Merge remote-tracking branch 'refs/remotes/origin/master' into live

windows/deploy/upgrade-analytics-get-started.md

@@ -117,7 +117,7 @@ To ensure that user computers are receiving the most up to date data from Micros
 
 To automate many of the steps outlined above and to troubleshoot data sharing issues, you can run the [Upgrade Analytics deployment script](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409), developed by Microsoft.
 
-> The following guidance applies to version 11.30.16 or later of the Upgrade Analytics deployment script. If you are using an older version, please download the latest from [Download Center](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409).
+> The following guidance applies to version 11.11.16 or later of the Upgrade Analytics deployment script. If you are using an older version, please download the latest from [Download Center](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409).
 
 The Upgrade Analytics deployment script does the following:
 

windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md

@@ -51,6 +51,10 @@ You can use System Center Configuration Manager’s existing functionality to cr
 
     a. Choose a predefined device collection to deploy the package to.
 
+> [!NOTE]
+> Onboarding couldn't be completed during Out-Of-Box Experience (OOBE). Make sure users pass OOBE after running Windows installation or upgrading.
+
+
 ### Configure sample collection settings
 For each endpoint, you can set a configuration value to state whether samples can be collected from the endpoint when a request is made through the Windows Defender ATP portal to submit a file for deep analysis.
 

windows/keep-secure/implement-microsoft-passport-in-your-organization.md

@@ -20,9 +20,9 @@ localizationpriority: high
 You can create a Group Policy or mobile device management (MDM) policy that will implement Windows Hello on devices running Windows 10.
 
 >[!IMPORTANT]
->The Group Policy setting **Turn on PIN sign-in** does not apply to Windows Hello for Business. It still prevents or enables the creation of a convenience PIN for Windows 10, version 1507 and 1511. 
+>The Group Policy setting **Turn on PIN sign-in** does not apply to Windows Hello for Business. Use the **Turn on PIN sign-in** setting to allow or deny the use of a convenience PIN for Windows 10, versions 1507, 1511, and 1607. 
 >
->Beginning in version 1607, Windows Hello as a convenience PIN is disabled by default on all domain-joined computers. To enable a convenience PIN for Windows 10, version 1607, enable the Group Policy setting **Turn on convenience PIN sign-in**. 
+>Beginning in version 1607, Windows Hello as a convenience PIN is disabled by default on all domain-joined computers. To enable a convenience PIN for Windows 10, version 1607, enable the Group Policy setting **Turn on convenience PIN sign-in**. Learn more in the blog post [Changes to Convenience PIN/Windows Hello Behavior in Windows 10, version 1607](https://blogs.technet.microsoft.com/ash/2016/08/13/changes-to-convenience-pin-and-thus-windows-hello-behaviour-in-windows-10-version-1607/).
 >
 >Use **Windows Hello for Business** policy settings to manage PINs for Windows Hello for Business.
  

windows/keep-secure/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md

@@ -364,7 +364,7 @@ The following table details the hardware requirements for both virtualization-ba
 <td align="left"><p>Support for the IOMMU in Windows 10 enhances system resiliency against DMA attacks.</p></td>
 </tr>
 <tr class="odd">
-<td align="left"><p>Trusted Platform Module (TPM) 2.0</p></td>
+<td align="left"><p>Trusted Platform Module (TPM) </p></td>
 <td align="left"><p>Required to support health attestation and necessary for additional key protections for virtualization-based security.</p></td>
 </tr>
 </tbody>
@@ -455,7 +455,7 @@ The device health attestation solution involves different components that are TP
 
 ### <a href="" id="trusted-platform-module-"></a>Trusted Platform Module
 
-*It’s all about TPM 2.0 and endorsement certificates.* This section describes how PCRs (that contain system configuration data), endorsement key (EK) (that act as an identity card for TPM), SRK (that protect keys) and AIKs (that can report platform state) are used for health attestation reporting.
+This section describes how PCRs (that contain system configuration data), endorsement key (EK) (that act as an identity card for TPM), SRK (that protect keys) and AIKs (that can report platform state) are used for health attestation reporting.
 
 In a simplified manner, the TPM is a passive component with limited resources. It can calculate random numbers, RSA keys, decrypt short data, store hashes taken when booting the device.
 

windows/keep-secure/windows-defender-block-at-first-sight.md

@@ -30,6 +30,9 @@ It is enabled by default when certain pre-requisite settings are also enabled. I
 
 When a Windows Defender client encounters a suspicious but undetected file, it queries our cloud protection backend. The cloud backend will apply heuristics, machine learning, and automated analysis of the file to determine the files as malicious or clean.
 
+> [!NOTE]
+> The Block at first sight feature only use the cloud protection backend for executable files that are downloaded from the Internet, or originating from the Internet zone. A hash value of the EXE file is checked via the cloud backend to determine if this is a previously undetected file.
+
 If the cloud backend is unable to make a determination, the file will be locked by Windows Defender while a copy is uploaded to the cloud. Only after the cloud has received the file will Windows Defender release the lock and let the file run. The cloud will perform additional analysis to reach a determination, blocking all future encounters of that file. 
 
 In many cases this process can reduce the response time to new malware from hours to seconds.