymous access to resources on a website. Strictly speaking, such access is not anonymous because the security principal is known even though unidentified people are using the account. IUSR_ *ComputerName * (or whatever you name the account) has a password, and IIS logs on the account when the service starts. As a result, the IIS "anonymous" user is a member of Authenticated Users but Anonymous Logon is not.|
+| S-1-5-7 | Anonymous Logon| A user who has connected to the computer without supplying a user name and password.
The Anonymous Logon identity is different from the identity that is used by Internet Information Services (IIS) for anonymous web access. IIS uses an actual account—by default, IUSR_ *ComputerName*, for anonymous access to resources on a website. Strictly speaking, such access is not anonymous because the security principal is known even though unidentified people are using the account. IUSR_ *ComputerName* (or whatever you name the account) has a password, and IIS logs on the account when the service starts. As a result, the IIS "anonymous" user is a member of Authenticated Users but Anonymous Logon is not.|
| S-1-5-8| Proxy| Does not currently apply: this SID is not used.|
| S-1-5-9 | Enterprise Domain Controllers| A group that includes all domain controllers in a forest of domains.|
| S-1-5-10 | Self| A placeholder in an ACE for a user, group, or computer object in Active Directory. When you grant permissions to Self, you grant them to the security principal that is represented by the object. During an access check, the operating system replaces the SID for Self with the SID for the security principal that is represented by the object.|
diff --git a/windows/security/identity-protection/access-control/security-principals.md b/windows/security/identity-protection/access-control/security-principals.md
index bc865d734c..111f5d902d 100644
--- a/windows/security/identity-protection/access-control/security-principals.md
+++ b/windows/security/identity-protection/access-control/security-principals.md
@@ -7,7 +7,7 @@ ms.sitesec: library
ms.pagetype: security
audience: ITPro
author: dulcemontemayor
-ms.author: dolmont
+ms.author: dansimp
manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article
diff --git a/windows/security/identity-protection/access-control/service-accounts.md b/windows/security/identity-protection/access-control/service-accounts.md
index cd289738ae..bc52668527 100644
--- a/windows/security/identity-protection/access-control/service-accounts.md
+++ b/windows/security/identity-protection/access-control/service-accounts.md
@@ -7,7 +7,7 @@ ms.sitesec: library
ms.pagetype: security
audience: ITPro
author: dulcemontemayor
-ms.author: dolmont
+ms.author: dansimp
manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article
diff --git a/windows/security/identity-protection/access-control/special-identities.md b/windows/security/identity-protection/access-control/special-identities.md
index 978d72142a..48f324427e 100644
--- a/windows/security/identity-protection/access-control/special-identities.md
+++ b/windows/security/identity-protection/access-control/special-identities.md
@@ -7,7 +7,7 @@ ms.sitesec: library
ms.pagetype: security
audience: ITPro
author: dulcemontemayor
-ms.author: dolmont
+ms.author: dansimp
manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article
@@ -255,7 +255,7 @@ The Network Service account is similar to an Authenticated User account. The Net
| Well-Known SID/RID | S-1-5-20 |
|Object Class| Foreign Security Principal|
|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\
[Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege
[Create global objects](/windows/device-security/security-policy-settings/create-global-objects): SeCreateGlobalPrivilege
[Generate security audits](/windows/device-security/security-policy-settings/generate-security-audits): SeAuditPrivilege
[Impersonate a client after authentication](/windows/device-security/security-policy-settings/impersonate-a-client-after-authentication): SeImpersonatePrivilege
[Restore files and directories](/windows/device-security/security-policy-settings/restore-files-and-directories): SeRestorePrivilege
[Replace a process level token](/windows/device-security/security-policy-settings/replace-a-process-level-token): SeAssignPrimaryTokenPrivilege
|
+|Default User Rights| [Adjust memory quotas for a process](/windows/device-security/security-policy-settings/adjust-memory-quotas-for-a-process): SeIncreaseQuotaPrivilege
[Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege
[Create global objects](/windows/device-security/security-policy-settings/create-global-objects): SeCreateGlobalPrivilege
[Generate security audits](/windows/device-security/security-policy-settings/generate-security-audits): SeAuditPrivilege
[Impersonate a client after authentication](/windows/device-security/security-policy-settings/impersonate-a-client-after-authentication): SeImpersonatePrivilege
[Replace a process level token](/windows/device-security/security-policy-settings/replace-a-process-level-token): SeAssignPrimaryTokenPrivilege
|
## NTLM Authentication
diff --git a/windows/security/identity-protection/change-history-for-access-protection.md b/windows/security/identity-protection/change-history-for-access-protection.md
index 5244518021..954dd6020d 100644
--- a/windows/security/identity-protection/change-history-for-access-protection.md
+++ b/windows/security/identity-protection/change-history-for-access-protection.md
@@ -7,7 +7,7 @@ ms.sitesec: library
ms.pagetype: security
audience: ITPro
author: dulcemontemayor
-ms.author: dolmont
+ms.author: dansimp
manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article
diff --git a/windows/security/identity-protection/configure-s-mime.md b/windows/security/identity-protection/configure-s-mime.md
index daccf69649..8e823b08e6 100644
--- a/windows/security/identity-protection/configure-s-mime.md
+++ b/windows/security/identity-protection/configure-s-mime.md
@@ -10,7 +10,7 @@ ms.sitesec: library
ms.pagetype: security
audience: ITPro
author: dulcemontemayor
-ms.author: dolmont
+ms.author: dansimp
manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article
diff --git a/windows/security/identity-protection/credential-guard/additional-mitigations.md b/windows/security/identity-protection/credential-guard/additional-mitigations.md
index c67ea0ab51..63a6a403c2 100644
--- a/windows/security/identity-protection/credential-guard/additional-mitigations.md
+++ b/windows/security/identity-protection/credential-guard/additional-mitigations.md
@@ -8,7 +8,7 @@ ms.pagetype: security
ms.localizationpriority: medium
audience: ITPro
author: dulcemontemayor
-ms.author: dolmont
+ms.author: dansimp
manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article
@@ -71,7 +71,7 @@ Then on the devices that are running Windows Defender Credential Guard, enroll t
**Enrolling devices in a certificate**
Run the following command:
-``` syntax
+```powershell
CertReq -EnrollCredGuardCert MachineAuthentication
```
@@ -87,7 +87,7 @@ Beginning with the Windows Server 2008 R2 domain functional level, domain contro
- The [get-IssuancePolicy.ps1](#bkmk-getscript) shows all of the issuance policies that are available on the certificate authority.
From a Windows PowerShell command prompt, run the following command:
- ``` syntax
+ ```powershell
.\get-IssuancePolicy.ps1 –LinkedToGroup:All
```
@@ -96,7 +96,7 @@ Beginning with the Windows Server 2008 R2 domain functional level, domain contro
- The [set-IssuancePolicyToGroupLink.ps1](#bkmk-setscript) creates a Universal security group, creates an organizational unit, and links the issuance policy to that Universal security group.
From a Windows PowerShell command prompt, run the following command:
- ``` syntax
+ ```powershell
.\set-IssuancePolicyToGroupLink.ps1 –IssuancePolicyName:"
For more info about the available Group Policies and MDM CSPs, see the [Implement Windows Hello for Business in your organization](hello-manage-in-organization.md) topic.
-## Where is Microsoft Hello data stored?
+## Where is Windows Hello data stored?
The biometric data used to support Windows Hello is stored on the local device only. It doesn’t roam and is never sent to external devices or servers. This separation helps to stop potential attackers by providing no single collection point that an attacker could potentially compromise to steal biometric data. Additionally, even if an attacker was actually able to get the biometric data, it still can’t be easily converted to a form that could be recognized by the biometric sensor.
## Has Microsoft set any device requirements for Windows Hello?
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md
index 60e829af0c..4563787217 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md
@@ -38,7 +38,7 @@ A new Active Directory Federation Services farm should have a minimum of two fed
Prepare the Active Directory Federation Services deployment by installing and updating two Windows Server 2016 Servers. Ensure the update listed below is applied to each server before continuing.
-## Update Windows Server 2016
+## Update Windows Server 2016
Sign-in the federation server with _local admin_ equivalent credentials.
1. Ensure Windows Server 2016 is current by running **Windows Update** from **Settings**. Continue this process until no further updates are needed. If you’re not using Windows Update for updates, please advise the [Windows Server 2016 update history page](https://support.microsoft.com/help/4000825/windows-10-windows-server-2016-update-history) to make sure you have the latest updates available installed.
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-deploy-mfa.md
deleted file mode 100644
index 30b809ce8c..0000000000
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-deploy-mfa.md
+++ /dev/null
@@ -1,549 +0,0 @@
----
-title: Configure or Deploy Multifactor Authentication Services (Windows Hello for Business)
-description: How to Configure or Deploy Multifactor Authentication Services for Windows Hello for Business
-keywords: identity, PIN, biometric, Hello, passport
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
-author: mapalko
-ms.author: mapalko
-manager: dansimp
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
-ms.date: 08/19/2018
-ms.reviewer:
----
-# Configure or Deploy Multifactor Authentication Services
-
-**Applies to**
-- Windows 10, version 1703 or later
-- On-premises deployment
-- Certificate trust
-
-
-On-premises deployments must use an on-premises MFA Server that provides an AD FS Multifactor authentication adapter. It can be an Azure Multi-Factor Authentication Server or a third-party MFA solution.
-
->[!TIP]
->Please make sure you've read [Validate and Deploy Multifactor Authentication Services (MFA)](hello-cert-trust-validate-deploy-mfa.md) before proceeding any further.
-
-## Prerequisites
-
-The Azure MFA Server and User Portal servers have several prerequisites and must have connectivity to the Internet.
-
-### Primary MFA Server
-
-The Azure MFA server uses a primary and secondary replication model for its configuration database. The primary Azure MFA server hosts the writable partition of the configuration database. All secondary Azure MFA servers hosts read-only partitions of the configuration database. All production environment should deploy a minimum of two MFA Servers.
-
-For this documentation, the primary MFA uses the name **mf*a*** or **mfa.corp.contoso.com**. All secondary servers use the name **mfa*n*** or **mfa*n*.corp.contoso.com**, where *n* is the number of the deployed MFA server.
-
-The primary MFA server is also responsible for synchronizing from Active Directory. Therefore, the primary MFA server should be domain joined and fully patched.
-
-#### Enroll for Server Authentication
-
-The communication between the primary MFA server, secondary MFA servers, User Portal servers, and the client is protected using TLS, which needs a server authentication certificate.
-
-Sign-in the primary MFA server with _domain admin_ equivalent credentials.
-1. Start the Local Computer **Certificate Manager** (certlm.msc).
-2. Expand the **Personal** node in the navigation pane.
-3. Right-click **Personal**. Select **All Tasks** and **Request New Certificate**.
-4. Click **Next** on the **Before You Begin** page.
-5. Click **Next** on the **Select Certificate Enrollment Policy** page.
-6. On the **Request Certificates** page, Select the **Internal Web Server** check box.
-7. Click the **More information is required to enroll for this certificate. Click here to configure settings** link.
-8. Under **Subject name**, select **Common Name** from the **Type** list. Type the FQDN of the primary MFA server and then click **Add** (mfa.corp.contoso.com). Click **Add**. Click **OK** when finished.
-9. Click **Enroll**.
-
-A server authentication certificate should appear in the computer’s Personal certificate store.
-
-#### Install the Web Server Role
-
-The Azure MFA server does not require the Web Server role, however, User Portal and the optional Mobile Application server communicate with the MFA server database using the MFA Web Services SDK. The MFA Web Services SDK uses the Web Server role.
-
-To install the Web Server (IIS) role, please follow [Installing IIS 7 on Windows Server 2008 or Windows Server 2008 R2](https://docs.microsoft.com/iis/install/installing-iis-7/installing-iis-7-and-above-on-windows-server-2008-or-windows-server-2008-r2) or [Installing IIS 8.5 on Windows Server 2012 R2](https://docs.microsoft.com/iis/install/installing-iis-85/installing-iis-85-on-windows-server-2012-r2) depending on the host Operating System you're going to use.
-
-The following services are required:
-* Common Parameters > Default Document.
-* Common Parameters > Directory Browsing.
-* Common Parameters > HTTP Errors.
-* Common Parameters > Static Content.
-* Health and Diagnostics > HTTP Logging.
-* Performance > Static Content Compression.
-* Security > Request Filtering.
-* Security > Basic Authentication.
-* Management Tools > IIS Management Console.
-* Management Tools > IIS 6 Management Compatibility.
-* Application Development > ASP.NET 4.5.
-
-#### Update the Server
-
-Update the server using Windows Update until the server has no required or optional updates as the Azure MFA Server software may require one or more of these updates for the installation and software to correctly work. These procedures install additional components that may need to be updated.
-
-#### Configure the IIS Server Certificate
-
-The TLS protocol protects all the communication to and from the MFA server. To enable this protection, you must configure the default web site to use the previously enrolled server authentication certificate.
-
-Sign in the primary MFA server with _administrator_ equivalent credentials.
-1. From **Administrators**, Start the **Internet Information Services (IIS) Manager** console
-2. In the navigation pane, expand the node with the same name as the local computer. Expand **Settings** and select **Default Web Site**.
-3. In the **Actions** pane, click **Bindings**.
-4. In the **Site Bindings** dialog, Click **Add**.
-5. In the **Add Site Binding** dialog, select **https** from the **Type** list. In the **SSL certificate** list, select the certificate with the name that matches the FQDN of the computer.
-6. Click **OK**. Click **Close**. From the **Action** pane, click **Restart**.
-
-#### Configure the Web Service’s Security
-
-The Azure MFA Server service runs in the security context of the Local System. The MFA User Portal gets its user and configuration information from the Azure MFA server using the MFA Web Services. Access control to the information is gated by membership to the **Phonefactor Admins** security group. You need to configure the Web Service’s security to ensure the User Portal and the Mobile Application servers can securely communicate to the Azure MFA Server. Also, all User Portal server administrators must be included in the **Phonefactor Admins** security group.
-
-Sign in the domain controller with _domain administrator_ equivalent credentials.
-
-##### Create Phonefactor Admin group
-
-1. Open **Active Directory Users and Computers**
-2. In the navigation pane, expand the node with the organization’s Active Directory domain name. Right-click the **Users** container, select **New**, and select **Group**.
-3. In the **New Object – Group** dialog box, type **Phonefactor Admins** in Group name.
-4. Click **OK**.
-
-##### Add accounts to the Phonefactor Admins group
-
-1. Open **Active Directory Users and Computers**.
-2. In the navigation pane, expand the node with the organization’s Active Directory domain name. Select Users. In the content pane. Right-click the **Phonefactor Admins** security group and select **Properties**.
-3. Click the **Members** tab.
-4. Click **Add**. Click **Object Types..** In the **Object Types** dialog box, select **Computers** and click **OK**. Enter the following user and/or computers accounts in the **Enter the object names to select** box and then click **OK**.
- * The computer account for the primary MFA Server
- * Group or user account that will manage the User Portal server.
-
-
-#### Review
-
-Before you continue with the deployment, validate your deployment progress by reviewing the following items:
-
-* Confirm the hosts of the MFA service has enrolled a server authentication certificate with the proper names.
- * Record the expiration date of the certificate and set a renewal reminder at least six weeks before it expires that includes the:
- * Certificate serial number
- * Certificate thumbprint
- * Common name of the certificate
- * Subject alternate name of the certificate
- * Name of the physical host server
- * The issued date
- * The expiration date
- * Issuing CA Vendor (if a third-party certificate)
-
-* Confirm the Web Services Role was installed with the correct configuration (including Basic Authentication, ASP.NET 4.5, etc).
-* Confirm the host has all the available updates from Windows Update.
-* Confirm you bound the server authentication certificate to the IIS web site.
-* Confirm you created the Phonefactor Admins group.
-* Confirm you added the computer account hosting the MFA service to the Phonefactor Admins group and any user account who are responsible for administrating the MFA server or User Portal.
-
-### User Portal Server
-
-The User Portal is an IIS Internet Information Server web site that allows users to enroll in Multi-Factor Authentication and maintain their accounts. A user may change their phone number, change their PIN, or bypass Multi-Factor Authentication during their next sign on. Users will log in to the User Portal using their normal username and password and will either complete a Multi-Factor Authentication call or answer security questions to complete their authentication. If user enrollment is allowed, a user will configure their phone number and PIN the first time they log in to the User Portal. User Portal Administrators may be set up and granted permission to add new users and update existing users.
-
-The User Portal web site uses the user database that is synchronized across the MFA Servers, which enables a design to support multiple web servers for the User Portal and those servers can support internal and external customers. While the user portal web site can be installed directly on the MFA server, it is recommended to install the User Portal on a server separate from the MFA Server to protect the MFA user database, as a layered, defense-in-depth security design.
-
-#### Enroll for Server Authentication
-
-Internal and external users use the User Portal to manage their multifactor authentication settings. To protect this communication, you need to enroll all User Portal servers with a server authentication certificate. You can use an enterprise certificate to protect communication to internal User Portal servers.
-
-For external User Portal servers, it is typical to request a server authentication certificate from a public certificate authority. Contact a public certificate authority for more information on requesting a certificate for public use. Follow the procedures below to enroll an enterprise certificate on your User Portal server.
-
-Sign-in the User Portal server with _domain admin_ equivalent credentials.
-1. Start the Local Computer **Certificate Manager** (certlm.msc).
-2. Expand the **Personal** node in the navigation pane.
-3. Right-click **Personal**. Select **All Tasks** and **Request New Certificate**.
-4. Click **Next** on the **Before You Begin** page.
-5. Click **Next** on the **Select Certificate Enrollment Policy** page.
-6. On the **Request Certificates** page, Select the **Internal Web Server** check box.
-7. Click the **More information is required to enroll for this certificate. Click here to configure settings** link.
-8. Under **Subject name**, select **Common Name** from the **Type** list. Type the FQDN of the primary MFA server and then click **Add** (app1.corp.contoso.com).
-9. Under **Alternative name**, select **DNS** from the **Type** list. Type the FQDN of the name you will use for your User Portal service (mfaweb.corp.contoso.com).
-10. Click **Add**. Click **OK** when finished.
-11. Click **Enroll**.
-
-A server authentication certificate should appear in the computer’s Personal certificate store.
-
-#### Install the Web Server Role
-
-To do this, please follow the instructions mentioned in the previous [Install the Web Server Role](#install-the-web-server-role) section. However, do **not** install Security > Basic Authentication. The user portal server does not require this.
-
-#### Update the Server
-
-Update the server using Windows Update until the server has no required or optional updates as the Azure MFA Server software may require one or more of these updates for the installation and software to correctly work. These procedures install additional components that may need to be updated.
-
-#### Set the IIS Server Certificate
-
-To do this, please follow the instructions mentioned in the previous [Configure the IIS Server’s Certificate](#configure-the-iis-server-certificate) section.
-
-#### Create WebServices SDK user account
-
-The User Portal and Mobile Application web services need to communicate with the configuration database hosted on the primary MFA server. These services use a user account to communicate to authenticate to the primary MFA server. You can think of the WebServices SDK account as a service account used by other servers to access the WebServices SDK on the primary MFA server.
-
-1. Open **Active Directory Users and Computers**.
-2. In the navigation pane, expand the node with the organization’s Active Directory domain name. Right-click the **Users** container, select **New**, and select **User**.
-3. In the **New Object – User** dialog box, type **PFWSDK_\The AIK certificate is no longer valid
Sign out and then sign in again.
-
- 0x801C044D
+
+
+0x801C03F2
+Windows Hello key registration failed.
+ERROR_BAD_DIRECTORY_REQUEST. Another object with the same value for property proxyAddresses already exists. To resolve the issue refer to Duplicate Attributes Prevent Dirsync.
+
+
-0x801C044D
Unable to obtain user token
Sign out and then sign in again. Check network and credentials.
+
+ 0x801C044E
Failed to receive user creds input
Sign out and then sign in again.
diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.md b/windows/security/identity-protection/hello-for-business/hello-faq.md
index d1ba25aae2..0cfbf47cc6 100644
--- a/windows/security/identity-protection/hello-for-business/hello-faq.md
+++ b/windows/security/identity-protection/hello-for-business/hello-faq.md
@@ -22,7 +22,7 @@ ms.reviewer:
- Windows 10
## What about virtual smart cards?
-Windows Hello for Business is the modern, two-factor credential for Windows 10. Microsoft will be deprecating virtual smart cards in the future but not date at this time. Customers using Windows 10 and virtual smart cards should move to Windows Hello for Business. Microsoft will publish the date early to ensure customers have adequate lead time to move to Windows Hello for Business. Microsoft recommends new Windows 10 deployments to use Windows Hello for Business. Virtual smart card remain supported for Windows 7 and Windows 8.
+Windows Hello for Business is the modern, two-factor credential for Windows 10. Microsoft will be deprecating virtual smart cards in the future, but no date is set at this time. Customers using Windows 10 and virtual smart cards should move to Windows Hello for Business. Microsoft will publish the date early to ensure customers have adequate lead time to move to Windows Hello for Business. Microsoft recommends new Windows 10 deployments to use Windows Hello for Business. Virtual smart card remain supported for Windows 7 and Windows 8.
## What about convenience PIN?
Microsoft is committed to its vision of a world without passwords. We recognize the *convenience* provided by convenience PIN, but it stills uses a password for authentication. Microsoft recommends customers using Windows 10 and convenience PINs should move to Windows Hello for Business. New Windows 10 deployments should deploy Windows Hello for Business and not convenience PINs. Microsoft will be deprecating convenience PINs in the future and will publish the date early to ensure customers have adequate lead time to deploy Windows Hello for Business.
@@ -45,7 +45,7 @@ The statement "PIN is stronger than Password" is not directed at the strength of
The **Key Admins** and **Enterprise Key Admins** groups are created when you install the first Windows Server 2016 domain controller into a domain. Domain controllers running previous versions of Windows Server cannot translate the security identifier (SID) to a name. To resolve this, transfer the PDC emulator domain role to a domain controller running Windows Server 2016.
## Can I use a convenience PIN with Azure AD?
-It is currently possible to set a convience PIN on Azure Active Directory Joined or Hybrid Active Directory Joined devices. Convience PIN is not supported for Azure Active Directory user accounts. It is only supported for on-premises only Domain Joined users and local account users.
+It is currently possible to set a convenience PIN on Azure Active Directory Joined or Hybrid Active Directory Joined devices. Convenience PIN is not supported for Azure Active Directory user accounts. It is only supported for on-premises only Domain Joined users and local account users.
## Can I use an external camera when my laptop is closed or docked?
No. Windows 10 currently only supports one Windows Hello for Business camera and does not fluidly switch to an external camera when the computer is docked with the lid closed. The product group is aware of this and is investigating this topic further.
@@ -80,7 +80,7 @@ If your environment uses Microsoft Intune, you need these additional URLs:
- portal.manage.microsoft.com
## What is the difference between non-destructive and destructive PIN reset?
-Windows Hello for Business has two types of PIN reset: non-destructive and destructive. Organizations running Windows 10 Enterprise and Azure Active Directory can take advantage of the Microsoft PIN Reset service. Once on-boarded to a tenant and deployed to computers, users who have forgotten their PINs can authenticate to Azure, provided a second factor of authentication, and reset their PIN without re-provisioning a new Windows Hello for Business enrollment. This is a non-destructive PIN reset because the user does not delete the current credential and obtain a new one. Read [PIN Reset](hello-features.md#pin-reset) from our [Windows Hello for Business Features](hello-features.md) page for more information.
+Windows Hello for Business has two types of PIN reset: non-destructive and destructive. Organizations running Windows 10 Enterprise and Azure Active Directory can take advantage of the Microsoft PIN Reset service. Once on-boarded to a tenant and deployed to computers, users who have forgotten their PINs can authenticate to Azure, provided a second factor of authentication, and reset their PIN without re-provisioning a new Windows Hello for Business enrollment. This is a non-destructive PIN reset because the user does not delete the current credential and obtain a new one. Read [PIN Reset](hello-feature-pin-reset.md) page for more information.
Organizations that have the on-premises deployment of Windows Hello for Business, or those not using Windows 10 Enterprise can use destructive PIN reset. with destructive PIN reset, users that have forgotten their PIN can authenticate using their password, perform a second factor of authentication to re-provision their Windows Hello for Business credential. Re-provisioning deletes the old credential and requests a new credential and certificate. On-premises deployments need network connectivity to their domain controllers, Active Directory Federation Services, and their issuing certificate authority to perform a destructive PIN reset. Also, for hybrid deployments, destructive PIN reset is only supported with the certificate trust model and the latest updates to Active Directory Federation Services.
diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-conditional-access.md b/windows/security/identity-protection/hello-for-business/hello-feature-conditional-access.md
new file mode 100644
index 0000000000..4b08f7b6f1
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-conditional-access.md
@@ -0,0 +1,45 @@
+---
+title: Conditional Access
+description: Conditional Access
+keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, cert-trust, device, registration, unlock, conditional access
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security, mobile
+audience: ITPro
+author: mapalko
+ms.author: mapalko
+manager: dansimp
+ms.collection: M365-identity-device-management
+ms.topic: article
+localizationpriority: medium
+ms.date: 09/09/2019
+ms.reviewer:
+---
+
+# Conditional access
+
+**Requirements:**
+
+* Azure Active Directory
+* Hybrid Windows Hello for Business deployment
+
+In a mobile-first, cloud-first world, Azure Active Directory enables single sign-on to devices, applications, and services from anywhere. With the proliferation of devices (including BYOD), work off corporate networks, and 3rd party SaaS applications, IT professionals are faced with two opposing goals:
+
+* Empower the end users to be productive wherever and whenever
+* Protect the corporate assets at any time
+
+To improve productivity, Azure Active Directory provides your users with a broad range of options to access your corporate assets. With application access management, Azure Active Directory enables you to ensure that only the right people can access your applications. What if you want to have more control over how the right people are accessing your resources under certain conditions? What if you even have conditions under which you want to block access to certain applications even for the right people? For example, it might be OK for you if the right people are accessing certain applications from a trusted network; however, you might not want them to access these applications from a network you don't trust. You can address these questions using conditional access.
+
+Read [Conditional access in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-conditional-access-azure-portal) to learn more about Conditional Access. Afterwards, read [Getting started with conditional access in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-conditional-access-azure-portal-get-started) to start deploying Conditional access.
+
+## Related topics
+
+* [Windows Hello for Business](hello-identity-verification.md)
+* [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md)
+* [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md)
+* [Prepare people to use Windows Hello](hello-prepare-people-to-use.md)
+* [Windows Hello and password changes](hello-and-password-changes.md)
+* [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md)
+* [Event ID 300 - Windows Hello successfully created](hello-event-300.md)
+* [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md b/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md
new file mode 100644
index 0000000000..1db3c21e10
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md
@@ -0,0 +1,90 @@
+---
+title: Dual Enrollment
+description: Dual Enrollment
+keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, cert-trust, device, registration, unlock, dual enrollment,
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security, mobile
+audience: ITPro
+author: mapalko
+ms.author: mapalko
+manager: dansimp
+ms.collection: M365-identity-device-management
+ms.topic: article
+localizationpriority: medium
+ms.date: 09/09/2019
+ms.reviewer:
+---
+
+# Dual Enrollment
+
+**Requirements**
+
+* Hybrid and On-premises Windows Hello for Business deployments
+* Enterprise Joined or Hybrid Azure joined devices
+* Windows 10, version 1709
+
+> [!NOTE]
+> This feature was previously known as **Privileged Credential** but was renamed to **Dual Enrollment** to prevent any confusion with the **Privileged Access Workstation** feature.
+
+> [!IMPORTANT]
+> Dual enrollment does not replace or provide the same security as Privileged Access Workstations feature. Microsoft encourages enterprises to use the Privileged Access Workstations for their privileged credential users. Enterprises can consider Windows Hello for Business dual enrollment in situations where the Privileged Access feature cannot be used. Read [Privileged Access Workstations](https://docs.microsoft.com/windows-server/identity/securing-privileged-access/privileged-access-workstations) for more information.
+
+Dual enrollment enables administrators to perform elevated, administrative functions by enrolling both their non-privileged and privileged credentials on their device.
+
+By design, Windows 10 does not enumerate all Windows Hello for Business users from within a user's session. Using the computer Group Policy setting, **Allow enumeration of emulated smart card for all users**, you can configure a device to enumerate all enrolled Windows Hello for Business credentials on selected devices.
+
+With this setting, administrative users can sign-in to Windows 10, version 1709 using their non-privileged Windows Hello for Business credentials for normal work flow such as email, but can launch Microsoft Management Consoles (MMCs), Remote Desktop Services clients, and other applications by selecting **Run as different user** or **Run as administrator**, selecting the privileged user account, and providing their PIN. Administrators can also take advantage of this feature with command line applications by using **runas.exe** combined with the **/smartcard** argument. This enables administrators to perform their day-to-day operations without needing to sign-in and out, or use fast user switching when alternating between privileged and non-privileged workloads.
+
+> [!IMPORTANT]
+> You must configure a Windows 10 computer for Windows Hello for Business dual enrollment before either user (privileged or non-privileged) provisions Windows Hello for Business. Dual enrollment is a special setting that is configured on the Windows Hello container during creation.
+
+## Configure Windows Hello for Business Dual Enrollment
+
+In this task you will
+
+* Configure Active Directory to support Domain Administrator enrollment
+* Configure Dual Enrollment using Group Policy
+
+### Configure Active Directory to support Domain Administrator enrollment
+
+The designed Windows for Business configuration has you give the **Key Admins** (or **KeyCredential Admins** when using domain controllers prior to Windows Server 2016) group read and write permissions to the msDS-KeyCredentialsLink attribute. You provided these permissions at root of the domain and use object inheritance to ensure the permissions apply to all users in the domain regardless of their location within the domain hierarchy.
+
+Active Directory Domain Services uses AdminSDHolder to secure privileged users and groups from unintentional modification by comparing and replacing the security on privileged users and groups to match those defined on the AdminSDHolder object on an hourly cycle. For Windows Hello for Business, your domain administrator account may receive the permissions but will they will disappear from the user object unless you give the AdminSDHolder read and write permissions to the msDS-KeyCredential attribute.
+
+Sign-in to a domain controller or management workstation with access equivalent to _domain administrator_.
+
+1. Type the following command to add the **allow** read and write property permissions for msDS-KeyCredentialLink attribute for the **Key Admins** (or **KeyCredential Admins**) group on the AdminSDHolder object.
+```dsacls "CN=AdminSDHolder,CN=System,DC=domain,DC=com" /g "[domainName\keyAdminGroup]":RPWP;msDS-KeyCredentialLink```
+where **DC=domain,DC=com** is the LDAP path of your Active Directory domain and **domainName\keyAdminGroup]** is the NetBIOS name of your domain and the name of the group you use to give access to keys based on your deployment. For example:
+```dsacls "CN=AdminSDHolder,CN=System,DC=corp,DC=mstepdemo,DC=net" /g "mstepdemo\Key Admins":RPWP;msDS-KeyCredentialLink```
+2. To trigger security descriptor propagation, open **ldp.exe**.
+3. Click **Connection** and select **Connect...** Next to **Server**, type the name of the domain controller that holds the PDC role for the domain. Next to **Port**, type **389** and click **OK**.
+4. Click **Connection** and select **Bind...** Click **OK** to bind as the currently signed-in user.
+5. Click **Browser** and select **Modify**. Leave the **DN** text box blank. Next to **Attribute**, type **RunProtectAdminGroupsTask**. Next to **Values**, type **1**. Click **Enter** to add this to the **Entry List**.
+6. Click **Run** to start the task.
+7. Close LDP.
+
+### Configuring Dual Enrollment using Group Policy
+
+You configure Windows 10 to support dual enrollment using the computer configuration portion of a Group Policy object.
+
+1. Using the Group Policy Management Console (GPMC), create a new domain-based Group Policy object and link it to an organizational Unit that contains Active Directory computer objects used by privileged users.
+2. Edit the Group Policy object from step 1.
+3. Enable the **Allow enumeration of emulated smart cards for all users** policy setting located under **Computer Configuration->Administrative Templates->Windows Components->Windows Hello for Business**.
+4. Close the Group Policy Management Editor to save the Group Policy object. Close the GPMC.
+5. Restart computers targeted by this Group Policy object.
+
+The computer is ready for dual enrollment. Sign-in as the privileged user first and enroll for Windows Hello for Business. Once completed, sign-out and sign-in as the non-privileged user and enroll for Windows Hello for Business. You can now use your privileged credential to perform privileged tasks without using your password and without needing to switch users.
+
+## Related topics
+
+* [Windows Hello for Business](hello-identity-verification.md)
+* [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md)
+* [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md)
+* [Prepare people to use Windows Hello](hello-prepare-people-to-use.md)
+* [Windows Hello and password changes](hello-and-password-changes.md)
+* [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md)
+* [Event ID 300 - Windows Hello successfully created](hello-event-300.md)
+* [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md b/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md
new file mode 100644
index 0000000000..62304559ae
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md
@@ -0,0 +1,68 @@
+---
+title: Conditional Access
+description: Conditional Access
+keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, cert-trust, device, registration, unlock, conditional access
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security, mobile
+audience: ITPro
+author: mapalko
+ms.author: mapalko
+manager: dansimp
+ms.collection: M365-identity-device-management
+ms.topic: article
+localizationpriority: medium
+ms.date: 09/09/2019
+ms.reviewer:
+---
+
+# Dynamic lock
+
+**Requirements:**
+
+* Windows 10, version 1703
+
+Dynamic lock enables you to configure Windows 10 devices to automatically lock when Bluetooth paired device signal falls below the maximum Received Signal Strength Indicator (RSSI) value. You configure the dynamic lock policy using Group Policy. You can locate the policy setting at **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business**. The name of the policy is **Configure dynamic lock factors**.
+
+The Group Policy Editor, when the policy is enabled, creates a default signal rule policy with the following value:
+
+```
+
+
+3. In the Azure portal, you can verify that the Microsoft PIN reset service is integrated from the **Enterprise applications** blade. Filter to application status "Enabled" and both Microsoft Pin Reset Service Production and Microsoft Pin Reset Client Production will show up in your tenant.
+
+
+### Configure Windows devices to use PIN reset using Group Policy
+
+You configure Windows 10 to use the Microsoft PIN Reset service using the computer configuration portion of a Group Policy object.
+
+1. Using the Group Policy Management Console (GPMC), scope a domain-based Group Policy to computer accounts in Active Directory.
+2. Edit the Group Policy object from step 1.
+3. Enable the **Use PIN Recovery** policy setting located under **Computer Configuration->Administrative Templates->Windows Components->Windows Hello for Business**.
+4. Close the Group Policy Management Editor to save the Group Policy object. Close the GPMC.
+
+### Configure Windows devices to use PIN reset using Microsoft Intune
+
+To configure PIN reset on Windows devices you manage, use an [Intune Windows 10 custom device policy](https://docs.microsoft.com/intune/custom-settings-windows-10) to enable the feature. Configure the policy using the following Windows policy configuration service provider (CSP):
+
+#### Create a PIN Reset Device configuration profile using Microsoft Intune
+
+1. Sign-in to [Azure Portal](https://portal.azure.com) using a tenant administrator account.
+2. You need your tenant ID to complete the following task. You can discovery your tenant ID viewing the **Properties** of your Azure Active Directory from the Azure Portal. It will be listed under Directory ID. You can also use the following command in a command Window on any Azure AD joined or hybrid Azure AD joined computer.
+
+ ```
+ dsregcmd /status | findstr -snip "tenantid"
+ ```
+
+1. Navigate to the Microsoft Intune blade. Click **Device configuration**. Click **Profiles**. Click **Create profile**.
+1. Type **Use PIN Recovery** in the **Name** field. Select **Windows 10 and later** from the **Platform** list. Select **Custom** from the **Profile type** list.
+1. In the **Custom OMA-URI Settings** blade, Click **Add**.
+1. In the **Add Row** blade, type **PIN Reset Settings** in the **Name** field. In the **OMA-URI** field, type **./Device/Vendor/MSFT/PassportForWork/*tenant ID*/Policies/EnablePinRecovery** where *tenant ID* is your Azure Active Directory tenant ID from step 2.
+1. Select **Boolean** from the **Data type** list and select **True** from the **Value** list.
+1. Click **OK** to save the row configuration. Click **OK** to close the Custom OMA-URI Settings blade. Click **Create to save the profile.
+
+#### Assign the PIN Reset Device configuration profile using Microsoft Intune
+
+1. Sign-in to [Azure Portal](https://portal.azure.com) using a tenant administrator account.
+2. Navigate to the Microsoft Intune blade. Click **Device configuration**. Click **Profiles**. From the list of device configuration profiles, click the profile that contains the PIN reset configuration.
+3. In the device configuration profile, click **Assignments**.
+4. Use the **Include** and/or **Exclude** tabs to target the device configuration profile to select groups.
+
+## On-premises Deployments
+
+**Requirements**
+
+* Active Directory
+* On-premises Windows Hello for Business deployment
+* Reset from settings - Windows 10, version 1703, Professional
+* Reset above Lock - Windows 10, version 1709, Professional
+
+On-premises deployments provide users with the ability to reset forgotten PINs either through the settings page or from above the user's lock screen. Users must know or be provided their password for authentication, must perform a second factor of authentication, and then re-provision Windows Hello for Business.
+
+>[!IMPORTANT]
+>Users must have corporate network connectivity to domain controllers and the federation service to reset their PINs.
+
+### Reset PIN from Settings
+
+1. Sign-in to Windows 10, version 1703 or later using an alternate credential.
+2. Open **Settings**, click **Accounts**, click **Sign-in options**.
+3. Under **PIN**, click **I forgot my PIN** and follow the instructions.
+
+#### Reset PIN above the Lock Screen
+
+ 1. On Windows 10, version 1709, click **I forgot my PIN** from the Windows Sign-in
+ 2. Enter your password and press enter.
+ 3. Follow the instructions provided by the provisioning process
+ 4. When finished, unlock your desktop using your newly created PIN.
+
+>[!NOTE]
+> Visit the [Windows Hello for Business Videos](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-videos.md) page and watch the [Windows Hello for Business forgotten PIN user experience](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-videos#windows-hello-for-business-forgotten-pin-user-experience) video.
+
+## Related topics
+
+- [Windows Hello for Business](hello-identity-verification.md)
+- [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md)
+- [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md)
+- [Prepare people to use Windows Hello](hello-prepare-people-to-use.md)
+- [Windows Hello and password changes](hello-and-password-changes.md)
+- [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md)
+- [Event ID 300 - Windows Hello successfully created](hello-event-300.md)
+- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md b/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md
new file mode 100644
index 0000000000..981587e970
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md
@@ -0,0 +1,74 @@
+---
+title: Remote Desktop
+description: Remote Desktop
+keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, cert-trust, device, registration, unlock, remote desktop, RDP
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security, mobile
+audience: ITPro
+author: mapalko
+ms.author: mapalko
+manager: dansimp
+ms.collection: M365-identity-device-management
+ms.topic: article
+localizationpriority: medium
+ms.date: 09/09/2019
+ms.reviewer:
+---
+
+# Remote Desktop
+
+**Requirements**
+
+- Windows 10
+- Certificate trust deployments
+- Hybrid and On-premises Windows Hello for Business deployments
+- Azure AD joined, Hybrid Azure AD joined, and Enterprise joined devices
+- Certificate trust deployments
+
+Windows Hello for Business supports using a certificate deployed to a WHFB container to a remote desktop to a server or another device. This functionality is not supported for key trust deployments. This feature takes advantage of the redirected smart card capabilities of the remote desktop protocol.
+
+Microsoft continues to investigate supporting this feature for key trust deployments in a future release.
+
+## Remote Desktop with Biometrics
+
+**Requirements**
+
+- Hybrid and On-premises Windows Hello for Business deployments
+- Azure AD joined, Hybrid Azure AD joined, and Enterprise joined devices
+- Certificate trust deployments
+- Biometric enrollments
+- Windows 10, version 1809
+
+Users using earlier versions of Windows 10 could remote desktop to using Windows Hello for Business but were limited to the using their PIN as their authentication gesture. Windows 10, version 1809 introduces the ability for users to authenticate to a remote desktop session using their Windows Hello for Business biometric gesture. The feature is on by default, so your users can take advantage of it as soon as they upgrade to Windows 10, version 1809.
+
+### How does it work
+
+Windows generates and stores cryptographic keys using a software component called a key storage provider (KSP). Software-based keys are created and stored using the Microsoft Software Key Storage Provider. Smart card keys are created and stored using the Microsoft Smart Card Key Storage Provider. Keys created and protected by Windows Hello for Business are created and stored using the Microsoft Passport Key Storage Provider.
+
+A certificate on a smart card starts with creating an asymmetric key pair using the Microsoft Smart Card KSP. Windows requests a certificate based on the key pair from your enterprises issuing certificate authority, which returns a certificate that is stored in the user's Personal certificate store. The private key remains on the smart card and the public key is stored with the certificate. Metadata on the certificate (and the key) store the key storage provider used to create the key (remember the certificate contains the public key).
+
+This same concept applies to Windows Hello for Business. Except, the keys are created using the Microsoft Passport KSP and the user's private key remains protected by the device's security module (TPM) and the user's gesture (PIN/biometric). The certificate APIs hide this complexity. When an application uses a certificate, the certificate APIs locate the keys using the saved key storage provider. The key storage providers directs the certificate APIs on which provider they use to find the private key associated with the certificate. This is how Windows knows you have a smart card certificate without the smart card inserted (and prompts you to insert the smart card).
+
+Windows Hello for Business emulates a smart card for application compatibility. Versions of Windows 10 prior to version 1809, would redirect private key access for Windows Hello for Business certificate to use its emulated smart card using the Microsoft Smart Card KSP, which would enable the user to provide their PIN. Windows 10, version 1809 no longer redirects private key access for Windows Hello for Business certificates to the Microsoft Smart Card KSP-- it continues using the Microsoft Passport KSP. The Microsoft Passport KSP enabled Windows 10 to prompt the user for their biometric gesture or PIN.
+
+### Compatibility
+
+Users appreciate convenience of biometrics and administrators value the security however, you may experience compatibility issues with your applications and Windows Hello for Business certificates. You can relax knowing a Group Policy setting and a [MDM URI](https://docs.microsoft.com/windows/client-management/mdm/passportforwork-csp) exist to help you revert to the previous behavior for those users who need it.
+
+
+
+> [!IMPORTANT]
+> The remote desktop with biometric feature does not work with [Dual Enrollment](hello-feature-dual-enrollment.md) feature or scenarios where the user provides alternative credentials. Microsoft continues to investigate supporting the feature.
+
+## Related topics
+
+- [Windows Hello for Business](hello-identity-verification.md)
+- [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md)
+- [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md)
+- [Prepare people to use Windows Hello](hello-prepare-people-to-use.md)
+- [Windows Hello and password changes](hello-and-password-changes.md)
+- [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md)
+- [Event ID 300 - Windows Hello successfully created](hello-event-300.md)
+- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-features.md b/windows/security/identity-protection/hello-for-business/hello-features.md
index 1a029f2dc9..83a4dc444e 100644
--- a/windows/security/identity-protection/hello-for-business/hello-features.md
+++ b/windows/security/identity-protection/hello-for-business/hello-features.md
@@ -20,247 +20,17 @@ ms.date: 05/05/2018
# Windows Hello for Business Features
**Applies to:**
-- Windows 10
-Consider these additional features you can use after your organization deploys Windows Hello for Business.
+- Windows 10
-- [Conditional access](#conditional-access)
-- [Dynamic lock](#dynamic-lock)
-- [PIN reset](#pin-reset)
-- [Dual Enrollment](#dual-enrollment)
-- [Remote Desktop with Biometrics](#remote-desktop-with-biometrics)
+Consider these additional features you can use after your organization deploys Windows Hello for Business.
-## Conditional access
-
-**Requirements:**
-* Azure Active Directory
-* Hybrid Windows Hello for Business deployment
-
-
-In a mobile-first, cloud-first world, Azure Active Directory enables single sign-on to devices, applications, and services from anywhere. With the proliferation of devices (including BYOD), work off corporate networks, and 3rd party SaaS applications, IT professionals are faced with two opposing goals:+
-* Empower the end users to be productive wherever and whenever
-* Protect the corporate assets at any time
-
-To improve productivity, Azure Active Directory provides your users with a broad range of options to access your corporate assets. With application access management, Azure Active Directory enables you to ensure that only the right people can access your applications. What if you want to have more control over how the right people are accessing your resources under certain conditions? What if you even have conditions under which you want to block access to certain applications even for the right people? For example, it might be OK for you if the right people are accessing certain applications from a trusted network; however, you might not want them to access these applications from a network you don't trust. You can address these questions using conditional access.
-
-Read [Conditional access in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-conditional-access-azure-portal) to learn more about Conditional Access. Afterwards, read [Getting started with conditional access in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-conditional-access-azure-portal-get-started) to start deploying Conditional access.
-
-## Dynamic lock
-
-**Requirements:**
-* Windows 10, version 1703
-
-Dynamic lock enables you to configure Windows 10 devices to automatically lock when Bluetooth paired device signal falls below the maximum Received Signal Strength Indicator (RSSI) value. You configure the dynamic lock policy using Group Policy. You can locate the policy setting at **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business**. The name of the policy is **Configure dynamic lock factors**.
-
-The Group Policy Editor, when the policy is enabled, creates a default signal rule policy with the following value:
-
->[!IMPORTANT]
->Microsoft recommends using the default values for this policy settings. Measurements are relative based on the varying conditions of each environment. Therefore, the same values may produce different results. Test policy settings in each environment prior to broadly deploying the setting.
-
-```
-
-
-3. In the Azure portal, you can verify that the Microsoft PIN reset service is integrated from the **Enterprise applications**, **All applications** blade.
-
-
-#### Configure Windows devices to use PIN reset using Group Policy
-You configure Windows 10 to use the Microsoft PIN Reset service using the computer configuration portion of a Group Policy object.
-
-1. Using the Group Policy Management Console (GPMC), scope a domain-based Group Policy to computer accounts in Active Directory.
-2. Edit the Group Policy object from step 1.
-3. Enable the **Use PIN Recovery** policy setting located under **Computer Configuration->Administrative Templates->Windows Components->Windows Hello for Business**.
-4. Close the Group Policy Management Editor to save the Group Policy object. Close the GPMC.
-
-#### Configure Windows devices to use PIN reset using Microsoft Intune
-To configure PIN reset on Windows devices you manage, use an [Intune Windows 10 custom device policy](https://docs.microsoft.com/intune/custom-settings-windows-10) to enable the feature. Configure the policy using the following Windows policy configuration service provider (CSP):
-
-##### Create a PIN Reset Device configuration profile using Microsoft Intune
-
-1. Sign-in to [Azure Portal](https://portal.azure.com) using a tenant administrator account.
-2. You need your tenant ID to complete the following task. You can discovery your tenant ID viewing the **Properties** of your Azure Active Directory from the Azure Portal. You can also use the following command in a command Window on any Azure AD joined or hybrid Azure AD joined computer.
- ```
- dsregcmd /status | findstr -snip "tenantid"
- ```
-3. Navigate to the Microsoft Intune blade. Click **Device configuration**. Click **Profiles**. Click **Create profile**.
-4. Type **Use PIN Recovery** in the **Name** field. Select **Windows 10 and later** from the **Platform** list. Select **Custom** from the **Profile type** list.
-5. In the **Custom OMA-URI Settings** blade, Click **Add**.
-6. In the **Add Row** blade, type **PIN Reset Settings** in the **Name** field. In the **OMA-URI** field, type **./Device/Vendor/MSFT/PassportForWork/*tenant ID*/Policies/EnablePinRecovery** where *tenant ID* is your Azure Active Directory tenant ID from step 2.
-7. Select **Boolean** from the **Data type** list and select **True** from the **Value** list.
-8. Click **OK** to save the row configuration. Click **OK** to close the Custom OMA-URI Settings blade. Click **Create to save the profile.
-
-##### Assign the PIN Reset Device configuration profile using Microsoft Intune
-1. Sign-in to [Azure Portal](https://portal.azure.com) using a tenant administrator account.
-2. Navigate to the Microsoft Intune blade. Click **Device configuration**. Click **Profiles**. From the list of device configuration profiles, click the profile that contains the PIN reset configuration.
-3. In the device configuration profile, click **Assignments**.
-4. Use the **Include** and/or **Exclude** tabs to target the device configuration profile to select groups.
-
-### On-premises Deployments
-
-** Requirements**
-* Active Directory
-* On-premises Windows Hello for Business deployment
-* Reset from settings - Windows 10, version 1703, Professional
-* Reset above Lock - Windows 10, version 1709, Professional
-
-On-premises deployments provide users with the ability to reset forgotten PINs either through the settings page or from above the user's lock screen. Users must know or be provided their password for authentication, must perform a second factor of authentication, and then re-provision Windows Hello for Business.
-
->[!IMPORTANT]
->Users must have corporate network connectivity to domain controllers and the federation service to reset their PINs.
-
-#### Reset PIN from Settings
-1. Sign-in to Windows 10, version 1703 or later using an alternate credential.
-2. Open **Settings**, click **Accounts**, click **Sign-in options**.
-3. Under **PIN**, click **I forgot my PIN** and follow the instructions.
-
-#### Reset PIN above the Lock Screen
- 1. On Windows 10, version 1709, click **I forgot my PIN** from the Windows Sign-in
- 2. Enter your password and press enter.
- 3. Follow the instructions provided by the provisioning process
- 4. When finished, unlock your desktop using your newly created PIN.
-
->[!NOTE]
-> Visit the [Windows Hello for Business Videos](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-videos.md) page and watch the [Windows Hello for Business forgotten PIN user experience](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-videos#windows-hello-for-business-forgotten-pin-user-experience) video.
-
-## Dual Enrollment
-
-**Requirements**
-* Hybrid and On-premises Windows Hello for Business deployments
-* Enterprise Joined or Hybrid Azure joined devices
-* Windows 10, version 1709
-
-> [!NOTE]
-> This feature was previously known as **Privileged Credential** but was renamed to **Dual Enrollment** to prevent any confusion with the **Privileged Access Workstation** feature.
-
-> [!IMPORTANT]
-> Dual enrollment does not replace or provide the same security as Privileged Access Workstations feature. Microsoft encourages enterprises to use the Privileged Access Workstations for their privileged credential users. Enterprises can consider Windows Hello for Business dual enrollment in situations where the Privileged Access feature cannot be used. Read [Privileged Access Workstations](https://docs.microsoft.com/windows-server/identity/securing-privileged-access/privileged-access-workstations) for more information.
-
-Dual enrollment enables administrators to perform elevated, administrative functions by enrolling both their non-privileged and privileged credentials on their device.
-
-By design, Windows 10 does not enumerate all Windows Hello for Business users from within a user's session. Using the computer Group Policy setting, **Allow enumeration of emulated smart card for all users**, you can configure a device to enumerate all enrolled Windows Hello for Business credentials on selected devices.
-
-With this setting, administrative users can sign-in to Windows 10, version 1709 using their non-privileged Windows Hello for Business credentials for normal work flow such as email, but can launch Microsoft Management Consoles (MMCs), Remote Desktop Services clients, and other applications by selecting **Run as different user** or **Run as administrator**, selecting the privileged user account, and providing their PIN. Administrators can also take advantage of this feature with command line applications by using **runas.exe** combined with the **/smartcard** argument. This enables administrators to perform their day-to-day operations without needing to sign-in and out, or use fast user switching when alternating between privileged and non-privileged workloads.
-
-> [!IMPORTANT]
-> You must configure a Windows 10 computer for Windows Hello for Business dual enrollment before either user (privileged or non-privileged) provisions Windows Hello for Business. Dual enrollment is a special setting that is configured on the Windows Hello container during creation.
-
-### Configure Windows Hello for Business Dual Enroll
-In this task you will
-- Configure Active Directory to support Domain Administrator enrollment
-- Configure Dual Enrollment using Group Policy
-
-#### Configure Active Directory to support Domain Administrator enrollment
-The designed Windows for Business configuration has you give the **Key Admins** (or **KeyCredential Admins** when using domain controllers prior to Windows Server 2016) group read and write permissions to the msDS-KeyCredentialsLink attribute. You provided these permissions at root of the domain and use object inheritance to ensure the permissions apply to all users in the domain regardless of their location within the domain hierarchy.
-
-Active Directory Domain Services uses AdminSDHolder to secure privileged users and groups from unintentional modification by comparing and replacing the security on privileged users and groups to match those defined on the AdminSDHolder object on an hourly cycle. For Windows Hello for Business, your domain administrator account may receive the permissions but will they will disappear from the user object unless you give the AdminSDHolder read and write permissions to the msDS-KeyCredential attribute.
-
-Sign-in to a domain controller or management workstation with access equivalent to _domain administrator_.
-
-1. Type the following command to add the **allow** read and write property permissions for msDS-KeyCredentialLink attribute for the **Key Admins** (or **KeyCredential Admins**) group on the AdminSDHolder object.
-```dsacls "CN=AdminSDHolder,CN=System,DC=domain,DC=com" /g "[domainName\keyAdminGroup]":RPWP;msDS-KeyCredentialLink```
-where **DC=domain,DC=com** is the LDAP path of your Active Directory domain and **domainName\keyAdminGroup]** is the NetBIOS name of your domain and the name of the group you use to give access to keys based on your deployment. For example:
-```dsacls "CN=AdminSDHolder,CN=System,DC=corp,DC=mstepdemo,DC=net" /g "mstepdemo\Key Admins":RPWP;msDS-KeyCredentialLink```
-2. To trigger security descriptor propagation, open **ldp.exe**.
-3. Click **Connection** and select **Connect...** Next to **Server**, type the name of the domain controller that holds the PDC role for the domain. Next to **Port**, type **389** and click **OK**.
-4. Click **Connection** and select **Bind...** Click **OK** to bind as the currently signed-in user.
-5. Click **Browser** and select **Modify**. Leave the **DN** text box blank. Next to **Attribute**, type **RunProtectAdminGroupsTask**. Next to **Values**, type **1**. Click **Enter** to add this to the **Entry List**.
-6. Click **Run** to start the task.
-7. Close LDP.
-
-#### Configuring Dual Enrollment using Group Policy
-You configure Windows 10 to support dual enrollment using the computer configuration portion of a Group Policy object.
-
-1. Using the Group Policy Management Console (GPMC), create a new domain-based Group Policy object and link it to an organizational Unit that contains Active Directory computer objects used by privileged users.
-2. Edit the Group Policy object from step 1.
-3. Enable the **Allow enumeration of emulated smart cards for all users** policy setting located under **Computer Configuration->Administrative Templates->Windows Components->Windows Hello for Business**.
-4. Close the Group Policy Management Editor to save the Group Policy object. Close the GPMC.
-5. Restart computers targeted by this Group Policy object.
-
-The computer is ready for dual enrollment. Sign-in as the privileged user first and enroll for Windows Hello for Business. Once completed, sign-out and sign-in as the non-privileged user and enroll for Windows Hello for Business. You can now use your privileged credential to perform privileged tasks without using your password and without needing to switch users.
-
-## Remote Desktop with Biometrics
-
-> [!Warning]
-> Some information relates to pre-released product that may change before it is commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
-**Requirements**
-- Hybrid and On-premises Windows Hello for Business deployments
-- Azure AD joined, Hybrid Azure AD joined, and Enterprise joined devices
-- Certificate trust deployments
-- Biometric enrollments
-- Windows 10, version 1809
-
-Users using earlier versions of Windows 10 could remote desktop to using Windows Hello for Business but were limited to the using their PIN as their authentication gesture. Windows 10, version 1809 introduces the ability for users to authenticate to a remote desktop session using their Windows Hello for Business biometric gesture. The feature is on by default, so your users can take advantage of it as soon as they upgrade to Windows 10, version 1809.
-
-> [!IMPORTANT]
-> The remote desktop with biometrics feature only works with certificate trust deployments. The feature takes advantage of the redirected smart card capabilities of the remote desktop protocol. Microsoft continues to investigate supporting this feature for key trust deployments.
-
-### How does it work
-It start with creating cryptographic keys. Windows generates and stores cryptographic keys using a software component called a key storage provider (KSP). Software-based keys are created and stored using the Microsoft Software Key Storage Provider. Smart card keys are created and stored using the Microsoft Smart Card Key Storage Provider. Keys created and protected by Windows Hello for Business are created and stored using the Microsoft Passport Key Storage Provider.
-
-A certificate on a smart card starts with creating an asymmetric key pair using the Microsoft Smart Card KSP. Windows requests a certificate based on the key pair from your enterprises issuing certificate authority, which returns a certificate that is stored in the user's Personal certificate store. The private key remains on the smart card and the public key is stored with the certificate. Metadata on the certificate (and the key) store the key storage provider used to create the key (remember the certificate contains the public key).
-
-This same concept applies to Windows Hello for Business. Except, the keys are created using the Microsoft Passport KSP and the user's private key remains protected by the device's security module (TPM) and the user's gesture (PIN/biometric). The certificate APIs hide this complexity. When an application uses a certificate, the certificate APIs locate the keys using the saved key storage provider. The key storage providers directs the certificate APIs on which provider they use to find the private key associated with the certificate. This is how Windows knows you have a smart card certificate without the smart card inserted (and prompts you to insert the smart card).
-
-Windows Hello for Business emulates a smart card for application compatibility. Versions of Windows 10 prior to version 1809, would redirect private key access for Windows Hello for Business certificate to use its emulated smart card using the Microsoft Smart Card KSP, which would enable the user to provide their PIN. Windows 10, version 1809 no longer redirects private key access for Windows Hello for Business certificates to the Microsoft Smart Card KSP-- it continues using the Microsoft Passport KSP. The Microsoft Passport KSP enabled Windows 10 to prompt the user for their biometric gesture or PIN.
-
-### Compatibility
-Users appreciate convenience of biometrics and administrators value the security however, you may experience compatibility issues with your applications and Windows Hello for Business certificates. You can relax knowing a Group Policy setting and a [MDM URI](https://docs.microsoft.com/windows/client-management/mdm/passportforwork-csp) exist to help you revert to the previous behavior for those users who need it.
-
-
-
-> [!IMPORTANT]
-> The remote desktop with biometric feature does not work with [Dual Enrollment](#dual-enrollment) feature or scenarios where the user provides alternative credentials. Microsoft continues to investigate supporting the feature.\
+- [Conditional Access](hello-feature-conditional-access.md)
+- [Dual Enrollment](hello-feature-dual-enrollment.md)
+- [Dynamic lock](hello-feature-dynamic-lock.md)
+- [Multifactor Unlock](feature-multifactor-unlock.md)
+- [PIN Reset](hello-feature-pin-reset.md)
+- [Remote Desktop](hello-feature-remote-desktop.md)
## Related topics
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md
index 9a2711dc1c..c876fbd351 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md
@@ -32,6 +32,8 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong,
[Domain joined provisioning in an On-premises Key Trust deployment](#domain-joined-provisioning-in-an-on-premises-key-trust-deployment)
[Domain joined provisioning in an On-premises Certificate Trust deployment](#domain-joined-provisioning-in-an-on-premises-certificate-trust-deployment)
+> [!NOTE]
+> The flows in this section are not exhaustive for every possible scenario. For example, Federated Key Trust is also a supported configuration.
## Azure AD joined provisioning in a Managed environment
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md
index 26b5607798..f32db55329 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md
@@ -71,7 +71,7 @@ Azure AD Join is intended for organizations that desire to be cloud-first or clo
[Join Type](#join-type), [Hybrid Azure AD Joined](#hybrid-azure-ad-joined)
### More information
- - [Introduction to device management in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/device-management-introduction).
+- [Introduction to device management in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/device-management-introduction).
[Return to Top](hello-how-it-works-technology.md)
## Azure AD Registered
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md
index 847bbfdf0e..d1c11a2a8c 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md
@@ -309,13 +309,13 @@ Sign-in a workstation with access equivalent to a _domain user_.
11. Select the appropriate configuration for the following settings.
- * **Lowercase letters in PIN**
- * **Uppercase letters in PIN**
- * **Special characters in PIN**
- * **PIN expiration (days)**
- * **Remember PIN history**
- > [!NOTE]
- > The Windows Hello for Business PIN is not a symmetric key (a password). A copy of the current PIN is not stored locally or on a server like in the case of passwords. Making the PIN as complex and changed frequently as a password increases the likelihood of forgotten PINs. Additionally, enabling PIN history is the only scenario that requires Windows 10 to store older PIN combinations (protected to the current PIN). Windows Hello for Business combined with a TPM provides anti-hammering functionality that prevents brute force attacks of the user's PIN. If you are concerned with user-to-user shoulder surfacing, rather that forcing complex PIN that change frequently, consider using the [Multifactor Unlock](feature-multifactor-unlock.md) feature.
+ * **Lowercase letters in PIN**
+ * **Uppercase letters in PIN**
+ * **Special characters in PIN**
+ * **PIN expiration (days)**
+ * **Remember PIN history**
+ > [!NOTE]
+ > The Windows Hello for Business PIN is not a symmetric key (a password). A copy of the current PIN is not stored locally or on a server like in the case of passwords. Making the PIN as complex and changed frequently as a password increases the likelihood of forgotten PINs. Additionally, enabling PIN history is the only scenario that requires Windows 10 to store older PIN combinations (protected to the current PIN). Windows Hello for Business combined with a TPM provides anti-hammering functionality that prevents brute force attacks of the user's PIN. If you are concerned with user-to-user shoulder surfacing, rather that forcing complex PIN that change frequently, consider using the [Multifactor Unlock](feature-multifactor-unlock.md) feature.
12. Select **Yes** next to **Allow biometric authentication** if you want to allow users to use biometrics (fingerprint and/or facial recognition) to unlock the device. To further secure the use of biometrics, select **Yes** to **Use enhanced anti-spoofing, when available**.
13. Select **No** to **Allow phone sign-in**. This feature has been deprecated.
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
index 2fc0996eb0..5136ececee 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
@@ -79,7 +79,7 @@ The easiest way to verify the onPremisesDistingushedNamne attribute is synchroni
1. Open a web browser and navigate to https://graphexplorer.azurewebsites.net/
2. Click **Login** and provide Azure credentials
-3. In the Azure AD Graph Explorer URL, type https://graph.windows.net/myorganization/users/[userid], where **[userid] is the user principal name of user in Azure Active Directory. Click **Go**
+3. In the Azure AD Graph Explorer URL, type https://graph.windows.net/myorganization/users/[userid], where **[userid]** is the user principal name of user in Azure Active Directory. Click **Go**
4. In the returned results, review the JSON data for the **onPremisesDistinguishedName** attribute. Ensure the attribute has a value and the value is accurate for the given user.
@@ -535,7 +535,7 @@ Sign-in a workstation with access equivalent to a _domain user_.
1. Sign-in to the [Azure Portal](https://portal.azure.com/).
2. Select **All Services**. Type **Intune** to filter the list of services. Click **Microsoft Intune**.
-3. Select **Device Configuration**, and then select **Certificate Authority**.
+3. Select **Device Configuration**, and then select **Certificate Connectors**.
4. Click **Add**, and then click **Download the certificate connector software** under the **Steps to install connector for SCEP** section.
@@ -610,7 +610,7 @@ Sign-in the NDES server with access equivalent to _domain admin_.
1. Open a command prompt.
2. Type the following command to confirm the NDES Connector's last connection time is current.
-```reg query hklm\software\Micosoft\MicrosoftIntune\NDESConnector\ConnectionStatus```
+```reg query hklm\software\Microsoft\MicrosoftIntune\NDESConnector\ConnectionStatus```
3. Close the command prompt.
4. Open **Internet Explorer**.
5. In the navigation bar, type
@@ -636,7 +636,7 @@ Sign-in a workstation with access equivalent to a _domain user_.
8. Click **Members**. Use the **Select members** pane to add members to this group. When finished click **Select**.
9. Click **Create**.
-### Create a SCEP Certificte Profile
+### Create a SCEP Certificate Profile
Sign-in a workstation with access equivalent to a _domain user_.
1. Sign-in to the [Azure Portal](https://portal.azure.com/).
@@ -656,15 +656,16 @@ Sign-in a workstation with access equivalent to a _domain user_.
10. Select **Enroll to Windows Hello for Business, otherwise fail (Windows 10 and later)** from the **Key storage provider (KSP)** list.
11. Select **Custom** from the **Subject name format** list.
12. Next to **Custom**, type **CN={{OnPrem_Distinguished_Name}}** to make the on-premises distinguished name the subject of the issued certificate.
-13. Refer to the "Configure Certificate Templates on NDES" task for how you configured the **AADJ WHFB Authentication** certificate template in the registry. Select the appropriate combination of key usages from the **Key Usages** list that map to configured NDES template in the registry. In this example, the **AADJ WHFB Authentication** certificate template was added to the **SignatureTemplate** registry value name. The **Key usage** that maps to that registry value name is **Digital Signature**.
-14. Select a previously configured **Trusted certificate** profile that matches the root certificate of the issuing certificate authority.
+13. Specify **User Principal Name (UPN)** as a **Subject Alternative Name** value.
+14. Refer to the "Configure Certificate Templates on NDES" task for how you configured the **AADJ WHFB Authentication** certificate template in the registry. Select the appropriate combination of key usages from the **Key Usages** list that map to configured NDES template in the registry. In this example, the **AADJ WHFB Authentication** certificate template was added to the **SignatureTemplate** registry value name. The **Key usage** that maps to that registry value name is **Digital Signature**.
+15. Select a previously configured **Trusted certificate** profile that matches the root certificate of the issuing certificate authority.
-15. Under **Extended key usage**, type **Smart Card Logon** under Name. Type **1.3.6.1.4.1.311.20.2.2 under **Object identifier**. Click **Add**.
-16. Type a percentage (without the percent sign) next to **Renewal Threshold** to determine when the certificate should attempt to renew. The recommended value is **20**.
+16. Under **Extended key usage**, type **Smart Card Logon** under **Name**. Type **1.3.6.1.4.1.311.20.2.2** under **Object identifier**. Click **Add**.
+17. Type a percentage (without the percent sign) next to **Renewal Threshold** to determine when the certificate should attempt to renew. The recommended value is **20**.
-17. Under **SCEP Server URLs**, type the fully qualified external name of the Azure AD Application proxy you configured. Append to the name **/certsrv/mscep/mscep.dll**. For example, https://ndes-mtephendemo.msappproxy.net/certsrv/mscep/mscep.dll. Click **Add**. Repeat this step for each additional NDES Azure AD Application Proxy you configured to issue Windows Hello for Business certificates. Microsoft Intune round-robin load balances requests amongst the URLs listed in the SCEP certificate profile.
-18. Click **OK**.
-19. Click **Create**.
+18. Under **SCEP Server URLs**, type the fully qualified external name of the Azure AD Application proxy you configured. Append to the name **/certsrv/mscep/mscep.dll**. For example, https://ndes-mtephendemo.msappproxy.net/certsrv/mscep/mscep.dll. Click **Add**. Repeat this step for each additional NDES Azure AD Application Proxy you configured to issue Windows Hello for Business certificates. Microsoft Intune round-robin load balances requests among the URLs listed in the SCEP certificate profile.
+19. Click **OK**.
+20. Click **Create**.
### Assign Group to the WHFB Certificate Enrollment Certificate Profile
Sign-in a workstation with access equivalent to a _domain user_.
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md
index 1df71e5f3d..433457239a 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md
@@ -196,10 +196,19 @@ In a federated Azure AD configuration, devices rely on Active Directory Federati
Windows current devices authenticate using Integrated Windows Authentication to an active WS-Trust endpoint (either 1.3 or 2005 versions) hosted by the on-premises federation service.
+When you're using AD FS, you need to enable the following WS-Trust endpoints:
+`/adfs/services/trust/2005/windowstransport`
+`/adfs/services/trust/13/windowstransport`
+`/adfs/services/trust/2005/usernamemixed`
+`/adfs/services/trust/13/usernamemixed`
+`/adfs/services/trust/2005/certificatemixed`
+`/adfs/services/trust/13/certificatemixed`
+
+> [!WARNING]
+> Both **adfs/services/trust/2005/windowstransport** or **adfs/services/trust/13/windowstransport** should be enabled as intranet facing endpoints only and must NOT be exposed as extranet facing endpoints through the Web Application Proxy. To learn more on how to disable WS-Trust WIndows endpoints, see [Disable WS-Trust Windows endpoints on the proxy](https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/best-practices-securing-ad-fs#disable-ws-trust-windows-endpoints-on-the-proxy-ie-from-extranet). You can see what endpoints are enabled through the AD FS management console under **Service** > **Endpoints**.
+
> [!NOTE]
-> When using AD FS, either **adfs/services/trust/13/windowstransport** or **adfs/services/trust/2005/windowstransport** must be enabled. If you are using the Web Authentication Proxy, also ensure that this endpoint is published through the proxy. You can see what end-points are enabled through the AD FS management console under **Service > Endpoints**.
->
-> If you don't have AD FS as your on-premises federation service, follow the instructions of your vendor to make sure they support WS-Trust 1.3 or 2005 end-points and that these are published through the Metadata Exchange file (MEX).
+>If you don’t have AD FS as your on-premises federation service, follow the instructions from your vendor to make sure they support WS-Trust 1.3 or 2005 endpoints and that these are published through the Metadata Exchange file (MEX).
The following claims must exist in the token received by Azure DRS for device registration to complete. Azure DRS will create a device object in Azure AD with some of this information which is then used by Azure AD Connect to associate the newly created device object with the computer account on-premises.
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md
index 71517e7da8..cd40458897 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md
@@ -74,6 +74,9 @@ The two directories used in hybrid deployments must be synchronized. You need A
Organizations using older directory synchronization technology, such as DirSync or Azure AD sync, need to upgrade to Azure AD Connect. In case the schema of your local AD DS was changed since the last directory synchronization, you may need to [refresh directory schema](https://docs.microsoft.com/azure/active-directory/hybrid/how-to-connect-installation-wizard#refresh-directory-schema).
+> [!NOTE]
+> Windows Hello for Business is tied between a user and a device. Both the user and device need to be synchronized between Azure Active Directory and Active Directory.
+
### Section Review
> [!div class="checklist"]
> * Azure Active Directory Connect directory synchronization
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md
index 1629f3eb9a..1cf7fcb2cd 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md
@@ -114,7 +114,7 @@ Sign-in a certificate authority or management workstations with *Domain Admin* e
1. Open the **Certificate Authority** management console.
2. Right-click **Certificate Templates** and click **Manage**.
-3. In the **Certificate Template** console, right-click the **Exchange Enrollment Agent** template in the details pane and click **Duplicate Template**.
+3. In the **Certificate Template** console, right-click the **Exchange Enrollment Agent (Offline request)** template in the details pane and click **Duplicate Template**.
4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list.
5. On the **General** tab, type **WHFB Enrollment Agent** in **Template display name**. Adjust the validity and renewal period to meet your enterprise's needs.
6. On the **Subject** tab, select the **Build from this Active Directory information** button if it is not already selected. Select **Fully distinguished name** from the **Subject name format** list if **Fully distinguished name** is not already selected. Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name**.
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md
index 05a4294ad7..80325188e6 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md
@@ -26,7 +26,7 @@ ms.reviewer:
## Policy Configuration
-You need a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows 10. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/en-us/download/details.aspx?id=45520).
+You need a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows 10. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520).
Install the Remote Server Administration Tools for Windows 10 on a computer running Windows 10, version 1703.
Alternatively, you can create copy the .ADMX and .ADML files from a Windows 10 Creators Edition (1703) to their respective language folder on a Windows Server or you can create a Group Policy Central Store and copy them their respective language folder. See [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administrative-templates-in-windows) for more information.
@@ -151,7 +151,7 @@ The default configuration for Windows Hello for Business is to prefer hardware p
You can enable and deploy the **Use a hardware security device** Group Policy Setting to force Windows Hello for Business to only create hardware protected credentials. Users that sign-in from a computer incapable of creating a hardware protected credential do not enroll for Windows Hello for Business.
-Another policy setting becomes available when you enable the **Use a hardware security device** Group Policy setting that enables you to prevent Windows Hello for Business enrollment from using version 1.2 Trusted Platform Modules (TPM). Version 1.2 TPMs typically perform cryptographic operations slower than version 2.0 TPMs and are more unforgiving during anti-hammering and PIN lockout activities. Therefore, some organization may want not want slow sign-in performance and management overhead associated with version 1.2 TPMs. To prevent Windows Hello for Business from using version 1.2 TPMs, simply select the TPM 1.2 check box after you enable the Use a hardware security device Group Policy object.
+Another policy setting becomes available when you enable the **Use a hardware security device** Group Policy setting that enables you to prevent Windows Hello for Business enrollment from using version 1.2 Trusted Platform Modules (TPM). Version 1.2 TPMs typically perform cryptographic operations slower than version 2.0 TPMs and are more unforgiving during anti-hammering and PIN lockout activities. Therefore, some organization may not want slow sign-in performance and management overhead associated with version 1.2 TPMs. To prevent Windows Hello for Business from using version 1.2 TPMs, simply select the TPM 1.2 check box after you enable the Use a hardware security device Group Policy object.
#### Use biometrics
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md
index aa99101b75..0977f9b6a8 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md
@@ -39,7 +39,7 @@ Begin configuring device registration to support Hybrid Windows Hello for Busine
To do this, follow the **Configure device settings** steps under [Setting up Azure AD Join in your organization](https://azure.microsoft.com/documentation/articles/active-directory-azureadjoin-setup/)
-Next, follow the guidance on the [How to configure hybrid Azure Active Directory joined devices](https://docs.microsoft.com/azure/active-directory/device-management-hybrid-azuread-joined-devices-setup) page. In the **Configuration steps** section, identify your configuration at the top of the table (either **Windows current and password hash sync** or **Windows current and federation**) and perform only the steps identified with a check mark.
+Next, follow the guidance on the [How to configure hybrid Azure Active Directory joined devices](https://docs.microsoft.com/azure/active-directory/devices/hybrid-azuread-join-manual) page. In the **Configuration steps** section, identify your configuration at the top of the table (either **Windows current and password hash sync** or **Windows current and federation**) and perform only the steps identified with a check mark.
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md
index cdc50b7691..1f4f6b976d 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md
@@ -19,11 +19,11 @@ ms.reviewer:
# Hybrid Azure AD joined Key Trust Deployment
**Applies to**
-- Windows 10, version 1703 or later
-- Hybrid deployment
-- Key trust
-
+- Windows 10, version 1703 or later
+- Hybrid deployment
+- Key trust
+
Windows Hello for Business replaces username and password sign-in to Windows with strong user authentication based on asymmetric key pair. The following deployment guide provides the information needed to successfully deploy Windows Hello for Business in a hybrid key trust scenario.
It is recommended that you review the Windows Hello for Business planning guide prior to using the deployment guide. The planning guide helps you make decisions by explaining the available options with each aspect of the deployment and explains the potential outcomes based on each of these decisions. You can review the [planning guide](https://docs.microsoft.com/windows/access-protection/hello-for-business/hello-planning-guide) and download the [planning worksheet](https://go.microsoft.com/fwlink/?linkid=852514).
@@ -31,10 +31,11 @@ It is recommended that you review the Windows Hello for Business planning guide
This deployment guide provides guidance for new deployments and customers who are already federated with Office 365. These two scenarios provide a baseline from which you can begin your deployment.
## New Deployment Baseline ##
+
The new deployment baseline helps organizations who are moving to Azure and Office 365 to include Windows Hello for Business as part of their deployments. This baseline is good for organizations who are looking to deploy proof of concepts as well as IT professionals who want to familiarize themselves Windows Hello for Business by deploying a lab environment.
-
+
This baseline provides detailed procedures to move your environment from an on-premises only environment to a hybrid environment using Windows Hello for Business to authenticate to Azure Active Directory and to your on-premises Active Directory using a single Windows sign-in.
-
+
Your next step is to familiarize yourself with the prerequisites needed for the deployment. Many of the prerequisites will be new for organizations and individuals pursuing the new deployment baseline. Organizations and individuals starting from the federated baseline will likely be familiar with most of the prerequisites, but should validate they are using the proper versions that include the latest updates.
> [!div class="nextstepaction"]
@@ -42,9 +43,8 @@ Your next step is to familiarize yourself with the prerequisites needed for the
-
-
## Follow the Windows Hello for Business hybrid key trust deployment guide
+
1. Overview (*You are here*)
2. [Prerequisites](hello-hybrid-key-trust-prereqs.md)
3. [New Installation Baseline](hello-hybrid-key-new-install.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md
index c38ab35a87..122053e414 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md
@@ -26,7 +26,7 @@ ms.reviewer:
## Policy Configuration
-You need a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows 10. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/en-us/download/details.aspx?id=45520).
+You need a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows 10. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520).
Install the Remote Server Administration Tools for Windows 10 on a computer running Windows 10, version 1703.
Alternatively, you can create copy the .ADMX and .ADML files from a Windows 10 Creators Edition (1703) to their respective language folder on a Windows Server or you can create a Group Policy Central Store and copy them their respective language folder. See [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administrative-templates-in-windows) for more information.
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md
index 161c10f243..a6364bad59 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md
@@ -38,7 +38,7 @@ A new Active Directory Federation Services farm should have a minimum of two fed
Prepare the Active Directory Federation Services deployment by installing and updating two Windows Server 2016 Servers. Ensure the update listed below is applied to each server before continuing.
-## Update Windows Server 2016
+## Update Windows Server 2016
Sign-in the federation server with _local admin_ equivalent credentials.
1. Ensure Windows Server 2016 is current by running **Windows Update** from **Settings**. Continue this process until no further updates are needed. If you’re not using Windows Update for updates, please review the [Windows Server 2016 update history page](https://support.microsoft.com/help/4000825/windows-10-windows-server-2016-update-history) to make sure you have the latest updates available installed.
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-deploy-mfa.md
deleted file mode 100644
index b2c377057f..0000000000
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-deploy-mfa.md
+++ /dev/null
@@ -1,549 +0,0 @@
----
-title: Configure or Deploy Multifactor Authentication Services (Windows Hello for Business)
-description: How to Configure or Deploy Multifactor Authentication Services for Windows Hello for Business
-keywords: identity, PIN, biometric, Hello, passport
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
-author: mapalko
-ms.author: mapalko
-manager: dansimp
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
-ms.date: 08/19/2018
-ms.reviewer:
----
-# Configure or Deploy Multifactor Authentication Services
-
-**Applies to**
-- Windows 10, version 1703 or later
-- On-premises deployment
-- Key trust
-
-
-On-premises deployments must use the On-premises Azure MFA Server using the AD FS adapter model Optionally, you can use a third-party MFA server that provides an AD FS Multifactor authentication adapter.
-
->[!TIP]
->Please make sure you've read [Validate and Deploy Multifactor Authentication Services (MFA)](hello-cert-trust-validate-deploy-mfa.md) before proceeding any further.
-
-## Prerequisites
-
-The Azure MFA Server and User Portal servers have several perquisites and must have connectivity to the Internet.
-
-### Primary MFA Server
-
-The Azure MFA server uses a primary and secondary replication model for its configuration database. The primary Azure MFA server hosts the writable partition of the configuration database. All secondary Azure MFA servers hosts read-only partitions of the configuration database. All production environment should deploy a minimum of two MFA Servers.
-
-For this documentation, the primary MFA uses the name **mf*a*** or **mfa.corp.contoso.com**. All secondary servers use the name **mfa*n*** or **mfa*n*.corp.contoso.com**, where *n* is the number of the deployed MFA server.
-
-The primary MFA server is also responsible for synchronizing from Active Directory. Therefore, the primary MFA server should be domain joined and fully patched.
-
-#### Enroll for Server Authentication
-
-The communication between the primary MFA server, secondary MFA servers, User Portal servers, and the client is protected using TLS, which needs a server authentication certificate.
-
-Sign-in the primary MFA server with _domain admin_ equivalent credentials.
-1. Start the Local Computer **Certificate Manager** (certlm.msc).
-2. Expand the **Personal** node in the navigation pane.
-3. Right-click **Personal**. Select **All Tasks** and **Request New Certificate**.
-4. Click **Next** on the **Before You Begin** page.
-5. Click **Next** on the **Select Certificate Enrollment Policy** page.
-6. On the **Request Certificates** page, Select the **Internal Web Server** check box.
-7. Click the **More information is required to enroll for this certificate. Click here to configure settings** link.
-8. Under **Subject name**, select **Common Name** from the **Type** list. Type the FQDN of the primary MFA server and then click **Add** (mfa.corp.contoso.com). Click **Add**. Click **OK** when finished.
-9. Click **Enroll**.
-
-A server authentication certificate should appear in the computer’s Personal certificate store.
-
-#### Install the Web Server Role
-
-The Azure MFA server does not require the Web Server role, however, User Portal and the optional Mobile Application server communicate with the MFA server database using the MFA Web Services SDK. The MFA Web Services SDK uses the Web Server role.
-
-To install the Web Server (IIS) role, please follow [Installing IIS 7 on Windows Server 2008 or Windows Server 2008 R2](https://docs.microsoft.com/iis/install/installing-iis-7/installing-iis-7-and-above-on-windows-server-2008-or-windows-server-2008-r2) or [Installing IIS 8.5 on Windows Server 2012 R2](https://docs.microsoft.com/iis/install/installing-iis-85/installing-iis-85-on-windows-server-2012-r2) depending on the host Operating System you're going to use.
-
-The following services are required:
-* Common Parameters > Default Document.
-* Common Parameters > Directory Browsing.
-* Common Parameters > HTTP Errors.
-* Common Parameters > Static Content.
-* Health and Diagnostics > HTTP Logging.
-* Performance > Static Content Compression.
-* Security > Request Filtering.
-* Security > Basic Authentication.
-* Management Tools > IIS Management Console.
-* Management Tools > IIS 6 Management Compatibility.
-* Application Development > ASP.NET 4.5.
-
-#### Update the Server
-
-Update the server using Windows Update until the server has no required or optional updates as the Azure MFA Server software may require one or more of these updates for the installation and software to correctly work. These procedures install additional components that may need to be updated.
-
-#### Configure the IIS Server’s Certificate
-
-The TLS protocol protects all the communication to and from the MFA server. To enable this protection, you must configure the default web site to use the previously enrolled server authentication certificate.
-
-Sign in the primary MFA server with _administrator_ equivalent credentials.
-1. From **Administrators**, Start the **Internet Information Services (IIS) Manager** console
-2. In the navigation pane, expand the node with the same name as the local computer. Expand **Settings** and select **Default Web Site**.
-3. In the **Actions** pane, click **Bindings**.
-4. In the **Site Bindings** dialog, Click **Add**.
-5. In the **Add Site Binding** dialog, select **https** from the **Type** list. In the **SSL certificate** list, select the certificate with the name that matches the FQDN of the computer.
-6. Click **OK**. Click **Close**. From the **Action** pane, click **Restart**.
-
-#### Configure the Web Service’s Security
-
-The Azure MFA Server service runs in the security context of the Local System. The MFA User Portal gets its user and configuration information from the Azure MFA server using the MFA Web Services. Access control to the information is gated by membership to the Phonefactor Admins security group. You need to configure the Web Service’s security to ensure the User Portal and the Mobile Application servers can securely communicate to the Azure MFA Server. Also, all User Portal server administrators must be included in the Phonefactor Admins security group.
-
-Sign in the domain controller with _domain administrator_ equivalent credentials.
-
-##### Create Phonefactor Admin group
-
-1. Open **Active Directory Users and Computers**
-2. In the navigation pane, expand the node with the organization’s Active Directory domain name. Right-click the **Users** container, select **New**, and select **Group**.
-3. In the **New Object – Group** dialog box, type **Phonefactor Admins** in Group name.
-4. Click **OK**.
-
-##### Add accounts to the Phonefactor Admins group
-
-1. Open **Active Directory Users and Computers**.
-2. In the navigation pane, expand the node with the organization’s Active Directory domain name. Select Users. In the content pane. Right-click the **Phonefactor Admins** security group and select **Properties**.
-3. Click the **Members** tab.
-4. Click **Add**. Click **Object Types..** In the **Object Types** dialog box, select **Computers** and click **OK**. Enter the following user and/or computers accounts in the **Enter the object names to select** box and then click **OK**.
- * The computer account for the primary MFA Server
- * Group or user account that will manage the User Portal server.
-
-
-#### Review
-
-Before you continue with the deployment, validate your deployment progress by reviewing the following items:
-
-* Confirm the hosts of the MFA service has enrolled a server authentication certificate with the proper names.
- * Record the expiration date of the certificate and set a renewal reminder at least six weeks before it expires that includes the:
- * Certificate serial number
- * Certificate thumbprint
- * Common name of the certificate
- * Subject alternate name of the certificate
- * Name of the physical host server
- * The issued date
- * The expiration date
- * Issuing CA Vendor (if a third-party certificate)
-
-* Confirm the Web Services Role was installed with the correct configuration (including Basic Authentication, ASP.NET 4.5, etc).
-* Confirm the host has all the available updates from Windows Update.
-* Confirm you bound the server authentication certificate to the IIS web site.
-* Confirm you created the Phonefactor Admins group.
-* Confirm you added the computer account hosting the MFA service to the Phonefactor Admins group and any user account who are responsible for administrating the MFA server or User Portal.
-
-### User Portal Server
-
-The User Portal is an IIS Internet Information Server web site that allows users to enroll in Multi-Factor Authentication and maintain their accounts. A user may change their phone number, change their PIN, or bypass Multi-Factor Authentication during their next sign on. Users will log in to the User Portal using their normal username and password and will either complete a Multi-Factor Authentication call or answer security questions to complete their authentication. If user enrollment is allowed, a user will configure their phone number and PIN the first time they log in to the User Portal. User Portal Administrators may be set up and granted permission to add new users and update existing users.
-
-The User Portal web site uses the user database that is synchronized across the MFA Servers, which enables a design to support multiple web servers for the User Portal and those servers can support internal and external customers. While the user portal web site can be installed directly on the MFA server, it is recommended to install the User Portal on a server separate from the MFA Server to protect the MFA user database, as a layered, defense-in-depth security design.
-
-#### Enroll for Server Authentication
-
-Internal and external users use the User Portal to manage their multifactor authentication settings. To protect this communication, you need to enroll all User Portal servers with a server authentication certificate. You can use an enterprise certificate to protect communication to internal User Portal servers.
-
-For external User Portal servers, it is typical to request a server authentication certificate from a public certificate authority. Contact a public certificate authority for more information on requesting a certificate for public use. Follow the procedures below to enroll an enterprise certificate on your User Portal server.
-
-Sign-in the User Portal server with _domain admin_ equivalent credentials.
-1. Start the Local Computer **Certificate Manager** (certlm.msc).
-2. Expand the **Personal** node in the navigation pane.
-3. Right-click **Personal**. Select **All Tasks** and **Request New Certificate**.
-4. Click **Next** on the **Before You Begin** page.
-5. Click **Next** on the **Select Certificate Enrollment Policy** page.
-6. On the **Request Certificates** page, Select the **Internal Web Server** check box.
-7. Click the **More information is required to enroll for this certificate. Click here to configure settings** link.
-8. Under **Subject name**, select **Common Name** from the **Type** list. Type the FQDN of the primary MFA server and then click **Add** (app1.corp.contoso.com).
-9. Under **Alternative name**, select **DNS** from the **Type** list. Type the FQDN of the name you will use for your User Portal service (mfaweb.corp.contoso.com).
-10. Click **Add**. Click **OK** when finished.
-11. Click **Enroll**.
-
-A server authentication certificate should appear in the computer’s Personal certificate store.
-
-#### Install the Web Server Role
-
-To do this, please follow the instructions mentioned in the previous [Install the Web Server Role](#install-the-web-server-role) section. However, do **not** install Security > Basic Authentication. The user portal server does not require this.
-
-#### Update the Server
-
-Update the server using Windows Update until the server has no required or optional updates as the Azure MFA Server software may require one or more of these updates for the installation and software to correctly work. These procedures install additional components that may need to be updated.
-
-#### Configure the IIS Server’s Certificate
-
-To do this, please follow the instructions mentioned in the previous [Configure the IIS Server’s Certificate](#configure-the-iis-servers-certificate) section.
-
-#### Create WebServices SDK user account
-
-The User Portal and Mobile Application web services need to communicate with the configuration database hosted on the primary MFA server. These services use a user account to communicate to authenticate to the primary MFA server. You can think of the WebServices SDK account as a service account used by other servers to access the WebServices SDK on the primary MFA server.
-
-1. Open **Active Directory Users and Computers**.
-2. In the navigation pane, expand the node with the organization’s Active Directory domain name. Right-click the **Users** container, select **New**, and select **User**.
-3. In the **New Object – User** dialog box, type **PFWSDK_\
**Product Name:** Microsoft.Microsoft3DViewer
**App Type:** Universal app |
| Microsoft Edge | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.MicrosoftEdge
**App Type:** Universal app |
| Microsoft People | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.People
**App Type:** Universal app |
| Word Mobile | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.Office.Word
**App Type:** Universal app |
diff --git a/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip.md b/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip.md
index 78620f0447..f9e51d4cb9 100644
--- a/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip.md
+++ b/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip.md
@@ -10,7 +10,7 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: dulcemontemayor
-ms.author: dolmont
+ms.author: dansimp
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
diff --git a/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels.md b/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels.md
index 8205436cc7..5b2d65942a 100644
--- a/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels.md
+++ b/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels.md
@@ -8,7 +8,7 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: dulcemontemayor
-ms.author: dolmont
+ms.author: dansimp
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
diff --git a/windows/security/information-protection/windows-information-protection/limitations-with-wip.md b/windows/security/information-protection/windows-information-protection/limitations-with-wip.md
index e9ee801003..a01fabb5ce 100644
--- a/windows/security/information-protection/windows-information-protection/limitations-with-wip.md
+++ b/windows/security/information-protection/windows-information-protection/limitations-with-wip.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
author: dulcemontemayor
-ms.author: dolmont
+ms.author: dansimp
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
diff --git a/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md b/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md
index 36a6fbf255..6b736fd281 100644
--- a/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md
+++ b/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md
@@ -8,7 +8,7 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: dulcemontemayor
-ms.author: dolmont
+ms.author: dansimp
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
diff --git a/windows/security/information-protection/windows-information-protection/overview-create-wip-policy-sccm.md b/windows/security/information-protection/windows-information-protection/overview-create-wip-policy-sccm.md
index 9fe48f688d..40ab9e148d 100644
--- a/windows/security/information-protection/windows-information-protection/overview-create-wip-policy-sccm.md
+++ b/windows/security/information-protection/windows-information-protection/overview-create-wip-policy-sccm.md
@@ -9,7 +9,7 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: dulcemontemayor
-ms.author: dolmont
+ms.author: dansimp
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
diff --git a/windows/security/information-protection/windows-information-protection/overview-create-wip-policy.md b/windows/security/information-protection/windows-information-protection/overview-create-wip-policy.md
index 29087982ee..8905cdb7b4 100644
--- a/windows/security/information-protection/windows-information-protection/overview-create-wip-policy.md
+++ b/windows/security/information-protection/windows-information-protection/overview-create-wip-policy.md
@@ -9,7 +9,7 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: dulcemontemayor
-ms.author: dolmont
+ms.author: dansimp
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
diff --git a/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md b/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md
index 246227f7c4..62403b8b81 100644
--- a/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md
+++ b/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md
@@ -10,7 +10,7 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: dulcemontemayor
-ms.author: dolmont
+ms.author: dansimp
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
@@ -35,7 +35,7 @@ Windows Information Protection (WIP), previously known as enterprise data protec
## Video: Protect enterprise data from being accidentally copied to the wrong place
-> [!Video https://www.microsoft.com/en-us/videoplayer/embed/RE2IGhh]
+> [!Video https://www.microsoft.com/videoplayer/embed/RE2IGhh]
## Prerequisites
You’ll need this software to run WIP in your enterprise:
diff --git a/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md b/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md
index 0852a6c1be..46f40cb732 100644
--- a/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md
+++ b/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md
@@ -8,7 +8,7 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: dulcemontemayor
-ms.author: dolmont
+ms.author: dansimp
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
@@ -35,6 +35,7 @@ This table includes the recommended URLs to add to your Enterprise Cloud Resourc
|-----------------------------|---------------------------------------------------------------------|
|Office 365 for Business |
|
|Yammer |
|
+|Outlook Web Access (OWA) |attachments.office.net |
|Microsoft Dynamics |contoso.crm.dynamics.com |
|Visual Studio Online |contoso.visualstudio.com |
|Power BI |contoso.powerbi.com |
diff --git a/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md b/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md
index 08af5d2456..d056e573c8 100644
--- a/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md
+++ b/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md
@@ -10,7 +10,7 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: dulcemontemayor
-ms.author: dolmont
+ms.author: dansimp
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
@@ -172,6 +172,17 @@ You can try any of the processes included in these scenarios, but you should foc
+
Stop Google Drive from syncing WIP protected files and folders.
+
+
+
+
+
However, if you are using an application or system service that dynamically adjusts token privileges, we do not recommend Success auditing because of the high volume of event “[4703](event-4703.md)(S): A user right was adjusted” that may be generated. As of Windows 10, event 4703 is generated by applications or services that dynamically adjust token privileges. An example of such an application is System Center Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from **svchost.exe**).
If one of your applications or services is generating a large number of 4703 events, you might find that your event-management software has filtering logic that can automatically discard the recurring events, which would make it easier to work with Success auditing for this category.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
+| Member Server | IF | No | IF | No | IF – With Success auditing for this subcategory, you can get information related to changes to the privileges of a token.
However, if you are using an application or system service that dynamically adjusts token privileges, we do not recommend Success auditing because of the high volume of event “[4703](event-4703.md)(S): A user right was adjusted” that may be generated. As of Windows 10, event 4703 is generated by applications or services that dynamically adjust token privileges. An example of such an application is System Center Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from **svchost.exe**).
If one of your applications or services is generating a large number of 4703 events, you might find that your event-management software has filtering logic that can automatically discard the recurring events, which would make it easier to work with Success auditing for this category.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
+| Workstation | IF | No | IF | No | IF – With Success auditing for this subcategory, you can get information related to changes to the privileges of a token.
However, if you are using an application or system service that dynamically adjusts token privileges, we do not recommend Success auditing because of the high volume of event “[4703](event-4703.md)(S): A user right was adjusted” that may be generated. As of Windows 10, event 4703 is generated by applications or services that dynamically adjust token privileges. An example of such an application is System Center Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from **svchost.exe**).
If one of your applications or services is generating a large number of 4703 events, you might find that your event-management software has filtering logic that can automatically discard the recurring events, which would make it easier to work with Success auditing for this category.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
+
+**Events List:**
+
+- [4703](event-4703.md)(S): A user right was adjusted.
+
+**Event volume**: High.
diff --git a/windows/security/threat-protection/auditing/audit-user-account-management.md b/windows/security/threat-protection/auditing/audit-user-account-management.md
index 82f8975fd5..25d5f2620c 100644
--- a/windows/security/threat-protection/auditing/audit-user-account-management.md
+++ b/windows/security/threat-protection/auditing/audit-user-account-management.md
@@ -4,13 +4,13 @@ description: This topic for the IT professional describes the advanced security
ms.assetid: f7e72998-3858-4197-a443-19586ecc4bfb
ms.reviewer:
manager: dansimp
-ms.author: dolmont
+ms.author: dansimp
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
ms.date: 04/19/2017
---
diff --git a/windows/security/threat-protection/auditing/audit-user-device-claims.md b/windows/security/threat-protection/auditing/audit-user-device-claims.md
index 7877fe6b80..55da915b55 100644
--- a/windows/security/threat-protection/auditing/audit-user-device-claims.md
+++ b/windows/security/threat-protection/auditing/audit-user-device-claims.md
@@ -4,13 +4,13 @@ description: This topic for the IT professional describes the advanced security
ms.assetid: D3D2BFAF-F2C0-462A-9377-673DB49D5486
ms.reviewer:
manager: dansimp
-ms.author: dolmont
+ms.author: dansimp
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
ms.date: 04/19/2017
---
diff --git a/windows/security/threat-protection/auditing/basic-audit-account-logon-events.md b/windows/security/threat-protection/auditing/basic-audit-account-logon-events.md
index 07f239f4d3..f345a84336 100644
--- a/windows/security/threat-protection/auditing/basic-audit-account-logon-events.md
+++ b/windows/security/threat-protection/auditing/basic-audit-account-logon-events.md
@@ -3,13 +3,13 @@ title: Audit account logon events (Windows 10)
description: Determines whether to audit each instance of a user logging on to or logging off from another device in which this device is used to validate the account.
ms.assetid: 84B44181-E325-49A1-8398-AECC3CE0A516
ms.reviewer:
-ms.author: dolmont
+ms.author: dansimp
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
diff --git a/windows/security/threat-protection/auditing/basic-audit-account-management.md b/windows/security/threat-protection/auditing/basic-audit-account-management.md
index 3d6f35ef9d..e699a88ac1 100644
--- a/windows/security/threat-protection/auditing/basic-audit-account-management.md
+++ b/windows/security/threat-protection/auditing/basic-audit-account-management.md
@@ -3,13 +3,13 @@ title: Audit account management (Windows 10)
description: Determines whether to audit each event of account management on a device.
ms.assetid: 369197E1-7E0E-45A4-89EA-16D91EF01689
ms.reviewer:
-ms.author: dolmont
+ms.author: dansimp
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
diff --git a/windows/security/threat-protection/auditing/basic-audit-directory-service-access.md b/windows/security/threat-protection/auditing/basic-audit-directory-service-access.md
index 65f6a0672b..5fcf6e9222 100644
--- a/windows/security/threat-protection/auditing/basic-audit-directory-service-access.md
+++ b/windows/security/threat-protection/auditing/basic-audit-directory-service-access.md
@@ -3,13 +3,13 @@ title: Audit directory service access (Windows 10)
description: Determines whether to audit the event of a user accessing an Active Directory object that has its own system access control list (SACL) specified.
ms.assetid: 52F02EED-3CFE-4307-8D06-CF1E27693D09
ms.reviewer:
-ms.author: dolmont
+ms.author: dansimp
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
diff --git a/windows/security/threat-protection/auditing/basic-audit-logon-events.md b/windows/security/threat-protection/auditing/basic-audit-logon-events.md
index edba7f71a5..5c7672c13a 100644
--- a/windows/security/threat-protection/auditing/basic-audit-logon-events.md
+++ b/windows/security/threat-protection/auditing/basic-audit-logon-events.md
@@ -3,13 +3,13 @@ title: Audit logon events (Windows 10)
description: Determines whether to audit each instance of a user logging on to or logging off from a device.
ms.assetid: 78B5AFCB-0BBD-4C38-9FE9-6B4571B94A35
ms.reviewer:
-ms.author: dolmont
+ms.author: dansimp
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
diff --git a/windows/security/threat-protection/auditing/basic-audit-object-access.md b/windows/security/threat-protection/auditing/basic-audit-object-access.md
index ae6a25d613..438dd850c9 100644
--- a/windows/security/threat-protection/auditing/basic-audit-object-access.md
+++ b/windows/security/threat-protection/auditing/basic-audit-object-access.md
@@ -3,13 +3,13 @@ title: Audit object access (Windows 10)
description: Determines whether to audit the event of a user accessing an object--for example, a file, folder, registry key, printer, and so forth--that has its own system access control list (SACL) specified.
ms.assetid: D15B6D67-7886-44C2-9972-3F192D5407EA
ms.reviewer:
-ms.author: dolmont
+ms.author: dansimp
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
diff --git a/windows/security/threat-protection/auditing/basic-audit-policy-change.md b/windows/security/threat-protection/auditing/basic-audit-policy-change.md
index a98760482c..b80e5788af 100644
--- a/windows/security/threat-protection/auditing/basic-audit-policy-change.md
+++ b/windows/security/threat-protection/auditing/basic-audit-policy-change.md
@@ -3,13 +3,13 @@ title: Audit policy change (Windows 10)
description: Determines whether to audit every incident of a change to user rights assignment policies, audit policies, or trust policies.
ms.assetid: 1025A648-6B22-4C85-9F47-FE0897F1FA31
ms.reviewer:
-ms.author: dolmont
+ms.author: dansimp
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
diff --git a/windows/security/threat-protection/auditing/basic-audit-privilege-use.md b/windows/security/threat-protection/auditing/basic-audit-privilege-use.md
index 4a0ea891c0..a3e7893fe6 100644
--- a/windows/security/threat-protection/auditing/basic-audit-privilege-use.md
+++ b/windows/security/threat-protection/auditing/basic-audit-privilege-use.md
@@ -3,13 +3,13 @@ title: Audit privilege use (Windows 10)
description: Determines whether to audit each instance of a user exercising a user right.
ms.assetid: C5C6DAAF-8B58-4DFB-B1CE-F0675AE0E9F8
ms.reviewer:
-ms.author: dolmont
+ms.author: dansimp
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
diff --git a/windows/security/threat-protection/auditing/basic-audit-process-tracking.md b/windows/security/threat-protection/auditing/basic-audit-process-tracking.md
index c99e882563..4f02eab9a3 100644
--- a/windows/security/threat-protection/auditing/basic-audit-process-tracking.md
+++ b/windows/security/threat-protection/auditing/basic-audit-process-tracking.md
@@ -3,13 +3,13 @@ title: Audit process tracking (Windows 10)
description: Determines whether to audit detailed tracking information for events such as program activation, process exit, handle duplication, and indirect object access.
ms.assetid: 91AC5C1E-F4DA-4B16-BEE2-C92D66E4CEEA
ms.reviewer:
-ms.author: dolmont
+ms.author: dansimp
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
diff --git a/windows/security/threat-protection/auditing/basic-audit-system-events.md b/windows/security/threat-protection/auditing/basic-audit-system-events.md
index 6283d5a530..7811de4253 100644
--- a/windows/security/threat-protection/auditing/basic-audit-system-events.md
+++ b/windows/security/threat-protection/auditing/basic-audit-system-events.md
@@ -3,13 +3,13 @@ title: Audit system events (Windows 10)
description: Determines whether to audit when a user restarts or shuts down the computer or when an event occurs that affects either the system security or the security log.
ms.assetid: BF27588C-2AA7-4365-A4BF-3BB377916447
ms.reviewer:
-ms.author: dolmont
+ms.author: dansimp
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
diff --git a/windows/security/threat-protection/auditing/basic-security-audit-policies.md b/windows/security/threat-protection/auditing/basic-security-audit-policies.md
index 80170efbf6..1e73acf50d 100644
--- a/windows/security/threat-protection/auditing/basic-security-audit-policies.md
+++ b/windows/security/threat-protection/auditing/basic-security-audit-policies.md
@@ -3,13 +3,13 @@ title: Basic security audit policies (Windows 10)
description: Before you implement auditing, you must decide on an auditing policy.
ms.assetid: 3B678568-7AD7-4734-9BB4-53CF5E04E1D3
ms.reviewer:
-ms.author: dolmont
+ms.author: dansimp
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
diff --git a/windows/security/threat-protection/auditing/basic-security-audit-policy-settings.md b/windows/security/threat-protection/auditing/basic-security-audit-policy-settings.md
index 997ee3cfee..686cdfdc71 100644
--- a/windows/security/threat-protection/auditing/basic-security-audit-policy-settings.md
+++ b/windows/security/threat-protection/auditing/basic-security-audit-policy-settings.md
@@ -3,13 +3,13 @@ title: Basic security audit policy settings (Windows 10)
description: Basic security audit policy settings are found under Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Audit Policy.
ms.assetid: 31C2C453-2CFC-4D9E-BC88-8CE1C1A8F900
ms.reviewer:
-ms.author: dolmont
+ms.author: dansimp
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
diff --git a/windows/security/threat-protection/auditing/create-a-basic-audit-policy-settings-for-an-event-category.md b/windows/security/threat-protection/auditing/create-a-basic-audit-policy-settings-for-an-event-category.md
index a99bb14e40..745c787671 100644
--- a/windows/security/threat-protection/auditing/create-a-basic-audit-policy-settings-for-an-event-category.md
+++ b/windows/security/threat-protection/auditing/create-a-basic-audit-policy-settings-for-an-event-category.md
@@ -3,13 +3,13 @@ title: Create a basic audit policy for an event category (Windows 10)
description: By defining auditing settings for specific event categories, you can create an auditing policy that suits the security needs of your organization.
ms.assetid: C9F52751-B40D-482E-BE9D-2C61098249D3
ms.reviewer:
-ms.author: dolmont
+ms.author: dansimp
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
diff --git a/windows/security/threat-protection/auditing/event-1100.md b/windows/security/threat-protection/auditing/event-1100.md
index 5f995bb735..251aa8834c 100644
--- a/windows/security/threat-protection/auditing/event-1100.md
+++ b/windows/security/threat-protection/auditing/event-1100.md
@@ -6,11 +6,11 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
-ms.author: dolmont
+ms.author: dansimp
---
# 1100(S): The event logging service has shut down.
diff --git a/windows/security/threat-protection/auditing/event-1102.md b/windows/security/threat-protection/auditing/event-1102.md
index 1edce314ef..c1d44d55e0 100644
--- a/windows/security/threat-protection/auditing/event-1102.md
+++ b/windows/security/threat-protection/auditing/event-1102.md
@@ -6,11 +6,11 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
-ms.author: dolmont
+ms.author: dansimp
---
# 1102(S): The audit log was cleared.
diff --git a/windows/security/threat-protection/auditing/event-1104.md b/windows/security/threat-protection/auditing/event-1104.md
index d70f00eeb9..5854f68b90 100644
--- a/windows/security/threat-protection/auditing/event-1104.md
+++ b/windows/security/threat-protection/auditing/event-1104.md
@@ -6,11 +6,11 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
-ms.author: dolmont
+ms.author: dansimp
---
# 1104(S): The security log is now full.
diff --git a/windows/security/threat-protection/auditing/event-4612.md b/windows/security/threat-protection/auditing/event-4612.md
index 163c584492..2ca7cca35a 100644
--- a/windows/security/threat-protection/auditing/event-4612.md
+++ b/windows/security/threat-protection/auditing/event-4612.md
@@ -30,9 +30,9 @@ There is no example of this event in this document.
***Event Schema:***
-*Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits. *
+*Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.*
-*Number of audit messages discarded: %1 *
+*Number of audit messages discarded: %1*
*This event is generated when audit queues are filled and events must be discarded. This most commonly occurs when security events are being generated faster than they are being written to disk, or when the auditing system loses connectivity to the event log, such as when the event log service is stopped.*
diff --git a/windows/security/threat-protection/auditing/event-4615.md b/windows/security/threat-protection/auditing/event-4615.md
index be8925c8ba..9231f28b82 100644
--- a/windows/security/threat-protection/auditing/event-4615.md
+++ b/windows/security/threat-protection/auditing/event-4615.md
@@ -48,7 +48,7 @@ It appears that this event never occurs.
*LPC Server Port Name:%6*
-*Windows Local Security Authority (LSA) communicates with the Windows kernel using Local Procedure Call (LPC) ports. If you see this event, an application has inadvertently or intentionally accessed this port which is reserved exclusively for LSA’s use. The application (process) should be investigated to ensure that it is not attempting to tamper with this communications channel." *
+*Windows Local Security Authority (LSA) communicates with the Windows kernel using Local Procedure Call (LPC) ports. If you see this event, an application has inadvertently or intentionally accessed this port which is reserved exclusively for LSA’s use. The application (process) should be investigated to ensure that it is not attempting to tamper with this communications channel."*
***Required Server Roles:*** None.
diff --git a/windows/security/threat-protection/auditing/event-4624.md b/windows/security/threat-protection/auditing/event-4624.md
index f3c3ed088b..2ca7e8267c 100644
--- a/windows/security/threat-protection/auditing/event-4624.md
+++ b/windows/security/threat-protection/auditing/event-4624.md
@@ -138,7 +138,7 @@ This event generates when a logon session is created (on destination machine). I
- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4672](event-4672.md)(S): Special privileges assigned to new logon.”
-**Logon Information** \[Version 2\]**: **
+**Logon Information** \[Version 2\]**:**
- **Logon Type** \[Version 0, 1, 2\] \[Type = UInt32\]**:** the type of logon which was performed. The table below contains the list of possible values for this field.
diff --git a/windows/security/threat-protection/auditing/event-4670.md b/windows/security/threat-protection/auditing/event-4670.md
index 95a2dfe34f..45dcd000c9 100644
--- a/windows/security/threat-protection/auditing/event-4670.md
+++ b/windows/security/threat-protection/auditing/event-4670.md
@@ -142,7 +142,7 @@ Before this event can generate, certain ACEs might need to be set in the object
- **New Security Descriptor** \[Type = UnicodeString\]**:** the new Security Descriptor Definition Language (SDDL) value for the object.
-> **Note** The ** Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor.
+> **Note** The **Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor.
>
> Example:
>
diff --git a/windows/security/threat-protection/auditing/event-4688.md b/windows/security/threat-protection/auditing/event-4688.md
index 8e1fe42fab..94d84a85cf 100644
--- a/windows/security/threat-protection/auditing/event-4688.md
+++ b/windows/security/threat-protection/auditing/event-4688.md
@@ -151,7 +151,7 @@ This event generates every time a new process starts.
- **New Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the new process.
-- **Token Elevation Type** \[Type = UnicodeString\]**: **
+- **Token Elevation Type** \[Type = UnicodeString\]**:**
- **TokenElevationTypeDefault (1):** Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account (for which UAC disabled by default), service account or local system account.
diff --git a/windows/security/threat-protection/auditing/event-4704.md b/windows/security/threat-protection/auditing/event-4704.md
index f9b06a7a3b..f78b83ef3c 100644
--- a/windows/security/threat-protection/auditing/event-4704.md
+++ b/windows/security/threat-protection/auditing/event-4704.md
@@ -99,7 +99,7 @@ You will see unique event for every user.
- **Account Name** \[Type = SID\]: the SID of security principal for which user rights were assigned. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-**New Right: **
+**New Right:**
- **User Right** \[Type = UnicodeString\]: the list of assigned user rights. This event generates only for *user* rights, not logon rights. Here is the list of possible user rights:
diff --git a/windows/security/threat-protection/auditing/event-4705.md b/windows/security/threat-protection/auditing/event-4705.md
index d009b73786..09c240e026 100644
--- a/windows/security/threat-protection/auditing/event-4705.md
+++ b/windows/security/threat-protection/auditing/event-4705.md
@@ -99,7 +99,7 @@ You will see unique event for every user.
- **Account Name** \[Type = SID\]: the SID of security principal for which user rights were removed. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-**Removed Right: **
+**Removed Right:**
- **User Right** \[Type = UnicodeString\]: the list of removed user rights. This event generates only for *user* rights, not logon rights. Here is the list of possible user rights:
diff --git a/windows/security/threat-protection/auditing/event-4715.md b/windows/security/threat-protection/auditing/event-4715.md
index 38d46d5ace..c51f51c999 100644
--- a/windows/security/threat-protection/auditing/event-4715.md
+++ b/windows/security/threat-protection/auditing/event-4715.md
@@ -100,7 +100,7 @@ This event is always logged regardless of the "Audit Policy Change" sub-category
- **New Security Descriptor** \[Type = UnicodeString\]**:** new Security Descriptor Definition Language (SDDL) value for the audit policy.
-> **Note** The ** Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor.
+> **Note** The **Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor.
>
> Example:
>
diff --git a/windows/security/threat-protection/auditing/event-4717.md b/windows/security/threat-protection/auditing/event-4717.md
index f04223bd5b..13f2c744aa 100644
--- a/windows/security/threat-protection/auditing/event-4717.md
+++ b/windows/security/threat-protection/auditing/event-4717.md
@@ -99,7 +99,7 @@ You will see unique event for every user if logon user rights were granted to mu
- **Account Name** \[Type = SID\]: the SID of the security principal for which logon right was granted. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-**Access Granted: **
+**Access Granted:**
- **Access Right** \[Type = UnicodeString\]: the name of granted logon right. This event generates only for [logon rights](https://technet.microsoft.com/library/cc728212(v=ws.10).aspx), which are as follows:
diff --git a/windows/security/threat-protection/auditing/event-4718.md b/windows/security/threat-protection/auditing/event-4718.md
index a86f9f5168..9bb398d835 100644
--- a/windows/security/threat-protection/auditing/event-4718.md
+++ b/windows/security/threat-protection/auditing/event-4718.md
@@ -99,7 +99,7 @@ You will see unique event for every user if logon user rights were removed for m
- **Account Name** \[Type = SID\]: the SID of the security principal for which logon right was removed. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-**Access Removed: **
+**Access Removed:**
- **Access Right** \[Type = UnicodeString\]: the name of removed logon right. This event generates only for [logon rights](https://technet.microsoft.com/library/cc728212(v=ws.10).aspx), which are as follows:
diff --git a/windows/security/threat-protection/auditing/event-4738.md b/windows/security/threat-protection/auditing/event-4738.md
index 8597d956a6..faa3dcf853 100644
--- a/windows/security/threat-protection/auditing/event-4738.md
+++ b/windows/security/threat-protection/auditing/event-4738.md
@@ -266,7 +266,7 @@ For 4738(S): A user account was changed.
|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| **Display Name**
**User Principal Name**
**Home Directory**
**Home Drive**
**Script Path**
**Profile Path**
**User Workstations**
**Password Last Set**
**Account Expires**
**Primary Group ID
Logon Hours** | We recommend monitoring all changes for these fields for critical domain and local accounts. |
| **Primary Group ID** is not 513 | Typically, the **Primary Group** value is 513 for domain and local users. Other values should be monitored. |
-| For user accounts for which the services list (on the **Delegation** tab) should not be empty: **AllowedToDelegateTo** is marked **<value not set> ** | If **AllowedToDelegateTo** is marked **<value not set>** on user accounts that previously had a services list (on the **Delegation** tab), it means the list was cleared. |
+| For user accounts for which the services list (on the **Delegation** tab) should not be empty: **AllowedToDelegateTo** is marked **<value not set>** | If **AllowedToDelegateTo** is marked **<value not set>** on user accounts that previously had a services list (on the **Delegation** tab), it means the list was cleared. |
| **SID History** is not - | This field will always be set to - unless the account was migrated from another domain. |
- Consider whether to track the following user account control flags:
diff --git a/windows/security/threat-protection/auditing/event-4742.md b/windows/security/threat-protection/auditing/event-4742.md
index 22ae105d96..b39135ee00 100644
--- a/windows/security/threat-protection/auditing/event-4742.md
+++ b/windows/security/threat-protection/auditing/event-4742.md
@@ -276,7 +276,7 @@ For 4742(S): A computer account was changed.
| **Display Name** is not -
**User Principal Name** is not -
**Home Directory** is not -
**Home Drive** is not -
**Script Path** is not -
**Profile Path** is not -
**User Workstations** is not -
**Account Expires** is not -
**Logon Hours** is not **-** | Typically these fields are **-** for computer accounts. Other values might indicate an anomaly and should be monitored. |
| **Password Last Set** changes occur more often than usual | Changes that are more frequent than the default (typically once a month) might indicate an anomaly or attack. |
| **Primary Group ID** is not 516, 521, or 515 | Typically, the **Primary Group ID** value is one of the following:
**516** for domain controllers
**521** for read only domain controllers (RODCs)
**515** for servers and workstations (domain computers)
Other values should be monitored. |
-| For computer accounts for which the services list (on the **Delegation** tab) should not be empty: **AllowedToDelegateTo** is marked **<value not set> ** | If **AllowedToDelegateTo** is marked **<value not set>** on computers that previously had a services list (on the **Delegation** tab), it means the list was cleared. |
+| For computer accounts for which the services list (on the **Delegation** tab) should not be empty: **AllowedToDelegateTo** is marked **<value not set>** | If **AllowedToDelegateTo** is marked **<value not set>** on computers that previously had a services list (on the **Delegation** tab), it means the list was cleared. |
| **SID History** is not - | This field will always be set to - unless the account was migrated from another domain. |
- Consider whether to track the following account control flags:
diff --git a/windows/security/threat-protection/auditing/event-4817.md b/windows/security/threat-protection/auditing/event-4817.md
index 74ffbb09b0..efdf01da8a 100644
--- a/windows/security/threat-protection/auditing/event-4817.md
+++ b/windows/security/threat-protection/auditing/event-4817.md
@@ -116,7 +116,7 @@ Separate events will be generated for “Registry” and “File system” polic
| Job | Port | FilterConnectionPort | |
| ALPC Port | Semaphore | Adapter | |
-- **Object Name: **
+- **Object Name:**
- Key – if “Registry” Global Object Access Auditing policy was changed.
@@ -128,7 +128,7 @@ Separate events will be generated for “Registry” and “File system” polic
- **New Security Descriptor** \[Type = UnicodeString\]**:** the new Security Descriptor Definition Language (SDDL) value for the Global Object Access Auditing policy.
-> **Note** The ** Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor.
+> **Note** The **Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor.
>
> Example:
>
diff --git a/windows/security/threat-protection/auditing/event-4864.md b/windows/security/threat-protection/auditing/event-4864.md
index e62c824d10..62ced88fe8 100644
--- a/windows/security/threat-protection/auditing/event-4864.md
+++ b/windows/security/threat-protection/auditing/event-4864.md
@@ -44,7 +44,7 @@ There is no example of this event in this document.
*Security ID:%7*
-*New Flags:%8 *
+*New Flags:%8*
***Required Server Roles:*** Active Directory domain controller.
diff --git a/windows/security/threat-protection/auditing/event-4907.md b/windows/security/threat-protection/auditing/event-4907.md
index f74c140ce4..34454c6d14 100644
--- a/windows/security/threat-protection/auditing/event-4907.md
+++ b/windows/security/threat-protection/auditing/event-4907.md
@@ -159,7 +159,7 @@ This event doesn't generate for Active Directory objects.
- **New Security Descriptor** \[Type = UnicodeString\]**:** the new Security Descriptor Definition Language (SDDL) value for the object.
-> **Note** The ** Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor.
+> **Note** The **Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor.
>
> Example:
>
diff --git a/windows/security/threat-protection/auditing/event-4911.md b/windows/security/threat-protection/auditing/event-4911.md
index cc73362f36..d385a72649 100644
--- a/windows/security/threat-protection/auditing/event-4911.md
+++ b/windows/security/threat-protection/auditing/event-4911.md
@@ -152,7 +152,7 @@ Resource attributes for file or folder can be changed, for example, using Window
- **New Security Descriptor** \[Type = UnicodeString\]**:** the Security Descriptor Definition Language (SDDL) value for the new resource attributes. See more information in **Resource Attributes\\Original Security Descriptor** field section for this event.
-> **Note** The ** Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor.
+> **Note** The **Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor.
>
> Example:
>
diff --git a/windows/security/threat-protection/auditing/event-4913.md b/windows/security/threat-protection/auditing/event-4913.md
index f8dcd9f29b..3be7e9bec3 100644
--- a/windows/security/threat-protection/auditing/event-4913.md
+++ b/windows/security/threat-protection/auditing/event-4913.md
@@ -156,7 +156,7 @@ This event always generates, regardless of the object’s [SACL](https://msdn.mi
- **New Security Descriptor** \[Type = UnicodeString\]**:** the Security Descriptor Definition Language (SDDL) value for the new Central Policy ID (for the policy that has been applied to the object). See more information in **Central Policy ID\\Original Security Descriptor** field section for this event.
-> **Note** The ** Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor.
+> **Note** The **Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor.
>
> Example:
>
diff --git a/windows/security/threat-protection/auditing/event-5143.md b/windows/security/threat-protection/auditing/event-5143.md
index 81e6052b16..c7f46521ae 100644
--- a/windows/security/threat-protection/auditing/event-5143.md
+++ b/windows/security/threat-protection/auditing/event-5143.md
@@ -141,7 +141,7 @@ This event generates every time network share object was modified.
- **New SD** \[Type = UnicodeString\]**:** the new Security Descriptor Definition Language (SDDL) value for network share security descriptor.
-> **Note** The ** Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor.
+> **Note** The **Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor.
>
> Example:
>
diff --git a/windows/security/threat-protection/auditing/event-5145.md b/windows/security/threat-protection/auditing/event-5145.md
index 696faaadce..f5ec73669e 100644
--- a/windows/security/threat-protection/auditing/event-5145.md
+++ b/windows/security/threat-protection/auditing/event-5145.md
@@ -177,7 +177,7 @@ REQUESTED\_ACCESS: RESULT ACE\_WHICH\_ ALLOWED\_OR\_DENIED\_ACCESS.
- ACE\_WHICH\_ ALLOWED\_OR\_DENIED\_ACCESS: the Security Descriptor Definition Language (SDDL) value for Access Control Entry (ACE), which granted or denied access.
-> **Note** The ** Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor.
+> **Note** The **Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor.
>
> Example:
>
diff --git a/windows/security/threat-protection/auditing/event-5150.md b/windows/security/threat-protection/auditing/event-5150.md
index 4d84e4bb68..c1f8d98680 100644
--- a/windows/security/threat-protection/auditing/event-5150.md
+++ b/windows/security/threat-protection/auditing/event-5150.md
@@ -52,7 +52,7 @@ There is no example of this event in this document.
>
> *Layer Name:%9*
>
-> *Layer Run-Time ID:%10 *
+> *Layer Run-Time ID:%10*
***Required Server Roles:*** None.
diff --git a/windows/security/threat-protection/auditing/event-5151.md b/windows/security/threat-protection/auditing/event-5151.md
index 25faaeb212..699a093def 100644
--- a/windows/security/threat-protection/auditing/event-5151.md
+++ b/windows/security/threat-protection/auditing/event-5151.md
@@ -52,7 +52,7 @@ There is no example of this event in this document.
>
> *Layer Name:%9*
>
-> *Layer Run-Time ID:%10 *
+> *Layer Run-Time ID:%10*
***Required Server Roles:*** None.
diff --git a/windows/security/threat-protection/auditing/event-5155.md b/windows/security/threat-protection/auditing/event-5155.md
index 934f310147..9964b6f390 100644
--- a/windows/security/threat-protection/auditing/event-5155.md
+++ b/windows/security/threat-protection/auditing/event-5155.md
@@ -24,35 +24,46 @@ By default Windows firewall won't prevent a port from being listened by an appli
You can add your own filters using the WFP APIs to block listen to reproduce this event:
-> *Process ID:%1*
->
-> *Application Name:%2*
-
-*Network Information:*
-
-> *Source Address:%3*
->
-> *Source Port:%4*
->
-> *Protocol:%5*
-
-*Filter Information:*
-
-> *Filter Run-Time ID:%6*
->
-> *Layer Name:%7*
->
-> *Layer Run-Time ID:%8*
+***Event XML:***
+```xml
+
+
+ If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
+
+ You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**.
+
+
+
+- **Application Name** \[Type = UnicodeString\]**:** Full path and the name of the executable for the process.
+
+ Logical disk is displayed in the format \\device\\harddiskvolume\#. You can get all local volume numbers by using the **diskpart** utility. The command to get volume numbers using diskpart is “**list volume**”:
+
+
+
+**Network Information:**
+
+- **Source Address** \[Type = UnicodeString\]**:** The local IP address of the computer running the application.
+
+ - IPv4 Address
+
+ - IPv6 Address
+
+ - :: - all IP addresses in IPv6 format
+
+ - 0.0.0.0 - all IP addresses in IPv4 format
+
+ - 127.0.0.1 , ::1 - localhost
+
+- **Source Port** \[Type = UnicodeString\]**:** The port number used by the application.
+
+- **Protocol** \[Type = UInt32\]: the protocol number being used.
+
+| Service | Protocol Number |
+|----------------------------------------------------|-----------------|
+| Internet Control Message Protocol (ICMP) | 1 |
+| Transmission Control Protocol (TCP) | 6 |
+| User Datagram Protocol (UDP) | 17 |
+| General Routing Encapsulation (PPTP data over GRE) | 47 |
+| Authentication Header (AH) IPSec | 51 |
+| Encapsulation Security Payload (ESP) IPSec | 50 |
+| Exterior Gateway Protocol (EGP) | 8 |
+| Gateway-Gateway Protocol (GGP) | 3 |
+| Host Monitoring Protocol (HMP) | 20 |
+| Internet Group Management Protocol (IGMP) | 88 |
+| MIT Remote Virtual Disk (RVD) | 66 |
+| OSPF Open Shortest Path First | 89 |
+| PARC Universal Packet Protocol (PUP) | 12 |
+| Reliable Datagram Protocol (RDP) | 27 |
+| Reservation Protocol (RSVP) QoS | 46 |
+
+**Filter Information:**
+
+- **Filter Run-Time ID** \[Type = UInt64\]: A unique filter ID which blocks the application from binding to the port. By default, Windows firewall won't prevent a port from binding to an application, and if this application doesn’t match any filters, you will get a 0 value in this field.
+
+ To find a specific Windows Filtering Platform filter by ID, you need to execute the following command: **netsh wfp show filters**. As a result of this command, a **filters.xml** file will be generated. You need to open this file and find the specific substring with the required filter ID (**<filterId>**), for example:
+
+ 
+
+- **Layer Name** \[Type = UnicodeString\]: [Application Layer Enforcement](https://msdn.microsoft.com/library/windows/desktop/aa363971(v=vs.85).aspx) layer name.
+
+- **Layer Run-Time ID** \[Type = UInt64\]: Windows Filtering Platform layer identifier. To find a specific Windows Filtering Platform layer ID, you need to execute the following command: **netsh wfp show state**. As result of this command, a **wfpstate.xml** file will be generated. You need to open this file and find the specific substring with the required layer ID (**<layerId>**), for example:
+
+
+
## Security Monitoring Recommendations
- If you use Windows Filtering Platform APIs to block application or services from listening on a port, then you can use this event for troubleshooting and monitoring.
diff --git a/windows/security/threat-protection/auditing/event-6400.md b/windows/security/threat-protection/auditing/event-6400.md
index d018fdee5e..7a379132bc 100644
--- a/windows/security/threat-protection/auditing/event-6400.md
+++ b/windows/security/threat-protection/auditing/event-6400.md
@@ -30,7 +30,7 @@ There is no example of this event in this document.
*BranchCache: Received an incorrectly formatted response while discovering availability of content.*
-*IP address of the client that sent this response:%1 *
+*IP address of the client that sent this response:%1*
***Required Server Roles:*** None.
diff --git a/windows/security/threat-protection/auditing/event-6401.md b/windows/security/threat-protection/auditing/event-6401.md
index 9f647bcec8..1ce4c083dd 100644
--- a/windows/security/threat-protection/auditing/event-6401.md
+++ b/windows/security/threat-protection/auditing/event-6401.md
@@ -28,7 +28,7 @@ There is no example of this event in this document.
***Event Schema:***
-*BranchCache: Received invalid data from a peer. Data discarded. *
+*BranchCache: Received invalid data from a peer. Data discarded.*
*IP address of the client that sent this data:%1*
diff --git a/windows/security/threat-protection/auditing/event-6402.md b/windows/security/threat-protection/auditing/event-6402.md
index 5002d2167c..dde20455d3 100644
--- a/windows/security/threat-protection/auditing/event-6402.md
+++ b/windows/security/threat-protection/auditing/event-6402.md
@@ -28,7 +28,7 @@ There is no example of this event in this document.
***Event Schema:***
-*BranchCache: The message to the hosted cache offering it data is incorrectly formatted. *
+*BranchCache: The message to the hosted cache offering it data is incorrectly formatted.*
*IP address of the client that sent this message: %1*
diff --git a/windows/security/threat-protection/auditing/event-6403.md b/windows/security/threat-protection/auditing/event-6403.md
index 29629cb6a7..e8020581ad 100644
--- a/windows/security/threat-protection/auditing/event-6403.md
+++ b/windows/security/threat-protection/auditing/event-6403.md
@@ -28,7 +28,7 @@ There is no example of this event in this document.
***Event Schema:***
-*BranchCache: The hosted cache sent an incorrectly formatted response to the client’s message to offer it data. *
+*BranchCache: The hosted cache sent an incorrectly formatted response to the client’s message to offer it data.*
*Domain name of the hosted cache is:%1*
diff --git a/windows/security/threat-protection/auditing/event-6404.md b/windows/security/threat-protection/auditing/event-6404.md
index 0505b241b2..43228f26be 100644
--- a/windows/security/threat-protection/auditing/event-6404.md
+++ b/windows/security/threat-protection/auditing/event-6404.md
@@ -28,7 +28,7 @@ There is no example of this event in this document.
***Event Schema:***
-*BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate. *
+*BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate.*
*Domain name of the hosted cache:%1*
diff --git a/windows/security/threat-protection/auditing/event-6409.md b/windows/security/threat-protection/auditing/event-6409.md
index 8f28ea3891..e1f76dbf69 100644
--- a/windows/security/threat-protection/auditing/event-6409.md
+++ b/windows/security/threat-protection/auditing/event-6409.md
@@ -28,7 +28,7 @@ There is no example of this event in this document.
***Event Schema:***
-*BranchCache: A service connection point object could not be parsed. *
+*BranchCache: A service connection point object could not be parsed.*
*SCP object GUID: %1*
diff --git a/windows/security/threat-protection/block-untrusted-fonts-in-enterprise.md b/windows/security/threat-protection/block-untrusted-fonts-in-enterprise.md
index 99b2a8e507..70362c9d1c 100644
--- a/windows/security/threat-protection/block-untrusted-fonts-in-enterprise.md
+++ b/windows/security/threat-protection/block-untrusted-fonts-in-enterprise.md
@@ -10,7 +10,7 @@ ms.mktglfcycl: deploy
ms.pagetype: security
ms.sitesec: library
author: dulcemontemayor
-ms.author: dolmont
+ms.author: dansimp
ms.date: 08/14/2017
ms.localizationpriority: medium
---
@@ -21,7 +21,7 @@ ms.localizationpriority: medium
- Windows 10
->Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare).
+>Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/WindowsForBusiness/Compare).
To help protect your company from attacks which may originate from untrusted or attacker controlled font files, we’ve created the Blocking Untrusted Fonts feature. Using this feature, you can turn on a global setting that stops your employees from loading untrusted fonts processed using the Graphics Device Interface (GDI) onto your network. Untrusted fonts are any font installed outside of the `%windir%/Fonts` directory. Blocking untrusted fonts helps prevent both remote (web-based or email-based) and local EOP attacks that can happen during the font file-parsing process.
diff --git a/windows/security/threat-protection/change-history-for-threat-protection.md b/windows/security/threat-protection/change-history-for-threat-protection.md
index 7c5320ff0d..af17bfed1e 100644
--- a/windows/security/threat-protection/change-history-for-threat-protection.md
+++ b/windows/security/threat-protection/change-history-for-threat-protection.md
@@ -1,7 +1,7 @@
---
title: Change history for [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
ms.reviewer:
-ms.author: dolmont
+ms.author: dansimp
description: This topic lists new and updated topics in the WWindows Defender ATP content set.
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md b/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md
index e8f58439cb..2c39b15201 100644
--- a/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md
+++ b/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md
@@ -6,43 +6,62 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-ms.author: daniha
-author: danihalfin
-ms.date: 02/22/2019
-ms.reviewer:
+ms.author: dansimp
+author: dansimp
+ms.date: 09/12/2019
+ms.reviewer: dansimp
manager: dansimp
audience: ITPro
---
-# How to control USB devices and other removable media using Windows Defender ATP
+# How to control USB devices and other removable media using Microsoft Defender ATP
-**Applies to:** [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-Microsoft recommends [a layered approach to securing removable media](https://aka.ms/devicecontrolblog), and Windows Defender ATP provides multiple monitoring and control features to help prevent threats in unauthorized peripherals from compromising your devices:
+Microsoft recommends [a layered approach to securing removable media](https://aka.ms/devicecontrolblog), and Microsoft Defender ATP provides multiple monitoring and control features to help prevent threats in unauthorized peripherals from compromising your devices:
-1. [Prevent threats from removable storage](#prevent-threats-from-removable-storage) introduced by removable storage devices by enabling:
- - [Windows Defender Antivirus real-time protection (RTP)](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus) to scan removable storage for malware.
- - The [Exploit Guard Attack Surface Reduction (ASR) USB rule](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard) to block untrusted and unsigned processes that run from USB.
- - [Direct Memory Access (DMA) protection settings](#protect-against-direct-memory-access-dma-attacks) to mitigate DMA attacks, including [Kernel DMA Protection for Thunderbolt](https://docs.microsoft.com/windows/security/information-protection/kernel-dma-protection-for-thunderbolt) and blocking DMA until a user signs in.
-
-2. [Detect plug and play connected events for peripherals in Windows Defender ATP advanced hunting](#detect-plug-and-play-connected-events)
- - Identify or investigate suspicious usage activity. Create customized alerts based on these PnP events or any other Windows Defender ATP events with [custom detection rules](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/custom-detection-rules).
+1. [Prevent threats from removable storage](#prevent-threats-from-removable-storage) introduced by removable storage devices by enabling:
+ - [Windows Defender Antivirus real-time protection (RTP)](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus) to scan removable storage for malware.
+ - The [Attack Surface Reduction (ASR) USB rule](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard) to block untrusted and unsigned processes that run from USB.
+ - [Direct Memory Access (DMA) protection settings](#protect-against-direct-memory-access-dma-attacks) to mitigate DMA attacks, including [Kernel DMA Protection for Thunderbolt](https://docs.microsoft.com/windows/security/information-protection/kernel-dma-protection-for-thunderbolt) and blocking DMA until a user signs in.
+
+2. [Detect plug and play connected events for peripherals in Microsoft Defender ATP advanced hunting](#detect-plug-and-play-connected-events)
+ - Identify or investigate suspicious usage activity. Create customized alerts based on these PnP events or any other Microsoft Defender ATP events with [custom detection rules](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/custom-detection-rules).
3. [Respond to threats](#respond-to-threats) from peripherals in real-time based on properties reported by each peripheral:
- - Granular configuration to deny write access to removable disks and approve or deny devices by USB vendor code, product code, device IDs, or a combination.
- - Flexible policy assignment of device installation settings based on an individual or group of Azure Active Directory (Azure AD) users and devices.
-
-![Create device configuration profile]
-These threat reduction measures help prevent malware from coming into your environment. To protect enterprise data from leaving your environment, you can also configure data loss prevention measures. For example, on Windows 10 devices you can configure [BitLocker](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-overview) and [Windows Information Protection](https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure), which will encrypt company data even if it is stored on a personal device, or use the [Storage/RemovableDiskDenyWriteAccess CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-storage#storage-removablediskdenywriteaccess) to deny write access to removable disks. Additionally, you can [classify and protect files on Windows devices](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/information-protection-in-windows-overview) (including their mounted USB devices) by using Windows Defender ATP and Azure Information Protection.
+ - Granular configuration to deny write access to removable disks and approve or deny devices by USB vendor code, product code, device IDs, or a combination.
+ - Flexible policy assignment of device installation settings based on an individual or group of Azure Active Directory (Azure AD) users and devices.
+>[!Note]
+>These threat reduction measures help prevent malware from coming into your environment. To protect enterprise data from leaving your environment, you can also configure data loss prevention measures. For example, on Windows 10 devices you can configure [BitLocker](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-overview) and [Windows Information Protection](https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure), which will encrypt company data even if it is stored on a personal device, or use the [Storage/RemovableDiskDenyWriteAccess CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-storage#storage-removablediskdenywriteaccess) to deny write access to removable disks. Additionally, you can [classify and protect files on Windows devices](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/information-protection-in-windows-overview) (including their mounted USB devices) by using Microsoft Defender ATP and Azure Information Protection.
## Prevent threats from removable storage
-Windows Defender ATP can help identify and block malicious files on allowed removable storage peripherals.
+Removable storage devices can introduce additional security risk to your organization. Microsoft Defender ATP can help identify and block malicious files on removable storage devices.
-### Enable Windows Defender Antivirus Scanning
+Microsoft Defender ATP can also prevent USB peripherals from being used on devices to help prevent external threats. It does this by using the properties reported by USB peripherals to determine whether or not they can be installed and used on the device.
-Protecting authorized removable storage with Windows Defender Antivirus requires [enabling real-time protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus) or scheduling scans and configuring removable drives for scans.
+Note that if you block USB devices or any other device classes using the device installation policies, connected devices, such as phones, can still charge.
+
+>[!NOTE]
+>Always test and refine these settings with a pilot group of users and devices first before widely distributing to your organization.
+
+The following table describes the ways Microsoft Defender ATP can help prevent installation and usage of USB peripherals.
+
+For more information about controlling USB devices, see the [Microsoft Defender ATP blog](https://aka.ms/devicecontrolblog).
+
+| Control | Description |
+|----------|-------------|
+| [Block installation and usage of removable storage](#block-installation-and-usage-of-removable-storage) | Users can't install or use removable storage |
+| [Only allow installation and usage of specifically approved peripherals](#only-allow-installation-and-usage-of-specifically-approved-peripherals) | Users can only install and use approved peripherals that report specific properties in their firmware |
+| [Prevent installation of specifically prohibited peripherals](#prevent-installation-of-specifically-prohibited-peripherals) | Users can't install or use prohibited peripherals that report specific properties in their firmware |
+
+>[!NOTE]
+>Because an unauthorized USB peripheral can have firmware that spoofs its USB properties, we recommend only allowing specifically approved USB peripherals and limiting the users who can access them.
+
+### Enable Windows Defender Antivirus Scanning
+
+Protecting authorized removable storage with Windows Defender Antivirus requires [enabling real-time protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus) or scheduling scans and configuring removable drives for scans.
- If real-time protection is enabled, files are scanned before they are accessed and executed. The scanning scope includes all files, including those on mounted removable devices such as USB drives. You can optionally [run a PowerShell script to perform a custom scan](https://aka.ms/scanusb) of a USB drive after it is mounted, so that Windows Defender Antivirus starts scanning all files on a removable device once the removable device is attached. However, we recommend enabling real-time protection for improved scanning performance, especially for large storage devices.
- If scheduled scans are used, then you need to disable the DisableRemovableDriveScanning setting (enabled by default) to scan the removable device during a full scan. Removable devices are scanned during a quick or custom scan regardless of the DisableRemovableDriveScanning setting.
@@ -50,37 +69,37 @@ Protecting authorized removable storage with Windows Defender Antivirus requires
>[!NOTE]
>We recommend enabling real-time monitoring for scanning. In Intune, you can enable real-time monitoring for Windows 10 in **Device Restrictions** > **Configure** > **Windows Defender Antivirus** > **Real-time monitoring**.
-
### Block untrusted and unsigned processes on USB peripherals
-End-users might plug in removable devices that are infected with malware.
-To prevent infections, a company can block USB files that are unsigned or untrusted.
-Alternatively, companies can leverage the audit feature of attack surface reduction rules to monitor the activity of untrusted and unsigned processes that execute on a USB peripheral.
-This can be done by setting **Untrusted and unsigned processes that run from USB** to either **Block** or **Audit only**, respectively.
-With this rule, admins can prevent or audit unsigned or untrusted executable files from running from USB removable drives, including SD cards.
+End-users might plug in removable devices that are infected with malware.
+To prevent infections, a company can block USB files that are unsigned or untrusted.
+Alternatively, companies can leverage the audit feature of attack surface reduction rules to monitor the activity of untrusted and unsigned processes that execute on a USB peripheral.
+This can be done by setting **Untrusted and unsigned processes that run from USB** to either **Block** or **Audit only**, respectively.
+With this rule, admins can prevent or audit unsigned or untrusted executable files from running from USB removable drives, including SD cards.
Affected file types include executable files (such as .exe, .dll, or .scr) and script files such as a PowerShell (.ps), VisualBasic (.vbs), or JavaScript (.js) files.
-These settings require [enabling real-time protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus).
+These settings require [enabling real-time protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus).
1. Sign in to the [Microsoft Azure portal](https://portal.azure.com/).
-2. Click **Intune** > **Device configuration** > **Profiles** > **Create profile**.
+2. Click **Intune** > **Device configuration** > **Profiles** > **Create profile**.
3. Use the following settings:
- - Name: Type a name for the profile
- - Description: Type a description
- - Platform: Windows 10 or later
- - Profile type: Endpoint protection
+ - Name: Type a name for the profile
+ - Description: Type a description
+ - Platform: Windows 10 or later
+ - Profile type: Endpoint protection
-4. Click **Configure** > **Windows Defender Exploit Guard** > **Attack Surface Reduction**.
+4. Click **Configure** > **Windows Defender Exploit Guard** > **Attack Surface Reduction**.
-5. For **Unsigned and untrusted processes that run from USB**, choose **Block**.
+5. For **Unsigned and untrusted processes that run from USB**, choose **Block**.
@@ -92,13 +111,13 @@ These settings require [enabling real-time protection](https://docs.microsoft.co
DMA attacks can lead to disclosure of sensitive information residing on a PC, or even injection of malware that allows attackers to bypass the lock screen or control PCs remotely. The following settings help to prevent DMA attacks:
-1. Beginning with Windows 10 version 1803, Microsoft introduced [Kernel DMA Protection for Thunderbolt](https://docs.microsoft.com/windows/security/information-protection/kernel-dma-protection-for-thunderbolt) to provide native protection against DMA attacks via Thunderbolt ports. Kernel DMA Protection for Thunderbolt is enabled by system manufacturers and cannot be turned on or off by users.
+1. Beginning with Windows 10 version 1803, Microsoft introduced [Kernel DMA Protection for Thunderbolt](https://docs.microsoft.com/windows/security/information-protection/kernel-dma-protection-for-thunderbolt) to provide native protection against DMA attacks via Thunderbolt ports. Kernel DMA Protection for Thunderbolt is enabled by system manufacturers and cannot be turned on or off by users.
Beginning with Windows 10 version 1809, you can adjust the level of Kernel DMA Protection by configuring the [DMA Guard CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-dmaguard#dmaguard-deviceenumerationpolicy). This is an additional control for peripherals that don't support device memory isolation (also known as DMA-remapping). Memory isolation allows the OS to leverage the I/O Memory Management Unit (IOMMU) of a device to block unallowed I/O, or memory access, by the peripheral (memory sandboxing). In other words, the OS assigns a certain memory range to the peripheral. If the peripheral attempts to read/write to memory outside of the assigned range, the OS blocks it.
-
- Peripherals that support device memory isolation can always connect. Peripherals that don't can be blocked, allowed, or allowed only after the user signs in (default).
-2. On Windows 10 systems that do not suppprt Kernel DMA Protection, you can:
+ Peripherals that support device memory isolation can always connect. Peripherals that don't can be blocked, allowed, or allowed only after the user signs in (default).
+
+2. On Windows 10 systems that do not support Kernel DMA Protection, you can:
- [Block DMA until a user signs in](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-dataprotection#dataprotection-allowdirectmemoryaccess)
- [Block all connections via the Thunderbolt ports (including USB devices)](https://support.microsoft.com/help/2516445/blocking-the-sbp-2-driver-and-thunderbolt-controllers-to-reduce-1394-d)
@@ -107,107 +126,77 @@ DMA attacks can lead to disclosure of sensitive information residing on a PC, or
To prevent malware infections or data loss, an organization may restrict USB drives and other peripherals. The following table describes the ways Microsoft Defender Advanced Threat Protection can help prevent installation and usage of USB drives and other peripherals.
-| Control | Description |
-|----------|-------------|
-| Allow installation and usage of USB drives and other peripherals | Allow users to install only the USB drives and other peripherals included on a list of authorized devices or device types |
-| Prevent installation and usage of USB drives and other peripherals| Prevent users from installing USB drives and other peripherals included on a list of unauthorized devices and device types |
+ Control | Description
+-|-
+ Allow installation and usage of USB drives and other peripherals | Allow users to install only the USB drives and other peripherals included on a list of authorized devices or device types
+ Prevent installation and usage of USB drives and other peripherals | Prevent users from installing USB drives and other peripherals included on a list of unauthorized devices and device types
-All of the above controls can be set through the Intune [Administrative Templates](https://docs.microsoft.com/en-us/intune/administrative-templates-windows). The relevant policies are located here in the Intune Administrator Templates:
+All of the above controls can be set through the Intune [Administrative Templates](https://docs.microsoft.com/intune/administrative-templates-windows). The relevant policies are located here in the Intune Administrator Templates:
-
+
>[!Note]
>Using Intune, you can apply device configuration policies to AAD user and/or device groups.
-The above policies can also be set through the [Device Installation CSP settings](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deviceinstallation) and the [Device Installation GPOs](https://docs.microsoft.com/en-us/previous-versions/dotnet/articles/bb530324(v=msdn.10)).
+The above policies can also be set through the [Device Installation CSP settings](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation) and the [Device Installation GPOs](https://docs.microsoft.com/previous-versions/dotnet/articles/bb530324(v=msdn.10)).
->[!Note]
->Always test and refine these settings with a pilot group of users and devices first before applying them in production.
-For more information about controlling USB devices, see the [Microsoft Secure blog "WDATP has protections for USB and removable devices"](https://www.microsoft.com/security/blog/2018/12/19/windows-defender-atp-has-protections-for-usb-and-removable-devices/).
+> [!Note]
+> Always test and refine these settings with a pilot group of users and devices first before applying them in production.
+For more information about controlling USB devices, see the [Microsoft Defender ATP blog](https://www.microsoft.com/security/blog/2018/12/19/windows-defender-atp-has-protections-for-usb-and-removable-devices/).
### Allow installation and usage of USB drives and other peripherals
-One way to approach allowing installation and usage of USB drives and other peripherals is to start by allowing everything. Afterwards, you can start reducing the allowable USB drivers and other peripherals.
+One way to approach allowing installation and usage of USB drives and other peripherals is to start by allowing everything. Afterwards, you can start reducing the allowable USB drivers and other peripherals.
>[!Note]
>Because an unauthorized USB peripheral can have firmware that spoofs its USB properties, we recommend only allowing specifically approved USB peripherals and limiting the users who can access them.
->1. Enable **prevent installation of devices not described by other policy settings** to all users.
->2. Enable **allow installation of devices using drivers that match these device setup classes** for all [device setup classes](https://docs.microsoft.com/en-us/windows-hardware/drivers/install/system-defined-device-setup-classes-available-to-vendors).
+>
+>1. Enable **prevent installation of devices not described by other policy settings** to all users.
+>2. Enable **allow installation of devices using drivers that match these device setup classes** for all [device setup classes](https://docs.microsoft.com/windows-hardware/drivers/install/system-defined-device-setup-classes-available-to-vendors).
To enforce the policy for already installed devices, apply the prevent policies that have this setting.
+When configuring the allow device installation policy, you will need to allow all parent attributes as well. You can view the parents of a device by opening device manager and view by connection.
+
+
+
+In this example, the following classes needed to be added: HID, Keyboard, and {36fc9e60-c465-11cf-8056-444553540000}. More information on [Microsoft-provided USB drivers](https://docs.microsoft.com/windows-hardware/drivers/usbcon/supported-usb-classes).
+
+
+
If you want to restrict to certain devices, remove the device setup class of the peripheral that you want to limit. Then add the device id that you want to add. For example,
-1. Remove class USBDevice from the **allow installation of devices using drivers that match these device setup**
-2. Add the VID/PID to allow in the **allow installation of device that match any of these device IDs**
+1. Remove class USBDevice from the **allow installation of devices using drivers that match these device setup**
+2. Add the VID/PID to allow in the **allow installation of device that match any of these device IDs**
->[!Note]
->How to locate the VID/PID: Using Device Manager; right click on the device and select properties. Click details tab, click property drop down list, and choose hardware Ids. Right click the top ID value and select copy.
+> [!Note]
+> How to locate the VID/PID: Using Device Manager; right click on the device and select properties. Click details tab, click property drop down list, and choose hardware Ids. Right click the top ID value and select copy.
>Using PowerShell: Get-WMIObject -Class Win32_DiskDrive |
Select-Object -Property *
->For the typical format for the USB ID please reference the following link; (https://docs.microsoft.com/en-us/windows-hardware/drivers/install/standard-usb-identifiers)
+>For the typical format for the USB ID please reference the following link; (https://docs.microsoft.com/windows-hardware/drivers/install/standard-usb-identifiers)
### Prevent installation and usage of USB drives and other peripherals
-If you want to prevent a device class or certain devices, you can use the prevent device installation policies.
-1. Enable **Prevent installation of devices that match any of these device IDs**.
-2. Enable the **Prevent installation of devices that match these device setup classes policy**.
+If you want to prevent a device class or certain devices, you can use the prevent device installation policies.
->[!Note]
->The prevent device installation policies take precedence over the allow device installation policies.
+1. Enable **Prevent installation of devices that match any of these device IDs**.
+2. Enable the **Prevent installation of devices that match these device setup classes policy**.
-### Security Baseline
-
-The Microsoft Defender Advanced Threat Protection (ATP) baseline settings, represent the recommended configuration for ATP. Configuration settings for baseline are located here in the edit profile page of the configuration settings.
-
-
-
-### Bluetooth
-
-Using Intune, you can limited the services that can use Bluetooth through the “Bluetooth allowed services”. The default state of “Bluetooth allowed services” settings means everything is allowed. As soon as a service is added, that becomes the allowed list. If the customer adds the Keyboards and Mice values, and don’t add the file transfer GUIDs, file transfer should be blocked.
-
-
-
-
-
-
-## Detect plug and play connected events
-
-You can view plug and play connected events in Windows Defender ATP advanced hunting to identify suspicious usage activity or perform internal investigations.
-For examples of Windows Defender ATP advanced hunting queries, see the [Windows Defender ATP hunting queries GitHub repo](https://github.com/Microsoft/WindowsDefenderATP-Hunting-Queries).
-Based on any Windows Defender ATP event, including the plug and play events, you can create custom alerts using the Windows Defender ATP [custom detection rule feature](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/custom-detection-rules).
-
-## Respond to threats
-
-Windows Defender ATP can prevent USB peripherals from being used on devices to help prevent external threats. It does this by using the properties reported by USB peripherals to determine whether or not they can be installed and used on the device.
-
->[!NOTE]
->Always test and refine these settings with a pilot group of users and devices first before applying them in production.
-
-The following table describes the ways Windows Defender ATP can help prevent installation and usage of USB peripherals.
-For more information about controlling USB devices, see the [Microsoft Secure blog "WDATP has protections for USB and removable devices"](https://aka.ms/devicecontrolblog).
-
-| Control | Description |
-|----------|-------------|
-| [Block installation and usage of removable storage](#block-installation-and-usage-of-removable-storage) | Users can't install or use removable storage |
-| [Only allow installation and usage of specifically approved peripherals](#only-allow-installation-and-usage-of-specifically-approved-peripherals) | Users can only install and use approved peripherals that report specific properties in their firmware |
-| [Prevent installation of specifically prohibited peripherals](#prevent-installation-of-specifically-prohibited-peripherals) | Users can't install or use prohibited peripherals that report specific properties in their firmware |
-
->[!NOTE]
->Because an unauthorized USB peripheral can have firmware that spoofs its USB properties, we recommend only allowing specifically approved USB peripherals and limiting the users who can access them.
+> [!Note]
+> The prevent device installation policies take precedence over the allow device installation policies.
### Block installation and usage of removable storage
1. Sign in to the [Microsoft Azure portal](https://portal.azure.com/).
-2. Click **Intune** > **Device configuration** > **Profiles** > **Create profile**.
+2. Click **Intune** > **Device configuration** > **Profiles** > **Create profile**.
-3. Use the following settings:
+3. Use the following settings:
- - Name: Type a name for the profile
- - Description: Type a description
- - Platform: Windows 10 and later
- - Profile type: Device restrictions
+ - Name: Type a name for the profile
+ - Description: Type a description
+ - Platform: Windows 10 and later
+ - Profile type: Device restrictions
@@ -230,11 +219,53 @@ Allowing installation of specific devices requires also enabling [DeviceInstalla
### Prevent installation of specifically prohibited peripherals
-Windows Defender ATP blocks installation and usage of prohibited peripherals by using either of these options:
+Microsoft Defender ATP blocks installation and usage of prohibited peripherals by using either of these options:
- [Administrative Templates](https://docs.microsoft.com/intune/administrative-templates-windows) can block any device with a matching hardware ID or setup class.
- [Device Installation CSP settings](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation) with a custom profile in Intune. You can [prevent installation of specific device IDs](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-preventinstallationofmatchingdeviceids) or [prevent specific device classes](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-preventinstallationofmatchingdevicesetupclasses).
+### Security Baseline
+
+The Microsoft Defender Advanced Threat Protection (ATP) baseline settings, represent the recommended configuration for ATP. Configuration settings for baseline are located here in the edit profile page of the configuration settings.
+
+
+
+### Bluetooth
+
+Using Intune, you can limited the services that can use Bluetooth through the “Bluetooth allowed services”. The default state of “Bluetooth allowed services” settings means everything is allowed. As soon as a service is added, that becomes the allowed list. If the customer adds the Keyboards and Mice values, and don’t add the file transfer GUIDs, file transfer should be blocked.
+
+
+
+## Respond to threats
+
+You can create custom alerts and automatic response actions with the [Microsoft Defender ATP Custom Detection Rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules). Response actions within the custom detection cover both machine and file level actions. You can also create alerts and automatic response actions using [PowerApps](https://powerapps.microsoft.com/) and [Flow](https://flow.microsoft.com/) with the [Microsoft Defender ATP connector](https://docs.microsoft.com/connectors/wdatp/). The connector supports actions for investigation, threat scanning, and restricting running applications. It is one of over 200 pre-defined connectors including Outlook, Teams, Slack, and more. Custom connectors can also be built. See [Connectors](https://docs.microsoft.com/connectors/) to learn more about connectors.
+
+For example, using either approach, you can automatically have the Microsoft Defender Antivirus run when a USB device is mounted onto a machine.
+
+## Detect plug and play connected events
+
+You can view plug and play connected events in Microsoft Defender ATP advanced hunting to identify suspicious usage activity or perform internal investigations.
+For examples of Microsoft Defender ATP advanced hunting queries, see the [Microsoft Defender ATP hunting queries GitHub repo](https://github.com/Microsoft/WindowsDefenderATP-Hunting-Queries).
+
+Sample Power BI report templates are available for Microsoft Defender ATP that you can use for Advanced hunting queries. With these sample templates, including one for device control, you can integrate the power of Advanced hunting into Power BI. See the [GitHub repository for PowerBI templates](https://github.com/microsoft/MDATP-PowerBI-Templates) for more information. See [Create custom reports using Power BI](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/api-power-bi) to learn more about Power BI integration.
+
+### Custom Alerts and Response Actions
+
+You can create custom alerts and response actions with the WDATP Connector and the Custom Detection Rules:
+
+**Wdatp Connector response Actions:**
+
+**Investigate:** Initiate investigations, collect investigation package, and isolate a machine.
+
+**Threat Scanning** on USB devices
+
+**Restrict execution of all applications** on the machine except a predefined set
+MDATP connector is one of over 200 pre-defined connectors including Outlook, Teams, Slack, etc. Custom connectors can be built.
+- [More information on WDATP Connector Response Actions](https://docs.microsoft.com/connectors/wdatp/)
+
+**Custom Detection Rules Response Action:**
+Both machine and file level actions can be applied.
+- [More information on Custom Detection Rules Response Actions](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules)
## Related topics
@@ -242,8 +273,6 @@ Windows Defender ATP blocks installation and usage of prohibited peripherals by
- [Defender/AllowFullScanRemovableDriveScanning](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-allowfullscanremovabledrivescanning)
- [Policy/DeviceInstallation CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation)
- [Perform a custom scan of a removable device](https://aka.ms/scanusb)
+- [Device Control PowerBI Template for custom reporting](https://github.com/microsoft/MDATP-PowerBI-Templates)
- [BitLocker](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-overview)
- [Windows Information Protection](https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure)
-
-
-
diff --git a/windows/security/threat-protection/device-control/images/devicehostcontroller.jpg b/windows/security/threat-protection/device-control/images/devicehostcontroller.jpg
new file mode 100644
index 0000000000..fd0666ef4c
Binary files /dev/null and b/windows/security/threat-protection/device-control/images/devicehostcontroller.jpg differ
diff --git a/windows/security/threat-protection/device-control/images/devicesbyconnection.png b/windows/security/threat-protection/device-control/images/devicesbyconnection.png
new file mode 100644
index 0000000000..089a1b70fe
Binary files /dev/null and b/windows/security/threat-protection/device-control/images/devicesbyconnection.png differ
diff --git a/windows/security/threat-protection/device-control/images/devicevendorid.jpg b/windows/security/threat-protection/device-control/images/devicevendorid.jpg
new file mode 100644
index 0000000000..10b636fc0d
Binary files /dev/null and b/windows/security/threat-protection/device-control/images/devicevendorid.jpg differ
diff --git a/windows/security/threat-protection/device-control/images/sortbyconnection.jpg b/windows/security/threat-protection/device-control/images/sortbyconnection.jpg
new file mode 100644
index 0000000000..c86eab1470
Binary files /dev/null and b/windows/security/threat-protection/device-control/images/sortbyconnection.jpg differ
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
similarity index 77%
rename from windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md
rename to windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
index 0f4d7ee1dc..1edd7842a6 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md
+++ b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
@@ -14,16 +14,16 @@ ms.date: 04/01/2019
ms.reviewer:
---
-# Enable virtualization-based protection of code integrity
+# Enable virtualization-based protection of code integrity
**Applies to**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-This topic covers different ways to enable Hypervisor-protected code integrity (HVCI) on Windows 10.
-Some applications, including device drivers, may be incompatible with HVCI.
-This can cause devices or software to malfunction and in rare cases may result in a blue screen. Such issues may occur after HVCI has been turned on or during the enablement process itself.
-If this happens, see [Troubleshooting](#troubleshooting) for remediation steps.
+This topic covers different ways to enable Hypervisor-protected code integrity (HVCI) on Windows 10.
+Some applications, including device drivers, may be incompatible with HVCI.
+This can cause devices or software to malfunction and in rare cases may result in a blue screen. Such issues may occur after HVCI has been turned on or during the enablement process itself.
+If this happens, see [Troubleshooting](#troubleshooting) for remediation steps.
>[!NOTE]
>HVCI works with modern 7th gen CPUs or higher and its equivalent on AMD. CPU new feature is required *Mode based execution control (MBE) Virtualization*. AMD CPUs do not have MBE.
@@ -37,13 +37,13 @@ If this happens, see [Troubleshooting](#troubleshooting) for remediation steps.
* HVCI also ensure your other Truslets, like Credential Guard have a valid certificate.
* Modern device drivers must also have an EV (Extended Validation) certificate and should support HVCI.
-## How to turn on HVCI in Windows 10
+## How to turn on HVCI in Windows 10
To enable HVCI on Windows 10 devices with supporting hardware throughout an enterprise, use any of these options:
- [Windows Security app](#windows-security-app)
- [Microsoft Intune (or another MDM provider)](#enable-hvci-using-intune)
- [Group Policy](#enable-hvci-using-group-policy)
-- [System Center Configuration Manager](https://cloudblogs.microsoft.com/enterprisemobility/2015/10/30/managing-windows-10-device-guard-with-configuration-manager/)
+- [System Center Configuration Manager](https://cloudblogs.microsoft.com/enterprisemobility/2015/10/30/managing-windows-10-device-guard-with-configuration-manager/)
- [Registry](#use-registry-keys-to-enable-virtualization-based-protection-of-code-integrity)
### Windows Security app
@@ -52,7 +52,7 @@ HVCI is labeled **Memory integrity** in the Windows Security app and it can be a
### Enable HVCI using Intune
-Enabling in Intune requires using the Code Integrity node in the [AppLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/applocker-csp).
+Enabling in Intune requires using the Code Integrity node in the [AppLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/applocker-csp).
### Enable HVCI using Group Policy
@@ -61,11 +61,11 @@ Enabling in Intune requires using the Code Integrity node in the [AppLocker CSP]
3. Double-click **Turn on Virtualization Based Security**.
4. Click **Enabled** and under **Virtualization Based Protection of Code Integrity**, select **Enabled with UEFI lock** to ensure HVCI cannot be disabled remotely or select **Enabled without UEFI lock**.
- 
+ 
5. Click **Ok** to close the editor.
-To apply the new policy on a domain-joined computer, either restart or run `gpupdate /force` in an elevated command prompt.
+To apply the new policy on a domain-joined computer, either restart or run `gpupdate /force` in an elevated command prompt.
### Use registry keys to enable virtualization-based protection of code integrity
@@ -183,66 +183,66 @@ Windows 10 and Windows Server 2016 have a WMI class for related properties and f
> The *Win32\_DeviceGuard* WMI class is only available on the Enterprise edition of Windows 10.
> [!NOTE]
-> Mode Based Execution Control property will only be listed as available starting with Windows 10 version 1709.
+> Mode Based Execution Control property will only be listed as available starting with Windows 10 version 1803.
-The output of this command provides details of the available hardware-based security features as well as those features that are currently enabled.
+The output of this command provides details of the available hardware-based security features as well as those features that are currently enabled.
#### AvailableSecurityProperties
This field helps to enumerate and report state on the relevant security properties for Windows Defender Device Guard.
-| Value | Description |
-|--------|-------------|
-| **0.** | If present, no relevant properties exist on the device. |
-| **1.** | If present, hypervisor support is available. |
-| **2.** | If present, Secure Boot is available. |
-| **3.** | If present, DMA protection is available. |
-| **4.** | If present, Secure Memory Overwrite is available. |
-| **5.** | If present, NX protections are available. |
-| **6.** | If present, SMM mitigations are available. |
-| **7.** | If present, Mode Based Execution Control is available. |
+Value | Description
+-|-
+**0.** | If present, no relevant properties exist on the device.
+**1.** | If present, hypervisor support is available.
+**2.** | If present, Secure Boot is available.
+**3.** | If present, DMA protection is available.
+**4.** | If present, Secure Memory Overwrite is available.
+**5.** | If present, NX protections are available.
+**6.** | If present, SMM mitigations are available.
+**7.** | If present, Mode Based Execution Control is available.
#### InstanceIdentifier
-A string that is unique to a particular device. Valid values are determined by WMI.
+A string that is unique to a particular device. Valid values are determined by WMI.
#### RequiredSecurityProperties
This field describes the required security properties to enable virtualization-based security.
-| Value | Description |
-|--------|-------------|
-| **0.** | Nothing is required. |
-| **1.** | If present, hypervisor support is needed. |
-| **2.** | If present, Secure Boot is needed. |
-| **3.** | If present, DMA protection is needed. |
-| **4.** | If present, Secure Memory Overwrite is needed. |
-| **5.** | If present, NX protections are needed. |
-| **6.** | If present, SMM mitigations are needed. |
-| **7.** | If present, Mode Based Execution Control is needed. |
+Value | Description
+-|-
+**0.** | Nothing is required.
+**1.** | If present, hypervisor support is needed.
+**2.** | If present, Secure Boot is needed.
+**3.** | If present, DMA protection is needed.
+**4.** | If present, Secure Memory Overwrite is needed.
+**5.** | If present, NX protections are needed.
+**6.** | If present, SMM mitigations are needed.
+**7.** | If present, Mode Based Execution Control is needed.
-#### SecurityServicesConfigured
+#### SecurityServicesConfigured
This field indicates whether the Windows Defender Credential Guard or HVCI service has been configured.
-| Value | Description |
-|--------|-------------|
-| **0.** | No services configured. |
-| **1.** | If present, Windows Defender Credential Guard is configured. |
-| **2.** | If present, HVCI is configured. |
-| **3.** | If present, System Guard Secure Launch is configured. |
+Value | Description
+-|-
+**0.** | No services configured.
+**1.** | If present, Windows Defender Credential Guard is configured.
+**2.** | If present, HVCI is configured.
+**3.** | If present, System Guard Secure Launch is configured.
#### SecurityServicesRunning
This field indicates whether the Windows Defender Credential Guard or HVCI service is running.
-| Value | Description |
-|--------|-------------|
-| **0.** | No services running. |
-| **1.** | If present, Windows Defender Credential Guard is running. |
-| **2.** | If present, HVCI is running. |
-| **3.** | If present, System Guard Secure Launch is running. |
+Value | Description
+-|-
+**0.** | No services running.
+**1.** | If present, Windows Defender Credential Guard is running.
+**2.** | If present, HVCI is running.
+**3.** | If present, System Guard Secure Launch is running.
#### Version
@@ -252,12 +252,11 @@ This field lists the version of this WMI class. The only valid value now is **1.
This field indicates whether VBS is enabled and running.
-| Value | Description |
-|--------|-------------|
-| **0.** | VBS is not enabled. |
-| **1.** | VBS is enabled but not running. |
-| **2.** | VBS is enabled and running. |
-
+Value | Description
+-|-
+**0.** | VBS is not enabled.
+**1.** | VBS is enabled but not running.
+**2.** | VBS is enabled and running.
#### PSComputerName
@@ -265,8 +264,7 @@ This field lists the computer name. All valid values for computer name.
Another method to determine the available and enabled Windows Defender Device Guard features is to run msinfo32.exe from an elevated PowerShell session. When you run this program, the Windows Defender Device Guard properties are displayed at the bottom of the **System Summary** section.
-
-
+
## Troubleshooting
@@ -276,9 +274,12 @@ B. If you experience software or device malfunction after using the above proced
C. If you experience a critical error during boot or your system is unstable after using the above procedure to turn on HVCI, you can recover using the Windows Recovery Environment (Windows RE). To boot to Windows RE, see [Windows RE Technical Reference](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference). After logging in to Windows RE, you can turn off HVCI by renaming or deleting the SIPolicy.p7b file from the file location in step 3 above and then restart your device.
-## How to turn off HVCI on the Windows 10 Fall Creators Update
+## How to turn off HVCI
-1. Rename or delete the SIPolicy.p7b file located at C:\Windows\System32\CodeIntegrity.
+1. Run the following command from an elevated prompt to set the HVCI registry key to off
+```ini
+reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 0 /f
+```
2. Restart the device.
3. To confirm HVCI has been successfully disabled, open System Information and check **Virtualization-based security Services Running**, which should now have no value displayed.
@@ -293,8 +294,8 @@ Set-VMSecurity -VMName
-The attack surface reduction set of capabilities provide the first line of defense in the stack. By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitations.
+The attack surface reduction set of capabilities provide the first line of defense in the stack. By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitations.
-- [Hardware based isolation](microsoft-defender-atp/overview-hardware-based-isolation.md)
+- [Hardware based isolation](microsoft-defender-atp/overview-hardware-based-isolation.md)
- [Application control](windows-defender-application-control/windows-defender-application-control.md)
- [Device control](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)
-- [Exploit protection](windows-defender-exploit-guard/exploit-protection-exploit-guard.md)
-- [Network protection](windows-defender-exploit-guard/network-protection-exploit-guard.md)
-- [Controlled folder access](windows-defender-exploit-guard/controlled-folders-exploit-guard.md)
+- [Exploit protection](microsoft-defender-atp/exploit-protection.md)
+- [Network protection](microsoft-defender-atp/network-protection.md)
+- [Controlled folder access](microsoft-defender-atp/controlled-folders.md)
- [Network firewall](windows-firewall/windows-firewall-with-advanced-security.md)
-- [Attack surface reduction rules](windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md)
+- [Attack surface reduction rules](microsoft-defender-atp/attack-surface-reduction.md)
@@ -132,7 +132,7 @@ Microsoft Defender ATP's new managed threat hunting service provides proactive h
Integrate Microsoft Defender Advanced Threat Protection into your existing workflows.
- [Onboarding](microsoft-defender-atp/onboard-configure.md)
- [API and SIEM integration](microsoft-defender-atp/configure-siem.md)
-- [Exposed APIs](microsoft-defender-atp/use-apis.md)
+- [Exposed APIs](microsoft-defender-atp/apis-intro.md)
- [Role-based access control (RBAC)](microsoft-defender-atp/rbac.md)
- [Reporting and trends](microsoft-defender-atp/powerbi-reports.md)
@@ -141,7 +141,7 @@ Integrate Microsoft Defender Advanced Threat Protection into your existing workf
**[Microsoft Threat Protection](microsoft-defender-atp/threat-protection-integration.md)**
Microsoft Defender ATP is part of the Microsoft Threat Protection solution that helps implement end-to-end security across possible attack surfaces in the modern workplace. Bring the power of Microsoft threat protection to your organization.
- [Conditional access](microsoft-defender-atp/conditional-access.md)
-- [O365 ATP](microsoft-defender-atp/threat-protection-integration.md)
+- [Office 365 ATP](microsoft-defender-atp/threat-protection-integration.md)
- [Azure ATP](microsoft-defender-atp/threat-protection-integration.md)
- [Azure Security Center](microsoft-defender-atp/threat-protection-integration.md)
- [Skype for Business](microsoft-defender-atp/threat-protection-integration.md)
diff --git a/windows/security/threat-protection/intelligence/coinminer-malware.md b/windows/security/threat-protection/intelligence/coinminer-malware.md
index ab6330fbe8..52771c8630 100644
--- a/windows/security/threat-protection/intelligence/coinminer-malware.md
+++ b/windows/security/threat-protection/intelligence/coinminer-malware.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
-ms.author: levinec
+ms.author: ellevin
author: levinec
manager: dansimp
audience: ITPro
diff --git a/windows/security/threat-protection/intelligence/coordinated-malware-eradication.md b/windows/security/threat-protection/intelligence/coordinated-malware-eradication.md
index 269b44ae01..fef7da884b 100644
--- a/windows/security/threat-protection/intelligence/coordinated-malware-eradication.md
+++ b/windows/security/threat-protection/intelligence/coordinated-malware-eradication.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
-ms.author: levinec
+ms.author: ellevin
author: levinec
manager: dansimp
audience: ITPro
@@ -36,4 +36,4 @@ Organizations participating in the CME effort work together to help eradicate se
Any organization that is involved in cybersecurity and antimalware or interested in fighting cybercrime can participate in CME campaigns by enrolling in the [Virus Information Alliance (VIA) program](virus-information-alliance-criteria.md). It ensures that everyone agrees to use the information and tools available for campaigns for their intended purpose (that is, the eradication of malware).
-If your organization meets these criteria and is interested in joining, [apply for membership now](https://www.microsoft.com/en-us/wdsi/alliances/apply-alliance-membership). If you have questions, [contact us for more information](https://www.microsoft.com/en-us/wdsi/alliances/collaboration-inquiry).
+If your organization meets these criteria and is interested in joining, [apply for membership now](https://www.microsoft.com/wdsi/alliances/apply-alliance-membership). If you have questions, [contact us for more information](https://www.microsoft.com/wdsi/alliances/collaboration-inquiry).
diff --git a/windows/security/threat-protection/intelligence/criteria.md b/windows/security/threat-protection/intelligence/criteria.md
index dbccc045ba..79047be15a 100644
--- a/windows/security/threat-protection/intelligence/criteria.md
+++ b/windows/security/threat-protection/intelligence/criteria.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
-ms.author: levinec
+ms.author: ellevin
author: levinec
manager: dansimp
audience: ITPro
diff --git a/windows/security/threat-protection/intelligence/cybersecurity-industry-partners.md b/windows/security/threat-protection/intelligence/cybersecurity-industry-partners.md
index 0367399251..1a57f85019 100644
--- a/windows/security/threat-protection/intelligence/cybersecurity-industry-partners.md
+++ b/windows/security/threat-protection/intelligence/cybersecurity-industry-partners.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
-ms.author: levinec
+ms.author: ellevin
author: levinec
manager: dansimp
audience: ITPro
diff --git a/windows/security/threat-protection/intelligence/developer-faq.md b/windows/security/threat-protection/intelligence/developer-faq.md
index cf077a0a1b..3e680879b5 100644
--- a/windows/security/threat-protection/intelligence/developer-faq.md
+++ b/windows/security/threat-protection/intelligence/developer-faq.md
@@ -8,7 +8,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-ms.author: levinec
+ms.author: ellevin
author: levinec
ms.localizationpriority: medium
manager: dansimp
diff --git a/windows/security/threat-protection/intelligence/developer-info.md b/windows/security/threat-protection/intelligence/developer-info.md
index 4ae184bdda..19d1a76072 100644
--- a/windows/security/threat-protection/intelligence/developer-info.md
+++ b/windows/security/threat-protection/intelligence/developer-info.md
@@ -8,7 +8,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-ms.author: levinec
+ms.author: ellevin
author: levinec
ms.localizationpriority: medium
manager: dansimp
diff --git a/windows/security/threat-protection/intelligence/developer-resources.md b/windows/security/threat-protection/intelligence/developer-resources.md
index 047f060649..35aec2bd9c 100644
--- a/windows/security/threat-protection/intelligence/developer-resources.md
+++ b/windows/security/threat-protection/intelligence/developer-resources.md
@@ -9,7 +9,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: medium
ms.pagetype: security
-ms.author: levinec
+ms.author: ellevin
author: levinec
manager: dansimp
audience: ITPro
@@ -24,9 +24,9 @@ If you believe that your application or program has been incorrectly detected by
Check out the following resources for information on how to submit and view submissions:
-- [Submit files](https://www.microsoft.com/en-us/wdsi/filesubmission)
+- [Submit files](https://www.microsoft.com/wdsi/filesubmission)
-- [View your submissions](https://www.microsoft.com/en-us/wdsi/submissionhistory)
+- [View your submissions](https://www.microsoft.com/wdsi/submissionhistory)
## Additional resources
diff --git a/windows/security/threat-protection/intelligence/exploits-malware.md b/windows/security/threat-protection/intelligence/exploits-malware.md
index 0716cab937..beff687643 100644
--- a/windows/security/threat-protection/intelligence/exploits-malware.md
+++ b/windows/security/threat-protection/intelligence/exploits-malware.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
-ms.author: levinec
+ms.author: ellevin
author: levinec
manager: dansimp
audience: ITPro
diff --git a/windows/security/threat-protection/intelligence/fileless-threats.md b/windows/security/threat-protection/intelligence/fileless-threats.md
index 6e0e5385e8..bc3ecd48d1 100644
--- a/windows/security/threat-protection/intelligence/fileless-threats.md
+++ b/windows/security/threat-protection/intelligence/fileless-threats.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
-ms.author: levinec
+ms.author: ellevin
author: levinec
manager: dansimp
audience: ITPro
@@ -96,6 +96,6 @@ Having described the broad categories, we can now dig into the details and provi
## Defeating fileless malware
-At Microsoft, we actively monitor the security landscape to identify new threat trends and develop solutions that continuously enhance Windows security and mitigate classes of threats. We instrument durable protections that are effective against a wide range of threats. Through AntiMalware Scan Interface (AMSI), behavior monitoring, memory scanning, and boot sector protection, Microsoft Defender Advanced Threat Protection [(Microsoft Defender ATP)](https://www.microsoft.com/en-us/windowsforbusiness?ocid=docs-fileless) can inspect fileless threats even with heavy obfuscation. Machine learning technologies in the cloud allow us to scale these protections against new and emerging threats.
+At Microsoft, we actively monitor the security landscape to identify new threat trends and develop solutions that continuously enhance Windows security and mitigate classes of threats. We instrument durable protections that are effective against a wide range of threats. Through AntiMalware Scan Interface (AMSI), behavior monitoring, memory scanning, and boot sector protection, Microsoft Defender Advanced Threat Protection [(Microsoft Defender ATP)](https://www.microsoft.com/windowsforbusiness?ocid=docs-fileless) can inspect fileless threats even with heavy obfuscation. Machine learning technologies in the cloud allow us to scale these protections against new and emerging threats.
To learn more, read: [Out of sight but not invisible: Defeating fileless malware with behavior monitoring, AMSI, and next-gen AV](https://cloudblogs.microsoft.com/microsoftsecure/2018/09/27/out-of-sight-but-not-invisible-defeating-fileless-malware-with-behavior-monitoring-amsi-and-next-gen-av/)
diff --git a/windows/security/threat-protection/intelligence/images/MITRE-Microsoft-Defender-ATP.png b/windows/security/threat-protection/intelligence/images/MITRE-Microsoft-Defender-ATP.png
new file mode 100644
index 0000000000..446ad19d77
Binary files /dev/null and b/windows/security/threat-protection/intelligence/images/MITRE-Microsoft-Defender-ATP.png differ
diff --git a/windows/security/threat-protection/intelligence/images/Transparency-report-August-2.png b/windows/security/threat-protection/intelligence/images/Transparency-report-August-2.png
new file mode 100644
index 0000000000..9769fd54cb
Binary files /dev/null and b/windows/security/threat-protection/intelligence/images/Transparency-report-August-2.png differ
diff --git a/windows/security/threat-protection/intelligence/images/prevalent-malware-aug-small.png b/windows/security/threat-protection/intelligence/images/prevalent-malware-aug-small.png
new file mode 100644
index 0000000000..f797263dba
Binary files /dev/null and b/windows/security/threat-protection/intelligence/images/prevalent-malware-aug-small.png differ
diff --git a/windows/security/threat-protection/intelligence/images/prevalent-malware-small.png b/windows/security/threat-protection/intelligence/images/prevalent-malware-small.png
deleted file mode 100644
index 15a95c2276..0000000000
Binary files a/windows/security/threat-protection/intelligence/images/prevalent-malware-small.png and /dev/null differ
diff --git a/windows/security/threat-protection/intelligence/images/real-world-aug-small.png b/windows/security/threat-protection/intelligence/images/real-world-aug-small.png
new file mode 100644
index 0000000000..303df698eb
Binary files /dev/null and b/windows/security/threat-protection/intelligence/images/real-world-aug-small.png differ
diff --git a/windows/security/threat-protection/intelligence/images/real-world-protection-aug-small.png b/windows/security/threat-protection/intelligence/images/real-world-protection-aug-small.png
new file mode 100644
index 0000000000..3a188fbf75
Binary files /dev/null and b/windows/security/threat-protection/intelligence/images/real-world-protection-aug-small.png differ
diff --git a/windows/security/threat-protection/intelligence/images/real-world-small.png b/windows/security/threat-protection/intelligence/images/real-world-small.png
deleted file mode 100644
index 89bf7a1819..0000000000
Binary files a/windows/security/threat-protection/intelligence/images/real-world-small.png and /dev/null differ
diff --git a/windows/security/threat-protection/intelligence/images/transparency-report-3.png b/windows/security/threat-protection/intelligence/images/transparency-report-3.png
deleted file mode 100644
index 413454d293..0000000000
Binary files a/windows/security/threat-protection/intelligence/images/transparency-report-3.png and /dev/null differ
diff --git a/windows/security/threat-protection/intelligence/macro-malware.md b/windows/security/threat-protection/intelligence/macro-malware.md
index f26e686027..ec97b244a7 100644
--- a/windows/security/threat-protection/intelligence/macro-malware.md
+++ b/windows/security/threat-protection/intelligence/macro-malware.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
-ms.author: levinec
+ms.author: ellevin
author: levinec
manager: dansimp
audience: ITPro
@@ -31,7 +31,7 @@ We've seen macro malware download threats from the following families:
* [Ransom:Win32/Teerac](Ransom:Win32/Teerac)
* [TrojanDownloader:Win32/Chanitor](https://www.microsoft.com/wdsi/threats/malware-encyclopedia-description?Name=TrojanDownloader:Win32/Chanitor.A)
* [TrojanSpy:Win32/Ursnif](https://www.microsoft.com/wdsi/threats/malware-encyclopedia-description?Name=TrojanSpy:Win32/Ursnif)
-* [Win32/Fynloski](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Win32/Fynloski)
+* [Win32/Fynloski](https://www.microsoft.com/wdsi/threats/malware-encyclopedia-description?Name=Win32/Fynloski)
* [Worm:Win32/Gamarue](https://www.microsoft.com/wdsi/threats/malware-encyclopedia-description?Name=Win32/Gamarue)
## How to protect against macro malware
diff --git a/windows/security/threat-protection/intelligence/malware-naming.md b/windows/security/threat-protection/intelligence/malware-naming.md
index 83a0c0a704..2a52b19798 100644
--- a/windows/security/threat-protection/intelligence/malware-naming.md
+++ b/windows/security/threat-protection/intelligence/malware-naming.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
-ms.author: levinec
+ms.author: ellevin
author: levinec
manager: dansimp
audience: ITPro
diff --git a/windows/security/threat-protection/intelligence/phishing.md b/windows/security/threat-protection/intelligence/phishing.md
index 27d9e2a4fe..4f5d3c7278 100644
--- a/windows/security/threat-protection/intelligence/phishing.md
+++ b/windows/security/threat-protection/intelligence/phishing.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
-ms.author: levinec
+ms.author: ellevin
author: levinec
manager: dansimp
audience: ITPro
diff --git a/windows/security/threat-protection/intelligence/prevent-malware-infection.md b/windows/security/threat-protection/intelligence/prevent-malware-infection.md
index d916ad8a4b..63ef1862ba 100644
--- a/windows/security/threat-protection/intelligence/prevent-malware-infection.md
+++ b/windows/security/threat-protection/intelligence/prevent-malware-infection.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
-ms.author: levinec
+ms.author: ellevin
author: levinec
manager: dansimp
audience: ITPro
@@ -53,7 +53,7 @@ Using pirated content is not only illegal, it can also expose your device to mal
Users do not openly discuss visits to these sites, so any untoward experience are more likely to stay unreported.
-To stay safe, download movies, music, and apps from official publisher websites or stores. Consider running a streamlined OS such as [Windows 10 Pro SKU S Mode](https://www.microsoft.com/en-us/windows/s-mode?ocid=cx-wdsi-articles), which ensures that only vetted apps from the Windows Store are installed.
+To stay safe, download movies, music, and apps from official publisher websites or stores. Consider running a streamlined OS such as [Windows 10 Pro SKU S Mode](https://www.microsoft.com/windows/s-mode?ocid=cx-wdsi-articles), which ensures that only vetted apps from the Windows Store are installed.
## Don't attach unfamiliar removable drives
diff --git a/windows/security/threat-protection/intelligence/ransomware-malware.md b/windows/security/threat-protection/intelligence/ransomware-malware.md
index b7eaea126c..b91211e7da 100644
--- a/windows/security/threat-protection/intelligence/ransomware-malware.md
+++ b/windows/security/threat-protection/intelligence/ransomware-malware.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
-ms.author: levinec
+ms.author: ellevin
author: levinec
manager: dansimp
audience: ITPro
@@ -61,6 +61,6 @@ We recommend:
* Educate your employees so they can identify social engineering and spear-phishing attacks.
-* [Controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard). It can stop ransomware from encrypting files and holding the files for ransom.
+* [Controlled folder access](../microsoft-defender-atp/controlled-folders.md). It can stop ransomware from encrypting files and holding the files for ransom.
For more general tips, see [prevent malware infection](prevent-malware-infection.md).
diff --git a/windows/security/threat-protection/intelligence/rootkits-malware.md b/windows/security/threat-protection/intelligence/rootkits-malware.md
index 528be6dda2..ffe4254e2b 100644
--- a/windows/security/threat-protection/intelligence/rootkits-malware.md
+++ b/windows/security/threat-protection/intelligence/rootkits-malware.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
-ms.author: levinec
+ms.author: ellevin
author: levinec
manager: dansimp
audience: ITPro
@@ -31,7 +31,7 @@ Many modern malware families use rootkits to try and avoid detection and removal
* [Cutwail](https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32%2fCutwail)
-* [Datrahere](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win64/Detrahere) (Zacinlo)
+* [Datrahere](https://www.microsoft.com/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win64/Detrahere) (Zacinlo)
* [Rustock](https://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Win32%2fRustock)
diff --git a/windows/security/threat-protection/intelligence/safety-scanner-download.md b/windows/security/threat-protection/intelligence/safety-scanner-download.md
index 07018d689f..f00d63e08f 100644
--- a/windows/security/threat-protection/intelligence/safety-scanner-download.md
+++ b/windows/security/threat-protection/intelligence/safety-scanner-download.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
-ms.author: levinec
+ms.author: ellevin
author: levinec
manager: dansimp
audience: ITPro
@@ -24,12 +24,12 @@ Microsoft Safety Scanner is a scan tool designed to find and remove malware from
- [Download Microsoft Safety Scanner (64-bit)](https://go.microsoft.com/fwlink/?LinkId=212732)
> [!NOTE]
-> The security intelligence update version of the Microsoft Safety Scanner matches the version described [in this web page](https://www.microsoft.com/en-us/wdsi/definitions).
+> The security intelligence update version of the Microsoft Safety Scanner matches the version described [in this web page](https://www.microsoft.com/wdsi/definitions).
Safety Scanner only scans when manually triggered and is available for use 10 days after being downloaded. We recommend that you always download the latest version of this tool before each scan.
> [!NOTE]
-> This tool does not replace your antimalware product. For real-time protection with automatic updates, use [Windows Defender Antivirus on Windows 10 and Windows 8](https://www.microsoft.com/windows/comprehensive-security) or [Microsoft Security Essentials on Windows 7](https://support.microsoft.com/help/14210/security-essentials-download). These antimalware products also provide powerful malware removal capabilities. If you are having difficulties removing malware with these products, you can refer to our help on [removing difficult threats](https://www.microsoft.com/en-us/wdsi/help/troubleshooting-infection).
+> This tool does not replace your antimalware product. For real-time protection with automatic updates, use [Windows Defender Antivirus on Windows 10 and Windows 8](https://www.microsoft.com/windows/comprehensive-security) or [Microsoft Security Essentials on Windows 7](https://support.microsoft.com/help/14210/security-essentials-download). These antimalware products also provide powerful malware removal capabilities. If you are having difficulties removing malware with these products, you can refer to our help on [removing difficult threats](https://www.microsoft.com/wdsi/help/troubleshooting-infection).
> [!NOTE]
> Safety scanner is a portable executable and does not appear in the Windows Start menu or as an icon on the desktop. Note where you saved this download.
diff --git a/windows/security/threat-protection/intelligence/submission-guide.md b/windows/security/threat-protection/intelligence/submission-guide.md
index 54f39ce774..05e5ab7db4 100644
--- a/windows/security/threat-protection/intelligence/submission-guide.md
+++ b/windows/security/threat-protection/intelligence/submission-guide.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
-ms.author: levinec
+ms.author: ellevin
author: levinec
manager: dansimp
audience: ITPro
@@ -52,7 +52,7 @@ We encourage all software vendors and developers to read about [how Microsoft id
## How do I track or view past sample submissions?
-You can track your submissions through the [submission history page](https://www.microsoft.com/en-us/wdsi/submissionhistory). Your submission will only appear on this page if you were signed in when you submitted it.
+You can track your submissions through the [submission history page](https://www.microsoft.com/wdsi/submissionhistory). Your submission will only appear on this page if you were signed in when you submitted it.
If you’re not signed in when you submit a sample, you will be redirected to a tracking page. Bookmark this page if you want to come back and check on the status of your submission.
@@ -66,7 +66,7 @@ Each submission is shown to be in one of the following status types:
* Closed—a final determination has been given by an analyst
-If you are signed in, you can see the status of any files you submit to us on the [submission history page](https://www.microsoft.com/en-us/wdsi/submissionhistory).
+If you are signed in, you can see the status of any files you submit to us on the [submission history page](https://www.microsoft.com/wdsi/submissionhistory).
## How does Microsoft prioritize submissions
diff --git a/windows/security/threat-protection/intelligence/supply-chain-malware.md b/windows/security/threat-protection/intelligence/supply-chain-malware.md
index 6ea3d8c4e2..7530ec2c2e 100644
--- a/windows/security/threat-protection/intelligence/supply-chain-malware.md
+++ b/windows/security/threat-protection/intelligence/supply-chain-malware.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
-ms.author: levinec
+ms.author: ellevin
author: levinec
manager: dansimp
audience: ITPro
diff --git a/windows/security/threat-protection/intelligence/support-scams.md b/windows/security/threat-protection/intelligence/support-scams.md
index 4744f0f0e3..35942059ca 100644
--- a/windows/security/threat-protection/intelligence/support-scams.md
+++ b/windows/security/threat-protection/intelligence/support-scams.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
-ms.author: levinec
+ms.author: ellevin
author: levinec
manager: dansimp
audience: ITPro
diff --git a/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md b/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md
index a786d8ecd1..9bd0cfef19 100644
--- a/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md
+++ b/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: high
-ms.author: levinec
+ms.author: ellevin
author: levinec
manager: dansimp
audience: ITPro
@@ -18,89 +18,70 @@ search.appverid: met150
# Top scoring in industry tests
-Microsoft Defender Advanced Threat Protection ([Microsoft Defender ATP](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=cx-docs-avreports)) technologies consistently achieve high scores in independent tests, demonstrating the strength of its enterprise threat protection capabilities. Microsoft aims to be transparent about these test scores. This page summarizes the results and provides analysis.
+Microsoft Defender Advanced Threat Protection ([Microsoft Defender ATP](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=cx-docs-avreports)) technologies consistently achieve high scores in independent tests, demonstrating the strength of its enterprise threat protection capabilities. Microsoft aims to be transparent about these test scores. This page summarizes the results and provides analysis.
## Next generation protection
[Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10?ocid=cx-docs-avreports) consistently performs highly in independent tests, displaying how it is a top choice in the antivirus market. Note that these tests only provide results for antivirus and do not test for additional security protections.
-Windows Defender Antivirus is part of the [next generation](https://www.youtube.com/watch?v=Xy3MOxkX_o4) Microsoft Defender ATP security stack which addresses the latest and most sophisticated threats today. In some cases, customers might not even know they were protected because a cyberattack is stopped [milliseconds after a campaign starts](https://cloudblogs.microsoft.com/microsoftsecure/2018/03/07/behavior-monitoring-combined-with-machine-learning-spoils-a-massive-dofoil-coin-mining-campaign?ocid=cx-docs-avreports). That's because Windows Defender Antivirus detects and stops malware at first sight by using [machine learning](https://cloudblogs.microsoft.com/microsoftsecure/2018/06/07/machine-learning-vs-social-engineering?ocid=cx-docs-avreports), [artificial intelligence](https://cloudblogs.microsoft.com/microsoftsecure/2018/02/14/how-artificial-intelligence-stopped-an-emotet-outbreak?ocid=cx-docs-avreports), behavioral analysis, and other advanced technologies.
+Windows Defender Antivirus is the [next generation protection](https://www.youtube.com/watch?v=Xy3MOxkX_o4) capability in the Microsoft Defender ATP security stack which addresses the latest and most sophisticated threats today. In some cases, customers might not even know they were protected because a cyberattack is stopped [milliseconds after a campaign starts](https://cloudblogs.microsoft.com/microsoftsecure/2018/03/07/behavior-monitoring-combined-with-machine-learning-spoils-a-massive-dofoil-coin-mining-campaign?ocid=cx-docs-avreports). That's because Windows Defender Antivirus detects and stops malware at first sight by using [machine learning](https://cloudblogs.microsoft.com/microsoftsecure/2018/06/07/machine-learning-vs-social-engineering?ocid=cx-docs-avreports), [artificial intelligence](https://cloudblogs.microsoft.com/microsoftsecure/2018/02/14/how-artificial-intelligence-stopped-an-emotet-outbreak?ocid=cx-docs-avreports), behavioral analysis, and other advanced technologies.
+
- **Download the latest transparency report: [Examining industry test results, May 2019](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE33cdd)**
+**Download the latest transparency report: [Examining industry test results, August 2019](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE3Esbl)**
### AV-TEST: Protection score of 6.0/6.0 in the latest test
The AV-TEST Product Review and Certification Report tests on three categories: protection, performance, and usability. The scores listed below are for the Protection category which has two scores: Real-World Testing and the AV-TEST reference set (known as "Prevalent Malware").
-- March - April 2019 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/april-2019/microsoft-windows-defender-antivirus-4.18-191517/) **Latest**
+- May - June 2019 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/june-2019/microsoft-windows-defender-antivirus-4.18-192415/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE3Esbl) **Latest**
- Windows Defender Antivirus achieved an overall Protection score of 6.0/6.0, with 6,849 malware samples used. This is the sixth consecutive cycle that Windows Defender Antivirus achieved a perfect Protection score.
+ Windows Defender Antivirus achieved an overall Protection score of 6.0/6.0, detecting 100% of 2,735 malware samples used. This is the seventh consecutive cycle that Windows Defender Antivirus achieved a perfect Protection score.
+
+- March - April 2019 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/april-2019/microsoft-windows-defender-antivirus-4.18-191517/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE3Esbl)
- January - February 2019 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/february-2019/microsoft-windows-defender-antivirus-4.18-190611/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE33cdd)
- Windows Defender Antivirus achieved an overall Protection score of 6.0/6.0, with 13,977 malware samples used.
-
- November - December 2018 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/december-2018/microsoft-windows-defender-antivirus-4.18-185074/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWusR9)
- Windows Defender Antivirus achieved an overall Protection score of 6.0/6.0, detecting 100% of 19,956 malware samples.
-
- September - October 2018 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/october-2018/microsoft-windows-defender-antivirus-4.18-184174/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWqOqD)
- Windows Defender Antivirus achieved an overall Protection score of 6.0/6.0, protecting against 21,566 of 21,568 tested malware samples.
-
- July - August 2018 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/august-2018/microsoft-windows-defender-antivirus-4.12--4.18-183212/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2IL3Y)
- Windows Defender Antivirus achieved an overall Protection score of 6.0/6.0, detecting 100% of 20,022 malware samples.
+### AV-Comparatives: Protection rating of 99.9% in the latest test
-- May - June 2018 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/june-2018/microsoft-windows-defender-antivirus-4.12-182374/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2v60I?ocid=cx-docs-avreports)
+Business Security Test consists of three main parts: the Real-World Protection Test which mimics online malware attacks, the Malware Protection Test where the malware enters the system from outside the internet (e.g. USB), and the Performance Test which looks at the impact on the system’s performance.
- Windows Defender Antivirus achieved an overall Protection score of 6.0/6.0, detecting 100% of 5,790 malware samples.
+- Business Security Test 2019 (March - June): [Real-World Protection Rate 99.9%](https://www.av-comparatives.org/tests/business-security-test-2019-march-june/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE3Esbl) **Latest**
-|||
-|---|---|
-|||
+ Windows Defender Antivirus has consistently improved in Real-World Protection Rates over the past year, with 99.9% in the latest test.
-### AV-Comparatives: Protection rating of 99.7% in the latest test
+- Business Security Test 2018 (August - November): [Real-World Protection Rate 99.6%](https://www.av-comparatives.org/tests/business-security-test-2018-august-november/)
-AV-Comparatives is an independent organization offering systematic testing for security software such as PC/Mac-based antivirus products and mobile security solutions.
+- Business Security Test 2018 (March - June): [Real-World Protection Rate 98.7%](https://www.av-comparatives.org/tests/business-security-test-2018-march-june/)
-- Real-World Protection Test Enterprise March - April 2019: [Protection Rate 99.7%](https://www.av-comparatives.org/tests/real-world-protection-test-enterprise-march-april-2019-testresult/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE33cdd) **Latest**
-
- This test, as defined by AV-Comparatives, attempts to assess the effectiveness of each security program to protect a computer against active malware threats while online. The test set contained 389 test cases (such as malicious URLs).
-
-- Real-World Protection Test Enterprise August - November 2018: [Protection Rate 99.6%](https://www.av-comparatives.org/tests/real-world-protection-test-enterprise-august-november-2018-testresult/)
-
- The test set contained 1,207 test cases (such as malicious URLs).
-
-- Malware Protection Test Enterprise August 2018: [Protection Rate 99.9%](https://www.av-comparatives.org/tests/malware-protection-test-enterprise-august-2018-testresult/)
-
- This test, as defined by AV-Comparatives, attempts to assesses a security program’s ability to protect a system against infection by malicious files before, during or after execution. The results are based on testing against 1,556 malware samples.
-
-- Real-World Protection Test Enterprise March - June 2018: [Protection Rate 98.7%](https://www.av-comparatives.org/tests/real-world-protection-test-enterprise-march-june-2018-testresult/)
-
- The test set contained 1,163 test cases (such as malicious URLs).
-
-### SE Labs: Total accuracy rating of AAA in the latest test
+### SE Labs: AAA award in the latest test
SE Labs tests a range of solutions used by products and services to detect and/or protect against attacks, including endpoint software, network appliances, and cloud services.
+- Enterprise Endpoint Protection April - June 2019: [AAA award](https://selabs.uk/download/enterprise/epp/2019/apr-jun-2019-enterprise.pdf) **pdf** | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE3Esbl)
+
+ Microsoft's next-gen protection was named as one of the leading products, stopping all of the targeted attacks and all but one public threat. It also handled the legitimate applications correctly.
+
+- Enterprise Endpoint Protection January - March 2019: [AAA award](https://selabs.uk/download/enterprise/epp/2019/jan-mar-2019-enterprise.pdf) **pdf** | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE3Esbl)
+
- Enterprise Endpoint Protection October - December 2018: [AAA award](https://selabs.uk/download/enterprise/epp/2018/oct-dec-2018-enterprise.pdf) **pdf** | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE33cdd)
- Microsoft's next-gen protection was named as one of the leading products, stopping all of the public and targeted attacks.
-
- Enterprise Endpoint Protection July - September 2018: [AAA award](https://selabs.uk/download/enterprise/epp/2018/jul-sep-2018-enterprise.pdf) **pdf**
- Microsoft's next-gen protection was named as one of the most effective products, stopping all public and targeted attacks. It showcased its ability to block malicious URLs, deal with exploits, and classify legitimate apps and websites correctly.
-
-- Enterprise Endpoint Protection April - June 2018: [AAA award](https://selabs.uk/download/enterprise/epp/2018/apr-jun-2018-enterprise.pdf) **pdf**
-
- Microsoft's next-gen protection was named as one of the most effective products, stopping all targeted attacks and the vast majority of public threats.
-
## Endpoint detection & response
Microsoft Defender ATP [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) capabilities provide advanced attack detections that are near real-time and actionable. Security analysts can prioritize alerts effectively, gain visibility into the full scope of a breach, and take response actions to remediate threats.
+
+
+**Read our analysis: [MITRE evaluation highlights industry-leading EDR capabilities in Windows Defender ATP](https://techcommunity.microsoft.com/t5/Windows-Defender-ATP/MITRE-evaluation-highlights-industry-leading-EDR-capabilities-in/ba-p/369831)**
+
### MITRE: Industry-leading optics and detection capabilities
MITRE tested the ability of products to detect techniques commonly used by the targeted attack group APT3 (also known as Boron or UPS). To isolate detection capabilities, all protection and prevention features were turned off. Microsoft is happy to be one of the first EDR vendors to sign up for the MITRE evaluation based on the ATT&CK framework, widely regarded today as the most comprehensive catalog of attacker techniques and tactics.
@@ -113,6 +94,6 @@ MITRE tested the ability of products to detect techniques commonly used by the t
It is important to remember that Microsoft sees a wider and broader set of threats beyond what’s tested in the evaluations highlighted above. For example, in an average month, we identify over 100 million new threats. Even if an independent tester can acquire and test 1% of those threats, that is a million tests across 20 or 30 products. In other words, the vastness of the malware landscape makes it extremely difficult to evaluate the quality of protection against real world threats.
-The capabilities within [Microsoft Defender ATP](https://www.microsoft.com/en-us/windowsforbusiness?ocid=cx-docs-avreports) provide [additional layers of protection](https://cloudblogs.microsoft.com/microsoftsecure/2017/12/11/detonating-a-bad-rabbit-windows-defender-antivirus-and-layered-machine-learning-defenses?ocid=cx-docs-avreports) that are not factored into industry antivirus tests, and address some of the latest and most sophisticated threats. Isolating AV from the rest of Microsoft Defender ATP creates a partial picture of how our security stack operates in the real world. For example, attack surface reduction and endpoint detection & response capabilities can help prevent malware from getting onto devices in the first place. We have proven that [Microsoft Defender ATP components catch samples](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2ouJA?ocid=cx-docs-avreports) that Windows Defender Antivirus missed in these industry tests, which is more representative of how effectively our security suite protects customers in the real world.
+The capabilities within [Microsoft Defender ATP](https://www.microsoft.com/windowsforbusiness?ocid=cx-docs-avreports) provide [additional layers of protection](https://cloudblogs.microsoft.com/microsoftsecure/2017/12/11/detonating-a-bad-rabbit-windows-defender-antivirus-and-layered-machine-learning-defenses?ocid=cx-docs-avreports) that are not factored into industry antivirus tests, and address some of the latest and most sophisticated threats. Isolating AV from the rest of Microsoft Defender ATP creates a partial picture of how our security stack operates in the real world. For example, attack surface reduction and endpoint detection & response capabilities can help prevent malware from getting onto devices in the first place. We have proven that [Microsoft Defender ATP components catch samples](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2ouJA?ocid=cx-docs-avreports) that Windows Defender Antivirus missed in these industry tests, which is more representative of how effectively our security suite protects customers in the real world.
-Using independent tests, customers can view one aspect of their security suite but can't assess the complete protection of all the security features. Microsoft is highly engaged in working with several independent testers to evolve security testing to focus on the end-to-end security stack. In the meantime, customers can evaluate Microsoft Defender Advanced Threat Protection in their own networks by signing up for a [90-day trial of Microsoft Defender ATP](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=cx-docs-avreports), or [enabling Preview features on existing tenants](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection?ocid=cx-docs-avreports).
+Using independent tests, customers can view one aspect of their security suite but can't assess the complete protection of all the security features. Microsoft is highly engaged in working with several independent testers to evolve security testing to focus on the end-to-end security stack. In the meantime, customers can evaluate Microsoft Defender Advanced Threat Protection in their own networks by signing up for a [90-day trial of Microsoft Defender ATP](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=cx-docs-avreports), or [enabling Preview features on existing tenants](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection?ocid=cx-docs-avreports).
diff --git a/windows/security/threat-protection/intelligence/trojans-malware.md b/windows/security/threat-protection/intelligence/trojans-malware.md
index 918006ff72..c9f64fecd6 100644
--- a/windows/security/threat-protection/intelligence/trojans-malware.md
+++ b/windows/security/threat-protection/intelligence/trojans-malware.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
-ms.author: levinec
+ms.author: ellevin
author: levinec
manager: dansimp
audience: ITPro
diff --git a/windows/security/threat-protection/intelligence/understanding-malware.md b/windows/security/threat-protection/intelligence/understanding-malware.md
index 1be49ef74a..2486a1e427 100644
--- a/windows/security/threat-protection/intelligence/understanding-malware.md
+++ b/windows/security/threat-protection/intelligence/understanding-malware.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
-ms.author: levinec
+ms.author: ellevin
author: levinec
manager: dansimp
audience: ITPro
@@ -21,7 +21,7 @@ Malware is a term used to describe malicious applications and code that can caus
Cybercriminals that distribute malware are often motivated by money and will use infected computers to launch attacks, obtain banking credentials, collect information that can be sold, sell access to computing resources, or extort payment from victims.
-As criminals become more sophisticated with their attacks, Microsoft is here to help. Windows 10 is the most secure version of Windows yet and includes many features to help protect you whether you're at home, at work, or on the go. With Microsoft Defender Advanced Threat Protection ([Microsoft Defender ATP](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp)), businesses can stay protected with next-generation protection and other security capabilities.
+As criminals become more sophisticated with their attacks, Microsoft is here to help. Windows 10 is the most secure version of Windows yet and includes many features to help protect you whether you're at home, at work, or on the go. With Microsoft Defender Advanced Threat Protection ([Microsoft Defender ATP](https://www.microsoft.com/WindowsForBusiness/windows-atp)), businesses can stay protected with next-generation protection and other security capabilities.
For good general tips, check out the [prevent malware infection](prevent-malware-infection.md) topic.
diff --git a/windows/security/threat-protection/intelligence/unwanted-software.md b/windows/security/threat-protection/intelligence/unwanted-software.md
index d8e216919b..28718f36f6 100644
--- a/windows/security/threat-protection/intelligence/unwanted-software.md
+++ b/windows/security/threat-protection/intelligence/unwanted-software.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
-ms.author: levinec
+ms.author: ellevin
author: levinec
manager: dansimp
audience: ITPro
diff --git a/windows/security/threat-protection/intelligence/virus-information-alliance-criteria.md b/windows/security/threat-protection/intelligence/virus-information-alliance-criteria.md
index b899f41868..cfda4379ca 100644
--- a/windows/security/threat-protection/intelligence/virus-information-alliance-criteria.md
+++ b/windows/security/threat-protection/intelligence/virus-information-alliance-criteria.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
-ms.author: levinec
+ms.author: ellevin
author: levinec
manager: dansimp
audience: ITPro
@@ -50,4 +50,4 @@ To be eligible for VIA your organization must:
3. Be willing to sign and adhere to the VIA membership agreement.
-If your organization meets these criteria and is interested in joining, [apply for membership now](https://www.microsoft.com/en-us/wdsi/alliances/apply-alliance-membership). If you have questions, [contact us for more information](https://www.microsoft.com/en-us/wdsi/alliances/collaboration-inquiry).
+If your organization meets these criteria and is interested in joining, [apply for membership now](https://www.microsoft.com/wdsi/alliances/apply-alliance-membership). If you have questions, [contact us for more information](https://www.microsoft.com/wdsi/alliances/collaboration-inquiry).
diff --git a/windows/security/threat-protection/intelligence/virus-initiative-criteria.md b/windows/security/threat-protection/intelligence/virus-initiative-criteria.md
index 50fe7168fa..adfe6b2035 100644
--- a/windows/security/threat-protection/intelligence/virus-initiative-criteria.md
+++ b/windows/security/threat-protection/intelligence/virus-initiative-criteria.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
-ms.author: levinec
+ms.author: ellevin
author: levinec
manager: dansimp
audience: ITPro
@@ -54,4 +54,4 @@ Your organization must meet the following eligibility requirements to qualify fo
### Apply now
-If your organization meets these criteria and is interested in joining, [apply for membership now](https://www.microsoft.com/en-us/wdsi/alliances/apply-alliance-membership). If you have questions, [contact us for more information](https://www.microsoft.com/en-us/wdsi/alliances/collaboration-inquiry).
+If your organization meets these criteria and is interested in joining, [apply for membership now](https://www.microsoft.com/wdsi/alliances/apply-alliance-membership). If you have questions, [contact us for more information](https://www.microsoft.com/wdsi/alliances/collaboration-inquiry).
diff --git a/windows/security/threat-protection/intelligence/worms-malware.md b/windows/security/threat-protection/intelligence/worms-malware.md
index aca7c0581d..6b392dcc81 100644
--- a/windows/security/threat-protection/intelligence/worms-malware.md
+++ b/windows/security/threat-protection/intelligence/worms-malware.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
-ms.author: levinec
+ms.author: ellevin
author: levinec
manager: dansimp
audience: ITPro
@@ -34,7 +34,7 @@ Jenxcus (also known as Dunihi), Gamarue (also known as Androm), and Bondat have
Both Bondat and Gamarue have clever ways of obscuring themselves to evade detection. By hiding what they are doing, they try to avoid detection by security software.
-* [**WannaCrypt**](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/WannaCrypt) also deserves a mention here. Unlike older worms that often spread just because they could, modern worms often spread to drop a payload (e.g. ransomware).
+* [**WannaCrypt**](https://www.microsoft.com/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/WannaCrypt) also deserves a mention here. Unlike older worms that often spread just because they could, modern worms often spread to drop a payload (e.g. ransomware).
This image shows how a worm can quickly spread through a shared USB drive.
diff --git a/windows/security/threat-protection/mbsa-removal-and-guidance.md b/windows/security/threat-protection/mbsa-removal-and-guidance.md
index b2d4621b58..d1b7cfa967 100644
--- a/windows/security/threat-protection/mbsa-removal-and-guidance.md
+++ b/windows/security/threat-protection/mbsa-removal-and-guidance.md
@@ -5,7 +5,7 @@ keywords: MBSA, security, removal
ms.prod: w10
ms.mktglfcycl: deploy
ms.localizationpriority: medium
-ms.author: dolmont
+ms.author: dansimp
author: dulcemontemayor
ms.date: 10/05/2018
ms.reviewer:
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md
index 38d679e8fa..55e9157bfa 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md
@@ -22,7 +22,7 @@ ms.topic: article
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedfeats-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedfeats-abovefoldlink)
Depending on the Microsoft security products that you use, some advanced features might be available for you to integrate Microsoft Defender ATP with.
@@ -53,7 +53,7 @@ For tenants created on or after Windows 10, version 1809 the automated investiga
> - The result of the auto-resolve action may influence the Machine risk level calculation which is based on the active alerts found on a machine.
>- If a security operations analyst manually sets the status of an alert to "In progress" or "Resolved" the auto-resolve capability will not overwrite it.
-## Block file
+## Allow or block file
Blocking is only available if your organization uses Windows Defender Antivirus as the active antimalware solution, and if the cloud-based protection feature is enabled.
@@ -71,6 +71,19 @@ To turn **Allow or block** files on:
Once you have enabled this feature, you can [block files](respond-file-alerts.md#allow-or-block-file) via the **Add Indicator** tab on a file's profile page.
+
+## Custom network indicators
+
+Enabling this feature allows you to create indicators for IP addresses, domains, or URLs which determine whether they will be allowed or blocked based on your custom indicator list.
+
+To use this feature, machines must be running Windows 10 version 1709 or later. They should also have network protection in block mode and version 4.18.1906.3 or later of the antimalware platform [see KB 4052623](https://go.microsoft.com/fwlink/?linkid=2099834).
+
+For more information, see [Manage indicators](manage-indicators.md).
+
+>[!NOTE]
+>Network protection leverages reputation services that process requests in locations that might be outside of the location you have selected for your Microsoft Defender ATP data.
+
+
## Show user details
When you enable this feature, you'll be able to see user details stored in Azure Active Directory including a user's picture, name, title, and department information when investigating user account entities. You can find user account information in the following views:
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-alertevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-alertevents-table.md
index 9544001b7c..11138ccab3 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-alertevents-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-alertevents-table.md
@@ -24,7 +24,7 @@ ms.date: 07/24/2019
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
The AlertEvents table in the Advanced hunting schema contains information about alerts on Microsoft Defender Security Center. Use this reference to construct queries that return information from the table.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md
index fbe2aa1d4c..918e31047d 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md
@@ -24,7 +24,7 @@ ms.date: 04/24/2018
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-bestpractices-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-bestpractices-abovefoldlink)
## Performance best practices
The following best practices serve as a guideline of query performance best practices and for you to get faster results and be able to run complex queries.
@@ -93,4 +93,4 @@ ProcessCreationEvents
| where CanonicalCommandLine contains "stop" and CanonicalCommandLine contains "MpsSvc"
```
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-bestpractices-belowfoldlink)
\ No newline at end of file
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-bestpractices-belowfoldlink)
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-filecreationevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-filecreationevents-table.md
index a82f47f963..2f8d8b5394 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-filecreationevents-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-filecreationevents-table.md
@@ -24,7 +24,7 @@ ms.date: 07/24/2019
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
The FileCreationEvents table in the Advanced hunting schema contains information about file creation, modification, and other file system events. Use this reference to construct queries that return information from the table.
@@ -59,6 +59,13 @@ For information on other tables in the Advanced hunting schema, see [the Advanc
| InitiatingProcessParentId | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
| InitiatingProcessParentFileName | string | Name of the parent process that spawned the process responsible for the event |
| InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started |
+| RequestProtocol | string | Network protocol, if applicable, used to initiate the activity: Unknown, Local, SMB, or NFS |
+| ShareName | string | Name of shared folder containing the file |
+| RequestSourceIP | string | IPv4 or IPv6 address of the remote device that initiated the activity |
+| RequestSourcePort | string | Source port on the remote device that initiated the activity |
+| RequestAccountName | string | User name of account used to remotely initiate the activity |
+| RequestAccountDomain | string | Domain of the account used to remotely initiate the activity |
+| RequestAccountSid | string | Security Identifier (SID) of the account to remotely initiate the activity |
| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns |
| AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
| SensitivityLabel | string | Label applied to an email, file, or other content to classify it for information protection |
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-imageloadevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-imageloadevents-table.md
index d7e0521472..aabe8804ca 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-imageloadevents-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-imageloadevents-table.md
@@ -24,7 +24,7 @@ ms.date: 07/24/2019
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
The ImageLoadEvents table in the Advanced hunting schema contains information about DLL loading events. Use this reference to construct queries that return information from the table.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-logonevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-logonevents-table.md
index 1e8a0cfcc7..90d2fe815e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-logonevents-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-logonevents-table.md
@@ -24,7 +24,7 @@ ms.date: 07/24/2019
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
The LogonEvents table in the Advanced hunting schema contains information about user logons and other authentication events. Use this reference to construct queries that return information from the table.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-machineinfo-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-machineinfo-table.md
index fa58a67cdd..5ac8eced92 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-machineinfo-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-machineinfo-table.md
@@ -24,7 +24,7 @@ ms.date: 07/24/2019
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
The MachineInfo table in the Advanced hunting schema contains information about machines in the organization, including OS version, active users, and computer name. Use this reference to construct queries that return information from the table.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-machinenetworkinfo-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-machinenetworkinfo-table.md
index 3ec3dfd8f2..cb1ff3f42a 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-machinenetworkinfo-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-machinenetworkinfo-table.md
@@ -24,7 +24,7 @@ ms.date: 07/24/2019
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
The MachineNetworkInfo table in the Advanced hunting schema contains information about networking configuration of machines, including network adapters, IP and MAC addresses, and connected networks or domains. Use this reference to construct queries that return information from the table.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-miscevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-miscevents-table.md
index 01c38628be..34eb98af98 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-miscevents-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-miscevents-table.md
@@ -24,7 +24,7 @@ ms.date: 07/24/2019
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
The MiscEvents table in the Advanced hunting schema contains information about multiple event types, including events triggered by security controls, such as Windows Defender Antivirus and exploit protection. Use this reference to construct queries that return information from the table.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-networkcommunicationevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-networkcommunicationevents-table.md
index fb18d453d7..29cce6edf3 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-networkcommunicationevents-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-networkcommunicationevents-table.md
@@ -24,7 +24,7 @@ ms.date: 07/24/2019
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
The NetworkCommunicationEvents table in the Advanced hunting schema contains information about network connections and related events. Use this reference to construct queries that return information from the table.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-processcreationevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-processcreationevents-table.md
index d6ef50a878..ff4bcab4b7 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-processcreationevents-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-processcreationevents-table.md
@@ -24,7 +24,7 @@ ms.date: 07/24/2019
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
The ProcessCreationEvents table in the Advanced hunting schema contains information about process creation and related events. Use this reference to construct queries that return information from the table.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-reference.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-reference.md
index 40810a2f12..a0d1dd41a1 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-reference.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-reference.md
@@ -24,7 +24,7 @@ ms.date: 07/24/2019
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
## Advanced hunting table reference
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-registryevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-registryevents-table.md
index 75b7b12ee6..dcf2cf5422 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-registryevents-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-registryevents-table.md
@@ -24,7 +24,7 @@ ms.date: 07/24/2019
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
The RegistryEvents table in the Advanced hunting schema contains information about the creation and modification of registry entries. Use this reference to construct queries that return information from the table.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting.md
index 4ca2aebb87..7c51f049ba 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting.md
@@ -20,7 +20,7 @@ ms.date: 08/15/2018
# Query data using Advanced hunting in Microsoft Defender ATP
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink)
To get you started in querying your data, you can use the Basic or Advanced query examples, which have some preloaded queries to help you understand the basic query syntax.
@@ -146,7 +146,7 @@ The filter selections will resolve as an additional query term and the results w
Check out the [Advanced hunting repository](https://github.com/Microsoft/WindowsDefenderATP-Hunting-Queries). Contribute and use example queries shared by our customers.
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhunting-belowfoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhunting-belowfoldlink)
## Related topic
- [Advanced hunting reference](advanced-hunting-reference.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/alerts-queue-endpoint-detection-response.md b/windows/security/threat-protection/microsoft-defender-atp/alerts-queue-endpoint-detection-response.md
index fe729da635..0f5c27cc7e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/alerts-queue-endpoint-detection-response.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/alerts-queue-endpoint-detection-response.md
@@ -9,7 +9,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-ms.author: mjcaparas
+ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
diff --git a/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md b/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md
index a3455dcc67..fe3c249332 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md
@@ -23,7 +23,7 @@ ms.date: 04/24/2018
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-alertsq-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-alertsq-abovefoldlink)
The **Alerts queue** shows a list of alerts that were flagged from machines in your network. By default, the queue displays alerts seen in the last 30 days in a grouped view, with the most recent alerts showing at the top of the list, helping you see the most recent alerts first.
@@ -38,7 +38,7 @@ On the top navigation you can:
-## Sort, filter, and group the alerts queue
+## Sort, filter, and group the alerts queue
You can apply the following filters to limit the list of alerts and get a more focused view the alerts.
### Severity
@@ -58,10 +58,10 @@ The Windows Defender AV threat severity represents the absolute severity of the
The Microsoft Defender ATP alert severity represents the severity of the detected behavior, the actual risk to the machine but more importantly the potential risk to the organization.
So, for example:
-- The severity of a Microsoft Defender ATP alert about a Windows Defender AV detected threat that was completely prevented and did not infect the machine is categorized as "Informational" because there was no actual damage incurred.
-- An alert about a commercial malware was detected while executing, but blocked and remediated by Windows Defender AV, is categorized as "Low" because it may have caused some damage to the individual machine but poses no organizational threat.
-- An alert about malware detected while executing which can pose a threat not only to the individual machine but to the organization, regardless if it was eventually blocked, may be ranked as "Medium" or "High".
-- Suspicious behavioral alerts which were not blocked or remediated will be ranked "Low", "Medium" or "High" following the same organizational threat considerations.
+- The severity of a Microsoft Defender ATP alert about a Windows Defender AV detected threat that was completely prevented and did not infect the machine is categorized as "Informational" because there was no actual damage incurred.
+- An alert about a commercial malware was detected while executing, but blocked and remediated by Windows Defender AV, is categorized as "Low" because it may have caused some damage to the individual machine but poses no organizational threat.
+- An alert about malware detected while executing which can pose a threat not only to the individual machine but to the organization, regardless if it was eventually blocked, may be ranked as "Medium" or "High".
+- Suspicious behavioral alerts which were not blocked or remediated will be ranked "Low", "Medium" or "High" following the same organizational threat considerations.
#### Understanding alert categories
We've redefined the alert categories to align to the [enterprise attack tactics](https://attack.mitre.org/tactics/enterprise/) in the [MITRE ATT&CK matrix](https://attack.mitre.org/). New category names apply to all new alerts. Existing alerts will retain the previous category names.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-hello-world.md b/windows/security/threat-protection/microsoft-defender-atp/api-hello-world.md
index a3d83d4880..b4aec2ce09 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/api-hello-world.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/api-hello-world.md
@@ -8,7 +8,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-ms.author: mjcaparas
+ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-microsoft-flow.md b/windows/security/threat-protection/microsoft-defender-atp/api-microsoft-flow.md
new file mode 100644
index 0000000000..4af26a7805
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/api-microsoft-flow.md
@@ -0,0 +1,81 @@
+---
+title: Microsoft Defender ATP Flow connector
+ms.reviewer:
+description: Microsoft Defender ATP Flow connector
+keywords: flow, supported apis, api, Microsoft flow, query, automation
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Microsoft Defender ATP Flow connector
+
+**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+
+Automating security procedures is a standard requirement for every modern Security Operations Center. The lack of professional Cyber defenders, forces SOC to work in the most efficient way and automation is a must. MS flow supports different connectors that were built exactly for that. You can build an end-to-end procedure automation within few minutes.
+
+Microsoft Defender API has an official Flow Connector with a lot of capabilities:
+
+
+
+## Usage example
+
+The following example demonstrates how you can create a Flow that will be triggered any time a new Alert occurs on your tenant.
+
+- Login to [Microsoft Flow](https://flow.microsoft.com)
+
+- Go to: My flows > New > Automated
+
+
+
+- Choose a name for your Flow, Search for **Microsoft Defender ATP Triggers** as the trigger and choose the new Alerts trigger.
+
+
+
+- Now you have a Flow that is triggered every time a new Alert occurs.
+
+
+
+All you need to do now, is to choose your next steps.
+Lets, for example, Isolate the machine if the Severity of the Alert is **High** and mail about it.
+The Alert trigger gives us only the Alert ID and the Machine ID. We can use the Connector to expand these entities.
+
+### Get the Alert entity using the connector
+
+- Choose Microsoft Defender ATP for new step.
+
+- Choose Alerts - Get single alert API.
+
+- Set the Alert Id from the last step as Input.
+
+
+
+### Isolate the machine if the Alert's severity is High
+
+- Add **Condition** as a new step .
+
+- Check if Alert severity equals to **High**.
+
+- If yes, add Microsoft Defender ATP - Isolate machine action with the Machine Id and a comment.
+
+
+
+Now you can add a new step for mailing about the Alert and the Isolation.
+There are multiple Email connectors that are very easy to use, e.g. Outlook, GMail, etc..
+Save your flow and that's all.
+
+- You can also create **scheduled** flow that will run Advanced Hunting queries and much more!
+
+## Related topic
+- [Microsoft Defender ATP APIs](apis-intro.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md b/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md
index 4c97c07b2e..979340a3ca 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md
@@ -1,7 +1,7 @@
---
-title: Microsoft Defender ATP alert API fields
-description: Understand how the alert API fields map to the values in Microsoft Defender Security Center
-keywords: alerts, alert fields, fields, api, fields, pull alerts, rest api, request, response
+title: Microsoft Defender ATP detections API fields
+description: Understand how the Detections API fields map to the values in Microsoft Defender Security Center
+keywords: detections, detections fields, fields, api, fields, pull Detections, rest api, request, response
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
@@ -15,21 +15,24 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
-ms.date: 10/16/2017
---
-# Microsoft Defender ATP SIEM alert API fields
+# Microsoft Defender ATP detections API fields
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-apiportalmapping-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-apiportalmapping-abovefoldlink)
-Understand what data fields are exposed as part of the alerts API and how they map to Microsoft Defender Security Center.
+Understand what data fields are exposed as part of the detections API and how they map to Microsoft Defender Security Center.
-## Alert API fields and portal mapping
-The following table lists the available fields exposed in the alerts API payload. It shows examples for the populated values and a reference on how data is reflected on the portal.
+>[!Note]
+>- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections
+>- **Microsoft Defender ATP Detection** is composed from the suspicious event occurred on the Machine and its related **Alert** details.
+
+## Detections API fields and portal mapping
+The following table lists the available fields exposed in the detections API payload. It shows examples for the populated values and a reference on how data is reflected on the portal.
The ArcSight field column contains the default mapping between the Microsoft Defender ATP fields and the built-in fields in ArcSight. You can download the mapping file from the portal when you enable the SIEM integration feature and you can modify it to match the needs of your organization. For more information, see [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md).
@@ -39,33 +42,33 @@ Field numbers match the numbers in the images below.
>
> | Portal label | SIEM field name | ArcSight field | Example value | Description |
> |------------------|---------------------------|---------------------|------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-> | 1 | AlertTitle | name | Windows Defender AV detected 'Mikatz' high-severity malware | Value available for every alert. |
-> | 2 | Severity | deviceSeverity | High | Value available for every alert. |
-> | 3 | Category | deviceEventCategory | Malware | Value available for every alert. |
-> | 4 | Detection source | sourceServiceName | Antivirus | Windows Defender Antivirus or Microsoft Defender ATP. Value available for every alert. |
-> | 5 | MachineName | sourceHostName | desktop-4a5ngd6 | Value available for every alert. |
-> | 6 | FileName | fileName | Robocopy.exe | Available for alerts associated with a file or process. |
-> | 7 | FilePath | filePath | C:\Windows\System32\Robocopy.exe | Available for alerts associated with a file or process. |
-> | 8 | UserDomain | sourceNtDomain | CONTOSO | The domain of the user context running the activity, available for Microsoft Defender ATP behavioral based alerts. |
-> | 9 | UserName | sourceUserName | liz.bean | The user context running the activity, available for Microsoft Defender ATP behavioral based alerts. |
-> | 10 | Sha1 | fileHash | 3da065e07b990034e9db7842167f70b63aa5329 | Available for alerts associated with a file or process. |
-> | 11 | Sha256 | deviceCustomString6 | ebf54f745dc81e1958f75e4ca91dd0ab989fc9787bb6b0bf993e2f5 | Available for Windows Defender AV alerts. |
-> | 12 | Md5 | deviceCustomString5 | db979c04a99b96d370988325bb5a8b21 | Available for Windows Defender AV alerts. |
-> | 13 | ThreatName | deviceCustomString1 | HackTool:Win32/Mikatz!dha | Available for Windows Defender AV alerts. |
-> | 14 | IpAddress | sourceAddress | 218.90.204.141 | Available for alerts associated to network events. For example, 'Communication to a malicious network destination'. |
-> | 15 | Url | requestUrl | down.esales360.cn | Available for alerts associated to network events. For example, 'Communication to a malicious network destination'. |
-> | 16 | RemediationIsSuccess | deviceCustomNumber2 | TRUE | Available for Windows Defender AV alerts. ArcSight value is 1 when TRUE and 0 when FALSE. |
-> | 17 | WasExecutingWhileDetected | deviceCustomNumber1 | FALSE | Available for Windows Defender AV alerts. ArcSight value is 1 when TRUE and 0 when FALSE. |
-> | 18 | AlertId | externalId | 636210704265059241_673569822 | Value available for every alert. |
-> | 19 | LinkToWDATP | flexString1 | `https://securitycenter.windows.com/alert/636210704265059241_673569822` | Value available for every alert. |
-> | 20 | AlertTime | deviceReceiptTime | 2017-05-07T01:56:59.3191352Z | The time the activity relevant to the alert occurred. Value available for every alert. |
-> | 21 | MachineDomain | sourceDnsDomain | contoso.com | Domain name not relevant for AAD joined machines. Value available for every alert. |
+> | 1 | AlertTitle | name | Windows Defender AV detected 'Mikatz' high-severity malware | Value available for every Detection. |
+> | 2 | Severity | deviceSeverity | High | Value available for every Detection. |
+> | 3 | Category | deviceEventCategory | Malware | Value available for every Detection. |
+> | 4 | Detection source | sourceServiceName | Antivirus | Windows Defender Antivirus or Microsoft Defender ATP. Value available for every Detection. |
+> | 5 | MachineName | sourceHostName | desktop-4a5ngd6 | Value available for every Detection. |
+> | 6 | FileName | fileName | Robocopy.exe | Available for detections associated with a file or process. |
+> | 7 | FilePath | filePath | C:\Windows\System32\Robocopy.exe | Available for detections associated with a file or process. |
+> | 8 | UserDomain | sourceNtDomain | CONTOSO | The domain of the user context running the activity, available for Microsoft Defender ATP behavioral based detections. |
+> | 9 | UserName | sourceUserName | liz.bean | The user context running the activity, available for Microsoft Defender ATP behavioral based detections. |
+> | 10 | Sha1 | fileHash | 3da065e07b990034e9db7842167f70b63aa5329 | Available for detections associated with a file or process. |
+> | 11 | Sha256 | deviceCustomString6 | ebf54f745dc81e1958f75e4ca91dd0ab989fc9787bb6b0bf993e2f5 | Available for Windows Defender AV detections. |
+> | 12 | Md5 | deviceCustomString5 | db979c04a99b96d370988325bb5a8b21 | Available for Windows Defender AV detections. |
+> | 13 | ThreatName | deviceCustomString1 | HackTool:Win32/Mikatz!dha | Available for Windows Defender AV detections. |
+> | 14 | IpAddress | sourceAddress | 218.90.204.141 | Available for detections associated to network events. For example, 'Communication to a malicious network destination'. |
+> | 15 | Url | requestUrl | down.esales360.cn | Available for detections associated to network events. For example, 'Communication to a malicious network destination'. |
+> | 16 | RemediationIsSuccess | deviceCustomNumber2 | TRUE | Available for Windows Defender AV detections. ArcSight value is 1 when TRUE and 0 when FALSE. |
+> | 17 | WasExecutingWhileDetected | deviceCustomNumber1 | FALSE | Available for Windows Defender AV detections. ArcSight value is 1 when TRUE and 0 when FALSE. |
+> | 18 | AlertId | externalId | 636210704265059241_673569822 | Value available for every Detection. |
+> | 19 | LinkToWDATP | flexString1 | `https://securitycenter.windows.com/alert/636210704265059241_673569822` | Value available for every Detection. |
+> | 20 | AlertTime | deviceReceiptTime | 2017-05-07T01:56:59.3191352Z | The time the event occurred. Value available for every Detection. |
+> | 21 | MachineDomain | sourceDnsDomain | contoso.com | Domain name not relevant for AAD joined machines. Value available for every Detection. |
> | 22 | Actor | deviceCustomString4 | BORON | Available for alerts related to a known actor group. |
-> | 21+5 | ComputerDnsName | No mapping | liz-bean.contoso.com | The machine fully qualified domain name. Value available for every alert. |
+> | 21+5 | ComputerDnsName | No mapping | liz-bean.contoso.com | The machine fully qualified domain name. Value available for every Detection. |
> | | LogOnUsers | sourceUserId | contoso\liz-bean; contoso\jay-hardee | The domain and user of the interactive logon user/s at the time of the event. Note: For machines on Windows 10 version 1607, the domain information will not be available. |
> | | InternalIPv4List | No mapping | 192.168.1.7, 10.1.14.1 | List of IPV4 internal IPs for active network interfaces. |
> | | InternalIPv6List | No mapping | fd30:0000:0000:0001:ff4e:003e:0009:000e, FE80:CD00:0000:0CDE:1257:0000:211E:729C | List of IPV6 internal IPs for active network interfaces. |
-> | Internal field | LastProcessedTimeUtc | No mapping | 2017-05-07T01:56:58.9936648Z | Time when event arrived at the backend. This field can be used when setting the request parameter for the range of time that alerts are retrieved. |
+> | Internal field | LastProcessedTimeUtc | No mapping | 2017-05-07T01:56:58.9936648Z | Time when event arrived at the backend. This field can be used when setting the request parameter for the range of time that detections are retrieved. |
> | | Not part of the schema | deviceVendor | | Static value in the ArcSight mapping - 'Microsoft'. |
> | | Not part of the schema | deviceProduct | | Static value in the ArcSight mapping - 'Microsoft Defender ATP'. |
> | | Not part of the schema | deviceVersion | | Static value in the ArcSight mapping - '2.0', used to identify the mapping versions.
@@ -88,7 +91,7 @@ Field numbers match the numbers in the images below.
## Related topics
- [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md)
-- [Configure Splunk to pull Microsoft Defender ATP alerts](configure-splunk.md)
-- [Configure ArcSight to pull Microsoft Defender ATP alerts](configure-arcsight.md)
-- [Pull Microsoft Defender ATP alerts using REST API](pull-alerts-using-rest-api.md)
+- [Configure Splunk to pull Microsoft Defender ATP detections](configure-splunk.md)
+- [Configure ArcSight to pull Microsoft Defender ATP detections](configure-arcsight.md)
+- [Pull Microsoft Defender ATP detections using REST API](pull-alerts-using-rest-api.md)
- [Troubleshoot SIEM tool integration issues](troubleshoot-siem.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-power-bi-user-token.md b/windows/security/threat-protection/microsoft-defender-atp/api-power-bi.md
similarity index 50%
rename from windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-power-bi-user-token.md
rename to windows/security/threat-protection/microsoft-defender-atp/api-power-bi.md
index 01dbb65739..4c582017dc 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-power-bi-user-token.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/api-power-bi.md
@@ -1,14 +1,14 @@
---
-title: Advanced Hunting API
+title: Microsoft Defender ATP APIs connection to Power BI
ms.reviewer:
-description: Use this API to run advanced queries
-keywords: apis, supported apis, advanced hunting, query
+description: Create custom reports using Power BI
+keywords: apis, supported apis, Power BI, reports
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-ms.author: mjcaparas
+ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
@@ -17,24 +17,17 @@ ms.collection: M365-security-compliance
ms.topic: article
---
-# Create custom reports using Power BI (user authentication)
+# Create custom reports using Power BI
-**Applies to:**
+**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-[!include[Prerelease information](prerelease.md)]
+In this section you will learn create a Power BI report on top of Microsoft Defender ATP APIs.
-Run advanced queries and show results in Microsoft Power BI. Please read about [Advanced Hunting API](run-advanced-query-api.md) before.
+The first example demonstrates how to connect Power BI to Advanced Hunting API and the second example demonstrates a connection to our OData APIs (e.g. Machine Actions, Alerts, etc..)
-In this section we share Power BI query sample to run a query using **user token**.
-
-If you want to use **application token** instead please refer to [this](run-advanced-query-sample-power-bi-app-token.md) tutorial.
-
-## Before you begin
-You first need to [create an app](exposed-apis-create-app-nativeapp.md).
-
-## Run a query
+## Connect Power BI to Advanced Hunting API
- Open Microsoft Power BI
@@ -46,18 +39,15 @@ You first need to [create an app](exposed-apis-create-app-nativeapp.md).
-- Copy the below and paste it in the editor, after you update the values of Query
+- Copy the below and paste it in the editor:
- ```
+```
let
+ AdvancedHuntingQuery = "MiscEvents | where ActionType contains 'Anti'",
- Query = "MachineInfo | where EventTime > ago(7d) | summarize EventCount=count(), LastSeen=max(EventTime) by MachineId",
+ HuntingUrl = "https://api.securitycenter.windows.com/api/advancedqueries",
- FormattedQuery= Uri.EscapeDataString(Query),
-
- AdvancedHuntingUrl = "https://api.securitycenter.windows.com/api/advancedqueries?key=" & FormattedQuery,
-
- Response = Json.Document(Web.Contents(AdvancedHuntingUrl)),
+ Response = Json.Document(Web.Contents(HuntingUrl, [Query=[key=AdvancedHuntingQuery]])),
TypeMap = #table(
{ "Type", "PowerBiType" },
@@ -88,12 +78,10 @@ You first need to [create an app](exposed-apis-create-app-nativeapp.md).
in Table
- ```
+```
- Click **Done**
- 
-
- Click **Edit Credentials**
@@ -108,13 +96,32 @@ You first need to [create an app](exposed-apis-create-app-nativeapp.md).
-- View the results of your query
+- Now the results of your query will appear as table and you can start build visualizations on top of it!
- 
+- You can duplicate this table, rename it and edit the Advanced Hunting query inside to get any data you would like.
+
+## Connect Power BI to OData APIs
+
+- The only difference from the above example is the query inside the editor.
+
+- Copy the below and paste it in the editor to pull all **Machine Actions** from your organization:
+
+```
+ let
+
+ Query = "MachineActions",
+
+ Source = OData.Feed("https://api.securitycenter.windows.com/api/" & Query, null, [Implementation="2.0", MoreColumns=true])
+ in
+ Source
+
+```
+
+- You can do the same for **Alerts** and **Machines**.
+
+- You also can use OData queries for queries filters, see [Using OData Queries](exposed-apis-odata-samples.md)
## Related topic
-- [Create custom Power BI reports with app authentication](run-advanced-query-sample-power-bi-app-token.md)
- [Microsoft Defender ATP APIs](apis-intro.md)
- [Advanced Hunting API](run-advanced-query-api.md)
-- [Advanced Hunting using PowerShell](run-advanced-query-sample-powershell.md)
-- [Schedule Advanced Hunting](run-advanced-query-sample-ms-flow.md)
+- [Using OData Queries](exposed-apis-odata-samples.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-terms-of-use.md b/windows/security/threat-protection/microsoft-defender-atp/api-terms-of-use.md
index 122b141332..e526a20669 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/api-terms-of-use.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/api-terms-of-use.md
@@ -22,6 +22,12 @@ ms.topic: article
Microsoft Defender ATP APIs are governed by [Microsoft API License and Terms of use](https://docs.microsoft.com/legal/microsoft-apis/terms-of-use).
+### Throttling limits
+
+Name | Calls | Renewal period
+:---|:---|:---
+API calls per connection | 100 | 60 seconds
+
## Legal Notices
diff --git a/windows/security/threat-protection/microsoft-defender-atp/apis-intro.md b/windows/security/threat-protection/microsoft-defender-atp/apis-intro.md
index e97f64fda4..84db47e022 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/apis-intro.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/apis-intro.md
@@ -8,7 +8,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-ms.author: mjcaparas
+ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
@@ -22,7 +22,7 @@ ms.topic: conceptual
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
Microsoft Defender ATP exposes much of its data and actions through a set of programmatic APIs. Those APIs will enable you to automate workflows and innovate based on Microsoft Defender ATP capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](https://docs.microsoft.com/azure/active-directory/develop/active-directory-v2-protocols-oauth-code).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/assign-portal-access.md b/windows/security/threat-protection/microsoft-defender-atp/assign-portal-access.md
index f7afee3646..0924219800 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/assign-portal-access.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/assign-portal-access.md
@@ -25,7 +25,7 @@ ms.date: 11/28/2018
- Office 365
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-assignaccess-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-assignaccess-abovefoldlink)
Microsoft Defender ATP supports two ways to manage permissions:
diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-simulations.md b/windows/security/threat-protection/microsoft-defender-atp/attack-simulations.md
index ad94b7494d..f39d0ddd2f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/attack-simulations.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/attack-simulations.md
@@ -24,7 +24,7 @@ ms.date: 11/20/2018
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-attacksimulations-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-attacksimulations-abovefoldlink)
>[!TIP]
>- Learn about the latest enhancements in Microsoft Defender ATP: [What's new in Microsoft Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/).
@@ -58,7 +58,7 @@ Read the walkthrough document provided with each attack scenario. Each document
> Simulation files or scripts mimic attack activity but are actually benign and will not harm or compromise the test machine.
>
>
-> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-attacksimulations-belowfoldlink)
+> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-attacksimulations-belowfoldlink)
## Related topics
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md
rename to windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md
similarity index 80%
rename from windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
rename to windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md
index e78eb77ef5..311f6803b0 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md
@@ -9,6 +9,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
+audience: ITPro
author: levinec
ms.author: ellevin
ms.date: 05/07/2019
@@ -16,32 +17,28 @@ ms.reviewer:
manager: dansimp
---
-# Reduce attack surfaces with attack surface reduction rules
+# Reduce attack surfaces with attack surface reduction rules
**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+> [!IMPORTANT]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
->[!IMPORTANT]
->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
-
-Attack surface reduction rules help prevent behaviors malware often uses to infect computers with malicious code. You can set attack surface reduction rules for computers running Windows 10, versions 1709 and 1803 or later, Windows Server, version 1803 (Semi-Annual Channel) or later, or Windows Server 2019.
-
+Attack surface reduction rules help prevent behaviors malware often uses to infect computers with malicious code. You can set attack surface reduction rules for computers running Windows 10, versions 1709 and 1803 or later, Windows Server, version 1803 (Semi-Annual Channel) or later, or Windows Server 2019.
To use attack surface reduction rules, you need a Windows 10 Enterprise license. If you have a Windows E5 license, it gives you the advanced management capabilities to power them. These include monitoring, analytics, and workflows available in [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md), as well as reporting and configuration capabilities in the Microsoft 365 Security Center. These advanced capabilities aren't available with an E3 license or with Windows 10 Enterprise without subscription, but you can use attack surface reduction rule events in Event Viewer to help facilitate deployment.
-
Attack surface reduction rules target behaviors that malware and malicious apps typically use to infect computers, including:
-- Executable files and scripts used in Office apps or web mail that attempt to download or run files
-- Obfuscated or otherwise suspicious scripts
-- Behaviors that apps don't usually initiate during normal day-to-day work
+* Executable files and scripts used in Office apps or web mail that attempt to download or run files
+* Obfuscated or otherwise suspicious scripts
+* Behaviors that apps don't usually initiate during normal day-to-day work
-You can use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how attack surface reduction rules would impact your organization if they were enabled. It's best to run all rules in audit mode first so you can understand their impact on your line-of-business applications. Many line-of-business applications are written with limited security concerns, and they may perform tasks similar to malware. By monitoring audit data and [adding exclusions](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction#exclude-files-and-folders-from-asr-rules) for necessary applications, you can deploy attack surface reduction rules without impacting productivity.
+You can use [audit mode](audit-windows-defender.md) to evaluate how attack surface reduction rules would impact your organization if they were enabled. It's best to run all rules in audit mode first so you can understand their impact on your line-of-business applications. Many line-of-business applications are written with limited security concerns, and they may perform tasks similar to malware. By monitoring audit data and [adding exclusions](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction#exclude-files-and-folders-from-asr-rules) for necessary applications, you can deploy attack surface reduction rules without impacting productivity.
-Triggered rules display a notification on the device. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. The notification also displays in the Microsoft Defender Security Center and in the Microsoft 365 securty center.
+Triggered rules display a notification on the device. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. The notification also displays in the Microsoft Defender Security Center and in the Microsoft 365 securty center.
For information about configuring attack surface reduction rules, see [Enable attack surface reduction rules](enable-attack-surface-reduction.md).
@@ -49,11 +46,11 @@ For information about configuring attack surface reduction rules, see [Enable at
Microsoft Defender ATP provides detailed reporting into events and blocks as part of its alert investigation scenarios.
-You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender-exploit-guard.md), you can use Advanced hunting to see how controlled folder access settings could affect your environment.
+You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender.md), you can use Advanced hunting to see how controlled folder access settings could affect your environment.
-Here is an example query:
+Here is an example query:
-```
+```PowerShell
MiscEvents
| where ActionType startswith 'Asr'
```
@@ -62,13 +59,13 @@ MiscEvents
You can review the Windows event log to view events that are created when attack surface reduction rules fire:
-1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *cfa-events.xml* to an easily accessible location on the machine.
+1. Download the [Evaluation Package](https://aka.ms/mp7z2w) and extract the file *cfa-events.xml* to an easily accessible location on the machine.
2. Type **Event Viewer** in the Start menu to open the Windows Event Viewer.
3. Click **Import custom view...** on the left panel, under **Actions**.
-
-4. Select the file *cfa-events.xml* from where it was extracted. Alternatively, [copy the XML directly](event-views-exploit-guard.md).
+
+4. Select the file *cfa-events.xml* from where it was extracted. Alternatively, [copy the XML directly](event-views.md).
5. Click **OK**.
@@ -82,13 +79,12 @@ Event ID | Description
The "engine version" of attack surface reduction events in the event log, is generated by Microsoft Defender ATP, not the operating system. Microsoft Defender ATP is integrated with Windows 10, so this feature works on all machines with Windows 10 installed.
-
## Attack surface reduction rules
The following sections describe each of the 15 attack surface reduction rules. This table shows their corresponding GUIDs, which you use if you're configuring the rules with Group Policy or PowerShell. If you use System Center Configuration Manager or Microsoft Intune, you do not need the GUIDs:
-Rule name | GUID | File & folder exclusions
--|-|-
+ Rule name | GUID | File & folder exclusions
+-----------|------|--------------------------
Block executable content from email client and webmail | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 | Supported
Block all Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A | Supported
Block Office applications from creating executable content | 3B576869-A4EC-4529-8536-B80A7769E899 | Supported
@@ -111,8 +107,8 @@ Each rule description indicates which apps or file types the rule applies to. In
This rule blocks the following file types from launching from email in Microsoft Outlook or Outlook.com and other popular webmail providers:
-- Executable files (such as .exe, .dll, or .scr)
-- Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file)
+* Executable files (such as .exe, .dll, or .scr)
+* Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file)
This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, SCCM CB 1710
@@ -138,7 +134,7 @@ GUID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A
### Block Office applications from creating executable content
-This rule prevents Office apps, including Word, Excel, and PowerPoint, from creating executable content.
+This rule prevents Office apps, including Word, Excel, and PowerPoint, from creating executable content.
This rule targets a typical behavior where malware uses Office as a vector to break out of Office and save malicious components to disk, where they persist and survive a computer reboot. This rule prevents malicious code from being written to disk.
@@ -154,7 +150,7 @@ GUID: 3B576869-A4EC-4529-8536-B80A7769E899
Attackers might attempt to use Office apps to migrate malicious code into other processes through code injection, so the code can masquerade as a clean process. This rule blocks code injection attempts from Office apps into other processes. There are no known legitimate business purposes for using code injection.
-This rule applies to Word, Excel, and PowerPoint.
+This rule applies to Word, Excel, and PowerPoint.
This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, SCCM CB 1710
@@ -166,12 +162,12 @@ GUID: 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84
### Block JavaScript or VBScript from launching downloaded executable content
-Malware often uses JavaScript and VBScript scripts to launch other malicious apps.
+Malware often uses JavaScript and VBScript scripts to launch other malicious apps.
-Malware written in JavaScript or VBS often acts as a downloader to fetch and launch additional native payload from the Internet. This rule prevents scripts from launching downloaded content, helping to prevent malicious use of the scripts to spread malware and infect machines. This isn't a common line-of-business use, but line-of-business applications sometimes use scripts to download and launch installers.
+Malware written in JavaScript or VBS often acts as a downloader to fetch and launch additional native payload from the Internet. This rule prevents scripts from launching downloaded content, helping to prevent malicious use of the scripts to spread malware and infect machines. This isn't a common line-of-business use, but line-of-business applications sometimes use scripts to download and launch installers.
->[!IMPORTANT]
->File and folder exclusions don't apply to this attack surface reduction rule.
+> [!IMPORTANT]
+> File and folder exclusions don't apply to this attack surface reduction rule.
This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, SCCM CB 1710
@@ -206,16 +202,16 @@ SCCM name: Block Win32 API calls from Office macros
GUID: 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
### Block executable files from running unless they meet a prevalence, age, or trusted list criterion
-
+
This rule blocks the following file types from launching unless they either meet prevalence or age criteria, or they're in a trusted list or exclusion list:
-
-- Executable files (such as .exe, .dll, or .scr)
->[!NOTE]
->You must [enable cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) to use this rule.
+* Executable files (such as .exe, .dll, or .scr)
->[!IMPORTANT]
->The rule **Block executable files from running unless they meet a prevalence, age, or trusted list criterion** with GUID 01443614-cd74-433a-b99e-2ecdc07bfc25 is owned by Microsoft and is not specified by admins. It uses cloud-delivered protection to update its trusted list regularly.
+> [!NOTE]
+> You must [enable cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) to use this rule.
+
+> [!IMPORTANT]
+> The rule **Block executable files from running unless they meet a prevalence, age, or trusted list criterion** with GUID 01443614-cd74-433a-b99e-2ecdc07bfc25 is owned by Microsoft and is not specified by admins. It uses cloud-delivered protection to update its trusted list regularly.
>
>You can specify individual files or folders (using folder paths or fully qualified resource names) but you can't specify which rules or exclusions apply to.
@@ -226,13 +222,13 @@ Intune name: Executables that don't meet a prevalence, age, or trusted list crit
SCCM name: Block executable files from running unless they meet a prevalence, age, or trusted list criteria
GUID: 01443614-cd74-433a-b99e-2ecdc07bfc25
-
+
### Use advanced protection against ransomware
-
+
This rule provides an extra layer of protection against ransomware. It scans executable files entering the system to determine whether they're trustworthy. If the files closely resemble ransomware, this rule blocks them from running, unless they're in a trusted list or exclusion list.
->[!NOTE]
->You must [enable cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) to use this rule.
+> [!NOTE]
+> You must [enable cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) to use this rule.
This rule was introduced in: Windows 10 1803, Windows Server 1809, Windows Server 2019, SCCM CB 1802
@@ -241,14 +237,14 @@ Intune name: Advanced ransomware protection
SCCM name: Use advanced protection against ransomware
GUID: c1db55ab-c21a-4637-bb3f-a12568109d35
-
+
### Block credential stealing from the Windows local security authority subsystem (lsass.exe)
-
+
Local Security Authority Subsystem Service (LSASS) authenticates users who log in to a Windows computer. Microsoft Defender Credential Guard in Windows 10 normally prevents attempts to extract credentials from LSASS. However, some organizations can't enable Credential Guard on all of their computers because of compatibility issues with custom smartcard drivers or other programs that load into the Local Security Authority (LSA). In these cases, attackers can use tools like Mimikatz to scrape cleartext passwords and NTLM hashes from LSASS. This rule helps mitigate that risk by locking down LSASS.
- >[!NOTE]
- >In some apps, the code enumerates all running processes and attempts to open them with exhaustive permissions. This rule denies the app's process open action and logs the details to the security event log. This rule can generate a lot of noise. If you have an app that overly enumerates LSASS, you need to add it to the exclusion list. By itself, this event log entry doesn't necessarily indicate a malicious threat.
-
+> [!NOTE]
+> In some apps, the code enumerates all running processes and attempts to open them with exhaustive permissions. This rule denies the app's process open action and logs the details to the security event log. This rule can generate a lot of noise. If you have an app that overly enumerates LSASS, you need to add it to the exclusion list. By itself, this event log entry doesn't necessarily indicate a malicious threat.
+
This rule was introduced in: Windows 10 1803, Windows Server 1809, Windows Server 2019, SCCM CB 1802
Intune name: Flag credential stealing from the Windows local security authority subsystem
@@ -261,26 +257,26 @@ GUID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
This rule blocks processes through PsExec and WMI commands from running, to prevent remote code execution that can spread malware attacks.
->[!IMPORTANT]
->File and folder exclusions do not apply to this attack surface reduction rule.
+> [!IMPORTANT]
+> File and folder exclusions do not apply to this attack surface reduction rule.
->[!WARNING]
->Only use this rule if you're managing your devices with [Intune](https://docs.microsoft.com/intune) or another MDM solution. This rule is incompatible with management through [System Center Configuration Manager](https://docs.microsoft.com/sccm) because this rule blocks WMI commands the SCCM client uses to function correctly.
+> [!WARNING]
+> Only use this rule if you're managing your devices with [Intune](https://docs.microsoft.com/intune) or another MDM solution. This rule is incompatible with management through [System Center Configuration Manager](https://docs.microsoft.com/sccm) because this rule blocks WMI commands the SCCM client uses to function correctly.
-This rule was introduced in: Windows 10 1803, Windows Server 1809, Windows Server 2019, SCCM CB 1802
+This rule was introduced in: Windows 10 1803, Windows Server 1809, Windows Server 2019
Intune name: Process creation from PSExec and WMI commands
SCCM name: Not applicable
GUID: d1e49aac-8f56-4280-b9ba-993a6d77406c
-
+
### Block untrusted and unsigned processes that run from USB
-
+
With this rule, admins can prevent unsigned or untrusted executable files from running from USB removable drives, including SD cards. Blocked file types include:
-
-- Executable files (such as .exe, .dll, or .scr)
-- Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file)
+
+* Executable files (such as .exe, .dll, or .scr)
+* Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file)
This rule was introduced in: Windows 10 1803, Windows Server 1809, Windows Server 2019, SCCM CB 1802
@@ -294,10 +290,10 @@ GUID: b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
This rule prevents Outlook from creating child processes. It protects against social engineering attacks and prevents exploit code from abusing a vulnerability in Outlook. To achieve this, the rule prevents the launch of additional payload while still allowing legitimate Outlook functions. It also protects against [Outlook rules and forms exploits](https://blogs.technet.microsoft.com/office365security/defending-against-rules-and-forms-injection/) that attackers can use when a user's credentials are compromised.
->[!NOTE]
->This rule applies to Outlook and Outlook.com only.
+> [!NOTE]
+> This rule applies to Outlook and Outlook.com only.
-This rule was introduced in: Windows 10 1809, Windows Server 1809, Windows Server 2019, SCCM CB 1810
+This rule was introduced in: Windows 10 1809, Windows Server 1809, Windows Server 2019
Intune name: Process creation from Office communication products (beta)
@@ -307,19 +303,21 @@ GUID: 26190899-1602-49e8-8b27-eb1d0a1ce869
### Block Adobe Reader from creating child processes
-Through social engineering or exploits, malware can download and launch additional payloads and break out of Adobe Reader. This rule prevents attacks like this by blocking Adobe Reader from creating additional processes.
+Through social engineering or exploits, malware can download and launch additional payloads and break out of Adobe Reader. This rule prevents attacks like this by blocking Adobe Reader from creating additional processes.
-This rule was introduced in: Windows 10 1809, Windows Server 1809, Windows Server 2019, SCCM CB 1810
+This rule was introduced in: Windows 10 1809, Windows Server 1809, Windows Server 2019
Intune name: Process creation from Adobe Reader (beta)
-SCCM name: Not applicable
+SCCM name: Not yet available
GUID: 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
### Block persistence through WMI event subscription
-Fileless threats employ various tactics to stay hidden, to avoid being seen in the file system, and to gain periodic execution control. Some threats can abuse the WMI repository and event model to stay hidden. With this rule, admins can prevent threats that abuse WMI to persist and stay hidden in WMI repository.
+Fileless threats employ various tactics to stay hidden, to avoid being seen in the file system, and to gain periodic execution control. Some threats can abuse the WMI repository and event model to stay hidden. With this rule, admins can prevent threats that abuse WMI to persist and stay hidden in WMI repository.
+
+This rule was introduced in: Windows 10 1903, Windows Server 1903
Intune name: Block persistence through WMI event subscription
@@ -329,7 +327,6 @@ GUID: e6db77e5-3df2-4cf1-b95a-636979351e5b
## Related topics
-- [Enable attack surface reduction rules](enable-attack-surface-reduction.md)
-- [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md)
-- [Compatibility of Microsoft Defender with other antivirus/antimalware](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility)
-
+* [Enable attack surface reduction rules](enable-attack-surface-reduction.md)
+* [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md)
+* [Compatibility of Microsoft Defender with other antivirus/antimalware](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility)
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md b/windows/security/threat-protection/microsoft-defender-atp/audit-windows-defender.md
similarity index 65%
rename from windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md
rename to windows/security/threat-protection/microsoft-defender-atp/audit-windows-defender.md
index dd9c960c79..cb5f42efe4 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/audit-windows-defender.md
@@ -9,6 +9,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
+audience: ITPro
author: levinec
ms.author: ellevin
ms.date: 04/02/2019
@@ -16,12 +17,11 @@ ms.reviewer:
manager: dansimp
---
-
-# Use audit mode
+# Use audit mode
**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
You can enable attack surface reduction rules, exploit protection, network protection, and controlled folder access in audit mode. This lets you see a record of what *would* have happened if you had enabled the feature.
@@ -33,25 +33,23 @@ To find the audited entries, go to **Applications and Services** > **Microsoft**
You can use Windows Defender Advanced Threat Protection to get greater details for each event, especially for investigating attack surface reduction rules. Using the Microsoft Defender ATP console lets you [investigate issues as part of the alert timeline and investigation scenarios](../microsoft-defender-atp/investigate-alerts.md).
-This topic provides links that describe how to enable the audit functionality for each feature and how to view events in the Windows Event Viewer.
+This topic provides links that describe how to enable the audit functionality for each feature and how to view events in the Windows Event Viewer.
You can use Group Policy, PowerShell, and configuration service providers (CSPs) to enable audit mode.
>[!TIP]
>You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the features are working and see how they work.
-
-|Audit options | How to enable audit mode | How to view events |
-|- | - | - |
-|Audit applies to all events | [Enable controlled folder access](enable-controlled-folders-exploit-guard.md) | [Controlled folder access events](evaluate-controlled-folder-access.md#review-controlled-folder-access-events-in-windows-event-viewer) |
-|Audit applies to individual rules | [Enable attack surface reduction rules](enable-attack-surface-reduction.md) | [Attack surface reduction rule events](evaluate-attack-surface-reduction.md#review-attack-surface-reduction-events-in-windows-event-viewer) |
-|Audit applies to all events | [Enable network protection](enable-network-protection.md) | [Network protection events](evaluate-network-protection.md#review-network-protection-events-in-windows-event-viewer) |
-|Audit applies to individual mitigations | [Enable exploit protection](enable-exploit-protection.md) | [Exploit protection events](exploit-protection-exploit-guard.md#review-exploit-protection-events-in-windows-event-viewer) |
-
+ Audit options | How to enable audit mode | How to view events
+-|-|-
+Audit applies to all events | [Enable controlled folder access](enable-controlled-folders.md) | [Controlled folder access events](evaluate-controlled-folder-access.md#review-controlled-folder-access-events-in-windows-event-viewer)
+Audit applies to individual rules | [Enable attack surface reduction rules](enable-attack-surface-reduction.md) | [Attack surface reduction rule events](evaluate-attack-surface-reduction.md#review-attack-surface-reduction-events-in-windows-event-viewer)
+Audit applies to all events | [Enable network protection](enable-network-protection.md) | [Network protection events](evaluate-network-protection.md#review-network-protection-events-in-windows-event-viewer)
+|Audit applies to individual mitigations | [Enable exploit protection](enable-exploit-protection.md) | [Exploit protection events](exploit-protection.md#review-exploit-protection-events-in-windows-event-viewer)
## Related topics
-- [Protect devices from exploits](exploit-protection-exploit-guard.md)
-- [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction-exploit-guard.md)
-- [Protect your network](network-protection-exploit-guard.md)
-- [Protect important folders](controlled-folders-exploit-guard.md)
+* [Protect devices from exploits](exploit-protection.md)
+* [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction.md)
+* [Protect your network](network-protection.md)
+* [Protect important folders](controlled-folders.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md
index 7e77ed48e3..0d2841c46b 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md
@@ -19,7 +19,7 @@ ms.topic: conceptual
# Overview of Automated investigations
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automated-investigations-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automated-investigations-abovefoldlink)
The Microsoft Defender ATP service has a wide breadth of visibility on multiple machines. With this kind of optics, the service generates a multitude of alerts. The volume of alerts generated can be challenging for a typical security operations team to individually address.
@@ -40,7 +40,7 @@ Entities are the starting point for Automated investigations. When an alert cont
>- Windows 10, version 1803 (OS Build 17134.704 with [KB4493464](https://support.microsoft.com/en-us/help/4493464/windows-10-update-kb4493464)) or later
>- Later versions of Windows 10
-The alerts start by analyzing the supported entities from the alert and also runs a generic machine playbook to see if there is anything else suspicious on that machine. The outcome and details from the investigation is seen in the Automated investigation view.
+The Automated investigation starts by analyzing the supported entities from the alert and also runs a generic machine playbook to see if there is anything else suspicious on that machine. The outcome and details from the investigation is seen in the Automated investigation view.
### Details of an Automated investigation
@@ -85,4 +85,4 @@ The default machine group is configured for semi-automatic remediation. This mea
When a pending action is approved, the entity is then remediated and this new state is reflected in the **Entities** tab of the investigation.
## Related topic
-- [Learn about the automated investigations dashboard](manage-auto-investigation.md)
\ No newline at end of file
+- [Learn about the automated investigations dashboard](manage-auto-investigation.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/basic-permissions.md b/windows/security/threat-protection/microsoft-defender-atp/basic-permissions.md
index 861f47388c..6cad0006a9 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/basic-permissions.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/basic-permissions.md
@@ -23,7 +23,7 @@ ms.topic: article
- Azure Active Directory
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-basicaccess-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-basicaccess-abovefoldlink)
Refer to the instructions below to use basic permissions management.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/check-sensor-status.md b/windows/security/threat-protection/microsoft-defender-atp/check-sensor-status.md
index 8057947dc2..6fcd846c60 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/check-sensor-status.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/check-sensor-status.md
@@ -23,7 +23,7 @@ ms.date: 04/24/2018
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-checksensor-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-checksensor-abovefoldlink)
The sensor health tile is found on the Security Operations dashboard. This tile provides information on the individual machine’s ability to provide sensor data and communicate with the Microsoft Defender ATP service. It reports how many machines require attention and helps you identify problematic machines and take action to correct known issues.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/commercial-gov.md b/windows/security/threat-protection/microsoft-defender-atp/commercial-gov.md
index dfff630e9d..7adc0c6ece 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/commercial-gov.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/commercial-gov.md
@@ -71,6 +71,10 @@ The following capabilities are not currently available:
- Integration with third-party products
+## Email notifications
+Not currently available.
+
+
## Integrations
Integrations with the following Microsoft products are not currently available:
- Azure Security Center
diff --git a/windows/security/threat-protection/microsoft-defender-atp/conditional-access.md b/windows/security/threat-protection/microsoft-defender-atp/conditional-access.md
index 396e2730fb..eb36f604f9 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/conditional-access.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/conditional-access.md
@@ -24,7 +24,7 @@ ms.topic: article
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-conditionalaccess-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-conditionalaccess-abovefoldlink)
Conditional Access is a capability that helps you better protect your users and enterprise information by making sure that only secure devices have access to applications.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md b/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md
index 1eadc36802..f6f11da946 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md
@@ -22,7 +22,7 @@ ms.date: 04/11/2019
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>[!NOTE]
-> Secure score is now part of Threat & Vulnerability Management as Configuration score. The secure score page will be available for a few weeks. View the [Secure score](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score) page.
+> Secure score is now part of Threat & Vulnerability Management as Configuration score. The secure score page will be available for a few weeks.
The Microsoft Defender Advanced Threat Protection Configuration score gives you visibility and control over the security posture of your organization based on security best practices. High configuration score means your endpoints are more resilient from cybersecurity threat attacks.
@@ -34,6 +34,8 @@ Your configuration score widget shows the collective security configuration stat
- Security controls
## How it works
+>[!NOTE]
+> Configuration score currently supports configurations set via Group Policy. Due to the current partial Intune support, configurations which might have been set through Intune might show up as misconfigured. Contact your IT Administrator to verify the actual configuration status in case your organization is using Intune for secure configuration management.
The data in the configuration score widget is the product of meticulous and ongoing vulnerability discovery process aggregated with configuration discovery assessments that continuously:
- Compare collected configurations to the collected benchmarks to discover misconfigured assets
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-and-manage-tvm.md b/windows/security/threat-protection/microsoft-defender-atp/configure-and-manage-tvm.md
index 0911a2d722..9356c13eb8 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-and-manage-tvm.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-and-manage-tvm.md
@@ -9,7 +9,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-ms.author: mjcaparas
+ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md b/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md
index 22c9359f44..65f1d888f8 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md
@@ -1,6 +1,6 @@
---
-title: Configure HP ArcSight to pull Microsoft Defender ATP alerts
-description: Configure HP ArcSight to receive and pull alerts from Microsoft Defender Security Center
+title: Configure HP ArcSight to pull Microsoft Defender ATP detections
+description: Configure HP ArcSight to receive and pull detections from Microsoft Defender Security Center
keywords: configure hp arcsight, security information and events management tools, arcsight
search.product: eADQiWindows 10XVcnh
search.appverid: met150
@@ -15,10 +15,9 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
-ms.date: 12/20/2018
---
-# Configure HP ArcSight to pull Microsoft Defender ATP alerts
+# Configure HP ArcSight to pull Microsoft Defender ATP detections
**Applies to:**
@@ -27,12 +26,16 @@ ms.date: 12/20/2018
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configurearcsight-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configurearcsight-abovefoldlink)
-You'll need to install and configure some files and tools to use HP ArcSight so that it can pull Microsoft Defender ATP alerts.
+You'll need to install and configure some files and tools to use HP ArcSight so that it can pull Microsoft Defender ATP detections.
+
+>[!Note]
+>- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections
+>- [Microsoft Defender ATP Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Machine and its related Alert details.
## Before you begin
-Configuring the HP ArcSight Connector tool requires several configuration files for it to pull and parse alerts from your Azure Active Directory (AAD) application.
+Configuring the HP ArcSight Connector tool requires several configuration files for it to pull and parse detections from your Azure Active Directory (AAD) application.
This section guides you in getting the necessary information to set and use the required configuration files correctly.
@@ -163,7 +166,7 @@ The following steps assume that you have completed all the required steps in [Be
You can now run queries in the HP ArcSight console.
-Microsoft Defender ATP alerts will appear as discrete events, with "Microsoft” as the vendor and “Windows Defender ATP” as the device name.
+Microsoft Defender ATP detections will appear as discrete events, with "Microsoft” as the vendor and “Windows Defender ATP” as the device name.
## Troubleshooting HP ArcSight connection
@@ -187,6 +190,6 @@ Microsoft Defender ATP alerts will appear as discrete events, with "Microsoft”
## Related topics
- [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md)
-- [Configure Splunk to pull Microsoft Defender ATP alerts](configure-splunk.md)
-- [Pull Microsoft Defender ATP alerts using REST API](pull-alerts-using-rest-api.md)
+- [Configure Splunk to pull Microsoft Defender ATP detections](configure-splunk.md)
+- [Pull Microsoft Defender ATP detections using REST API](pull-alerts-using-rest-api.md)
- [Troubleshoot SIEM tool integration issues](troubleshoot-siem.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/configure-attack-surface-reduction.md
index 0d8f88aa59..d0dfe6add3 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-attack-surface-reduction.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-attack-surface-reduction.md
@@ -1,15 +1,14 @@
---
-title:
-ms.reviewer:
-description:
-keywords:
+title: Configure attack surface reduction
+description: Configure attack surface reduction
+keywords: asr, attack surface reduction, windows defender, microsoft defender, antivirus, av
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-ms.author: mjcaparas
+ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
@@ -23,22 +22,21 @@ ms.date: 07/01/2018
You can configure attack surface reduction with a number of tools, including:
-- Microsoft Intune
-- System Center Configuration Manager
-- Group Policy
-- PowerShell cmdlets
-
+* Microsoft Intune
+* System Center Configuration Manager
+* Group Policy
+* PowerShell cmdlets
The topics in this section describe how to configure attack surface reduction. Each topic includes instructions for the applicable configuration tool (or tools).
## In this section
+
Topic | Description
-:---|:---
+-|-
[Enable hardware-based isolation for Microsoft Edge](../windows-defender-application-guard/install-wd-app-guard.md) | How to preprare for and install Application Guard, including hardware and softeware requirements
[Enable application control](../windows-defender-application-control/windows-defender-application-control.md)|How to control applications run by users and potect kernel mode processes
-[Exploit protection](../windows-defender-exploit-guard/enable-exploit-protection.md)|How to automatically apply exploit mitigation techniques on both operating system processes and on individual apps
-[Network protection](../windows-defender-exploit-guard/enable-network-protection.md)|How to prevent users from using any apps to acces dangerous domains
-[Controlled folder access](../windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md)|How to protect valuable data from malicious apps
-[Attack surface reduction](../windows-defender-exploit-guard/enable-attack-surface-reduction.md)|How to prevent actions and apps that are typically used for by exploit-seeking malware
+[Exploit protection](./enable-exploit-protection.md)|How to automatically apply exploit mitigation techniques on both operating system processes and on individual apps
+[Network protection](./enable-network-protection.md)|How to prevent users from using any apps to acces dangerous domains
+[Controlled folder access](./enable-controlled-folders.md)|How to protect valuable data from malicious apps
+[Attack surface reduction](./enable-attack-surface-reduction.md)|How to prevent actions and apps that are typically used for by exploit-seeking malware
[Network firewall](../windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md)|How to protect devices and data across a network
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-conditional-access.md b/windows/security/threat-protection/microsoft-defender-atp/configure-conditional-access.md
index 3c3fa5ffff..97cc98af49 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-conditional-access.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-conditional-access.md
@@ -104,4 +104,4 @@ Take the following steps to enable Conditional Access:
For more information, see [Enable Microsoft Defender ATP with Conditional Access in Intune](https://docs.microsoft.com/intune/advanced-threat-protection).
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-conditionalaccess-belowfoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-conditionalaccess-belowfoldlink)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications.md b/windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications.md
index a381b9ef5a..e0e025ebc9 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications.md
@@ -23,7 +23,7 @@ ms.topic: article
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-emailconfig-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-emailconfig-abovefoldlink)
You can configure Microsoft Defender ATP to send email notifications to specified recipients for new alerts. This feature enables you to identify a group of individuals who will immediately be informed and can act on alerts based on their severity.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp.md
index 5e84c75371..914b140411 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp.md
@@ -29,12 +29,14 @@ ms.date: 04/24/2018
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configureendpointsgp-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configureendpointsgp-abovefoldlink)
> [!NOTE]
> To use Group Policy (GP) updates to deploy the package, you must be on Windows Server 2008 R2 or later.
+> For Windows Server 2019, you may need to replace NT AUTHORITY\Well-Known-System-Account with NT AUTHORITY\SYSTEM of the XML file that the Group Policy preference creates.
+
## Onboard machines using Group Policy
1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from [Microsoft Defender Security Center](https://securitycenter.windows.com/):
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm.md
index 88aa16e2cf..9710f0d825 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm.md
@@ -25,7 +25,7 @@ ms.date: 12/06/2018
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configureendpointsmdm-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configureendpointsmdm-abovefoldlink)
You can use mobile device management (MDM) solutions to configure machines. Microsoft Defender ATP supports MDMs by providing OMA-URIs to create policies to manage machines.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows.md
index 8be4bddd06..b5ebde69de 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows.md
@@ -24,7 +24,7 @@ ms.topic: article
- Linux
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-nonwindows-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-nonwindows-abovefoldlink)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md
index f1e4b4412d..ab167bc4fd 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md
@@ -28,7 +28,7 @@ ms.date: 12/11/2018
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configureendpointssccm-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configureendpointssccm-abovefoldlink)
## Onboard Windows 10 machines using System Center Configuration Manager (current branch) version 1606
@@ -36,6 +36,8 @@ System Center Configuration Manager (SCCM) (current branch) version 1606, has UI
>[!NOTE]
> If you’re using SCCM client version 1606 with server version 1610 or above, you must upgrade the client version to match the server version.
+> Starting with version 1606 of Configuration Manager, see [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/sccm/protect/deploy-use/windows-defender-advanced-threat-protection) for ATP configuration.
+
## Onboard Windows 10 machines using System Center Configuration Manager earlier versions
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script.md
index d326a4194b..6c658e6d81 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script.md
@@ -27,7 +27,7 @@ ms.topic: article
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configureendpointsscript-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configureendpointsscript-abovefoldlink)
You can also manually onboard individual machines to Microsoft Defender ATP. You might want to do this first when testing the service before you commit to onboarding all machines in your network.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md
index 9bcaf00305..19a1f29ebd 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md
@@ -25,7 +25,7 @@ ms.date: 04/24/2018
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configvdi-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configvdi-abovefoldlink)
## Onboard non-persistent virtual desktop infrastructure (VDI) machines
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints.md
index 3387e07476..f7fccc3f2b 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints.md
@@ -45,4 +45,4 @@ Topic | Description
[Onboard non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi.md) | Learn how to use the configuration package to configure VDI machines.
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configureendpoints-belowfoldlink)
\ No newline at end of file
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configureendpoints-belowfoldlink)
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr.md b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr.md
index 785daef982..69c4df40de 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr.md
@@ -20,34 +20,36 @@ ms.topic: article
# Optimize ASR rule deployment and detections
**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink)
+* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-[Attack surface reduction (ASR) rules](../windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md) identify and prevent actions that are typically taken by malware during exploitation. These rules control when and how potentially malicious code can run. For example, you can prevent JavaScript or VBScript from launching a downloaded executable, block Win32 API calls from Office macros, or block processes that run from USB drives.
+> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink)
+
+[Attack surface reduction (ASR) rules](./attack-surface-reduction.md) identify and prevent actions that are typically taken by malware during exploitation. These rules control when and how potentially malicious code can run. For example, you can prevent JavaScript or VBScript from launching a downloaded executable, block Win32 API calls from Office macros, or block processes that run from USB drives.
*Attack surface management card*
The **Attack surface management** card is an entry point to tools in Microsoft 365 security center that you can use to:
-- Understand how ASR rules are currently deployed in your organization
-- Review ASR detections and identify possible incorrect detections
-- Analyze the impact of exclusions and generate the list of file paths to exclude
+* Understand how ASR rules are currently deployed in your organization
+* Review ASR detections and identify possible incorrect detections
+* Analyze the impact of exclusions and generate the list of file paths to exclude
Selecting **Go to attack surface management** takes you to **Monitoring & reports > Attack surface reduction rules > Add exclusions**. From there, you can navigate to other sections of Microsoft 365 security center.
*Add exclusions tab in the Attack surface reduction rules page in Microsoft 365 security center*
->[!NOTE]
->To access Microsoft 365 security center, you need a Microsoft 365 E3 or E5 license and an account that has certain roles on Azure Active Directory. [Read more about required licenses and permissions](https://docs.microsoft.com/office365/securitycompliance/microsoft-security-and-compliance#required-licenses-and-permissions)
+> [!NOTE]
+> To access Microsoft 365 security center, you need a Microsoft 365 E3 or E5 license and an account that has certain roles on Azure Active Directory. [Read more about required licenses and permissions](https://docs.microsoft.com/office365/securitycompliance/microsoft-security-and-compliance#required-licenses-and-permissions)
-For more information about optimizing ASR rule deployment in Microsoft 365 security center, read [Monitor and manage ASR rule deployment and detections](https://docs.microsoft.com/office365/securitycompliance/monitor-devices#monitor-and-manage-asr-rule-deployment-and-detections)
+For more information about optimizing ASR rule deployment in Microsoft 365 security center, read [Monitor and manage ASR rule deployment and detections](https://docs.microsoft.com/office365/securitycompliance/monitor-devices#monitor-and-manage-asr-rule-deployment-and-detections)
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink)
+> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink)
# Related topics
-- [Ensure your machines are configured properly](configure-machines.md)
-- [Get machines onboarded to Microsoft Defender ATP](configure-machines-onboarding.md)
-- [Increase compliance to the Microsoft Defender ATP security baseline](configure-machines-security-baseline.md)
\ No newline at end of file
+
+* [Ensure your machines are configured properly](configure-machines.md)
+* [Get machines onboarded to Microsoft Defender ATP](configure-machines-onboarding.md)
+* [Increase compliance to the Microsoft Defender ATP security baseline](configure-machines-security-baseline.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-onboarding.md b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-onboarding.md
index 4640790859..bd168aac8b 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-onboarding.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-onboarding.md
@@ -22,7 +22,7 @@ ms.topic: article
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink)
Each onboarded machine adds an additional endpoint detection and response (EDR) sensor and increases visibility over breach activity in your network. Onboarding also ensures that a machine can be checked for vulnerable components as well security configuration issues and can receive critical remediation actions during attacks.
@@ -44,32 +44,22 @@ The **Onboarding** card provides a high-level overview of your onboarding rate b
Microsoft Defender ATP provides several convenient options for [onboarding Windows 10 machines](onboard-configure.md). For Intune-managed machines, however, you can leverage Intune profiles to conveniently deploy the Microsoft Defender ATP sensor to select machines, effectively onboarding these devices to the service.
-From the **Onboarding** card, select **Onboard more machines** to create and assign a profile on Intune. The link takes you to a similar overview of your onboarding state.
+From the **Onboarding** card, select **Onboard more machines** to create and assign a profile on Intune. The link takes you to the device compliance page on Intune, which provides a similar overview of your onboarding state.
+
+
+ *Microsoft Defender ATP device compliance page on Intune device management*
>[!TIP]
>Alternatively, you can navigate to the Microsoft Defender ATP onboarding compliance page in the [Microsoft Azure portal](https://portal.azure.com/) from **All services > Intune > Device compliance > Microsoft Defender ATP**.
-From the overview, create a configuration profile specifically for the deployment of the Microsoft Defender ATP sensor and assign that profile to the machines you want to onboard.
+From the device compliance page, create a configuration profile specifically for the deployment of the Microsoft Defender ATP sensor and assign that profile to the machines you want to onboard. To do this, you can either:
-1. Select **Create a device configuration profile to configure ATP sensor**.
+- Select **Create a device configuration profile to configure ATP sensor** to start with a predefined device configuration profile.
+- Create the device configuration profile from scratch.
- 
- *Microsoft Defender ATP device compliance page on Intune device management*
+For more information, [read about using Intune device configuration profiles to onboard machines to Microsoft Defender ATP](https://docs.microsoft.com/en-us/intune/advanced-threat-protection#onboard-devices-by-using-a-configuration-profile).
-2. Specify a name for the profile, specify desired configuration options for sample sharing and reporting frequency, and select **Create** to save the new profile.
-
- 
- *Configuration profile creation*
-
-3. After creating the profile, assign it to all your machines. You can review profiles and their deployment status anytime by accessing **Device configuration > Profiles** on Intune.
-
- 
- *Assigning the new profile to all machines*
-
->[!TIP]
->To learn more about Intune profiles, read about [assigning user and device profiles](https://docs.microsoft.com/intune/device-profile-assign).
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink)
# Related topics
- [Ensure your machines are configured properly](configure-machines.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline.md b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline.md
index 5c04c5d86d..90713b48a1 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline.md
@@ -22,7 +22,7 @@ ms.topic: article
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink)
Security baselines ensure that security features are configured according to guidance from both security experts and expert Windows system administrators. When deployed, the Microsoft Defender ATP security baseline sets Microsoft Defender ATP security controls to provide optimal protection.
@@ -95,7 +95,7 @@ Machine configuration management monitors baseline compliance only of Windows 10
>[!TIP]
>Security baselines on Intune provide a convenient way to comprehensively secure and protect your machines. [Learn more about security baselines on Intune](https://docs.microsoft.com/intune/security-baselines).
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink)
# Related topics
- [Ensure your machines are configured properly](configure-machines.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-machines.md b/windows/security/threat-protection/microsoft-defender-atp/configure-machines.md
index 11f16e8b9f..3c6d45957a 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-machines.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-machines.md
@@ -22,7 +22,7 @@ ms.topic: conceptual
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink)
With properly configured machines, you can boost overall resilience against threats and enhance your capability to detect and respond to attacks. Security configuration management helps ensure that your machines:
@@ -76,4 +76,4 @@ Topic | Description
[Increase compliance to the Microsoft Defender ATP security baseline](configure-machines-security-baseline.md) | Track baseline compliance and noncompliance. Deploy the security baseline to more Intune-managed machines.
[Optimize ASR rule deployment and detections](configure-machines-asr.md) | Review rule deployment and tweak detections using impact analysis tools in Microsoft 365 security center.
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink)
\ No newline at end of file
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink)
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md b/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md
index 75b3616e1c..584f376ee3 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md
@@ -1,7 +1,7 @@
---
title: Configure and manage Microsoft Threat Experts capabilities
ms.reviewer:
-description: You need to register to Microsoft Threats Experts preview to configure, manage, and use it in your daily security operations and security administration work.
+description: Register to Microsoft Threats Experts to configure, manage, and use it in your daily security operations and security administration work.
keywords: Microsoft Threat Experts, managed threat hunting service, MTE, Microsoft managed hunting service
search.product: Windows 10
search.appverid: met150
@@ -9,8 +9,8 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-ms.author: mjcaparas
-author: mjcaparas
+ms.author: dolmont
+author: DulceMontemayor
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
@@ -26,9 +26,7 @@ ms.topic: article
[!include[Prerelease information](prerelease.md)]
## Before you begin
-To experience the full Microsoft Threat Experts targeted attack notification capability in Microsoft Defender ATP, and preview the experts-on-demand capability, you need to have a valid Premier customer service and support account. Premier charges will not be incurred during for the capability in preview, but for the generally available capability, there will be charges.
-
-You also need to ensure that you have Microsoft Defender ATP deployed in your environment with machines enrolled, and not just on a laboratory set-up.
+Ensure that you have Microsoft Defender ATP deployed in your environment with machines enrolled, and not just on a laboratory set-up.
## Register to Microsoft Threat Experts managed threat hunting service
If you're already a Microsoft Defender ATP customer, you can apply through the Microsoft Defender ATP portal.
@@ -36,22 +34,22 @@ If you're already a Microsoft Defender ATP customer, you can apply through the M
1. From the navigation pane, go to **Settings > General > Advanced features > Microsoft Threat Experts**.
2. Click **Apply**.
-
+
3. Enter your name and email address so that Microsoft can get back to you on your application.
-
+
4. Read the privacy statement, then click **Submit** when you're done. You will receive a welcome email once your application is approved.
-
+
6. From the navigation pane, go to **Settings** > **General** > **Advanced features** to turn the **Threat Experts** toggle on. Click **Save preferences**.
## Receive targeted attack notification from Microsoft Threat Experts
-You can receive targeted attack notification from Microsoft Threat Experts through the following:
+You can receive targeted attack notification from Microsoft Threat Experts through the following medium:
- The Microsoft Defender ATP portal's **Alerts** dashboard
- Your email, if you choose to configure it
-To receive targeted attack notifications through email, you need to create an email notification rule.
+To receive targeted attack notifications through email, create an email notification rule.
### Create an email notification rule
You can create rules to send email notifications for notification recipients. See [Configure alert notifications](configure-email-notifications.md) to create, edit, delete, or troubleshoot email notification, for details.
@@ -64,45 +62,32 @@ You'll start receiving targeted attack notification from Microsoft Threat Expert
2. From the dashboard, select the same alert topic that you got from the email, to view the details.
-## Ask a Microsoft threat expert about suspicious cybersecurity activities in your organization
+## Consult a Microsoft threat expert about suspicious cybersecurity activities in your organization
>[!NOTE]
>The Microsoft Threat Experts' experts-on-demand capability is still in preview. You can only use the experts-on-demand capability if you have applied for preview and your application has been approved.
-You can partner with Microsoft Threat Experts who can be engaged directly from within the Windows Defender Security Center for timely and accurate response. Experts provide insights needed to better understand complex threats, targeted attack notifications that you get, or if you need more information about the alerts, a potentially compromised machine, or a threat intelligence context that you see on your portal dashboard.
+You can partner with Microsoft Threat Experts who can be engaged directly from within the Microsoft Defender Security Center for timely and accurate response. Experts provide insights to better understand complex threats, targeted attack notifications that you get, or if you need more information about the alerts, a potentially compromised machine, or a threat intelligence context that you see on your portal dashboard.
-1. Navigate to the portal page with the relevant information that you'd like to investigate, for example, the **Incident** page. Ensure that the page for the relevant alert or machine is in view before raising an inquiry.
-2. From the upper right-hand menu, click **?**, then select **Ask a threat expert**.
-3. Asking a threat expert is a two-step process: you need to provide the necessary information and open a support ticket.
-
- **Step 1: Provide information**
- a. Provide enough information to give the Microsoft Threat Experts enough context to start the investigation. Select the inquiry category from the **Provide information > Inquiry** details drop-down menu.
-
- b. Enter the additional details to give the threat experts more context of what you’d like to investigate. Click **Next**, and it takes you to the **Open support ticket** tab.
-
- c. Remember to use the ID number from the **Open a support ticket** tab page and include it to the details you will provide in the subsequent Customer Services and Support (CSS) pages.
+>[!NOTE]
+>Alert inquiries related to your organization's customized threat intelligence data are currently not supported. Consult your security operations or incident response team for details.
- **Step 2: Open a support ticket**
- >[!NOTE]
- >To experience the full Microsoft Threat Experts preview capability in Microsoft Defender ATP, you need to have a Premier customer service and support account. However, you will not be charged for the Experts-on-demand service during the preview.
-
- a. In the **New support request** customer support page, select the following from the dropdown menu and then click **Next**:
+1. Navigate to the portal page with the relevant information that you'd like to investigate, for example, the **Incident** page. Ensure that the page for the relevant alert or machine is in view before you send an investigation request.
- **Select the product family**: **Security**
- **Select a product**: **Microsoft Threat Experts**
- **Select a category that best describes the issue**: **Microsoft Defender ATP**
- **Select a problem that best describes the issue**: Choose according to your inquiry category
-
- b. Fill out the fields with the necessary information about the issue and use the auto-generated ID when you open a Customer Services and Support (CSS) ticket. Then, click **Next**.
-
- c. In the **Select a support plan** page, select **Professional No Charge**.
+2. From the upper right-hand menu, click **?**. Then, select **Consult a threat expert**.
- d. The severity of your issue has been pre-selected by default, per the support plan, **Professional No Charge**, that you'll use for this public preview. Select the time zone by which you'd like to receive the correspondence. Then, click **Next**.
-
- e. Verify your contact details and add another if necessary. Then, click **Next**.
+>
- f. Review the summary of your support request, and update if necessary. Make sure that you read and understand the **Microsoft Services Agreement** and **Privacy Statement**. Then, click **Submit**. You will see the confirmation page indicating the response time and your support request number.
+>A flyout screen opens.
-## Sample questions to ask Microsoft Threat Experts
+>
+
+>The **Inquiry topic** field is pre-populated with the link to the relevant page for your investigation request. For example, a link to the incident, alert, or machine details page that you were at when you made the request.
+
+3. In the next field, provide enough information to give the Microsoft Threat Experts enough context to start the investigation.
+
+4. Enter the email address that you'd like to use to correspond with Microsoft Threat Experts.
+
+## Sample investigation topics that you can consult with Microsoft Threat Experts
**Alert information**
- We see a new type of alert for a living-off-the-land binary: [AlertID]. Can you tell us something more about this alert and how we can investigate further?
@@ -111,12 +96,12 @@ You can partner with Microsoft Threat Experts who can be engaged directly from w
- Can you give more context or insights about this alert: “Suspicious behavior by a system utility was observed”.
**Possible machine compromise**
-- Can you please help answer why we see “Unknown process observed?” This is seen quite frequently on many machines and we would appreciate input on whether this is related to malicious activity.
+- Can you help answer why we see “Unknown process observed?” This is seen quite frequently on many machines. We appreciate any input to clarify whether this is related to malicious activity.
- Can you help validate a possible compromise on the following system on [date] with similar behaviors as the previous [malware name] malware detection on the same system in [month]?
**Threat intelligence details**
-- This morning, we detected a phishing email that delivered a malicious Word document to a user. This caused a series of suspicious events which triggered multiple Windows Defender alerts for [malware name] malware. Do you have any information on this malware? If yes, can you please send me a link?
-- I recently saw a [social media reference e.g. Twitter or blog] post about a threat that is targeting my industry. Can you help me understand what protection Microsoft Defender ATP provides against this threat actor?
+- This morning, we detected a phishing email that delivered a malicious Word document to a user. This caused a series of suspicious events which triggered multiple Microsoft Defender alerts for [malware name] malware. Do you have any information on this malware? If yes, can you send me a link?
+- I recently saw a [social media reference e.g., Twitter or blog] post about a threat that is targeting my industry. Can you help me understand what protection Microsoft Defender ATP provides against this threat actor?
**Microsoft Threat Experts’ alert communications**
- Can your incident response team help us address the targeted attack notification that we got?
@@ -129,10 +114,14 @@ You can partner with Microsoft Threat Experts who can be engaged directly from w
## Scenario
### Receive a progress report about your managed hunting inquiry
-Response from Microsoft Threat Experts varies according to your inquiry. They will email a progress report to you regarding the Ask a threat expert inquiry that you've submitted, within two days, to communicate the investigation status from the following categories:
+Response from Microsoft Threat Experts varies according to your inquiry. They will email a progress report to you about your **Consult a threat expert** inquiry within two days, to communicate the investigation status from the following categories:
- More information is needed to continue with the investigation
- A file or several file samples are needed to determine the technical context
- Investigation requires more time
- Initial information was enough to conclude the investigation
It is crucial to respond in a timely manner to keep the investigation moving. See the Premier customer service and support service level agreement for details.
+
+## Related topic
+- [Microsoft Threat Experts overview](microsoft-threat-experts.md)
+
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md b/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md
index d12bc037b7..7738dedb9f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md
@@ -1,6 +1,8 @@
---
title: Configure managed security service provider support
-description: Take the necessary steps to configure the MSSP integration with Microsoft Defender ATP
+
+description: Take the necessary steps to configure the MSSP integration with Windows Defender ATP
+
keywords: managed security service provider, mssp, configure, integration
search.product: eADQiWindows 10XVcnh
search.appverid: met150
@@ -21,9 +23,11 @@ ms.date: 09/03/2018
# Configure managed security service provider integration
**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-mssp-support-abovefoldlink)
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-mssp-support-abovefoldlink)
+
[!include[Prerelease information](prerelease.md)]
@@ -35,19 +39,23 @@ You'll need to take the following configuration steps to enable the managed secu
> - MSSP customers: Organizations that engage the services of MSSPs.
The integration will allow MSSPs to take the following actions:
-- Get access to MSSP customer's Microsoft Defender Security Center portal
+
+- Get access to MSSP customer's Windows Defender Security Center portal
- Get email notifications, and
- Fetch alerts through security information and event management (SIEM) tools
-Before MSSPs can take these actions, the MSSP customer will need to grant access to their Microsoft Defender ATP tenant so that the MSSP can access the portal.
+Before MSSPs can take these actions, the MSSP customer will need to grant access to their Windows Defender ATP tenant so that the MSSP can access the portal.
+
Typically, MSSP customers take the initial configuration steps to grant MSSPs access to their Windows Defender Security Central tenant. After access is granted, other configuration steps can be done by either the MSSP customer or the MSSP.
In general, the following configuration steps need to be taken:
-- **Grant the MSSP access to Microsoft Defender Security Center**
-This action needs to be done by the MSSP customer. It grants the MSSP access to the MSSP customer's Microsoft Defender ATP tenant.
+
+- **Grant the MSSP access to Windows Defender Security Center**
+This action needs to be done by the MSSP customer. It grants the MSSP access to the MSSP customer's Windows Defender ATP tenant.
+
- **Configure alert notifications sent to MSSPs**
This action can be taken by either the MSSP customer or MSSP. This lets the MSSPs know what alerts they need to address for the MSSP customer.
@@ -61,31 +69,36 @@ This action is taken by the MSSP. It allows MSSPs to fetch alerts using APIs.
## Grant the MSSP access to the portal
->[!NOTE]
+
+>[!NOTE]
> These set of steps are directed towards the MSSP customer.
> Access to the portal can only be done by the MSSP customer.
-As a MSSP customer, you'll need to take the following configuration steps to grant the MSSP access to Microsoft Defender Security Center.
+As a MSSP customer, you'll need to take the following configuration steps to grant the MSSP access to Windows Defender Security Center.
+
Authentication and authorization of the MSSP user is built on top of Azure Active Directory (Azure AD) B2B functionality.
You'll need to take the following 2 steps:
- Add MSSP user to your tenant as a guest user
-- Grant MSSP user access to Microsoft Defender Security Center
+
+- Grant MSSP user access to Windows Defender Security Center
+
### Add MSSP user to your tenant as a guest user
Add a user who is a member of the MSSP tenant to your tenant as a guest user.
To grant portal access to the MSSP, you must add the MSSP user to your Azure AD as a guest user. For more information, see [Add Azure Active Directory B2B collaboration users in the Azure portal](https://docs.microsoft.com/azure/active-directory/b2b/add-users-administrator).
-
-### Grant MSSP user access to Microsoft Defender Security Center
-Grant the guest user access and permissions to your Microsoft Defender Security Center tenant.
+
+### Grant MSSP user access to Windows Defender Security Center
+Grant the guest user access and permissions to your Windows Defender Security Center tenant.
Granting access to guest user is done the same way as granting access to a user who is a member of your tenant.
If you're using basic permissions to access the portal, the guest user must be assigned a Security Administrator role in **your** tenant. For more information, see [Use basic permissions to access the portal](basic-permissions.md).
-If you're using role-based access control (RBAC), the guest user must be to added to the appropriate group or groups in **your** tenant. Fore more information on RBAC in Microsoft Defender ATP, see [Manage portal access using RBAC](rbac.md).
+If you're using role-based access control (RBAC), the guest user must be to added to the appropriate group or groups in **your** tenant. Fore more information on RBAC in Windows Defender ATP, see [Manage portal access using RBAC](rbac.md).
+
>[!NOTE]
>There is no difference between the Member user and Guest user roles from RBAC perspective.
@@ -94,12 +107,14 @@ It is recommended that groups are created for MSSPs to make authorization access
As a MSSP customer, you can always remove or modify the permissions granted to the MSSP by updating the Azure AD user groups.
-## Access the Microsoft Defender Security Center MSSP customer portal
+
+## Access the Windows Defender Security Center MSSP customer portal
->[!NOTE]
+>[!NOTE]
>These set of steps are directed towards the MSSP.
-By default, MSSP customers access their Microsoft Defender Security Center tenant through the following URL: `https://securitycenter.windows.com`.
+By default, MSSP customers access their Windows Defender Security Center tenant through the following URL: `https://securitycenter.windows.com`.
+
MSSPs however, will need to use a tenant-specific URL in the following format: `https://securitycenter.windows.com?tid=customer_tenant_id` to access the MSSP customer portal.
@@ -123,11 +138,13 @@ Use the following steps to obtain the MSSP customer tenant ID and then use the I
After access the portal is granted, alert notification rules can to be created so that emails are sent to MSSPs when alerts associated with the tenant are created and set conditions are met.
+
For more information, see [Create rules for alert notifications](configure-email-notifications.md#create-rules-for-alert-notifications).
+
These check boxes must be checked:
- - **Include organization name** - The customer name will be added to email notifications
- - **Include tenant-specific portal link** - Alert link URL will have tenant specific parameter (tid=target_tenant_id) that allows direct access to target tenant portal
+- **Include organization name** - The customer name will be added to email notifications
+- **Include tenant-specific portal link** - Alert link URL will have tenant specific parameter (tid=target_tenant_id) that allows direct access to target tenant portal
## Fetch alerts from MSSP customer's tenant into the SIEM system
@@ -141,46 +158,49 @@ To fetch alerts into your SIEM system you'll need to take the following steps:
Step 1: Create a third-party application
Step 2: Get access and refresh tokens from your customer's tenant
-
-Step 3: Whitelist your application on Microsoft Defender Security Center
+
+Step 3: Whitelist your application on Windows Defender Security Center
+
### Step 1: Create an application in Azure Active Directory (Azure AD)
-You'll need to create an application and grant it permissions to fetch alerts from your customer's Microsoft Defender ATP tenant.
+
+You'll need to create an application and grant it permissions to fetch alerts from your customer's Windows Defender ATP tenant.
+
1. Sign in to the [Azure AD portal](https://aad.portal.azure.com/).
2. Select **Azure Active Directory** > **App registrations**.
-3. Click **New application registration**.
+
+3. Click **New registration**.
+
4. Specify the following values:
- Name: \
@@ -68,6 +65,7 @@ The static proxy is configurable through Group Policy (GP). The group policy can
```text
```crl.microsoft.com```
```ctldl.windowsupdate.com```
```events.data.microsoft.com```
```notify.windows.com```
European Union | ```eu.vortex-win.data.microsoft.com```
```eu-v20.events.data.microsoft.com```
```winatp-gw-neu.microsoft.com```
```winatp-gw-weu.microsoft.com```
United Kingdom | ```uk.vortex-win.data.microsoft.com```
```uk-v20.events.data.microsoft.com```
```winatp-gw-uks.microsoft.com```
```winatp-gw-ukw.microsoft.com```
United States | ```us.vortex-win.data.microsoft.com```
```us-v20.events.data.microsoft.com```
```winatp-gw-cus.microsoft.com```
```winatp-gw-eus.microsoft.com```
-
-
If a proxy or firewall is blocking anonymous traffic, as Microsoft Defender ATP sensor is connecting from system context, make sure anonymous traffic is permitted in the previously listed URLs.
-## Microsoft Defender ATP service backend IP range
+## Microsoft Defender ATP service backend IP range
+
If you network devices don't support the URLs white-listed in the prior section, you can use the following information.
Microsoft Defender ATP is built on Azure cloud, deployed in the following regions:
@@ -128,13 +130,11 @@ Microsoft Defender ATP is built on Azure cloud, deployed in the following region
- \+\
The tool checks the connectivity of Microsoft Defender ATP service URLs that Microsoft Defender ATP client is configured to interact with. It then prints the results into the *WDATPConnectivityAnalyzer.txt* file for each URL that can potentially be used to communicate with the Microsoft Defender ATP services. For example:
+
```text
Testing URL : https://xxx.microsoft.com/xxx
1 - Default proxy: Succeeded (200)
2 - Proxy auto discovery (WPAD): Succeeded (200)
3 - Proxy disabled: Succeeded (200)
4 - Named proxy: Doesn't exist
- 5 - Command line proxy: Doesn't exist
+ 5 - Command line proxy: Doesn't exist
```
If at least one of the connectivity options returns a (200) status, then the Microsoft Defender ATP client can communicate with the tested URL properly using this connectivity method.
@@ -177,9 +180,10 @@ If at least one of the connectivity options returns a (200) status, then the Mic
However, if the connectivity check results indicate a failure, an HTTP error is displayed (see HTTP Status Codes). You can then use the URLs in the table shown in [Enable access to Microsoft Defender ATP service URLs in the proxy server](#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server). The URLs you'll use will depend on the region selected during the onboarding procedure.
> [!NOTE]
-> The Connectivity Analyzer tool is not compatible with ASR rule [Block process creations originating from PSExec and WMI commands](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard#attack-surface-reduction-rules). You will need to temporarily disable this rule to run the connectivity tool.
+> The Connectivity Analyzer tool is not compatible with ASR rule [Block process creations originating from PSExec and WMI commands](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction#attack-surface-reduction-rules). You will need to temporarily disable this rule to run the connectivity tool.
> When the TelemetryProxyServer is set, in Registry or via Group Policy, Microsoft Defender ATP will fall back to direct if it can't access the defined proxy.
## Related topics
+
- [Onboard Windows 10 machines](configure-endpoints.md)
-- [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md)
\ No newline at end of file
+- [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md
index 6b24d02ebe..ec708627ca 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md
@@ -9,6 +9,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: mjcaparas
+ms.author: macapara
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
@@ -20,22 +21,20 @@ ms.topic: article
**Applies to:**
-- Windows Server 2008 R2 SP1 (pre-release)
+- Windows Server 2008 R2 SP1
- Windows Server 2012 R2
- Windows Server 2016
- Windows Server, version 1803
- Windows Server, 2019
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-[!include[Prerelease information](prerelease.md)]
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configserver-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configserver-abovefoldlink)
Microsoft Defender ATP extends support to also include the Windows Server operating system, providing advanced attack detection and investigation capabilities, seamlessly through the Microsoft Defender Security Center console.
The service supports the onboarding of the following servers:
-- Windows Server 2008 R2 SP1 (pre-release)
+- Windows Server 2008 R2 SP1
- Windows Server 2012 R2
- Windows Server 2016
- Windows Server, version 1803
@@ -66,7 +65,7 @@ You'll need to take the following steps if you choose to onboard servers through
- For Windows Server 2008 R2 SP1, ensure that you fulfill the following requirements:
- Install the [February monthly update rollup](https://support.microsoft.com/en-us/help/4074598/windows-7-update-kb4074598)
- Install the [Update for customer experience and diagnostic telemetry](https://support.microsoft.com/en-us/help/3080149/update-for-customer-experience-and-diagnostic-telemetry)
- - Install either [.NET framework 4.5](https://www.microsoft.com/en-us/download/details.aspx?id=30653) (or later) or [KB3154518](https://support.microsoft.com/help/3154518/support-for-tls-system-default-versions-included-in-the-net-framework)
+ - Install either [.NET framework 4.5](https://www.microsoft.com/download/details.aspx?id=30653) (or later) or [KB3154518](https://support.microsoft.com/help/3154518/support-for-tls-system-default-versions-included-in-the-net-framework)
- For Windows Server 2008 R2 SP1 and Windows Server 2012 R2: Configure and update System Center Endpoint Protection clients.
@@ -75,7 +74,7 @@ You'll need to take the following steps if you choose to onboard servers through
>This step is required only if your organization uses System Center Endpoint Protection (SCEP) and you're onboarding Windows Server 2008 R2 SP1 and Windows Server 2012 R2.
- Turn on server monitoring from Microsoft Defender Security Center.
-- If you're already leveraging System Center Operations Manager (SCOM) or Azure Monitor (formerly known as Operations Management Suite (OMS)), simply attach the Microsoft Monitoring Agent (MMA) to report to your Microsoft Defender ATP workspace through Multi Homing support. Otherwise, install and configure MMA to report sensor data to Microsoft Defender ATP as instructed below. For more information, see [Collect log data with Azure Log Analytics agent](https://docs.microsoft.com/azure/azure-monitor/platform/log-analytics-agent).
+- If you're already leveraging System Center Operations Manager (SCOM) or Azure Monitor (formerly known as Operations Management Suite (OMS)), simply attach the Microsoft Monitoring Agent (MMA) to report to your Microsoft Defender ATP workspace through Multihoming support. Otherwise, install and configure MMA to report sensor data to Microsoft Defender ATP as instructed below. For more information, see [Collect log data with Azure Log Analytics agent](https://docs.microsoft.com/azure/azure-monitor/platform/log-analytics-agent).
>[!TIP]
@@ -207,7 +206,7 @@ For other server versions, you have two options to offboard servers from the ser
>[!NOTE]
>Offboarding causes the server to stop sending sensor data to the portal but data from the server, including reference to any alerts it has had will be retained for up to 6 months.
-### Uninstall servers by uinstalling the MMA agent
+### Uninstall servers by uninstalling the MMA agent
To offboard the server, you can uninstall the MMA agent from the server or detach it from reporting to your Microsoft Defender ATP workspace. After offboarding the agent, the server will no longer send sensor data to Microsoft Defender ATP.
For more information, see [To disable an agent](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#to-disable-an-agent).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md b/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md
index c5e8719018..44e2fdd28e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md
@@ -1,6 +1,6 @@
---
-title: Pull alerts to your SIEM tools from Microsoft Defender Advanced Threat Protection
-description: Learn how to use REST API and configure supported security information and events management tools to receive and pull alerts.
+title: Pull detections to your SIEM tools from Microsoft Defender Advanced Threat Protection
+description: Learn how to use REST API and configure supported security information and events management tools to receive and pull detections.
keywords: configure siem, security information and events management tools, splunk, arcsight, custom indicators, rest api, alert definitions, indicators of compromise
search.product: eADQiWindows 10XVcnh
search.appverid: met150
@@ -18,16 +18,21 @@ ms.topic: article
ms.date: 10/16/2017
---
-# Pull alerts to your SIEM tools
+# Pull detections to your SIEM tools
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configuresiem-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configuresiem-abovefoldlink)
-## Pull alerts using security information and events management (SIEM) tools
-Microsoft Defender ATP supports (SIEM) tools to pull alerts. Microsoft Defender ATP exposes alerts through an HTTPS endpoint hosted in Azure. The endpoint can be configured to pull alerts from your enterprise tenant in Azure Active Directory (AAD) using the OAuth 2.0 authentication protocol for an AAD application that represents the specific SIEM connector installed in your environment.
+## Pull detections using security information and events management (SIEM) tools
+
+>[!Note]
+>- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections
+>- [Microsoft Defender ATP Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Machine and its related Alert details.
+
+Microsoft Defender ATP supports security information and event management (SIEM) tools to pull detections. Microsoft Defender ATP exposes alerts through an HTTPS endpoint hosted in Azure. The endpoint can be configured to pull detections from your enterprise tenant in Azure Active Directory (AAD) using the OAuth 2.0 authentication protocol for an AAD application that represents the specific SIEM connector installed in your environment.
Microsoft Defender ATP currently supports the following SIEM tools:
@@ -39,16 +44,16 @@ To use either of these supported SIEM tools you'll need to:
- [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md)
- Configure the supported SIEM tool:
- - [Configure Splunk to pull Microsoft Defender ATP alerts](configure-splunk.md)
- - [Configure HP ArcSight to pull Microsoft Defender ATP alerts](configure-arcsight.md)
+ - [Configure Splunk to pull Microsoft Defender ATP detections](configure-splunk.md)
+ - [Configure HP ArcSight to pull Microsoft Defender ATP detections](configure-arcsight.md)
-For more information on the list of fields exposed in the alerts API see, [Microsoft Defender ATP alert API fields](api-portal-mapping.md).
+For more information on the list of fields exposed in the Detection API see, [Microsoft Defender ATP Detection fields](api-portal-mapping.md).
-## Pull Microsoft Defender ATP alerts using REST API
-Microsoft Defender ATP supports the OAuth 2.0 protocol to pull alerts using REST API.
+## Pull Microsoft Defender ATP detections using REST API
+Microsoft Defender ATP supports the OAuth 2.0 protocol to pull detections using REST API.
-For more information, see [Pull Microsoft Defender ATP alerts using REST API](pull-alerts-using-rest-api.md).
+For more information, see [Pull Microsoft Defender ATP detections using REST API](pull-alerts-using-rest-api.md).
## In this section
@@ -56,8 +61,8 @@ For more information, see [Pull Microsoft Defender ATP alerts using REST API](pu
Topic | Description
:---|:---
[Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md)| Learn about enabling the SIEM integration feature in the **Settings** page in the portal so that you can use and generate the required information to configure supported SIEM tools.
-[Configure Splunk to pull Microsoft Defender ATP alerts](configure-splunk.md)| Learn about installing the REST API Modular Input app and other configuration settings to enable Splunk to pull Microsoft Defender ATP alerts.
-[Configure HP ArcSight to pull Microsoft Defender ATP alerts](configure-arcsight.md)| Learn about installing the HP ArcSight REST FlexConnector package and the files you need to configure ArcSight to pull Microsoft Defender ATP alerts.
-[Microsoft Defender ATP alert API fields](api-portal-mapping.md) | Understand what data fields are exposed as part of the alerts API and how they map to Microsoft Defender Security Center.
-[Pull Microsoft Defender ATP alerts using REST API](pull-alerts-using-rest-api.md) | Use the Client credentials OAuth 2.0 flow to pull alerts from Microsoft Defender ATP using REST API.
+[Configure Splunk to pull Microsoft Defender ATP detections](configure-splunk.md)| Learn about installing the REST API Modular Input App and other configuration settings to enable Splunk to pull Microsoft Defender ATP detections.
+[Configure HP ArcSight to pull Microsoft Defender ATP detections](configure-arcsight.md)| Learn about installing the HP ArcSight REST FlexConnector package and the files you need to configure ArcSight to pull Microsoft Defender ATP detections.
+[Microsoft Defender ATP Detection fields](api-portal-mapping.md) | Understand what data fields are exposed as part of the alerts API and how they map to Microsoft Defender Security Center.
+[Pull Microsoft Defender ATP detections using REST API](pull-alerts-using-rest-api.md) | Use the Client credentials OAuth 2.0 flow to pull detections from Microsoft Defender ATP using REST API.
[Troubleshoot SIEM tool integration issues](troubleshoot-siem.md) | Address issues you might encounter when using the SIEM integration feature.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-splunk.md b/windows/security/threat-protection/microsoft-defender-atp/configure-splunk.md
index 13cf662e66..fd61b88ec1 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-splunk.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-splunk.md
@@ -1,6 +1,6 @@
---
-title: Configure Splunk to pull Microsoft Defender ATP alerts
-description: Configure Splunk to receive and pull alerts from Microsoft Defender Security Center.
+title: Configure Splunk to pull Microsoft Defender ATP detections
+description: Configure Splunk to receive and pull detections from Microsoft Defender Security Center.
keywords: configure splunk, security information and events management tools, splunk
search.product: eADQiWindows 10XVcnh
search.appverid: met150
@@ -17,7 +17,7 @@ ms.collection: M365-security-compliance
ms.topic: article
---
-# Configure Splunk to pull Microsoft Defender ATP alerts
+# Configure Splunk to pull Microsoft Defender ATP detections
**Applies to:**
@@ -26,9 +26,13 @@ ms.topic: article
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configuresplunk-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configuresplunk-abovefoldlink)
-You'll need to configure Splunk so that it can pull Microsoft Defender ATP alerts.
+You'll need to configure Splunk so that it can pull Microsoft Defender ATP detections.
+
+>[!Note]
+>- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections
+>- [Microsoft Defender ATP Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Machine and its related Alert details.
## Before you begin
@@ -121,8 +125,8 @@ You'll need to configure Splunk so that it can pull Microsoft Defender ATP alert
After completing these configuration steps, you can go to the Splunk dashboard and run queries.
-## View alerts using Splunk solution explorer
-Use the solution explorer to view alerts in Splunk.
+## View detections using Splunk solution explorer
+Use the solution explorer to view detections in Splunk.
1. In Splunk, go to **Settings** > **Searchers, reports, and alerts**.
@@ -141,12 +145,12 @@ Use the solution explorer to view alerts in Splunk.
>[!TIP]
-> To mininimize alert duplications, you can use the following query:
+> To mininimize Detection duplications, you can use the following query:
>```source="rest://windows atp alerts" | spath | dedup _raw | table *```
## Related topics
- [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md)
-- [Configure ArcSight to pull Microsoft Defender ATP alerts](configure-arcsight.md)
-- [Microsoft Defender ATP alert API fields](api-portal-mapping.md)
-- [Pull Microsoft Defender ATP alerts using REST API](pull-alerts-using-rest-api.md)
+- [Configure ArcSight to pull Microsoft Defender ATP detections](configure-arcsight.md)
+- [Microsoft Defender ATP Detection fields](api-portal-mapping.md)
+- [Pull Microsoft Defender ATP detections using REST API](pull-alerts-using-rest-api.md)
- [Troubleshoot SIEM tool integration issues](troubleshoot-siem.md)
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md b/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md
similarity index 78%
rename from windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md
rename to windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md
index 7aa48ea40e..eb5c9b65bb 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md
@@ -9,6 +9,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
+audience: ITPro
author: levinec
ms.author: ellevin
audience: ITPro
@@ -21,7 +22,7 @@ manager: dansimp
**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. It protects your data by checking against a list of known, trusted apps. Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients. It can be turned on via the Windows Security App, or from the System Center Configuration Manager (SCCM) and Intune, for managed devices. Controlled folder access works best with [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md), which gives you detailed reporting into controlled folder access events and blocks as part of the usual [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md).
@@ -35,9 +36,9 @@ Controlled folder access is especially useful in helping to protect your documen
With Controlled folder access in place, a notification will appear on the computer where the app attempted to make changes to a protected folder. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors.
-The protected folders include common system folders, and you can [add additional folders](customize-controlled-folders-exploit-guard.md#protect-additional-folders). You can also [allow or whitelist apps](customize-controlled-folders-exploit-guard.md#allow-specific-apps-to-make-changes-to-controlled-folders) to give them access to the protected folders.
+The protected folders include common system folders, and you can [add additional folders](customize-controlled-folders.md#protect-additional-folders). You can also [allow or whitelist apps](customize-controlled-folders.md#allow-specific-apps-to-make-changes-to-controlled-folders) to give them access to the protected folders.
-You can use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how controlled folder access would impact your organization if it were enabled. You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
+You can use [audit mode](audit-windows-defender.md) to evaluate how controlled folder access would impact your organization if it were enabled. You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
Controlled folder access is supported on Windows 10, version 1709 and later and Windows Server 2019.
@@ -49,7 +50,7 @@ Controlled folder access requires enabling [Windows Defender Antivirus real-time
Microsoft Defender ATP provides detailed reporting into events and blocks as part of its [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md).
-You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender-exploit-guard.md), you can use Advanced hunting to see how controlled folder access settings would affect your environment if they were enabled.
+You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender.md), you can use Advanced hunting to see how controlled folder access settings would affect your environment if they were enabled.
Here is an example query
@@ -62,13 +63,13 @@ MiscEvents
You can review the Windows event log to see events that are created when controlled folder access blocks (or audits) an app:
-1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *cfa-events.xml* to an easily accessible location on the machine.
+1. Download the [Evaluation Package](https://aka.ms/mp7z2w) and extract the file *cfa-events.xml* to an easily accessible location on the machine.
1. Type **Event viewer** in the Start menu to open the Windows Event Viewer.
1. On the left panel, under **Actions**, click **Import custom view...**.
-1. Navigate to where you extracted *cfa-events.xml* and select it. Alternatively, [copy the XML directly](event-views-exploit-guard.md).
+1. Navigate to where you extracted *cfa-events.xml* and select it. Alternatively, [copy the XML directly](event-views.md).
1. Click **OK**.
@@ -83,7 +84,7 @@ Event ID | Description
## In this section
Topic | Description
----|---
+-|-
[Evaluate controlled folder access](evaluate-controlled-folder-access.md) | Use a dedicated demo tool to see how controlled folder access works, and what events would typically be created.
-[Enable controlled folder access](enable-controlled-folders-exploit-guard.md) | Use Group Policy, PowerShell, or MDM CSPs to enable and manage controlled folder access in your network
-[Customize controlled folder access](customize-controlled-folders-exploit-guard.md) | Add additional protected folders, and allow specified apps to access protected folders.
+[Enable controlled folder access](enable-controlled-folders.md) | Use Group Policy, PowerShell, or MDM CSPs to enable and manage controlled folder access in your network
+[Customize controlled folder access](customize-controlled-folders.md) | Add additional protected folders, and allow specified apps to access protected folders.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md b/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md
index c100b9ddf2..f4a2b266d9 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md
@@ -61,7 +61,7 @@ machineId | String | Id of the machine on which the event was identified. **Requ
severity | String | Severity of the alert. The property values are: 'Low', 'Medium' and 'High'. **Required**.
title | String | Title for the alert. **Required**.
description | String | Description of the alert. **Required**.
-recommendedAction| String | Action that is recommended to be taken by security officer when analyzing the alert.
+recommendedAction| String | Action that is recommended to be taken by security officer when analyzing the alert. **Required**.
eventTime | DateTime(UTC) | The time of the event, as obtained from the advanced query. **Required**.
reportId | String | The reportId, as obtained from the advanced query. **Required**.
category| String | Category of the alert. The property values are: 'None', 'SuspiciousActivity', 'Malware', 'CredentialTheft', 'Exploit', 'WebExploit', 'DocumentExploit', 'PrivilegeEscalation', 'Persistence', 'RemoteAccessTool', 'CommandAndControl', 'SuspiciousNetworkTraffic', 'Ransomware', 'MalwareDownload', 'Reconnaissance', 'WebFingerprinting', 'Weaponization', 'Delivery', 'SocialEngineering', 'CredentialStealing', 'Installation', 'Backdoor', 'Trojan', 'TrojanDownloader', 'LateralMovement', 'ExplorationEnumeration', 'NetworkPropagation', 'Exfiltration', 'NotApplicable', 'EnterprisePolicy' and 'General'.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md
index c3eaee164d..9561fe831c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md
@@ -9,7 +9,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-ms.author: mjcaparas
+ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
@@ -26,7 +26,7 @@ ms.topic: article
Create custom detection rules from [Advanced hunting](overview-hunting.md) queries to automatically check for threat indicators and generate alerts whenever these indicators are found.
>[!NOTE]
->To create and manage custom detections, [your role](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) needs to have the **manage security settings** permission.
+>To create and manage custom detections, [your role](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) needs to have the **manage security settings** permission. For the detection rule to work properly and create alerts, the query must return in each row a set of MachineId, ReportId, EventTime which match to an actual event in advanced hunting.
1. In the navigation pane, select **Advanced hunting**.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/custom-ti-api.md b/windows/security/threat-protection/microsoft-defender-atp/custom-ti-api.md
index 2601b05b63..0a42682bb7 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/custom-ti-api.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/custom-ti-api.md
@@ -25,7 +25,7 @@ ms.topic: article
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-customti-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-customti-abovefoldlink)
You can define custom alert definitions and indicators of compromise (IOC) using the threat intelligence API. Creating custom threat intelligence alerts allows you to generate specific alerts that are applicable to your organization.
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction.md
similarity index 74%
rename from windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md
rename to windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction.md
index 2b7dec1738..839daef3d1 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction.md
@@ -9,6 +9,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
+audience: ITPro
author: levinec
ms.author: ellevin
ms.date: 05/13/2019
@@ -20,10 +21,10 @@ manager: dansimp
**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
->[!IMPORTANT]
->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+> [!IMPORTANT]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. Attack surface reduction rules are supported on Windows Server 2019 as well as Windows 10 clients.
@@ -33,21 +34,20 @@ You can use Group Policy, PowerShell, and MDM CSPs to configure these settings.
## Exclude files and folders
-You can exclude files and folders from being evaluated by attack surface reduction rules. This means that even if an attack surface reduction rule detects that the file contains malicious behavior, the file will not be blocked from running.
+You can exclude files and folders from being evaluated by attack surface reduction rules. This means that even if an attack surface reduction rule detects that the file contains malicious behavior, the file will not be blocked from running.
->[!WARNING]
->This could potentially allow unsafe files to run and infect your devices. Excluding files or folders can severely reduce the protection provided by attack surface reduction rules. Files that would have been blocked by a rule will be allowed to run, and there will be no report or event recorded.
+> [!WARNING]
+> This could potentially allow unsafe files to run and infect your devices. Excluding files or folders can severely reduce the protection provided by attack surface reduction rules. Files that would have been blocked by a rule will be allowed to run, and there will be no report or event recorded.
An exclusion applies to all rules that allow exclusions. You can specify an individual file, folder path, or the fully qualified domain name for a resource, but you cannot limit an exclusion to certain rules.
An exclusion is applied only when the excluded application or service starts. For example, if you add an exclusion for an update service that is already running, the update service will continue to trigger events until the service is stopped and restarted.
-Attack surface reduction supports environment variables and wildcards. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists).
+Attack surface reduction supports environment variables and wildcards. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists).
If you are encountering problems with rules detecting files that you believe should not be detected, you should [use audit mode first to test the rule](evaluate-attack-surface-reduction.md).
-
-Rule description | GUID
--|:-:|-
+Rule description | GUID
+-|-|-
Block all Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A
Block execution of potentially obfuscated scripts | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC
Block Win32 API calls from Office macro | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
@@ -62,19 +62,19 @@ Block process creations originating from PSExec and WMI commands | d1e49aac-8f56
Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
Block Office communication applications from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869
Block Adobe Reader from creating child processes | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
-Block persistence through WMI event subscription | e6db77e5-3df2-4cf1-b95a-636979351e5b
+Block persistence through WMI event subscription | e6db77e5-3df2-4cf1-b95a-636979351e5b
-See the [attack surface reduction](attack-surface-reduction-exploit-guard.md) topic for details on each rule.
+See the [attack surface reduction](attack-surface-reduction.md) topic for details on each rule.
### Use Group Policy to exclude files and folders
-1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
-2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
+2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
-3. Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Attack surface reduction**.
+3. Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Attack surface reduction**.
-4. Double-click the **Exclude files and paths from Attack surface reduction Rules** setting and set the option to **Enabled**. Click **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item.
+4. Double-click the **Exclude files and paths from Attack surface reduction Rules** setting and set the option to **Enabled**. Click **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item.
### Use PowerShell to exclude files and folders
@@ -85,10 +85,10 @@ See the [attack surface reduction](attack-surface-reduction-exploit-guard.md) to
Add-MpPreference -AttackSurfaceReductionOnlyExclusions "
As "Memory Protection Check"
+Block remote images | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
As "Load Library Check"
+Block untrusted fonts | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
+Data Execution Prevention (DEP) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
+Export address filtering (EAF) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
+Force randomization for images (Mandatory ASLR) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
+NullPage Security Mitigation | [!include[Check mark yes](../images/svg/check-yes.svg)]
Included natively in Windows 10
See [Mitigate threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information | [!include[Check mark yes](../images/svg/check-yes.svg)]
+Randomize memory allocations (Bottom-Up ASLR) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
+Simulate execution (SimExec) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
+Validate API invocation (CallerCheck) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
+Validate exception chains (SEHOP) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
+Validate stack integrity (StackPivot) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
+Certificate trust (configurable certificate pinning) | Windows 10 provides enterprise certificate pinning | [!include[Check mark yes](../images/svg/check-yes.svg)]
+Heap spray allocation | Ineffective against newer browser-based exploits; newer mitigations provide better protection
See [Mitigate threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information | [!include[Check mark yes](../images/svg/check-yes.svg)]
+Block low integrity images | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
+Code integrity guard | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
+Disable extension points | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
+Disable Win32k system calls | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
+Do not allow child processes | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
+Import address filtering (IAF) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
+Validate handle usage | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
+Validate heap integrity | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
+Validate image dependency integrity | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
+
+> [!NOTE]
+> The Advanced ROP mitigations that are available in EMET are superseded by ACG in Windows 10, which other EMET advanced settings are enabled by default in Windows Defender as part of enabling the anti-ROP mitigations for a process.
+>
+> See the [Mitigation threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information on how Windows 10 employs existing EMET technology.
+
+## Related topics
+
+* [Protect devices from exploits with Windows Defender](exploit-protection.md)
+* [Evaluate exploit protection](evaluate-exploit-protection.md)
+* [Enable exploit protection](enable-exploit-protection.md)
+* [Configure and audit exploit protection mitigations](customize-exploit-protection.md)
+* [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md)
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md
similarity index 68%
rename from windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md
rename to windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md
index b346df9a75..80c8e25156 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md
@@ -9,6 +9,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
+audience: ITPro
author: levinec
ms.author: ellevin
ms.date: 05/13/2019
@@ -18,7 +19,7 @@ manager: dansimp
# Enable attack surface reduction rules
-[Attack surface reduction rules](attack-surface-reduction-exploit-guard.md) help prevent actions and apps that malware often uses to infect computers. You can set attack surface reduction rules for computers running Windows 10 or Windows Server 2019.
+[Attack surface reduction rules](attack-surface-reduction.md) help prevent actions and apps that malware often uses to infect computers. You can set attack surface reduction rules for computers running Windows 10 or Windows Server 2019.
Each ASR rule contains three settings:
@@ -30,11 +31,11 @@ To use ASR rules, you need either a Windows 10 Enterprise E3 or E5 license. We r
You can enable attack surface reduction rules by using any of these methods:
-- [Microsoft Intune](#intune)
-- [Mobile Device Management (MDM)](#mdm)
-- [System Center Configuration Manager (SCCM)](#sccm)
-- [Group Policy](#group-policy)
-- [PowerShell](#powershell)
+* [Microsoft Intune](#intune)
+* [Mobile Device Management (MDM)](#mdm)
+* [System Center Configuration Manager (SCCM)](#sccm)
+* [Group Policy](#group-policy)
+* [PowerShell](#powershell)
Enterprise-level management such as Intune or SCCM is recommended. Enterprise-level management will overwrite any conflicting Group Policy or PowerShell settings on startup.
@@ -42,20 +43,20 @@ Enterprise-level management such as Intune or SCCM is recommended. Enterprise-le
You can exclude files and folders from being evaluated by most attack surface reduction rules. This means that even if an ASR rule determines the file or folder contains malicious behavior, it will not block the file from running. This could potentially allow unsafe files to run and infect your devices.
->[!WARNING]
->Excluding files or folders can severely reduce the protection provided by ASR rules. Excluded files will be allowed to run, and no report or event will be recorded.
->
->If ASR rules are detecting files that you believe shouldn't be detected, you should [use audit mode first to test the rule](evaluate-attack-surface-reduction.md).
-
->[!IMPORTANT]
->File and folder exclusions do not apply to the following ASR rules:
+> [!WARNING]
+> Excluding files or folders can severely reduce the protection provided by ASR rules. Excluded files will be allowed to run, and no report or event will be recorded.
>
->- Block process creations originating from PSExec and WMI commands
->- Block JavaScript or VBScript from launching downloaded executable content
+> If ASR rules are detecting files that you believe shouldn't be detected, you should [use audit mode first to test the rule](evaluate-attack-surface-reduction.md).
+
+> [!IMPORTANT]
+> File and folder exclusions do not apply to the following ASR rules:
+>
+> * Block process creations originating from PSExec and WMI commands
+> * Block JavaScript or VBScript from launching downloaded executable content
You can specify individual files or folders (using folder paths or fully qualified resource names) but you can't specify which rules the exclusions apply to. An exclusion is applied only when the excluded application or service starts. For example, if you add an exclusion for an update service that is already running, the update service will continue to trigger events until the service is stopped and restarted.
-ASR rules support environment variables and wildcards. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists).
+ASR rules support environment variables and wildcards. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists).
The following procedures for enabling ASR rules include instructions for how to exclude files and folders.
@@ -66,8 +67,8 @@ The following procedures for enabling ASR rules include instructions for how to
2. In the **Endpoint protection** pane, select **Windows Defender Exploit Guard**, then select **Attack Surface Reduction**. Select the desired setting for each ASR rule.
3. Under **Attack Surface Reduction exceptions**, you can enter individual files and folders, or you can select **Import** to import a CSV file that contains files and folders to exclude from ASR rules. Each line in the CSV file should be in the following format:
-
- *C:\folder*, *%ProgramFiles%\folder\file*, *C:\path*
+
+ *C:\folder*, *%ProgramFiles%\folder\file*, *C:\path*
4. Select **OK** on the three configuration panes and then select **Create** if you're creating a new endpoint protection file or **Save** if you're editing an existing one.
@@ -75,7 +76,7 @@ The following procedures for enabling ASR rules include instructions for how to
Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductionrules) configuration service provider (CSP) to individually enable and set the mode for each rule.
-The following is a sample for reference, using [GUID values for ASR rules](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard#attack-surface-reduction-rules).
+The following is a sample for reference, using [GUID values for ASR rules](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction#attack-surface-reduction-rules).
OMA-URI path: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules
@@ -83,9 +84,9 @@ Value: {75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84}=2|{3B576869-A4EC-4529-8536-B80A776
The values to enable, disable, or enable in audit mode are:
-- Disable = 0
-- Block (enable ASR rule) = 1
-- Audit = 2
+* Disable = 0
+* Block (enable ASR rule) = 1
+* Audit = 2
Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductiononlyexclusions) configuration service provider (CSP) to add exclusions.
@@ -95,8 +96,8 @@ OMA-URI path: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExc
Value: c:\path|e:\path|c:\Whitelisted.exe
->[!NOTE]
->Be sure to enter OMA-URI values without spaces.
+> [!NOTE]
+> Be sure to enter OMA-URI values without spaces.
## SCCM
@@ -105,12 +106,12 @@ Value: c:\path|e:\path|c:\Whitelisted.exe
1. Enter a name and a description, click **Attack Surface Reduction**, and click **Next**.
1. Choose which rules will block or audit actions and click **Next**.
1. Review the settings and click **Next** to create the policy.
-1. After the policy is created, click **Close**.
+1. After the policy is created, click **Close**.
## Group Policy
->[!WARNING]
->If you manage your computers and devices with Intune, SCCM, or other enterprise-level management platform, the management software will overwrite any conflicting Group Policy settings on startup.
+> [!WARNING]
+> If you manage your computers and devices with Intune, SCCM, or other enterprise-level management platform, the management software will overwrite any conflicting Group Policy settings on startup.
1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
@@ -119,15 +120,17 @@ Value: c:\path|e:\path|c:\Whitelisted.exe
3. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Windows Defender Exploit Guard** > **Attack surface reduction**.
4. Select **Configure Attack surface reduction rules** and select **Enabled**. You can then set the individual state for each rule in the options section:
- - Click **Show...** and enter the rule ID in the **Value name** column and your desired state in the **Value** column as follows:
- - Disable = 0
- - Block (enable ASR rule) = 1
- - Audit = 2
- 
+ * Click **Show...** and enter the rule ID in the **Value name** column and your desired state in the **Value** column as follows:
+
+ * Disable = 0
+ * Block (enable ASR rule) = 1
+ * Audit = 2
+
+ 
+
+5. To exclude files and folders from ASR rules, select the **Exclude files and paths from Attack surface reduction rules** setting and set the option to **Enabled**. Click **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item.
-5. To exclude files and folders from ASR rules, select the **Exclude files and paths from Attack surface reduction rules** setting and set the option to **Enabled**. Click **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item.
-
## PowerShell
>[!WARNING]
@@ -141,32 +144,32 @@ Value: c:\path|e:\path|c:\Whitelisted.exe
Set-MpPreference -AttackSurfaceReductionRules_Ids
- For more information about getting a new secret see, [Learn how to get a new secret](troubleshoot-custom-ti.md#learn-how-to-get-a-new-client-secret).
-
-4. Select **Generate tokens** to get an access and refresh token.
-
-You’ll need to use the access token in the Authorization header when doing REST API calls.
-
-## Related topics
-- [Understand threat intelligence concepts](threat-indicator-concepts.md)
-- [Create custom alerts using the threat intelligence API](custom-ti-api.md)
-- [PowerShell code examples for the custom threat intelligence API](powershell-example-code.md)
-- [Python code examples for the custom threat intelligence API](python-example-code.md)
-- [Experiment with custom threat intelligence alerts](experiment-custom-ti.md)
-- [Troubleshoot custom threat intelligence issues](troubleshoot-custom-ti.md)
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md
similarity index 70%
rename from windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md
rename to windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md
index e3fd820ba9..76bada624f 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md
@@ -9,6 +9,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
+audience: ITPro
author: levinec
ms.author: ellevin
ms.date: 05/09/2019
@@ -20,93 +21,93 @@ manager: dansimp
**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-[Exploit protection](exploit-protection-exploit-guard.md) helps protect against malware that uses exploits to infect devices and spread. It consists of a number of mitigations that can be applied to either the operating system or individual apps.
+[Exploit protection](exploit-protection.md) helps protect against malware that uses exploits to infect devices and spread. It consists of a number of mitigations that can be applied to either the operating system or individual apps.
-Many features from the Enhanced Mitigation Experience Toolkit (EMET) are included in exploit protection.
+Many features from the Enhanced Mitigation Experience Toolkit (EMET) are included in exploit protection.
You can also set mitigations to [audit mode](evaluate-exploit-protection.md). Audit mode allows you to test how the mitigations would work (and review events) without impacting the normal use of the machine.
You can enable each mitigation separately by using any of these methods:
-- [Windows Security app](#windows-security-app)
-- [Microsoft Intune](#intune)
-- [Mobile Device Management (MDM)](#mdm)
-- [System Center Configuration Manager (SCCM)](#sccm)
-- [Group Policy](#group-policy)
-- [PowerShell](#powershell)
+* [Windows Security app](#windows-security-app)
+* [Microsoft Intune](#intune)
+* [Mobile Device Management (MDM)](#mdm)
+* [System Center Configuration Manager (SCCM)](#sccm)
+* [Group Policy](#group-policy)
+* [PowerShell](#powershell)
-They are configured by default in Windows 10.
+They are configured by default in Windows 10.
-You can set each mitigation to on, off, or to its default value.
+You can set each mitigation to on, off, or to its default value.
Some mitigations have additional options.
-You can [export these settings as an XML file](import-export-exploit-protection-emet-xml.md) and deploy them to other machines.
+You can [export these settings as an XML file](import-export-exploit-protection-emet-xml.md) and deploy them to other machines.
## Windows Security app
1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection**.
-
+
3. Go to **Program settings** and choose the app you want to apply mitigations to:
1. If the app you want to configure is already listed, click it and then click **Edit**
2. If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app:
- - Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location.
- - Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want.
-
+ * Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location.
+ * Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want.
+
4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows.
-5. Repeat this for all the apps and mitigations you want to configure.
+5. Repeat this for all the apps and mitigations you want to configure.
-3. Under the **System settings** section, find the mitigation you want to configure and select one of the following. Apps that aren't configured individually in the **Program settings** section will use the settings configured here:
- - **On by default** - The mitigation is *enabled* for apps that don't have this mitigation set in the app-specific **Program settings** section
- - **Off by default** - The mitigation is *disabled* for apps that don't have this mitigation set in the app-specific **Program settings** section
- - **Use default** - The mitigation is either enabled or disabled, depending on the default configuration that is set up by Windows 10 installation; the default value (**On** or **Off**) is always specified next to the **Use default** label for each mitigation
+6. Under the **System settings** section, find the mitigation you want to configure and select one of the following. Apps that aren't configured individually in the **Program settings** section will use the settings configured here:
+ * **On by default** - The mitigation is *enabled* for apps that don't have this mitigation set in the app-specific **Program settings** section
+ * **Off by default** - The mitigation is *disabled* for apps that don't have this mitigation set in the app-specific **Program settings** section
+ * **Use default** - The mitigation is either enabled or disabled, depending on the default configuration that is set up by Windows 10 installation; the default value (**On** or **Off**) is always specified next to the **Use default** label for each mitigation
-5. Repeat this for all the system-level mitigations you want to configure. Click **Apply** when you're done setting up your configuration.
+7. Repeat this for all the system-level mitigations you want to configure. Click **Apply** when you're done setting up your configuration.
If you add an app to the **Program settings** section and configure individual mitigation settings there, they will be honored above the configuration for the same mitigations specified in the **System settings** section. The following matrix and examples help to illustrate how defaults work:
Enabled in **Program settings** | Enabled in **System settings** | Behavior
-:-: | :-: | :-:
-[!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | As defined in **Program settings**
-[!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | As defined in **Program settings**
-[!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | As defined in **System settings**
-[!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | Default as defined in **Use default** option
+-|-|-
+[!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] | As defined in **Program settings**
+[!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | As defined in **Program settings**
+[!include[Check mark no](../images/svg/check-no.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | As defined in **System settings**
+[!include[Check mark no](../images/svg/check-no.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | Default as defined in **Use default** option
+
+**Example 1**
-**Example 1**
-
Mikael configures **Data Execution Prevention (DEP)** in the **System settings** section to be **Off by default**.
Mikael then adds the app *test.exe* to the **Program settings** section. In the options for that app, under **Data Execution Prevention (DEP)**, he enables the **Override system settings** option and sets the switch to **On**. There are no other apps listed in the **Program settings** section.
-
+
The result will be that DEP only will be enabled for *test.exe*. All other apps will not have DEP applied.
**Example 2**
Josie configures **Data Execution Prevention (DEP)** in the **System settings** section to be **Off by default**.
-Josie then adds the app *test.exe* to the **Program settings** section. In the options for that app, under **Data Execution Prevention (DEP)**, she enables the **Override system settings** option and sets the switch to **On**.
+Josie then adds the app *test.exe* to the **Program settings** section. In the options for that app, under **Data Execution Prevention (DEP)**, she enables the **Override system settings** option and sets the switch to **On**.
Josie also adds the app *miles.exe* to the **Program settings** section and configures **Control flow guard (CFG)** to **On**. She doesn't enable the **Override system settings** option for DEP or any other mitigations for that app.
-The result will be that DEP will be enabled for *test.exe*. DEP will not be enabled for any other app, including *miles.exe*.
+The result will be that DEP will be enabled for *test.exe*. DEP will not be enabled for any other app, including *miles.exe*.
CFG will be enabled for *miles.exe*.
1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection**.
-
+
3. Go to **Program settings** and choose the app you want to apply mitigations to:
1. If the app you want to configure is already listed, click it and then click **Edit**
2. If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app:
- - Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location.
- - Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want.
-
+ * Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location.
+ * Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want.
+
4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows.
5. Repeat this for all the apps and mitigations you want to configure. Click **Apply** when you're done setting up your configuration.
@@ -116,11 +117,11 @@ CFG will be enabled for *miles.exe*.
1. Sign in to the [Azure portal](https://portal.azure.com) and open Intune.
1. Click **Device configuration** > **Profiles** > **Create profile**.
1. Name the profile, choose **Windows 10 and later** and **Endpoint protection**.
- 
+ 
1. Click **Configure** > **Windows Defender Exploit Guard** > **Exploit protection**.
1. Upload an [XML file](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) with the exploit protection settings:
- 
-1. Click **OK** to save each open blade and click **Create**.
+ 
+1. Click **OK** to save each open blade and click **Create**.
1. Click the profile **Assignments**, assign to **All Users & All Devices**, and click **Save**.
## MDM
@@ -134,50 +135,51 @@ Use the [./Vendor/MSFT/Policy/Config/ExploitGuard/ExploitProtectionSettings](htt
1. Enter a name and a description, click **Exploit protection**, and click **Next**.
1. Browse to the location of the exploit protection XML file and click **Next**.
1. Review the settings and click **Next** to create the policy.
-1. After the policy is created, click **Close**.
+1. After the policy is created, click **Close**.
## Group Policy
-1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
-1. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
+1. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
-1. Expand the tree to **Windows components** > **Windows Defender Exploit Guard** > **Exploit Protection** > **Use a common set of exploit protection settings**.
+1. Expand the tree to **Windows components** > **Windows Defender Exploit Guard** > **Exploit Protection** > **Use a common set of exploit protection settings**.
-6. Click **Enabled** and type the location of the [XML file](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) and click **OK**.
+1. Click **Enabled** and type the location of the [XML file](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) and click **OK**.
## PowerShell
You can use the PowerShell verb `Get` or `Set` with the cmdlet `ProcessMitigation`. Using `Get` will list the current configuration status of any mitigations that have been enabled on the device - add the `-Name` cmdlet and app exe to see mitigations for just that app:
```PowerShell
-Get-ProcessMitigation -Name processName.exe
+Get-ProcessMitigation -Name processName.exe
```
->[!IMPORTANT]
->System-level mitigations that have not been configured will show a status of `NOTSET`.
+> [!IMPORTANT]
+> System-level mitigations that have not been configured will show a status of `NOTSET`.
>
->For system-level settings, `NOTSET` indicates the default setting for that mitigation has been applied.
+> For system-level settings, `NOTSET` indicates the default setting for that mitigation has been applied.
>
->For app-level settings, `NOTSET` indicates the system-level setting for the mitigation will be applied.
+> For app-level settings, `NOTSET` indicates the system-level setting for the mitigation will be applied.
>
->The default setting for each system-level mitigation can be seen in the Windows Security.
+> The default setting for each system-level mitigation can be seen in the Windows Security.
Use `Set` to configure each mitigation in the following format:
```PowerShell
Set-ProcessMitigation -
- If you want to connect directly to the alerts REST API through programmatic access, choose **Generic API**.
+ If you want to connect directly to the detections REST API through programmatic access, choose **Generic API**.
4. Copy the individual values or select **Save details to file** to download a file that contains all the values.
@@ -64,14 +67,14 @@ Enable security information and event management (SIEM) integration so you can p
> [!NOTE]
> You'll need to generate a new Refresh token every 90 days.
-You can now proceed with configuring your SIEM solution or connecting to the alerts REST API through programmatic access. You'll need to use the tokens when configuring your SIEM solution to allow it to receive alerts from Microsoft Defender Security Center.
+You can now proceed with configuring your SIEM solution or connecting to the detections REST API through programmatic access. You'll need to use the tokens when configuring your SIEM solution to allow it to receive detections from Microsoft Defender Security Center.
## Integrate Microsoft Defender ATP with IBM QRadar
-You can configure IBM QRadar to collect alerts from Microsoft Defender ATP. For more information, see [IBM Knowledge Center](https://www.ibm.com/support/knowledgecenter/SS42VS_DSM/c_dsm_guide_MS_Win_Defender_ATP_overview.html?cp=SS42VS_7.3.1).
+You can configure IBM QRadar to collect detections from Microsoft Defender ATP. For more information, see [IBM Knowledge Center](https://www.ibm.com/support/knowledgecenter/SS42VS_DSM/c_dsm_guide_MS_Win_Defender_ATP_overview.html?cp=SS42VS_7.3.1).
## Related topics
-- [Configure Splunk to pull Microsoft Defender ATP alerts](configure-splunk.md)
-- [Configure HP ArcSight to pull Microsoft Defender ATP alerts](configure-arcsight.md)
-- [Microsoft Defender ATP alert API fields](api-portal-mapping.md)
-- [Pull Microsoft Defender ATP alerts using REST API](pull-alerts-using-rest-api.md)
+- [Configure Splunk to pull Microsoft Defender ATP detections](configure-splunk.md)
+- [Configure HP ArcSight to pull Microsoft Defender ATP detections](configure-arcsight.md)
+- [Microsoft Defender ATP Detection fields](api-portal-mapping.md)
+- [Pull Microsoft Defender ATP detections using REST API](pull-alerts-using-rest-api.md)
- [Troubleshoot SIEM tool integration issues](troubleshoot-siem.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluate-atp.md b/windows/security/threat-protection/microsoft-defender-atp/evaluate-atp.md
index 1939474a15..ee4f4e583c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/evaluate-atp.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/evaluate-atp.md
@@ -9,7 +9,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-ms.author: mjcaparas
+ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
@@ -19,25 +19,30 @@ ms.topic: conceptual
---
# Evaluate Microsoft Defender ATP
+
[Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) is a unified platform for preventative protection, post-breach detection, automated investigation, and response.
-You can evaluate Microsoft Defender Advanced Threat Protection in your organization by [starting your free trial](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp).
+You can evaluate Microsoft Defender Advanced Threat Protection in your organization by [starting your free trial](https://www.microsoft.com/WindowsForBusiness/windows-atp).
-You can also evaluate the different security capabilities in Microsoft Defender ATP by using the following instructions.
+You can also evaluate the different security capabilities in Microsoft Defender ATP by using the following instructions.
## Evaluate attack surface reduction
+
These capabilities help prevent attacks and exploitations from infecting your organization.
-- [Evaluate attack surface reduction](../windows-defender-exploit-guard/evaluate-attack-surface-reduction.md)
-- [Evaluate exploit protection](../windows-defender-exploit-guard/evaluate-exploit-protection.md)
-- [Evaluate network protection](../windows-defender-exploit-guard/evaluate-exploit-protection.md)
-- [Evaluate controlled folder access](../windows-defender-exploit-guard/evaluate-controlled-folder-access.md)
+
+- [Evaluate attack surface reduction](./evaluate-attack-surface-reduction.md)
+- [Evaluate exploit protection](./evaluate-exploit-protection.md)
+- [Evaluate network protection](./evaluate-exploit-protection.md)
+- [Evaluate controlled folder access](./evaluate-controlled-folder-access.md)
- [Evaluate application guard](../windows-defender-application-guard/test-scenarios-wd-app-guard.md)
- [Evaluate network firewall](../windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md)
## Evaluate next generation protection
+
Next gen protections help detect and block the latest threats.
+
- [Evaluate antivirus](../windows-defender-antivirus/evaluate-windows-defender-antivirus.md)
-
## See Also
+
[Get started with Microsoft Defender Advanced Threat Protection](get-started.md)
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md
similarity index 68%
rename from windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md
rename to windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md
index 145da203d5..271622f774 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md
@@ -9,6 +9,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
+audience: ITPro
author: levinec
ms.author: ellevin
ms.date: 04/02/2019
@@ -20,14 +21,14 @@ manager: dansimp
**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. Attack surface reduction rules are supported on Windows Server 2019 as well as Windows 10 clients.
This topic helps you evaluate attack surface reduction rules. It explains how to enable audit mode so you can test the feature directly in your organization.
->[!TIP]
->You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
+> [!TIP]
+> You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
## Use audit mode to measure impact
@@ -43,42 +44,27 @@ Set-MpPreference -AttackSurfaceReductionRules_Actions AuditMode
This enables all attack surface reduction rules in audit mode.
->[!TIP]
->If you want to fully audit how attack surface reduction rules will work in your organization, you'll need to use a management tool to deploy this setting to machines in your network(s).
-You can also use Group Policy, Intune, or MDM CSPs to configure and deploy the setting, as described in the main [Attack surface reduction rules topic](attack-surface-reduction-exploit-guard.md).
+> [!TIP]
+> If you want to fully audit how attack surface reduction rules will work in your organization, you'll need to use a management tool to deploy this setting to machines in your network(s).
+You can also use Group Policy, Intune, or MDM CSPs to configure and deploy the setting, as described in the main [Attack surface reduction rules topic](attack-surface-reduction.md).
## Review attack surface reduction events in Windows Event Viewer
To review apps that would have been blocked, open Event Viewer and filter for Event ID 1121 in the Microsoft-Windows-Windows-Defender/Operational log. The following table lists all network protection events.
-
-| Event ID | Description |
-|----------|-------------|
-|5007 | Event when settings are changed |
-| 1121 | Event when an attack surface reduction rule fires in block mode |
-| 1122 | Event when an attack surface reduction rule fires in audit mode |
+ Event ID | Description
+-|-
+ 5007 | Event when settings are changed
+ 1121 | Event when an attack surface reduction rule fires in block mode
+ 1122 | Event when an attack surface reduction rule fires in audit mode
## Customize attack surface reduction rules
-During your evaluation, you may wish to configure each rule individualy or exclude certain files and processes from being evaluated by the feature.
+During your evaluation, you may wish to configure each rule individually or exclude certain files and processes from being evaluated by the feature.
See the [Customize attack surface reduction rules](customize-attack-surface-reduction.md) topic for information on configuring the feature with management tools, including Group Policy and MDM CSP policies.
## Related topics
-- [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction-exploit-guard.md)
-- [Evaluate Windows Defender Exploit Guard](evaluate-windows-defender-exploit-guard.md)
-- [Use audit mode to evaluate Windows Defender Exploit Guard](audit-windows-defender-exploit-guard.md)
-
-
-
-
-
-
-
-
-
-
-
-
-
+* [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction.md)
+* [Use audit mode to evaluate Windows Defender](audit-windows-defender.md)
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md b/windows/security/threat-protection/microsoft-defender-atp/evaluate-controlled-folder-access.md
similarity index 61%
rename from windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md
rename to windows/security/threat-protection/microsoft-defender-atp/evaluate-controlled-folder-access.md
index 08d11df095..5f8fc8a0da 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/evaluate-controlled-folder-access.md
@@ -9,6 +9,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
+audience: ITPro
author: levinec
ms.author: ellevin
ms.date: 11/16/2018
@@ -20,16 +21,16 @@ manager: dansimp
**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-[Controlled folder access](controlled-folders-exploit-guard.md) is a feature that helps protect your documents and files from modification by suspicious or malicious apps. Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients.
+[Controlled folder access](controlled-folders.md) is a feature that helps protect your documents and files from modification by suspicious or malicious apps. Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients.
It is especially useful in helping to protect your documents and information from [ransomware](https://www.microsoft.com/wdsi/threats/ransomware) that can attempt to encrypt your files and hold them hostage.
This topic helps you evaluate controlled folder access. It explains how to enable audit mode so you can test the feature directly in your organization.
->[!TIP]
->You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
+> [!TIP]
+> You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
## Use audit mode to measure impact
@@ -43,27 +44,28 @@ To enable audit mode, use the following PowerShell cmdlet:
Set-MpPreference -EnableControlledFolderAccess AuditMode
```
->[!TIP]
->If you want to fully audit how controlled folder access will work in your organization, you'll need to use a management tool to deploy this setting to machines in your network(s).
-You can also use Group Policy, Intune, MDM, or System Center Configuration Manager to configure and deploy the setting, as described in the main [controlled folder access topic](controlled-folders-exploit-guard.md).
+> [!TIP]
+> If you want to fully audit how controlled folder access will work in your organization, you'll need to use a management tool to deploy this setting to machines in your network(s).
+You can also use Group Policy, Intune, MDM, or System Center Configuration Manager to configure and deploy the setting, as described in the main [controlled folder access topic](controlled-folders.md).
## Review controlled folder access events in Windows Event Viewer
The following controlled folder access events appear in Windows Event Viewer under Microsoft/Windows/Windows Defender/Operational folder.
-| Event ID | Description |
-| --- | --- |
-| 5007 | Event when settings are changed |
-| 1124 | Audited controlled folder access event |
-| 1123 | Blocked controlled folder access event |
+Event ID | Description
+-|-
+ 5007 | Event when settings are changed
+ 1124 | Audited controlled folder access event
+ 1123 | Blocked controlled folder access event
## Customize protected folders and apps
-During your evaluation, you may wish to add to the list of protected folders, or allow certain apps to modify files.
+During your evaluation, you may wish to add to the list of protected folders, or allow certain apps to modify files.
-See [Protect important folders with controlled folder access](controlled-folders-exploit-guard.md) for configuring the feature with management tools, including Group Policy, PowerShell, and MDM CSP.
+See [Protect important folders with controlled folder access](controlled-folders.md) for configuring the feature with management tools, including Group Policy, PowerShell, and MDM CSP.
## Related topics
-- [Protect important folders with controlled folder access](controlled-folders-exploit-guard.md)
-- [Evaluate Microsoft Defender ATP](evaluate-windows-defender-exploit-guard.md)
-- [Use audit mode](audit-windows-defender-exploit-guard.md)
+
+* [Protect important folders with controlled folder access](controlled-folders.md)
+* [Evaluate Microsoft Defender ATP]../(microsoft-defender-atp/evaluate-atp.md)
+* [Use audit mode](audit-windows-defender.md)
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/evaluate-exploit-protection.md
similarity index 55%
rename from windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md
rename to windows/security/threat-protection/microsoft-defender-atp/evaluate-exploit-protection.md
index 61220879a8..4d70c50373 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/evaluate-exploit-protection.md
@@ -9,6 +9,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
+audience: ITPro
author: levinec
ms.author: ellevin
ms.date: 04/02/2019
@@ -20,75 +21,74 @@ manager: dansimp
**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-[Exploit protection](exploit-protection-exploit-guard.md) helps protect devices from malware that uses exploits to spread and infect other devices.
+[Exploit protection](exploit-protection.md) helps protect devices from malware that uses exploits to spread and infect other devices.
It consists of a number of mitigations that can be applied to either the operating system or an individual app.
-Many of the features that were part of the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/security/jj653751) are included in exploit protection.
+Many of the features that were part of the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/security/jj653751) are included in exploit protection.
-This topic helps you enable exploit protection in audit mode and review related events in Event Viewer.
+This topic helps you enable exploit protection in audit mode and review related events in Event Viewer.
You can enable audit mode for certain app-level mitigations to see how they will work in a test environment.
This lets you see a record of what *would* have happened if you had enabled the mitigation in production.
You can make sure it doesn't affect your line-of-business apps, and see which suspicious or malicious events occur.
->[!TIP]
->You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to see how exploit protection works.
+> [!TIP]
+> You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to see how exploit protection works.
## Enable exploit protection in audit mode
-You can set mitigations in audit mode for specific programs either by using the Windows Security app or PowerShell.
+You can set mitigations in audit mode for specific programs either by using the Windows Security app or PowerShell.
### Windows Security app
1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection**.
-
+
3. Go to **Program settings** and choose the app you want to apply mitigations to:
1. If the app you want to configure is already listed, click it and then click **Edit**
2. If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app:
- - Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location.
- - Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want.
-
+ * Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location.
+ * Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want.
+
4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows.
5. Repeat this for all the apps and mitigations you want to configure. Click **Apply** when you're done setting up your configuration.
### PowerShell
-To set app-level mitigations to audit mode, use `Set-ProcessMitigation` with the **Audit mode** cmdlet.
+To set app-level mitigations to audit mode, use `Set-ProcessMitigation` with the **Audit mode** cmdlet.
Configure each mitigation in the following format:
-
```PowerShell
Set-ProcessMitigation -
Included natively in Windows 10
See [Mitigate threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information | [!include[Check mark yes](../images/svg/check-yes.svg)]
+Randomize memory allocations (Bottom-Up ASLR) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
+Simulate execution (SimExec) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
+Validate API invocation (CallerCheck) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
+Validate exception chains (SEHOP) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
+Validate stack integrity (StackPivot) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
+Certificate trust (configurable certificate pinning) | Windows 10 provides enterprise certificate pinning | [!include[Check mark yes](../images/svg/check-yes.svg)]
+Heap spray allocation | Ineffective against newer browser-based exploits; newer mitigations provide better protection
See [Mitigate threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information | [!include[Check mark yes](../images/svg/check-yes.svg)]
+Block low integrity images | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
+Code integrity guard | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
+Disable extension points | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
+Disable Win32k system calls | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
+Do not allow child processes | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
+Import address filtering (IAF) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
+Validate handle usage | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
+Validate heap integrity | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
+Validate image dependency integrity | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
+
+> [!NOTE]
+> The Advanced ROP mitigations that are available in EMET are superseded by ACG in Windows 10, which other EMET advanced settings are enabled by default, as part of enabling the anti-ROP mitigations for a process.
+>
+> See the [Mitigation threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information on how Windows 10 employs existing EMET technology.
+
+## Related topics
+
+* [Protect devices from exploits](exploit-protection.md)
+* [Evaluate exploit protection](evaluate-exploit-protection.md)
+* [Enable exploit protection](enable-exploit-protection.md)
+* [Configure and audit exploit protection mitigations](customize-exploit-protection.md)
+* [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md)
+* [Troubleshoot exploit protection](troubleshoot-exploit-protection-mitigations.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md
index 6d064aed64..8c3bd67aa8 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md
@@ -8,7 +8,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-ms.author: mjcaparas
+ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
@@ -21,7 +21,7 @@ ms.topic: article
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
This page describes how to create an application to get programmatic access to Microsoft Defender ATP on behalf of a user.
@@ -62,29 +62,29 @@ This page explains how to create an AAD application, get an access token to Micr
4. Allow your Application to access Microsoft Defender ATP and assign it 'Read alerts' permission:
- - On your application page, click **API Permissions** > **Add permission** > **APIs my organization uses** > type **WindowsDefenderATP** and click on **WindowsDefenderATP**.
+ - On your application page, click **API Permissions** > **Add permission** > **APIs my organization uses** > type **WindowsDefenderATP** and click on **WindowsDefenderATP**.
- - **Note**: WindowsDefenderATP does not appear in the original list. You need to start writing its name in the text box to see it appear.
+ - **Note**: WindowsDefenderATP does not appear in the original list. You need to start writing its name in the text box to see it appear.
- 
+ 
- - Choose **Delegated permissions** > **Alert.Read** > Click on **Add permissions**
+ - Choose **Delegated permissions** > **Alert.Read** > Click on **Add permissions**
- 
+ 
- - **Important note**: You need to select the relevant permissions. 'Read alerts' is only an example!
+ - **Important note**: You need to select the relevant permissions. 'Read alerts' is only an example!
- For instance,
+ For instance,
- - To [run advanced queries](run-advanced-query-api.md), select 'Run advanced queries' permission
- - To [isolate a machine](isolate-machine.md), select 'Isolate machine' permission
- - To determine which permission you need, please look at the **Permissions** section in the API you are interested to call.
+ - To [run advanced queries](run-advanced-query-api.md), select 'Run advanced queries' permission
+ - To [isolate a machine](isolate-machine.md), select 'Isolate machine' permission
+ - To determine which permission you need, please look at the **Permissions** section in the API you are interested to call.
- - Click **Grant consent**
+ - Click **Grant consent**
- **Note**: Every time you add permission you must click on **Grant consent** for the new permission to take effect.
+ **Note**: Every time you add permission you must click on **Grant consent** for the new permission to take effect.
- 
+ 
6. Write down your application ID and your tenant ID:
@@ -102,42 +102,42 @@ For more details on AAD token, refer to [AAD tutorial](https://docs.microsoft.co
- Copy/Paste the below class in your application.
- Use **AcquireUserTokenAsync** method with the your application ID, tenant ID, user name and password to acquire a token.
- ```
- namespace WindowsDefenderATP
- {
- using System.Net.Http;
- using System.Text;
- using System.Threading.Tasks;
- using Newtonsoft.Json.Linq;
+ ```csharp
+ namespace WindowsDefenderATP
+ {
+ using System.Net.Http;
+ using System.Text;
+ using System.Threading.Tasks;
+ using Newtonsoft.Json.Linq;
- public static class WindowsDefenderATPUtils
- {
- private const string Authority = "https://login.windows.net";
+ public static class WindowsDefenderATPUtils
+ {
+ private const string Authority = "https://login.windows.net";
- private const string WdatpResourceId = "https://api.securitycenter.windows.com";
+ private const string WdatpResourceId = "https://api.securitycenter.windows.com";
- public static async Task
-Effectively identifying, assessing, and remediating endpoint weaknesses is pivotal in running a healthy security program and reducing organizational risk. This infrastructure correlates endpoint detection and response (EDR) insights with endpoint vulnerabilities real-time, thus reducing organizational vulnerability exposure and increasing threat resilience.
-
-**Attack surface reduction**
-The attack surface reduction set of capabilities provide the first line of defense in the stack. By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitations.
-
-**Next generation protection**
-To further reinforce the security perimeter of your network, Microsoft Defender ATP uses next generation protection designed to catch all types of emerging threats.
-
-**Endpoint detection and response**
-Endpoint detection and response capabilities are put in place to detect, investigate, and respond to advanced threats that may have made it past the first two security pillars.
-
-**Auto investigation and remediation**
-In conjunction with being able to quickly respond to advanced attacks, Microsoft Defender ATP offers automatic investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale.
-
-**Secure score**
-Microsoft Defender ATP provides a security posture capability to help you dynamically assess the security state of your enterprise network, identify unprotected systems, and take recommended actions to improve the overall security state of your network.
-
-**Microsoft Threat Experts**
-Microsoft Threat Experts is the new managed threat hunting service in Microsoft Defender ATP that provides proactive hunting, prioritization, and additional context and insights that further empower security operations centers (SOCs) to identify and respond to threats quickly and accurately. It provides additional layer of expertise and optics that Microsoft customers can utilize to augment security operation capabilities as part of Microsoft 365.
-
-**Advanced hunting**
-Advanced hunting allows you to hunt for possible threats across your organization using a powerful search and query tool. You can also create custom detection rules based on the queries you created and surface alerts in Microsoft Defender Security Center.
-
-**Management and APIs**
-Integrate Microsoft Defender Advanced Threat Protection into your existing workflows.
-
-**Microsoft threat protection**
-Bring the power of Microsoft Threat Protection to your organization.
-
-## In this section
-Topic | Description
-:---|:---
-[Minimum requirements](minimum-requirements.md) | Learn about the requirements for onboarding machines to the platform.
-[Validate licensing and complete setup](licensing.md) | Get guidance on how to check that licenses have been provisioned to your organization and how to access the portal for the first time.
-[Preview features](preview.md) | Learn about new features in the Microsoft Defender ATP preview release and be among the first to try upcoming features by turning on the preview experience.
-[Data storage and privacy](data-storage-privacy.md) | Explains the data storage and privacy details related to Microsoft Defender ATP.
-[Assign user access to the portal](assign-portal-access.md) | Set permissions to manage who can access the portal. You can set basic permissions or set granular permissions using role-based access control (RBAC).
-[Evaluate Microsoft Defender ATP](evaluate-atp.md) | Evaluate the various capabilities in Microsoft Defender ATP and test features out.
-[Access the Microsoft Defender Security Center Community Center](community.md) | The Microsoft Defender ATP Community Center is a place where community members can learn, collaborate, and share experiences about the product.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md
index 2b5551a0bb..92bc4c7650 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md
@@ -44,7 +44,7 @@ Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
GET /api/users/{id}/alerts
```
-**Note that the id is not the full UPN, but only the user name. (e.g., to retrieve alerts for user1@contoso.com use /api/users/user1/alerts) **
+**Note that the id is not the full UPN, but only the user name. (e.g., to retrieve alerts for user1@contoso.com use /api/users/user1/alerts)**
## Request headers
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines.md
index 341c605bbb..ca042a7e99 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines.md
@@ -44,7 +44,7 @@ Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine
GET /api/users/{id}/machines
```
-**Note that the id is not the full UPN, but only the user name. (e.g., to retrieve machines for user1@contoso.com use /api/users/user1/machines) **
+**Note that the id is not the full UPN, but only the user name. (e.g., to retrieve machines for user1@contoso.com use /api/users/user1/machines)**
## Request headers
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/MTE_EOD.png b/windows/security/threat-protection/microsoft-defender-atp/images/MTE_EOD.png
new file mode 100644
index 0000000000..2bd08bd9fa
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/MTE_EOD.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/MTE_EOD_Menu.png b/windows/security/threat-protection/microsoft-defender-atp/images/MTE_EOD_Menu.png
new file mode 100644
index 0000000000..455de5a2ab
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/MTE_EOD_Menu.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/MTE_EOD_alerts.png b/windows/security/threat-protection/microsoft-defender-atp/images/MTE_EOD_alerts.png
new file mode 100644
index 0000000000..895a4973e6
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/MTE_EOD_alerts.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/MTE_EOD_file.png b/windows/security/threat-protection/microsoft-defender-atp/images/MTE_EOD_file.png
new file mode 100644
index 0000000000..ec891e1e3a
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/MTE_EOD_file.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/MTE_EOD_machines.png b/windows/security/threat-protection/microsoft-defender-atp/images/MTE_EOD_machines.png
new file mode 100644
index 0000000000..5d227c08c3
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/MTE_EOD_machines.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/TVM_icon.png b/windows/security/threat-protection/microsoft-defender-atp/images/TVM_icon.png
index 41faa16718..b3cb1854b9 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/TVM_icon.png and b/windows/security/threat-protection/microsoft-defender-atp/images/TVM_icon.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/action-center-package-collection.png b/windows/security/threat-protection/microsoft-defender-atp/images/action-center-package-collection.png
index fdfa3bde36..a8f70701e2 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/action-center-package-collection.png and b/windows/security/threat-protection/microsoft-defender-atp/images/action-center-package-collection.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/alert-notification.png b/windows/security/threat-protection/microsoft-defender-atp/images/alert-notification.png
new file mode 100644
index 0000000000..69836b943c
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/alert-notification.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/api-flow-0.png b/windows/security/threat-protection/microsoft-defender-atp/images/api-flow-0.png
new file mode 100644
index 0000000000..7cbc10748b
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/api-flow-0.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/api-flow-1.png b/windows/security/threat-protection/microsoft-defender-atp/images/api-flow-1.png
new file mode 100644
index 0000000000..07d00ddf20
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/api-flow-1.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/api-flow-2.PNG b/windows/security/threat-protection/microsoft-defender-atp/images/api-flow-2.PNG
new file mode 100644
index 0000000000..3afdf8262b
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/api-flow-2.PNG differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/api-flow-3.PNG b/windows/security/threat-protection/microsoft-defender-atp/images/api-flow-3.PNG
new file mode 100644
index 0000000000..1db4fe594a
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/api-flow-3.PNG differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/api-flow-4.PNG b/windows/security/threat-protection/microsoft-defender-atp/images/api-flow-4.PNG
new file mode 100644
index 0000000000..857188379d
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/api-flow-4.PNG differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/api-flow-5.PNG b/windows/security/threat-protection/microsoft-defender-atp/images/api-flow-5.PNG
new file mode 100644
index 0000000000..9c85162428
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/api-flow-5.PNG differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/apply-to-each-value.png b/windows/security/threat-protection/microsoft-defender-atp/images/apply-to-each-value.png
new file mode 100644
index 0000000000..2f027e9054
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/apply-to-each-value.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/apply-to-each.png b/windows/security/threat-protection/microsoft-defender-atp/images/apply-to-each.png
new file mode 100644
index 0000000000..741770b06a
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/apply-to-each.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/build-flow.png b/windows/security/threat-protection/microsoft-defender-atp/images/build-flow.png
new file mode 100644
index 0000000000..615e107f78
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/build-flow.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/condition1.png b/windows/security/threat-protection/microsoft-defender-atp/images/condition1.png
new file mode 100644
index 0000000000..fb441257c0
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/condition1.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/condition2.png b/windows/security/threat-protection/microsoft-defender-atp/images/condition2.png
new file mode 100644
index 0000000000..e57b9d3fe4
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/condition2.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/condition3.png b/windows/security/threat-protection/microsoft-defender-atp/images/condition3.png
new file mode 100644
index 0000000000..25b0fe742a
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/condition3.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/conditions-2.png b/windows/security/threat-protection/microsoft-defender-atp/images/conditions-2.png
new file mode 100644
index 0000000000..714a61e399
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/conditions-2.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/data-operations.png b/windows/security/threat-protection/microsoft-defender-atp/images/data-operations.png
new file mode 100644
index 0000000000..13d572f10f
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/data-operations.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/flow-apply.png b/windows/security/threat-protection/microsoft-defender-atp/images/flow-apply.png
new file mode 100644
index 0000000000..3d274ebf9f
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/flow-apply.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/flow-recurrence.png b/windows/security/threat-protection/microsoft-defender-atp/images/flow-recurrence.png
new file mode 100644
index 0000000000..01ad9116f0
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/flow-recurrence.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/flow2.png b/windows/security/threat-protection/microsoft-defender-atp/images/flow2.png
new file mode 100644
index 0000000000..647008af7d
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/flow2.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/http-conditions.png b/windows/security/threat-protection/microsoft-defender-atp/images/http-conditions.png
new file mode 100644
index 0000000000..68eb6483c1
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/http-conditions.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/http-flow.png b/windows/security/threat-protection/microsoft-defender-atp/images/http-flow.png
new file mode 100644
index 0000000000..71e3aa0e9f
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/http-flow.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mte-applicationconfirmation.png b/windows/security/threat-protection/microsoft-defender-atp/images/mte-applicationconfirmation.png
new file mode 100644
index 0000000000..2c04ad2fc8
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mte-applicationconfirmation.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mte-apply.png b/windows/security/threat-protection/microsoft-defender-atp/images/mte-apply.png
new file mode 100644
index 0000000000..a7096ee4aa
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mte-apply.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mte-collaboratewithmte.png b/windows/security/threat-protection/microsoft-defender-atp/images/mte-collaboratewithmte.png
new file mode 100644
index 0000000000..862c5ffbd7
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mte-collaboratewithmte.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mte-eod-alerts.png b/windows/security/threat-protection/microsoft-defender-atp/images/mte-eod-alerts.png
new file mode 100644
index 0000000000..895a4973e6
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mte-eod-alerts.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mte-eod-file.png b/windows/security/threat-protection/microsoft-defender-atp/images/mte-eod-file.png
new file mode 100644
index 0000000000..ec891e1e3a
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mte-eod-file.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mte-eod-machines.png b/windows/security/threat-protection/microsoft-defender-atp/images/mte-eod-machines.png
new file mode 100644
index 0000000000..5d227c08c3
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mte-eod-machines.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mte-eod-menu.png b/windows/security/threat-protection/microsoft-defender-atp/images/mte-eod-menu.png
new file mode 100644
index 0000000000..455de5a2ab
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mte-eod-menu.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mte-eod.png b/windows/security/threat-protection/microsoft-defender-atp/images/mte-eod.png
new file mode 100644
index 0000000000..2bd08bd9fa
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mte-eod.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/new-flow.png b/windows/security/threat-protection/microsoft-defender-atp/images/new-flow.png
new file mode 100644
index 0000000000..7d64c71ac8
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/new-flow.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/parse-json-flow.png b/windows/security/threat-protection/microsoft-defender-atp/images/parse-json-flow.png
new file mode 100644
index 0000000000..3a2b7563bf
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/parse-json-flow.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/parse-json-schema.png b/windows/security/threat-protection/microsoft-defender-atp/images/parse-json-schema.png
new file mode 100644
index 0000000000..2c6069ab3d
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/parse-json-schema.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/parse-json.png b/windows/security/threat-protection/microsoft-defender-atp/images/parse-json.png
new file mode 100644
index 0000000000..6931f21e5a
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/parse-json.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/power-bi-query-results.png b/windows/security/threat-protection/microsoft-defender-atp/images/power-bi-query-results.png
deleted file mode 100644
index b94ee3a009..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/power-bi-query-results.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/recurrence-add.png b/windows/security/threat-protection/microsoft-defender-atp/images/recurrence-add.png
new file mode 100644
index 0000000000..43a41fbd3b
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/recurrence-add.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/response-actions.png b/windows/security/threat-protection/microsoft-defender-atp/images/response-actions.png
index 87108d3e72..29dbc99425 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/response-actions.png and b/windows/security/threat-protection/microsoft-defender-atp/images/response-actions.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/rules-indicators.png b/windows/security/threat-protection/microsoft-defender-atp/images/rules-indicators.png
new file mode 100644
index 0000000000..570609f803
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/rules-indicators.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/send-email.png b/windows/security/threat-protection/microsoft-defender-atp/images/send-email.png
new file mode 100644
index 0000000000..f4f0bca971
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/send-email.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_machine_page_flyout.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_machine_page_flyout.png
new file mode 100644
index 0000000000..7d83e1545d
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_machine_page_flyout.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_machines_discoveredvuln.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_machines_discoveredvuln.png
new file mode 100644
index 0000000000..08e0e2f831
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_machines_discoveredvuln.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_machineslist.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_machineslist.png
new file mode 100644
index 0000000000..ea9e800b94
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_machineslist.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_machinetoinvestigate.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_machinetoinvestigate.png
new file mode 100644
index 0000000000..864dff2f13
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_machinetoinvestigate.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_report_inaccuracy.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_report_inaccuracy.png
new file mode 100644
index 0000000000..4b1c91c9e4
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_report_inaccuracy.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_report_inaccuracy_software.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_report_inaccuracy_software.png
new file mode 100644
index 0000000000..6589185f64
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_report_inaccuracy_software.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_report_inaccuracy_softwarecolon.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_report_inaccuracy_softwarecolon.png
new file mode 100644
index 0000000000..eb0c4314c7
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_report_inaccuracy_softwarecolon.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_report_inaccuracy_softwareflyout.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_report_inaccuracy_softwareflyout.png
new file mode 100644
index 0000000000..0b72121e67
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_report_inaccuracy_softwareflyout.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_report_inaccuracy_softwareoptions.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_report_inaccuracy_softwareoptions.png
new file mode 100644
index 0000000000..8f61d18462
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_report_inaccuracy_softwareoptions.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_report_inaccuracy_vuln.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_report_inaccuracy_vuln.png
new file mode 100644
index 0000000000..08c0a00cc9
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_report_inaccuracy_vuln.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_report_inaccuracy_vulnflyout.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_report_inaccuracy_vulnflyout.png
new file mode 100644
index 0000000000..cae0239957
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_report_inaccuracy_vulnflyout.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_report_inaccuracy_vulnoptions.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_report_inaccuracy_vulnoptions.png
new file mode 100644
index 0000000000..cf9f274980
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_report_inaccuracy_vulnoptions.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_report_inaccuracyflyout.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_report_inaccuracyflyout.png
new file mode 100644
index 0000000000..9af2ad6945
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_report_inaccuracyflyout.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_report_inaccuracyoptions.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_report_inaccuracyoptions.png
new file mode 100644
index 0000000000..09c4876e1d
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_report_inaccuracyoptions.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_weaknesses_machinepage.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_weaknesses_machinepage.png
new file mode 100644
index 0000000000..5c56b70612
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_weaknesses_machinepage.png differ
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md b/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml.md
similarity index 61%
rename from windows/security/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md
rename to windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml.md
index 676188aa12..c46302a04f 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml.md
@@ -9,6 +9,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
+audience: ITPro
author: levinec
ms.author: ellevin
ms.date: 04/30/2018
@@ -20,13 +21,11 @@ manager: dansimp
**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
Exploit protection applies helps protect devices from malware that use exploits to spread and infect. It consists of a number of mitigations that can be applied at either the operating system level, or at the individual app level.
-It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md).
-
-Many of the features that are part of the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/security/jj653751) are now included in exploit protection.
+Many of the features that are part of the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/security/jj653751) are now included in exploit protection.
You use the Windows Security app or PowerShell to create a set of mitigations (known as a configuration). You can then export this configuration as an XML file and share it with multiple machines on your network so they all have the same set of mitigation settings.
@@ -34,7 +33,7 @@ You can also convert and import an existing EMET configuration XML file into an
This topic describes how to create a configuration file and deploy it across your network, and how to convert an EMET configuration.
-The [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) contains a sample configuration file (name *ProcessMitigation-Selfhost-v4.xml* that you can use to see how the XML structure looks. The sample file also contains settings that have been converted from an EMET configuration. You can open the file in a text editor (such as Notepad) or import it directly into exploit protection and then review the settings in the Windows Security app, as described further in this topic.
+The [Evaluation Package](https://aka.ms/mp7z2w) contains a sample configuration file (name *ProcessMitigation-Selfhost-v4.xml* that you can use to see how the XML structure looks. The sample file also contains settings that have been converted from an EMET configuration. You can open the file in a text editor (such as Notepad) or import it directly into exploit protection and then review the settings in the Windows Security app, as described further in this topic.
## Create and export a configuration file
@@ -50,14 +49,14 @@ When you have configured exploit protection to your desired state (including bot
2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection settings**:
- 
-
+ 
+
3. At the bottom of the **Exploit protection** section, click **Export settings** and then choose the location and name of the XML file where you want the configuration to be saved.
-
+
->[!NOTE]
->When you export the settings, all settings for both app-level and system-level mitigations are saved. This means you don't need to export a file from both the **System settings** and **Program settings** sections - either section will export all settings.
+> [!NOTE]
+> When you export the settings, all settings for both app-level and system-level mitigations are saved. This means you don't need to export a file from both the **System settings** and **Program settings** sections - either section will export all settings.
### Use PowerShell to export a configuration file
@@ -65,7 +64,7 @@ When you have configured exploit protection to your desired state (including bot
2. Enter the following cmdlet:
```PowerShell
- Get-ProcessMitigation -RegistryConfigFilePath filename.xml
+ Get-ProcessMitigation -RegistryConfigFilePath filename.xml
```
Change `filename` to any name or location of your choosing.
@@ -74,7 +73,7 @@ Example command
**Get-ProcessMitigation -RegistryConfigFilePath C:\ExploitConfigfile.xml**
> [!IMPORTANT]
-> When you deploy the configuration using Group Policy, all machines that will use the configuration must be able to access the configuration file. Ensure you place the file in a shared location.
+> When you deploy the configuration using Group Policy, all machines that will use the configuration must be able to access the configuration file. Ensure you place the file in a shared location.
## Import a configuration file
@@ -84,12 +83,11 @@ After importing, the settings will be instantly applied and can be reviewed in t
### Use PowerShell to import a configuration file
-
1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**
2. Enter the following cmdlet:
```PowerShell
- Set-ProcessMitigation -PolicyFilePath filename.xml
+ Set-ProcessMitigation -PolicyFilePath filename.xml
```
Change `filename` to the location and name of the exploit protection XML file.
@@ -97,11 +95,9 @@ Change `filename` to the location and name of the exploit protection XML file.
Example command
**Set-ProcessMitigation -PolicyFilePath C:\ExploitConfigfile.xml**
-
->[!IMPORTANT]
+> [!IMPORTANT]
>
->Ensure you import a configuration file that is created specifically for exploit protection. You cannot directly import an EMET configuration file, you must convert it first.
-
+> Ensure you import a configuration file that is created specifically for exploit protection. You cannot directly import an EMET configuration file, you must convert it first.
## Convert an EMET configuration file to an exploit protection configuration file
@@ -109,14 +105,13 @@ You can convert an existing EMET configuration file to the new format used by ex
You can only do this conversion in PowerShell.
->[!WARNING]
+> [!WARNING]
>
->You cannot directly convert the default EMET configuration files that are distributed with EMET. These files are intended to help set up EMET for a first-time user. Attempting to directly convert these files into an Exploit protection configuration file will not work.
+> You cannot directly convert the default EMET configuration files that are distributed with EMET. These files are intended to help set up EMET for a first-time user. Attempting to directly convert these files into an Exploit protection configuration file will not work.
>
->However, if you want to apply the same settings as in the default EMET configuration files, you must first import the default configuration file into EMET, then export the settings to a new file.
+> However, if you want to apply the same settings as in the default EMET configuration files, you must first import the default configuration file into EMET, then export the settings to a new file.
>
->You can then convert that file using the PowerShell cmdlet described here before importing the settings into Exploit protection.
-
+> You can then convert that file using the PowerShell cmdlet described here before importing the settings into Exploit protection.
1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**
2. Enter the following cmdlet:
@@ -127,46 +122,45 @@ You can only do this conversion in PowerShell.
Change `emetFile` to the name and location of the EMET configuration file, and change `filename` to whichever location and file name you want to use.
->[!IMPORTANT]
+> [!IMPORTANT]
>
->If you have enabled Mandatory ASLR for any apps in EMET, export the EMET settings to an XML file, and then convert the XML file into an Exploit protection configuration file, you will need to manually edit the converted XML file to ensure the Mandatory ASLR mitigation setting is correctly configured:
+> If you have enabled Mandatory ASLR for any apps in EMET, export the EMET settings to an XML file, and then convert the XML file into an Exploit protection configuration file, you will need to manually edit the converted XML file to ensure the Mandatory ASLR mitigation setting is correctly configured:
>
> 1. Open the PowerShell-converted XML file in a text editor.
> 2. Search for `ASLR ForceRelocateImages="false"` and change it to `ASLR ForceRelocateImages="true"` for each app that you want Mandatory ASLR to be enabled.
-
## Manage or deploy a configuration
You can use Group Policy to deploy the configuration you've created to multiple machines in your network.
> [!IMPORTANT]
-> When you deploy the configuration using Group Policy, all machines that will use the configuration must be able to access the configuration XML file. Ensure you place the file in a shared location.
+> When you deploy the configuration using Group Policy, all machines that will use the configuration must be able to access the configuration XML file. Ensure you place the file in a shared location.
### Use Group Policy to distribute the configuration
-1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
-3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
+2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
-5. Expand the tree to **Windows components** > **Windows Defender Exploit Guard** > **Exploit protection**.
+3. Expand the tree to **Windows components** > **Windows Defender Exploit Guard** > **Exploit protection**.
- 
+ 
-6. Double-click the **Use a common set of Exploit protection settings** setting and set the option to **Enabled**.
+4. Double-click the **Use a common set of Exploit protection settings** setting and set the option to **Enabled**.
-7. In the **Options::** section, enter the location and filename of the Exploit protection configuration file that you want to use, such as in the following examples:
- - C:\MitigationSettings\Config.XML
- - \\\Server\Share\Config.xml
- - https://localhost:8080/Config.xml
- - C:\ExploitConfigfile.xml
+5. In the **Options::** section, enter the location and filename of the Exploit protection configuration file that you want to use, such as in the following examples:
-8. Click **OK** and [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/library/ee663280(v=vs.85).aspx).
+ * C:\MitigationSettings\Config.XML
+ * \\\Server\Share\Config.xml
+ * https://localhost:8080/Config.xml
+ * C:\ExploitConfigfile.xml
+6. Click **OK** and [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/library/ee663280(v=vs.85).aspx).
## Related topics
-- [Protect devices from exploits](exploit-protection-exploit-guard.md)
-- [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md)
-- [Evaluate exploit protection](evaluate-exploit-protection.md)
-- [Enable exploit protection](enable-exploit-protection.md)
-- [Configure and audit exploit protection mitigations](customize-exploit-protection.md)
+* [Protect devices from exploits](exploit-protection.md)
+* [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection.md)
+* [Evaluate exploit protection](evaluate-exploit-protection.md)
+* [Enable exploit protection](enable-exploit-protection.md)
+* [Configure and audit exploit protection mitigations](customize-exploit-protection.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/incidents-queue.md b/windows/security/threat-protection/microsoft-defender-atp/incidents-queue.md
deleted file mode 100644
index 3defa8692a..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/incidents-queue.md
+++ /dev/null
@@ -1,38 +0,0 @@
----
-title: Incidents queue in Microsoft Defender ATP
-description:
-keywords: incidents, aggregate, investigations, queue, ttp
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dansimp
-author: dansimp
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
----
-
-# Incidents in Microsoft Defender ATP
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-
-When a cybersecurity threat is emerging, or a potential attacker is deploying its tactics, techniques/tools, and procedures (TTPs) on the network, Microsoft Defender ATP will quickly trigger alerts and launch matching automatic investigations.
-
-Microsoft Defender ATP applies correlation analytics and aggregates all related alerts and investigations into an incident. Doing so helps narrate a broader story of an attack, thus providing you with the right visuals (upgraded incident graph) and data representations to understand and deal with complex cross-entity threats to your organization's network.
-
-
-## In this section
-
-Topic | Description
-:---|:---
-[View and organize the Incidents queue](view-incidents-queue.md)| See the list of incidents and learn how to apply filters to limit the list and get a more focused view.
-[Manage incidents](manage-incidents.md) | Learn how to manage incidents by assigning it, updating its status, or setting its classification and other actions.
-[Investigate incidents](investigate-incidents.md)| See associated alerts, manage the incident, see alert metadata, and visualizations to help you investigate an incident.
-
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview.md b/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview.md
index ee65c7302f..dcc141f161 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview.md
@@ -8,7 +8,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-ms.author: mjcaparas
+ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
@@ -45,8 +45,8 @@ Sensitivity labels classify and help protect sensitive content.
Sensitive information types in the Office 365 data loss prevention (DLP) implementation fall under two categories:
-- Default
-- Custom
+- Default
+- Custom
Default sensitive information types include information such as bank account numbers, social security numbers, or national IDs. For more information, see [What the sensitive information type look for](https://docs.microsoft.com/office365/securitycompliance/what-the-sensitive-information-types-look-for).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/information-protection-investigation.md b/windows/security/threat-protection/microsoft-defender-atp/information-protection-investigation.md
index f7bcff5265..7578bad95e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/information-protection-investigation.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/information-protection-investigation.md
@@ -57,9 +57,6 @@ Learn how to use data sensitivity labels to prioritize incident investigation.
->[!NOTE]
-> The event side pane now provides additional insight to the WIP and AIP protection status.
-
>[!TIP]
>These data points are also exposed through the ‘FileCreationEvents’ in advanced hunting, allowing advanced queries and schedule detection to take into account sensitivity labels and file protection status.
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-alerts.md
index 11e43b707c..fc412ef07c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/investigate-alerts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-alerts.md
@@ -26,7 +26,7 @@ ms.date: 04/24/2018
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-investigatealerts-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-investigatealerts-abovefoldlink)
Investigate alerts that are affecting your network, understand what they mean, and how to resolve them.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-behind-proxy.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-behind-proxy.md
index 18d267c4cd..583366232a 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/investigate-behind-proxy.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-behind-proxy.md
@@ -23,7 +23,7 @@ ms.topic: article
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-investigatemachines-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-investigatemachines-abovefoldlink)
Microsoft Defender ATP supports network connection monitoring from different levels of the network stack. A challenging case is when the network uses a forward proxy as a gateway to the Internet.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-domain.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-domain.md
index 8268c3ce96..e352bb1469 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/investigate-domain.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-domain.md
@@ -26,7 +26,7 @@ ms.date: 04/24/2018
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-investigatedomain-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-investigatedomain-abovefoldlink)
Investigate a domain to see if machines and servers in your enterprise network have been communicating with a known malicious domain.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-files.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-files.md
index 6cb6750c1c..94d19a39d9 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/investigate-files.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-files.md
@@ -26,7 +26,7 @@ ms.date: 04/24/2018
[!include[Prerelease information](prerelease.md)]
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-investigatefiles-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-investigatefiles-abovefoldlink)
Investigate the details of a file associated with a specific alert, behavior, or event to help determine if the file exhibits malicious activities, identify the attack motivation, and understand the potential scope of the breach.
@@ -52,6 +52,7 @@ Along the top of the profile page, above the file information cards. Actions you
- Stop and quarantine
- Add/edit indicator
- Download file
+- Consult a threat expert
- Action center
For more information on these actions, see [Take response action on a file](respond-file-alerts.md).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-ip.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-ip.md
index 4f3711af17..08fee8aed4 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/investigate-ip.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-ip.md
@@ -24,7 +24,7 @@ ms.date: 04/24/2018
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-investigateip-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-investigateip-abovefoldlink)
Examine possible communication between your machines and external internet protocol (IP) addresses.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md
index c79fa83c94..75a98adc36 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md
@@ -23,7 +23,7 @@ ms.topic: article
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-investigatemachines-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-investigatemachines-abovefoldlink)
Investigate the details of an alert raised on a specific machine to identify other behaviors or events that might be related to the alert or the potential scope of the breach.
@@ -60,6 +60,7 @@ Response actions run along the top of a specific machine page and include:
- Run antivirus scan
- Restrict app execution
- Isolate machine
+- Consult a threat expert
- Action center
You can take response actions in the Action center, in a specific machine page, or in a specific file page.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-user.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-user.md
index 4ef33de1cf..ed90aafde4 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/investigate-user.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-user.md
@@ -23,7 +23,7 @@ ms.date: 04/24/2018
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-investigatgeuser-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-investigatgeuser-abovefoldlink)
## Investigate user account entities
diff --git a/windows/security/threat-protection/microsoft-defender-atp/is-domain-seen-in-org.md b/windows/security/threat-protection/microsoft-defender-atp/is-domain-seen-in-org.md
deleted file mode 100644
index 408e800158..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/is-domain-seen-in-org.md
+++ /dev/null
@@ -1,82 +0,0 @@
----
-title: Is domain seen in org API
-description: Use this API to create calls related to checking whether a domain was seen in the organization.
-keywords: apis, graph api, supported apis, domain, domain seen
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Was domain seen in org
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-Answers whether a domain was seen in the organization.
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Url.Read.All | 'Read URLs'
-Delegated (work or school account) | URL.Read.All | 'Read URLs'
-
->[!Note]
-> When obtaining a token using user credentials:
->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
-
-## HTTP request
-```
-GET /api/domains/{domain}
-```
-
-## Request headers
-
-Header | Value
-:---|:---
-Authorization | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful and domain exists - 200 OK. If domain does not exist - 404 Not Found.
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-[!include[Improve request performance](improve-request-performance.md)]
-
-```
-GET https://api.securitycenter.windows.com/api/domains/example.com
-Content-type: application/json
-```
-
-**Response**
-
-Here is an example of the response.
-
-
-```
-HTTP/1.1 200 OK
-Content-type: application/json
-{
- "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Domains/$entity",
- "host": "example.com"
-}
-```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/is-ip-seen-org.md b/windows/security/threat-protection/microsoft-defender-atp/is-ip-seen-org.md
deleted file mode 100644
index 3239831649..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/is-ip-seen-org.md
+++ /dev/null
@@ -1,82 +0,0 @@
----
-title: Is IP seen in org API
-description: Answers whether an IP was seen in the organization.
-keywords: apis, graph api, supported apis, is, ip, seen, org, organization
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Was IP seen in org
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-Answers whether an IP was seen in the organization.
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Ip.Read.All | 'Read IP address profiles'
-Delegated (work or school account) | Ip.Read.All | 'Read IP address profiles'
-
->[!Note]
-> When obtaining a token using user credentials:
->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
-
-## HTTP request
-```
-GET /api/ips/{ip}
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful and IP exists - 200 OK. If IP do not exist - 404 Not Found.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```
-GET https://api.securitycenter.windows.com/api/ips/10.209.67.177
-```
-
-**Response**
-
-Here is an example of the response.
-
-[!include[Improve request performance](improve-request-performance.md)]
-
-
-```
-HTTP/1.1 200 OK
-Content-type: application/json
-{
- "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Ips/$entity",
- "id": "10.209.67.177"
-}
-```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md b/windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md
index 095c078b1f..9747f2d0ae 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md
@@ -61,8 +61,8 @@ Comment | String | Comment to associate with the action. **Required**.
IsolationType | String | Type of the isolation. Allowed values are: 'Full' or 'Selective'.
**IsolationType** controls the type of isolation to perform and can be one of the following:
-- Full – Full isolation
-- Selective – Restrict only limited set of applications from accessing the network (see [Isolate machines from the network](respond-machine-alerts.md#isolate-machines-from-the-network) for more details)
+- Full – Full isolation
+- Selective – Restrict only limited set of applications from accessing the network (see [Isolate machines from the network](respond-machine-alerts.md#isolate-machines-from-the-network) for more details)
## Response
diff --git a/windows/security/threat-protection/microsoft-defender-atp/licensing.md b/windows/security/threat-protection/microsoft-defender-atp/licensing.md
index 105fc8bd52..3b8b796791 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/licensing.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/licensing.md
@@ -24,7 +24,7 @@ ms.topic: article
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-validatelicense-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-validatelicense-abovefoldlink)
## Check license state
diff --git a/windows/security/threat-protection/microsoft-defender-atp/live-response.md b/windows/security/threat-protection/microsoft-defender-atp/live-response.md
index d3ed3224e5..151cc9a4d1 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/live-response.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/live-response.md
@@ -22,8 +22,6 @@ ms.topic: article
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-[!include[Prerelease information](prerelease.md)]
-
Live response is a capability that gives you instantaneous access to a machine using a remote shell connection. This gives you the power to do in-depth investigative work and take immediate response actions to promptly contain identified threats – real-time.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/machine-tags.md b/windows/security/threat-protection/microsoft-defender-atp/machine-tags.md
index 6dff3ffaae..c9543f40e7 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/machine-tags.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/machine-tags.md
@@ -67,7 +67,8 @@ Machines with similar tags can be handy when you need to apply contextual action
Use the following registry key entry to add a tag on a machine:
- Registry key: `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging\`
-- Registry key value (string): Group
+- Registry key name: `Group`
+- Registry key value (REG_SZ): `Name of the tag you want to set`
>[!NOTE]
>The device tag is part of the machine information report that's generated once a day. As an alternative, you may choose to restart the endpoint that would transfer a new machine information report.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/machineactionsnote.md b/windows/security/threat-protection/microsoft-defender-atp/machineactionsnote.md
index fe12e8ee4e..eb66c2d069 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/machineactionsnote.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/machineactionsnote.md
@@ -2,7 +2,7 @@
ms.date: 08/28/2017
ms.reviewer:
manager: dansimp
-ms.author: mjcaparas
+ms.author: macapara
author: mjcaparas
---
>[!Note]
diff --git a/windows/security/threat-protection/microsoft-defender-atp/machines-view-overview.md b/windows/security/threat-protection/microsoft-defender-atp/machines-view-overview.md
index 788a106f59..e526c0bead 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/machines-view-overview.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/machines-view-overview.md
@@ -23,7 +23,7 @@ ms.topic: article
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-machinesview-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-machinesview-abovefoldlink)
The **Machines list** shows a list of the machines in your network where alerts were generated. By default, the queue displays machines with alerts seen in the last 30 days.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/manage-alerts.md
index 3113e4b4f9..92f89df9a7 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-alerts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/manage-alerts.md
@@ -22,7 +22,7 @@ ms.topic: article
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-managealerts-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-managealerts-abovefoldlink)
Microsoft Defender ATP notifies you of possible malicious events, attributes, and contextual information through alerts. A summary of new alerts is displayed in the **Security operations dashboard**, and you can access all alerts in the **Alerts queue**.
@@ -36,7 +36,7 @@ Selecting an alert in either of those places brings up the **Alert management pa
You can create a new incident from the alert or link to an existing incident.
## Assign alerts
-If an alert is no yet assigned, you can select **Assign to me** to assign the alert to yourself.
+If an alert is not yet assigned, you can select **Assign to me** to assign the alert to yourself.
## Suppress alerts
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-allowed-blocked-list.md b/windows/security/threat-protection/microsoft-defender-atp/manage-allowed-blocked-list.md
deleted file mode 100644
index c852df752c..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-allowed-blocked-list.md
+++ /dev/null
@@ -1,84 +0,0 @@
----
-title: Manage allowed/blocked lists
-description: Create indicators for a file hash, IP address, URLs or domains that define the detection, prevention, and exclusion of entities.
-keywords: manage, allowed, blocked, whitelist, blacklist, block, clean, malicious, file hash, ip address, urls, domain
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Manage allowed/blocked lists
-
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-[!include[Prerelease information](prerelease.md)]
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automationexclusionlist-abovefoldlink)
-
-
-Create indicators that define the detection, prevention, and exclusion of entities. You can define the action to be taken as well as the duration for when to apply the action as well as the scope of the machine group to apply it to.
-
-On the top navigation you can:
-- Import a list
-- Add an indicator
-- Customize columns to add or remove columns
-- Export the entire list in CSV format
-- Select the items to show per page
-- Navigate between pages
-- Apply filters
-
-## Create an indicator
-1. In the navigation pane, select **Settings** > **Allowed/blocked list**.
-
-2. Select the tab of the type of entity you'd like to create an indicator for. You can choose any of the following entities:
- - File hash
- - IP address
- - URLs/Domains
-
-3. Click **Add indicator**.
-
-4. For each attribute specify the following details:
- - Indicator - Specify the entity details and define the expiration of the indicator.
- - Action - Specify the action to be taken and provide a description.
- - Scope - Define the scope of the machine group.
-
-5. Review the details in the Summary tab, then click **Save**.
-
-
->[!NOTE]
->Blocking IPs, domains, or URLs is currently available on limited preview only.
->This requires sending your custom list to [network protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection) to be enforced which is an option that will be generally available soon.
->As it is not yet generally available, when Automated investigations finds this indicator during an investigation it will use the allowed/block list as the basis of its decision to automatically remediate (blocked list) or skip (allowed list) the entity.
-
-
-## Manage indicators
-1. In the navigation pane, select **Settings** > **Allowed/blocked list**.
-
-2. Select the tab of the entity type you'd like to manage.
-
-3. Update the details of the indicator and click **Save** or click the **Delete** button if you'd like to remove the entity from the list.
-
-## Import a list
-You can also choose to upload a CSV file that defines the attributes of indicators, the action to be taken, and other details.
-
-Download the sample CSV to know the supported column attributes.
-
-
-## Related topics
-- [Manage automation allowed/blocked lists](manage-automation-allowed-blocked-list.md)
-
-
-
-
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-automation-allowed-blocked-list.md b/windows/security/threat-protection/microsoft-defender-atp/manage-automation-allowed-blocked-list.md
deleted file mode 100644
index b30f739163..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-automation-allowed-blocked-list.md
+++ /dev/null
@@ -1,68 +0,0 @@
----
-title: Manage automation allowed/blocked lists
-description: Create lists that control what items are automatically blocked or allowed during an automatic investigation.
-keywords: manage, automation, whitelist, blacklist, block, clean, malicious
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Manage automation allowed/blocked lists
-
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automationexclusionlist-abovefoldlink)
-
-Create a rule to control which entities are automatically incriminated or exonerated during Automated investigations.
-
-Entities added to the allowed list are considered safe and will not be analyzed during Automated investigations.
-
-Entities added to the blocked list are considered malicious and will be remediated during Automated investigations.
-
-You can define the conditions for when entities are identified as malicious or safe based on certain attributes such as hash values or certificates.
-
-## Create an allowed or blocked list
-1. In the navigation pane, select **Settings** > **Automation allowed/blocked list**.
-
-2. Select the tab of the type of entity you'd like to create an exclusion for. Currently, you can add a rule for certificates.
-
-3. Select **Add allowed/blocked list rule**.
-
-4. For each attribute specify the exclusion type, details, and their corresponding required values.
-
-5. Click **Add rule**.
-
-## Edit a list
-1. In the navigation pane, select **Settings** > **Automation allowed/blocked list**.
-
-2. Select the tab of the entity type you'd like to edit the list from.
-
-3. Update the details of the rule and click **Update rule**.
-
-## Delete a list
-1. In the navigation pane, select **Settings** > **Automation allowed/blocked list**.
-
-2. Select the tab of the entity type you'd like to delete the list from.
-
-3. Select the list type by clicking the check-box beside the list type.
-
-4. Click **Delete**.
-
-
-## Related topics
-- [Manage automation file uploads](manage-automation-file-uploads.md)
-- [Manage indicators](manage-indicators.md)
-- [Manage automation folder exclusions](manage-automation-folder-exclusions.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-automation-file-uploads.md b/windows/security/threat-protection/microsoft-defender-atp/manage-automation-file-uploads.md
index cdf8cabeb1..7268e93b7a 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-automation-file-uploads.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/manage-automation-file-uploads.md
@@ -26,7 +26,7 @@ ms.topic: article
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automationefileuploads-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automationefileuploads-abovefoldlink)
Enable the content analysis capability so that certain files and email attachments can automatically be uploaded to the cloud for additional inspection in Automated investigation.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-automation-folder-exclusions.md b/windows/security/threat-protection/microsoft-defender-atp/manage-automation-folder-exclusions.md
index 2ff51aee05..e05d6ca55c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-automation-folder-exclusions.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/manage-automation-folder-exclusions.md
@@ -26,7 +26,7 @@ ms.topic: article
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automationexclusionfolder-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automationexclusionfolder-abovefoldlink)
Automation folder exclusions allow you to specify folders that the Automated investigation will skip.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-edr.md b/windows/security/threat-protection/microsoft-defender-atp/manage-edr.md
index 1dc3f9be1f..2e124ba8aa 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-edr.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/manage-edr.md
@@ -9,7 +9,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-ms.author: mjcaparas
+ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md b/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md
index dce7f4aaf2..f0cf3d6772 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md
@@ -1,4 +1,4 @@
----
+---
title: Manage indicators
ms.reviewer:
description: Create indicators for a file hash, IP address, URLs or domains that define the detection, prevention, and exclusion of entities.
@@ -9,7 +9,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-ms.author: mjcaparas
+ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
@@ -23,32 +23,121 @@ ms.topic: article
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+[!include[Prerelease information](prerelease.md)]
+
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automationexclusionlist-abovefoldlink)
+Indicator of compromise (IoCs) matching is an essential feature in every endpoint protection solution. This capability is available in Microsoft Defender ATP and gives SecOps the ability to set a list of indicators for detection and for blocking (prevention and response).
+
Create indicators that define the detection, prevention, and exclusion of entities. You can define the action to be taken as well as the duration for when to apply the action as well as the scope of the machine group to apply it to.
-On the top navigation you can:
+Currently supported sources are the cloud detection engine of Microsoft Defender ATP, the automated investigation and remediation engine, and the endpoint prevention engine (Windows Defender AV).
-- Import a list
-- Add an indicator
-- Customize columns to add or remove columns
-- Export the entire list in CSV format
-- Select the items to show per page
-- Navigate between pages
-- Apply filters
+**Cloud detection engine**
+The cloud detection engine of Microsoft Defender ATP regularly scans collected data and tries to match the indicators you set. When there is a match, action will be taken according to the settings you specified for the IoC.
-## Create an indicator
+**Endpoint prevention engine**
+The same list of indicators is honored by the prevention agent. Meaning, if Windows Defender AV is the primary AV configured, the matched indicators will be treated according to the settings. For example, if the action is "Alert and Block", Windows Defender AV will prevent file executions (block and remediate) and a corresponding alert will be raised. On the other hand, if the Action is set to "Allow", Windows Defender AV will not detect nor block the file from being run.
+
+**Automated investigation and remediation engine**
+The automated investigation and remediation behave the same. If an indicator is set to "Allow", Automated investigation and remediation will ignore a "bad" verdict for it. If set to "Block", Automated investigation and remediation will treat it as "bad".
+
+
+The current supported actions are:
+- Allow
+- Alert only
+- Alert and block
+
+
+You can create an indicator for:
+- Files
+- IP addresses
+- URLs/domains
+
+>[!NOTE]
+>There is a limit of 5000 indicators per tenant.
+
+
+
+
+
+## Create indicators for files
+You can prevent further propagation of an attack in your organization by banning potentially malicious files or suspected malware. If you know a potentially malicious portable executable (PE) file, you can block it. This operation will prevent it from being read, written, or executed on machines in your organization.
+
+There are two ways you can create indicators for files:
+- By creating an indicator through the settings page
+- By creating a contextual indicator using the add indicator button from the file details page
+
+### Before you begin
+It's important to understand the following prerequisites prior to creating indicators for files:
+- This feature is available if your organization uses Windows Defender Antivirus and Cloud–based protection is enabled. For more information, see [Manage cloud–based protection](../windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md).
+- The Antimalware client version must be 4.18.1901.x or later.
+- Supported on machines on Windows 10, version 1703 or later.
+- To start blocking files, you first need to [turn the **Block or allow** feature on](advanced-features.md) in Settings.
+- This feature is designed to prevent suspected malware (or potentially malicious files) from being downloaded from the web. It currently supports portable executable (PE) files, including _.exe_ and _.dll_ files. The coverage will be extended over time.
+
+>[!IMPORTANT]
+>- The allow or block function cannot be done on files if the file's classification exists on the device's cache prior to the allow or block action
+>- Trusted signed files will be treated differently. Microsoft Defender ATP is optimized to handle malicious files. Trying to block trusted signed files, in some cases, may have performance implications.
+>- The PE file needs to be in the machine timeline for you to be able to take this action.
+
+
+>[!NOTE]
+>There may be a couple of minutes of latency between the time the action is taken and the actual file being blocked.
+
+### Create an indicator for files from the settings page
1. In the navigation pane, select **Settings** > **Indicators**.
-2. Select the tab of the type of entity you'd like to create an indicator for. You can choose any of the following entities:
- - File hash
- - IP address
- - URLs/Domains
-
-3. Click **Add indicator**.
+2. Select the **File hash** tab.
-4. For each attribute specify the following details:
+3. Select **Add indicator**.
+
+4. Specify the following details:
+ - Indicator - Specify the entity details and define the expiration of the indicator.
+ - Action - Specify the action to be taken and provide a description.
+ - Scope - Define the scope of the machine group.
+
+5. Review the details in the Summary tab, then click **Save**.
+
+### Create a contextual indicator from the file details page
+One of the options when taking [response actions on a file](respond-file-alerts.md) is adding an indicator for the file.
+
+When you add an indicator hash for a file, you can choose to raise an alert and block the file whenever a machine in your organization attempts to run it.
+
+Files automatically blocked by an indicator won't show up in the files's Action center, but the alerts will still be visible in the Alerts queue.
+
+
+## Create indicators for IPs and URLs/domains (preview)
+Microsoft Defender ATP can block what Microsoft deems as malicious IPs/URLs through SmartScreen for Microsoft browsers and Network Protection for non-Microsoft browsers and calls made outside the browser.
+
+The threat intelligence data set for this has been managed by Microsoft.
+
+By creating indicators for IPs and URLs or domains, you can now allow or block IPs, URLs or domains based on your own threat intelligence. You can do this through the settings page or by machine groups if you deem certain groups to be more or less at risk than others.
+
+### Before you begin
+It's important to understand the following prerequisites prior to creating indicators for IPS, URLs or domains:
+- URL/IP allow and block relies on the Microsoft Defender ATP component Network Protection to be enabled in block mode. For more information on Network Protection and configuration instructions, see [Protect your network](network-protection.md).
+- The Antimalware client version must be 4.18.1906.x or later.
+- Supported on machines on Windows 10, version 1709 or later.
+- Ensure that **Custom network indicators** is enabled in **Microsoft Defender Security Center > Settings > Advanced features**. For more information, see [Advanced features](advanced-features.md).
+
+
+>[!IMPORTANT]
+> Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs.
+
+>[!NOTE]
+>There may be up to 2 hours latency (usually less) between the time the action is taken, and the URL and IP being blocked.
+
+### Create an indicator for IPs, URLs or domains from the settings page
+
+1. In the navigation pane, select **Settings** > **Indicators**.
+
+2. Select the **IP addresses or URLs/Domains** tab.
+
+3. Select **Add indicator**.
+
+4. Specify the following details:
- Indicator - Specify the entity details and define the expiration of the indicator.
- Action - Specify the action to be taken and provide a description.
- Scope - Define the scope of the machine group.
@@ -56,10 +145,6 @@ On the top navigation you can:
5. Review the details in the Summary tab, then click **Save**.
->[!NOTE]
->Blocking IPs, domains, or URLs is currently available on limited preview only.
->This requires sending your custom list to [network protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection) to be enforced which is an option that will be generally available soon.
->As it is not yet generally available, when Automated investigations finds this indicator during an investigation it will use the allowed/block list as the basis of its decision to automatically remediate (blocked list) or skip (allowed list) the entity.
## Manage indicators
@@ -69,12 +154,14 @@ On the top navigation you can:
3. Update the details of the indicator and click **Save** or click the **Delete** button if you'd like to remove the entity from the list.
-## Import a list
+## Import a list of IoCs
You can also choose to upload a CSV file that defines the attributes of indicators, the action to be taken, and other details.
Download the sample CSV to know the supported column attributes.
## Related topic
+- [Create contextual IoC](respond-file-alerts.md#add-indicator-to-block-or-allow-a-file)
+- [Use the Microsoft Defender ATP indicators API](ti-indicator.md)
+- [Use partner integrated solutions](partner-applications.md)
-- [Manage automation allowed/blocked lists](manage-automation-allowed-blocked-list.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/management-apis.md b/windows/security/threat-protection/microsoft-defender-atp/management-apis.md
index 25c32174b9..d6f7f0fecf 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/management-apis.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/management-apis.md
@@ -9,7 +9,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-ms.author: mjcaparas
+ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
@@ -23,7 +23,7 @@ ms.topic: conceptual
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-mgt-apis-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-mgt-apis-abovefoldlink)
Microsoft Defender ATP supports a wide variety of options to ensure that customers can easily adopt the platform.
@@ -52,7 +52,6 @@ An important aspect of machine management is the ability to analyze the environm
Topic | Description
:---|:---
Understand threat intelligence concepts | Learn about alert definitions, indicators of compromise, and other threat intelligence concepts.
-Supported Microsoft Defender ATP APIs | Learn more about the individual supported entities where you can run API calls to and details such as HTTP request values, request headers and expected responses.
Managed security service provider | Get a quick overview on managed security service provider support.
@@ -61,7 +60,7 @@ Managed security service provider | Get a quick overview on managed security ser
## Related topics
- [Onboard machines](onboard-configure.md)
- [Enable the custom threat intelligence application](enable-custom-ti.md)
-- [Microsoft Defender ATP Public API](use-apis.md)
+- [Microsoft Defender ATP Public API](apis-intro.md)
- [Pull alerts to your SIEM tools](configure-siem.md)
- [Create and build Power BI reports using Microsoft Defender ATP data](powerbi-reports.md)
- [Role-based access control](rbac.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-config.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-config.md
index 5f0af03683..b5bb4b00fd 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-config.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-config.md
@@ -9,7 +9,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-ms.author: mjcaparas
+ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-integration.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-integration.md
index 352d6289b9..d7197b2574 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-integration.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-integration.md
@@ -9,7 +9,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-ms.author: mjcaparas
+ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md
index 70561d13b0..da64a631d7 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md
@@ -19,9 +19,9 @@ ms.topic: conceptual
# Microsoft Defender Advanced Threat Protection
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-main-abovefoldlink)
+> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-main-abovefoldlink)
>
->For more info about Windows 10 Enterprise Edition features and functionality, see [Windows 10 Enterprise edition](https://www.microsoft.com/WindowsForBusiness/buy).
+> For more info about Windows 10 Enterprise Edition features and functionality, see [Windows 10 Enterprise edition](https://www.microsoft.com/WindowsForBusiness/buy).
Microsoft Defender Advanced Threat Protection is a platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats.
@@ -66,9 +66,9 @@ Microsoft Defender ATP uses the following combination of technology built into W
->[!TIP]
->- Learn about the latest enhancements in Microsoft Defender ATP: [What's new in Microsoft Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/).
->- Microsoft Defender ATP demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: [Insights from the MITRE ATT&CK-based evaluation](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/).
+> [!TIP]
+> - Learn about the latest enhancements in Microsoft Defender ATP: [What's new in Microsoft Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/).
+> - Microsoft Defender ATP demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: [Insights from the MITRE ATT&CK-based evaluation](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/).
@@ -78,7 +78,7 @@ This built-in capability uses a game-changing risk-based approach to the discove
**[Attack surface reduction](overview-attack-surface-reduction.md)**
-The attack surface reduction set of capabilities provide the first line of defense in the stack. By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitations.
+The attack surface reduction set of capabilities provide the first line of defense in the stack. By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitation.
@@ -99,7 +99,7 @@ In conjunction with being able to quickly respond to advanced attacks, Microsoft
**[Secure score](overview-secure-score.md)**
->[!NOTE]
+> [!NOTE]
> Secure score is now part of [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) as [Configuration score](configuration-score.md). The secure score page will be available for a few weeks. View the [Secure score](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score) page.
Microsoft Defender ATP includes a secure score to help you dynamically assess the security state of your enterprise network, identify unprotected systems, and take recommended actions to improve the overall security of your organization.
@@ -127,7 +127,7 @@ To help you maximize the effectiveness of the security platform, you can configu
Topic | Description
:---|:---
[Overview](overview.md) | Understand the concepts behind the capabilities in Microsoft Defender ATP so you take full advantage of the complete threat protection platform.
-[Get started](get-started.md) | Learn about the requirements of the platform and the initial steps you need to take to get started with Microsoft Defender ATP.
+[Minimum requirements](minimum-requirements.md) | Learn about the requirements of the platform and the initial steps you need to take to get started with Microsoft Defender ATP.
[Configure and manage capabilities](onboard.md)| Configure and manage the individual capabilities in Microsoft Defender ATP.
[Troubleshoot Microsoft Defender ATP](troubleshoot-mdatp.md) | Learn how to address issues that you might encounter while using the platform.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts.md
index bb96ea1b7e..71b44a53e7 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts.md
@@ -1,15 +1,15 @@
---
title: Microsoft Threat Experts
ms.reviewer:
-description: Microsoft Threat Experts is the new managed threat hunting service in Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) that provides proactive hunting, prioritization, and additional context and insights that further empower security operations centers (SOCs) to identify and respond to threats quickly and accurately. It provides additional layer of expertise and optics that Microsoft customers can utilize to augment security operation capabilities as part of Microsoft 365.
-keywords: managed threat hunting service, managed threat hunting, MTE, Microsoft Threat Experts
+description: Microsoft Threat Experts is the new managed detection and response (MDR) service in Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) that provides proactive hunting, prioritization, and additional context and insights that further empower security operations centers (SOCs) to identify and respond to threats quickly and accurately. It provides additional layer of expertise and optics that Microsoft customers can utilize to augment security operation capabilities as part of Microsoft 365.
+keywords: managed threat hunting service, managed threat hunting, managed detection and response (MDR) service, MTE, Microsoft Threat Experts
search.product: Windows 10
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-ms.author: mjcaparas
+ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
@@ -24,8 +24,7 @@ ms.topic: conceptual
[!include[Prerelease information](prerelease.md)]
-
-Microsoft Threat Experts is a managed hunting service that provides Security Operation Centers (SOCs) with expert level monitoring and analysis to help them ensure that critical threats in their unique environments don’t get missed.
+Microsoft Threat Experts is a managed detection and response (MDR) service that provides Security Operation Centers (SOCs) with expert level monitoring and analysis to help them ensure that critical threats in their unique environments don’t get missed.
This new capability provides expert-driven insights and data through targeted attack notification and access to experts on demand.
@@ -36,9 +35,9 @@ Microsoft Threat Experts provides proactive hunting for the most important threa
- Identifying the most important risks, helping SOCs maximize time and energy
- Scope of compromise and as much context as can be quickly delivered to enable fast SOC response.
-## Collaborate with experts, on demand
+## Collaborate with experts, on demand
>[!NOTE]
->The Microsoft Threat Experts' experts-on-demand capability is still in preview. You can only use the experts-on-demand capability if you have applied for preview and your application has been approved.
+>The Microsoft Threat Experts' experts-on-demand capability is still in preview. You can only use the experts-on-demand capability if you have applied for preview and your application has been approved.
Customers can engage our security experts directly from within Microsoft Defender Security Center for timely and accurate response. Experts provide insights needed to better understand the complex threats affecting your organization, from alert inquiries, potentially compromised machines, root cause of a suspicious network connection, to additional threat intelligence regarding ongoing advanced persistent threat campaigns. With this capability, you can:
@@ -47,6 +46,19 @@ Customers can engage our security experts directly from within Microsoft Defende
- Determine risk and protection regarding threat actors, campaigns, or emerging attacker techniques
- Seamlessly transition to Microsoft Incident Response (IR) or other third-party Incident Response services when necessary
+The option to **Consult a threat expert** is available in several places in the portal so you can engage with experts in the context of your investigation:
+
+- **Help and support menu**
+
+
+- **Machine page actions menu**
+
+
+- **Alerts page actions menu**
+
+
+- **File page actions menu**
+
## Related topic
- [Configure Microsoft Threat Experts capabilities](configure-microsoft-threat-experts.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md
index ba54f650be..bf702f03ac 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md
@@ -24,7 +24,7 @@ ms.topic: conceptual
There are some minimum requirements for onboarding machines to the service. Learn about the licensing, hardware and software requirements, and other configuration settings to onboard devices to the service.
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-minreqs-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-minreqs-abovefoldlink)
>[!TIP]
@@ -38,7 +38,7 @@ Microsoft Defender Advanced Threat Protection requires one of the following Micr
- Windows 10 Education E5
- Microsoft 365 E5 (M365 E5) which includes Windows 10 Enterprise E5
-For more information on the array of features in Windows 10 editions, see [Compare Windows 10 editions](https://www.microsoft.com/en-us/windowsforbusiness/compare).
+For more information on the array of features in Windows 10 editions, see [Compare Windows 10 editions](https://www.microsoft.com/windowsforbusiness/compare).
For a detailed comparison table of Windows 10 commercial edition comparison, see the [comparison PDF](https://go.microsoft.com/fwlink/p/?linkid=2069559).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mssp-support.md b/windows/security/threat-protection/microsoft-defender-atp/mssp-support.md
index 35519d3909..c9a4eb35da 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mssp-support.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mssp-support.md
@@ -22,7 +22,7 @@ ms.topic: conceptual
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-mssp-support-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-mssp-support-abovefoldlink)
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md b/windows/security/threat-protection/microsoft-defender-atp/network-protection.md
similarity index 80%
rename from windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md
rename to windows/security/threat-protection/microsoft-defender-atp/network-protection.md
index e4fccb655d..eb4b64456b 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/network-protection.md
@@ -9,6 +9,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
+audience: ITPro
author: levinec
ms.author: ellevin
ms.date: 04/30/2019
@@ -20,40 +21,40 @@ manager: dansimp
**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-Network protection helps reduce the attack surface of your devices from Internet-based events. It prevents employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet.
+Network protection helps reduce the attack surface of your devices from Internet-based events. It prevents employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet.
It expands the scope of [Windows Defender SmartScreen](../windows-defender-smartscreen/windows-defender-smartscreen-overview.md) to block all outbound HTTP(s) traffic that attempts to connect to low-reputation sources (based on the domain or hostname).
Network protection is supported beginning with Windows 10, version 1709.
->[!TIP]
->You can visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
+> [!TIP]
+> You can visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
Network protection works best with [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md), which gives you detailed reporting into Windows Defender EG events and blocks as part of the usual [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md).
When network protection blocks a connection, a notification will be displayed from the Action Center. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors.
-You can also use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how Network protection would impact your organization if it were enabled.
+You can also use [audit mode](audit-windows-defender.md) to evaluate how Network protection would impact your organization if it were enabled.
## Requirements
Network protection requires Windows 10 Pro, Enterprise E3, E5 and Windows Defender AV real-time protection.
Windows 10 version | Windows Defender Antivirus
-- | -
+-|-
Windows 10 version 1709 or later | [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) and [cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) must be enabled
## Review network protection events in the Microsoft Defender ATP Security Center
-Microsoft Defender ATP provides detailed reporting into events and blocks as part of its [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md).
+Microsoft Defender ATP provides detailed reporting into events and blocks as part of its [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md).
-You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender-exploit-guard.md), you can use Advanced hunting to see how network protection settings would affect your environment if they were enabled.
+You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender.md), you can use Advanced hunting to see how network protection settings would affect your environment if they were enabled.
-Here is an example query
+Here is an example query
-```
+```PowerShell
MiscEvents
| where ActionType in ('ExploitGuardNetworkProtectionAudited','ExploitGuardNetworkProtectionBlocked')
```
@@ -62,7 +63,7 @@ MiscEvents
You can review the Windows event log to see events that are created when network protection blocks (or audits) access to a malicious IP or domain:
-1. [Copy the XML directly](event-views-exploit-guard.md).
+1. [Copy the XML directly](event-views.md).
2. Click **OK**.
@@ -71,12 +72,10 @@ You can review the Windows event log to see events that are created when network
Event ID | Description
-|-
5007 | Event when settings are changed
- 1125 | Event when network protection fires in audit mode
- 1126 | Event when network protection fires in block mode
+ 1125 | Event when network protection fires in audit mode
+ 1126 | Event when network protection fires in block mode
- ## Related topics
+## Related topics
-Topic | Description
----|---
[Evaluate network protection](evaluate-network-protection.md) | Undertake a quick scenario that demonstrate how the feature works, and what events would typically be created.
[Enable network protection](enable-network-protection.md) | Use Group Policy, PowerShell, or MDM CSPs to enable and manage network protection in your network.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/offboard-machines.md b/windows/security/threat-protection/microsoft-defender-atp/offboard-machines.md
index 66a4fdedf6..06e453c687 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/offboard-machines.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/offboard-machines.md
@@ -27,18 +27,18 @@ ms.topic: conceptual
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-offboardmachines-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-offboardmachines-abovefoldlink)
Follow the corresponding instructions depending on your preferred deployment method.
## Offboard Windows 10 machines
- - [Offboard machines using a local script](configure-endpoints-script.md#offboard-machines-using-a-local-script)
- - [Offboard machines using Group Policy](configure-endpoints-gp.md#offboard-machines-using-group-policy)
- - [Offboard machines using System Center Configuration Manager](configure-endpoints-sccm.md#offboard-machines-using-system-center-configuration-manager)
- - [Offboard machines using Mobile Device Management tools](configure-endpoints-mdm.md#offboard-and-monitor-machines-using-mobile-device-management-tools)
+- [Offboard machines using a local script](configure-endpoints-script.md#offboard-machines-using-a-local-script)
+- [Offboard machines using Group Policy](configure-endpoints-gp.md#offboard-machines-using-group-policy)
+- [Offboard machines using System Center Configuration Manager](configure-endpoints-sccm.md#offboard-machines-using-system-center-configuration-manager)
+- [Offboard machines using Mobile Device Management tools](configure-endpoints-mdm.md#offboard-and-monitor-machines-using-mobile-device-management-tools)
## Offboard Servers
- - [Offboard servers](configure-server-endpoints.md#offboard-servers)
+- [Offboard servers](configure-server-endpoints.md#offboard-servers)
## Offboard non-Windows machines
- - [Offboard non-Windows machines](configure-endpoints-non-windows.md#offboard-non-windows-machines)
+- [Offboard non-Windows machines](configure-endpoints-non-windows.md#offboard-non-windows-machines)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/oldTOC.md b/windows/security/threat-protection/microsoft-defender-atp/oldTOC.txt
similarity index 95%
rename from windows/security/threat-protection/microsoft-defender-atp/oldTOC.md
rename to windows/security/threat-protection/microsoft-defender-atp/oldTOC.txt
index 35d03646ca..9dd1998f62 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/oldTOC.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/oldTOC.txt
@@ -27,10 +27,10 @@
#### [Application control]()
##### [Windows Defender Application Guard](../windows-defender-application-control/windows-defender-application-control.md)
-#### [Exploit protection](../windows-defender-exploit-guard/exploit-protection-exploit-guard.md)
-#### [Network protection](../windows-defender-exploit-guard/network-protection-exploit-guard.md)
-#### [Controlled folder access](../windows-defender-exploit-guard/controlled-folders-exploit-guard.md)
-#### [Attack surface reduction](../windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md)
+#### [Exploit protection](../windows-defender-exploit-guard/exploit-protection.md)
+#### [Network protection](../windows-defender-exploit-guard/network-protection.md)
+#### [Controlled folder access](../windows-defender-exploit-guard/controlled-folders.md)
+#### [Attack surface reduction](../windows-defender-exploit-guard/attack-surface-reduction.md)
#### [Network firewall](../windows-firewall/windows-firewall-with-advanced-security.md)
@@ -196,8 +196,8 @@
#### [Network protection](../windows-defender-exploit-guard/enable-network-protection.md)
#### [Controlled folder access]()
-##### [Enable controlled folder access](../windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md)
-##### [Customize controlled folder access](../windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md)
+##### [Enable controlled folder access](../windows-defender-exploit-guard/enable-controlled-folders.md)
+##### [Customize controlled folder access](../windows-defender-exploit-guard/customize-controlled-folders.md)
#### [Attack surface reduction controls]()
##### [Enable attack surface reduction rules](../windows-defender-exploit-guard/enable-attack-surface-reduction.md)
@@ -392,7 +392,6 @@
####### [Get domain related alerts](get-domain-related-alerts.md)
####### [Get domain related machines](get-domain-related-machines.md)
####### [Get domain statistics](get-domain-statistics.md)
-####### [Is domain seen in organization](is-domain-seen-in-org.md)
###### [File]()
####### [Methods and properties](files.md)
@@ -403,9 +402,7 @@
###### [IP]()
####### [Get IP related alerts](get-ip-related-alerts.md)
-####### [Get IP related machines](get-ip-related-machines.md)
####### [Get IP statistics](get-ip-statistics.md)
-####### [Is IP seen in organization](is-ip-seen-org.md)
###### [User]()
####### [Methods](user.md)
@@ -413,15 +410,10 @@
####### [Get user related machines](get-user-related-machines.md)
##### [How to use APIs - Samples]()
-###### [Advanced Hunting API]()
-####### [Schedule advanced Hunting using Microsoft Flow](run-advanced-query-sample-ms-flow.md)
-####### [Advanced Hunting using PowerShell](run-advanced-query-sample-powershell.md)
-####### [Advanced Hunting using Python](run-advanced-query-sample-python.md)
-####### [Create custom Power BI reports](run-advanced-query-sample-power-bi-app-token.md)
-
-###### [Multiple APIs]()
-####### [PowerShell](exposed-apis-full-sample-powershell.md)
-
+###### [Microsoft Flow](api-microsoft-flow.md)
+###### [Power BI](api-power-bi.md)
+###### [Advanced Hunting using Python](run-advanced-query-sample-python.md)
+###### [Advanced Hunting using PowerShell](run-advanced-query-sample-powershell.md)
###### [Using OData Queries](exposed-apis-odata-samples.md)
#### [API for custom alerts]()
@@ -433,13 +425,13 @@
##### [Experiment with custom threat intelligence alerts](experiment-custom-ti.md)
##### [Troubleshoot custom threat intelligence issues](troubleshoot-custom-ti.md)
-#### [Pull alerts to your SIEM tools]()
-##### [Learn about different ways to pull alerts](configure-siem.md)
+#### [Pull Detections to your SIEM tools]()
+##### [Learn about different ways to pull Detections](configure-siem.md)
##### [Enable SIEM integration](enable-siem-integration.md)
-##### [Configure Splunk to pull alerts](configure-splunk.md)
-##### [Configure HP ArcSight to pull alerts](configure-arcsight.md)
-##### [Microsoft Defender ATP SIEM alert API fields](api-portal-mapping.md)
-##### [Pull alerts using SIEM REST API](pull-alerts-using-rest-api.md)
+##### [Configure Splunk to pull Detections](configure-splunk.md)
+##### [Configure HP ArcSight to pull Detections](configure-arcsight.md)
+##### [Microsoft Defender ATP Detection fields](api-portal-mapping.md)
+##### [Pull Detections using SIEM REST API](pull-alerts-using-rest-api.md)
##### [Troubleshoot SIEM tool integration issues](troubleshoot-siem.md)
#### [Reporting]()
diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboard-configure.md b/windows/security/threat-protection/microsoft-defender-atp/onboard-configure.md
index e6720fb5ed..52819cd05d 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/onboard-configure.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/onboard-configure.md
@@ -24,7 +24,7 @@ ms.topic: conceptual
[!include[Prerelease information](prerelease.md)]
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink)
You'll need to go the onboarding section of the Microsoft Defender ATP portal to onboard any of the supported devices. Depending on the device, you'll be guided with appropriate steps and provided management and deployment tool options suitable for the device.
@@ -46,7 +46,7 @@ Topic | Description
[Configure proxy and Internet settings](configure-proxy-internet.md)| Enable communication with the Microsoft Defender ATP cloud service by configuring the proxy and Internet connectivity settings.
[Troubleshoot onboarding issues](troubleshoot-onboarding.md) | Learn about resolving issues that might arise during onboarding.
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel.md b/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel.md
index 1d8fa91df1..48502bca90 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel.md
@@ -28,7 +28,7 @@ ms.topic: article
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-downlevel-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-downlevel-abovefoldlink)
Microsoft Defender ATP extends support to include down-level operating systems, providing advanced attack detection and investigation capabilities on supported Windows versions.
@@ -64,7 +64,7 @@ Review the following details to verify minimum system requirements:
- Install the [Update for customer experience and diagnostic telemetry](https://support.microsoft.com/help/3080149/update-for-customer-experience-and-diagnostic-telemetry)
-- Install either [.NET framework 4.5](https://www.microsoft.com/en-us/download/details.aspx?id=30653) (or later) or [KB3154518](https://support.microsoft.com/help/3154518/support-for-tls-system-default-versions-included-in-the-net-framework)
+- Install either [.NET framework 4.5](https://www.microsoft.com/download/details.aspx?id=30653) (or later) or [KB3154518](https://support.microsoft.com/help/3154518/support-for-tls-system-default-versions-included-in-the-net-framework)
>[!NOTE]
>Only applicable for Windows 7 SP1 Enterprise and Windows 7 SP1 Pro.
@@ -112,7 +112,7 @@ Agent Resource | Ports
## Offboard client endpoints
To offboard, you can uninstall the MMA agent from the endpoint or detach it from reporting to your Microsoft Defender ATP workspace. After offboarding the agent, the endpoint will no longer send sensor data to Microsoft Defender ATP.
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-downlevele-belowfoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-downlevele-belowfoldlink)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboard-offline-machines.md b/windows/security/threat-protection/microsoft-defender-atp/onboard-offline-machines.md
index e520f70a7f..ff5e1ed7d9 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/onboard-offline-machines.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/onboard-offline-machines.md
@@ -9,7 +9,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-ms.author: mjcaparas
+ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboard.md b/windows/security/threat-protection/microsoft-defender-atp/onboard.md
index f28db7412f..0d041b05e3 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/onboard.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/onboard.md
@@ -9,7 +9,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-ms.author: mjcaparas
+ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
@@ -33,8 +33,8 @@ Topic | Description
[Configure next generation protection](../windows-defender-antivirus/configure-windows-defender-antivirus-features.md) | Configure next generation protection to catch all types of emerging threats.
[Configure Secure score dashboard security controls](secure-score-dashboard.md) | Configure the security controls in Secure score to increase the security posture of your organization.
[Configure Microsoft Threat Experts capabilities](configure-microsoft-threat-experts.md) | Configure and manage how you would like to get cybersecurity threat intelligence from Microsoft Threat Experts.
-Configure Microsoft Threat Protection integration| Configure other solutions that integrate with Microsoft Defender ATP.
-Management and API support| Pull alerts to your SIEM or use APIs to create custom alerts. Create and build Power BI reports.
+[Configure Microsoft Threat Protection integration](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/threat-protection-integration)| Configure other solutions that integrate with Microsoft Defender ATP.
+[Management and API support](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/management-apis)| Pull alerts to your SIEM or use APIs to create custom alerts. Create and build Power BI reports.
[Configure Microsoft Defender Security Center settings](preferences-setup.md) | Configure portal related settings such as general settings, advanced features, enable the preview experience and others.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboarding-notification.md b/windows/security/threat-protection/microsoft-defender-atp/onboarding-notification.md
new file mode 100644
index 0000000000..ce96f68340
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/onboarding-notification.md
@@ -0,0 +1,199 @@
+---
+title: Create an onboarding or offboarding notification rule
+description: Get a notification when a local onboarding or offboarding script is used.
+keywords: onboarding, offboarding, local, script, notification, rule
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Create a notification rule when a local onboarding or offboarding script is used
+
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+Create a notification rule so that when a local onboarding or offboardiing script is used, you'll be notified.
+
+## Before you begin
+You'll need to have access to:
+ - Microsoft Flow (Flow Plan 1 at a minimum). For more information, see [Flow pricing page](https://flow.microsoft.com/pricing/).
+ - Azure Table or SharePoint List or Library / SQL DB
+
+## Create the notification flow
+
+1. In [flow.microsoft.com](https://flow.microsoft.com/).
+
+2. Navigate to **My flows > New > Scheduled - from blank**.
+
+ 
+
+
+3. Build a scheduled flow.
+ 1. Enter a flow name.
+ 2. Specify the start and time.
+ 3. Specify the frequency. For example, every 5 minutes.
+
+ 
+
+4. Select the + button to add a new action. The new action will be an HTTP request to the Microsoft Defender ATP security center machine(s) API. You can also replace it with the out-of-the-box "WDATP Connector" (action: "Machines - Get list of machines").
+
+ 
+
+
+5. Enter the following HTTP fields:
+
+ - Method: "GET" as a value to get the list of machines.
+ - URI: Enter `https://api.securitycenter.windows.com/api/machines`.
+ - Authentication: Select "Active Directory OAuth".
+ - Tenant: Sign-in to http://portal.azure.com and navigate to **Azure Active Directory > App Registrations** and get the Tenant ID value.
+ - Audience: `https://securitycenter.onmicrosoft.com/windowsatpservice\`
+ - Client ID: Sign-in to http://portal.azure.com and navigate to **Azure Active Directory > App Registrations** and get the Client ID value.
+ - Credential Type: Select "Secret".
+ - Secret: Sign-in to http://portal.azure.com and navigate tnd navigate to **Azure Active Directory > App Registrations** and get the Tenant ID value.
+
+ 
+
+
+6. Add a new step by selecting **Add new action** then search for **Data Operations** and select
+**Parse JSON**.
+
+ 
+
+7. Add Body in the **Content** field.
+
+ 
+
+8. Select the **Use sample payload to generate schema** link.
+
+ 
+
+9. Copy and paste the following JSON snippet:
+
+ ```
+ {
+ "type": "object",
+ "properties": {
+ "@@odata.context": {
+ "type": "string"
+ },
+ "value": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "properties": {
+ "id": {
+ "type": "string"
+ },
+ "computerDnsName": {
+ "type": "string"
+ },
+ "firstSeen": {
+ "type": "string"
+ },
+ "lastSeen": {
+ "type": "string"
+ },
+ "osPlatform": {
+ "type": "string"
+ },
+ "osVersion": {},
+ "lastIpAddress": {
+ "type": "string"
+ },
+ "lastExternalIpAddress": {
+ "type": "string"
+ },
+ "agentVersion": {
+ "type": "string"
+ },
+ "osBuild": {
+ "type": "integer"
+ },
+ "healthStatus": {
+ "type": "string"
+ },
+ "riskScore": {
+ "type": "string"
+ },
+ "exposureScore": {
+ "type": "string"
+ },
+ "aadDeviceId": {},
+ "machineTags": {
+ "type": "array"
+ }
+ },
+ "required": [
+ "id",
+ "computerDnsName",
+ "firstSeen",
+ "lastSeen",
+ "osPlatform",
+ "osVersion",
+ "lastIpAddress",
+ "lastExternalIpAddress",
+ "agentVersion",
+ "osBuild",
+ "healthStatus",
+ "rbacGroupId",
+ "rbacGroupName",
+ "riskScore",
+ "exposureScore",
+ "aadDeviceId",
+ "machineTags"
+ ]
+ }
+ }
+ }
+ }
+
+ ```
+
+10. Extract the values from the JSON call and check if the onboarded machine(s) is / are already registered at the SharePoint list as an example:
+- If yes, no notification will be triggered
+- If no, will register the new onboarded machine(s) in the SharePoint list and a notification will be sent to the Microsoft Defender ATP admin
+
+ 
+
+ 
+
+11. Under **Condition**, add the following expression: "length(body('Get_items')?['value'])" and set the condition to equal to 0.
+
+ 
+ 
+ 
+ 
+
+## Alert notification
+The following image is an example of an email notification.
+
+
+
+
+## Tips
+
+- You can filter here using lastSeen only:
+ - Every 60 min:
+ - Take all machines last seen in the past 7 days.
+
+- For each machine:
+ - If last seen property is on the one hour interval of [-7 days, -7days + 60 minutes ] -> Alert for offboarding possibility.
+ - If first seen is on the past hour -> Alert for onboarding.
+
+In this solution you will not have duplicate alerts:
+There are tenants that have numerous machines. Getting all those machines might be very expensive and might require paging.
+
+You can split it to two queries:
+1. For offboarding take only this interval using the OData $filter and only notify if the conditions are met.
+2. Take all machines last seen in the past hour and check first seen property for them (if the first seen property is on the past hour, the last seen must be there too).
+
diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md
index 5de1f9d993..eeaaedc402 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md
@@ -2,15 +2,15 @@
title: Overview of attack surface reduction
ms.reviewer:
description: Learn about the attack surface reduction capability in Microsoft Defender ATP
-keywords:
+keywords: asr, attack surface reduction, microsoft defender atp, microsoft defender, antivirus, av, windows defender
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-ms.author: mjcaparas
-author: mjcaparas
+ms.author: deniseb
+author: denisebmsft
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
@@ -21,17 +21,16 @@ ms.topic: conceptual
# Overview of attack surface reduction
**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-Attack surface reduction capabilities in Microsoft Defender ATP helps protect the devices and applications in your organization from new and emerging threats.
-
-| Capability | Description |
-|------------|-------------|
-| [Hardware-based isolation](../windows-defender-application-guard/wd-app-guard-overview.md) | Protects and maintains the integrity of the system as it starts and while it's running, and validates system integrity through local and remote attestation. In addition, container isolation for Microsoft Edge helps protect host operating system from malicious websites. |
-| [Application control](../windows-defender-application-control/windows-defender-application-control.md) | Moves away from the traditional application trust model where all applications are assumed trustworthy by default to one where applications must earn trust in order to run. |
-| [Exploit protection](../windows-defender-exploit-guard/exploit-protection-exploit-guard.md) | Applies exploit mitigation techniques to apps your organization uses, both individually and to all apps. Works with third-party antivirus solutions and Windows Defender Antivirus (Windows Defender AV) |
-| [Network protection](../windows-defender-exploit-guard/network-protection-exploit-guard.md) | Extends the malware and social engineering protection offered by Windows Defender SmartScreen in Microsoft Edge to cover network traffic and connectivity on your organization's devices. Requires Windows Defender AV. |
-| [Controlled folder access](../windows-defender-exploit-guard/controlled-folders-exploit-guard.md) | Helps protect files in key system folders from changes made by malicious and suspicious apps, including file-encrypting ransomware malware. Requires Windows Defender AV. |
-| [Attack surface reduction](../windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md) | reduce the attack surface of your applications with intelligent rules that stop the vectors used by Office-, script- and mail-based malware. Requires Windows Defender AV. |
-| [Network firewall](../windows-firewall/windows-firewall-with-advanced-security.md) | Host-based, two-way network traffic filtering that blocks unauthorized network traffic flowing into or out of the local device. |
+Reduce your attack surfaces by minimizing the places where your organization is vulnerable to cyberthreats and attacks. Use the following resources to configure protection for the devices and applications in your organization.
+Article | Description
+-|-
+[Hardware-based isolation](../windows-defender-application-guard/wd-app-guard-overview.md) | Protect and maintain the integrity of a system as it starts and while it's running. Validate system integrity through local and remote attestation. And, use container isolation for Microsoft Edge to help guard against malicious websites.
+[Application control](../windows-defender-application-control/windows-defender-application-control.md) | Use application control so that your applications must earn trust in order to run.
+[Exploit protection](./exploit-protection.md) |Help protect operating systems and apps your organization uses from being exploited. Exploit protection also works with third-party antivirus solutions.
+[Network protection](./network-protection.md) |Extend protection to your network traffic and connectivity on your organization's devices. (Requires Windows Defender Antivirus) |
+[Controlled folder access](./controlled-folders.md) | Help prevent malicious or suspicious apps (including file-encrypting ransomware malware) from making changes to files in your key system folders (Requires Windows Defender Antivirus)
+[Attack surface reduction](./attack-surface-reduction.md) |Reduce vulnerabilities (attack surfaces) in your applications with intelligent rules that help stop malware. (Requires Windows Defender Antivirus)
+[Network firewall](../windows-firewall/windows-firewall-with-advanced-security.md) |Prevent unauthorized traffic from flowing to or from your organization's devices with two-way network traffic filtering.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md b/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md
index d9d1de552d..9579771415 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md
@@ -9,7 +9,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-ms.author: mjcaparas
+ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response.md b/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response.md
index 9065093f4d..8343dc2003 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response.md
@@ -9,7 +9,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-ms.author: mjcaparas
+ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-hardware-based-isolation.md b/windows/security/threat-protection/microsoft-defender-atp/overview-hardware-based-isolation.md
index 94b82c67e2..344d125399 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/overview-hardware-based-isolation.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/overview-hardware-based-isolation.md
@@ -13,7 +13,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.author: mjcaparas
+ms.author: macapara
ms.date: 09/07/2018
---
diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score.md b/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score.md
index ccc8855e33..f08e397a67 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score.md
@@ -21,8 +21,8 @@ ms.topic: conceptual
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
->[!NOTE]
-> Secure score is now part of [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) as [Configuration score](configuration-score.md). The secure score page will be available for a few weeks. View the [Secure score](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score) page.
+>[!NOTE]
+> Secure score is now part of [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) as [Configuration score](configuration-score.md). The secure score page will be available for a few weeks.
The Secure score dashboard expands your visibility into the overall security posture of your organization. From this dashboard, you'll be able to quickly assess the security posture of your organization, see machines that require attention, as well as recommendations for actions to further reduce the attack surface in your organization - all in one place. From there you can take action based on the recommended configuration baselines.
@@ -40,17 +40,17 @@ The **Secure score dashboard** displays a snapshot of:
## Microsoft secure score
-The Microsoft secure score tile is reflective of the sum of all the Microsoft Defender security controls that are configured according to the recommended baseline and Office 365 controls. It allows you to drill down into each portal for further analysis. You can also improve this score by taking the steps in configuring each of the security controls in the optimal settings.
+The Microsoft secure score tile is reflective of the sum of all the security controls that are configured according to the recommended Windows baseline and Office 365 controls. It allows you to drill down into each portal for further analysis. You can also improve this score by taking the steps in configuring each of the security controls in the optimal settings.
-Each Windows Defender security control contributes 100 points to the score. The total number is reflective of the score potential and calculated by multiplying the number of supported security controls (Windows Defender security controls pillars) by the maximum points that each pillar contributes (maximum of 100 points for each pillar).
+Each Microsoft security control contributes 100 points to the score. The total number is reflective of the score potential and calculated by multiplying the number of supported Microsoft security controls (security controls pillars) by the maximum points that each pillar contributes (maximum of 100 points for each pillar).
The Office 365 Secure Score looks at your settings and activities and compares them to a baseline established by Microsoft. For more information, see [Introducing the Office 365 Secure Score](https://support.office.com/article/introducing-the-office-365-secure-score-c9e7160f-2c34-4bd0-a548-5ddcc862eaef#howtoaccess).
-In the example image, the total points for the Windows security controls and Office 365 add up to 602 points.
+In the example image, the total points for the security controls and Office 365 add up to 602 points.
-You can set the baselines for calculating the score of Windows Defender security controls on the Secure score dashboard through the **Settings**. For more information, see [Enable Secure score security controls](enable-secure-score.md).
+You can set the baselines for calculating the security control scores on the Secure score dashboard through the **Settings**. For more information, see [Enable Secure score security controls](enable-secure-score.md).
## Secure score over time
You can track the progression of your organizational security posture over time using this tile. It displays the overall score in a historical trend line enabling you to see how taking the recommended actions increase your overall security posture.
@@ -79,11 +79,11 @@ Within the tile, you can click on each control to see the recommended optimizati
Clicking the link under the **Misconfigured machines** column opens up the **Machines list** with filters applied to show only the list of machines where the recommendation is applicable. You can export the list in Excel to create a target collection and apply relevant policies using a management solution of your choice.
-## Related topic
+## Related topic
- [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
- [Exposure score](tvm-exposure-score.md)
-- [Configuration score](configuration-score.md)
+- [Configuration score](configuration-score.md)
- [Security recommendations](tvm-security-recommendation.md)
- [Remediation](tvm-remediation.md)
- [Software inventory](tvm-software-inventory.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview.md b/windows/security/threat-protection/microsoft-defender-atp/overview.md
index b2d8409667..e649152e6b 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/overview.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/overview.md
@@ -9,7 +9,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-ms.author: mjcaparas
+ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
diff --git a/windows/security/threat-protection/microsoft-defender-atp/partner-applications.md b/windows/security/threat-protection/microsoft-defender-atp/partner-applications.md
index 89fd91c5ae..8dea2272e6 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/partner-applications.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/partner-applications.md
@@ -9,7 +9,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-ms.author: mjcaparas
+ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
diff --git a/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md b/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md
index 84cf299759..a9df33b283 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md
@@ -24,7 +24,7 @@ ms.topic: conceptual
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
Enterprise security teams can use Microsoft Defender Security Center to monitor and assist in responding to alerts of potential advanced persistent threat (APT) activity or data breaches.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator.md b/windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator.md
index 53cae96485..c11e8a4597 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator.md
@@ -22,12 +22,14 @@ ms.topic: article
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
->[!Note]
+>[!NOTE]
> Currently this API is supported only for AppOnly context requests. (See [Get access with application context](exposed-apis-create-app-webapp.md) for more information)
- Submits or Updates new [Indicator](ti-indicator.md) entity.
+>[!NOTE]
+>There is a limit of 5000 indicators per tenant.
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Get started](apis-intro.md)
@@ -116,3 +118,6 @@ Content-type: application/json
}
```
+
+## Related topic
+- [Manage indicators](manage-indicators.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/powerbi-reports.md b/windows/security/threat-protection/microsoft-defender-atp/powerbi-reports.md
index ea8a219a7d..e5488e3ca6 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/powerbi-reports.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/powerbi-reports.md
@@ -28,7 +28,7 @@ ms.topic: article
> [!TIP]
> Go to **Advanced features** in the **Settings** page to turn on the preview features.
>
-> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-powerbireports-abovefoldlink)
+> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-powerbireports-abovefoldlink)
Understand the security status of your organization, including the status of machines, alerts, and investigations using the Microsoft Defender ATP reporting feature that integrates with Power BI.
@@ -202,7 +202,7 @@ In general, if you know of a specific threat name, CVE, or KB, you can identify
## Related topic
-- [**Beta** Create custom Power BI reports](run-advanced-query-sample-power-bi-app-token.md)
+- [Create custom Power BI reports](api-power-bi.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/powershell-example-code.md b/windows/security/threat-protection/microsoft-defender-atp/powershell-example-code.md
index f61fc0625f..f6b61b0834 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/powershell-example-code.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/powershell-example-code.md
@@ -172,7 +172,7 @@ $ioc =
-Method Post -Headers $headers -Body ($iocPayload | ConvertTo-Json)
```
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-psexample-belowfoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-psexample-belowfoldlink)
## Related topics
diff --git a/windows/security/threat-protection/microsoft-defender-atp/preferences-setup.md b/windows/security/threat-protection/microsoft-defender-atp/preferences-setup.md
index 8fe6ed0a0c..8254b7e5b3 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/preferences-setup.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/preferences-setup.md
@@ -16,12 +16,13 @@ audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
+
# Configure Microsoft Defender Security Center settings
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-prefsettings-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-prefsettings-abovefoldlink)
Use the **Settings** menu to modify general settings, advanced features, enable the preview experience, email notifications, and the custom threat intelligence feature.
@@ -34,4 +35,3 @@ Permissions | Manage portal access using RBAC as well as machine groups.
APIs | Enable the threat intel and SIEM integration.
Rules | Configure suppressions rules and automation settings.
Machine management | Onboard and offboard machines.
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/prerelease.md b/windows/security/threat-protection/microsoft-defender-atp/prerelease.md
index a5949f146b..01d6034c12 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/prerelease.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/prerelease.md
@@ -2,7 +2,7 @@
ms.date: 08/28/2017
ms.reviewer:
manager: dansimp
-ms.author: mjcaparas
+ms.author: macapara
author: mjcaparas
---
diff --git a/windows/security/threat-protection/microsoft-defender-atp/preview-settings.md b/windows/security/threat-protection/microsoft-defender-atp/preview-settings.md
index b92d9d416a..148fcc631d 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/preview-settings.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/preview-settings.md
@@ -21,7 +21,7 @@ ms.topic: article
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-previewsettings-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-previewsettings-abovefoldlink)
Turn on the preview experience setting to be among the first to try upcoming features.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/preview.md b/windows/security/threat-protection/microsoft-defender-atp/preview.md
index a18bcddf2c..5d0cf9a4f2 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/preview.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/preview.md
@@ -42,15 +42,14 @@ Turn on the preview experience setting to be among the first to try upcoming fea
## Preview features
The following features are included in the preview release:
-- [Evaluation lab](evaluation-lab.md)
The Microsoft Defender ATP evaluation lab is designed to eliminate the complexities of machine and environment configuration so that you can
- focus on evaluating the capabilities of the platform, running simulations, and seeing the prevention, detection, and remediation features in action.
+- [Tamper Protection settings in Intune](../windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md#turn-tamper-protection-on-or-off-for-your-organization-with-intune)
You can now turn Tamper Protection on (or off) for your organization in the Microsoft 365 Device Management portal (Intune).
-- [Windows Server 2008 R2 SP1](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints#windows-server-2008-r2-sp1--windows-server-2012-r2-and-windows-server-2016)
You can now onboard Windows Server 2008 R2 SP1.
+- [Microsoft Threat Experts - Experts on Demand](microsoft-threat-experts.md)
You now have the option to consult with Microsoft Threat Experts from several places in the portal to help you in the context of your investigation.
+
+- [Indicators for IP addresses, URLs/Domains](manage-indicators.md)
You can now allow or block URLs/domains using your own threat intelligence.
- [Microsoft Defender ATP for Mac](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac)
Microsoft Defender ATP for Mac brings the next-generation protection, and endpoint detection and response coverage to Mac devices. Core components of the unified endpoint security platform will now be available for Mac devices.
-- [Live response](live-response.md)
Get instantaneous access to a machine using a remote shell connection. Do in-depth investigative work and take immediate response actions to promptly contain identified threats – real-time.
-
- [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
A new built-in capability that uses a risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations.
- [Machine health and compliance report](machine-reports.md) The machine health and compliance report provides high-level information about the devices in your organization.
@@ -71,4 +70,4 @@ Information protection is an integral part of Microsoft 365 Enterprise suite, pr
- [Power BI reports using Microsoft Defender ATP data](powerbi-reports.md)
Microsoft Defender ATP makes it easy to create a Power BI dashboard by providing an option straight from the portal.
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-preview-belowfoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-preview-belowfoldlink)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md b/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md
index abf6c2fb00..4be1886be4 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md
@@ -1,7 +1,7 @@
---
-title: Pull Microsoft Defender ATP alerts using REST API
-description: Pull alerts from Microsoft Defender ATP REST API.
-keywords: alerts, pull alerts, rest api, request, response
+title: Pull Microsoft Defender ATP detections using REST API
+description: Pull detections from Microsoft Defender ATP REST API.
+keywords: detections, pull detections, rest api, request, response
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
@@ -17,16 +17,20 @@ ms.collection: M365-security-compliance
ms.topic: article
---
-# Pull Microsoft Defender ATP alerts using SIEM REST API
+# Pull Microsoft Defender ATP detections using SIEM REST API
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-pullalerts-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-pullalerts-abovefoldlink)
-Microsoft Defender ATP supports the OAuth 2.0 protocol to pull alerts from the portal.
+>[!Note]
+>- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections
+>- [Microsoft Defender ATP Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Machine and its related Alert details.
+
+Microsoft Defender ATP supports the OAuth 2.0 protocol to pull detections from the API.
In general, the OAuth 2.0 protocol supports four types of flows:
- Authorization grant flow
@@ -36,19 +40,19 @@ In general, the OAuth 2.0 protocol supports four types of flows:
For more information about the OAuth specifications, see the [OAuth Website](http://www.oauth.net).
-Microsoft Defender ATP supports the _Authorization grant flow_ and _Client credential flow_ to obtain access to generate alerts from the portal, with Azure Active Directory (AAD) as the authorization server.
+Microsoft Defender ATP supports the _Authorization grant flow_ and _Client credential flow_ to obtain access to pull detections, with Azure Active Directory (AAD) as the authorization server.
The _Authorization grant flow_ uses user credentials to get an authorization code, which is then used to obtain an access token.
The _Client credential flow_ uses client credentials to authenticate against the Microsoft Defender ATP endpoint URL. This flow is suitable for scenarios when an OAuth client creates requests to an API that doesn't require user credentials.
-Use the following method in the Microsoft Defender ATP API to pull alerts in JSON format.
+Use the following method in the Microsoft Defender ATP API to pull detections in JSON format.
>[!NOTE]
>Microsoft Defender Security Center merges similar alert detections into a single alert. This API pulls alert detections in its raw form based on the query parameters you set, enabling you to apply your own grouping and filtering.
## Before you begin
-- Before calling the Microsoft Defender ATP endpoint to pull alerts, you'll need to enable the SIEM integration application in Azure Active Directory (AAD). For more information, see [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md).
+- Before calling the Microsoft Defender ATP endpoint to pull detections, you'll need to enable the SIEM integration application in Azure Active Directory (AAD). For more information, see [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md).
- Take note of the following values in your Azure application registration. You need these values to configure the OAuth flow in your service or daemon app:
- Application ID (unique to your application)
@@ -59,7 +63,7 @@ Use the following method in the Microsoft Defender ATP API to pull alerts in JSO
## Get an access token
Before creating calls to the endpoint, you'll need to get an access token.
-You'll use the access token to access the protected resource, which are alerts in Microsoft Defender ATP.
+You'll use the access token to access the protected resource, which are detections in Microsoft Defender ATP.
To get an access token, you'll need to do a POST request to the token issuing endpoint. Here is a sample request:
@@ -105,23 +109,23 @@ Use optional query parameters to specify and control the amount of data returned
Name | Value| Description
:---|:---|:---
-DateTime?sinceTimeUtc | string | Defines the lower time bound alerts are retrieved from, based on field:
`LastProcessedTimeUtc`
The time range will be: from sinceTimeUtc time to current time.
**NOTE**: When not specified, all alerts generated in the last two hours are retrieved.
-DateTime?untilTimeUtc | string | Defines the upper time bound alerts are retrieved.
The time range will be: from `sinceTimeUtc` time to `untilTimeUtc` time.
**NOTE**: When not specified, the default value will be the current time.
-string ago | string | Pulls alerts in the following time range: from `(current_time - ago)` time to `current_time` time.
Value should be set according to **ISO 8601** duration format
E.g. `ago=PT10M` will pull alerts received in the last 10 minutes.
-int?limit | int | Defines the number of alerts to be retrieved. Most recent alerts will be retrieved based on the number defined.
**NOTE**: When not specified, all alerts available in the time range will be retrieved.
-machinegroups | String | Specifies machine groups to pull alerts from.
**NOTE**: When not specified, alerts from all machine groups will be retrieved.
Example:
```https://wdatp-alertexporter-eu.securitycenter.windows.com/api/Alerts/?machinegroups=UKMachines&machinegroups=FranceMachines```
+sinceTimeUtc | DateTime | Defines the lower time bound alerts are retrieved from, based on field:
`LastProcessedTimeUtc`
The time range will be: from sinceTimeUtc time to current time.
**NOTE**: When not specified, all alerts generated in the last two hours are retrieved.
+untilTimeUtc | DateTime | Defines the upper time bound alerts are retrieved.
The time range will be: from `sinceTimeUtc` time to `untilTimeUtc` time.
**NOTE**: When not specified, the default value will be the current time.
+ago | string | Pulls alerts in the following time range: from `(current_time - ago)` time to `current_time` time.
Value should be set according to **ISO 8601** duration format
E.g. `ago=PT10M` will pull alerts received in the last 10 minutes.
+limit | int | Defines the number of alerts to be retrieved. Most recent alerts will be retrieved based on the number defined.
**NOTE**: When not specified, all alerts available in the time range will be retrieved.
+machinegroups | string | Specifies machine groups to pull alerts from.
**NOTE**: When not specified, alerts from all machine groups will be retrieved.
Example:
```https://wdatp-alertexporter-eu.securitycenter.windows.com/api/Alerts/?machinegroups=UKMachines&machinegroups=FranceMachines```
DeviceCreatedMachineTags | string | Single machine tag from the registry.
CloudCreatedMachineTags | string | Machine tags that were created in Microsoft Defender Security Center.
### Request example
-The following example demonstrates how to retrieve all the alerts in your organization.
+The following example demonstrates how to retrieve all the detections in your organization.
```syntax
GET https://wdatp-alertexporter-eu.windows.com/api/alerts
Authorization: Bearer
Support of use of comma as a separator in numbers are not supported. Regions where a number is separated with a comma to indicate a thousand, will only see the use of a dot as a separator. For example, 15,5K is displayed as 15.5K.
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-troubleshoot-belowfoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-troubleshoot-belowfoldlink)
## Microsoft Defender ATP tenant was automatically created in Europe
When you use Azure Security Center to monitor servers, a Microsoft Defender ATP tenant is automatically created. The Microsoft Defender ATP data is stored in Europe by default.
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md
similarity index 69%
rename from windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md
rename to windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md
index cfd19843a9..af397987a0 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md
@@ -9,6 +9,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
+audience: ITPro
author: dansimp
ms.author: dansimp
ms.date: 03/27/2019
@@ -20,48 +21,50 @@ manager: dansimp
**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-- IT administrators
+* IT administrators
-When you use [Network protection](network-protection-exploit-guard.md) you may encounter issues, such as:
+When you use [Network protection](network-protection.md) you may encounter issues, such as:
-- Network protection blocks a website that is safe (false positive)
-- Network protection fails to block a suspicious or known malicious website (false negative)
+* Network protection blocks a website that is safe (false positive)
+* Network protection fails to block a suspicious or known malicious website (false negative)
There are four steps to troubleshooting these problems:
1. Confirm prerequisites
2. Use audit mode to test the rule
3. Add exclusions for the specified rule (for false positives)
-3. Submit support logs
+4. Submit support logs
## Confirm prerequisites
Network protection will only work on devices with the following conditions:
>[!div class="checklist"]
-> - Endpoints are running Windows 10 Enterprise edition, version 1709 or higher (also known as the Fall Creators Update).
-> - Endpoints are using Windows Defender Antivirus as the sole antivirus protection app. [Using any other antivirus app will cause Windows Defender AV to disable itself](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md).
-> - [Real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) is enabled.
-> - [Cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) is enabled.
-> - Audit mode is not enabled. Use [Group Policy](enable-network-protection.md#group-policy) to set the rule to **Disabled** (value: **0**).
+> * Endpoints are running Windows 10 Enterprise edition, version 1709 or higher (also known as the Fall Creators Update).
+> * Endpoints are using Windows Defender Antivirus as the sole antivirus protection app. [Using any other antivirus app will cause Windows Defender AV to disable itself](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md).
+> * [Real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) is enabled.
+> * [Cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) is enabled.
+> * Audit mode is not enabled. Use [Group Policy](enable-network-protection.md#group-policy) to set the rule to **Disabled** (value: **0**).
+## Use audit mode
-## Use audit mode
-
-You can enable network protection in audit mode and then visit a website that we've created to demo the feature. All website connections will be allowed by network protection but an event will be logged to indicate any connection that would have been blocked if network protection was enabled.
+You can enable network protection in audit mode and then visit a website that we've created to demo the feature. All website connections will be allowed by network protection but an event will be logged to indicate any connection that would have been blocked if network protection was enabled.
1. Set network protection to **Audit mode**.
- ```powershell
+
+ ```PowerShell
Set-MpPreference -EnableNetworkProtection AuditMode
```
-2. Perform the connection activity that is causing an issue (for example, attempt to visit the site, or connect to the IP address you do or don't want to block).
-3. [Review the network protection event logs](network-protection-exploit-guard.md#review-network-protection-events-in-windows-event-viewer) to see if the feature would have blocked the connection if it had been set to **Enabled**.
+
+1. Perform the connection activity that is causing an issue (for example, attempt to visit the site, or connect to the IP address you do or don't want to block).
+
+1. [Review the network protection event logs](network-protection.md#review-network-protection-events-in-windows-event-viewer) to see if the feature would have blocked the connection if it had been set to **Enabled**.
>
>If network protection is not blocking a connection that you are expecting it should block, enable the feature.
-```powershell
+```PowerShell
Set-MpPreference -EnableNetworkProtection Enabled
```
@@ -75,21 +78,24 @@ To whitelist the website that is being blocked (false positive), add its URL to
## Collect diagnostic data for file submissions
-When you report a problem with network protection, you are asked to collect and submit diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues.
+When you report a problem with network protection, you are asked to collect and submit diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues.
1. Open an elevated command prompt and change to the Windows Defender directory:
- ```
+
+ ```PowerShell
cd c:\program files\windows defender
```
-2. Run this command to generate the diagnostic logs:
- ```
+
+1. Run this command to generate the diagnostic logs:
+
+ ```PowerShell
mpcmdrun -getfiles
```
-3. By default, they are saved to C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab. Attach the file to the submission form.
+
+1. By default, they are saved to C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab. Attach the file to the submission form.
## Related topics
-- [Windows Defender Exploit Guard](windows-defender-exploit-guard.md)
-- [Network protection](network-protection-exploit-guard.md)
-- [Evaluate network protection](evaluate-network-protection.md)
-- [Enable network protection](enable-network-protection.md)
+* [Network protection](network-protection.md)
+* [Evaluate network protection](evaluate-network-protection.md)
+* [Enable network protection](enable-network-protection.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding-error-messages.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding-error-messages.md
index 078fc9543d..f27f90ae22 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding-error-messages.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding-error-messages.md
@@ -24,7 +24,7 @@ ms.topic: troubleshooting
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-troublshootonboarding-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-troublshootonboarding-abovefoldlink)
This page provides detailed steps to troubleshoot issues that might occur when setting up your Microsoft Defender ATP service.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md
index f981d9c12a..24b7d6924e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md
@@ -25,20 +25,22 @@ ms.topic: troubleshooting
- Windows Server 2016
-
You might need to troubleshoot the Microsoft Defender ATP onboarding process if you encounter issues.
This page provides detailed steps to troubleshoot onboarding issues that might occur when deploying with one of the deployment tools and common errors that might occur on the machines.
+
+## Troubleshoot issues with onboarding tools
+
If you have completed the onboarding process and don't see machines in the [Machines list](investigate-machines.md) after an hour, it might indicate an onboarding or connectivity problem.
-## Troubleshoot onboarding when deploying with Group Policy
+### Troubleshoot onboarding when deploying with Group Policy
Deployment with Group Policy is done by running the onboarding script on the machines. The Group Policy console does not indicate if the deployment has succeeded or not.
If you have completed the onboarding process and don't see machines in the [Machines list](investigate-machines.md) after an hour, you can check the output of the script on the machines. For more information, see [Troubleshoot onboarding when deploying with a script](#troubleshoot-onboarding-when-deploying-with-a-script).
If the script completes successfully, see [Troubleshoot onboarding issues on the machines](#troubleshoot-onboarding-issues-on-the-machine) for additional errors that might occur.
-## Troubleshoot onboarding issues when deploying with System Center Configuration Manager
+### Troubleshoot onboarding issues when deploying with System Center Configuration Manager
When onboarding machines using the following versions of System Center Configuration Manager:
- System Center 2012 Configuration Manager
- System Center 2012 R2 Configuration Manager
@@ -52,7 +54,7 @@ If the deployment fails, you can check the output of the script on the machines.
If the onboarding completed successfully but the machines are not showing up in the **Machines list** after an hour, see [Troubleshoot onboarding issues on the machine](#troubleshoot-onboarding-issues-on-the-machine) for additional errors that might occur.
-## Troubleshoot onboarding when deploying with a script
+### Troubleshoot onboarding when deploying with a script
**Check the result of the script on the machine**:
1. Click **Start**, type **Event Viewer**, and press **Enter**.
@@ -76,7 +78,7 @@ Event ID | Error Type | Resolution steps
40 | SENSE service onboarding status is not set to **1** | The SENSE service has failed to onboard properly. For more information on events and errors related to SENSE, see [Review events and errors using Event viewer](event-error-codes.md).
65 | Insufficient privileges| Run the script again with administrator privileges.
-## Troubleshoot onboarding issues using Microsoft Intune
+### Troubleshoot onboarding issues using Microsoft Intune
You can use Microsoft Intune to check error codes and attempt to troubleshoot the cause of the issue.
If you have configured policies in Intune and they are not propagated on machines, you might need to configure automatic MDM enrollment.
@@ -296,14 +298,14 @@ You might also need to check the following:
## Licensing requirements
Microsoft Defender Advanced Threat Protection requires one of the following Microsoft Volume Licensing offers:
- - Windows 10 Enterprise E5
- - Windows 10 Education E5
- - Microsoft 365 Enterprise E5 which includes Windows 10 Enterprise E5
+- Windows 10 Enterprise E5
+- Windows 10 Education E5
+- Microsoft 365 Enterprise E5 which includes Windows 10 Enterprise E5
-For more information, see [Windows 10 Licensing](https://www.microsoft.com/en-us/Licensing/product-licensing/windows10.aspx#tab=2).
+For more information, see [Windows 10 Licensing](https://www.microsoft.com/Licensing/product-licensing/windows10.aspx#tab=2).
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-troubleshootonboarding-belowfoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-troubleshootonboarding-belowfoldlink)
## Related topics
diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-overview.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-overview.md
deleted file mode 100644
index 0cf451828c..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-overview.md
+++ /dev/null
@@ -1,31 +0,0 @@
----
-title: Troubleshoot Microsoft Defender Advanced Threat Protection capabilities
-description: Find solutions to issues on sensor state, service issues, or other Microsoft Defender ATP capabilities
-keywords: troubleshoot, sensor, state, service, issues, attack surface reduction, next generation protection
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: troubleshooting
----
-
-# Troubleshoot Microsoft Defender Advanced Threat Protection
-
-Troubleshoot issues that might arise as you use Microsoft Defender ATP capabilities.
-
-## In this section
-Topic | Description
-:---|:---
-Troubleshoot sensor state | Find solutions for issues related to the Microsoft Defender ATP sensor
-Troubleshoot service issues | Fix issues related to the Microsoft Defender Advanced Threat service
-Troubleshoot attack surface reduction | Fix issues related to network protection and attack surface reduction rules
-Troubleshoot next generation protection | If you encounter a problem with antivirus, you can search the tables in this topic to find a matching issue and potential solution
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-siem.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-siem.md
index c45bc362d2..858ebde2ec 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-siem.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-siem.md
@@ -25,7 +25,7 @@ ms.topic: troubleshooting
-You might need to troubleshoot issues while pulling alerts in your SIEM tools.
+You might need to troubleshoot issues while pulling detections in your SIEM tools.
This page provides detailed steps to troubleshoot issues you might encounter.
@@ -76,11 +76,11 @@ If you encounter an error when trying to enable the SIEM connector application,
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-troubleshootsiem-belowfoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-troubleshootsiem-belowfoldlink)
## Related topics
- [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md)
-- [Configure ArcSight to pull Microsoft Defender ATP alerts](configure-arcsight.md)
-- [Configure Splunk to pull Microsoft Defender ATP alerts](configure-splunk.md)
-- [Microsoft Defender ATP alert API fields](api-portal-mapping.md)
-- [Pull Microsoft Defender ATP alerts using REST API](pull-alerts-using-rest-api.md)
+- [Configure ArcSight to pull Microsoft Defender ATP detections](configure-arcsight.md)
+- [Configure Splunk to pull Microsoft Defender ATP detections](configure-splunk.md)
+- [Microsoft Defender ATP Detection fields](api-portal-mapping.md)
+- [Pull Microsoft Defender ATP detections using REST API](pull-alerts-using-rest-api.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md
index f6488ecbd0..8eebb66298 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md
@@ -1,48 +1,48 @@
----
-title: Exposure score
-description: Your exposure level reflects how vulnerable your organization is to cybersecurity threats. Apply the Threat & Vulnerability Management security recommendations to keep your exposure level low.
-keywords: exposure score, mdatp exposure score, mdatp tvm exposure score, organization exposure score, tvm organization exposure score
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
-ms.date: 06/30/2019
----
-# Exposure score
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-Your exposure score reflects how vulnerable your organization is to cybersecurity threats. Low exposure score means your machines are less vulnerable from exploitation.
-
-The widget also gives you a high-level view of your exposure score trend over time. Any spikes in the chart gives you a visual indication of a high cybersecurity threat exposure that you can investigate further.
-
-
-
-## How it works
-
-Several factors affect your organization exposure score:
-- Weakness discovered on the device
-- Likelihood of a device getting breached
-- Value of the device to the organization
-- Relevant alert discovered on the device
-
-Reduce the exposure score by addressing what needs to be remediated based on the prioritized security recommendations. See [Security recommendations](tvm-security-recommendation.md) for details.
-
-## Related topics
-- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
-- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
-- [Configuration score](configuration-score.md)
-- [Security recommendations](tvm-security-recommendation.md)
-- [Remediation](tvm-remediation.md)
-- [Software inventory](tvm-software-inventory.md)
-- [Weaknesses](tvm-weaknesses.md)
-- [Scenarios](threat-and-vuln-mgt-scenarios.md)
+---
+title: Exposure score
+description: Your exposure level reflects how vulnerable your organization is to cybersecurity threats. Apply the Threat & Vulnerability Management security recommendations to keep your exposure level low.
+keywords: exposure score, mdatp exposure score, mdatp tvm exposure score, organization exposure score, tvm organization exposure score
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+ms.date: 06/30/2019
+---
+# Exposure score
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+Your exposure score reflects how vulnerable your organization is to cybersecurity threats. Low exposure score means your machines are less vulnerable from exploitation.
+
+The widget also gives you a high-level view of your exposure score trend over time. Any spikes in the chart gives you a visual indication of a high cybersecurity threat exposure that you can investigate further.
+
+
+
+## How it works
+
+Several factors affect your organization exposure score:
+- Weakness discovered on the device
+- Likelihood of a device getting breached
+- Value of the device to the organization
+- Relevant alert discovered on the device
+
+Reduce the exposure score by addressing what needs to be remediated based on the prioritized security recommendations. See [Security recommendations](tvm-security-recommendation.md) for details.
+
+## Related topics
+- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
+- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
+- [Configuration score](configuration-score.md)
+- [Security recommendations](tvm-security-recommendation.md)
+- [Remediation](tvm-remediation.md)
+- [Software inventory](tvm-software-inventory.md)
+- [Weaknesses](tvm-weaknesses.md)
+- [Scenarios](threat-and-vuln-mgt-scenarios.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md
index 6e208209cb..674d4b0309 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md
@@ -1,66 +1,66 @@
----
-title: Remediation
-description: You can lower down your organization's exposure from vulnerabilities and increase your security configuration by remediating the security recommendations. Threat & Vulnerability Management bridges the gap between security administration and IT administration during remediation process. It does so by creating a security task or ticket through integration with Microsoft Intune and Microsoft System Center Configuration Manager (SCCM).
-keywords: microsoft defender atp tvm remediation, mdatp tvm, threat & vulnerability management, threat & vulnerability management remediation, tvm remediation intune, tvm remediation sccm
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
-ms.date: 04/11/2019
----
-# Remediation
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
->[!NOTE]
->To use this capability, enable your Microsoft Intune connections. Navigate to **Settings** > **General** > **Advanced features**. Scroll down and look for **Microsoft Intune connection**. By default, the toggle is turned off. Turn your **Microsoft Intune connection** toggle on.
-
-After your organization's cybersecurity weaknesses are identified and mapped to actionable security recommendations, you can start creating security tasks through the integration with Microsoft Intune where remediation tickets are created.
-
-You can lower down your organization's exposure from vulnerabilities and increase your security configuration by remediating the security recommendations.
-
-## Navigate through your remediation options
-You'll see your remediation options when you select one of the security recommendation blocks from your **Top security recommendations** widget in the dashboard.
-1. From the flyout panel, you'll see the security recommendation details including your next steps. Click **Remediation options**.
-2. In the **Remediation options** page, select **Open a ticket in Intune (for AAD joined devices)**.
-
->[!NOTE]
->If your request involves remediating more than 10,000 machines, we will only send 10,000 machines for remediation to Intune.
-
-3. Select a remediation due date.
-4. Add notes to give your IT administrator a context of your remediation request. For example, you can indicate urgency of the remediation request to avoid potential exposure to a recent exploit activity, or if the request is a part of compliance.
-
-If you want to check how the ticket shows up in Intune, see [Use Intune to remediate vulnerabilities identified by Microsoft Defender ATP](https://docs.microsoft.com/intune/atp-manage-vulnerabilities) for details.
-
-## How it works
-
-When you submit a remediation request from Threat & Vulnerability Management, it kicks-off a remediation activity.
-
-It creates a security task which will be tracked in Threat & Vulnerability Management **Remediation** page, and it also creates a remediation ticket in Microsoft Intune.
-
-You also have the option to export all remediation activity data to CSV for records, reporting purposes, or if you want to notify your IT administration counterpart that a remediation ticket has been submitted.
-
-The dashboard will show that status of your top remediation activities. Click any of the entries and it will take you to the **Remediation** page. You can mark the remediation activity as completed after the IT administration team remediates the task.
-
-However, if the security recommendation stemmed from a false positive report, or if there are existing business justification that blocks the remediation, such as compensating control, productivity needs, compliance, or if there's already a planned remediation grace period, you can file an exception and indicate the reason. The exceptions you've filed will also show up in the **Remediation** page, in the **Exceptions** tab.
-
-## Related topics
-- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
-- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
-- [Exposure score](tvm-exposure-score.md)
-- [Configuration score](configuration-score.md)
-- [Security recommendation](tvm-security-recommendation.md)
-- [Software inventory](tvm-software-inventory.md)
-- [Weaknesses](tvm-weaknesses.md)
-- [Scenarios](threat-and-vuln-mgt-scenarios.md)
-
-
+---
+title: Remediation
+description: You can lower down your organization's exposure from vulnerabilities and increase your security configuration by remediating the security recommendations. Threat & Vulnerability Management bridges the gap between security administration and IT administration during remediation process. It does so by creating a security task or ticket through integration with Microsoft Intune and Microsoft System Center Configuration Manager (SCCM).
+keywords: microsoft defender atp tvm remediation, mdatp tvm, threat & vulnerability management, threat & vulnerability management remediation, tvm remediation intune, tvm remediation sccm
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+ms.date: 04/11/2019
+---
+# Remediation
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+>[!NOTE]
+>To use this capability, enable your Microsoft Intune connections. Navigate to **Settings** > **General** > **Advanced features**. Scroll down and look for **Microsoft Intune connection**. By default, the toggle is turned off. Turn your **Microsoft Intune connection** toggle on.
+
+After your organization's cybersecurity weaknesses are identified and mapped to actionable security recommendations, you can start creating security tasks through the integration with Microsoft Intune where remediation tickets are created.
+
+You can lower down your organization's exposure from vulnerabilities and increase your security configuration by remediating the security recommendations.
+
+## Navigate through your remediation options
+You'll see your remediation options when you select one of the security recommendation blocks from your **Top security recommendations** widget in the dashboard.
+1. From the flyout panel, you'll see the security recommendation details including your next steps. Click **Remediation options**.
+2. In the **Remediation options** page, select **Open a ticket in Intune (for AAD joined devices)**.
+
+>[!NOTE]
+>If your request involves remediating more than 10,000 machines, we will only send 10,000 machines for remediation to Intune.
+
+3. Select a remediation due date.
+4. Add notes to give your IT administrator a context of your remediation request. For example, you can indicate urgency of the remediation request to avoid potential exposure to a recent exploit activity, or if the request is a part of compliance.
+
+If you want to check how the ticket shows up in Intune, see [Use Intune to remediate vulnerabilities identified by Microsoft Defender ATP](https://docs.microsoft.com/intune/atp-manage-vulnerabilities) for details.
+
+## How it works
+
+When you submit a remediation request from Threat & Vulnerability Management, it kicks-off a remediation activity.
+
+It creates a security task which will be tracked in Threat & Vulnerability Management **Remediation** page, and it also creates a remediation ticket in Microsoft Intune.
+
+You also have the option to export all remediation activity data to CSV for records, reporting purposes, or if you want to notify your IT administration counterpart that a remediation ticket has been submitted.
+
+The dashboard will show that status of your top remediation activities. Click any of the entries and it will take you to the **Remediation** page. You can mark the remediation activity as completed after the IT administration team remediates the task.
+
+However, if the security recommendation stemmed from a false positive report, or if there are existing business justification that blocks the remediation, such as compensating control, productivity needs, compliance, or if there's already a planned remediation grace period, you can file an exception and indicate the reason. The exceptions you've filed will also show up in the **Remediation** page, in the **Exceptions** tab.
+
+## Related topics
+- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
+- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
+- [Exposure score](tvm-exposure-score.md)
+- [Configuration score](configuration-score.md)
+- [Security recommendation](tvm-security-recommendation.md)
+- [Software inventory](tvm-software-inventory.md)
+- [Weaknesses](tvm-weaknesses.md)
+- [Scenarios](threat-and-vuln-mgt-scenarios.md)
+
+
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md
index a866f2ef4f..cb1913abcb 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md
@@ -1,66 +1,92 @@
----
-title: Security recommendation
-description: The weaknesses identified in the environment are mapped to actionable security recommendations and prioritized by their impact on the organizational exposure score.
-keywords: threat and vulnerability management, mdatp tvm security recommendation, cybersecurity recommendation, actionable security recommendation
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
-ms.date: 04/11/2019
----
-# Security recommendation
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-The cybersecurity weaknesses identified in your organization are mapped to actionable security recommendations and prioritized by their impact on the security recommendation list. Prioritized recommendation helps shorten the mean time to mitigate or remediate vulnerabilities and drive compliance.
-
-Each security recommendation includes an actionable remediation recommendation which can be pushed into the IT task queue through a built-in integration with Microsoft Intune and SCCM. It is also dynamic in the sense that when the threat landscape changes, the recommendation also changes as it continuously collect information from your environment.
-
-## The basis of the security recommendation
-Each machine in the organization is scored based on three important factors: threat, likelihood to be breached, and value, to help customers to focus on the right things at the right time.
-
-- Threat - Characteristics of the vulnerabilities and exploits in your organizations' devices and breach history. Based on these factors, the security recommendations shows the correponding links to active alerts, ongoing threat campaigns, and their corresponding threat analytic reports.
-
-- Breach likelihood - Your organization's security posture and resilience against threats
-
-- Business value - Your organization's assets, critical processes, and intellectual properties
-
-
-## Navigate through your security recommendations
-You can access the security recommendation from the Microsoft Defender ATP Threat & Vulnerability Management menu, dashboard, software page, and machine page, to give you the context that you need as you require it.
-
-There are security recommendations for application, operating system, network, accounts, and security controls.
-
-In a given day as a Security Administrator, you can take a look at the dashboard to see your exposure score side-by-side with your configuration score. The goal is to lower down your organization's exposure from vulnerabilities, and increase your organization's security configuration to be more resilient against cybersecurity threat attacks. The top security recommendations list can help you achieve that goal.
-
-The top security recommendations lists down the improvement opportunities prioritized based on the three important factors mentioned in the previous section - threat, likelihood to be breached, and value.
-
-You can click on each one of them and see the details, the description, the potential risk if you don't act on or remediate it, insights, how many exposed devices are associated with the security recommendation, vulnerabilities, and other threats.
-
-From that page, you can do any of the following depending on what you need to do:
-
-- Open software page - Drill down and open the software page to get more context of the software details, prevalence in the organization, weaknesses discovered, version distribution, and charts so you can see the exposure trend over time.
-
-- Choose from remediation options - Submit a remediation request to open a ticket in Microsoft Intune for your IT Administrator to pick up and address.
-
-- Choose from exception options - Submit an exception, provide justification, and set exception duration if you can't remediate the issue just yet due to specific business reasons, compensation controls, or if it is a false positive.
-
-
-## Related topics
-- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
-- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
-- [Exposure score](tvm-exposure-score.md)
-- [Configuration score](configuration-score.md)
-- [Remediation](tvm-remediation.md)
-- [Software inventory](tvm-software-inventory.md)
-- [Weaknesses](tvm-weaknesses.md)
-- [Scenarios](threat-and-vuln-mgt-scenarios.md)
+---
+title: Security recommendation
+description: The weaknesses identified in the environment are mapped to actionable security recommendations and prioritized by their impact on the organizational exposure score.
+keywords: threat and vulnerability management, mdatp tvm security recommendation, cybersecurity recommendation, actionable security recommendation
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+ms.date: 04/11/2019
+---
+# Security recommendation
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+The cybersecurity weaknesses identified in your organization are mapped to actionable security recommendations and prioritized by their impact on the security recommendation list. Prioritized recommendation helps shorten the mean time to mitigate or remediate vulnerabilities and drive compliance.
+
+Each security recommendation includes an actionable remediation recommendation which can be pushed into the IT task queue through a built-in integration with Microsoft Intune and Microsoft System Center Configuration Manager (SCCM). It is also dynamic in the sense that when the threat landscape changes, the recommendation also changes as it continuously collect information from your environment.
+
+## The basis of the security recommendation
+Each machine in the organization is scored based on three important factors: threat, likelihood to be breached, and value, to help customers to focus on the right things at the right time.
+
+- Threat - Characteristics of the vulnerabilities and exploits in your organizations' devices and breach history. Based on these factors, the security recommendations shows the corresponding links to active alerts, ongoing threat campaigns, and their corresponding threat analytic reports.
+
+- Breach likelihood - Your organization's security posture and resilience against threats
+
+- Business value - Your organization's assets, critical processes, and intellectual properties
+
+
+## Navigate through your security recommendations
+
+You can access the security recommendation from the Microsoft Defender ATP Threat & Vulnerability Management menu, dashboard, software page, and machine page, to give you the context that you need, as you require it.
+
+There are security recommendations for application, operating system, network, accounts, and security controls.
+
+In a given day as a Security Administrator, you can take a look at the dashboard to see your exposure score side-by-side with your configuration score. The goal is to lower down your organization's exposure from vulnerabilities, and increase your organization's security configuration to be more resilient against cybersecurity threat attacks. The top security recommendations list can help you achieve that goal.
+
+The top security recommendations lists down the improvement opportunities prioritized based on the three important factors mentioned in the previous section - threat, likelihood to be breached, and value.
+
+You can click on each one of them and see the details, the description, the potential risk if you don't act on or remediate it, insights, how many exposed devices are associated with the security recommendation, vulnerabilities, and other threats.
+
+From that page, you can do any of the following depending on what you need to do:
+
+- Open software page - Drill down and open the software page to get more context of the software details, prevalence in the organization, weaknesses discovered, version distribution, and charts so you can see the exposure trend over time.
+
+- Choose from remediation options - Submit a remediation request to open a ticket in Microsoft Intune for your IT Administrator to pick up and address.
+
+- Choose from exception options - Submit an exception, provide justification, and set exception duration if you can't remediate the issue just yet due to specific business reasons, compensation controls, or if it is a false positive.
+
+## Report inaccuracy
+
+You can report a false positive when you see any vague, inaccurate, incomplete, or already remediated security recommendation information in the machine page.
+
+1. Select the **Security recommendation** tab.
+
+2. Click **:** beside the security recommendation that you want to report about, then select **Report inaccuracy**.
+
+
A flyout pane opens.
+
+
+3. From the flyout pane, select the inaccuracy category from the drop-down menu.
+
+
+4. Include your email address so Microsoft can send you feedback regarding the inaccuracy you reported.
+
+5. Include your machine name for investigation context.
+
+>[!NOTE]
+> You can also provide details regarding the inaccuracy you reported in the **Tell us more (optional)** field to give the threat and vulnerability management investigators context.
+
+6. Click **Submit**. Your feedback is immediately sent to the Threat & Vulnerability Management experts with its context.
+
+
+
+
+## Related topics
+- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
+- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
+- [Exposure score](tvm-exposure-score.md)
+- [Configuration score](configuration-score.md)
+- [Remediation](tvm-remediation.md)
+- [Software inventory](tvm-software-inventory.md)
+- [Weaknesses](tvm-weaknesses.md)
+- [Scenarios](threat-and-vuln-mgt-scenarios.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md
index 6954b3f5d6..a7ff6812ce 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md
@@ -1,44 +1,68 @@
----
-title: Software inventory
-description: Microsoft Defender ATP Threat & Vulnerability management's discovery capability shows in the software inventory page. You can see the name of the product, vendor, the latest version it is in, and the number of weaknesses and vulnerabilities detected.
-keywords: microsoft defender atp, microsoft defender atp software inventory, mdatp threat & vulnerability management, mdatp threat & vulnerability management software inventory, mdatp tvm software inventory, tvm software inventory
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
-ms.date: 04/11/2019
----
-# Software inventory
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-Microsoft Defender ATP Threat & Vulnerability management's discovery capability shows in the **Software inventory** page. The software inventory includes the name of the product or vendor, the latest version it is in, and the number of weaknesses and vulnerabilities detected with it.
-
-## Navigate through your software inventory
-1. Select **Software inventory** from the Threat & Vulnerability management navigation menu.
-2. In the **Software inventory** page, select the application that you want to investigate and a flyout panel opens up with the software details, vendor information, prevalence in the organization, exposed machines, threat context, and its impact to your organization's exposure score.
-3. In the flyout panel, select **Open software page** to dive deeper into your software inventory. You will see how many weaknesses are discovered with the application, devices exposed, installed machines, version distribution, and the corresponding security recommendations for the weaknesses and vulnerabilities identified.
-
-## How it works
-In the field of discovery, we are leveraging the same set of signals in Microsoft Defender ATP's endpoint detection and response that's responsible for detection, for vulnerability assessment.
-
-Since it is real-time, in a matter of minutes, you will see vulnerability information as they get discovered. The engine automatically grabs information from multiple security feeds. In fact, you'll will see if a particular application is connected to a live campaign. It also provides a link to a Threat Analytics report soon as it's available.
-
-## Related topics
-- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
-- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
-- [Exposure score](tvm-exposure-score.md)
-- [Configuration score](configuration-score.md)
-- [Security recommendation](tvm-security-recommendation.md)
-- [Remediation](tvm-remediation.md)
-- [Weaknesses](tvm-weaknesses.md)
-- [Scenarios](threat-and-vuln-mgt-scenarios.md)
+---
+title: Software inventory
+description: Microsoft Defender ATP Threat & Vulnerability management's discovery capability shows in the software inventory page. You can see the name of the product, vendor, the latest version it is in, and the number of weaknesses and vulnerabilities detected.
+keywords: microsoft defender atp, microsoft defender atp software inventory, mdatp threat & vulnerability management, mdatp threat & vulnerability management software inventory, mdatp tvm software inventory, tvm software inventory
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+ms.date: 04/11/2019
+---
+# Software inventory
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+Microsoft Defender ATP Threat & Vulnerability management's discovery capability shows in the **Software inventory** page. The software inventory includes the name of the product or vendor, the latest version it is in, and the number of weaknesses and vulnerabilities detected with it.
+
+## Navigate through your software inventory
+1. Select **Software inventory** from the Threat & Vulnerability management navigation menu.
+2. In the **Software inventory** page, select the application that you want to investigate and a flyout panel opens up with the software details, vendor information, prevalence in the organization, exposed machines, threat context, and its impact to your organization's exposure score.
+3. In the flyout panel, select **Open software page** to dive deeper into your software inventory. You will see how many weaknesses are discovered with the application, devices exposed, installed machines, version distribution, and the corresponding security recommendations for the weaknesses and vulnerabilities identified.
+
+## How it works
+In the field of discovery, we are leveraging the same set of signals in Microsoft Defender ATP's endpoint detection and response that's responsible for detection, for vulnerability assessment.
+
+Since it is real-time, in a matter of minutes, you will see vulnerability information as they get discovered. The engine automatically grabs information from multiple security feeds. In fact, you'll will see if a particular application is connected to a live campaign. It also provides a link to a Threat Analytics report soon as it's available.
+
+## Report inaccuracy
+
+You can report a false positive when you see any vague, inaccurate version, incomplete, or already remediated software inventory information in the machine page.
+
+1. Select the **Software inventory** tab.
+
+2. Click **:** beside the software that you want to report about, and then select **Report inaccuracy**.
+
+
A flyout pane opens.
+
+
+3. From the flyout pane, select the inaccuracy category from the **Software inventory inaccuracy reason** drop-down menu.
+
+
+4. Include your email address so Microsoft can send you feedback regarding the inaccuracy you reported.
+
+5. Include your machine name for investigation context.
+
+>[!NOTE]
+> You can also provide details regarding the inaccuracy you reported in the **Tell us more (optional)** field to give the threat and vulnerability management investigators context.
+
+6. Click **Submit**. Your feedback is immediately sent to the Threat & Vulnerability Management experts with its context.
+
+
+## Related topics
+- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
+- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
+- [Exposure score](tvm-exposure-score.md)
+- [Configuration score](configuration-score.md)
+- [Security recommendation](tvm-security-recommendation.md)
+- [Remediation](tvm-remediation.md)
+- [Weaknesses](tvm-weaknesses.md)
+- [Scenarios](threat-and-vuln-mgt-scenarios.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md
index 108aef13b2..ab8bccc02c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md
@@ -1,78 +1,113 @@
----
-title: Weaknesses
-description: The **Weaknesses** page lists down the vulnerabilities found in the infected software running in your organization, their severity, Common Vulnerability Scoring System (CVSS) rating, its prevalence in your organization, breach, and threat insights.
-keywords: mdatp threat & vulnerability management, mdatp tvm weaknesses page, finding weaknesses through tvm, tvm vulnerability list, vulnerability details in tvm
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
-ms.date: 04/11/2019
----
-# Weaknesses
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-Threat & Vulnerability Management leverages the same signals in Microsoft Defender ATP's endpoint protection to scan and detect vulnerabilities.
-
-The **Weaknesses** page lists down the vulnerabilities found in the infected software running in your organization, their severity, Common Vulnerability Scoring System (CVSS) rating, its prevalence in your organization, corresponding breach, and threat insights.
-
-## Navigate through your organization's weaknesses page
-You can see the list of vulnerabilities in three ways:
-
-*Vulnerabilities in global search*
-1. Click the global search drop-down menu.
-2. Select **Vulnerability** and key-in the Common Vulnerabilities and Exposures (CVE) ID that you are looking for, then click the search icon. The **Weaknesses** page opens with the CVE information that you are looking for.
-
-3. Select the CVE and a flyout panel opens up with more information - the vulnerability description, exploits available, severity level, CVSS v3 rating, publishing and update dates.
-
->[!NOTE]
->To see the rest of the vulnerabilities in the **Weaknesses** page, type CVE, then click search.
-
-*Weaknesses page in the menu*
-1. Go to the Threat & Vulnerability Management navigation menu and select **Weaknesses** to open up the list of vulnerabilities found in your organization.
-2. Select the vulnerability that you want to investigate to open up a flyout panel with the vulnerability details, such as: CVE description, CVE ID, exploits available, CVSS V3 rating, severity, publish, and update dates.
-
-*Top vulnerable software widget in the dashboard*
-1. Go to the Threat & Vulnerability Management dashboard and scroll down to the **Top vulnerable software** widget. You will see the number of vulnerabilities found in each software along with threat information and a high-level view of the device exposure trend over time.
-
-2. Click the software that you want to investigate and it takes you to the software page. You will the weaknesses found in your machine per severity level, in which machines are they installed, version distribution, and the corresponding security recommendation.
-3. Select the **Discovered vulnerabilities** tab.
-4. Select the vulnerability that you want to investigate to open up a flyout panel with the vulnerability details, such as: CVE description, CVE ID, exploits available, CVSS V3 rating, severity, publish, and update dates.
-
-## How it works
-When new vulnerabilities are released, you would want know how many of your assets are exposed. You can see the list of vulnerabilities and the details in the **Weaknesses** page.
-
-If the **Exposed Machines** column shows 0, that means you are not infected.
-
-If there's a number in the **Exposed Machines**, that means you need to remediate the vulnerabilities in those machines because they put the rest of your assets and your organization at risk.
-
-You can also see the related alert and threat insights in the **Threat** column.
-
-The breach insights icons are highlighted if there are active alerts associated with the vulnerability found in your organization.
-
-
-The threat insights icons are highlighted if there are associated exploits in the vulnerability found in your organization. It also shows whether the threat is connected to specific campaign for which, Threat Analytics report links are provided that you can read.
-
-
- >[!NOTE]
- > Always prioritize recommendations that are associated with ongoing threats. These recommendations are marked with the threat insight  icon and possible active alert  icon.
-
-
-## Related topics
-- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
-- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
-- [Exposure score](tvm-exposure-score.md)
-- [Configuration score](configuration-score.md)
-- [Security recommendation](tvm-security-recommendation.md)
-- [Remediation](tvm-remediation.md)
-- [Software inventory](tvm-software-inventory.md)
-- [Scenarios](threat-and-vuln-mgt-scenarios.md)
+---
+title: Weaknesses
+description: The **Weaknesses** page lists down the vulnerabilities found in the infected software running in your organization, their severity, Common Vulnerability Scoring System (CVSS) rating, its prevalence in your organization, breach, and threat insights.
+keywords: mdatp threat & vulnerability management, mdatp tvm weaknesses page, finding weaknesses through tvm, tvm vulnerability list, vulnerability details in tvm
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+ms.date: 04/11/2019
+---
+# Weaknesses
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+Threat & Vulnerability Management leverages the same signals in Microsoft Defender ATP's endpoint protection to scan and detect vulnerabilities.
+
+The **Weaknesses** page lists down the vulnerabilities found in the infected software running in your organization, their severity, Common Vulnerability Scoring System (CVSS) rating, its prevalence in your organization, corresponding breach, and threat insights.
+
+## Navigate through your organization's weaknesses page
+You can see the list of vulnerabilities in four ways:
+
+*Vulnerabilities in global search*
+1. Click the global search drop-down menu.
+2. Select **Vulnerability** and key-in the Common Vulnerabilities and Exposures (CVE) ID that you are looking for, then click the search icon. The **Weaknesses** page opens with the CVE information that you are looking for.
+
+3. Select the CVE and a flyout panel opens up with more information - the vulnerability description, exploits available, severity level, CVSS v3 rating, publishing and update dates.
+
+>[!NOTE]
+>To see the rest of the vulnerabilities in the **Weaknesses** page, type CVE, then click search.
+
+*Weaknesses page in the menu*
+1. Go to the Threat & Vulnerability Management navigation menu and select **Weaknesses** to open up the list of vulnerabilities found in your organization.
+2. Select the vulnerability that you want to investigate to open up a flyout panel with the vulnerability details, such as: CVE description, CVE ID, exploits available, CVSS V3 rating, severity, publish, and update dates.
+
+*Top vulnerable software widget in the dashboard*
+1. Go to the Threat & Vulnerability Management dashboard and scroll down to the **Top vulnerable software** widget. You will see the number of vulnerabilities found in each software along with threat information and a high-level view of the device exposure trend over time.
+
+2. Click the software that you want to investigate and it takes you to the software page. You will the weaknesses found in your machine per severity level, in which machines are they installed, version distribution, and the corresponding security recommendation.
+3. Select the **Discovered vulnerabilities** tab.
+4. Select the vulnerability that you want to investigate to open up a flyout panel with the vulnerability details, such as: CVE description, CVE ID, exploits available, CVSS V3 rating, severity, publish, and update dates.
+
+*Discovered vulnerabilities in the machine page*
+1. Go to the left-hand navigation menu bar, then select the machine icon. The **Machines list** page opens.
+
+2. In the **Machines list** page, select the machine that you want to investigate.
+
+
A flyout pane opens with machine details and response action options.
+
+3. In the flyout pane, select **Open machine page**. A page opens with details and response options for the machine you want to investigate.
+
+4. Select **Discovered vulnerabilities**.
+5. Select the vulnerability that you want to investigate to open up a flyout panel with the vulnerability details, such as: CVE description, CVE ID, exploits available, CVSS V3 rating, severity, publish, and update dates.
+
+## How it works
+When new vulnerabilities are released, you would want know how many of your assets are exposed. You can see the list of vulnerabilities and the details in the **Weaknesses** page.
+
+If the **Exposed Machines** column shows 0, that means you are not infected.
+
+If there's a number in the **Exposed Machines**, that means you need to remediate the vulnerabilities in those machines because they put the rest of your assets and your organization at risk.
+
+You can also see the related alert and threat insights in the **Threat** column.
+
+The breach insights icons are highlighted if there are active alerts associated with the vulnerability found in your organization.
+
+
+The threat insights icons are highlighted if there are associated exploits in the vulnerability found in your organization. It also shows whether the threat is connected to specific campaign for which, Threat Analytics report links are provided that you can read.
+
+
+ >[!NOTE]
+ > Always prioritize recommendations that are associated with ongoing threats. These recommendations are marked with the threat insight  icon and possible active alert  icon.
+
+## Report inaccuracy
+
+You can report a false positive when you see any vague, inaccurate, missing, or already remediated vulnerability information in the machine page.
+
+1. Select the **Discovered vulnerabilities** tab.
+
+2. Click **:** beside the vulnerability that you want to report about, and then select **Report inaccuracy**.
+
+
A flyout pane opens.
+
+
+3. From the flyout pane, select the inaccuracy category from the **Discovered vulnerability inaccuracy reason** drop-down menu.
+
+
+4. Include your email address so Microsoft can send you feedback regarding the inaccuracy you reported.
+
+5. Include your machine name for investigation context.
+
+>[!NOTE]
+> You can also provide details regarding the inaccuracy you reported in the **Tell us more (optional)** field to give the threat and vulnerability management investigators context.
+
+6. Click **Submit**. Your feedback is immediately sent to the Threat & Vulnerability Management experts with its context.
+
+
+## Related topics
+- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
+- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
+- [Exposure score](tvm-exposure-score.md)
+- [Configuration score](configuration-score.md)
+- [Security recommendation](tvm-security-recommendation.md)
+- [Remediation](tvm-remediation.md)
+- [Software inventory](tvm-software-inventory.md)
+- [Scenarios](threat-and-vuln-mgt-scenarios.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/update-alert.md b/windows/security/threat-protection/microsoft-defender-atp/update-alert.md
index ca069f5c81..8d6c69ea8d 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/update-alert.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/update-alert.md
@@ -51,7 +51,7 @@ Content-Type | String | application/json. **Required**.
## Request body
-In the request body, supply the values for the relevant fields that should be updated.Existing properties that are not included in the request body will maintain their previous values or be recalculated based on changes to other property values. For best performance you shouldn't include existing values that haven't change.
+In the request body, supply the values for the relevant fields that should be updated. Existing properties that are not included in the request body will maintain their previous values or be recalculated based on changes to other property values. For best performance you shouldn't include existing values that haven't change.
Property | Type | Description
:---|:---|:---
@@ -60,6 +60,7 @@ assignedTo | String | Owner of the alert
classification | String | Specifies the specification of the alert. The property values are: 'Unknown', 'FalsePositive', 'TruePositive'.
determination | String | Specifies the determination of the alert. The property values are: 'NotAvailable', 'Apt', 'Malware', 'SecurityPersonnel', 'SecurityTesting', 'UnwantedSoftware', 'Other'
+[!include[Improve request performance](improve-request-performance.md)]
## Response
If successful, this method returns 200 OK, and the [alert](alerts.md) entity in the response body with the updated properties. If alert with the specified id was not found - 404 Not Found.
@@ -71,8 +72,6 @@ If successful, this method returns 200 OK, and the [alert](alerts.md) entity in
Here is an example of the request.
-[!include[Improve request performance](improve-request-performance.md)]
-
```
PATCH https://api.securitycenter.windows.com/api/alerts/121688558380765161_2136280442
Content-Type: application/json
diff --git a/windows/security/threat-protection/microsoft-defender-atp/use-apis.md b/windows/security/threat-protection/microsoft-defender-atp/use-apis.md
deleted file mode 100644
index 12a8e4cc4e..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/use-apis.md
+++ /dev/null
@@ -1,32 +0,0 @@
----
-title: Microsoft Defender ATP APIs
-ms.reviewer:
-description: Use the exposed data and actions using a set of progammatic APIs that are part of the Microsoft Intelligence Security Graph.
-keywords: apis, api, wdatp, open api, windows defender atp api, public api, alerts, machine, user, domain, ip, file
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-search.appverid: met150
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: ellevin
-author: levinec
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
----
-
-# Microsoft Defender ATP APIs
-
-**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-## In this section
-Topic | Description
-:---|:---
-[Microsoft Defender ATP API overview](apis-intro.md) | Learn how to access Microsoft Defender ATP APIs.
-[Supported Microsoft Defender ATP APIs](exposed-apis-list.md) | Learn more about how you can run API calls to individual supported entities, and details such as HTTP request values, request headers and expected responses. Examples include APIs for [alert resource type](alerts.md), [domain related alerts](get-domain-related-alerts.md), or even actions such as [isolate machine](isolate-machine.md).
-How to use APIs - Samples | Learn how to use Advanced hunting APIs and multiple APIs such as PowerShell. Other examples include [schedule advanced hunting using Microsoft Flow](run-advanced-query-sample-ms-flow.md) or [OData queries](exposed-apis-odata-samples.md).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/use-custom-ti.md b/windows/security/threat-protection/microsoft-defender-atp/use-custom-ti.md
index 9452c634c4..86e1ee7a44 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/use-custom-ti.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/use-custom-ti.md
@@ -26,7 +26,7 @@ ms.date: 04/24/2018
> [!TIP]
> This topic has been deprecated. See [Indicators](ti-indicator.md) for the updated content.
>
-> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-customti-abovefoldlink)
+> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-customti-abovefoldlink)
Understand threat intelligence concepts, then enable the custom threat intelligence application so that you can proceed to create custom threat intelligence alerts that are specific to your organization.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/use.md b/windows/security/threat-protection/microsoft-defender-atp/use.md
index 5b80236d1c..f8b5c0061c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/use.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/use.md
@@ -23,7 +23,7 @@ ms.topic: conceptual
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-usewdatp-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-usewdatp-abovefoldlink)
Microsoft Defender Security Center is the portal where you can access Microsoft Defender Advanced Threat Protection capabilities.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/user-roles.md b/windows/security/threat-protection/microsoft-defender-atp/user-roles.md
index f78005ca01..1e1f628b6b 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/user-roles.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/user-roles.md
@@ -23,7 +23,7 @@ ms.topic: article
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-roles-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-roles-abovefoldlink)
## Create roles and assign the role to an Azure Active Directory group
The following steps guide you on how to create roles in Microsoft Defender Security Center. It assumes that you have already created Azure Active Directory user groups.
@@ -34,31 +34,31 @@ The following steps guide you on how to create roles in Microsoft Defender Secur
3. Enter the role name, description, and permissions you'd like to assign to the role.
- - **Role name**
- - **Description**
- - **Permissions**
- - **View data** - Users can view information in the portal.
- - **Alerts investigation** - Users can manage alerts, initiate automated investigations, collect investigation packages, manage machine tags, and export machine timeline.
- - **Active remediation actions** - Users can take response actions and approve or dismiss pending remediation actions.
- - **Manage portal system settings** - Users can configure storage settings, SIEM and threat intel API settings (applies globally), advanced settings, automated file uploads, roles and machine groups.
-
- >[!NOTE]
- >This setting is only available in the Microsoft Defender ATP administrator (default) role.
+ - **Role name**
+ - **Description**
+ - **Permissions**
+ - **View data** - Users can view information in the portal.
+ - **Alerts investigation** - Users can manage alerts, initiate automated investigations, collect investigation packages, manage machine tags, and export machine timeline.
+ - **Active remediation actions** - Users can take response actions and approve or dismiss pending remediation actions.
+ - **Manage portal system settings** - Users can configure storage settings, SIEM and threat intel API settings (applies globally), advanced settings, automated file uploads, roles and machine groups.
- - **Manage security settings** - Users can configure alert suppression settings, manage allowed/blocked lists for automation, create and manage custom detections, manage folder exclusions for automation, onboard and offboard machines, and manage email notifications.
+ > [!NOTE]
+ > This setting is only available in the Microsoft Defender ATP administrator (default) role.
- - **Live response capabilities** - Users can take basic or advanced live response commands.
- - Basic commands allow users to:
- - Start a live response session
- - Run read only live response commands on a remote machine
- - Advanced commands allow users to:
- - Run basic actions
- - Download a file from the remote machine
- - View a script from the files library
- - Run a script on the remote machine from the files library take read and write commands.
-
- For more information on the available commands, see [Investigate machines using Live response](live-response.md).
-
+ - **Manage security settings** - Users can configure alert suppression settings, manage allowed/blocked lists for automation, create and manage custom detections, manage folder exclusions for automation, onboard and offboard machines, and manage email notifications.
+
+ - **Live response capabilities** - Users can take basic or advanced live response commands.
+ - Basic commands allow users to:
+ - Start a live response session
+ - Run read only live response commands on a remote machine
+ - Advanced commands allow users to:
+ - Run basic actions
+ - Download a file from the remote machine
+ - View a script from the files library
+ - Run a script on the remote machine from the files library take read and write commands.
+
+ For more information on the available commands, see [Investigate machines using Live response](live-response.md).
+
4. Click **Next** to assign the role to an Azure AD group.
5. Use the filter to select the Azure AD group that you'd like to add to this role.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md b/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md
index 994b79b7b6..f8f068cd50 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md
@@ -28,6 +28,16 @@ The following features are generally available (GA) in the latest release of Mic
For more information preview features, see [Preview features](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection).
+
+## September 2019
+- [Live response](live-response.md)
Get instantaneous access to a machine using a remote shell connection. Do in-depth investigative work and take immediate response actions to promptly contain identified threats - real-time.
+
+- [Evaluation lab](evaluation-lab.md)
The Microsoft Defender ATP evaluation lab is designed to eliminate the complexities of machine and environment configuration so that you can
+ focus on evaluating the capabilities of the platform, running simulations, and seeing the prevention, detection, and remediation features in action.
+
+- [Windows Server 2008 R2 SP1](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints#windows-server-2008-r2-sp1--windows-server-2012-r2-and-windows-server-2016)
You can now onboard Windows Server 2008 R2 SP1.
+
+
## June 2019
- [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
A new built-in capability that uses a risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations.
@@ -50,7 +60,7 @@ For more information preview features, see [Preview features](https://docs.micro
## April 2019
- [Microsoft Threat Experts Targeted Attack Notification capability](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts#targeted-attack-notification)
Microsoft Threat Experts' Targeted Attack Notification alerts are tailored to organizations to provide as much information as can be quickly delivered thus bringing attention to critical threats in their network, including the timeline, scope of breach, and the methods of intrusion.
-- [Microsoft Defender ATP API](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use-apis)
Microsoft Defender ATP exposes much of its data and actions through a set of programmatic APIs. Those APIs will enable you to automate workflows and innovate based on Microsoft Defender ATP capabilities.
+- [Microsoft Defender ATP API](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/apis-intro)
Microsoft Defender ATP exposes much of its data and actions through a set of programmatic APIs. Those APIs will enable you to automate workflows and innovate based on Microsoft Defender ATP capabilities.
@@ -79,8 +89,8 @@ For more information preview features, see [Preview features](https://docs.micro
Threat Analytics is a set of interactive reports published by the Microsoft Defender ATP research team as soon as emerging threats and outbreaks are identified. The reports help security operations teams assess impact on their environment and provides recommended actions to contain, increase organizational resilience, and prevent specific threats.
- New in Windows 10 version 1809, there are two new attack surface reduction rules:
- - Block Adobe Reader from creating child processes
- - Block Office communication application from creating child processes.
+ - Block Adobe Reader from creating child processes
+ - Block Office communication application from creating child processes.
- [Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10)
- Antimalware Scan Interface (AMSI) was extended to cover Office VBA macros as well. [Office VBA + AMSI: Parting the veil on malicious macros](https://cloudblogs.microsoft.com/microsoftsecure/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/).
@@ -95,8 +105,8 @@ Query data using Advanced hunting in Microsoft Defender ATP.
- [Attack surface reduction rules](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard)
New attack surface reduction rules:
- - Use advanced protection against ransomware
- - Block credential stealing from the Windows local security authority subsystem (lsass.exe)
+ - Use advanced protection against ransomware
+ - Block credential stealing from the Windows local security authority subsystem (lsass.exe)
- Block process creations originating from PSExec and WMI commands
- Block untrusted and unsigned processes that run from USB
- Block executable content from email client and webmail
diff --git a/windows/security/threat-protection/override-mitigation-options-for-app-related-security-policies.md b/windows/security/threat-protection/override-mitigation-options-for-app-related-security-policies.md
index 00ba76594e..a9b824cade 100644
--- a/windows/security/threat-protection/override-mitigation-options-for-app-related-security-policies.md
+++ b/windows/security/threat-protection/override-mitigation-options-for-app-related-security-policies.md
@@ -1,8 +1,6 @@
-ms.date: 04/19/2017
-ms.reviewer:
-manager: dansimp
-ms.author: dolmont
---
+manager: dansimp
+ms.author: dansimp
title: Override Process Mitigation Options to help enforce app-related security policies (Windows 10)
description: How to use Group Policy to override individual Process Mitigation Options settings and to help enforce specific app-related security policies.
keywords: Process Mitigation Options, Mitigation Options, Group Policy Mitigation Options
@@ -10,7 +8,6 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.pagetype: security
ms.sitesec: library
-
author: dulcemontemayor
ms.localizationpriority: medium
---
diff --git a/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md b/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md
index 3168a333af..25342b7cce 100644
--- a/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md
+++ b/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md
@@ -1,6 +1,6 @@
---
title: Mitigate threats by using Windows 10 security features (Windows 10)
-description: This topic provides an overview of software and firmware threats faced in the current security landscape, and the mitigations that Windows 10 offers in response to these threats.
+description: This topic provides an overview of software and firmware threats faced in the current security landscape, and the mitigations that Windows 10 offers in response to these threats.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
@@ -10,7 +10,7 @@ author: dulcemontemayor
ms.date: 10/13/2017
ms.reviewer:
manager: dansimp
-ms.author: dolmont
+ms.author: dansimp
---
# Mitigate threats by using Windows 10 security features
@@ -106,7 +106,7 @@ Windows Defender Antivirus in Windows 10 uses a multi-pronged approach to improv
For more information, see [Windows Defender in Windows 10](windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md) and [Windows Defender Overview for Windows Server](https://technet.microsoft.com/windows-server-docs/security/windows-defender/windows-defender-overview-windows-server).
-For information about Microsoft Defender Advanced Threat Protection, a service that helps enterprises to detect, investigate, and respond to advanced and targeted attacks on their networks, see [Microsoft Defender Advanced Threat Protection (ATP)](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp) (resources) and [Microsoft Defender Advanced Threat Protection (ATP)](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection) (documentation).
+For information about Microsoft Defender Advanced Threat Protection, a service that helps enterprises to detect, investigate, and respond to advanced and targeted attacks on their networks, see [Microsoft Defender Advanced Threat Protection (ATP)](https://www.microsoft.com/WindowsForBusiness/windows-atp) (resources) and [Microsoft Defender Advanced Threat Protection (ATP)](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection) (documentation).
### Data Execution Prevention
@@ -450,10 +450,10 @@ Microsoft Consulting Services (MCS) and Microsoft Support/Premier Field Engineer
## Related topics
- [Security and Assurance in Windows Server 2016](https://technet.microsoft.com/windows-server-docs/security/security-and-assurance)
-- [Microsoft Defender Advanced Threat Protection (ATP) - resources](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp)
+- [Microsoft Defender Advanced Threat Protection (ATP) - resources](https://www.microsoft.com/WindowsForBusiness/windows-atp)
- [Microsoft Defender Advanced Threat Protection (ATP) - documentation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection)
- [Exchange Online Advanced Threat Protection Service Description](https://technet.microsoft.com/library/exchange-online-advanced-threat-protection-service-description.aspx)
- [Office 365 Advanced Threat Protection](https://products.office.com/en-us/exchange/online-email-threat-protection)
-- [Microsoft Malware Protection Center](https://www.microsoft.com/en-us/security/portal/mmpc/default.aspx)
+- [Microsoft Malware Protection Center](https://www.microsoft.com/security/portal/mmpc/default.aspx)
diff --git a/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md b/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md
index a0f5a549a6..1f3bb33e56 100644
--- a/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md
+++ b/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md
@@ -4,14 +4,13 @@ description: This article details an end-to-end solution that helps you protect
ms.assetid: 45DB1C41-C35D-43C9-A274-3AD5F31FE873
ms.reviewer:
manager: dansimp
-ms.author: dolmont
+ms.author: dansimp
keywords: security, BYOD, malware, device health attestation, mobile
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security, devices
author: dulcemontemayor
-
ms.date: 10/13/2017
ms.localizationpriority: medium
---
diff --git a/windows/security/threat-protection/security-compliance-toolkit-10.md b/windows/security/threat-protection/security-compliance-toolkit-10.md
index c2c3f86318..8ce51363fd 100644
--- a/windows/security/threat-protection/security-compliance-toolkit-10.md
+++ b/windows/security/threat-protection/security-compliance-toolkit-10.md
@@ -5,7 +5,7 @@ keywords: virtualization, security, malware
ms.prod: w10
ms.mktglfcycl: deploy
ms.localizationpriority: medium
-ms.author: dolmont
+ms.author: dansimp
author: dulcemontemayor
manager: dansimp
audience: ITPro
@@ -49,7 +49,7 @@ The Security Compliance Toolkit consists of:
- Local Group Policy Object (LGPO) tool
-You can [download the tools](https://www.microsoft.com/download/details.aspx?id=55319) along with the baselines for the relevant Windows versions. For more details about security baseline recommendations, see the [Microsoft Security Guidance blog](https://blogs.technet.microsoft.com/secguide/).
+You can [download the tools](https://www.microsoft.com/download/details.aspx?id=55319) along with the baselines for the relevant Windows versions. For more details about security baseline recommendations, see the [Microsoft Security Guidance blog](https://techcommunity.microsoft.com/t5/Microsoft-Security-Baselines/bg-p/Microsoft-Security-Baselines).
## What is the Policy Analyzer tool?
diff --git a/windows/security/threat-protection/security-policy-settings/audit-audit-the-access-of-global-system-objects.md b/windows/security/threat-protection/security-policy-settings/audit-audit-the-access-of-global-system-objects.md
index 4fcca719b6..ef5a46869a 100644
--- a/windows/security/threat-protection/security-policy-settings/audit-audit-the-access-of-global-system-objects.md
+++ b/windows/security/threat-protection/security-policy-settings/audit-audit-the-access-of-global-system-objects.md
@@ -102,7 +102,7 @@ If the [Audit Kernel Object](../auditing/audit-kernel-object.md) setting is conf
| 565 | Access was granted to an already existing object type. |
| 567 | A permission associated with a handle was used.
**Note:** A handle is created with certain granted permissions (Read, Write, and so on). When the handle is used, up to one audit is generated for each of the permissions that was used. |
| 569 | The resource manager in Authorization Manager attempted to create a client context. |
-| 570 | A client attempted to access an object.
**Note: ** An event will be generated for every attempted operation on the object. |
+| 570 | A client attempted to access an object.
**Note:** An event will be generated for every attempted operation on the object. |
## Security considerations
diff --git a/windows/security/threat-protection/security-policy-settings/bypass-traverse-checking.md b/windows/security/threat-protection/security-policy-settings/bypass-traverse-checking.md
index a485a13590..af394cc02a 100644
--- a/windows/security/threat-protection/security-policy-settings/bypass-traverse-checking.md
+++ b/windows/security/threat-protection/security-policy-settings/bypass-traverse-checking.md
@@ -22,7 +22,7 @@ ms.date: 04/19/2017
**Applies to**
- Windows 10
->Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare).
+>Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/WindowsForBusiness/Compare).
Describes the best practices, location, values, policy management, and security considerations for the **Bypass traverse checking** security policy setting.
diff --git a/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age.md b/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age.md
index b4f0324679..3aa61ca9b4 100644
--- a/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age.md
+++ b/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age.md
@@ -76,7 +76,7 @@ This section describes how an attacker might exploit a feature or its configurat
### Vulnerability
-By default, the domain members submit a password change every 30 days. If you increase this interval significantly, or set it to 0 so that the computers no longer submit a password change, an attacker has more time to undertake a brute-force attack to guess the password of one or more computer accounts.
+By default, the domain members submit a password change every 30 days. If you increase this interval significantly so that the computers no longer submit a password change, an attacker has more time to undertake a brute-force attack to guess the password of one or more computer accounts.
### Countermeasure
diff --git a/windows/security/threat-protection/security-policy-settings/maximum-password-age.md b/windows/security/threat-protection/security-policy-settings/maximum-password-age.md
index 00c2b3a1a2..2e2b5f172a 100644
--- a/windows/security/threat-protection/security-policy-settings/maximum-password-age.md
+++ b/windows/security/threat-protection/security-policy-settings/maximum-password-age.md
@@ -74,7 +74,7 @@ The longer a password exists, the higher the likelihood that it will be compromi
### Considerations
-Mandated password changes are a long-standing security practice, but current research strongly indicates that password expiration has a negative effect. See [Microsoft Password Guidance](https://www.microsoft.com/en-us/research/publication/password-guidance/) for further information.
+Mandated password changes are a long-standing security practice, but current research strongly indicates that password expiration has a negative effect. See [Microsoft Password Guidance](https://www.microsoft.com/research/publication/password-guidance/) for further information.
Configure the **Maximum password age** policy setting to a value that is suitable for your organization's business requirements. For example, many organisations have compliance or insurance mandates requiring a short lifespan on passwords. Where such a requirement exists, the **Maximum password age** policy setting can be used to meet business requirements.
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md b/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md
index 8a376e6b4f..d3d0816760 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md
@@ -35,14 +35,13 @@ The following table lists and explains the allowed encryption types.
| Encryption type | Description and version support |
| - | - |
-| DES_CBC_CRC | Data Encryption Standard with Cipher Block Chaining using the Cyclic Redundancy Check function
Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. The Windows 7, Windows 10 and Windows Server 2008 R2 operating systems do not support DES| by default.
+| DES_CBC_CRC | Data Encryption Standard with Cipher Block Chaining using the Cyclic Redundancy Check function
Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. The Windows 7, Windows 10 and Windows Server 2008 R2 operating systems do not support DES by default. |
| DES_CBC_MD5| Data Encryption Standard with Cipher Block Chaining using the Message-Digest algorithm 5 checksum function
Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. The Windows 7, Windows 10 and Windows Server 2008 R2 operating systems do not support DES by default. |
| RC4_HMAC_MD5| Rivest Cipher 4 with Hashed Message Authentication Code using the Message-Digest algorithm 5 checksum function
Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows 10 and Windows Server 2008 R2.|
| AES128_HMAC_SHA1| Advanced Encryption Standard in 128 bit cipher block with Hashed Message Authentication Code using the Secure Hash Algorithm (1).
Not supported in Windows 2000 Server, Windows XP, or Windows Server 2003. Supported in Windows Vista, Windows Server 2008, Windows 7, Windows 10 and Windows Server 2008 R2. |
| AES256_HMAC_SHA1| Advanced Encryption Standard in 256 bit cipher block with Hashed Message Authentication Code using the Secure Hash Algorithm (1).
Not supported in Windows 2000 Server, Windows XP, or Windows Server 2003. Supported in Windows Vista, Windows Server 2008, Windows 7, Windows 10 and Windows Server 2008 R2. |
| Future encryption types| Reserved by Microsoft for additional encryption types that might be implemented.|
-
-
+
### Possible values
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md b/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md
index 9bcc029641..4b653cf263 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md
@@ -65,7 +65,7 @@ This section describes features and tools that are available to help you manage
None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy.
-### Policy dependencies
+### Policy dependencies
The settings for this security policy are dependent on the [Network security: LAN Manager authentication level](network-security-lan-manager-authentication-level.md) setting value.
diff --git a/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md b/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md
index 44a4ae63d3..51ff05189a 100644
--- a/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md
+++ b/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md
@@ -4,7 +4,7 @@ description: Learn about an approach to collect events from devices in your orga
ms.assetid: 733263E5-7FD1-45D2-914A-184B9E3E6A3F
ms.reviewer:
manager: dansimp
-ms.author: dolmont
+ms.author: dansimp
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
@@ -413,7 +413,7 @@ Here are the minimum steps for WEF to operate:
## Appendix E – Annotated baseline subscription event query
-``` syntax
+```xml
](../images/ua-cg-15.png){kind=link}