diff --git a/.acrolinx-config.edn b/.acrolinx-config.edn index 61cb120716..ca2b15930d 100644 --- a/.acrolinx-config.edn +++ b/.acrolinx-config.edn @@ -1,6 +1,21 @@ {:allowed-branchname-matches ["master"] :allowed-filename-matches ["windows/"] + :targets + { + :counts { + ;;:spelling 10 + ;;:grammar 3 + ;;:total 15 ;; absolute flag count but i don't know the difference between this and issues + ;;:issues 15 ;; coming from the platform, will need to be tested. + } + :scores { + ;;:terminology 100 + :qualityscore 65 ;; Confirmed with Hugo that you just comment out the single score and leave the structure in place + ;;:spelling 40 + } + } + :guidance-profile "d2b6c2c8-00ee-47f1-8d10-b280cc3434c1" ;; Profile ID for "M365-specific" :acrolinx-check-settings @@ -12,7 +27,7 @@ "TERMINOLOGY_VALID" "VOICE_GUIDANCE" ] - "termSetNames" ["M365"] + "termSetNames" ["M365" "Products" "Microsoft"] } :template-header @@ -20,7 +35,15 @@ " ## Acrolinx Scorecards -**A minimum Acrolinx score of 20 is required.** +**The minimum Acrolinx topic score of 65 is required for all MARVEL content merged to the default branch.** + +If you need a scoring exception for content in this PR, add the *Sign off* and the *Acrolinx exception* labels to the PR. The PubOps Team will review the exception request and may take one or more of the following actions: + +- Work with you to resolve the issues requiring the exception. +- Escalate the exception request to the Acrolinx Review Team for review. +- Approve the exception and work with the GitHub Admin Team to merge the PR to the default branch. + +For more information about the exception criteria and exception process, see [Minimum Acrolinx topic scores for publishing](https://review.docs.microsoft.com/en-us/office-authoring-guide/acrolinx-min-score?branch=master). Click the scorecard links for each article to review the Acrolinx feedback on grammar, spelling, punctuation, writing style, and terminology: 
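Review bot: The new `:targets` map in the first hunk carries working notes rather than documentation: `;; absolute flag count but i don't know the difference between this and issues` and `;; coming from the platform, will need to be tested.` do not tell the next maintainer which keys are supported. Every key under `:counts` is commented out, so that map is empty and `:qualityscore 65` is the only active threshold. A comment such as `;; only :qualityscore is enforced; the :counts thresholds stay disabled until they have been tested` would say that directly. The note on `:qualityscore` cites a person; a pointer to the tool's configuration reference could be re-checked later.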
@@ -36,6 +59,6 @@ Click the scorecard links for each article to review the Acrolinx feedback on gr " **More info about Acrolinx** -We have set the minimum score to 20. This is effectively *not* setting a minimum score. If you need to bypass this score, please contact MARVEL PubOps. +Use the Acrolinx extension, or sidebar, in Visual Studio Code to check spelling, grammar, style, tone, clarity, and key terminology when you're creating or updating content. For more information, see [Use the Visual Studio Code extension to run Acrolinx locally](https://review.docs.microsoft.com/en-us/office-authoring-guide/acrolinx-vscode?branch=master). " } diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index c77fa4d405..7fbbafce4f 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -8,7 +8,7 @@ { "source_path": "devices/hololens/hololens-whats-new.md", "redirect_url": "https://docs.microsoft.com/hololens/hololens-release-notes", - "redirect_document_id": true + "redirect_document_id": false }, { "source_path": "devices/hololens/hololens-upgrade-enterprise.md", @@ -28,7 +28,7 @@ { "source_path": "devices/hololens/hololens-setup.md", "redirect_url": "https://docs.microsoft.com/hololens/hololens1-setup", - "redirect_document_id": true + "redirect_document_id": false }, { "source_path": "devices/hololens/hololens-use-apps.md", 
@@ -38,17 +38,17 @@
 {
 "source_path": "devices/hololens/hololens-get-apps.md",
 "redirect_url": "https://docs.microsoft.com/hololens/holographic-store-apps",
- "redirect_document_id": true
+ "redirect_document_id": false
 },
 {
 "source_path": "devices/hololens/hololens-spaces-on-hololens.md",
 "redirect_url": "https://docs.microsoft.com/hololens/hololens-spaces",
- "redirect_document_id": true
+ "redirect_document_id": false
 },
 {
 "source_path": "devices/hololens/hololens-clicker.md",
 "redirect_url": "https://docs.microsoft.com/hololens/hololens1-clicker",
- "redirect_document_id": true
+ "redirect_document_id": false
 },
 {
 "source_path": "devices/hololens/hololens-clicker-restart-recover.md",
@@ -108,7 +108,7 @@
 {
 "source_path": "windows/security/threat-protection/windows-defender-atp/how-hardware-based-containers-help-protect-windows.md",
 "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-containers-help-protect-windows",
- "redirect_document_id": true
+ "redirect_document_id": false
 },
 {
 "source_path": "browsers/edge/enterprise-guidance-using-microsoft-edge-and-ie11.md",
@@ -173,12 +173,12 @@
 {
 "source_path": "windows/deployment/update/waas-windows-insider-for-business-aad.md",
 "redirect_url": "https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-add",
- "redirect_document_id": true
+ "redirect_document_id": false
 },
 {
 "source_path": "windows/deployment/update/waas-windows-insider-for-business-faq.md",
 "redirect_url": "https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-get-started",
- "redirect_document_id": true
+ "redirect_document_id": false
 },
 {
 "source_path": "windows/security/identity-protection/how-hardware-based-containers-help-protect-windows.md",
@@ -857,7 +857,12 @@
 },
 {
 "source_path": "windows/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md",
- "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/emet-exploit-protection",
+ "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/exploit-protection",
+ "redirect_document_id": true
+ },
+ {
+ "source_path": "windows/security/threat-protection/microsoft-defender-atp/emet-exploit-protection.md",
+ "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/exploit-protection",
 "redirect_document_id": true
 },
 {
@@ -1205,11 +1210,6 @@
 "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-attack-surface-reduction",
 "redirect_document_id": true
 },
- {
- "source_path": "windows/security/threat-protection/windows-defender-atp/configuration-score.md",
- "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configuration-score",
- "redirect_document_id": false
- },
 {
 "source_path": "windows/security/threat-protection/windows-defender-atp/configure-conditional-access-windows-defender-advanced-threat-protection.md",
 "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-conditional-access",
@@ -1430,11 +1430,6 @@
 "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators",
 "redirect_document_id": false
 },
- {
- "source_path": "windows/security/threat-protection/windows-defender-atp/enable-security-analytics-windows-defender-advanced-threat-protection.md",
- "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/enable-secure-score-windows-defender-advanced-threat-protection",
- "redirect_document_id": true
- },
 {
 "source_path": "windows/keep-secure/configure-aad-windows-defender-advanced-threat-protection.md",
 "redirect_url": "https://docs.microsoft.com/windows/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection",
@@ -1785,6 +1780,21 @@
 "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-hardware-based-isolation",
 "redirect_document_id": true
 },
+ {
+ "source_path": "windows/security/threat-protection/windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection.md",
+ "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection",
+ "redirect_document_id": true
+ },
+ {
+ "source_path": "windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection.md",
+ "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/secure-score-dashboard",
+ "redirect_document_id": true
+ },
+ {
+ "source_path": "windows/security/threat-protection/windows-defender-atp/enable-security-analytics-windows-defender-advanced-threat-protection.md",
+ "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/enable-secure-score-windows-defender-advanced-threat-protection",
+ "redirect_document_id": true
+ },
 {
 "source_path": "windows/security/threat-protection/windows-defender-atp/overview-secure-score-windows-defender-advanced-threat-protection.md",
 "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score",
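Review bot: The entries added here form a multi-hop chain instead of pointing at the final page. `security-analytics-dashboard-…` targets `windows-defender-atp/secure-score-dashboard-…`, which the next entry sends to `microsoft-defender-atp/secure-score-dashboard`; the `@@ -1795` hunk then shows that page redirected to `microsoft-defender-atp/configuration-score`, and adds a redirect from `configuration-score.md` to `tvm-microsoft-secure-score-devices`. The same applies in the `@@ -1795` hunk to the `secure-score-dashboard.md` and `windows-defender-atp/configuration-score.md` entries, which still target `.../configuration-score`. Setting each of these to `"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-microsoft-secure-score-devices"` removes the intermediate hops and makes an accidental loop in later edits easier to spot. Whether the publishing system collapses chains on its own is not visible from this diff.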
@@ -1795,11 +1805,26 @@
 "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configuration-score",
 "redirect_document_id": true
 },
+ {
+ "source_path": "windows/security/threat-protection/microsoft-defender-atp/configuration-score.md",
+ "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-microsoft-secure-score-devices",
+ "redirect_document_id": true
+ },
 {
 "source_path": "windows/security/threat-protection/microsoft-defender-atp/secure-score-dashboard.md",
 "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configuration-score",
 "redirect_document_id": false
 },
+ {
+ "source_path": "windows/security/threat-protection/microsoft-defender-atp/enable-secure-score.md",
+ "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-microsoft-secure-score-devices",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/windows-defender-atp/configuration-score.md",
+ "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configuration-score",
+ "redirect_document_id": false
+ },
 {
 "source_path": "windows/security/threat-protection/windows-defender-atp/partner-applications.md",
 "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/partner-applications",
@@ -1824,6 +1849,11 @@
 "source_path": "windows/security/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md",
 "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/powerbi-reports",
 "redirect_document_id": true
+ },
+ {
+ "source_path": "windows/security/threat-protection/windows-defender-atp/powerbi-reports.md",
+ "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/api-power-bi",
+ "redirect_document_id": true
 },
 {
 "source_path": "windows/threat-protection/windows-defender-atp/powershell-example-code-windows-defender-advanced-threat-protection.md",
@@ -1970,16 +2000,6 @@
 "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/run-detection-test",
 "redirect_document_id": true
 },
- {
- "source_path": "windows/security/threat-protection/windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection.md",
- "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection",
- "redirect_document_id": true
- },
- {
- "source_path": "windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection.md",
- "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/secure-score-dashboard",
- "redirect_document_id": true
- },
 {
 "source_path": "windows/security/threat-protection/windows-defender-atp/dashboard-windows-defender-advanced-threat-protection.md",
 "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/security-operations-dashboard-windows-defender-advanced-threat-protection",
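Review bot: The added entry's `source_path` is under `windows-defender-atp/`, but the entry just above it sends the old article to `microsoft-defender-atp/powerbi-reports`, so the page being retired in favour of `api-power-bi` is probably the one under `microsoft-defender-atp/`. If that is the case the line should read `"source_path": "windows/security/threat-protection/microsoft-defender-atp/powerbi-reports.md",`; as written, the earlier entry keeps redirecting to a URL that nothing in this hunk forwards. This is inferred from the neighbouring entry, so confirm which file was actually removed.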
@@ -2511,9 +2531,9 @@
 "redirect_document_id": true
 },
 {
- "source_path": "windows/threat-protection/wannacrypt-ransomware-worm-targets-out-of-date-systems-wdsi.md",
+ "source_path": "windows/security/threat-protection/wannacrypt-ransomware-worm-targets-out-of-date-systems-wdsi.md",
 "redirect_url": "https://www.microsoft.com/security/blog/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/",
- "redirect_document_id": true
+ "redirect_document_id": false
 },
 {
 "source_path": "windows/threat-protection/windows-defender-application-control.md",
@@ -6213,27 +6233,27 @@
 {
 "source_path": "devices/surface/surface-diagnostic-toolkit.md",
 "redirect_url": "https://docs.microsoft.com/surface/index",
- "redirect_document_id": true
+ "redirect_document_id": false
 },
 {
 "source_path": "devices/surface/manage-surface-dock-firmware-updates.md",
 "redirect_url": "https://docs.microsoft.com/surface/indexdevices/surface/update",
- "redirect_document_id": true
+ "redirect_document_id": false
 },
 {
 "source_path": "devices/surface-hub/i-am-done-finishing-your-surface-hub-meeting.md",
 "redirect_url": "https://docs.microsoft.com/surface-hub/finishing-your-surface-hub-meeting",
- "redirect_document_id": true
+ "redirect_document_id": false
 },
 {
 "source_path": "devices/hololens/hololens-microsoft-layout-app.md",
 "redirect_url": "https://docs.microsoft.com/hololens/hololens-microsoft-dynamics-365-layout-app",
- "redirect_document_id": true
+ "redirect_document_id": false
 },
 {
 "source_path": "devices/hololens/hololens-microsoft-dynamics-365-layout-app.md",
 "redirect_url": "https://docs.microsoft.com/dynamics365/mixed-reality/layout/",
- "redirect_document_id": true
+ "redirect_document_id": false
 },
 {
 "source_path": "devices/hololens/hololens-microsoft-remote-assist-app.md",
diff --git a/browsers/edge/about-microsoft-edge.md b/browsers/edge/about-microsoft-edge.md
index e2453e5990..e0085148dd 100644
--- a/browsers/edge/about-microsoft-edge.md
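Review bot: Editing `source_path` in place from `windows/threat-protection/wannacrypt-…-wdsi.md` to `windows/security/threat-protection/wannacrypt-…-wdsi.md` drops the redirect for the old location unless an entry outside this hunk covers it. This is a security advisory that older links may still reference, so keeping the original object and adding the `windows/security/…` path as a second entry would preserve both. If the old path is already handled elsewhere in the file, a short mention in the commit description would settle it.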
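Review bot: The target for `devices/surface/manage-surface-dock-firmware-updates.md` is `https://docs.microsoft.com/surface/indexdevices/surface/update`, which reads like two paths pasted together (`surface/index` followed by `devices/surface/update`). That line is unchanged context, but this commit edits `redirect_document_id` in the same object, so it is a natural point to correct the URL. The intended destination cannot be determined from the diff and needs to be confirmed against the Surface docs set.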
+++ b/browsers/edge/about-microsoft-edge.md @@ -11,7 +11,6 @@ ms.prod: edge ms.mktglfcycl: general ms.topic: reference ms.sitesec: library -title: Microsoft Edge for IT Pros ms.localizationpriority: medium ms.date: 10/02/2018 --- diff --git a/browsers/edge/group-policies/index.yml b/browsers/edge/group-policies/index.yml index f55040beb3..8fb16843d8 100644 --- a/browsers/edge/group-policies/index.yml +++ b/browsers/edge/group-policies/index.yml 
@@ -1,229 +1,80 @@ -### YamlMime:YamlDocument +### YamlMime:Landing -documentType: LandingData - -title: Microsoft Edge Legacy group policies +title: Microsoft Edge Legacy group policies # < 60 chars +summary: Microsoft Edge Legacy works with Group Policy and Microsoft Intune to help you manage your organization's computer settings. Group Policy objects (GPOs) can include registry-based Administrative Template policy settings, security settings, software deployment information, scripts, folder redirection, and preferences. # < 160 chars metadata: - - title: Microsoft Edge Legacy group policies - - description: Learn how to configure group policies in Microsoft Edge Legacy on Windows 10. - - text: Some of the features in Microsoft Edge Legacy gives you the ability to set a custom URL for the New Tab page or Home button. Another new feature allows you to hide or show the Favorites bar, giving you more control over the favorites bar. (To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](https://docs.microsoft.com/DeployEdge/).) - + title: Microsoft Edge Legacy # Required; page title displayed in search results. Include the brand. < 60 chars. + description: Find the tools and resources you need to help deploy and use Microsoft Edge in your organization. # Required; article description that is displayed in search results. < 160 chars. keywords: Microsoft Edge Legacy, Windows 10, Windows 10 Mobile - ms.localizationpriority: medium - + ms.prod: edge author: shortpatti - ms.author: pashort - - ms.date: 10/02/2018 - - ms.topic: article - + ms.topic: landing-page ms.devlang: na - -sections: - -- title: - -- items: - - - type: markdown - - text: (Note - You've reached the documentation for Microsoft Edge version 45 and earlier. To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](https://docs.microsoft.com/DeployEdge/).) 
Microsoft Edge Legacy works with Group Policy and Microsoft Intune to help you manage your organization's computer settings. Group Policy objects (GPOs) can include registry-based Administrative Template policy settings, security settings, software deployment information, scripts, folder redirection, and preferences. - -- items: - - - type: list - - style: cards - - className: cardsE - - columns: 3 - - items: - - - href: https://docs.microsoft.com/microsoft-edge/deploy/group-policies/address-bar-settings-gp - - html:

Learn how you can configure Microsoft Edge to show search suggestions in the address bar.

- - image: - - src: https://docs.microsoft.com/media/common/i_http.svg - - title: Address bar - - - href: https://docs.microsoft.com/microsoft-edge/deploy/group-policies/adobe-settings-gp - - html:

Learn how you can configure Microsoft Edge to load Adobe Flash content automatically.

- - image: - - src: https://docs.microsoft.com/media/common/i_setup.svg - - title: Adobe Flash - - - href: https://docs.microsoft.com/microsoft-edge/deploy/group-policies/books-library-management-gp - - html:

Learn how you can set up and use the books library, such as using a shared books folder for students and teachers.

- - image: - - src: https://docs.microsoft.com/media/common/i_library.svg - - title: Books Library - - - href: https://docs.microsoft.com/microsoft-edge/deploy/group-policies/browser-settings-management-gp - - html:

Learn how you can customize the browser settings, such as printing and saving browsing history, plus more.

- - image: - - src: https://docs.microsoft.com/media/common/i_management.svg - - title: Browser experience - - - href: https://docs.microsoft.com/microsoft-edge/deploy/group-policies/developer-settings-gp - - html:

Learn how to configure Microsoft Edge for development and testing.

- - image: - - src: https://docs.microsoft.com/media/common/i_config-tools.svg - - title: Developer tools - - - href: https://docs.microsoft.com/microsoft-edge/deploy/group-policies/extensions-management-gp - - html:

Learn how you can configure Microsoft Edge to either prevent or allow users to install and run unverified extensions.

- - image: - - src: https://docs.microsoft.com/media/common/i_extensions.svg - - title: Extensions - - - href: https://docs.microsoft.com/microsoft-edge/deploy/group-policies/favorites-management-gp - - html:

Learn how you can provision a standard favorites list as well as keep the favorites lists in sync between IE11 and Microsoft Edge.

- - image: - - src: https://docs.microsoft.com/media/common/i_link.svg - - title: Favorites - - - href: https://docs.microsoft.com/microsoft-edge/deploy/group-policies/home-button-gp - - html:

Learn how you can customize the home button or hide it.

- - image: - - src: https://docs.microsoft.com/media/common/i_setup.svg - - title: Home button - - - href: https://docs.microsoft.com/microsoft-edge/deploy/group-policies/interoperability-enterprise-guidance-gp - - html:

Learn how you use Microsoft Edge and Internet Explorer together for a full browsing experience.

- - image: - - src: https://docs.microsoft.com/media/common/i_management.svg - - title: Interoperability and enterprise guidance - - - href: https://docs.microsoft.com/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy - - html:

Learn how Microsoft Edge kiosk mode works with assigned access to let IT administrators create a tailored browsing experience designed for kiosk devices.

- - image: - - src: https://docs.microsoft.com/media/common/i_categorize.svg - - title: Kiosk mode deployment in Microsoft Edge - - - href: https://docs.microsoft.com/microsoft-edge/deploy/group-policies/new-tab-page-settings-gp - - html:

Learn how to configure the New Tab page in Microsoft Edge.

- - image: - - src: https://docs.microsoft.com/media/common/i_setup.svg - - title: New Tab page - - - href: https://docs.microsoft.com/microsoft-edge/deploy/group-policies/prelaunch-preload-gp - - html:

Learn how pre-launching helps the performance of Microsoft Edge and minimizes the amount of time required to start up Microsoft Edge.

- - image: - - src: https://docs.microsoft.com/media/common/i_setup.svg - - title: Prelaunch Microsoft Edge and preload tabs - - - href: https://docs.microsoft.com/microsoft-edge/deploy/group-policies/search-engine-customization-gp - - html:

Learn how you can set the default search engine and configure additional ones.

- - image: - - src: https://docs.microsoft.com/media/common/i_search.svg - - title: Search engine customization - - - href: https://docs.microsoft.com/microsoft-edge/deploy/group-policies/security-privacy-management-gp - - html:

Learn how you can keep your environment and users safe from attacks.

- - image: - - src: https://docs.microsoft.com/media/common/i_security-management.svg - - title: Security and privacy - - - href: https://docs.microsoft.com/microsoft-edge/deploy/group-policies/start-pages-gp - - html:

Learn how to configure the Start pages in Microsoft Edge.

- - image: - - src: https://docs.microsoft.com/media/common/i_setup.svg - - title: Start page - - - href: https://docs.microsoft.com/microsoft-edge/deploy/group-policies/sync-browser-settings-gp - - html:

Learn how to you can prevent the "browser" group from syncing and prevent users from turning on the Sync your Settings toggle.

- - image: - - src: https://docs.microsoft.com/media/common/i_sync.svg - - title: Sync browser - - - href: https://docs.microsoft.com/microsoft-edge/deploy/group-policies/telemetry-management-gp - - html:

Learn how you can configure Microsoft Edge to collect certain data.

- - image: - - src: https://docs.microsoft.com/media/common/i_data-collection.svg - - title: Telemetry and data collection - - - href: https://docs.microsoft.com/microsoft-edge/deploy/available-policies - - html:

View all available group policies for Microsoft Edge on Windows 10.

- - image: - - src: https://docs.microsoft.com/media/common/i_policy.svg - - title: All group policies + ms.date: 08/28/2020 #Required; mm/dd/yyyy format. + +# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | sample | tutorial | video | whats-new + +landingContent: +# Cards and links should be based on top customer tasks or top subjects +# Start card title with a verb + # Card (optional) + - title: What's new + linkLists: + - linkListType: whats-new + links: + - text: Documentation for Microsoft Edge version 77 or later + url: https://docs.microsoft.com/DeployEdge/ + - text: Microsoft Edge Legacy desktop app will reach end of support on March 9, 2021 + url: https://techcommunity.microsoft.com/t5/microsoft-365-blog/microsoft-365-apps-say-farewell-to-internet-explorer-11-and/ba-p/1591666 + + # Card (optional) + - title: Group policies configure guidance part 1 + linkLists: + - linkListType: reference + links: + - text: All group policies + url: /microsoft-edge/deploy/available-policies + - text: Address bar + url: /microsoft-edge/deploy/group-policies/address-bar-settings-gp + - text: Adobe Flash + url: /microsoft-edge/deploy/group-policies/adobe-settings-gp + - text: Books Library + url: /microsoft-edge/deploy/group-policies/books-library-management-gp + - text: Browser experience + url: /microsoft-edge/deploy/group-policies/browser-settings-management-gp + - text: Developer tools + url: /microsoft-edge/deploy/group-policies/developer-settings-gp + - text: Extensions + url: /microsoft-edge/deploy/group-policies/extensions-management-gp + - text: Favorites + url: /microsoft-edge/deploy/group-policies/favorites-management-gp + - text: Home button + url: /microsoft-edge/deploy/group-policies/home-button-gp + + # Card (optional) + - title: Group policies configure guidance part 2 + linkLists: + - linkListType: reference + links: + - text: Interoperability and enterprise mode + url: 
/microsoft-edge/deploy/group-policies/interoperability-enterprise-guidance-gp + - text: New Tab page + url: /microsoft-edge/deploy/group-policies/new-tab-page-settings-gp + - text: Kiosk mode deployment in Microsoft Edge + url: /microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy + - text: Prelaunch Microsoft Edge and preload tabs + url: /microsoft-edge/deploy/group-policies/prelaunch-preload-gp + - text: Search engine customization + url: /microsoft-edge/deploy/group-policies/search-engine-customization-gp + - text: Security and privacy + url: /microsoft-edge/deploy/group-policies/security-privacy-management-gp + - text: Start page + url: /microsoft-edge/deploy/group-policies/start-pages-gp + - text: Sync browser + url: /microsoft-edge/deploy/group-policies/sync-browser-settings-gp + - text: Telemetry and data collection + url: /microsoft-edge/deploy/group-policies/telemetry-management-gp + diff --git a/browsers/edge/index.yml b/browsers/edge/index.yml index 5661ce3fba..0533a4dcb2 100644 --- a/browsers/edge/index.yml +++ b/browsers/edge/index.yml 
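Review bot: The new `metadata` block looks copied from the product landing page rather than written for this one: `title: Microsoft Edge Legacy` and `description: Find the tools and resources you need to help deploy and use Microsoft Edge in your organization.` replace the removed group-policy-specific values, so search results for this page would no longer mention group policies. Keeping `title: Microsoft Edge Legacy group policies` and the removed `Learn how to configure group policies in Microsoft Edge Legacy on Windows 10.` description would match the content. The `summary` also runs well past the `# < 160 chars` limit written beside it. The link text `Interoperability and enterprise mode` differs from the removed card title `Interoperability and enterprise guidance` while keeping the same URL, which may be unintentional.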
@@ -1,161 +1,93 @@ -### YamlMime:YamlDocument +### YamlMime:Landing -documentType: LandingData - -title: Microsoft Edge Legacy Group Policy configuration options +title: Microsoft Edge Group Legacy Policy configuration options # < 60 chars +summary: Learn how to deploy and configure group policies in Microsoft Edge Legacy on Windows 10. Some of the features coming to Microsoft Edge Legacy gives you the ability to set a custom URL for the New Tab page or Home button. Another new feature allows you to hide or show the Favorites bar, giving you more control over the favorites bar. # < 160 chars metadata: - - title: Microsoft Edge Group Legacy Policy configuration options - - description: - - text: (Note - You've reached the documentation for Microsoft Edge version 45 and earlier. To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](https://docs.microsoft.com/DeployEdge/).) Learn how to deploy and configure group policies in Microsoft Edge Legacy on Windows 10. Some of the features coming to Microsoft Edge Legacy gives you the ability to set a custom URL for the New Tab page or Home button. Another new feature allows you to hide or show the Favorites bar, giving you more control over the favorites bar. - + title: Microsoft Edge Group Legacy Policy configuration options # Required; page title displayed in search results. Include the brand. < 60 chars. + description: Learn about interoperability goals and enterprise guidance along with system requirements, language support and frequently asked questions. # Required; article description that is displayed in search results. < 160 chars. 
+ ms.prod: microsoft-edge keywords: Microsoft Edge Legacy, Windows 10 - ms.localizationpriority: medium - - author: shortpatti - - ms.author: pashort - - ms.date: 08/09/2018 - - ms.topic: article - - ms.devlang: na - -sections: - -- title: - -- items: - - - type: markdown - - text: (Note - You've reached the documentation for Microsoft Edge version 45 and earlier. To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](https://docs.microsoft.com/DeployEdge/).) Learn about interoperability goals and enterprise guidance along with system requirements, language support and frequently asked questions. - -- items: - - - type: list - - style: cards - - className: cardsE - - columns: 3 - - items: - - - href: https://docs.microsoft.com/microsoft-edge/deploy/change-history-for-microsoft-edge - - html:

Learn more about the latest group policies and features added to Microsoft Edge.

- - image: - - src: https://docs.microsoft.com/media/common/i_whats-new.svg - - title: What's new - - - href: https://docs.microsoft.com/microsoft-edge/deploy/about-microsoft-edge - - html:

Learn about the system requirements and language support for Microsoft Edge.

- - image: - - src: https://docs.microsoft.com/media/common/i_overview.svg - - title: System requirements and supported languages - - - href: https://www.microsoft.com/en-us/WindowsForBusiness/Compare - - html:

Learn about the supported features & functionality in each Windows edition.

- - image: - - src: https://docs.microsoft.com/media/common/i_config-tools.svg - - title: Compare Windows 10 Editions - - - href: https://docs.microsoft.com/microsoft-edge/deploy/group-policies/security-privacy-management-gp - - html:

Learn how Microsoft Edge helps to defend from increasingly sophisticated and prevalent web-based attacks against Windows.

- - image: - - src: https://docs.microsoft.com/media/common/i_security-management.svg - - title: Security & protection - - - href: https://docs.microsoft.com/microsoft-edge/deploy/group-policies/interoperability-enterprise-guidance-gp - - html:

Learn how you can use the Enterprise Mode site list for websites and apps that have compatibility problems in Microsoft Edge.

- - image: - - src: https://docs.microsoft.com/media/common/i_management.svg - - title: Interoperability & enterprise guidance - - - href: https://docs.microsoft.com/microsoft-edge/deploy/group-policies/index - - html:

Learn about the advanced VPN features you can add to improve the security and availability of your VPN connection.

- - image: - - src: https://docs.microsoft.com/media/common/i_policy.svg - - title: Group policies & configuration options - -- items: - - - type: list - - style: cards - - className: cardsL - - items: - - - title: Microsoft Edge resources - - html:

Minimum system requirements

- -

Supported languages

- -

Document change history

- -

Compare Windows 10 Editions

- -

Microsoft Edge Dev blog

- -

Microsoft Edge Dev on Twitter

- -

Microsoft Edge changelog

- -

Measuring the impact of Microsoft Edge

- - - title: IE11 resources - - html:

Deploy Internet Explorer 11 (IE11) - IT Pros

- -

Internet Explorer Administration Kit 11 (IEAK 11)

- -

Download Internet Explorer 11

- - - title: Additional resources - - html:

Group Policy and the Group Policy Management Console (GPMC)

- -

Group Policy and the Local Group Policy Editor

- -

Group Policy and the Advanced Group Policy Management (AGPM)

- -

Group Policy and Windows PowerShell

- - - - - - + ms.topic: landing-page # Required + ms.collection: collection # Optional; Remove if no collection is used. + author: shortpatti #Required; your GitHub user alias, with correct capitalization. + ms.author: pashort #Required; microsoft alias of author; optional team alias. + ms.date: 07/07/2020 #Required; mm/dd/yyyy format. + +# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | sample | tutorial | video | whats-new + +landingContent: +# Cards and links should be based on top customer tasks or top subjects +# Start card title with a verb + # Card (optional) + - title: About Microsoft Edge + linkLists: + - linkListType: whats-new + links: + - text: Documentation for Microsoft Edge version 77 or later + url: /DeployEdge + - text: Microsoft 365 apps say farewell to Internet Explorer 11 and Windows 10 sunsets Microsoft Edge Legacy + url: https://techcommunity.microsoft.com/t5/microsoft-365-blog/microsoft-365-apps-say-farewell-to-internet-explorer-11-and/ba-p/1591666 + - text: Latest group policies and features added to Microsoft Edge + url: /microsoft-edge/deploy/change-history-for-microsoft-edge + - linkListType: overview + links: + - text: System requirements and supported languages + url: /microsoft-edge/deploy/about-microsoft-edge + - text: Compare Windows 10 editions + url: https://www.microsoft.com/en-us/WindowsForBusiness/Compare + - text: Security & protection + url: /microsoft-edge/deploy/group-policies/security-privacy-management-gp + - text: Interoperability & enterprise guidance + url: /microsoft-edge/deploy/group-policies/interoperability-enterprise-guidance-gp + - text: Group policies & configuration options + url: /microsoft-edge/deploy/group-policies/ + + # Card (optional) + - title: Microsoft Edge resources + linkLists: + - linkListType: overview + links: + - text: Minimum system requirements + url: 
/microsoft-edge/deploy/about-microsoft-edge#minimum-system-requirements + - text: Supported languages + url: /microsoft-edge/deploy/about-microsoft-edge#supported-languages + - text: Document change history + url: /microsoft-edge/deploy/change-history-for-microsoft-edge + - text: Microsoft Edge Dev blog + url: https://blogs.windows.com/msedgedev + - text: Microsoft Edge Dev on Twitter + url: /microsoft-edge/deploy/about-microsoft-edge#supported-languages + - text: Microsoft Edge changelog + url: /microsoft-edge/deploy/change-history-for-microsoft-edge + - text: Measuring the impact of Microsoft Edge + url: https://blogs.windows.com/msedgedev + + # Card (optional) + - title: IE11 resources + linkLists: + - linkListType: overview + links: + - text: Deploy Internet Explorer 11 (IE11) - IT Pros + url: https://go.microsoft.com/fwlink/p/?LinkId=760644 + - text: Internet Explorer Administration Kit 11 (IEAK 11) + url: /internet-explorer/ie11-ieak + - linkListType: download + links: + - text: Download Internet Explorer 11 + url: https://go.microsoft.com/fwlink/p/?linkid=290956 + + # Card (optional) + - title: Additional resources + linkLists: + - linkListType: overview + links: + - text: Group Policy and the Group Policy Management Console (GPMC) + url: https://go.microsoft.com/fwlink/p/?LinkId=617921 + - text: Group Policy and the Local Group Policy Editor + url: https://go.microsoft.com/fwlink/p/?LinkId=617922 + - text: Group Policy and the Advanced Group Policy Management (AGPM) + url: https://go.microsoft.com/fwlink/p/?LinkId=617923 + - text: Group Policy and Windows PowerShell + url: https://go.microsoft.com/fwlink/p/?LinkId=617924 diff --git a/browsers/edge/microsoft-edge-kiosk-mode-deploy.md b/browsers/edge/microsoft-edge-kiosk-mode-deploy.md index 8249262926..d906bfc6ce 100644 --- a/browsers/edge/microsoft-edge-kiosk-mode-deploy.md +++ b/browsers/edge/microsoft-edge-kiosk-mode-deploy.md 
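Review bot: Three links in the `Microsoft Edge resources` card point at targets that do not match their text. `Microsoft Edge Dev on Twitter` goes to `/microsoft-edge/deploy/about-microsoft-edge#supported-languages`, `Microsoft Edge changelog` repeats the `change-history-for-microsoft-edge` URL already used by `Document change history`, and `Measuring the impact of Microsoft Edge` goes to the blog root `https://blogs.windows.com/msedgedev`. The original hrefs are not visible in this view, so they need to be restored from the previous version of the file. `ms.collection: collection` also looks like the template placeholder that its own comment says to remove, and `ms.prod: microsoft-edge` here differs from the `ms.prod: edge` used by the other landing pages in this commit.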
@@ -15,6 +15,8 @@ ms.date: 01/17/2020 --- # Deploy Microsoft Edge Legacy kiosk mode +> [!IMPORTANT] +> Microsoft 365 apps and services will not support Internet Explorer 11 starting August 17, 2021 (Microsoft Teams will not support Internet Explorer 11 earlier, starting November 30, 2020). [Learn more](https://aka.ms/AA97tsw). Please note that Internet Explorer 11 will remain a supported browser. Internet Explorer 11 is a component of the Windows operating system and [follows the Lifecycle Policy](https://docs.microsoft.com/lifecycle/faq/internet-explorer-microsoft-edge) for the product on which it is installed. > Applies to: Microsoft Edge Legacy (version 45 and earlier) on Windows 10, version 1809 or later > Professional, Enterprise, and Education diff --git a/browsers/edge/microsoft-edge.yml b/browsers/edge/microsoft-edge.yml index 2b47ccaaf7..797d881911 100644 --- a/browsers/edge/microsoft-edge.yml +++ b/browsers/edge/microsoft-edge.yml 
@@ -1,60 +1,144 @@ -### YamlMime:YamlDocument +### YamlMime:Landing + +title: Microsoft Edge Legacy # < 60 chars +summary: Find the tools and resources you need to help deploy and use Microsoft Edge in your organization. # < 160 chars -documentType: LandingData -title: Microsoft Edge metadata: - title: Microsoft Edge - description: Find the tools and resources you need to help deploy and use Microsoft Edge in your organization. + title: Microsoft Edge Legacy # Required; page title displayed in search results. Include the brand. < 60 chars. + description: Find the tools and resources you need to help deploy and use Microsoft Edge in your organization. # Required; article description that is displayed in search results. < 160 chars. keywords: Microsoft Edge, issues, fixes, announcements, Windows Server, advisories + ms.prod: edge ms.localizationpriority: medium author: lizap ms.author: elizapo manager: dougkim - ms.topic: article + ms.topic: landing-page ms.devlang: na + ms.date: 08/19/2020 #Required; mm/dd/yyyy format. -sections: -- items: - - type: markdown - text: " - Find the tools and resources you need to help deploy and use Microsoft Edge in your organization. - " -- title: What's new -- items: - - type: markdown - text: " - Find out the latest and greatest news on Microsoft Edge.
- -

**The latest in Microsoft Edge**
See what's new for users and developers in the next update to Microsoft Edge - now available with the Windows 10 April 2018 update!
Find out more

**Evaluate the impact**
Review the latest Forrester Total Economic Impact (TEI) report to learn about the impact Microsoft Edge can have in your organization.
Download the reports

**Microsoft Edge for iOS and Android**
Microsoft Edge brings familiar features across your PC and phone, which allows browsing to go with you, no matter what device you use.
Learn more

**Application Guard**
Microsoft Edge with Windows Defender Application Guard is the most secure browser on Windows 10 Enterprise.
Learn more
- " -- title: Compatibility -- items: - - type: markdown - text: " - Even if you still have legacy apps in your organization, you can default to the secure, modern experience of Microsoft Edge and provide a consistent level of compatibility with existing legacy applications.
- -

**Test your site on Microsoft Edge**
Test your site on Microsoft Edge for free instantly, with remote browser testing powered by BrowserStack. You can also use the linting tool sonarwhal to assess your site's accessibility, speed, security, and more.
Test your site on Microsoft Edge for free on BrowserStack
Use sonarwhal to improve your website.

**Improve compatibility with Enterprise Mode**
With Enterprise Mode you can use Microsoft Edge as your default browser, while ensuring apps continue working on IE11.
Use Enterprise mode to improve compatibility
Turn on Enterprise Mode and use a site list
Enterprise Site List Portal
Ultimate browser strategy on Windows 10

**Web Application Compatibility Lab Kit**
The Web Application Compatibility Lab Kit is a primer for the features and techniques used to provide web application compatibility during a typical enterprise migration to Microsoft Edge.
Find out more
- " -- title: Security -- items: - - type: markdown - text: " - Microsoft Edge uses Windows Hello and Windows Defender SmartScreen to defend against phishing and malware. Take a look at some of the additional features behind the strong defense that Microsoft Edge provides against web-based attacks.
- -

**NSS Labs web browser security reports**
See the results of two global tests measuring how effective browsers are at protecting against socially engineered malware and phishing attacks.
Download the reports

**Microsoft Edge sandbox**
See how Microsoft Edge has significantly reduced the attack surface of the sandbox by configuring the app container to further reduce its privilege.
Find out more

**Windows Defender SmartScreen**
Manage your organization's computer settings with Group Policy and MDM settings to display a warning page to employees or block a site entirely.
Read the docs
- " -- title: Deployment and end user readiness -- items: - - type: markdown - text: " - Find resources and learn about features to help you deploy Microsoft Edge in your organization to get your users up and running quickly.
- -

**Deployment**
Find resources, learn about features, and get answers to commonly asked questions to help you deploy Microsoft Edge in your organization.
Microsoft Edge deployment guide
Microsoft Edge FAQ
System requirements and language support
Group Policy and MDM settings in Microsoft Edge
Download the Web Application Compatibility Lab Kit
Microsoft Edge training and demonstrations

**End user readiness**
Help your users get started on Microsoft Edge quickly and learn about features like tab management, instant access to Office files, and more.
Quick Start: Microsoft Edge (PDF, .98 MB)
Find it faster with Microsoft Edge (PDF, 605 KB)
Use Microsoft Edge to collaborate (PDF, 468 KB)
Import bookmarks
Password management
Microsoft Edge tips and tricks (video, 20:26)
- " -- title: Stay informed -- items: - - type: markdown - text: " - -

**Sign up for the Windows IT Pro Insider**
Get the latest tools, tips, and expert guidance on deployment, management, security, and more.
Learn more

**Microsoft Edge Dev blog**
Keep up with the latest browser trends, security tips, and news for IT professionals.
Read the blog

**Microsoft Edge Dev on Twitter**
Get the latest news and updates from the Microsoft Web Platform team.
Visit Twitter
- " +# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | sample | tutorial | video | whats-new + +landingContent: +# Cards and links should be based on top customer tasks or top subjects +# Start card title with a verb + # Card (optional) + - title: What's new + linkLists: + - linkListType: whats-new + links: + - text: Documentation for Microsoft Edge version 77 or later + url: https://docs.microsoft.com/DeployEdge/ + - text: Microsoft Edge Legacy desktop app will reach end of support on March 9, 2021 + url: https://techcommunity.microsoft.com/t5/microsoft-365-blog/microsoft-365-apps-say-farewell-to-internet-explorer-11-and/ba-p/1591666 + - text: The latest in Microsoft Edge + url: https://blogs.windows.com/msedgedev/2018/04/30/edgehtml-17-april-2018-update/#C7jCBdbPSG6bCXHr.97 + - text: Microsoft Edge for iOS and Android + url: https://blogs.windows.com/windowsexperience/2017/11/30/microsoft-edge-now-available-for-ios-and-android + - text: Application Guard + url: https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview + - linkListType: download + links: + - text: Evaluate the impact + url: /microsoft-edge/deploy/microsoft-edge-forrester + + # Card (optional) + - title: Test your site on Microsoft Edge + linkLists: + - linkListType: overview + links: + - text: Test your site on Microsoft Edge for free on BrowserStack + url: https://developer.microsoft.com/microsoft-edge/tools/remote/ + - text: Use sonarwhal to improve your website + url: https://sonarwhal.com/ + + # Card (optional) + - title: Improve compatibility with Enterprise Mode + linkLists: + - linkListType: how-to-guide + links: + - text: Use Enterprise mode to improve compatibility + url: /microsoft-edge/deploy/emie-to-improve-compatibility + - text: Turn on Enterprise Mode and use a site list + url: 
https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list
+ - text: Enterprise Site List Portal
+ url: https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal
+
+ # Card (optional)
+ - title: Web Application Compatibility Lab Kit
+ linkLists:
+ - linkListType: overview
+ links:
+ - text: Overview
+ url: /microsoft-edge/deploy/emie-to-improve-compatibility
+
+ # Card (optional)
+ - title: Security
+ linkLists:
+ - linkListType: download
+ links:
+ - text: NSS Labs web browser security reports
+ url: https://www.microsoft.com/download/details.aspx?id=54773
+ - linkListType: overview
+ links:
+ - text: Microsoft Edge sandbox
+ url: https://blogs.windows.com/msedgedev/2017/03/23/strengthening-microsoft-edge-sandbox/
+ - text: Windows Defender SmartScreen
+ url: https://docs.microsoft.com/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview
+
+ # Card (optional)
+ - title: Deployment
+ linkLists:
+ - linkListType: overview
+ links:
+ - text: Microsoft Edge deployment guide
+ url: /microsoft-edge/deploy/
+ - text: Microsoft Edge FAQ
+ url: /microsoft-edge/deploy/microsoft-edge-faq
+ - text: System requirements and language support
+ url: /microsoft-edge/deploy/hardware-and-software-requirements
+ - text: Group Policy and MDM settings in Microsoft Edge
+ url: /microsoft-edge/deploy/available-policies
+ - text: Microsoft Edge training and demonstrations
+ url: /microsoft-edge/deploy/edge-technical-demos
+ - linkListType: download
+ links:
+ - text: Web Application Compatibility Lab Kit
+ url: https://www.microsoft.com/itpro/microsoft-edge/web-app-compat-toolkit
+
+ # Card (optional)
+ - title: End user readiness
+ linkLists:
+ - linkListType: video
+ links:
+ - text: Microsoft Edge tips and tricks (video, 20:26)
+ url: https://myignite.microsoft.com/sessions/56630?source=sessions
+ - linkListType: download
+ links:
+ - text: Quick Start - Microsoft Edge (PDF, .98 MB)
+ url: https://go.microsoft.com/fwlink/?linkid=825648
+ - text: Find it faster with Microsoft Edge (PDF, 605 KB)
+ url: https://go.microsoft.com/fwlink/?linkid=825661
+ - text: Use Microsoft Edge to collaborate (PDF, 468 KB)
+ url: https://go.microsoft.com/fwlink/?linkid=825653
+ - text: Group Policy and MDM settings in Microsoft Edge
+ url: /microsoft-edge/deploy/available-policies
+ - text: Microsoft Edge training and demonstrations
+ url: /microsoft-edge/deploy/edge-technical-demos
+ - linkListType: how-to-guide
+ links:
+ - text: Import bookmarks
+ url: https://microsoftedgetips.microsoft.com/2/39
+ - text: Password management
+ url: https://microsoftedgetips.microsoft.com/2/18
+
+ # Card (optional)
+ - title: Stay informed
+ linkLists:
+ - linkListType: overview
+ links:
+ - text: Sign up for the Windows IT Pro Insider
+ url: https://aka.ms/windows-it-pro-insider
+ - text: Microsoft Edge Dev blog
+ url: https://blogs.windows.com/msedgedev
+ - text: Microsoft Edge Dev on Twitter
+ url: https://twitter.com/MSEdgeDev
diff --git a/browsers/edge/troubleshooting-microsoft-edge.md b/browsers/edge/troubleshooting-microsoft-edge.md
index 3c50d4d50e..5479f689f3 100644
--- a/browsers/edge/troubleshooting-microsoft-edge.md
+++ b/browsers/edge/troubleshooting-microsoft-edge.md
@@ -9,7 +9,6 @@ author: dansimp
 ms.author: dansimp
 ms.prod: edge
 ms.sitesec: library
-title: Deploy Microsoft Edge kiosk mode
 ms.localizationpriority: medium
 ms.date: 10/15/2018
 ---
diff --git a/browsers/edge/use-powershell-to manage-group-policy.md b/browsers/edge/use-powershell-to manage-group-policy.md
index 58a6b06b27..1b6d2e9338 100644
--- a/browsers/edge/use-powershell-to manage-group-policy.md
+++ b/browsers/edge/use-powershell-to manage-group-policy.md
@@ -5,7 +5,6 @@ ms.prod: edge
 ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
-title: Security enhancements for Microsoft Edge (Microsoft Edge for IT Pros)
 ms.localizationpriority: medium
 ms.date: 10/02/2018
 ms.reviewer:
diff --git a/browsers/internet-explorer/docfx.json b/browsers/internet-explorer/docfx.json index 50208546bb..576a1de28f 100644 --- a/browsers/internet-explorer/docfx.json +++ b/browsers/internet-explorer/docfx.json @@ -7,6 +7,7 @@ "**/*.yml" ], "exclude": [ + "**/includes/**", "**/obj/**" ] } diff --git a/browsers/internet-explorer/ie11-deploy-guide/activex-installation-using-group-policy.md b/browsers/internet-explorer/ie11-deploy-guide/activex-installation-using-group-policy.md index 8fe62f2f79..f09832c403 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/activex-installation-using-group-policy.md +++ b/browsers/internet-explorer/ie11-deploy-guide/activex-installation-using-group-policy.md @@ -1,49 +1,53 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: security -description: How to use Group Policy to install ActiveX controls. -author: dansimp -ms.prod: ie11 -ms.assetid: 59185370-558c-47e0-930c-8a5ed657e9e3 -ms.reviewer: -audience: itpro manager: dansimp -ms.author: dansimp -title: ActiveX installation using group policy (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Group Policy and ActiveX installation - -ActiveX controls are installed and invoked using the HTML object tag with the CODEBASE attribute. This attribute, through a URL, makes Internet Explorer: - -- Get the ActiveX control if it's not already installed. - -- Download the installation package. - -- Perform trust verification on the object. - -- Prompt for installation permission, using the IE Information Bar. - -During installation, the rendering page registers and invokes the control, so that after installation, any standard user can invoke the control. - -**Important**
ActiveX control installation requires administrator-level permissions. - -## Group Policy for the ActiveX Installer Service - -You use the ActiveX Installer Service (AXIS) and Group Policy to manage your ActiveX control deployment. The AXIS-related settings can be changed using either the Group Policy Management Console (GPMC) or the Local Group Policy Editor, and include: - -- **Approved Installation Sites for ActiveX Controls.** A list of approved installation sites used by AXIS to determine whether it can install a particular ActiveX control. - -- **ActiveX installation policy for sites in trusted zones.** Identifies how AXIS should behave when a website tries to install an ActiveX control. First, AXIS looks to see if the site appears in either the list of approved installation sites or in the **Trusted sites** zone. If the does, then AXIS checks to make sure the control meets your company's policy requirements. If the ActiveX control meets all of these requirements, the control is installed. - -For more information about the ActiveX Installer Service, see [Administering the ActiveX Installer Service in Windows 7](https://go.microsoft.com/fwlink/p/?LinkId=214503). - -  - -  - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: security +description: How to use Group Policy to install ActiveX controls. +author: dansimp +ms.prod: ie11 +ms.assetid: 59185370-558c-47e0-930c-8a5ed657e9e3 +ms.reviewer: +audience: itpro +manager: dansimp +ms.author: dansimp +title: ActiveX installation using group policy (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Group Policy and ActiveX installation + +[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)] + + +ActiveX controls are installed and invoked using the HTML object tag with the CODEBASE attribute. 
This attribute, through a URL, makes Internet Explorer: + +- Get the ActiveX control if it's not already installed. + +- Download the installation package. + +- Perform trust verification on the object. + +- Prompt for installation permission, using the IE Information Bar. + +During installation, the rendering page registers and invokes the control, so that after installation, any standard user can invoke the control. + +**Important**
ActiveX control installation requires administrator-level permissions. + +## Group Policy for the ActiveX Installer Service + +You use the ActiveX Installer Service (AXIS) and Group Policy to manage your ActiveX control deployment. The AXIS-related settings can be changed using either the Group Policy Management Console (GPMC) or the Local Group Policy Editor, and include: + +- **Approved Installation Sites for ActiveX Controls.** A list of approved installation sites used by AXIS to determine whether it can install a particular ActiveX control. + +- **ActiveX installation policy for sites in trusted zones.** Identifies how AXIS should behave when a website tries to install an ActiveX control. First, AXIS looks to see if the site appears in either the list of approved installation sites or in the **Trusted sites** zone. If the does, then AXIS checks to make sure the control meets your company's policy requirements. If the ActiveX control meets all of these requirements, the control is installed. + +For more information about the ActiveX Installer Service, see [Administering the ActiveX Installer Service in Windows 7](https://go.microsoft.com/fwlink/p/?LinkId=214503). + +  + +  + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/add-employees-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/add-employees-enterprise-mode-portal.md index 664bc596e1..455bae28bd 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/add-employees-enterprise-mode-portal.md +++ b/browsers/internet-explorer/ie11-deploy-guide/add-employees-enterprise-mode-portal.md 
@@ -1,68 +1,72 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: appcompat -description: Details about how to add employees to the Enterprise Mode Site List Portal. -author: dansimp -ms.prod: ie11 -title: Add employees to the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 -ms.reviewer: -audience: itpro manager: dansimp -ms.author: dansimp ---- - -# Add employees to the Enterprise Mode Site List Portal - -**Applies to:** - -- Windows 10 -- Windows 8.1 -- Windows 7 -- Windows Server 2012 R2 -- Windows Server 2008 R2 with Service Pack 1 (SP1) - -After you get the Enterprise Mode Site List Portal up and running, you must add your employees. During this process, you'll also assign roles and groups. - -The available roles are: - -- **Requester.** The primary role to assign to employees that need to access the Enterprise Mode Site List Portal. The Requester can create change requests, validate changes in the pre-production environment, rollback pre-production and production changes in case of failure, send personal approval requests, view personal change requests, and sign off and close personal change requests. - -- **App Manager.** This role is considered part of the Approvers group. The App Manager can approve change requests, validate changes in the pre-production environment, rollback pre-production and production changes in case of failure, send personal approval requests, view personal requests, and sign off and close personal requests. - -- **Group Head.** This role is considered part of the Approvers group. The Group Head can approve change requests, validate changes in the pre-production environment, rollback pre-production and production changes in case of failure, send personal approval requests, view personal requests, and sign off and close personal requests. 
- -- **Administrator.** The role with the highest-level rights; we recommend limiting the number of employees you grant this role. The Administrator can perform any task that can be performed by the other roles, in addition to adding employees to the portal, assigning employee roles, approving registrations to the portal, configuring portal settings (for example, determining the freeze schedule, determining the pre-production and production XML paths, and determining the attachment upload location), and using the standalone Enterprise Mode Site List Manager page. - -**To add an employee to the Enterprise Mode Site List Portal** -1. Open the Enterprise Mode Site List Portal and click the **Employee Management** icon in the upper-right area of the page. - - The **Employee management** page appears. - -2. Click **Add a new employee**. - - The **Add a new employee** page appears. - -3. Fill out the fields for each employee, including: - - - **Email.** Add the employee's email address. - - - **Name.** This box autofills based on the email address. - - - **Role.** Pick a single role for the employee, based on the list above. - - - **Group name.** Pick the name of the employee's group. The group association also assigns a group of Approvers. - - - **Comments.** Add optional comments about the employee. - - - **Active.** Click the check box to make the employee active in the system. If you want to keep the employee in the system, but you want to prevent access, clear this check box. - -4. Click **Save**. - -**To export all employees to an Excel spreadsheet** -1. On the **Employee management** page, click **Export to Excel**. - -2. Save the EnterpriseModeUsersList.xlsx file. - - The Excel file includes all employees with access to the Enterprise Mode Site List Portal, including user name, email address, role, and group name. 
+--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: Details about how to add employees to the Enterprise Mode Site List Portal. +author: dansimp +ms.prod: ie11 +title: Add employees to the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +ms.reviewer: +audience: itpro +manager: dansimp +ms.author: dansimp +--- + +# Add employees to the Enterprise Mode Site List Portal + +[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)] + + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +After you get the Enterprise Mode Site List Portal up and running, you must add your employees. During this process, you'll also assign roles and groups. + +The available roles are: + +- **Requester.** The primary role to assign to employees that need to access the Enterprise Mode Site List Portal. The Requester can create change requests, validate changes in the pre-production environment, rollback pre-production and production changes in case of failure, send personal approval requests, view personal change requests, and sign off and close personal change requests. + +- **App Manager.** This role is considered part of the Approvers group. The App Manager can approve change requests, validate changes in the pre-production environment, rollback pre-production and production changes in case of failure, send personal approval requests, view personal requests, and sign off and close personal requests. + +- **Group Head.** This role is considered part of the Approvers group. The Group Head can approve change requests, validate changes in the pre-production environment, rollback pre-production and production changes in case of failure, send personal approval requests, view personal requests, and sign off and close personal requests. 
+ +- **Administrator.** The role with the highest-level rights; we recommend limiting the number of employees you grant this role. The Administrator can perform any task that can be performed by the other roles, in addition to adding employees to the portal, assigning employee roles, approving registrations to the portal, configuring portal settings (for example, determining the freeze schedule, determining the pre-production and production XML paths, and determining the attachment upload location), and using the standalone Enterprise Mode Site List Manager page. + +**To add an employee to the Enterprise Mode Site List Portal** +1. Open the Enterprise Mode Site List Portal and click the **Employee Management** icon in the upper-right area of the page. + + The **Employee management** page appears. + +2. Click **Add a new employee**. + + The **Add a new employee** page appears. + +3. Fill out the fields for each employee, including: + + - **Email.** Add the employee's email address. + + - **Name.** This box autofills based on the email address. + + - **Role.** Pick a single role for the employee, based on the list above. + + - **Group name.** Pick the name of the employee's group. The group association also assigns a group of Approvers. + + - **Comments.** Add optional comments about the employee. + + - **Active.** Click the check box to make the employee active in the system. If you want to keep the employee in the system, but you want to prevent access, clear this check box. + +4. Click **Save**. + +**To export all employees to an Excel spreadsheet** +1. On the **Employee management** page, click **Export to Excel**. + +2. Save the EnterpriseModeUsersList.xlsx file. + + The Excel file includes all employees with access to the Enterprise Mode Site List Portal, including user name, email address, role, and group name. 
diff --git a/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md b/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md index 8ead60630e..57c8991c7d 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md +++ b/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md 
@@ -1,112 +1,116 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: appcompat -description: You can add multiple sites to your Enterprise Mode site list by creating a custom text (TXT) or Extensible Markup Language (XML) file of problematic sites and then adding it in the Bulk add from file area of the Enterprise Mode Site List Manager. -author: dansimp -ms.prod: ie11 -ms.assetid: 20aF07c4-051a-451f-9c46-5a052d9Ae27c -ms.reviewer: -audience: itpro manager: dansimp -ms.author: dansimp -title: Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1) (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1) - -**Applies to:** - -- Windows 8.1 -- Windows 7 - -You can add multiple sites to your Enterprise Mode site list by creating a custom text (TXT) or Extensible Markup Language (XML) file of problematic sites and then adding it in the **Bulk add from file** area of the Enterprise Mode Site List Manager. You can only add specific URLs, not Internet or Intranet Zones. - -If you want to add your websites one at a time, see Add sites to the [Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.1)](add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md). - -## Create an Enterprise Mode site list (TXT) file -You can create and use a custom text file to add multiple sites to your Enterprise Mode site list at the same time.

**Important**
This text file is only lets you add multiple sites at the same time. You can’t use this file to deploy Enterprise Mode into your company. - -You must separate each site using commas or carriage returns. For example: - -``` -microsoft.com, bing.com, bing.com/images -``` -**-OR-** - -``` -microsoft.com -bing.com -bing.com/images -``` - -## Create an Enterprise Mode site list (XML) file using the v.1 version of the Enterprise Mode schema -You can create and use a custom XML file with the Enterprise Mode Site List Manager to add multiple sites to your Enterprise Mode site list at the same time. For more info about the v.1 version of the Enterprise Mode schema, see [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md). - -Each XML file must include: - -- **Version number.** This number must be incremented with each version of the Enterprise Mode site list, letting Internet Explorer know whether the list is new. Approximately 65 seconds after Internet Explorer 11 starts, it compares your site list version to the stored version number. If your file has a higher number, the newer version is loaded.

**Important**
After this check, IE11 won’t look for an updated list again until you restart the browser. - -- **<emie> tag.** This tag specifies the domains and domain paths that must be rendered using IE7 Enterprise Mode, IE8 Enterprise Mode, or the default IE11 browser environment.

**Important**
If you decide a site requires IE7 Enterprise Mode, you must add `forceCompatView=”true”` to your XML file. That code tells Enterprise Mode to check for a `DOCTYPE` tag on the specified webpage. If there is, the site renders using Windows Internet Explorer 7. If there’s no tag, the site renders using Microsoft Internet Explorer 5. - -- <docMode> tag.This tag specifies the domains and domain paths that need either to appear using the specific doc mode you assigned to the site. Enterprise Mode takes precedence over document modes, so sites that are already included in the Enterprise Mode site list won’t be affected by this update and will continue to load in Enterprise Mode, as usual. For more specific info about using document modes, see [Fix web compatibility issues using document modes and the Enterprise Mode site list](fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md). - -### Enterprise Mode v.1 XML schema example -The following is an example of what your XML file should look like when you’re done adding your sites. For more info about how to create your XML file, see [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md). - -``` - - - www.cpandl.com - www.woodgrovebank.com - adatum.com - contoso.com - relecloud.com - /about - - fabrikam.com - /products - - - - contoso.com - /travel - - fabrikam.com - /products - - - -``` - -To make sure your site list is up-to-date; wait 65 seconds after opening IE and then check that the `CurrentVersion` value in the `HKEY\CURRENT\USER\Software\Microsoft\Internet Explorer\Main\EnterpriseMode\` registry key matches the version number in your file.

**Important**
If `CurrentVersion` is not set or is wrong, it means that the XML parsing failed. This can mean that the XML file isn’t there, that there are access problems, or that the XML file format is wrong. Don’t manually change the `CurrentVersion` registry setting. You must make your changes to your site list and then update the list using the import function in the Enterprise Mode Site List Manager (. - -## Add multiple sites to the Enterprise Mode Site List Manager (schema v.1) -After you create your .xml or .txt file, you can bulk add the sites to the Enterprise Mode Site List Manager (schema v.1). - - **To add multiple sites** - -1. In the Enterprise Mode Site List Manager (schema v.1), click **Bulk add from file**. - -2. Go to your site list (either .txt or .xml) to add the included sites to the tool, and then click **Open**.

-Each site is validated and if successful, added to the global site list when you click **OK** to close the menu. If a site doesn’t pass validation, you can try to fix the issues or pick the site and click **Add to list** to ignore the validation problem. For more information about fixing validation problems, see [Fix validation problems using the Enterprise Mode Site List Manager](fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md). - -3. Click **OK** to close the **Bulk add sites to the list** menu. - -4. On the **File** menu, click **Save to XML**, and save your file.

-You can save the file locally or to a network share. However, you must make sure you deploy it to the location specified in your registry key. For more information about the registry key, see [Turn on Enterprise Mode and use a site list](turn-on-enterprise-mode-and-use-a-site-list.md). - -## Next steps -After you’ve added all of your sites to the tool and saved the file to XML, you can configure the rest of the Enterprise Mode functionality to use it. You can also turn Enterprise Mode on locally, so your users have the option to use Enterprise Mode on individual websites from the **Tools** menu. For more information, see [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md). - -## Related topics -- [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md) -- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378) - - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: You can add multiple sites to your Enterprise Mode site list by creating a custom text (TXT) or Extensible Markup Language (XML) file of problematic sites and then adding it in the Bulk add from file area of the Enterprise Mode Site List Manager. 
+author: dansimp +ms.prod: ie11 +ms.assetid: 20aF07c4-051a-451f-9c46-5a052d9Ae27c +ms.reviewer: +audience: itpro +manager: dansimp +ms.author: dansimp +title: Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1) (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1) + +[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)] + + +**Applies to:** + +- Windows 8.1 +- Windows 7 + +You can add multiple sites to your Enterprise Mode site list by creating a custom text (TXT) or Extensible Markup Language (XML) file of problematic sites and then adding it in the **Bulk add from file** area of the Enterprise Mode Site List Manager. You can only add specific URLs, not Internet or Intranet Zones. + +If you want to add your websites one at a time, see Add sites to the [Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.1)](add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md). + +## Create an Enterprise Mode site list (TXT) file +You can create and use a custom text file to add multiple sites to your Enterprise Mode site list at the same time.

**Important**
This text file is only lets you add multiple sites at the same time. You can’t use this file to deploy Enterprise Mode into your company. + +You must separate each site using commas or carriage returns. For example: + +``` +microsoft.com, bing.com, bing.com/images +``` +**-OR-** + +``` +microsoft.com +bing.com +bing.com/images +``` + +## Create an Enterprise Mode site list (XML) file using the v.1 version of the Enterprise Mode schema +You can create and use a custom XML file with the Enterprise Mode Site List Manager to add multiple sites to your Enterprise Mode site list at the same time. For more info about the v.1 version of the Enterprise Mode schema, see [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md). + +Each XML file must include: + +- **Version number.** This number must be incremented with each version of the Enterprise Mode site list, letting Internet Explorer know whether the list is new. Approximately 65 seconds after Internet Explorer 11 starts, it compares your site list version to the stored version number. If your file has a higher number, the newer version is loaded.

**Important**
After this check, IE11 won’t look for an updated list again until you restart the browser. + +- **<emie> tag.** This tag specifies the domains and domain paths that must be rendered using IE7 Enterprise Mode, IE8 Enterprise Mode, or the default IE11 browser environment.

**Important**
If you decide a site requires IE7 Enterprise Mode, you must add `forceCompatView=”true”` to your XML file. That code tells Enterprise Mode to check for a `DOCTYPE` tag on the specified webpage. If there is, the site renders using Windows Internet Explorer 7. If there’s no tag, the site renders using Microsoft Internet Explorer 5. + +- <docMode> tag.This tag specifies the domains and domain paths that need either to appear using the specific doc mode you assigned to the site. Enterprise Mode takes precedence over document modes, so sites that are already included in the Enterprise Mode site list won’t be affected by this update and will continue to load in Enterprise Mode, as usual. For more specific info about using document modes, see [Fix web compatibility issues using document modes and the Enterprise Mode site list](fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md). + +### Enterprise Mode v.1 XML schema example +The following is an example of what your XML file should look like when you’re done adding your sites. For more info about how to create your XML file, see [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md). + +``` + + + www.cpandl.com + www.woodgrovebank.com + adatum.com + contoso.com + relecloud.com + /about + + fabrikam.com + /products + + + + contoso.com + /travel + + fabrikam.com + /products + + + +``` + +To make sure your site list is up-to-date; wait 65 seconds after opening IE and then check that the `CurrentVersion` value in the `HKEY\CURRENT\USER\Software\Microsoft\Internet Explorer\Main\EnterpriseMode\` registry key matches the version number in your file.

**Important**
If `CurrentVersion` is not set or is wrong, it means that the XML parsing failed. This can mean that the XML file isn’t there, that there are access problems, or that the XML file format is wrong. Don’t manually change the `CurrentVersion` registry setting. You must make your changes to your site list and then update the list using the import function in the Enterprise Mode Site List Manager (. + +## Add multiple sites to the Enterprise Mode Site List Manager (schema v.1) +After you create your .xml or .txt file, you can bulk add the sites to the Enterprise Mode Site List Manager (schema v.1). + + **To add multiple sites** + +1. In the Enterprise Mode Site List Manager (schema v.1), click **Bulk add from file**. + +2. Go to your site list (either .txt or .xml) to add the included sites to the tool, and then click **Open**.

+Each site is validated and if successful, added to the global site list when you click **OK** to close the menu. If a site doesn’t pass validation, you can try to fix the issues or pick the site and click **Add to list** to ignore the validation problem. For more information about fixing validation problems, see [Fix validation problems using the Enterprise Mode Site List Manager](fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md). + +3. Click **OK** to close the **Bulk add sites to the list** menu. + +4. On the **File** menu, click **Save to XML**, and save your file.

+You can save the file locally or to a network share. However, you must make sure you deploy it to the location specified in your registry key. For more information about the registry key, see [Turn on Enterprise Mode and use a site list](turn-on-enterprise-mode-and-use-a-site-list.md). + +## Next steps +After you’ve added all of your sites to the tool and saved the file to XML, you can configure the rest of the Enterprise Mode functionality to use it. You can also turn Enterprise Mode on locally, so your users have the option to use Enterprise Mode on individual websites from the **Tools** menu. For more information, see [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md). + +## Related topics +- [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md) +- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378) + + + + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md b/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md index 78f0903d6f..37ef55dea6 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md +++ b/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md 
@@ -16,7 +16,10 @@ ms.date: 10/24/2017
 ---
-# Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2)
+# Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2)
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
 **Applies to:**
diff --git a/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md b/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md
index 8b8435daff..8c5e4b4426 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md
@@ -1,66 +1,70 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: appcompat -description: Enterprise Mode is a compatibility mode that runs on Internet Explorer 11, letting websites render using a modified browser configuration that's designed to emulate either Windows Internet Explorer 7 or Windows Internet Explorer 8, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer. -author: dansimp -ms.prod: ie11 -ms.assetid: 042e44e8-568d-4717-8fd3-69dd198bbf26 -ms.reviewer: -audience: itpro manager: dansimp -ms.author: dansimp -title: Add sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.1) (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Add single sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.1) - -**Applies to:** - -- Windows 8.1 -- Windows 7 -- Windows Server 2008 R2 with Service Pack 1 (SP1) - -Enterprise Mode is a compatibility mode that runs on Internet Explorer 11, letting websites render using a modified browser configuration that’s designed to emulate either Windows Internet Explorer 7 or Windows Internet Explorer 8, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer.

**Important**
You can only add specific URLs, not Internet or Intranet Zones. - -

Note
If you need to include a lot of sites, instead of adding them one at a time, you can create a list of websites and add them all at the same time. For more information, see Add multiple sites to the Enterprise Mode site list using a file and the Windows 7 and 8.1 Enterprise Mode Site List Manager. - -## Adding a site to your compatibility list -You can add individual sites to your compatibility list by using the Enterprise Mode Site List Manager. -

Note
If you're using the v.2 version of the Enterprise Mode schema, you'll need to use the Enterprise Mode Site List Manager (schema v.1). For more info, see Add sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.2). - - **To add a site to your compatibility list using the Enterprise Mode Site List Manager (schema v.1)** - -1. In the Enterprise Mode Site List Manager (schema v.1), click **Add**. - -2. Type the URL for the website that’s experiencing compatibility problems, like *<domain>.com* or *<domain>.com*/*<path>* into the **URL** box.

-Don't include the `https://` or `https://` designation. The tool automatically tries both versions during validation. - -3. Type any comments about the website into the **Notes about URL** box.

-Administrators can only see comments while they’re in this tool. - -4. Choose **IE7 Enterprise Mode**, **IE8 Enterprise Mode**, or the appropriate document mode for sites that must be rendered using the emulation of a previous version of IE, or pick **Default IE** if the site should use the latest version of IE. - -The path within a domain can require a different compatibility mode from the domain itself. For example, the domain might look fine in the default IE11 browser, but the path might have problems and require the use of Enterprise Mode. If you added the domain previously, your original compatibility choice is still selected. However, if the domain is new, **IE8 Enterprise Mode** is automatically selected. - -Enterprise Mode takes precedence over document modes, so sites that are already included in the Enterprise Mode site list won’t be affected by this update and will continue to load in Enterprise Mode, as usual. For more specific info about using document modes, see [Fix web compatibility issues using document modes and the Enterprise Mode site list](fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md). - -5. Click **Save** to validate your website and to add it to the site list for your enterprise.

- If your site passes validation, it’s added to the global compatibility list. If the site doesn’t pass validation, you’ll get an error message explaining the problem. You’ll then be able to either cancel the site or ignore the validation problem and add it to your list anyway. - -6. On the **File** menu, go to where you want to save the file, and then click **Save to XML**.

- You can save the file locally or to a network share. However, you must make sure you deploy it to the location specified in your registry key. For more information about the registry key, see [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md). - -## Next steps -After you’ve added all of your sites to the tool and saved the file to XML, you can configure the rest of the Enterprise Mode functionality to use it. You can also turn Enterprise Mode on locally, so your users have the option to use Enterprise Mode on individual websites from the **Tools** menu. For more information, see [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md). - -## Related topics -- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378) - - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: Enterprise Mode is a compatibility mode that runs on Internet Explorer 11, letting websites render using a modified browser configuration that's designed to emulate either Windows Internet Explorer 7 or Windows Internet Explorer 8, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer. 
+author: dansimp +ms.prod: ie11 +ms.assetid: 042e44e8-568d-4717-8fd3-69dd198bbf26 +ms.reviewer: +audience: itpro +manager: dansimp +ms.author: dansimp +title: Add sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.1) (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Add single sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.1) + +[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)] + + +**Applies to:** + +- Windows 8.1 +- Windows 7 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +Enterprise Mode is a compatibility mode that runs on Internet Explorer 11, letting websites render using a modified browser configuration that’s designed to emulate either Windows Internet Explorer 7 or Windows Internet Explorer 8, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer.

**Important**
You can only add specific URLs, not Internet or Intranet Zones. + +

Note
If you need to include a lot of sites, instead of adding them one at a time, you can create a list of websites and add them all at the same time. For more information, see Add multiple sites to the Enterprise Mode site list using a file and the Windows 7 and 8.1 Enterprise Mode Site List Manager. + +## Adding a site to your compatibility list +You can add individual sites to your compatibility list by using the Enterprise Mode Site List Manager. +

Note
If you're using the v.2 version of the Enterprise Mode schema, you'll need to use the Enterprise Mode Site List Manager (schema v.1). For more info, see Add sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.2). + + **To add a site to your compatibility list using the Enterprise Mode Site List Manager (schema v.1)** + +1. In the Enterprise Mode Site List Manager (schema v.1), click **Add**. + +2. Type the URL for the website that’s experiencing compatibility problems, like *<domain>.com* or *<domain>.com*/*<path>* into the **URL** box.

+Don't include the `https://` or `https://` designation. The tool automatically tries both versions during validation. + +3. Type any comments about the website into the **Notes about URL** box.

+Administrators can only see comments while they’re in this tool. + +4. Choose **IE7 Enterprise Mode**, **IE8 Enterprise Mode**, or the appropriate document mode for sites that must be rendered using the emulation of a previous version of IE, or pick **Default IE** if the site should use the latest version of IE. + +The path within a domain can require a different compatibility mode from the domain itself. For example, the domain might look fine in the default IE11 browser, but the path might have problems and require the use of Enterprise Mode. If you added the domain previously, your original compatibility choice is still selected. However, if the domain is new, **IE8 Enterprise Mode** is automatically selected. + +Enterprise Mode takes precedence over document modes, so sites that are already included in the Enterprise Mode site list won’t be affected by this update and will continue to load in Enterprise Mode, as usual. For more specific info about using document modes, see [Fix web compatibility issues using document modes and the Enterprise Mode site list](fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md). + +5. Click **Save** to validate your website and to add it to the site list for your enterprise.

+ If your site passes validation, it’s added to the global compatibility list. If the site doesn’t pass validation, you’ll get an error message explaining the problem. You’ll then be able to either cancel the site or ignore the validation problem and add it to your list anyway. + +6. On the **File** menu, go to where you want to save the file, and then click **Save to XML**.

+ You can save the file locally or to a network share. However, you must make sure you deploy it to the location specified in your registry key. For more information about the registry key, see [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md).
+
+## Next steps
+After you’ve added all of your sites to the tool and saved the file to XML, you can configure the rest of the Enterprise Mode functionality to use it. You can also turn Enterprise Mode on locally, so your users have the option to use Enterprise Mode on individual websites from the **Tools** menu. For more information, see [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md).
+
+## Related topics
+- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378)
+
+
+
+
+
+
diff --git a/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md b/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md
index 0977b87b94..63f0d7bd6f 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md
@@ -16,7 +16,10 @@ ms.date: 07/27/2017
 ---
-# Add single sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.2)
+# Add single sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.2)
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
 **Applies to:**
diff --git a/browsers/internet-explorer/ie11-deploy-guide/administrative-templates-and-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/administrative-templates-and-ie11.md
index f08c08fcdb..23bb9ee14a 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/administrative-templates-and-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/administrative-templates-and-ie11.md
@@ -1,82 +1,86 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: security -description: Administrative templates and Internet Explorer 11 -author: dansimp -ms.prod: ie11 -ms.assetid: 2b390786-f786-41cc-bddc-c55c8a4c5af3 -ms.reviewer: -audience: itpro manager: dansimp -ms.author: dansimp -title: Administrative templates and Internet Explorer 11 (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Administrative templates and Internet Explorer 11 - -Administrative Templates are made up of a hierarchy of policy categories and subcategories that define how your policy settings appear in the Local Group Policy Editor, including: - -- What registry locations correspond to each setting. - -- What value options or restrictions are associated with each setting. - -- The default value for many settings. - -- Text explanations about each setting and the supported version of Internet Explorer. - -For a conceptual overview of Administrative Templates, see [Managing Group Policy ADMX Files Step-by-Step Guide](https://go.microsoft.com/fwlink/p/?LinkId=214519). - -## What are Administrative Templates? -Administrative Templates are XML-based, multi-language files that define the registry-based Group Policy settings in the Local Group Policy Editor. There are two types of Administrative Templates: - -- **ADMX.** A language-neutral setup file that states the number and type of policy setting, and the location by category, as it shows up in the Local Group Policy Editor. - -- **ADML.** A language-specific setup file that provides language-related information to the ADMX file. This file lets the policy setting show up in the right language in the Local Group Policy Editor. You can add new languages by adding new ADML files in the required language. - -## How do I store Administrative Templates? -As an admin, you can create a central store folder on your SYSVOL directory, named **PolicyDefinitions**. 
For example, %*SystemRoot*%\\PolicyDefinitions. This folder provides a single, centralized storage location for your Administrative Templates (both ADMX and ADML) files, so they can be used by your domain-based Group Policy Objects (GPOs). -

Important
Your Group Policy tools use the ADMX files in your store, ignoring any local copies. For more information about creating a central store, see Scenario 1: Editing the Local GPO Using ADMX Files. - -## Administrative Templates-related Group Policy settings -When you install Internet Explorer 11, it updates the local administrative files, Inetres.admx and Inetres.adml, both located in the **PolicyDefinitions** folder. -

Note
You won't see the new policy settings if you try to view or edit your policy settings on a computer that isn't running IE11. To fix this, you can either install IE11, or you can copy the updated Inetres.admx and Inetres.adml files from another computer to the PolicyDefinitions folder on this computer. - -IE11 provides these new policy settings, which are editable in the Local Group Policy Editor, and appear in the following policy paths: - -- Computer Configuration\\Administrative Templates\\Windows Components\\ - -- User Configuration\\Administrative Templates\\Windows Components\\ - - -|Catalog |Description | -| ------------------------------------------------ | --------------------------------------------| -|IE |Turns standard IE configuration on and off. | -|Internet Explorer\Accelerators |Sets up and manages Accelerators. | -|Internet Explorer\Administrator Approved Controls |Turns ActiveX controls on and off. | -|Internet Explorer\Application Compatibility |Turns the **Cut**, **Copy**, or **Paste** operations on or off. This setting also requires that `URLACTION_SCRIPT_PASTE` is set to **Prompt**. | -|Internet Explorer\Browser Menus |Shows or hides the IE menus and menu options.| -|Internet Explorer\Corporate Settings |Turns off whether you specify the code download path for each computer. | -|Internet Explorer\Delete Browsing History |Turns the **Delete Browsing History** settings on and off. | -|Internet Explorer\Internet Control Panel |Turns pages on and off in the **Internet Options** dialog box. Also turns on and off the subcategories that manage settings on the **Content**, **General**, **Security** and **Advanced** pages. | -|Internet Explorer\Internet Settings |Sets up and manages the **Advanced settings**, **AutoComplete**, **Display Settings**, and **URL Encoding** options. | -|Internet Explorer\Persistence Behavior |Sets up and manages the file size limits for Internet security zones. 
| -|Internet Explorer\Privacy |Turns various privacy-related features on and off. | -|Internet Explorer\Security Features |Turns various security-related features on and off in the browser, Windows Explorer, and other applications. | -|Internet Explorer\Toolbars |Turns on and off the ability for users to edit toolbars in the browser. You can also set the default toolbar buttons here. | -|RSS Feeds |Sets up and manages RSS feeds in the browser. | - - -## Editing Group Policy settings -Regardless which tool you're using to edit your Group Policy settings, you'll need to follow one of these guides for step-by-step editing instructions: - -- **If you're using the Group Policy Management Console (GPMC) or the Local Group Policy Editor.** See [Edit Administrative Template Policy Settings](https://go.microsoft.com/fwlink/p/?LinkId=214521) for step-by-step instructions about editing your Administrative Templates. - -- **If you're using GPMC with Advanced Group Policy Management (AGPM).** See [Checklist: Create, Edit, and Deploy a GPO](https://go.microsoft.com/fwlink/p/?LinkId=214522) for step-by-step instructions about how to check out a GPO from the AGPM archive, edit it, and request deployment. 
- -## Related topics -- [Administrative templates (.admx) for Windows 10 April 2018 Update](https://www.microsoft.com/download/details.aspx?id=56880) -- [Administrative templates (.admx) for Windows 10 October 2018 Update](https://www.microsoft.com/download/details.aspx?id=57576) -- [Administrative Templates (.admx) for Windows 8.1 and Windows Server 2012 R2](https://go.microsoft.com/fwlink/p/?LinkId=746580) +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: security +description: Administrative templates and Internet Explorer 11 +author: dansimp +ms.prod: ie11 +ms.assetid: 2b390786-f786-41cc-bddc-c55c8a4c5af3 +ms.reviewer: +audience: itpro +manager: dansimp +ms.author: dansimp +title: Administrative templates and Internet Explorer 11 (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Administrative templates and Internet Explorer 11 + +[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)] + + +Administrative Templates are made up of a hierarchy of policy categories and subcategories that define how your policy settings appear in the Local Group Policy Editor, including: + +- What registry locations correspond to each setting. + +- What value options or restrictions are associated with each setting. + +- The default value for many settings. + +- Text explanations about each setting and the supported version of Internet Explorer. + +For a conceptual overview of Administrative Templates, see [Managing Group Policy ADMX Files Step-by-Step Guide](https://go.microsoft.com/fwlink/p/?LinkId=214519). + +## What are Administrative Templates? +Administrative Templates are XML-based, multi-language files that define the registry-based Group Policy settings in the Local Group Policy Editor. 
There are two types of Administrative Templates: + +- **ADMX.** A language-neutral setup file that states the number and type of policy setting, and the location by category, as it shows up in the Local Group Policy Editor. + +- **ADML.** A language-specific setup file that provides language-related information to the ADMX file. This file lets the policy setting show up in the right language in the Local Group Policy Editor. You can add new languages by adding new ADML files in the required language. + +## How do I store Administrative Templates? +As an admin, you can create a central store folder on your SYSVOL directory, named **PolicyDefinitions**. For example, %*SystemRoot*%\\PolicyDefinitions. This folder provides a single, centralized storage location for your Administrative Templates (both ADMX and ADML) files, so they can be used by your domain-based Group Policy Objects (GPOs). +

Important
Your Group Policy tools use the ADMX files in your store, ignoring any local copies. For more information about creating a central store, see Scenario 1: Editing the Local GPO Using ADMX Files. + +## Administrative Templates-related Group Policy settings +When you install Internet Explorer 11, it updates the local administrative files, Inetres.admx and Inetres.adml, both located in the **PolicyDefinitions** folder. +

Note
You won't see the new policy settings if you try to view or edit your policy settings on a computer that isn't running IE11. To fix this, you can either install IE11, or you can copy the updated Inetres.admx and Inetres.adml files from another computer to the PolicyDefinitions folder on this computer. + +IE11 provides these new policy settings, which are editable in the Local Group Policy Editor, and appear in the following policy paths: + +- Computer Configuration\\Administrative Templates\\Windows Components\\ + +- User Configuration\\Administrative Templates\\Windows Components\\ + + +|Catalog |Description | +| ------------------------------------------------ | --------------------------------------------| +|IE |Turns standard IE configuration on and off. | +|Internet Explorer\Accelerators |Sets up and manages Accelerators. | +|Internet Explorer\Administrator Approved Controls |Turns ActiveX controls on and off. | +|Internet Explorer\Application Compatibility |Turns the **Cut**, **Copy**, or **Paste** operations on or off. This setting also requires that `URLACTION_SCRIPT_PASTE` is set to **Prompt**. | +|Internet Explorer\Browser Menus |Shows or hides the IE menus and menu options.| +|Internet Explorer\Corporate Settings |Turns off whether you specify the code download path for each computer. | +|Internet Explorer\Delete Browsing History |Turns the **Delete Browsing History** settings on and off. | +|Internet Explorer\Internet Control Panel |Turns pages on and off in the **Internet Options** dialog box. Also turns on and off the subcategories that manage settings on the **Content**, **General**, **Security** and **Advanced** pages. | +|Internet Explorer\Internet Settings |Sets up and manages the **Advanced settings**, **AutoComplete**, **Display Settings**, and **URL Encoding** options. | +|Internet Explorer\Persistence Behavior |Sets up and manages the file size limits for Internet security zones. 
| +|Internet Explorer\Privacy |Turns various privacy-related features on and off. | +|Internet Explorer\Security Features |Turns various security-related features on and off in the browser, Windows Explorer, and other applications. | +|Internet Explorer\Toolbars |Turns on and off the ability for users to edit toolbars in the browser. You can also set the default toolbar buttons here. | +|RSS Feeds |Sets up and manages RSS feeds in the browser. | + + +## Editing Group Policy settings +Regardless which tool you're using to edit your Group Policy settings, you'll need to follow one of these guides for step-by-step editing instructions: + +- **If you're using the Group Policy Management Console (GPMC) or the Local Group Policy Editor.** See [Edit Administrative Template Policy Settings](https://go.microsoft.com/fwlink/p/?LinkId=214521) for step-by-step instructions about editing your Administrative Templates. + +- **If you're using GPMC with Advanced Group Policy Management (AGPM).** See [Checklist: Create, Edit, and Deploy a GPO](https://go.microsoft.com/fwlink/p/?LinkId=214522) for step-by-step instructions about how to check out a GPO from the AGPM archive, edit it, and request deployment. + +## Related topics +- [Administrative templates (.admx) for Windows 10 April 2018 Update](https://www.microsoft.com/download/details.aspx?id=56880) +- [Administrative templates (.admx) for Windows 10 October 2018 Update](https://www.microsoft.com/download/details.aspx?id=57576) +- [Administrative Templates (.admx) for Windows 8.1 and Windows Server 2012 R2](https://go.microsoft.com/fwlink/p/?LinkId=746580) diff --git a/browsers/internet-explorer/ie11-deploy-guide/approve-change-request-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/approve-change-request-enterprise-mode-portal.md index 977e17394e..07687792a3 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/approve-change-request-enterprise-mode-portal.md 
+++ b/browsers/internet-explorer/ie11-deploy-guide/approve-change-request-enterprise-mode-portal.md 
@@ -1,62 +1,66 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: appcompat -description: Details about how Approvers can approve open change requests in the Enterprise Mode Site List Portal. -author: dansimp -ms.prod: ie11 -title: Approve a change request using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 -ms.reviewer: -audience: itpro manager: dansimp -ms.author: dansimp ---- - -# Approve a change request using the Enterprise Mode Site List Portal - -**Applies to:** - -- Windows 10 -- Windows 8.1 -- Windows 7 -- Windows Server 2012 R2 -- Windows Server 2008 R2 with Service Pack 1 (SP1) - -After a change request is successfully submitted to the pre-defined Approver(s), employees granted the role of **App Manager**, **Group Head**, or **Administrator**, they must approve the changes. - -## Approve or reject a change request -The Approvers get an email stating that a Requester successfully opened, tested, and submitted the change request to the Approvers group. The Approvers can accept or reject a change request. - -**To approve or reject a change request** -1. The Approver logs onto the Enterprise Mode Site List Portal, **All Approvals** page. - - The Approver can also get to the **All Approvals** page by clicking **Approvals Pending** from the left pane. - -2. The Approver clicks the expander arrow (**\/**) to the right side of the change request, showing the list of Approvers and the **Approve** and **Reject** buttons. - -3. The Approver reviews the change request, making sure it's correct. If the info is correct, the Approver clicks **Approve** to approve the change request. If the info seems incorrect, or if the app shouldn't be added to the site list, the Approver clicks **Reject**. - - An email is sent to the Requester, the Approver(s) group, and the Administrator(s) group, with the updated status of the request. 
- - -## Send a reminder to the Approver(s) group -If the change request is sitting in the approval queue for too long, the Requester can send a reminder to the group. - -- From the **My Approvals** page, click the checkbox next to the name of each Approver to be reminded, and then click **Send reminder**. - - An email is sent to the selected Approver(s). - - -## View rejected change requests -The original Requester, the Approver(s) group, and the Administrator(s) group can all view the rejected change request. - -**To view the rejected change request** - -- In the Enterprise Mode Site List Portal, click **Rejected** from the left pane. - - All rejected change requests appear, with role assignment determining which ones are visible. - - -## Next steps -After an Approver approves the change request, it must be scheduled for inclusion in the production Enterprise Mode Site List. For the scheduling steps, see the [Schedule approved change requests for production using the Enterprise Mode Site List Portal](schedule-production-change-enterprise-mode-portal.md) topic. +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: Details about how Approvers can approve open change requests in the Enterprise Mode Site List Portal. 
+author: dansimp +ms.prod: ie11 +title: Approve a change request using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +ms.reviewer: +audience: itpro +manager: dansimp +ms.author: dansimp +--- + +# Approve a change request using the Enterprise Mode Site List Portal + +[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)] + + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +After a change request is successfully submitted to the pre-defined Approver(s), employees granted the role of **App Manager**, **Group Head**, or **Administrator**, they must approve the changes. + +## Approve or reject a change request +The Approvers get an email stating that a Requester successfully opened, tested, and submitted the change request to the Approvers group. The Approvers can accept or reject a change request. + +**To approve or reject a change request** +1. The Approver logs onto the Enterprise Mode Site List Portal, **All Approvals** page. + + The Approver can also get to the **All Approvals** page by clicking **Approvals Pending** from the left pane. + +2. The Approver clicks the expander arrow (**\/**) to the right side of the change request, showing the list of Approvers and the **Approve** and **Reject** buttons. + +3. The Approver reviews the change request, making sure it's correct. If the info is correct, the Approver clicks **Approve** to approve the change request. If the info seems incorrect, or if the app shouldn't be added to the site list, the Approver clicks **Reject**. + + An email is sent to the Requester, the Approver(s) group, and the Administrator(s) group, with the updated status of the request. 
+ + +## Send a reminder to the Approver(s) group +If the change request is sitting in the approval queue for too long, the Requester can send a reminder to the group. + +- From the **My Approvals** page, click the checkbox next to the name of each Approver to be reminded, and then click **Send reminder**. + + An email is sent to the selected Approver(s). + + +## View rejected change requests +The original Requester, the Approver(s) group, and the Administrator(s) group can all view the rejected change request. + +**To view the rejected change request** + +- In the Enterprise Mode Site List Portal, click **Rejected** from the left pane. + + All rejected change requests appear, with role assignment determining which ones are visible. + + +## Next steps +After an Approver approves the change request, it must be scheduled for inclusion in the production Enterprise Mode Site List. For the scheduling steps, see the [Schedule approved change requests for production using the Enterprise Mode Site List Portal](schedule-production-change-enterprise-mode-portal.md) topic. diff --git a/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-and-auto-proxy-problems-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-and-auto-proxy-problems-with-ie11.md index d45374e404..7dbfc19776 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-and-auto-proxy-problems-with-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-and-auto-proxy-problems-with-ie11.md 
@@ -1,62 +1,66 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: networking -description: Auto configuration and auto proxy problems with Internet Explorer 11 -author: dansimp -ms.prod: ie11 -ms.assetid: 3fbbc2c8-859b-4b2e-abc3-de2c299e0938 -ms.reviewer: -audience: itpro manager: dansimp -ms.author: dansimp -title: Auto configuration and auto proxy problems with Internet Explorer 11 (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Auto configuration and auto proxy problems with Internet Explorer 11 -You might experience some problems using automatic configuration and auto-proxy with Internet Explorer 11. - -## Branding changes aren't distributed using automatic configuration -If you've turned on the **Disable external branding of Internet Explorer** Group Policy Object, you won't be able to use automatic configuration to distribute your branding changes to your users' computers. When this object is turned on, it prevents the branding of IE by a non-Microsoft company or entity, such as an Internet service provider or Internet content provider. For more information about automatic configuration, see [Auto configuration settings for Internet Explorer 11](auto-configuration-settings-for-ie11.md) and [Use the Automatic Configuration page in the IEAK 11 Wizard](../ie11-ieak/auto-config-ieak11-wizard.md). For more information about Group Policy settings, see [Group policy objects and Internet Explorer 11 (IE11)](group-policy-objects-and-ie11.md). - -## Proxy server setup issues -If you experience issues while setting up your proxy server, you can try these troubleshooting steps: - -- Check to make sure the proxy server address is right. - -- Check that both **Automatically detect settings** and **Automatic configuration** are turned on in the browser. - -- Check that the browser is pointing to the right automatic configuration script location. - - **To check your proxy server address** - -1. 
On the **Tools** menu, click **Internet Options**, and then **Connections**. - -2. Click **Settings** or **LAN Settings**, and then look at your proxy server address. - -3. If you have multiple proxy servers, click **Advanced** to look at all of the additional addresses.

**Note**
If IE11 uses a proxy server for local IP addresses, regardless whether you turned on the **Bypass Proxy Server for Local Addresses** option, see [Internet Explorer Uses Proxy Server for Local IP Address Even if the "Bypass Proxy Server for Local Addresses" Option Is Turned On](https://go.microsoft.com/fwlink/p/?LinkId=85652). - - **To check that you've turned on the correct settings** - -4. On the **Tools** menu, click **Internet Options**, and then click **Connections**. - -5. Click **Settings** or **LAN Settings**. - -6. In the **Automatic configuration** area, check that you've clicked the **Automatically detect settings** box. If you've turned on automatic configuration, check to make sure that you've also clicked the **Use automatic configuration script** box.

**Note**
If at this point everything is set up correctly, but the proxy server still isn't behaving properly, click the **Detect my network settings** box in the **Error** dialog box to try to detect the proxy server, again. - - **To check that you're pointing to the correct automatic configuration script location** - -7. On the **Tools** menu, click **Internet Options**, and then click **Connections**. - -8. Click **Settings** or **LAN Settings**. - -9. In the **Automatic configuration** area, check that you've chosen the **Use automatic configuration script** box, and that it has the correct location to your automatic configuration script or for your automatic proxy URL. - - - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: networking +description: Auto configuration and auto proxy problems with Internet Explorer 11 +author: dansimp +ms.prod: ie11 +ms.assetid: 3fbbc2c8-859b-4b2e-abc3-de2c299e0938 +ms.reviewer: +audience: itpro +manager: dansimp +ms.author: dansimp +title: Auto configuration and auto proxy problems with Internet Explorer 11 (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Auto configuration and auto proxy problems with Internet Explorer 11 + +[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)] + +You might experience some problems using automatic configuration and auto-proxy with Internet Explorer 11. + +## Branding changes aren't distributed using automatic configuration +If you've turned on the **Disable external branding of Internet Explorer** Group Policy Object, you won't be able to use automatic configuration to distribute your branding changes to your users' computers. When this object is turned on, it prevents the branding of IE by a non-Microsoft company or entity, such as an Internet service provider or Internet content provider. 
For more information about automatic configuration, see [Auto configuration settings for Internet Explorer 11](auto-configuration-settings-for-ie11.md) and [Use the Automatic Configuration page in the IEAK 11 Wizard](../ie11-ieak/auto-config-ieak11-wizard.md). For more information about Group Policy settings, see [Group policy objects and Internet Explorer 11 (IE11)](group-policy-objects-and-ie11.md). + +## Proxy server setup issues +If you experience issues while setting up your proxy server, you can try these troubleshooting steps: + +- Check to make sure the proxy server address is right. + +- Check that both **Automatically detect settings** and **Automatic configuration** are turned on in the browser. + +- Check that the browser is pointing to the right automatic configuration script location. + + **To check your proxy server address** + +1. On the **Tools** menu, click **Internet Options**, and then **Connections**. + +2. Click **Settings** or **LAN Settings**, and then look at your proxy server address. + +3. If you have multiple proxy servers, click **Advanced** to look at all of the additional addresses.

**Note**
If IE11 uses a proxy server for local IP addresses, regardless whether you turned on the **Bypass Proxy Server for Local Addresses** option, see [Internet Explorer Uses Proxy Server for Local IP Address Even if the "Bypass Proxy Server for Local Addresses" Option Is Turned On](https://go.microsoft.com/fwlink/p/?LinkId=85652). + + **To check that you've turned on the correct settings** + +4. On the **Tools** menu, click **Internet Options**, and then click **Connections**. + +5. Click **Settings** or **LAN Settings**. + +6. In the **Automatic configuration** area, check that you've clicked the **Automatically detect settings** box. If you've turned on automatic configuration, check to make sure that you've also clicked the **Use automatic configuration script** box.

**Note**
If at this point everything is set up correctly, but the proxy server still isn't behaving properly, click the **Detect my network settings** box in the **Error** dialog box to try to detect the proxy server, again. + + **To check that you're pointing to the correct automatic configuration script location** + +7. On the **Tools** menu, click **Internet Options**, and then click **Connections**. + +8. Click **Settings** or **LAN Settings**. + +9. In the **Automatic configuration** area, check that you've chosen the **Use automatic configuration script** box, and that it has the correct location to your automatic configuration script or for your automatic proxy URL. + + + + + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-settings-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-settings-for-ie11.md index 1b9a0ba9c8..82857ac50e 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-settings-for-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-settings-for-ie11.md 
@@ -1,74 +1,78 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-ms.pagetype: networking
-description: Auto configuration settings for Internet Explorer 11
-author: dansimp
-ms.prod: ie11
-ms.assetid: 90308d59-45b9-4639-ab1b-497e5ba19023
-ms.reviewer:
-audience: itpro manager: dansimp
-ms.author: dansimp
-title: Auto configuration settings for Internet Explorer 11 (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Auto configuration settings for Internet Explorer 11
-Automatic configuration lets you apply custom branding and graphics to your internal Internet Explorer installations, running on Windows 8.1 or Windows Server 2012 R2. For more information about adding custom branding and graphics to your IE package, see [Customize the toolbar button and Favorites List icons using IEAK 11](../ie11-ieak/guidelines-toolbar-and-favorites-list-ieak11.md).

**Important**
You'll only see and be able to use the **IE Customization Wizard 11 - Automatic Configuration** page if you're creating an internal IE installation package. For more information about the **IE Customization Wizard 11 - Automatic Configuration** page, see [Use the Automatic Configuration page in the IEAK 11 Wizard](../ie11-ieak/auto-config-ieak11-wizard.md). - -## Adding the automatic configuration registry key -For custom graphics and branding, add the `FEATURE\AUTOCONFIG\BRANDING` registry key to your IE installation package.

**Important**
Follow these directions carefully because serious problems can occur if you update your registry incorrectly. For added protection, back up your registry so you can restore it if a problem occurs. - - **To add the registry key** - -1. On the **Start** screen, type **regedit**, and then click **Regedit.exe**. - -2. Right-click the `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl` subkey, point to **New**, and then click **Key**. - -3. Enter the new key name, `FEATURE\AUTOCONFIG\BRANDING`, and then press Enter. - -4. Right-click `FEATURE\AUTOCONFIG\BRANDING`, point to **New**, and then click **DWORD (32-bit) Value**. - -5. Enter the new DWORD value name, **iexplore.exe**, and then press Enter. - -6. Right-click **iexplore.exe**, and then click **Modify**. - -7. In the **Value data** box, enter **1**, and then click **OK**. - -8. Exit the registry editor. - -## Updating your automatic configuration settings -After adding the `FEATURE\AUTOCONFIG\BRANDING` registry key, you can change your automatic configuration settings to pick up the updated branding. -

Important
Your branding changes won't be added or updated if you've previously chosen the Disable external branding of IE setting in the User Configuration\Administrative Templates\Windows Components\Internet Explorer Group Policy object. This setting is intended to prevent branding by a third-party, like an Internet service or content provider. For more information about Group Policy, including videos and the latest technical documentation, see the Group Policy TechCenter. - - **To update your settings** - -1. Open the IE Customization Wizard 11, and go to the **Automatic Configuration** page. - -2. Choose the **Automatically detect configuration settings** check box to allow automatic detection of browser settings. - -3. Choose the **Enable Automatic Configuration** box to let you change the rest of the configuration options, including: - - - **Automatically configure every box:** Type how often IE should check for configuration updates. Typing **0** (zero), or not putting in any number, means that automatic configuration only happens when the computer restarts. - - - **Automatic Configuration URL (.INS file) box:** Type the location of your automatic configuration script. - - - **Automatic proxy URL (.JS, .JVS, or .PAC file) box:** Type the location of your automatic proxy script.

**Important**
Internet Explorer 11 no longer supports using file server locations with your proxy configuration (.pac) files. To keep using your .pac files, you have to keep them on a web server and reference them using a URL, like `https://share/test.ins`.
-
-If your branding changes aren't correctly deployed after running through this process, see [Auto configuration and auto proxy problems with Internet Explorer 11](auto-configuration-and-auto-proxy-problems-with-ie11.md).
-
-## Locking your automatic configuration settings
-You have two options to restrict your users' ability to override the automatic configuration settings, based on your environment.
-
-- **Using Microsoft Active Directory.** Choose **Disable changing Automatic Configuration settings** from the Administrative Templates setting.
-
-- **Not Using Active Directory.** Choose the **Disable changing Automatic Configuration settings** setting in the `User Configuration\Administrative Templates\Windows Components\Internet Explorer` Group Policy object.
-
-
-
-
-
-
-
+---
+ms.localizationpriority: medium
+ms.mktglfcycl: deploy
+ms.pagetype: networking
+description: Auto configuration settings for Internet Explorer 11
+author: dansimp
+ms.prod: ie11
+ms.assetid: 90308d59-45b9-4639-ab1b-497e5ba19023
+ms.reviewer:
+audience: itpro
+manager: dansimp
+ms.author: dansimp
+title: Auto configuration settings for Internet Explorer 11 (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
+ms.date: 07/27/2017
+---
+
+
+# Auto configuration settings for Internet Explorer 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+Automatic configuration lets you apply custom branding and graphics to your internal Internet Explorer installations, running on Windows 8.1 or Windows Server 2012 R2.
For more information about adding custom branding and graphics to your IE package, see [Customize the toolbar button and Favorites List icons using IEAK 11](../ie11-ieak/guidelines-toolbar-and-favorites-list-ieak11.md).

**Important**
You'll only see and be able to use the **IE Customization Wizard 11 - Automatic Configuration** page if you're creating an internal IE installation package. For more information about the **IE Customization Wizard 11 - Automatic Configuration** page, see [Use the Automatic Configuration page in the IEAK 11 Wizard](../ie11-ieak/auto-config-ieak11-wizard.md). + +## Adding the automatic configuration registry key +For custom graphics and branding, add the `FEATURE\AUTOCONFIG\BRANDING` registry key to your IE installation package.

**Important**
Follow these directions carefully because serious problems can occur if you update your registry incorrectly. For added protection, back up your registry so you can restore it if a problem occurs.
+
+ **To add the registry key**
+
+1. On the **Start** screen, type **regedit**, and then click **Regedit.exe**.
+
+2. Right-click the `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl` subkey, point to **New**, and then click **Key**.
+
+3. Enter the new key name, `FEATURE\AUTOCONFIG\BRANDING`, and then press Enter.
+
+4. Right-click `FEATURE\AUTOCONFIG\BRANDING`, point to **New**, and then click **DWORD (32-bit) Value**.
+
+5. Enter the new DWORD value name, **iexplore.exe**, and then press Enter.
+
+6. Right-click **iexplore.exe**, and then click **Modify**.
+
+7. In the **Value data** box, enter **1**, and then click **OK**.
+
+8. Exit the registry editor.
+
+## Updating your automatic configuration settings
+After adding the `FEATURE\AUTOCONFIG\BRANDING` registry key, you can change your automatic configuration settings to pick up the updated branding.
+

Important
Your branding changes won't be added or updated if you've previously chosen the Disable external branding of IE setting in the User Configuration\Administrative Templates\Windows Components\Internet Explorer Group Policy object. This setting is intended to prevent branding by a third-party, like an Internet service or content provider. For more information about Group Policy, including videos and the latest technical documentation, see the Group Policy TechCenter.
+
+ **To update your settings**
+
+1. Open the IE Customization Wizard 11, and go to the **Automatic Configuration** page.
+
+2. Choose the **Automatically detect configuration settings** check box to allow automatic detection of browser settings.
+
+3. Choose the **Enable Automatic Configuration** box to let you change the rest of the configuration options, including:
+
+ - **Automatically configure every box:** Type how often IE should check for configuration updates. Typing **0** (zero), or not putting in any number, means that automatic configuration only happens when the computer restarts.
+
+ - **Automatic Configuration URL (.INS file) box:** Type the location of your automatic configuration script.
+
+ - **Automatic proxy URL (.JS, .JVS, or .PAC file) box:** Type the location of your automatic proxy script.

**Important**
Internet Explorer 11 no longer supports using file server locations with your proxy configuration (.pac) files. To keep using your .pac files, you have to keep them on a web server and reference them using a URL, like `https://share/test.ins`.
+
+If your branding changes aren't correctly deployed after running through this process, see [Auto configuration and auto proxy problems with Internet Explorer 11](auto-configuration-and-auto-proxy-problems-with-ie11.md).
+
+## Locking your automatic configuration settings
+You have two options to restrict your users' ability to override the automatic configuration settings, based on your environment.
+
+- **Using Microsoft Active Directory.** Choose **Disable changing Automatic Configuration settings** from the Administrative Templates setting.
+
+- **Not Using Active Directory.** Choose the **Disable changing Automatic Configuration settings** setting in the `User Configuration\Administrative Templates\Windows Components\Internet Explorer` Group Policy object.
+
+
+
+
+
+
+
diff --git a/browsers/internet-explorer/ie11-deploy-guide/auto-detect-settings-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/auto-detect-settings-for-ie11.md
index 6d58aac85b..3e2c898988 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/auto-detect-settings-for-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/auto-detect-settings-for-ie11.md
@@ -1,55 +1,59 @@
----
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-ms.pagetype: networking
-description: Auto detect settings Internet Explorer 11
-author: dansimp
-ms.prod: ie11
-ms.assetid: c6753cf4-3276-43c5-aae9-200e9e82753f
-ms.reviewer:
-audience: itpro manager: dansimp
-ms.author: dansimp
-title: Auto detect settings Internet Explorer 11 (Internet Explorer 11 for IT Pros)
-ms.sitesec: library
-ms.date: 07/27/2017
----
-
-
-# Auto detect settings Internet Explorer 11
-After you specify the specific settings related to automatic detection on your Dynamic Host Configuration Protocol (DHCP) and Domain Name System (DNS) servers, you can set up your users' browser settings from a central location.
-
-Automatic detection works even if the browser wasn't originally set up or installed by the administrator.
-
-- **Using DHCP servers:** For local area network (LAN)-based users. This server type lets you specify your global and subnet TCP/IP parameters centrally, defining your users' parameters by using reserved addresses. By doing it this way, a computer can move between subnets, automatically reconfiguring for TCP/IP when it starts.
-
-- **Using DNS servers:** For users on dial-up connections. This server type uses a set of protocols and services on a TCP/IP network, which lets users search for other computers by using hierarchical, user-friendly names (hosts), instead of numeric IP addresses.

**Note**
DHCP has a higher priority than DNS for automatic configuration. If DHCP provides the URL to a .pac, .jvs, .js, or .ins configuration file, the process stops and the DNS lookup doesn't happen.
-
-## Updating your automatic detection settings
-To use automatic detection, you have to set up your DHCP and DNS servers.

**Note**
Your DHCP servers must support the `DHCPINFORM` message, to obtain the DHCP options. - - **To turn on automatic detection for DHCP servers** - -1. Open the Internet Explorer Customization Wizard 11, and go to the **Automatic Configuration** page. - -2. Choose the **Automatically detect configuration settings** box to automatically detect your browser settings. For more information about the **Automatic Configuration** page, see [Use the Automatic Configuration page in the IEAK 11 Wizard](../ie11-ieak/auto-config-ieak11-wizard.md). - -3. Open the [DHCP Administrative Tool](https://go.microsoft.com/fwlink/p/?LinkId=302212), create a new option type, using the code number 252, and then associate it with the URL to your configuration file. For detailed instructions about how to do this, see [Create an option 252 entry in DHCP](https://go.microsoft.com/fwlink/p/?LinkId=294649). - - **To turn on automatic detection for DNS servers** - -4. Open the IE Customization Wizard 11, and go to the **Automatic Configuration** page. - -5. Choose the **Automatically detect configuration settings** box to automatically detect your browser settings. - -6. In your DNS database file, create a host record named, **WPAD**. This record has the IP address of the web server storing your automatic configuration (.js, .jvs, .pac, or .ins) file.

**-OR-**

Create a canonical name (CNAME) alias record named, **WPAD**. This record has the resolved name (not the IP address) of the server storing your automatic configuration (.pac) file.

**Note**
For more information about creating a **WPAD** entry, see [Creating a WPAD entry in DNS](https://go.microsoft.com/fwlink/p/?LinkId=294651).
-
-7. After the database file propagates to the server, the DNS name, `wpad..com` resolves to the server name that includes your automatic configuration file.

**Note**
Internet Explorer 11 creates a default URL template based on the host name, **wpad**. For example, `https://wpad..com/wpad.dat`. Because of this, you need to set up a file or redirection point in your web server **WPAD** record, named **wpad.dat**. The **wpad.dat** record delivers the contents of your automatic configuration file.
-
-
-
-
-
-
-
-
-
+---
+ms.localizationpriority: medium
+ms.mktglfcycl: deploy
+ms.pagetype: networking
+description: Auto detect settings Internet Explorer 11
+author: dansimp
+ms.prod: ie11
+ms.assetid: c6753cf4-3276-43c5-aae9-200e9e82753f
+ms.reviewer:
+audience: itpro
+manager: dansimp
+ms.author: dansimp
+title: Auto detect settings Internet Explorer 11 (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
+ms.date: 07/27/2017
+---
+
+
+# Auto detect settings Internet Explorer 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+After you specify the specific settings related to automatic detection on your Dynamic Host Configuration Protocol (DHCP) and Domain Name System (DNS) servers, you can set up your users' browser settings from a central location.
+
+Automatic detection works even if the browser wasn't originally set up or installed by the administrator.
+
+- **Using DHCP servers:** For local area network (LAN)-based users. This server type lets you specify your global and subnet TCP/IP parameters centrally, defining your users' parameters by using reserved addresses. By doing it this way, a computer can move between subnets, automatically reconfiguring for TCP/IP when it starts.
+
+- **Using DNS servers:** For users on dial-up connections. This server type uses a set of protocols and services on a TCP/IP network, which lets users search for other computers by using hierarchical, user-friendly names (hosts), instead of numeric IP addresses.

**Note**
DHCP has a higher priority than DNS for automatic configuration. If DHCP provides the URL to a .pac, .jvs, .js, or .ins configuration file, the process stops and the DNS lookup doesn't happen.
+
+## Updating your automatic detection settings
+To use automatic detection, you have to set up your DHCP and DNS servers.

**Note**
Your DHCP servers must support the `DHCPINFORM` message, to obtain the DHCP options.
+
+ **To turn on automatic detection for DHCP servers**
+
+1. Open the Internet Explorer Customization Wizard 11, and go to the **Automatic Configuration** page.
+
+2. Choose the **Automatically detect configuration settings** box to automatically detect your browser settings. For more information about the **Automatic Configuration** page, see [Use the Automatic Configuration page in the IEAK 11 Wizard](../ie11-ieak/auto-config-ieak11-wizard.md).
+
+3. Open the [DHCP Administrative Tool](https://go.microsoft.com/fwlink/p/?LinkId=302212), create a new option type, using the code number 252, and then associate it with the URL to your configuration file. For detailed instructions about how to do this, see [Create an option 252 entry in DHCP](https://go.microsoft.com/fwlink/p/?LinkId=294649).
+
+ **To turn on automatic detection for DNS servers**
+
+4. Open the IE Customization Wizard 11, and go to the **Automatic Configuration** page.
+
+5. Choose the **Automatically detect configuration settings** box to automatically detect your browser settings.
+
+6. In your DNS database file, create a host record named, **WPAD**. This record has the IP address of the web server storing your automatic configuration (.js, .jvs, .pac, or .ins) file.

**-OR-**

Create a canonical name (CNAME) alias record named, **WPAD**. This record has the resolved name (not the IP address) of the server storing your automatic configuration (.pac) file.

**Note**
For more information about creating a **WPAD** entry, see [Creating a WPAD entry in DNS](https://go.microsoft.com/fwlink/p/?LinkId=294651).
+
+7. After the database file propagates to the server, the DNS name, `wpad..com` resolves to the server name that includes your automatic configuration file.

**Note**
Internet Explorer 11 creates a default URL template based on the host name, **wpad**. For example, `https://wpad..com/wpad.dat`. Because of this, you need to set up a file or redirection point in your web server **WPAD** record, named **wpad.dat**. The **wpad.dat** record delivers the contents of your automatic configuration file.
+
+
+
+
+
+
+
+
+
diff --git a/browsers/internet-explorer/ie11-deploy-guide/auto-proxy-configuration-settings-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/auto-proxy-configuration-settings-for-ie11.md
index bd7bd5c030..f285933bcb 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/auto-proxy-configuration-settings-for-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/auto-proxy-configuration-settings-for-ie11.md
@@ -1,50 +1,54 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: networking -description: Auto proxy configuration settings for Internet Explorer 11 -author: dansimp -ms.prod: ie11 -ms.assetid: 5120aaf9-8ead-438a-8472-3cdd924b7d9e -ms.reviewer: -audience: itpro manager: dansimp -ms.author: dansimp -title: Auto proxy configuration settings for Internet Explorer 11 (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Auto proxy configuration settings for Internet Explorer 11 -Configure and maintain your proxy settings, like pointing your users' browsers to your automatic proxy script, through the Internet Explorer Customization Wizard 11 running on either Windows 8.1 or Windows Server 2012 R2. - -## Updating your auto-proxy settings -You can use your Internet settings (.ins) files to set up your standard proxy settings. You can also specify script files (.js, .jvs, or .pac) to configure and maintain your advanced proxy settings. IE uses your auto-proxy script files to dynamically determine whether to connect to a host or use a proxy server. If a proxy server connection fails, Internet Explorer 11 automatically attempts to connect to another proxy server that you have specified. - - **To update your settings** - -1. Create a script file with your proxy information, copying it to a server location. - -2. Open the IE Customization Wizard 11, and go to the **Automatic Configuration** page. - -3. Choose the **Enable Automatic Configuration** box to let you change the rest of the configuration options, including: - - - **Automatically configure every box:** Type how often IE should check for configuration updates. Typing **0** (zero), or not putting in any number, means that updates only happen when the computer restarts. - - - **Automatic Configuration URL (.INS file) box:** Type the location of the .ins file you want to use for automatic configuration. 
For more information about setting up **Automatic Configuration**, see [Auto configuration settings for Internet Explorer 11](auto-configuration-settings-for-ie11.md). - - - **Automatic proxy URL (.JS, .JVS, or .PAC file) box:** Type the location of your automatic proxy script. This script runs whenever IE11 makes a network request and can include multiple proxy servers for each protocol type.

**Important**
IE11 no longer supports using file server locations with your proxy configuration (.pac) files. To keep using your .pac files, you have to keep them on a web server and reference them using a URL, like `https://share/test.ins`. - -## Locking your auto-proxy settings -You have two options to restrict your users' ability to override the automatic configuration settings, based on your environment. - -- **Using Microsoft Active Directory.** Choose **Disable changing proxy settings** from the Administrative Templates setting. - -- **Not Using Active Directory.** Choose the **Prevent changing proxy settings** setting in the `User Configuration\Administrative Templates\Windows Components\Internet Explorer` Group Policy object. For more information about Group Policy, see the [Group Policy TechCenter](https://go.microsoft.com/fwlink/p/?LinkId=214514). - -  - -  - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: networking +description: Auto proxy configuration settings for Internet Explorer 11 +author: dansimp +ms.prod: ie11 +ms.assetid: 5120aaf9-8ead-438a-8472-3cdd924b7d9e +ms.reviewer: +audience: itpro +manager: dansimp +ms.author: dansimp +title: Auto proxy configuration settings for Internet Explorer 11 (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Auto proxy configuration settings for Internet Explorer 11 + +[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)] + +Configure and maintain your proxy settings, like pointing your users' browsers to your automatic proxy script, through the Internet Explorer Customization Wizard 11 running on either Windows 8.1 or Windows Server 2012 R2. + +## Updating your auto-proxy settings +You can use your Internet settings (.ins) files to set up your standard proxy settings. You can also specify script files (.js, .jvs, or .pac) to configure and maintain your advanced proxy settings. 
IE uses your auto-proxy script files to dynamically determine whether to connect to a host or use a proxy server. If a proxy server connection fails, Internet Explorer 11 automatically attempts to connect to another proxy server that you have specified. + + **To update your settings** + +1. Create a script file with your proxy information, copying it to a server location. + +2. Open the IE Customization Wizard 11, and go to the **Automatic Configuration** page. + +3. Choose the **Enable Automatic Configuration** box to let you change the rest of the configuration options, including: + + - **Automatically configure every box:** Type how often IE should check for configuration updates. Typing **0** (zero), or not putting in any number, means that updates only happen when the computer restarts. + + - **Automatic Configuration URL (.INS file) box:** Type the location of the .ins file you want to use for automatic configuration. For more information about setting up **Automatic Configuration**, see [Auto configuration settings for Internet Explorer 11](auto-configuration-settings-for-ie11.md). + + - **Automatic proxy URL (.JS, .JVS, or .PAC file) box:** Type the location of your automatic proxy script. This script runs whenever IE11 makes a network request and can include multiple proxy servers for each protocol type.

**Important**
IE11 no longer supports using file server locations with your proxy configuration (.pac) files. To keep using your .pac files, you have to keep them on a web server and reference them using a URL, like `https://share/test.ins`. + +## Locking your auto-proxy settings +You have two options to restrict your users' ability to override the automatic configuration settings, based on your environment. + +- **Using Microsoft Active Directory.** Choose **Disable changing proxy settings** from the Administrative Templates setting. + +- **Not Using Active Directory.** Choose the **Prevent changing proxy settings** setting in the `User Configuration\Administrative Templates\Windows Components\Internet Explorer` Group Policy object. For more information about Group Policy, see the [Group Policy TechCenter](https://go.microsoft.com/fwlink/p/?LinkId=214514). + +  + +  + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/blocked-out-of-date-activex-controls.md b/browsers/internet-explorer/ie11-deploy-guide/blocked-out-of-date-activex-controls.md index 12bd5502e3..17f6488e0a 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/blocked-out-of-date-activex-controls.md +++ b/browsers/internet-explorer/ie11-deploy-guide/blocked-out-of-date-activex-controls.md 
@@ -1,43 +1,47 @@ ---- -title: Blocked out-of-date ActiveX controls -description: This page is periodically updated with new ActiveX controls blocked by this feature. -author: dansimp -ms.author: dansimp -audience: itpro manager: dansimp -ms.date: 05/10/2018 -ms.topic: article -ms.prod: ie11 -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: security -ms.assetid: '' -ms.reviewer: -ms.sitesec: library ---- - -# Blocked out-of-date ActiveX controls - -ActiveX controls are small apps that let websites provide content, like videos and games, and let you interact with content, like toolbars. Unfortunately, because many ActiveX controls aren't automatically updated, they can become outdated as new versions are released. It's very important that you keep your ActiveX controls up to date because malicious software (or malware) can target security flaws in outdated controls, damaging your computer by collecting info from it, installing unwanted software, or by letting someone else control it remotely. To help avoid this situation, Internet Explorer includes a security feature called _out-of-date ActiveX control blocking_. - -We'll periodically update this page with new ActiveX controls blocked by this feature. We'll typically provide one month's advance notice before adding new controls to the list. 
- -You will receive a notification if a webpage tries to load one of the following of ActiveX control versions: - -**Java** - -| Java 2 Platform, Standard Edition (J2SE) 1.4, everything below (but not including) update 43 | -|----------------------------------------------------------------------------------------------| -| J2SE 5.0, everything below (but not including) update 99 | -| Java SE 6, everything below (but not including) update 181 | -| Java SE 7, everything below (but not including) update 171 | -| Java SE 8, everything below (but not including) update 161 | -| Java SE 9, everything below (but not including) update 4 | - -**Silverlight** - - -| Everything below (but not including) Silverlight 5.1.50907.0 | -|--------------------------------------------------------------| -| | - -For more information, see [Out-of-date ActiveX control blocking](out-of-date-activex-control-blocking.md) and [Internet Explorer begins blocking out-of-date ActiveX controls](https://blogs.msdn.com/b/ie/archive/2014/08/06/internet-explorer-begins-blocking-out-of-date-activex-controls.aspx). You can also view Microsoft's complete list of out-of-date ActiveX controls in the XML-based [version list](https://go.microsoft.com/fwlink/?LinkId=403864). +--- +title: Blocked out-of-date ActiveX controls +description: This page is periodically updated with new ActiveX controls blocked by this feature. +author: dansimp +ms.author: dansimp +audience: itpro +manager: dansimp +ms.date: 05/10/2018 +ms.topic: article +ms.prod: ie11 +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: security +ms.assetid: '' +ms.reviewer: +ms.sitesec: library +--- + +# Blocked out-of-date ActiveX controls + +[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)] + + +ActiveX controls are small apps that let websites provide content, like videos and games, and let you interact with content, like toolbars. 
Unfortunately, because many ActiveX controls aren't automatically updated, they can become outdated as new versions are released. It's very important that you keep your ActiveX controls up to date because malicious software (or malware) can target security flaws in outdated controls, damaging your computer by collecting info from it, installing unwanted software, or by letting someone else control it remotely. To help avoid this situation, Internet Explorer includes a security feature called _out-of-date ActiveX control blocking_. + +We'll periodically update this page with new ActiveX controls blocked by this feature. We'll typically provide one month's advance notice before adding new controls to the list. + +You will receive a notification if a webpage tries to load one of the following of ActiveX control versions: + +**Java** + +| Java 2 Platform, Standard Edition (J2SE) 1.4, everything below (but not including) update 43 | +|----------------------------------------------------------------------------------------------| +| J2SE 5.0, everything below (but not including) update 99 | +| Java SE 6, everything below (but not including) update 181 | +| Java SE 7, everything below (but not including) update 171 | +| Java SE 8, everything below (but not including) update 161 | +| Java SE 9, everything below (but not including) update 4 | + +**Silverlight** + + +| Everything below (but not including) Silverlight 5.1.50907.0 | +|--------------------------------------------------------------| +| | + +For more information, see [Out-of-date ActiveX control blocking](out-of-date-activex-control-blocking.md) and [Internet Explorer begins blocking out-of-date ActiveX controls](https://blogs.msdn.com/b/ie/archive/2014/08/06/internet-explorer-begins-blocking-out-of-date-activex-controls.aspx). You can also view Microsoft's complete list of out-of-date ActiveX controls in the XML-based [version list](https://go.microsoft.com/fwlink/?LinkId=403864). 
diff --git a/browsers/internet-explorer/ie11-deploy-guide/browser-cache-changes-and-roaming-profiles.md b/browsers/internet-explorer/ie11-deploy-guide/browser-cache-changes-and-roaming-profiles.md index fe61c67cf5..9aca832f3e 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/browser-cache-changes-and-roaming-profiles.md +++ b/browsers/internet-explorer/ie11-deploy-guide/browser-cache-changes-and-roaming-profiles.md @@ -1,38 +1,42 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.pagetype: performance -description: Browser cache changes and roaming profiles -author: dansimp -ms.prod: ie11 -ms.assetid: 85f0cd01-6f82-4bd1-9c0b-285af1ce3436 -ms.reviewer: -audience: itpro manager: dansimp -ms.author: dansimp -title: Browser cache changes and roaming profiles (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 10/16/2017 ---- - - -# Browser cache changes and roaming profiles -We’ve redesigned the browser cache to improve the performance, flexibility, reliability, and scalability of Internet Explorer and the apps that rely on the Windows Internet (WinINet) cache. Our new database design stops multiple clients from simultaneously accessing and using cached information, while also providing a higher level of data integrity. - -You won’t notice any changes to the management of your roaming profile data if you use our new database implementation in conjunction with the [roaming user profile guidelines](https://go.microsoft.com/fwlink/p/?LinkId=401544). This means that IE data that’s stored in the `AppData\Roaming` user profile folder is still be uploaded to your normal profile storage location after a user successfully logs off.

**Note**
Cookies in a roaming profile can only be set by Internet Explorer for the desktop, with Enhanced Protected Mode turned off. Cookies set by the immersive version of IE or by Microsoft Store apps, can’t be part of a roaming profile. For more information about persistent cookies and roaming, see [Persistent cookies are not roamed in Internet Explorer](https://go.microsoft.com/fwlink/p/?LinkId=401545). - -To get the best results while using roaming profiles, we strongly recommend the following: - -- Create a separate roaming repository for each domain account that uses roaming. - -- Restrict roaming user profiles so they work on only one computer at a time. Using a single roaming profile on multiple computers isn’t supported (via console or Remote Desktop) and can cause unpredictable results, including cookie loss. - -- Allow all computers that let users sign-on with a roaming profile have identical IE cookie policies and settings. - -- Make sure to delete the user’s local roaming profile at sign off for any computer using user profile roaming. You can do this by turning on the **Delete cached copies of roaming profiles** Group Policy Object. - -  - -  - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: performance +description: Browser cache changes and roaming profiles +author: dansimp +ms.prod: ie11 +ms.assetid: 85f0cd01-6f82-4bd1-9c0b-285af1ce3436 +ms.reviewer: +audience: itpro +manager: dansimp +ms.author: dansimp +title: Browser cache changes and roaming profiles (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 10/16/2017 +--- + + +# Browser cache changes and roaming profiles + +[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)] + +We’ve redesigned the browser cache to improve the performance, flexibility, reliability, and scalability of Internet Explorer and the apps that rely on the Windows Internet (WinINet) cache. 
Our new database design stops multiple clients from simultaneously accessing and using cached information, while also providing a higher level of data integrity. + +You won’t notice any changes to the management of your roaming profile data if you use our new database implementation in conjunction with the [roaming user profile guidelines](https://go.microsoft.com/fwlink/p/?LinkId=401544). This means that IE data that’s stored in the `AppData\Roaming` user profile folder is still be uploaded to your normal profile storage location after a user successfully logs off.

**Note**
Cookies in a roaming profile can only be set by Internet Explorer for the desktop, with Enhanced Protected Mode turned off. Cookies set by the immersive version of IE or by Microsoft Store apps, can’t be part of a roaming profile. For more information about persistent cookies and roaming, see [Persistent cookies are not roamed in Internet Explorer](https://go.microsoft.com/fwlink/p/?LinkId=401545). + +To get the best results while using roaming profiles, we strongly recommend the following: + +- Create a separate roaming repository for each domain account that uses roaming. + +- Restrict roaming user profiles so they work on only one computer at a time. Using a single roaming profile on multiple computers isn’t supported (via console or Remote Desktop) and can cause unpredictable results, including cookie loss. + +- Allow all computers that let users sign-on with a roaming profile have identical IE cookie policies and settings. + +- Make sure to delete the user’s local roaming profile at sign off for any computer using user profile roaming. You can do this by turning on the **Delete cached copies of roaming profiles** Group Policy Object. + +  + +  + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/change-history-for-internet-explorer-11.md b/browsers/internet-explorer/ie11-deploy-guide/change-history-for-internet-explorer-11.md index d3cae2a67a..f358312bbc 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/change-history-for-internet-explorer-11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/change-history-for-internet-explorer-11.md 
@@ -1,56 +1,60 @@ ---- -ms.localizationpriority: medium -title: Change history for Internet Explorer 11 (IE11) - Deployment Guide for IT Pros (Internet Explorer 11 for IT Pros) -description: This topic lists new and updated topics in the Internet Explorer 11 Deployment Guide documentation for Windows 10 and Windows 10 Mobile. -ms.mktglfcycl: deploy -ms.prod: ie11 -ms.sitesec: library -author: dansimp -ms.date: 07/27/2017 -ms.reviewer: -audience: itpro manager: dansimp -ms.author: dansimp ---- - - -# Change history for Internet Explorer 11 -This topic lists new and updated topics in the Internet Explorer 11 documentation for both Windows 10 and Windows 10 Mobile. - -## April 2017 -|New or changed topic | Description | -|----------------------|-------------| -|[Enterprise Mode for Internet Explorer 11](enterprise-mode-overview-for-ie11.md)|Updates to the Enterprise Mode section to include info about the Enterprise Mode Site List Portal. | - -## March 2017 -|New or changed topic | Description | -|----------------------|-------------| -|[New group policy settings for Internet Explorer 11](new-group-policy-settings-for-ie11.md) |Updated to add the Allow VBScript to run in Internet Explorer and the Hide the button (next to the New Tab button) that opens Microsoft Edge settings. | - -## November 2016 -|New or changed topic | Description | -|----------------------|-------------| -|[Collect data using Enterprise Site Discovery](collect-data-using-enterprise-site-discovery.md) |Updated the DocMode reason section to correct Code 8 and to add Code 9.| - -## August 2016 -|New or changed topic | Description | -|----------------------|-------------| -|[Enterprise Mode schema v.2 guidance](enterprise-mode-schema-version-2-guidance.md) |Updated to remove the IP range restrictions and to add code examples for both IPv4 and IPv6 addresses. 
| -|[Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md) |Updated to remove the IP range restrictions and to add code examples for both IPv4 and IPv6 addresses. | -|[Collect data using Enterprise Site Discovery](collect-data-using-enterprise-site-discovery.md)|Added the Understanding the returned reason codes section to the topic. | - -## July 2016 -|New or changed topic | Description | -|----------------------|-------------| -|[New group policy settings for Internet Explorer 11](new-group-policy-settings-for-ie11.md) |Updated to include the comprehensive list of Group Policies that were added with Internet Explorer 11. | - -## June 2016 -|New or changed topic | Description | -|----------------------|-------------| -|[New group policy settings for Internet Explorer 11](new-group-policy-settings-for-ie11.md) |Updated with 2 new policies, Send all sites not included in the Enterprise Mode Site List to Microsoft Edge and Show message when opening sites in Microsoft Edge using Enterprise Mode. | - - -## May 2016 -|New or changed topic | Description | -|----------------------|-------------| -|[Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md) | Added info about using <emie> and <docMode> together. | - +--- +ms.localizationpriority: medium +title: Change history for Internet Explorer 11 (IE11) - Deployment Guide for IT Pros (Internet Explorer 11 for IT Pros) +description: This topic lists new and updated topics in the Internet Explorer 11 Deployment Guide documentation for Windows 10 and Windows 10 Mobile. 
+ms.mktglfcycl: deploy +ms.prod: ie11 +ms.sitesec: library +author: dansimp +ms.date: 07/27/2017 +ms.reviewer: +audience: itpro +manager: dansimp +ms.author: dansimp +--- + + +# Change history for Internet Explorer 11 + +[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)] + +This topic lists new and updated topics in the Internet Explorer 11 documentation for both Windows 10 and Windows 10 Mobile. + +## April 2017 +|New or changed topic | Description | +|----------------------|-------------| +|[Enterprise Mode for Internet Explorer 11](enterprise-mode-overview-for-ie11.md)|Updates to the Enterprise Mode section to include info about the Enterprise Mode Site List Portal. | + +## March 2017 +|New or changed topic | Description | +|----------------------|-------------| +|[New group policy settings for Internet Explorer 11](new-group-policy-settings-for-ie11.md) |Updated to add the Allow VBScript to run in Internet Explorer and the Hide the button (next to the New Tab button) that opens Microsoft Edge settings. | + +## November 2016 +|New or changed topic | Description | +|----------------------|-------------| +|[Collect data using Enterprise Site Discovery](collect-data-using-enterprise-site-discovery.md) |Updated the DocMode reason section to correct Code 8 and to add Code 9.| + +## August 2016 +|New or changed topic | Description | +|----------------------|-------------| +|[Enterprise Mode schema v.2 guidance](enterprise-mode-schema-version-2-guidance.md) |Updated to remove the IP range restrictions and to add code examples for both IPv4 and IPv6 addresses. | +|[Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md) |Updated to remove the IP range restrictions and to add code examples for both IPv4 and IPv6 addresses. 
| +|[Collect data using Enterprise Site Discovery](collect-data-using-enterprise-site-discovery.md)|Added the Understanding the returned reason codes section to the topic. | + +## July 2016 +|New or changed topic | Description | +|----------------------|-------------| +|[New group policy settings for Internet Explorer 11](new-group-policy-settings-for-ie11.md) |Updated to include the comprehensive list of Group Policies that were added with Internet Explorer 11. | + +## June 2016 +|New or changed topic | Description | +|----------------------|-------------| +|[New group policy settings for Internet Explorer 11](new-group-policy-settings-for-ie11.md) |Updated with 2 new policies, Send all sites not included in the Enterprise Mode Site List to Microsoft Edge and Show message when opening sites in Microsoft Edge using Enterprise Mode. | + + +## May 2016 +|New or changed topic | Description | +|----------------------|-------------| +|[Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md) | Added info about using <emie> and <docMode> together. | + diff --git a/browsers/internet-explorer/ie11-deploy-guide/check-for-new-enterprise-mode-site-list-xml-file.md b/browsers/internet-explorer/ie11-deploy-guide/check-for-new-enterprise-mode-site-list-xml-file.md index 0b2d9ff141..9b4b3e6f1f 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/check-for-new-enterprise-mode-site-list-xml-file.md +++ b/browsers/internet-explorer/ie11-deploy-guide/check-for-new-enterprise-mode-site-list-xml-file.md 
@@ -1,51 +1,55 @@ ---- -title: Check for a new Enterprise Mode site list xml file (Internet Explorer 11 for IT Pros) -description: You can have centralized control over Enterprise Mode by creating a single, global XML site list that includes the list of websites to render using Enterprise Mode. -ms.assetid: 2bbc7017-622e-4baa-8981-c0bbda10e9df -ms.reviewer: -audience: itpro manager: dansimp -ms.prod: ie11 -ms.mktglfcycl: deploy -ms.pagetype: appcompat -ms.sitesec: library -author: dansimp -ms.author: dansimp -ms.date: 08/14/2017 -ms.localizationpriority: medium ---- - - -# Check for a new Enterprise Mode site list xml file - -**Applies to:** - -- Windows 10 -- Windows 8.1 -- Windows 7 -- Windows Server 2012 R2 -- Windows Server 2008 R2 with Service Pack 1 (SP1) - -You can have centralized control over Enterprise Mode by creating a single, global XML site list that includes the list of websites to render using Enterprise Mode. You can add and remove sites from your XML list as frequently as you want, changing which sites should render in Enterprise Mode for your employees. For information about turning on Enterprise Mode and using site lists, see [Turn on Enterprise Mode and use a site list](turn-on-enterprise-mode-and-use-a-site-list.md). - -The information in this topic only covers HTTPS protocol. We strongly recommend that you use HTTPS protocol instead of file protocol due to increased performance. - -**How Internet Explorer 11 looks for an updated site list** - -1. Internet Explorer starts up and looks for an updated site list in the following places: - - 1. **In the cache container.** IE first checks the cache container to see if it finds your XML site list. - - 2. **In the local cache.** If there’s nothing in the cache container, IE checks your local cache for the site list. - - 3. **On the server.** Based on standard IE caching rules, IE might look for a copy of your site list in the location you put specified in the **SiteList** value of the registry. - -2. 
If there’s an .xml file in the cache container, IE waits 65 seconds and then checks the local cache for a newer version of the file from the server, based on standard caching rules. If the server file has a different version number than the version in the cache container, the server file is used and stored in the cache container.

**Note**
If you’re already using a site list, enterprise mode continues to work during the 65 second wait; it just uses your existing site list instead of your new one. - -   - -  - -  - - - +--- +title: Check for a new Enterprise Mode site list xml file (Internet Explorer 11 for IT Pros) +description: You can have centralized control over Enterprise Mode by creating a single, global XML site list that includes the list of websites to render using Enterprise Mode. +ms.assetid: 2bbc7017-622e-4baa-8981-c0bbda10e9df +ms.reviewer: +audience: itpro +manager: dansimp +ms.prod: ie11 +ms.mktglfcycl: deploy +ms.pagetype: appcompat +ms.sitesec: library +author: dansimp +ms.author: dansimp +ms.date: 08/14/2017 +ms.localizationpriority: medium +--- + + +# Check for a new Enterprise Mode site list xml file + +[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)] + + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +You can have centralized control over Enterprise Mode by creating a single, global XML site list that includes the list of websites to render using Enterprise Mode. You can add and remove sites from your XML list as frequently as you want, changing which sites should render in Enterprise Mode for your employees. For information about turning on Enterprise Mode and using site lists, see [Turn on Enterprise Mode and use a site list](turn-on-enterprise-mode-and-use-a-site-list.md). + +The information in this topic only covers HTTPS protocol. We strongly recommend that you use HTTPS protocol instead of file protocol due to increased performance. + +**How Internet Explorer 11 looks for an updated site list** + +1. Internet Explorer starts up and looks for an updated site list in the following places: + + 1. **In the cache container.** IE first checks the cache container to see if it finds your XML site list. + + 2. 
**In the local cache.** If there’s nothing in the cache container, IE checks your local cache for the site list. + + 3. **On the server.** Based on standard IE caching rules, IE might look for a copy of your site list in the location you put specified in the **SiteList** value of the registry. + +2. If there’s an .xml file in the cache container, IE waits 65 seconds and then checks the local cache for a newer version of the file from the server, based on standard caching rules. If the server file has a different version number than the version in the cache container, the server file is used and stored in the cache container.

**Note**
If you’re already using a site list, enterprise mode continues to work during the 65 second wait; it just uses your existing site list instead of your new one. + +   + +  + +  + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-deploy-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-deploy-ie11.md index c35d115df7..810264c501 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-deploy-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-deploy-ie11.md 
@@ -1,31 +1,35 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: Choose how to deploy Internet Explorer 11 (IE11) -author: dansimp -ms.prod: ie11 -ms.assetid: 21b6a301-c222-40bc-ad0b-27f66fc54d9d -ms.reviewer: -audience: itpro manager: dansimp -ms.author: dansimp -title: Choose how to deploy Internet Explorer 11 (IE11) (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Choose how to deploy Internet Explorer 11 (IE11) -In this section, you can learn about how to deploy your custom version of Internet Explorer using Automatic Version Synchronization (AVS) or using your software distribution tools. - -## In this section - -| Topic | Description | -|------------------------------------------------------------- | ------------------------------------------------------ | -|[Deploy IE11 using Automatic Version Synchronization (AVS)](deploy-ie11-using-automatic-version-synchronization-avs.md) |Guidance about how to deploy your custom browser packages using Automatic Version Synchronization (AVS). | -|[Deploy IE11 using software distribution tools](deploy-ie11-using-software-distribution-tools.md) |Guidance about how to deploy your custom browser packages using System Center 2012 R2, Windows Server Update Services (WSUS), Group Policy software installation, or Microsoft Deployment toolkit (MDT). 
| - - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: Choose how to deploy Internet Explorer 11 (IE11) +author: dansimp +ms.prod: ie11 +ms.assetid: 21b6a301-c222-40bc-ad0b-27f66fc54d9d +ms.reviewer: +audience: itpro +manager: dansimp +ms.author: dansimp +title: Choose how to deploy Internet Explorer 11 (IE11) (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Choose how to deploy Internet Explorer 11 (IE11) + +[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)] + +In this section, you can learn about how to deploy your custom version of Internet Explorer using Automatic Version Synchronization (AVS) or using your software distribution tools. + +## In this section + +| Topic | Description | +|------------------------------------------------------------- | ------------------------------------------------------ | +|[Deploy IE11 using Automatic Version Synchronization (AVS)](deploy-ie11-using-automatic-version-synchronization-avs.md) |Guidance about how to deploy your custom browser packages using Automatic Version Synchronization (AVS). | +|[Deploy IE11 using software distribution tools](deploy-ie11-using-software-distribution-tools.md) |Guidance about how to deploy your custom browser packages using System Center 2012 R2, Windows Server Update Services (WSUS), Group Policy software installation, or Microsoft Deployment toolkit (MDT). | + + + + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-install-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-install-ie11.md index 563f38160c..72a5766494 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-install-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-install-ie11.md 
@@ -1,37 +1,41 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: Choose how to install Internet Explorer 11 (IE11) -author: dansimp -ms.prod: ie11 -ms.assetid: 9572f5f1-5d67-483e-bd63-ffea95053481 -ms.reviewer: -audience: itpro manager: dansimp -ms.author: dansimp -title: Choose how to install Internet Explorer 11 (IE11) (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Choose how to install Internet Explorer 11 (IE11) -Before you install Internet Explorer 11, you should: - -- **Migrate Group Policy Objects.** Decide if your Group Policy Objects should migrate to the new version. - -- **Check vendor support for updated functionality.** Check whether third-party vendors have new versions or updates to necessary add-ons, apps, or code libraries. - -- **Choose the right version of Internet Explorer.** IE11 comes pre-installed on Windows 8.1 and Windows Server 2012 R2 or you can download it for Windows 7 SP1 or Windows Server 2008 R2 with Service Pack 1 (SP1) from the [Internet Explorer Downloads](https://go.microsoft.com/fwlink/p/?LinkId=214251) site. - -- **Choose how you'll deploy your installation package.** Your deployment method should be based on whether you're installing to computers already running Windows, or if you're deploying IE11 as part of a Windows installation. - - - **Existing computers running Windows.** Use System Center R2 2012 System Center 2012 R2 Configuration Manager, System Center Essentials 2010, Windows Server Updates Services (WSUS), or Microsoft Intune to deploy IE11. For more information about how to use these systems, see [System Center 2012 R2 Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkID=276664), [System Center Essentials 2010](https://go.microsoft.com/fwlink/p/?LinkId=395200), [Windows Server Update Services](https://go.microsoft.com/fwlink/p/?LinkID=276790), and [Microsoft Intune Overview](https://www.microsoft.com/cloud-platform/microsoft-intune). 
- - - **As part of a Windows deployment.** Update your Windows images to include IE11, and then add the update to your MDT deployment share or to your Windows image. For instructions about how to create and use Windows images, see [Create and Manage a Windows Image Using DISM](https://go.microsoft.com/fwlink/p/?LinkId=299408). For general information about deploying IE, see [Microsoft Deployment Toolkit (MDT)](https://go.microsoft.com/fwlink/p/?LinkId=331148), [Windows ADK Overview](https://go.microsoft.com/fwlink/p/?LinkId=276669). - -  - -  - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: Choose how to install Internet Explorer 11 (IE11) +author: dansimp +ms.prod: ie11 +ms.assetid: 9572f5f1-5d67-483e-bd63-ffea95053481 +ms.reviewer: +audience: itpro +manager: dansimp +ms.author: dansimp +title: Choose how to install Internet Explorer 11 (IE11) (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Choose how to install Internet Explorer 11 (IE11) + +[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)] + +Before you install Internet Explorer 11, you should: + +- **Migrate Group Policy Objects.** Decide if your Group Policy Objects should migrate to the new version. + +- **Check vendor support for updated functionality.** Check whether third-party vendors have new versions or updates to necessary add-ons, apps, or code libraries. + +- **Choose the right version of Internet Explorer.** IE11 comes pre-installed on Windows 8.1 and Windows Server 2012 R2 or you can download it for Windows 7 SP1 or Windows Server 2008 R2 with Service Pack 1 (SP1) from the [Internet Explorer Downloads](https://go.microsoft.com/fwlink/p/?LinkId=214251) site. 
+ +- **Choose how you'll deploy your installation package.** Your deployment method should be based on whether you're installing to computers already running Windows, or if you're deploying IE11 as part of a Windows installation. + + - **Existing computers running Windows.** Use System Center R2 2012 System Center 2012 R2 Configuration Manager, System Center Essentials 2010, Windows Server Updates Services (WSUS), or Microsoft Intune to deploy IE11. For more information about how to use these systems, see [System Center 2012 R2 Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkID=276664), [System Center Essentials 2010](https://go.microsoft.com/fwlink/p/?LinkId=395200), [Windows Server Update Services](https://go.microsoft.com/fwlink/p/?LinkID=276790), and [Microsoft Intune Overview](https://www.microsoft.com/cloud-platform/microsoft-intune). + + - **As part of a Windows deployment.** Update your Windows images to include IE11, and then add the update to your MDT deployment share or to your Windows image. For instructions about how to create and use Windows images, see [Create and Manage a Windows Image Using DISM](https://go.microsoft.com/fwlink/p/?LinkId=299408). For general information about deploying IE, see [Microsoft Deployment Toolkit (MDT)](https://go.microsoft.com/fwlink/p/?LinkId=331148), [Windows ADK Overview](https://go.microsoft.com/fwlink/p/?LinkId=276669). + +  + +  + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md b/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md index 12049fdcb9..0ffe059374 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md +++ b/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md 
@@ -16,6 +16,9 @@ ms.date: 07/27/2017 # Collect data using Enterprise Site Discovery +[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)] + + **Applies to:** - Windows 10 diff --git a/browsers/internet-explorer/ie11-deploy-guide/configure-settings-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/configure-settings-enterprise-mode-portal.md index d01fccf729..db62af6aab 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/configure-settings-enterprise-mode-portal.md +++ b/browsers/internet-explorer/ie11-deploy-guide/configure-settings-enterprise-mode-portal.md @@ -16,6 +16,9 @@ ms.author: dansimp # Use the Settings page to finish setting up the Enterprise Mode Site List Portal +[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)] + + **Applies to:** - Windows 10 diff --git a/browsers/internet-explorer/ie11-deploy-guide/create-change-request-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/create-change-request-enterprise-mode-portal.md index 278408ab38..ad4441c9e3 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/create-change-request-enterprise-mode-portal.md +++ b/browsers/internet-explorer/ie11-deploy-guide/create-change-request-enterprise-mode-portal.md @@ -16,6 +16,9 @@ ms.author: dansimp # Create a change request using the Enterprise Mode Site List Portal +[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)] + + **Applies to:** - Windows 10 diff --git a/browsers/internet-explorer/ie11-deploy-guide/create-install-packages-for-multiple-operating-systems-or-languages.md b/browsers/internet-explorer/ie11-deploy-guide/create-install-packages-for-multiple-operating-systems-or-languages.md index 6c260e93aa..395703b43d 100644 
--- a/browsers/internet-explorer/ie11-deploy-guide/create-install-packages-for-multiple-operating-systems-or-languages.md +++ b/browsers/internet-explorer/ie11-deploy-guide/create-install-packages-for-multiple-operating-systems-or-languages.md @@ -16,6 +16,9 @@ ms.date: 07/27/2017 # Create packages for multiple operating systems or languages + +[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)] + You'll create multiple versions of your custom browser package if: - You support more than 1 version of Windows®. diff --git a/browsers/internet-explorer/ie11-deploy-guide/customize-ie11-install-packages.md b/browsers/internet-explorer/ie11-deploy-guide/customize-ie11-install-packages.md index fc43585ae7..342b139714 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/customize-ie11-install-packages.md +++ b/browsers/internet-explorer/ie11-deploy-guide/customize-ie11-install-packages.md @@ -16,6 +16,9 @@ ms.date: 07/27/2017 # Customize Internet Explorer 11 installation packages + +[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)] + You can customize Internet Explorer 11 to support various browser behaviors, multiple operating system versions and languages, and Setup information (.inf) files. |Topic |Description | diff --git a/browsers/internet-explorer/ie11-deploy-guide/delete-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/delete-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md index b2c4c0f80a..843d917596 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/delete-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md +++ b/browsers/internet-explorer/ie11-deploy-guide/delete-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md 
@@ -18,6 +18,9 @@ ms.date: 07/27/2017 # Delete sites from your Enterprise Mode site list in the Enterprise Mode Site List Manager +[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)] + + **Applies to:** - Windows 10 diff --git a/browsers/internet-explorer/ie11-deploy-guide/deploy-ie11-using-automatic-version-synchronization-avs.md b/browsers/internet-explorer/ie11-deploy-guide/deploy-ie11-using-automatic-version-synchronization-avs.md index b9089ee16a..0f0c56de35 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/deploy-ie11-using-automatic-version-synchronization-avs.md +++ b/browsers/internet-explorer/ie11-deploy-guide/deploy-ie11-using-automatic-version-synchronization-avs.md @@ -15,6 +15,9 @@ ms.date: 07/27/2017 --- # Deploy Internet Explorer 11 using Automatic Version Synchronization (AVS) + +[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)] + You can deploy Internet Explorer 11 to your users' computers by using your custom browser packages and Automatic Version Synchronization (AVS). ## What is Automatic Version Synchronization? diff --git a/browsers/internet-explorer/ie11-deploy-guide/deploy-ie11-using-software-distribution-tools.md b/browsers/internet-explorer/ie11-deploy-guide/deploy-ie11-using-software-distribution-tools.md index dc31c3230e..c3940fbefd 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/deploy-ie11-using-software-distribution-tools.md +++ b/browsers/internet-explorer/ie11-deploy-guide/deploy-ie11-using-software-distribution-tools.md 
@@ -16,6 +16,9 @@ ms.date: 07/27/2017 # Deploy Internet Explorer 11 using software distribution tools + +[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)] + If you already manage software distribution and updates on your network through software distribution tools, you can also use these tools for ongoing deployments of Internet Explorer. Software distribution tools include: - **System Center R2 2012 System Center 2012 R2 Configuration Manager.** Deploy and install Internet Explorer 11 on your user's computers through a software distribution package. For more information about using this tool, see [System Center R2 2012 Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkID=276664). diff --git a/browsers/internet-explorer/ie11-deploy-guide/deploy-pinned-sites-using-mdt-2013.md b/browsers/internet-explorer/ie11-deploy-guide/deploy-pinned-sites-using-mdt-2013.md index 567b8fbeb8..0177418299 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/deploy-pinned-sites-using-mdt-2013.md +++ b/browsers/internet-explorer/ie11-deploy-guide/deploy-pinned-sites-using-mdt-2013.md @@ -17,6 +17,9 @@ ms.date: 07/27/2017 # Deploy pinned websites using Microsoft Deployment Toolkit (MDT) 2013 +[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)] + + **Applies to:** - Windows 10 diff --git a/browsers/internet-explorer/ie11-deploy-guide/deprecated-document-modes.md b/browsers/internet-explorer/ie11-deploy-guide/deprecated-document-modes.md index f0f44c2897..e8d1ec3d7d 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/deprecated-document-modes.md +++ b/browsers/internet-explorer/ie11-deploy-guide/deprecated-document-modes.md 
@@ -17,6 +17,9 @@ ms.date: 07/27/2017 # Deprecated document modes and Internet Explorer 11 +[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)] + + **Applies to:** - Windows 10 diff --git a/browsers/internet-explorer/ie11-deploy-guide/edit-the-enterprise-mode-site-list-using-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/edit-the-enterprise-mode-site-list-using-the-enterprise-mode-site-list-manager.md index 8ad5f3e6ad..29574ab860 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/edit-the-enterprise-mode-site-list-using-the-enterprise-mode-site-list-manager.md +++ b/browsers/internet-explorer/ie11-deploy-guide/edit-the-enterprise-mode-site-list-using-the-enterprise-mode-site-list-manager.md @@ -18,6 +18,9 @@ ms.date: 07/27/2017 # Edit the Enterprise Mode site list using the Enterprise Mode Site List Manager +[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)] + + **Applies to:** - Windows 10 diff --git a/browsers/internet-explorer/ie11-deploy-guide/enable-and-disable-add-ons-using-administrative-templates-and-group-policy.md b/browsers/internet-explorer/ie11-deploy-guide/enable-and-disable-add-ons-using-administrative-templates-and-group-policy.md index cb419efe7f..e21f3e41ed 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/enable-and-disable-add-ons-using-administrative-templates-and-group-policy.md +++ b/browsers/internet-explorer/ie11-deploy-guide/enable-and-disable-add-ons-using-administrative-templates-and-group-policy.md 
@@ -17,6 +17,9 @@ ms.date: 4/12/2018 # Enable and disable add-ons using administrative templates and group policy + +[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)] + Add-ons let your employees personalize Internet Explorer. You can manage IE add-ons using Group Policy and Group Policy templates. There are four types of add-ons: diff --git a/browsers/internet-explorer/ie11-deploy-guide/enhanced-protected-mode-problems-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/enhanced-protected-mode-problems-with-ie11.md index d0998607dc..7f00307378 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/enhanced-protected-mode-problems-with-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/enhanced-protected-mode-problems-with-ie11.md @@ -17,6 +17,9 @@ ms.date: 07/27/2017 # Enhanced Protected Mode problems with Internet Explorer + +[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)] + Enhanced Protected Mode further restricts Protected Mode to deny potential attackers access to sensitive or personal information. If this feature is turned on, users might start to see errors asking them to turn it off, like **This webpage wants to run "npctrl.dll. If you trust this site, you can disable Enhanced Protected Mode for this site to run the control**. If your users click the **Disable** box, Enhanced Protected Mode is turned off for only the single visit to that specific site. After the user leaves the site, Enhanced Protected Mode is automatically turned back on. You can use your company’s Group Policy to turn Enhanced Protected Mode on or off for all users. For more information, see the [Group policy objects and Internet Explorer 11 (IE11)](group-policy-objects-and-ie11.md) information in this guide. 
diff --git a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-overview-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-overview-for-ie11.md index 71104a8786..e5e3c31095 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-overview-for-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-overview-for-ie11.md @@ -18,6 +18,9 @@ ms.date: 07/27/2017 # Enterprise Mode for Internet Explorer 11 +[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)] + + **Applies to:** - Windows 10 diff --git a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md index 09160baadd..6832c2797b 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md +++ b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md @@ -18,6 +18,9 @@ ms.date: 07/27/2017 # Enterprise Mode schema v.1 guidance +[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)] + + **Applies to:** - Windows 10 diff --git a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md index a321e5a744..299c6c093f 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md +++ b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md @@ -18,6 +18,9 @@ ms.date: 12/04/2017 # Enterprise Mode schema v.2 guidance +[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)] + + **Applies to:** - Windows 10 
diff --git a/browsers/internet-explorer/ie11-deploy-guide/export-your-enterprise-mode-site-list-from-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/export-your-enterprise-mode-site-list-from-the-enterprise-mode-site-list-manager.md index cf235b25aa..ce2f14b162 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/export-your-enterprise-mode-site-list-from-the-enterprise-mode-site-list-manager.md +++ b/browsers/internet-explorer/ie11-deploy-guide/export-your-enterprise-mode-site-list-from-the-enterprise-mode-site-list-manager.md @@ -18,6 +18,9 @@ ms.date: 07/27/2017 # Export your Enterprise Mode site list from the Enterprise Mode Site List Manager +[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)] + + **Applies to:** - Windows 10 diff --git a/browsers/internet-explorer/ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md b/browsers/internet-explorer/ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md index f1d72eb1a1..a5abdb8400 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md +++ b/browsers/internet-explorer/ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md 
@@ -17,6 +17,9 @@ ms.date: 07/27/2017 # Fix web compatibility issues using document modes and the Enterprise Mode site list + +[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)] + The Internet Explorer 11 Enterprise Mode site list lets you specify document modes for specific websites, helping you fix compatibility issues without changing a single line of code on the site. This addition to the site list is a continuation of our commitment to help you upgrade and stay up-to-date on the latest version of Internet Explorer, while still preserving your investments in existing apps. ## What does this mean for me? diff --git a/browsers/internet-explorer/ie11-deploy-guide/fix-validation-problems-using-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/fix-validation-problems-using-the-enterprise-mode-site-list-manager.md index c3c7ead8ff..54da1d4ba1 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/fix-validation-problems-using-the-enterprise-mode-site-list-manager.md +++ b/browsers/internet-explorer/ie11-deploy-guide/fix-validation-problems-using-the-enterprise-mode-site-list-manager.md @@ -18,6 +18,9 @@ ms.date: 07/27/2017 # Fix validation problems using the Enterprise Mode Site List Manager +[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)] + + **Applies to:** - Windows 10 diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-advanced-group-policy-mgmt-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-advanced-group-policy-mgmt-ie11.md index d2fadc609c..93486e7113 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-advanced-group-policy-mgmt-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-advanced-group-policy-mgmt-ie11.md 
@@ -17,6 +17,9 @@ ms.date: 07/27/2017 # Group Policy, Advanced Group Policy Management (AGPM), and Internet Explorer 11 + +[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)] + Advanced Group Policy Management (AGPM) is an add-on license that available for the Microsoft Desktop Optimization Pack (MDOP). This license gives you change control and a role assignment-model that helps optimize Group Policy management and reduce the risk of widespread failures. From AGPM you can: diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11.md index df5754f0b6..e1e763af4c 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11.md @@ -17,6 +17,9 @@ ms.date: 07/27/2017 # Group Policy, the Group Policy Management Console (GPMC), and Internet Explorer 11 + +[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)] + A Microsoft Management Console (MMC)-based tool that uses scriptable interfaces to manage Group Policy. The 32-bit and 64-bit versions are included with Windows Server R2 with Service Pack 1 (SP1) and Windows Server 2012 R2. ## Why use the GPMC? diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-ie11.md index d80c5af350..7e8c419582 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-ie11.md 
@@ -18,6 +18,9 @@ ms.date: 07/27/2017 # Group Policy and Internet Explorer 11 (IE11) +[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)] + + **Applies to:** - Windows 10 diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-local-group-policy-editor-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-local-group-policy-editor-ie11.md index 4ca3868ed5..dce572d812 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-local-group-policy-editor-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-local-group-policy-editor-ie11.md @@ -17,6 +17,9 @@ ms.date: 07/27/2017 # Group Policy, the Local Group Policy Editor, and Internet Explorer 11 + +[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)] + A Microsoft Management Console (MMC)-based tool that manages both computer and user-related configurations for an individual computer policy. This tool is included with Windows® 7 Service Pack 1 (SP1) and Windows 8.1. Here's a list of the policy settings you can use, based on the configuration type. For more info, see [Local Group Policy Editor](https://go.microsoft.com/fwlink/p/?LinkId=294912). diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-compatibility-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-compatibility-with-ie11.md index 8a5b6d7859..12b360b126 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-compatibility-with-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-compatibility-with-ie11.md 
@@ -17,6 +17,9 @@ ms.date: 07/27/2017 # Group Policy and compatibility with Internet Explorer 11 + +[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)] + Internet Explorer 11 has many Group Policy entries that can be configured for keeping your environment managed and safe. This table includes all of our recommendations around security, performance, and compatibility with the previous versions of Internet Explorer, regardless of which Zone the website is in. |Activity |Location |Setting the policy object | diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-objects-and-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-objects-and-ie11.md index 403471f4c7..3eafec01ac 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-objects-and-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-objects-and-ie11.md 
@@ -17,6 +17,9 @@ ms.date: 07/27/2017 # Group Policy management tools + +[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)] + Group Policy, based on Microsoft Active Directory Domain Services (AD DS), lets you manage your organization's computer and user settings as part of your Group Policy objects (GPOs), which are added and changed in the Group Policy Management Console (GPMC). GPOs can include registry-based Administrative Template policy settings, security settings, software deployment information, scripts, folder redirection, and preferences. The most effective way to target a specific GPO is to use Windows Management Instrumentation (WMI) filters. Like, creating a WMI filter that applies a GPO only to computers with a specific make and model. By using Group Policy, you can set up a policy setting once, and then copy that setting onto many computers. For example, you can set up multiple Internet Explorer 11 security settings in a GPO that's linked to a domain, and then apply all of those settings to every computer in the domain. diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-preferences-and-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-preferences-and-ie11.md index ae5c5f783e..938e3e036e 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-preferences-and-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-preferences-and-ie11.md @@ -17,6 +17,9 @@ ms.date: 07/27/2017 # Group policy preferences and Internet Explorer 11 + +[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)] + Group Policy preferences are less strict than Group Policy settings, based on: | |Group Policy preferences |Group Policy settings | 
diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-problems-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-problems-ie11.md index d94601a9d5..26cf3ae659 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-problems-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-problems-ie11.md @@ -17,6 +17,9 @@ ms.date: 07/27/2017 # Group Policy problems with Internet Explorer 11 + +[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)] + If you're having problems with Group Policy and Internet Explorer 11, or if you're looking for high-level information about the concepts and techniques used to troubleshoot Group Policy, as well as links to detailed reference topics, procedures, and troubleshooting scenario guides, see [Group Policy Analysis and Troubleshooting Overview](https://go.microsoft.com/fwlink/p/?LinkId=279872). ## Group Policy Object-related Log Files diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-shortcut-extensions-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-shortcut-extensions-ie11.md index 1f0caf9bc3..cd9e8a1740 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-shortcut-extensions-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-shortcut-extensions-ie11.md @@ -17,6 +17,9 @@ ms.date: 07/27/2017 # Group Policy, Shortcut Extensions, and Internet Explorer 11 + +[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)] + Group Policy includes the Shortcuts preference extension, which lets you configure shortcuts to: - **File system objects.** Traditional shortcuts that link to apps, files, folders, drives, shares, or computers. For example, linking a shortcut to an app from the **Start** screen. 
diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-windows-powershell-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-windows-powershell-ie11.md index 2de349942d..6f57e982ec 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-windows-powershell-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-windows-powershell-ie11.md @@ -17,6 +17,9 @@ ms.date: 07/27/2017 # Group Policy, Windows Powershell, and Internet Explorer 11 + +[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)] + Your domain-joined Group Policy Objects (GPOs) can use any of Group Policy-related “cmdlets” that run within Windows PowerShell. Each cmdlet is a single-function command-line tool that can: diff --git a/browsers/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates.md b/browsers/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates.md index 9fe7dca247..edcb50cb9e 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates.md +++ b/browsers/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates.md 
@@ -17,6 +17,9 @@ ms.date: 05/22/2018 --- # Internet Explorer 11 delivery through automatic updates + +[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)] + Internet Explorer 11 makes browsing the web faster, easier, safer, and more reliable than ever. To help customers become more secure and up-to-date, Microsoft will distribute Internet Explorer 11 through Automatic Updates and the Windows Update and Microsoft Update sites. Internet Explorer 11 will be available for users of the 32-bit and 64-bit versions of Windows 7 Service Pack 1 (SP1), and 64-bit version of Windows Server 2008 R2 SP1. This article provides an overview of the delivery process and options available for IT administrators to control how and when Internet Explorer 11 is deployed to their organization through Automatic Updates. - [Automatic updates delivery process](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates#automatic-updates-delivery-process) diff --git a/browsers/internet-explorer/ie11-deploy-guide/img-ie11-docmode-lg.md b/browsers/internet-explorer/ie11-deploy-guide/img-ie11-docmode-lg.md index 6b34fcc195..30de0a2c97 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/img-ie11-docmode-lg.md +++ b/browsers/internet-explorer/ie11-deploy-guide/img-ie11-docmode-lg.md @@ -11,6 +11,9 @@ ms.author: dansimp # Full-sized flowchart detailing how document modes are chosen in IE11 +[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)] + + Return to: [Deprecated document modes and Internet Explorer 11](deprecated-document-modes.md)

diff --git a/browsers/internet-explorer/ie11-deploy-guide/import-into-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/import-into-the-enterprise-mode-site-list-manager.md index 5ab9dd5e58..f585e3210d 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/import-into-the-enterprise-mode-site-list-manager.md +++ b/browsers/internet-explorer/ie11-deploy-guide/import-into-the-enterprise-mode-site-list-manager.md @@ -18,6 +18,9 @@ ms.date: 07/27/2017 # Import your Enterprise Mode site list to the Enterprise Mode Site List Manager +[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)] + + **Applies to:** - Windows 10 diff --git a/browsers/internet-explorer/ie11-deploy-guide/index.md b/browsers/internet-explorer/ie11-deploy-guide/index.md index 74f09e116d..c40ba230ff 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/index.md +++ b/browsers/internet-explorer/ie11-deploy-guide/index.md @@ -14,6 +14,9 @@ manager: dansimp # Internet Explorer 11 (IE11) - Deployment Guide for IT Pros +[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)] + + **Applies to:** - Windows 10 diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-and-deploy-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/install-and-deploy-ie11.md index e9fcf44f0e..47a4d07569 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/install-and-deploy-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/install-and-deploy-ie11.md @@ -17,6 +17,9 @@ ms.date: 07/27/2017 # Install and Deploy Internet Explorer 11 (IE11) +[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)] + + **Applies to:** - Windows 10 
diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-microsoft-intune.md b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-microsoft-intune.md index 7dd92ecc08..027cf25129 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-microsoft-intune.md +++ b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-microsoft-intune.md @@ -15,6 +15,9 @@ ms.date: 07/27/2017 # Install Internet Explorer 11 (IE11) using Microsoft Intune + +[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)] + Internet Explorer 11 is available as an update in Microsoft Intune. Microsoft Intune uses Windows cloud services to help you manage updates, monitor and protect your computers, provide remote assistance, track hardware and software inventory, and set security policies. For more information, see the [Documentation Library for Microsoft Intune](https://go.microsoft.com/fwlink/p/?LinkId=301805). ## Adding and deploying the IE11 package diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-operating-system-deployment-systems.md b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-operating-system-deployment-systems.md index 5dade69199..c6bd4e15e8 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-operating-system-deployment-systems.md +++ b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-operating-system-deployment-systems.md 
@@ -17,6 +17,9 @@ ms.date: 07/27/2017 # Install Internet Explorer 11 (IE11) using Microsoft Deployment Toolkit (MDT) and your Windows images +[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)] + + You can install Internet Explorer 11 (IE11) using Microsoft Deployment Toolkit (MDT) and your Windows images. You'll need to extract the .cab file for each supported operating system and platform combination and the .msu file for each prerequisite update. Download the IE11 update and prerequisites here: diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-system-center-configuration-manager.md b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-system-center-configuration-manager.md index 2b40174159..e08ca5dffe 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-system-center-configuration-manager.md +++ b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-system-center-configuration-manager.md @@ -17,6 +17,9 @@ ms.date: 07/27/2017 # Install Internet Explorer 11 (IE11) using System Center 2012 R2 Configuration Manager + +[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)] + You can install Internet Explorer 11 (IE11) by using [System Center R2 2012 Configuration Manager](https://go.microsoft.com/fwlink/p/?linkid=276664). Complete these steps for each operating system and platform combination. **To install IE11** diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-the-network.md b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-the-network.md index 9da3cd91fa..d0d9d17be1 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-the-network.md +++ b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-the-network.md 
@@ -16,6 +16,9 @@ ms.date: 07/27/2017 # Install Internet Explorer 11 (IE11) using your network
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
 You can install Internet Explorer 11 (IE11) over your network by putting your custom IE11 installation package in a shared network folder and letting your employees run the Setup program on their own computers. You can create the network folder structure manually, or you can run Internet Explorer Administration Kit 11 (IEAK 11). **Note**
If you support multiple architectures and operating systems, create a subfolder for each combination. If you support multiple languages, create a subfolder for each localized installation file.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-third-party-tools.md b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-third-party-tools.md
index 5d230773e3..d593de27c6 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-third-party-tools.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-third-party-tools.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017 # Install Internet Explorer 11 (IE11) using third-party tools
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
 You can install Internet Explorer 11 (IE11) using third-party electronic software distribution (ESD) systems and these command-line options: ## Setup Modes
diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-windows-server-update-services-wsus.md b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-windows-server-update-services-wsus.md
index 62bfab42b9..662514e102 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-windows-server-update-services-wsus.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-windows-server-update-services-wsus.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017 # Install Internet Explorer 11 (IE11) using Windows Server Update Services (WSUS)
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
 Windows Server Update Services (WSUS) lets you download a single copy of the Microsoft product update and cache it on your local WSUS servers. You can then configure your computers to get the update from your local servers instead of Windows Update. For more information about WSUS, see [Windows Server Update Services](https://go.microsoft.com/fwlink/p/?LinkID=276790). **To import from Windows Update to WSUS**
diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-problems-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/install-problems-with-ie11.md
index 3ebe727aeb..3e6ffbfad8 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/install-problems-with-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/install-problems-with-ie11.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017 # Install problems with Internet Explorer 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
 Most Internet Explorer 11 installations are straightforward and work the way they should. But it's possible that you might have problems. If you do, you can:
diff --git a/browsers/internet-explorer/ie11-deploy-guide/intranet-problems-and-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/intranet-problems-and-ie11.md
index 16331ab49c..803fc7fb83 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/intranet-problems-and-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/intranet-problems-and-ie11.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017 # Fix intranet search problems with Internet Explorer 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
 After upgrading to Internet Explorer 11, you might experience search issues while using your intranet site. ## Why is my intranet redirecting me to search results?
diff --git a/browsers/internet-explorer/ie11-deploy-guide/manage-ie11-overview.md b/browsers/internet-explorer/ie11-deploy-guide/manage-ie11-overview.md
index 2270749c81..66b29a20c4 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/manage-ie11-overview.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/manage-ie11-overview.md
@@ -17,6 +17,9 @@ ms.date: 07/27/2017 # Manage Internet Explorer 11
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
 **Applies to:** - Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/missing-internet-explorer-maintenance-settings-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/missing-internet-explorer-maintenance-settings-for-ie11.md
index c0087953b7..e0dbd2bdab 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/missing-internet-explorer-maintenance-settings-for-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/missing-internet-explorer-maintenance-settings-for-ie11.md
@@ -17,6 +17,9 @@ ms.date: 07/27/2017 # Missing Internet Explorer Maintenance settings for Internet Explorer 11
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
 **Applies to:** - Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/missing-the-compatibility-view-button.md b/browsers/internet-explorer/ie11-deploy-guide/missing-the-compatibility-view-button.md
index fbc40cbf73..faa927931e 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/missing-the-compatibility-view-button.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/missing-the-compatibility-view-button.md
@@ -17,6 +17,9 @@ ms.date: 07/27/2017 # Missing the Compatibility View Button
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
 **Applies to:** - Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/net-framework-problems-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/net-framework-problems-with-ie11.md
index 31261bbf7e..6c68a1ec01 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/net-framework-problems-with-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/net-framework-problems-with-ie11.md
@@ -17,6 +17,9 @@ ms.date: 07/27/2017 # .NET Framework problems with Internet Explorer 11
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
 ## Summary If you’re having problems launching your legacy apps while running Internet Explorer 11, it’s most likely because Internet Explorer no longer starts apps that use managed browser hosting controls, like in .NET Framework 1.1 and 2.0.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/new-group-policy-settings-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/new-group-policy-settings-for-ie11.md
index 65e099eb37..9b8ab9eb33 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/new-group-policy-settings-for-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/new-group-policy-settings-for-ie11.md
@@ -17,6 +17,9 @@ ms.date: 07/27/2017 # New group policy settings for Internet Explorer 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
 Internet Explorer 11 gives you some new Group Policy settings to help you manage your company's web browser configurations, including:
diff --git a/browsers/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking.md b/browsers/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking.md
index 5591606f32..a2f12352fd 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking.md
@@ -18,6 +18,9 @@ ms.date: 05/10/2018 # Out-of-date ActiveX control blocking
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
 **Applies to:** - Windows 10
@@ -105,7 +108,10 @@ reg add "HKCU\Software\Microsoft\Internet Explorer\VersionManager" /v DownloadVe ``` Turning off this automatic download breaks the out-of-date ActiveX control blocking feature by not letting the version list update with newly outdated controls, potentially compromising the security of your computer. Use this configuration option at your own risk.
-## Out-of-date ActiveX control blocking on managed devices
+## Out-of-date ActiveX control blocking
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+ on managed devices
 Out-of-date ActiveX control blocking includes four new Group Policy settings that you can use to manage your web browser configuration, based on your domain controller. You can download the administrative templates, including the new settings, from the [Administrative templates (.admx) for Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=746579) page or the [Administrative Templates (.admx) for Windows 8.1 and Windows Server 2012 R2](https://go.microsoft.com/fwlink/p/?LinkId=746580) page, depending on your operating system. ### Group Policy settings
diff --git a/browsers/internet-explorer/ie11-deploy-guide/problems-after-installing-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/problems-after-installing-ie11.md
index 80a59c9305..fbcbcbadb9 100644
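Review bot: The second hunk of out-of-date-activex-control-blocking.md (`@@ -105,7 +108,10 @@`) splits an H2 heading in two: `## Out-of-date ActiveX control blocking on managed devices` becomes `## Out-of-date ActiveX control blocking`, the include, and a stray ` on managed devices` line. The section that documents the Group Policy settings for managed devices therefore loses its title and its anchor, the new H2 repeats the page title, and the end-of-support include renders twice on the page. It looks as if the page title was matched inside the longer heading, though the hunk alone cannot confirm how the edit was made. The heading should be restored as `## Out-of-date ActiveX control blocking on managed devices` and the added lines under it dropped. The same split appears in what-is-enterprise-mode.md at `## Enterprise Mode and the Enterprise Mode Site List XML file`, where ` XML file` is left on a line of its own.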
--- a/browsers/internet-explorer/ie11-deploy-guide/problems-after-installing-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/problems-after-installing-ie11.md
@@ -16,6 +16,9 @@ ms.date: 10/16/2017 # Problems after installing Internet Explorer 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
 After you install Internet Explorer 11 in your organization, you might run into the following issues. By following these suggestions, you should be able to fix them. ## Internet Explorer is in an unusable state
diff --git a/browsers/internet-explorer/ie11-deploy-guide/remove-all-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/remove-all-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md
index df8a2b1707..4c973ffad6 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/remove-all-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/remove-all-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md
@@ -18,6 +18,9 @@ ms.date: 07/27/2017 # Remove all sites from your Enterprise Mode site list using the Enterprise Mode Site List Manager
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
 **Applies to:** - Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-compatibililty-view-list.md b/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-compatibililty-view-list.md
index 4995a12e9a..f30c495bb3 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-compatibililty-view-list.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-compatibililty-view-list.md
@@ -18,6 +18,9 @@ ms.date: 07/27/2017 # Remove sites from a local compatibility view list
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
 **Applies to:** - Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-enterprise-mode-site-list.md b/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-enterprise-mode-site-list.md
index c9b859509b..93b323b78a 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-enterprise-mode-site-list.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-enterprise-mode-site-list.md
@@ -18,6 +18,9 @@ ms.date: 07/27/2017 # Remove sites from a local Enterprise Mode site list
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
 **Applies to:** - Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/review-neutral-sites-with-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/review-neutral-sites-with-site-list-manager.md
index bb22b43b3f..acfe82d2a5 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/review-neutral-sites-with-site-list-manager.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/review-neutral-sites-with-site-list-manager.md
@@ -17,6 +17,9 @@ ms.date: 04/02/2020 # Review neutral sites for Internet Explorer mode using the Enterprise Mode Site List Manager
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
 **Applies to:** - Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/save-your-site-list-to-xml-in-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/save-your-site-list-to-xml-in-the-enterprise-mode-site-list-manager.md
index 28b18117e1..7b80dd178d 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/save-your-site-list-to-xml-in-the-enterprise-mode-site-list-manager.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/save-your-site-list-to-xml-in-the-enterprise-mode-site-list-manager.md
@@ -18,6 +18,9 @@ ms.date: 07/27/2017 # Save your site list to XML in the Enterprise Mode Site List Manager
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
 **Applies to:** - Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/schedule-production-change-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/schedule-production-change-enterprise-mode-portal.md
index 4565b9f0c1..4d5e66ec80 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/schedule-production-change-enterprise-mode-portal.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/schedule-production-change-enterprise-mode-portal.md
@@ -16,6 +16,9 @@ ms.author: dansimp # Schedule approved change requests for production using the Enterprise Mode Site List Portal
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
 **Applies to:** - Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md
index 0f35b04d1c..f96a952626 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md
@@ -18,6 +18,9 @@ ms.date: 07/27/2017 # Search your Enterprise Mode site list in the Enterprise Mode Site List Manager
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
 **Applies to:** - Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md b/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md
index b6c1af8258..6edccdda73 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md
@@ -17,6 +17,9 @@ ms.date: 07/27/2017 # Set the default browser using Group Policy
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
 You can use the Group Policy setting, **Set a default associations configuration file**, to set the default browser for your company devices running Windows 10. **To set the default browser as Internet Explorer 11**
diff --git a/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-logging-and-data-collection.md b/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-logging-and-data-collection.md
index fd55a40ebd..94f9336c89 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-logging-and-data-collection.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-logging-and-data-collection.md
@@ -18,6 +18,9 @@ ms.date: 07/27/2017 # Set up Enterprise Mode logging and data collection
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
 **Applies to:** - Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-portal.md
index 7b0dd491aa..c022c08569 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-portal.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-portal.md
@@ -16,6 +16,9 @@ ms.author: dansimp # Set up the Enterprise Mode Site List Portal
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
 **Applies to:** - Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/setup-problems-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/setup-problems-with-ie11.md
index 7dd3e837c0..70d197c391 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/setup-problems-with-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/setup-problems-with-ie11.md
@@ -17,6 +17,9 @@ ms.date: 07/27/2017 # Setup problems with Internet Explorer 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
 Installing Internet Explorer creates the following log files, which are stored in the Windows installation folder (typically, the C:\\Windows folder): - `IE11_main.log`
diff --git a/browsers/internet-explorer/ie11-deploy-guide/system-requirements-and-language-support-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/system-requirements-and-language-support-for-ie11.md
index a8953ad3f4..37b7bc16cf 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/system-requirements-and-language-support-for-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/system-requirements-and-language-support-for-ie11.md
@@ -17,6 +17,9 @@ ms.date: 07/27/2017 # System requirements and language support for Internet Explorer 11 (IE11)
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
 **Applies to:** - Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/tips-and-tricks-to-manage-ie-compatibility.md b/browsers/internet-explorer/ie11-deploy-guide/tips-and-tricks-to-manage-ie-compatibility.md
index 1f9a047156..14bd40e745 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/tips-and-tricks-to-manage-ie-compatibility.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/tips-and-tricks-to-manage-ie-compatibility.md
@@ -17,6 +17,9 @@ ms.date: 05/10/2018 # Tips and tricks to manage Internet Explorer compatibility
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
 Find out how to achieve better backward compatibility for your legacy web applications with the Enterprise Mode Site List. Jump to:
diff --git a/browsers/internet-explorer/ie11-deploy-guide/troubleshoot-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/troubleshoot-ie11.md
index 39d999c947..bf8ceeb867 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/troubleshoot-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/troubleshoot-ie11.md
@@ -17,6 +17,9 @@ ms.date: 07/27/2017 # Troubleshoot Internet Explorer 11 (IE11)
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
 **Applies to:** - Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/turn-off-enterprise-mode.md b/browsers/internet-explorer/ie11-deploy-guide/turn-off-enterprise-mode.md
index 1df0d6b95e..7e4561fa2a 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/turn-off-enterprise-mode.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/turn-off-enterprise-mode.md
@@ -18,6 +18,9 @@ ms.date: 07/27/2017 # Turn off Enterprise Mode
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
 **Applies to:** - Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/turn-off-natural-metrics.md b/browsers/internet-explorer/ie11-deploy-guide/turn-off-natural-metrics.md
index 90442b3bbc..178085c2ad 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/turn-off-natural-metrics.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/turn-off-natural-metrics.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017 # Fix font rendering problems by turning off natural metrics
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
 By default, Internet Explorer 11 uses “natural metrics”. Natural metrics use inter-pixel spacing that creates more accurately rendered and readable text, avoiding many common font rendering problems with Windows Internet Explorer 9 or older sites. However, you might find that many intranet sites need you to use Windows Graphics Device Interface (GDI) metrics. To avoid potential compatibility issues, you must turn off natural metrics for those sites.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md b/browsers/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md
index 744df8c766..8c84054dc3 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md
@@ -18,6 +18,9 @@ ms.localizationpriority: medium # Turn on Enterprise Mode and use a site list
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
 **Applies to:** - Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode.md b/browsers/internet-explorer/ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode.md
index 1324c12963..b4db0fb7a4 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode.md
@@ -18,6 +18,9 @@ ms.date: 07/27/2017 # Turn on local control and logging for Enterprise Mode
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
 **Applies to:** - Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/updated-features-and-tools-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/updated-features-and-tools-with-ie11.md
index 446375289c..750bca0e82 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/updated-features-and-tools-with-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/updated-features-and-tools-with-ie11.md
@@ -18,6 +18,9 @@ ms.date: 07/27/2017 # List of updated features and tools - Internet Explorer 11 (IE11)
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
 **Applies to:** - Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-portal.md
index c26e39ddcc..fe55abfdc6 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-portal.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-portal.md
@@ -16,6 +16,9 @@ author: dansimp # Use the Enterprise Mode Site List Portal
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
 **Applies to:** - Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-site-list-manager.md
index 3cbc140f4b..cbfcfecf93 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-site-list-manager.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-site-list-manager.md
@@ -18,6 +18,9 @@ ms.date: 12/04/2017 # Use the Enterprise Mode Site List Manager
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
 **Applies to:** - Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/user-interface-problems-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/user-interface-problems-with-ie11.md
index 14fcd048fc..b7669cf1ca 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/user-interface-problems-with-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/user-interface-problems-with-ie11.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017 # User interface problems with Internet Explorer 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
 Some of the features in both Internet Explorer 11 and IEAK 11 have moved around. Here are some of the more common changes. ## Where did features go in the Internet Explorer Customization Wizard 11?
diff --git a/browsers/internet-explorer/ie11-deploy-guide/using-enterprise-mode.md b/browsers/internet-explorer/ie11-deploy-guide/using-enterprise-mode.md
index 6bff79cc82..677f1c974a 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/using-enterprise-mode.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/using-enterprise-mode.md
@@ -18,6 +18,9 @@ ms.date: 07/27/2017 # Using IE7 Enterprise Mode or IE8 Enterprise Mode
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
 **Applies to:** - Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/using-ieak11-to-create-install-packages.md b/browsers/internet-explorer/ie11-deploy-guide/using-ieak11-to-create-install-packages.md
index 07e3ce2e2b..7015595563 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/using-ieak11-to-create-install-packages.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/using-ieak11-to-create-install-packages.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017 # Using Internet Explorer Administration Kit 11 (IEAK 11) to create packages
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
 Internet Explorer Administration Kit 11 (IEAK 11) helps you set up, deploy, and maintain Internet Explorer 11. **Note**
IEAK 11 works in network environments, with or without Microsoft Active Directory.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/using-inf-files-to-create-install-packages.md b/browsers/internet-explorer/ie11-deploy-guide/using-inf-files-to-create-install-packages.md
index 1f7b62dfa5..afc27104af 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/using-inf-files-to-create-install-packages.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/using-inf-files-to-create-install-packages.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017 # Using Setup Information (.inf) files to create install packages
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
 IEAK 11 uses Setup information (.inf) files to provide uninstallation instructions. Uninstallation instructions let your employees remove components, like files, registry entries, or shortcuts, through the **Uninstall or change a program** box. For details about .inf files, see [INF File Sections and Directives](https://go.microsoft.com/fwlink/p/?LinkId=327959). **To add uninstallation instructions to the .inf files**
diff --git a/browsers/internet-explorer/ie11-deploy-guide/verify-changes-preprod-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/verify-changes-preprod-enterprise-mode-portal.md
index a3fce1731d..a31c831abd 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/verify-changes-preprod-enterprise-mode-portal.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/verify-changes-preprod-enterprise-mode-portal.md
@@ -16,6 +16,9 @@ ms.author: dansimp # Verify your changes using the Enterprise Mode Site List Portal
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
 **Applies to:** - Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/verify-changes-production-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/verify-changes-production-enterprise-mode-portal.md
index 42db6c85c5..1ccd3e4d0c 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/verify-changes-production-enterprise-mode-portal.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/verify-changes-production-enterprise-mode-portal.md
@@ -16,6 +16,9 @@ ms.author: dansimp # Verify the change request update in the production environment using the Enterprise Mode Site List Portal
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
 **Applies to:** - Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/view-apps-enterprise-mode-site-list.md b/browsers/internet-explorer/ie11-deploy-guide/view-apps-enterprise-mode-site-list.md
index 2be252275c..9aa736bacb 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/view-apps-enterprise-mode-site-list.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/view-apps-enterprise-mode-site-list.md
@@ -16,6 +16,9 @@ ms.author: dansimp # View the apps included in the active Enterprise Mode Site List from the Enterprise Mode Site List Portal
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
 **Applies to:** - Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/view-enterprise-mode-reports-for-portal.md b/browsers/internet-explorer/ie11-deploy-guide/view-enterprise-mode-reports-for-portal.md
index 20ad5ac557..f2db72080d 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/view-enterprise-mode-reports-for-portal.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/view-enterprise-mode-reports-for-portal.md
@@ -16,6 +16,9 @@ ms.author: dansimp
 # View the available Enterprise Mode reports from the Enterprise Mode Site List Portal
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
 **Applies to:** - Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/virtualization-and-compatibility-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/virtualization-and-compatibility-with-ie11.md
index e5de6fffdd..771f7b3439 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/virtualization-and-compatibility-with-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/virtualization-and-compatibility-with-ie11.md
@@ -17,6 +17,9 @@ ms.date: 07/27/2017
 # Virtualization and compatibility with Internet Explorer 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
 If your company is considering upgrading to the latest version of Internet Explorer, but is hesitant because of a large number of web apps that need to be tested and moved, we recommend that you consider virtualization. Virtualization lets you set up a virtual environment where you can run earlier versions of IE. **Important**
diff --git a/browsers/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode.md b/browsers/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode.md
index 1a2c6fc17a..b9fb67f961 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode.md
@@ -18,6 +18,9 @@ ms.date: 10/25/2018
 # Enterprise Mode and the Enterprise Mode Site List
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
 **Applies to:** - Windows 10
@@ -61,7 +64,10 @@ Download the [Enterprise Mode Site List Manager (schema v.2)](https://go.microso - **Data gathering.** You can configure Enterprise Mode to collect local override data, posting back to a named server. This lets you "crowd source" compatibility testing from key users; gathering their findings to add to your central site list. -## Enterprise Mode and the Enterprise Mode Site List XML file +## Enterprise Mode and the Enterprise Mode Site List + +[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)] + XML file The Enterprise Mode Site List is an XML document that specifies a list of sites, their compat mode, and their intended browser. Using [Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853), you can automatically start a webpage using a specific browser. In the case of IE11, the webpage can also be launched in a specific compat mode, so it always renders correctly. Your employees can easily view this site list by typing _about:compat_ in either Microsoft Edge or IE11. Starting with Windows 10, version 1511 (also known as the Anniversary Update), you can also [restrict IE11 to only the legacy web apps that need it](https://blogs.windows.com/msedgedev/2016/05/19/edge14-ie11-better-together/), automatically sending sites not included in the Enterprise Mode Site List to Microsoft Edge. diff --git a/browsers/internet-explorer/ie11-deploy-guide/what-is-the-internet-explorer-11-blocker-toolkit.md b/browsers/internet-explorer/ie11-deploy-guide/what-is-the-internet-explorer-11-blocker-toolkit.md index 4f1c56a922..1fd67f656b 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/what-is-the-internet-explorer-11-blocker-toolkit.md +++ b/browsers/internet-explorer/ie11-deploy-guide/what-is-the-internet-explorer-11-blocker-toolkit.md 
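Review bot: The include was inserted into the middle of the H2 heading in what-is-enterprise-mode.md: the old line `## Enterprise Mode and the Enterprise Mode Site List XML file` is now cut off after "Site List", and the words `XML file` are left as a stray fragment after the include. It looks like the pattern used to place the include under the page title also matched this H2, because the H2 begins with the same text as the H1 handled in the hunk above; that is an inference from the two hunks, not something the diff states. The article therefore carries the end-of-support include twice, once under the H1 and once here. Restore the heading to `## Enterprise Mode and the Enterprise Mode Site List XML file` and drop the added include and the `XML file` fragment from this hunk.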
@@ -19,6 +19,9 @@ ms.date: 05/10/2018
 # What is the Internet Explorer 11 Blocker Toolkit?
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
 **Applies to:** - Windows 10
diff --git a/browsers/internet-explorer/ie11-deploy-guide/workflow-processes-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/workflow-processes-enterprise-mode-portal.md
index de71b3a8ff..dd8e3bcce6 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/workflow-processes-enterprise-mode-portal.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/workflow-processes-enterprise-mode-portal.md
@@ -17,6 +17,9 @@ ms.author: dansimp
 # Workflow-based processes for employees using the Enterprise Mode Site List Portal
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
 **Applies to:** - Windows 10
diff --git a/browsers/internet-explorer/ie11-faq/faq-for-it-pros-ie11.md b/browsers/internet-explorer/ie11-faq/faq-for-it-pros-ie11.md
index 8917b1de22..c27e670fd6 100644
--- a/browsers/internet-explorer/ie11-faq/faq-for-it-pros-ie11.md
+++ b/browsers/internet-explorer/ie11-faq/faq-for-it-pros-ie11.md
@@ -16,6 +16,9 @@ ms.date: 10/16/2017
 # Internet Explorer 11 - FAQ for IT Pros
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
 Answering frequently asked questions about Internet Explorer 11 (IE11) features, operating system support, integration with the Windows operating system, Group Policy, and general configuration. ## Frequently Asked Questions
diff --git a/browsers/internet-explorer/ie11-faq/faq-ie11-blocker-toolkit.md b/browsers/internet-explorer/ie11-faq/faq-ie11-blocker-toolkit.md
index e35b64b8a4..cf59b670d6 100644
--- a/browsers/internet-explorer/ie11-faq/faq-ie11-blocker-toolkit.md
+++ b/browsers/internet-explorer/ie11-faq/faq-ie11-blocker-toolkit.md
@@ -16,6 +16,9 @@ ms.date: 05/10/2018
 # Internet Explorer 11 Blocker Toolkit - Frequently Asked Questions
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
 Get answers to commonly asked questions about the Internet Explorer 11 Blocker Toolkit. > [!Important]
diff --git a/browsers/internet-explorer/ie11-faq/faq-ieak11.md b/browsers/internet-explorer/ie11-faq/faq-ieak11.md
index 7405392094..929acbed39 100644
--- a/browsers/internet-explorer/ie11-faq/faq-ieak11.md
+++ b/browsers/internet-explorer/ie11-faq/faq-ieak11.md
@@ -18,6 +18,9 @@ ms.date: 05/10/2018
 # IEAK 11 - Frequently Asked Questions
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
 Get answers to commonly asked questions about the Internet Explorer Administration Kit 11 (IEAK 11), and find links to additional material you might find helpful. **What is IEAK 11?**
diff --git a/browsers/internet-explorer/ie11-ieak/accelerators-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/accelerators-ieak11-wizard.md
index b211933353..40a7886b0a 100644
--- a/browsers/internet-explorer/ie11-ieak/accelerators-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/accelerators-ieak11-wizard.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
 # Use the Accelerators page in the IEAK 11 Wizard
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
 The **Accelerators** page of the Internet Explorer Administration Kit (IEAK 11) Customization Wizard lets you add accelerators to your employee computers. Accelerators are contextual menu options that can quickly get to a web service from any webpage. For example, an accelerator can look up a highlighted word in the dictionary or a selected location on a map. **Note**
diff --git a/browsers/internet-explorer/ie11-ieak/add-and-approve-activex-controls-ieak11.md b/browsers/internet-explorer/ie11-ieak/add-and-approve-activex-controls-ieak11.md
index 7e89dab65d..b4d0459c78 100644
--- a/browsers/internet-explorer/ie11-ieak/add-and-approve-activex-controls-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/add-and-approve-activex-controls-ieak11.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
 # Add and approve ActiveX controls using IEAK 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
 There are two main approaches to how you can control the use of ActiveX controls in your company. For more info about ActiveX controls, including how to manage the controls using Group Policy, see [Group Policy and ActiveX installation](../ie11-deploy-guide/activex-installation-using-group-policy.md) in the [Internet Explorer 11 (IE11) - Deployment Guide for IT Pros](../ie11-deploy-guide/index.md). **Note**
diff --git a/browsers/internet-explorer/ie11-ieak/add-root-certificate-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/add-root-certificate-ieak11-wizard.md
index eae4f678e5..c04501eea7 100644
--- a/browsers/internet-explorer/ie11-ieak/add-root-certificate-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/add-root-certificate-ieak11-wizard.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
 # Use the Add a Root Certificate page in the IEAK 11 Wizard
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
 We’re sorry. While we continue to recommend that you digitally sign your package, we’ve removed all of the functionality that allowed you to add a root certificate using the Internet Explorer Customization Wizard 11. The wizard page itself will be removed in a future version of the IEAK. Click **Next** to go to the [Programs](programs-ieak11-wizard.md) page or **Back** to go to the [Security and Privacy Settings](security-and-privacy-settings-ieak11-wizard.md) page.
diff --git a/browsers/internet-explorer/ie11-ieak/additional-settings-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/additional-settings-ieak11-wizard.md
index 60be35bc0d..ebff04a24a 100644
--- a/browsers/internet-explorer/ie11-ieak/additional-settings-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/additional-settings-ieak11-wizard.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
 # Use the Additional Settings page in the IEAK 11 Wizard
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
 The **Additional Settings** page of the Internet Explorer Administration Kit (IEAK 11) Customization Wizard lets you pick additional custom, corporate, and Internet settings that relate to your employee’s desktop, operating system, and security. If you don’t change a setting, it’ll be ignored. The additional settings appear in administration (.adm) files that are stored in your `:\Program Files\Windows IEAK 11\policies` folder. You can also create your own .adm files with options that can be configured using the wizard. Any edits you make to your own .adm file are stored as .ins files, which are used to build the .inf files for your custom install package.
diff --git a/browsers/internet-explorer/ie11-ieak/auto-config-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/auto-config-ieak11-wizard.md
index d3883b39ca..879c328e43 100644
--- a/browsers/internet-explorer/ie11-ieak/auto-config-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/auto-config-ieak11-wizard.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
 # Use the Automatic Configuration page in the IEAK 11 Wizard
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
 The **Automatic Configuration** page of the Internet Explorer Administration Kit (IEAK 11) Customization Wizard lets you provide URLs to the files that’ll automatically configure Internet Explorer 11 for a group of employees or devices. **Note**
diff --git a/browsers/internet-explorer/ie11-ieak/auto-detection-dhcp-or-dns-servers-ieak11.md b/browsers/internet-explorer/ie11-ieak/auto-detection-dhcp-or-dns-servers-ieak11.md
index 1a46247c5c..7d4f9344c9 100644
--- a/browsers/internet-explorer/ie11-ieak/auto-detection-dhcp-or-dns-servers-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/auto-detection-dhcp-or-dns-servers-ieak11.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
 # Set up auto detection for DHCP or DNS servers using IEAK 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
 Set up your network to automatically detect and customize Internet Explorer 11 when it’s first started. Automatic detection is supported on both Dynamic Host Configuration Protocol (DHCP) and Domain Name System (DNS), letting your servers detect and set up your employee’s browser settings from a central location, using a configuration URL (.ins file) or a JavaScript proxy configuration file (.js, .jvs, or .pac). Before you can set up your environment to use automatic detection, you need to turn the feature on.
diff --git a/browsers/internet-explorer/ie11-ieak/auto-version-sync-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/auto-version-sync-ieak11-wizard.md
index c317a46e0e..b4565ed485 100644
--- a/browsers/internet-explorer/ie11-ieak/auto-version-sync-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/auto-version-sync-ieak11-wizard.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
 # Use the Automatic Version Synchronization page in the IEAK 11 Wizard
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
 The **Automatic Version Synchronization** page of the Internet Explorer Customization Wizard 11 runs the synchronization process every time you run the wizard, downloading the Internet Explorer 11 Setup file to your computer. The Setup file includes the required full and express packages. **Important**
diff --git a/browsers/internet-explorer/ie11-ieak/before-you-create-custom-pkgs-ieak11.md b/browsers/internet-explorer/ie11-ieak/before-you-create-custom-pkgs-ieak11.md
index 3508c186af..7271837b2e 100644
--- a/browsers/internet-explorer/ie11-ieak/before-you-create-custom-pkgs-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/before-you-create-custom-pkgs-ieak11.md
@@ -18,6 +18,9 @@ ms.date: 04/24/2018
 # Before you start using IEAK 11
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
 Before you run IEAK 11 and the Customization Wizard, make sure you have met the following requirements: - Have you determined which licensing version of the Internet Explorer Administration Kit 11 to install? For info, see [Determine the licensing version and features to use in IEAK 11](licensing-version-and-features-ieak11.md).
diff --git a/browsers/internet-explorer/ie11-ieak/branding-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/branding-ins-file-setting.md
index 5c9c189f24..351b1bbb76 100644
--- a/browsers/internet-explorer/ie11-ieak/branding-ins-file-setting.md
+++ b/browsers/internet-explorer/ie11-ieak/branding-ins-file-setting.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
 # Use the Branding .INS file to create custom branding and setup info
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
 Info about the custom branding and setup information in your browser package. |Name |Value | Description |
diff --git a/browsers/internet-explorer/ie11-ieak/browser-ui-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/browser-ui-ieak11-wizard.md
index c1f3999a3a..0116384f6d 100644
--- a/browsers/internet-explorer/ie11-ieak/browser-ui-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/browser-ui-ieak11-wizard.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
 # Use the Browser User Interface page in the IEAK 11 Wizard
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
 The **Browser User Interface** page of the Internet Explorer Customization Wizard 11 lets you change the toolbar buttons and the title bar text in IE. **Note**
The customizations you make on this page apply only to Internet Explorer for the desktop.
diff --git a/browsers/internet-explorer/ie11-ieak/browsertoolbars-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/browsertoolbars-ins-file-setting.md
index b2b123ff69..05fb2324f7 100644
--- a/browsers/internet-explorer/ie11-ieak/browsertoolbars-ins-file-setting.md
+++ b/browsers/internet-explorer/ie11-ieak/browsertoolbars-ins-file-setting.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
 # Use the BrowserToolbars .INS file to customize the Internet Explorer toolbar and buttons
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
 Info about how to customize the Internet Explorer toolbar. |Name |Value |Description |
diff --git a/browsers/internet-explorer/ie11-ieak/browsing-options-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/browsing-options-ieak11-wizard.md
index a39adaff3e..3214ea32c0 100644
--- a/browsers/internet-explorer/ie11-ieak/browsing-options-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/browsing-options-ieak11-wizard.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
 # Use the Browsing Options page in the IEAK 11 Wizard
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
 The **Browsing Options** page of the Internet Explorer Administration Kit (IEAK 11) Customization Wizard lets you decide how you want to manage items in the **Favorites, Favorites Bar, and Feeds** section, including the Microsoft-provided default items. The choices that you make on this page affect only the items shown on the **Favorites, Favorites Bar, and Feeds** page.
diff --git a/browsers/internet-explorer/ie11-ieak/cabsigning-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/cabsigning-ins-file-setting.md
index e5bf7ebb40..321f45caf5 100644
--- a/browsers/internet-explorer/ie11-ieak/cabsigning-ins-file-setting.md
+++ b/browsers/internet-explorer/ie11-ieak/cabsigning-ins-file-setting.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
 # Use the CabSigning .INS file to customize the digital signature info for your apps
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
 Info about how to customize the digital signature info for your apps. |Name |Value |Description |
diff --git a/browsers/internet-explorer/ie11-ieak/compat-view-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/compat-view-ieak11-wizard.md
index cda9702eb4..b6138064be 100644
--- a/browsers/internet-explorer/ie11-ieak/compat-view-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/compat-view-ieak11-wizard.md
@@ -17,6 +17,9 @@ ms.date: 07/27/2017
 # Use the Compatibility View page in the IEAK 11 Wizard
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
 We’re sorry. We’ve changed the way Compatibility View works in Internet Explorer 11 and have removed all of the functionality included on the **Compatibility View** page of the Internet Explorer Customization Wizard 11. For more info about the changes we’ve made to the Compatibility View functionality, see [Missing the Compatibility View Button](../ie11-deploy-guide/missing-the-compatibility-view-button.md). Click **Next** to go to the [Programs](programs-ieak11-wizard.md) page or **Back** to go to the [Security and Privacy Settings](security-and-privacy-settings-ieak11-wizard.md) page.
diff --git a/browsers/internet-explorer/ie11-ieak/connection-mgr-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/connection-mgr-ieak11-wizard.md
index aaec7b0fa2..e9051c955b 100644
--- a/browsers/internet-explorer/ie11-ieak/connection-mgr-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/connection-mgr-ieak11-wizard.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
 # Use the Connection Manager page in the IEAK 11 Wizard
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
 We're sorry. We've removed all of the functionality included on the Connection Manager page of the Internet Explorer Customization Wizard 11. Click **Next** to go to the [Connection Settings](connection-settings-ieak11-wizard.md) page or **Back** to go to the [Compatibility View](compat-view-ieak11-wizard.md) page.
diff --git a/browsers/internet-explorer/ie11-ieak/connection-settings-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/connection-settings-ieak11-wizard.md
index 66beabdbca..bc00c58bec 100644
--- a/browsers/internet-explorer/ie11-ieak/connection-settings-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/connection-settings-ieak11-wizard.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
 # Use the Connection Settings page in the IEAK 11 Wizard
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
 The **Connection Settings** page of the Internet Explorer Administration Kit (IEAK 11) Customization Wizard lets you import the connection settings from your computer, to preset the connection settings on your employee’s computers. **Note**
Using the options on the **Additional Settings** page of the wizard, you can let your employees change their connection settings. For more information see the [Additional Settings](additional-settings-ieak11-wizard.md) page. You can also customize additional connection settings using the **Automatic Configuration** page in the wizard. For more information see the [Automatic Configuration](auto-config-ieak11-wizard.md) page.
diff --git a/browsers/internet-explorer/ie11-ieak/connectionsettings-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/connectionsettings-ins-file-setting.md
index 779e024e57..0e7777a64e 100644
--- a/browsers/internet-explorer/ie11-ieak/connectionsettings-ins-file-setting.md
+++ b/browsers/internet-explorer/ie11-ieak/connectionsettings-ins-file-setting.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
 # Use the ConnectionSettings .INS file to review the network connections for install
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
 Info about the network connection settings used to install your custom package. This section creates a common configuration on all of your employee’s computers. |Name |Value |Description |
diff --git a/browsers/internet-explorer/ie11-ieak/create-build-folder-structure-ieak11.md b/browsers/internet-explorer/ie11-ieak/create-build-folder-structure-ieak11.md
index 91f26adf5b..0befbc922f 100644
--- a/browsers/internet-explorer/ie11-ieak/create-build-folder-structure-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/create-build-folder-structure-ieak11.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
 # Create the build computer folder structure using IEAK 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
 Create your build environment on the computer that you’ll use to build your custom browser package. Your license agreement determines your folder structure and which version of Internet Explorer Administration Kit 11 (IEAK 11) you’ll use: **Internal** or **External**. |Name |Version |Description |
diff --git a/browsers/internet-explorer/ie11-ieak/create-manage-deploy-custom-pkgs-ieak11.md b/browsers/internet-explorer/ie11-ieak/create-manage-deploy-custom-pkgs-ieak11.md
index 3e8043c959..e2a0fb48a9 100644
--- a/browsers/internet-explorer/ie11-ieak/create-manage-deploy-custom-pkgs-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/create-manage-deploy-custom-pkgs-ieak11.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
 # Tasks and references to consider before creating and deploying custom packages using IEAK 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
 Review this list of tasks and references to help you use the Internet Explorer Administration Kit 11 (IEAK 11) to set up, deploy, and manage Internet Explorer 11 in your company. |Task |References |
diff --git a/browsers/internet-explorer/ie11-ieak/create-multiple-browser-packages-ieak11.md b/browsers/internet-explorer/ie11-ieak/create-multiple-browser-packages-ieak11.md
index 6196fabf79..5d88bfa81a 100644
--- a/browsers/internet-explorer/ie11-ieak/create-multiple-browser-packages-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/create-multiple-browser-packages-ieak11.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
 # Create multiple versions of your custom package using IEAK 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
 You'll need to create multiple versions of your custom browser package if: - You support more than 1 version of the Windows operating system.
diff --git a/browsers/internet-explorer/ie11-ieak/create-uninstall-inf-files-for-custom-components.md b/browsers/internet-explorer/ie11-ieak/create-uninstall-inf-files-for-custom-components.md
index 3cf498605c..ba3904ae39 100644
--- a/browsers/internet-explorer/ie11-ieak/create-uninstall-inf-files-for-custom-components.md
+++ b/browsers/internet-explorer/ie11-ieak/create-uninstall-inf-files-for-custom-components.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
 # Use uninstallation .INF files to uninstall custom components
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
 The Internet Explorer Administration Kit 11 (IEAK 11) uses Setup information (.inf) files to provide installation instructions for your custom browser packages. You can also use this file to uninstall your custom components by removing the files, registry entries, and shortcuts, and adding your custom component to the list of programs that can be uninstalled from **Uninstall or change a program**. **To uninstall your custom components**
diff --git a/browsers/internet-explorer/ie11-ieak/custom-components-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/custom-components-ieak11-wizard.md
index 571b73d327..1a981a5a16 100644
--- a/browsers/internet-explorer/ie11-ieak/custom-components-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/custom-components-ieak11-wizard.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
 # Use the Custom Components page in the IEAK 11 Wizard
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
 The **Custom Components** page of the Internet Explorer Customization Wizard 11 lets you add up to 10 additional components that your employees can install at the same time they install IE. These components can be created by Microsoft or your organization as either compressed cabinet (.cab) or self-extracting executable (.exe) files. If you’re using Microsoft components, make sure you have the latest version and software patches from the [Microsoft Support](https://go.microsoft.com/fwlink/p/?LinkId=258658) site. To include Microsoft Update components, you must bundle the associated files into a custom component. **Important**
You should sign any custom code that’s being downloaded over the Internet. The default settings of Internet Explorer 11 will automatically reject any unsigned code. For more info about digitally signing custom components, see [Security features and IEAK 11](security-and-ieak11.md).
diff --git a/browsers/internet-explorer/ie11-ieak/custombranding-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/custombranding-ins-file-setting.md
index e7469fa864..7a5556235d 100644
--- a/browsers/internet-explorer/ie11-ieak/custombranding-ins-file-setting.md
+++ b/browsers/internet-explorer/ie11-ieak/custombranding-ins-file-setting.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
 # Use the CustomBranding .INS file to create custom branding and setup info
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
 Provide the URL to your branding cabinet (.cab) file.
diff --git a/browsers/internet-explorer/ie11-ieak/customize-automatic-search-for-ie.md b/browsers/internet-explorer/ie11-ieak/customize-automatic-search-for-ie.md
index 3c0af97192..9ed59cf64e 100644
--- a/browsers/internet-explorer/ie11-ieak/customize-automatic-search-for-ie.md
+++ b/browsers/internet-explorer/ie11-ieak/customize-automatic-search-for-ie.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
 # Customize Automatic Search for Internet Explorer using IEAK 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
 Internet Explorer lets websites advertise any search provider that uses the open search standard described at the A9 website ( [OpenSearch 1.1 Draft 5](https://go.microsoft.com/fwlink/p/?LinkId=208582)). When IE detects new search providers, the **Search** box becomes active and adds the new providers to the drop-down list of providers. Using the **Administrative Templates** section of Group Policy, you can prevent the search box from appearing, you can add a list of acceptable search providers, or you can restrict your employee’s ability to add or remove search providers.
diff --git a/browsers/internet-explorer/ie11-ieak/extreginf-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/extreginf-ins-file-setting.md
index 06e8d6c3f3..7d0a2f9882 100644
--- a/browsers/internet-explorer/ie11-ieak/extreginf-ins-file-setting.md
+++ b/browsers/internet-explorer/ie11-ieak/extreginf-ins-file-setting.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
 # Use the ExtRegInf .INS file to specify installation files and mode
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
 Info about how to specify your Setup information (.inf) files and the installation mode for your custom components. |Name |Value |Description |
diff --git a/browsers/internet-explorer/ie11-ieak/favorites-favoritesbar-and-feeds-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/favorites-favoritesbar-and-feeds-ieak11-wizard.md
index 47bf04d6e2..030dc054d2 100644
--- a/browsers/internet-explorer/ie11-ieak/favorites-favoritesbar-and-feeds-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/favorites-favoritesbar-and-feeds-ieak11-wizard.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
 # Use the Favorites, Favorites Bar, and Feeds page in the IEAK 11 Wizard
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
 The **Favorites, Favorites Bar, and Feeds** page of the Internet Explorer Administration Kit (IEAK 11) Customization Wizard lets you add: - **Links.** Used so your employees can quickly connect with your important websites. These links can appear in the **Links** folder or on the **Favorites Bar**.
diff --git a/browsers/internet-explorer/ie11-ieak/favoritesex-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/favoritesex-ins-file-setting.md
index 694b8d994d..ac736e20df 100644
--- a/browsers/internet-explorer/ie11-ieak/favoritesex-ins-file-setting.md
+++ b/browsers/internet-explorer/ie11-ieak/favoritesex-ins-file-setting.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017
 # Use the FavoritesEx .INS file for your Favorites icon and URLs
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
 Info about where you store your **Favorites** icon file, whether your **Favorites** are available offline, and the URLs for each **Favorites** site. |Name |Value |Description |
diff --git a/browsers/internet-explorer/ie11-ieak/feature-selection-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/feature-selection-ieak11-wizard.md
index b27bc3273a..f72747f486 100644
--- a/browsers/internet-explorer/ie11-ieak/feature-selection-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/feature-selection-ieak11-wizard.md
@@ -15,6 +15,9 @@ ms.sitesec: library # Use the Feature Selection page in the IEAK 11 Wizard
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
 The **Feature Selection** page of the Internet Explorer Customization Wizard 11 lets you choose which parts of the setup processes and Internet Explorer 11 to change for your company, including: - **Setup Customizations.** Lets you add custom components, decide which components to install, provide your download site information, and modify the Setup title bar and graphics.
diff --git a/browsers/internet-explorer/ie11-ieak/file-locations-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/file-locations-ieak11-wizard.md
index f3224c2055..0aee908cd4 100644
--- a/browsers/internet-explorer/ie11-ieak/file-locations-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/file-locations-ieak11-wizard.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017 # Use the File Locations page in the IEAK 11 Wizard
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
 The **File Locations** page of the Internet Explorer Customization Wizard 11 lets you change the location of your folders, including: - Where you’ll create and store your custom installation package.
diff --git a/browsers/internet-explorer/ie11-ieak/file-types-ieak11.md b/browsers/internet-explorer/ie11-ieak/file-types-ieak11.md
index 38703f9131..616e3b9938 100644
--- a/browsers/internet-explorer/ie11-ieak/file-types-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/file-types-ieak11.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017 # File types used or created by IEAK 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
 A list of the file types used or created by tools in IEAK 11: |File type |Description |
diff --git a/browsers/internet-explorer/ie11-ieak/first-run-and-welcome-page-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/first-run-and-welcome-page-ieak11-wizard.md
index 507450938d..9d6fe74f8a 100644
--- a/browsers/internet-explorer/ie11-ieak/first-run-and-welcome-page-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/first-run-and-welcome-page-ieak11-wizard.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017 # Use the First Run Wizard and Welcome Page Options page in the IEAK 11 Wizard
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
 The **First Run Wizard and Welcome Page Options** page of the Internet Explorer Customization Wizard 11 lets you decide what your employee’s see the first time they log on to IE, based on their operating system. - **Windows 8.1 Update and newer.** No longer includes a **Welcome** page, so if you pick the **Use Internet Explorer 11 Welcome Page** or the **Use a custom Welcome page** option, IEAK creates an initial **Home** page that loads before all other **Home** pages, as the first tab. This only applies to the Internet Explorer for the desktop.
diff --git a/browsers/internet-explorer/ie11-ieak/guidelines-toolbar-and-favorites-list-ieak11.md b/browsers/internet-explorer/ie11-ieak/guidelines-toolbar-and-favorites-list-ieak11.md
index 0864538448..e3d95badec 100644
--- a/browsers/internet-explorer/ie11-ieak/guidelines-toolbar-and-favorites-list-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/guidelines-toolbar-and-favorites-list-ieak11.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017 # Customize the Toolbar button and Favorites List icons using IEAK 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
 Use these customization guidelines to change the browser toolbar button and the **Favorites List** icons, using your own branding and graphics. **Important**
Check your license agreement to make sure this customization is available.
diff --git a/browsers/internet-explorer/ie11-ieak/hardware-and-software-reqs-ieak11.md b/browsers/internet-explorer/ie11-ieak/hardware-and-software-reqs-ieak11.md
index 0ba0f580a8..2da43b7f38 100644
--- a/browsers/internet-explorer/ie11-ieak/hardware-and-software-reqs-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/hardware-and-software-reqs-ieak11.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017 # Hardware and software requirements for Internet Explorer 11 and the IEAK 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
 Before you can use the Internet Explorer Administration Kit 11 and the Internet Explorer Customization Wizard 11, you must first install Internet Explorer 11. For more info about installing IE11, see the [Determine the licensing version and features to use in IEAK 11](licensing-version-and-features-ieak11.md) page. ## Hardware requirements
diff --git a/browsers/internet-explorer/ie11-ieak/hidecustom-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/hidecustom-ins-file-setting.md
index 7d50512355..6c46e306f3 100644
--- a/browsers/internet-explorer/ie11-ieak/hidecustom-ins-file-setting.md
+++ b/browsers/internet-explorer/ie11-ieak/hidecustom-ins-file-setting.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017 # Use the HideCustom .INS file to hide the GUID for each custom component
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
 Info about whether to hide the globally unique identifier (GUID) for each of your custom components. |Name |Value |Description |
diff --git a/browsers/internet-explorer/ie11-ieak/ie-setup-command-line-options-and-return-codes.md b/browsers/internet-explorer/ie11-ieak/ie-setup-command-line-options-and-return-codes.md
index 51dc959759..c9d24160a9 100644
--- a/browsers/internet-explorer/ie11-ieak/ie-setup-command-line-options-and-return-codes.md
+++ b/browsers/internet-explorer/ie11-ieak/ie-setup-command-line-options-and-return-codes.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017 # Internet Explorer Setup command-line options and return codes
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
 You can use command-line options along with a tool like IExpress to package your custom version of Internet Explorer and to perform a batch installation across your organization. ## IE Setup command-line options
diff --git a/browsers/internet-explorer/ie11-ieak/ieak-information-and-downloads.md b/browsers/internet-explorer/ie11-ieak/ieak-information-and-downloads.md
index b8c3d25c24..1d8b34786a 100644
--- a/browsers/internet-explorer/ie11-ieak/ieak-information-and-downloads.md
+++ b/browsers/internet-explorer/ie11-ieak/ieak-information-and-downloads.md
@@ -18,6 +18,9 @@ ms.date: 05/10/2018 # Internet Explorer Administration Kit (IEAK) information and downloads
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
 >Applies to: Windows 10 The Internet Explorer Administration Kit (IEAK) simplifies the creation, deployment, and management of customized Internet Explorer packages. You can use the IEAK to configure the out-of-box Internet Explorer experience or to manage user settings after Internet Explorer deployment. To find more information on the IEAK, see [What IEAK can do for you](what-ieak-can-do-for-you.md).
diff --git a/browsers/internet-explorer/ie11-ieak/ieak11-wizard-custom-options.md b/browsers/internet-explorer/ie11-ieak/ieak11-wizard-custom-options.md
index f27ec8b5b9..0aa9964807 100644
--- a/browsers/internet-explorer/ie11-ieak/ieak11-wizard-custom-options.md
+++ b/browsers/internet-explorer/ie11-ieak/ieak11-wizard-custom-options.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017 # Internet Explorer Administration Kit 11 (IEAK 11) Customization Wizard options
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
 Use the Internet Explorer Administration Kit 11 (IEAK 11) and the Internet Explorer Customization Wizard 11 to customize your browser install packages for deployment to your employee's devices. ## IE Customization Wizard 11 options
diff --git a/browsers/internet-explorer/ie11-ieak/iexpress-command-line-options.md b/browsers/internet-explorer/ie11-ieak/iexpress-command-line-options.md
index cd7c730569..57128dfefe 100644
--- a/browsers/internet-explorer/ie11-ieak/iexpress-command-line-options.md
+++ b/browsers/internet-explorer/ie11-ieak/iexpress-command-line-options.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017 # IExpress Wizard command-line options
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
 **Applies to:** - Windows Server 2008 R2 with SP1
diff --git a/browsers/internet-explorer/ie11-ieak/iexpress-wizard-for-win-server.md b/browsers/internet-explorer/ie11-ieak/iexpress-wizard-for-win-server.md
index 35dc9f9cc5..fe4bb3a985 100644
--- a/browsers/internet-explorer/ie11-ieak/iexpress-wizard-for-win-server.md
+++ b/browsers/internet-explorer/ie11-ieak/iexpress-wizard-for-win-server.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017 # IExpress Wizard for Windows Server 2008 R2 with SP1
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
 Use the IExpress Wizard and its associated command-line options to create self-extracting files that automatically run your custom Internet Explorer Setup (.inf or .exe file) program that’s contained inside. ## IExpress Wizard location
diff --git a/browsers/internet-explorer/ie11-ieak/important-urls-home-page-and-support-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/important-urls-home-page-and-support-ieak11-wizard.md
index 022767b179..b32b5bacab 100644
--- a/browsers/internet-explorer/ie11-ieak/important-urls-home-page-and-support-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/important-urls-home-page-and-support-ieak11-wizard.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017 # Use the Important URLs - Home Page and Support page in the IEAK 11 Wizard
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
 The **Important URLS – Home Page and Support** page of the Internet Explorer Customization Wizard 11 lets you choose one or more **Home** pages and an online support page for your customized version of IE. **To use the Important URLS – Home Page and Support page**
diff --git a/browsers/internet-explorer/ie11-ieak/index.md b/browsers/internet-explorer/ie11-ieak/index.md
index 29b8c0ceca..946a42e72a 100644
--- a/browsers/internet-explorer/ie11-ieak/index.md
+++ b/browsers/internet-explorer/ie11-ieak/index.md
@@ -14,6 +14,9 @@ manager: dansimp # Internet Explorer Administration Kit 11 (IEAK 11) - Administrator's Guide
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
+
 The Internet Explorer Administration Kit (IEAK) simplifies the creation, deployment, and management of customized Internet Explorer packages. You can use the IEAK to configure the out-of-box Internet Explorer experience or to manage user settings after Internet Explorer deployment. Use this guide to learn about the several options and processes you'll need to consider while you're using the Internet Explorer Administration Kit 11 (IEAK 11) to customize, deploy, and manage Internet Explorer 11 for your employee's devices.
diff --git a/browsers/internet-explorer/ie11-ieak/internal-install-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/internal-install-ieak11-wizard.md
index 15db2bc20f..6936f198d0 100644
--- a/browsers/internet-explorer/ie11-ieak/internal-install-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/internal-install-ieak11-wizard.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017 # Use the Internal Install page in the IEAK 11 Wizard
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
 The **Internal Install** page of the Internet Explorer Customization Wizard 11 lets you customize Setup for the default browser and the latest browser updates, based on your company’s guidelines. **Note**
The customizations made on this page only apply to Internet Explorer for the desktop on Windows 7.
diff --git a/browsers/internet-explorer/ie11-ieak/isp-security-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/isp-security-ins-file-setting.md
index b625916fd1..666c5f8b17 100644
--- a/browsers/internet-explorer/ie11-ieak/isp-security-ins-file-setting.md
+++ b/browsers/internet-explorer/ie11-ieak/isp-security-ins-file-setting.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017 # Use the ISP_Security .INS file to add your root certificate
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
 Info about where you store the root certificate you’re adding to your custom package. |Name |Value |Description |
diff --git a/browsers/internet-explorer/ie11-ieak/language-selection-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/language-selection-ieak11-wizard.md
index b2f66781b7..a343a30e51 100644
--- a/browsers/internet-explorer/ie11-ieak/language-selection-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/language-selection-ieak11-wizard.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017 # Use the Language Selection page in the IEAK 11 Wizard
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
 The **Language Selection** page of the Internet Explorer Customization Wizard 11 lets you choose the language for your Internet Explorer Administration Kit 11 (IEAK 11) custom package. You can create custom Internet Explorer 11 packages in any of the languages your operating system version is available in. **Important**
Make sure that the language of your IEAK 11 installation matches the language of your custom IE11 package. If the languages don’t match, IEAK 11 won’t work properly.
diff --git a/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md b/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md
index ea1f1cb9e1..4c14f5ec98 100644
--- a/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md
@@ -16,6 +16,9 @@ ms.date: 10/23/2018 # Determine the licensing version and features to use in IEAK 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
 In addition to the Software License Terms for the Internet Explorer Administration Kit 11 (IEAK 11, referred to as the "software"), these Guidelines further define how you may and may not use the software to create versions of Internet Explorer 11 with optional customizations (referred to as the "customized browser") for internal use and distribution in accordance with the IEAK 11 Software License Terms. IEAK 11 is for testing purposes only and is not intended to be used in a production environment. During installation, you must pick a version of IEAK 11, either **External** or **Internal**, based on your license agreement. Your version selection decides the options you can chose, the steps you follow to deploy your Internet Explorer 11 package, and how you manage the browser after deployment.
diff --git a/browsers/internet-explorer/ie11-ieak/media-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/media-ins-file-setting.md
index a441fe7be2..f628def610 100644
--- a/browsers/internet-explorer/ie11-ieak/media-ins-file-setting.md
+++ b/browsers/internet-explorer/ie11-ieak/media-ins-file-setting.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017 # Use the Media .INS file to specify your install media
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
 The types of media on which your custom install package is available. |Name |Value |Description |
diff --git a/browsers/internet-explorer/ie11-ieak/pkg-type-selection-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/pkg-type-selection-ieak11-wizard.md
index ce2517bf60..ae7b3c6150 100644
--- a/browsers/internet-explorer/ie11-ieak/pkg-type-selection-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/pkg-type-selection-ieak11-wizard.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017 # Use the Package Type Selection page in the IEAK 11 Wizard
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
 The **Package Type Selection** page of the Internet Explorer Customization Wizard 11 lets you pick which type of media you’ll use to distribute your custom installation package. You can pick more than one type, if you need it. **Important**
You can't create a full installation package for deployment to Windows 10 computers. That option only works for computers running Windows 7 or Windows 8.1.
diff --git a/browsers/internet-explorer/ie11-ieak/platform-selection-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/platform-selection-ieak11-wizard.md
index 342ac46d58..67d9caac65 100644
--- a/browsers/internet-explorer/ie11-ieak/platform-selection-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/platform-selection-ieak11-wizard.md
@@ -15,6 +15,9 @@ ms.date: 07/27/2017 # Use the Platform Selection page in the IEAK 11 Wizard
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
 The **Platform Selection** page of the Internet Explorer Customization Wizard 11 lets you pick the operating system and architecture (32-bit or 64-bit) for the devices on which you’re going to install the custom installation package. **To use the Platform Selection page**
diff --git a/browsers/internet-explorer/ie11-ieak/prep-network-install-with-ieak11.md b/browsers/internet-explorer/ie11-ieak/prep-network-install-with-ieak11.md
index 809110fc8b..4720c446af 100644
--- a/browsers/internet-explorer/ie11-ieak/prep-network-install-with-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/prep-network-install-with-ieak11.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017 # Before you install your package over your network using IEAK 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
 Employees can install the custom browser package using a network server. However, you must either lower the intranet security level or make the server a trusted site. **To lower your intranet security**
diff --git a/browsers/internet-explorer/ie11-ieak/programs-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/programs-ieak11-wizard.md
index 8b46cc1615..acfbbc74ae 100644
--- a/browsers/internet-explorer/ie11-ieak/programs-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/programs-ieak11-wizard.md
@@ -15,6 +15,9 @@ ms.date: 07/27/2017 # Use the Programs page in the IEAK 11 Wizard
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
 The **Programs** page of the Internet Explorer Customization Wizard 11 lets you pick the default programs to use for Internet services, like email, contact lists, and newsgroups, by importing settings from your computer. **Important**
The customizations you make on this page only apply to Internet Explorer for the desktop.
diff --git a/browsers/internet-explorer/ie11-ieak/proxy-auto-config-examples.md b/browsers/internet-explorer/ie11-ieak/proxy-auto-config-examples.md
index 06213a78ae..56a0823f9a 100644
--- a/browsers/internet-explorer/ie11-ieak/proxy-auto-config-examples.md
+++ b/browsers/internet-explorer/ie11-ieak/proxy-auto-config-examples.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017 # Use proxy auto-configuration (.pac) files with IEAK 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
 These are various ways you can use a proxy auto-configuration (.pac) file to specify an automatic proxy URL. We've included some examples here to help guide you, but you'll need to change the proxy names, port numbers, and IP addresses to match your organization's info. Included examples:
diff --git a/browsers/internet-explorer/ie11-ieak/proxy-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/proxy-ins-file-setting.md
index 80e2e5d2c0..9def48f2d3 100644
--- a/browsers/internet-explorer/ie11-ieak/proxy-ins-file-setting.md
+++ b/browsers/internet-explorer/ie11-ieak/proxy-ins-file-setting.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017 # Use the Proxy .INS file to specify a proxy server
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
 Info about whether to use a proxy server. If yes, this also includes the host names for the proxy server. |Name |Value |Description |
diff --git a/browsers/internet-explorer/ie11-ieak/proxy-settings-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/proxy-settings-ieak11-wizard.md
index a99dc70ae0..ba113af6cc 100644
--- a/browsers/internet-explorer/ie11-ieak/proxy-settings-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/proxy-settings-ieak11-wizard.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017 # Use the Proxy Settings page in the IEAK 11 Wizard
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
 The **Proxy Settings** page of the Internet Explorer Customization Wizard 11 lets you pick the proxy servers used by your employees to connect for services required by the custom install package. Using a proxy server lets you limit access to the Internet. You can also use the **Additional Settings** page of the wizard to further restrict your employees from changing the proxy settings.
diff --git a/browsers/internet-explorer/ie11-ieak/register-uninstall-app-ieak11.md b/browsers/internet-explorer/ie11-ieak/register-uninstall-app-ieak11.md
index c6fb131002..f3b4414183 100644
--- a/browsers/internet-explorer/ie11-ieak/register-uninstall-app-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/register-uninstall-app-ieak11.md
@@ -15,6 +15,9 @@ ms.date: 07/27/2017 # Register an uninstall app for custom components using IEAK 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
 Register the uninstall apps for any custom components you’ve included in your Internet Explorer 11 package. Registering these apps lets your employees remove the components later, using **Uninstall or change a program** in the Control Panel. ## Register your uninstallation program
diff --git a/browsers/internet-explorer/ie11-ieak/rsop-snapin-for-policy-settings-ieak11.md b/browsers/internet-explorer/ie11-ieak/rsop-snapin-for-policy-settings-ieak11.md
index 8bf7232c7c..340327e916 100644
--- a/browsers/internet-explorer/ie11-ieak/rsop-snapin-for-policy-settings-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/rsop-snapin-for-policy-settings-ieak11.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017 # Using the Resultant Set of Policy (RSoP) snap-in to review policy settings
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
 After you’ve deployed your custom Internet Explorer package to your employees, you can use the Resultant Set of Policy (RSoP) snap-in to view your created policy settings. The RSoP snap-in is a two-step process. First, you run the RSoP wizard to determine what information should be viewed. Second, you open the specific items in the console window to view the settings. For complete instructions about how to use RSoP, see [Resultant Set of Policy](https://go.microsoft.com/fwlink/p/?LinkId=259479). **To add the RSoP snap-in**
diff --git a/browsers/internet-explorer/ie11-ieak/search-providers-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/search-providers-ieak11-wizard.md
index f66425a743..c092a2101b 100644
--- a/browsers/internet-explorer/ie11-ieak/search-providers-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/search-providers-ieak11-wizard.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017 # Use the Search Providers page in the IEAK 11 Wizard
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
 The **Search Providers** page of the Internet Explorer Customization Wizard 11 lets you add a default search provider (typically, Bing®) and additional providers to your custom version of IE. **Note**
The Internet Explorer Customization Wizard 11 offers improved and extended search settings. However, you can still optionally include support for Search Suggestions and Favicons, as well as Accelerator previews by using an .ins file from a previous version of IEAK.
diff --git a/browsers/internet-explorer/ie11-ieak/security-and-ieak11.md b/browsers/internet-explorer/ie11-ieak/security-and-ieak11.md
index 71d99f8b9f..336ad87ef1 100644
--- a/browsers/internet-explorer/ie11-ieak/security-and-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/security-and-ieak11.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017 # Security features and IEAK 11
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
 Use Internet Explorer in conjunction with your new and existing security measures, to make sure the computers in your company aren’t compromised while on the Internet. ## Enhanced Protection Mode
diff --git a/browsers/internet-explorer/ie11-ieak/security-and-privacy-settings-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/security-and-privacy-settings-ieak11-wizard.md
index 16ffc69435..c78a131719 100644
--- a/browsers/internet-explorer/ie11-ieak/security-and-privacy-settings-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/security-and-privacy-settings-ieak11-wizard.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017 # Use the Security and Privacy Settings page in the IEAK 11 Wizard
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
 The **Security and Privacy Settings** page of the Internet Explorer Customization Wizard 11 lets you manage your security zones, privacy settings, and content ratings. These settings help restrict the types of content your employees can access from the Internet, including any content that might be considered offensive or otherwise inappropriate in a corporate setting. **To use the Security and Privacy Settings page**
diff --git a/browsers/internet-explorer/ie11-ieak/security-imports-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/security-imports-ins-file-setting.md
index e65b0e2b77..b4fd0c45b2 100644
--- a/browsers/internet-explorer/ie11-ieak/security-imports-ins-file-setting.md
+++ b/browsers/internet-explorer/ie11-ieak/security-imports-ins-file-setting.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017 # Use the Security Imports .INS file to import security info
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
 Info about how to import security information from your local device to your custom package. |Name |Value |Description |
diff --git a/browsers/internet-explorer/ie11-ieak/troubleshooting-custom-browser-pkg-ieak11.md b/browsers/internet-explorer/ie11-ieak/troubleshooting-custom-browser-pkg-ieak11.md
index 9ae559b4b4..e4fcd7c739 100644
--- a/browsers/internet-explorer/ie11-ieak/troubleshooting-custom-browser-pkg-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/troubleshooting-custom-browser-pkg-ieak11.md
@@ -16,6 +16,9 @@ ms.date: 07/27/2017 # Troubleshoot custom package and IEAK 11 problems
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+
 While the Internet Explorer Customization Wizard has been around for quite a while, there are still some known issues that you might encounter while deploying or managing your custom IE install package. ## I am unable to locate some of the wizard pages
diff --git a/browsers/internet-explorer/ie11-ieak/url-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/url-ins-file-setting.md
index 965fda174e..06a1d3c029 100644
--- a/browsers/internet-explorer/ie11-ieak/url-ins-file-setting.md
+++ b/browsers/internet-explorer/ie11-ieak/url-ins-file-setting.md
@@ -1,40 +1,44 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: Use the \[URL\] .INS file setting to decide whether to use an auto-configured proxy server. -author: dansimp -ms.prod: ie11 -ms.assetid: 05b09dfa-cf11-408d-92c2-b4ae434a59a7 -ms.reviewer: -audience: itpro manager: dansimp -ms.author: dansimp -title: Use the URL .INS file to use an auto-configured proxy server (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Use the URL .INS file to use an auto-configured proxy server -Info about whether to use an auto-configured proxy server. If yes, this also includes the URLs to the pages that appear when your employees first connect to that server. - -|Name |Value |Description | -|-----|------|------------| -|AutoConfig |

|Determines whether to automatically configure the customized browser on your employee’s device. | -|AutoConfigJSURL |`` |The URL for the proxy auto-config file (.js or .jvs) | -|AutoConfigTime |*integer* |Automatically configures the browser on your employee’s device after its run for a specified length of time. | -|AutoConfigURL |`` |The URL for the proxy auto-config (.pac) file. | -|FirstHomePage |`` |The page (URL) that appears the first time the custom browser is opened on the employee’s device. | -|Help_Page |`` |The URL to your internal technical support site. | -|Home_Page |`` |The URL to your default **Home** page. | -|NoWelcome |
  • **0.** Display the **Welcome** page.
  • **1.** Don’t display the **Welcome** page.
|Determines whether to show the **Welcome** page the first time the browser’s used on an employee’s device. | -|Quick_Link_1 |`` |The URL to your first Quick Link. | -|Quick_Link_1_Name |`` |The name of the site associated with Quick_Link_1. | -|Quick_Link_2 |`` |The URL to your second Quick Link. | -|Quick_Link_2_Name |`` |The name of the site associated with Quick_Link_2. | -|Quick_Link_X |`` |The URL to another Quick Link. | -|Quick_Link_X_Icon |`` |A Quick Links icon (.ico) file. | -|Quick_Link_X_Name |`` |The name of the site associated with another Quick Link. | -|Quick_Link_X_Offline |
  • **0.** Don’t make the Quick Links available offline.
  • **1.** Make the Quick Links available offline.
|Determines whether to make the Quick Links available for offline browsing. | -|Search_Page |`` |The URL to the default search page. | -|UseLocalIns |
  • **0.** Don’t use a local .ins file.
  • **1.** Use a local .ins file.
|Determines whether to use a local Internet Settings (.ins) file | - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: Use the \[URL\] .INS file setting to decide whether to use an auto-configured proxy server. +author: dansimp +ms.prod: ie11 +ms.assetid: 05b09dfa-cf11-408d-92c2-b4ae434a59a7 +ms.reviewer: +audience: itpro +manager: dansimp +ms.author: dansimp +title: Use the URL .INS file to use an auto-configured proxy server (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Use the URL .INS file to use an auto-configured proxy server + +[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)] + +Info about whether to use an auto-configured proxy server. If yes, this also includes the URLs to the pages that appear when your employees first connect to that server. + +|Name |Value |Description | +|-----|------|------------| +|AutoConfig |
  • **0.** Don’t automatically configure the browser.
  • **1.** Automatically configure the browser.
|Determines whether to automatically configure the customized browser on your employee’s device. | +|AutoConfigJSURL |`` |The URL for the proxy auto-config file (.js or .jvs) | +|AutoConfigTime |*integer* |Automatically configures the browser on your employee’s device after its run for a specified length of time. | +|AutoConfigURL |`` |The URL for the proxy auto-config (.pac) file. | +|FirstHomePage |`` |The page (URL) that appears the first time the custom browser is opened on the employee’s device. | +|Help_Page |`` |The URL to your internal technical support site. | +|Home_Page |`` |The URL to your default **Home** page. | +|NoWelcome |
  • **0.** Display the **Welcome** page.
  • **1.** Don’t display the **Welcome** page.
|Determines whether to show the **Welcome** page the first time the browser’s used on an employee’s device. | +|Quick_Link_1 |`` |The URL to your first Quick Link. | +|Quick_Link_1_Name |`` |The name of the site associated with Quick_Link_1. | +|Quick_Link_2 |`` |The URL to your second Quick Link. | +|Quick_Link_2_Name |`` |The name of the site associated with Quick_Link_2. | +|Quick_Link_X |`` |The URL to another Quick Link. | +|Quick_Link_X_Icon |`` |A Quick Links icon (.ico) file. | +|Quick_Link_X_Name |`` |The name of the site associated with another Quick Link. | +|Quick_Link_X_Offline |
  • **0.** Don’t make the Quick Links available offline.
  • **1.** Make the Quick Links available offline.
|Determines whether to make the Quick Links available for offline browsing. | +|Search_Page |`` |The URL to the default search page. | +|UseLocalIns |
  • **0.** Don’t use a local .ins file.
  • **1.** Use a local .ins file.
|Determines whether to use a local Internet Settings (.ins) file | + diff --git a/browsers/internet-explorer/ie11-ieak/user-experience-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/user-experience-ieak11-wizard.md index ed8f2be8f1..364daedbbc 100644 --- a/browsers/internet-explorer/ie11-ieak/user-experience-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/user-experience-ieak11-wizard.md @@ -1,60 +1,64 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: How to use the User Experience page in the IEAK 11 Customization Wizard to decide user interaction with the Setup process. -author: dansimp -ms.prod: ie11 -ms.assetid: d3378058-e4f0-4a11-a888-b550af994bfa -ms.reviewer: -audience: itpro manager: dansimp -ms.author: dansimp -title: Use the User Experience page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Use the User Experience page in the IEAK 11 Wizard -The **User Experience** page of the Internet Explorer Customization Wizard 11 lets you decide how much you want your employees to interact with the custom package’s Setup process. - -**Note**
You’ll only see this page if you are running the **Internal** version of the Internet Explorer Customization Wizard 11.

The customizations you make on this page only apply to Internet Explorer for the desktop on Windows 7. - -**To use the User Experience page** - -1. Choose how your employee should interact with Setup, including: - - - **Interactive installation**. Lets your employees change installation options while installing your custom package. This experience shows all of the progress and error messages throughout the process. - - - **Hands-free installation**. Lets you make all of the decisions for your employees. However, they’ll still see all of the progress and error messages throughout the process. - - - **Completely silent installation**. Lets you make all of the decisions for your employees and hides all of the progress and error messages. Because this mode is completely silent, if the installation fails, your employees won’t know and they won’t be able to run the installation package again. -

Both the hands-free and completely silent installation options will: - - - Answer prompts so Setup can continue. - - - Accept the license agreement. - - - Determine that Internet Explorer 11 is installed and not just downloaded. - - - Perform your specific installation type. - - - Install IE in the default location, unless it is already installed. In that case, the new version of the browser is installed in the same location as the previous version. - -2. Choose if your employee’s device will restart at the end of Setup. - - - **Default**. Prompts your employees to restart after installing IE. - - - **No restart**. Doesn’t restart the computer after installing IE. The employee will have to manually restart later. - - - **Force restart**. Automatically restarts the computer after installing IE. - -3. Click **Next** to go to the [Browser User Interface](browser-ui-ieak11-wizard.md) page or **Back** to go to the [Internal Install](internal-install-ieak11-wizard.md) page. - - - - - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: How to use the User Experience page in the IEAK 11 Customization Wizard to decide user interaction with the Setup process. +author: dansimp +ms.prod: ie11 +ms.assetid: d3378058-e4f0-4a11-a888-b550af994bfa +ms.reviewer: +audience: itpro +manager: dansimp +ms.author: dansimp +title: Use the User Experience page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Use the User Experience page in the IEAK 11 Wizard + +[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)] + +The **User Experience** page of the Internet Explorer Customization Wizard 11 lets you decide how much you want your employees to interact with the custom package’s Setup process. + +**Note**
You’ll only see this page if you are running the **Internal** version of the Internet Explorer Customization Wizard 11.

The customizations you make on this page only apply to Internet Explorer for the desktop on Windows 7. + +**To use the User Experience page** + +1. Choose how your employee should interact with Setup, including: + + - **Interactive installation**. Lets your employees change installation options while installing your custom package. This experience shows all of the progress and error messages throughout the process. + + - **Hands-free installation**. Lets you make all of the decisions for your employees. However, they’ll still see all of the progress and error messages throughout the process. + + - **Completely silent installation**. Lets you make all of the decisions for your employees and hides all of the progress and error messages. Because this mode is completely silent, if the installation fails, your employees won’t know and they won’t be able to run the installation package again. +

Both the hands-free and completely silent installation options will: + + - Answer prompts so Setup can continue. + + - Accept the license agreement. + + - Determine that Internet Explorer 11 is installed and not just downloaded. + + - Perform your specific installation type. + + - Install IE in the default location, unless it is already installed. In that case, the new version of the browser is installed in the same location as the previous version. + +2. Choose if your employee’s device will restart at the end of Setup. + + - **Default**. Prompts your employees to restart after installing IE. + + - **No restart**. Doesn’t restart the computer after installing IE. The employee will have to manually restart later. + + - **Force restart**. Automatically restarts the computer after installing IE. + +3. Click **Next** to go to the [Browser User Interface](browser-ui-ieak11-wizard.md) page or **Back** to go to the [Internal Install](internal-install-ieak11-wizard.md) page. + + + + + + + + + diff --git a/browsers/internet-explorer/ie11-ieak/using-internet-settings-ins-files.md b/browsers/internet-explorer/ie11-ieak/using-internet-settings-ins-files.md index 3efd12ffa8..c9bb888bed 100644 --- a/browsers/internet-explorer/ie11-ieak/using-internet-settings-ins-files.md +++ b/browsers/internet-explorer/ie11-ieak/using-internet-settings-ins-files.md 
@@ -1,37 +1,41 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: Info about how to use Internet Settings (.ins) files and the IEAK 11 to configure your custom browser package. -author: dansimp -ms.prod: ie11 -ms.assetid: a24a7cdb-681e-4f34-a53c-6d8383c5f977 -ms.reviewer: -audience: itpro manager: dansimp -ms.author: dansimp -title: Using Internet Settings (.INS) files with IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Using Internet Settings (.INS) files with IEAK 11 -Use the Internet Settings (.ins) files and the Internet Explorer Administration Kit 11 (IEAK 11) to configure your custom browser and its components. You can create multiple versions of your custom package by customizing copies of this file. - -Here's a list of the available .INS file settings: - -|Setting |Description | -|-----------------------------------------|------------------------------------------------------------------------------| -|[Branding](branding-ins-file-setting.md) |Customize the branding and setup information in your browser package. | -|[BrowserToolbars](browsertoolbars-ins-file-setting.md) |Customize the appearance of the IE toolbar. | -|[CabSigning](cabsigning-ins-file-setting.md) |Digital signature information for your programs. | -|[ConnectionSettings](connectionsettings-ins-file-setting.md) |Info about the networking connection settings used to install your custom package. | -|[CustomBranding](custombranding-ins-file-setting.md) |URL location to your branding cabinet (.cab) file. | -|[ExtRegInf](extreginf-ins-file-setting.md) |Names of your Setup information (.inf) files and the installation mode for components. | -|[FavoritesEx](favoritesex-ins-file-setting.md) |Add a path to your icon file for **Favorites**, decide whether **Favorites** are available offline, and add URLs to each**Favorites** site. 
| -|[HideCustom](hidecustom-ins-file-setting.md) |Whether to hide the globally unique identifier (GUID) for each custom component. | -|[ISP_Security](isp-security-ins-file-setting.md) |The root certificate you’re adding to your custom package. | -|[Media](media-ins-file-setting.md) |Types of media in which your custom installation package is available. | -|[Proxy](proxy-ins-file-setting.md) |Whether to use a proxy server. | -|[Security Imports](security-imports-ins-file-setting.md) |Whether to import security information for your custom package. | -|[URL](url-ins-file-setting.md) |Whether to use an auto-configured proxy server. | - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: Info about how to use Internet Settings (.ins) files and the IEAK 11 to configure your custom browser package. +author: dansimp +ms.prod: ie11 +ms.assetid: a24a7cdb-681e-4f34-a53c-6d8383c5f977 +ms.reviewer: +audience: itpro +manager: dansimp +ms.author: dansimp +title: Using Internet Settings (.INS) files with IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Using Internet Settings (.INS) files with IEAK 11 + +[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)] + +Use the Internet Settings (.ins) files and the Internet Explorer Administration Kit 11 (IEAK 11) to configure your custom browser and its components. You can create multiple versions of your custom package by customizing copies of this file. + +Here's a list of the available .INS file settings: + +|Setting |Description | +|-----------------------------------------|------------------------------------------------------------------------------| +|[Branding](branding-ins-file-setting.md) |Customize the branding and setup information in your browser package. | +|[BrowserToolbars](browsertoolbars-ins-file-setting.md) |Customize the appearance of the IE toolbar. 
| +|[CabSigning](cabsigning-ins-file-setting.md) |Digital signature information for your programs. | +|[ConnectionSettings](connectionsettings-ins-file-setting.md) |Info about the networking connection settings used to install your custom package. | +|[CustomBranding](custombranding-ins-file-setting.md) |URL location to your branding cabinet (.cab) file. | +|[ExtRegInf](extreginf-ins-file-setting.md) |Names of your Setup information (.inf) files and the installation mode for components. | +|[FavoritesEx](favoritesex-ins-file-setting.md) |Add a path to your icon file for **Favorites**, decide whether **Favorites** are available offline, and add URLs to each**Favorites** site. | +|[HideCustom](hidecustom-ins-file-setting.md) |Whether to hide the globally unique identifier (GUID) for each custom component. | +|[ISP_Security](isp-security-ins-file-setting.md) |The root certificate you’re adding to your custom package. | +|[Media](media-ins-file-setting.md) |Types of media in which your custom installation package is available. | +|[Proxy](proxy-ins-file-setting.md) |Whether to use a proxy server. | +|[Security Imports](security-imports-ins-file-setting.md) |Whether to import security information for your custom package. | +|[URL](url-ins-file-setting.md) |Whether to use an auto-configured proxy server. | + diff --git a/browsers/internet-explorer/ie11-ieak/what-ieak-can-do-for-you.md b/browsers/internet-explorer/ie11-ieak/what-ieak-can-do-for-you.md index 06b86bce15..d62e11e507 100644 --- a/browsers/internet-explorer/ie11-ieak/what-ieak-can-do-for-you.md +++ b/browsers/internet-explorer/ie11-ieak/what-ieak-can-do-for-you.md 
@@ -1,68 +1,72 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: support -ms.pagetype: security -description: Internet Explorer Administration Kit (IEAK) helps corporations, Internet service providers (ISPs), Internet content providers (ICPs), and independent software vendors (ISVs) to deploy and manage web-based solutions. -author: dansimp -ms.author: dansimp -ms.manager: elizapo -ms.prod: ie11 -ms.assetid: -ms.reviewer: -audience: itpro manager: dansimp -title: What IEAK can do for you -ms.sitesec: library -ms.date: 05/10/2018 ---- - -# What IEAK can do for you - -Internet Explorer Administration Kit (IEAK) helps corporations, Internet service providers (ISPs), Internet content providers (ICPs), and independent software vendors (ISVs) to deploy and manage web-based solutions. - -IEAK 10 and newer includes the ability to install using one of the following installation modes: - -- Internal - -- External - -## IEAK 11 users -Internet Explorer Administration Kit (IEAK) helps corporations, Internet service providers (ISPs), Internet content providers (ICPs), and independent software vendors (ISVs) to deploy and manage web-based solutions. - -IEAK 10 and newer includes the ability to install using one of the following installation modes: -- Internal -- External - -> [!NOTE] -> IEAK 11 works in network environments, with or without Microsoft Active Directory service. - - -### Corporations -IEAK helps corporate administrators establish version control, centrally distribute and manage browser installation, configure automatic connection profiles, and customize large portions of Internet Explorer, including features, security, communications settings, and other important functionality. - -Corporate administrators install IEAK using Internal mode (for Internet Explorer 10 or newer) or Corporate mode (for Internet Explorer 9 or older). 
- -### Internet service providers -IEAK helps ISPs customize, deploy and distribute, add third-party add-ons, search providers, and custom components, as well as include web slices and accelerators all as part of a custom Internet Explorer installation package. - -ISPs install IEAK using External mode (for Internet Explorer 10 or newer) or Internet Service Provider (ISP) mode (for Internet Explorer 9 or older). - -### Internet content providers -IEAK helps ICPs customize the appearance of Internet Explorer and its Setup program, including letting you add your company name or specific wording to the Title bar, set up a customer support webpage, set up the user home page and search providers, add links to the Favorites and the Explorer bars, add optional components, web slices and accelerators, and determine which compatibility mode Internet Explorer should use. - -ICPs install IEAK using External mode (for Internet Explorer 10 or newer) or Internet Content Provider (ICP) mode (for Internet Explorer 9 or older) - -### Independent software vendors -IEAK helps ISVs distribute (and redistribute) a custom version of Internet Explorer that can include custom components, programs, and controls (like the web browser control) that you create for your users. ISVs can also determine home pages, search providers, and add websites to the Favorites bar. - -ISVs install IEAK using External mode (for Internet Explorer 10 or newer) or Internet Content Provider (ICP) mode (for Internet Explorer 9 or older). 
- -## Additional resources - -- [IEAK 11 - Frequently Asked Questions](../ie11-faq/faq-ieak11.md) -- [Download IEAK 11](ieak-information-and-downloads.md) -- [IEAK 11 overview](index.md) -- [IEAK 11 administrators guide](https://docs.microsoft.com/internet-explorer/ie11-ieak/index) -- [IEAK 11 licensing guidelines](licensing-version-and-features-ieak11.md) -- [Internet Explorer 11 - FAQ for IT Pros](../ie11-faq/faq-for-it-pros-ie11.md) -- [Internet Explorer 11 (IE11) - Deployment Guide for IT Pros](../ie11-deploy-guide/index.md) -- [Microsoft Edge - Deployment Guide for IT Pros](https://go.microsoft.com/fwlink/p/?LinkId=760643) +--- +ms.localizationpriority: medium +ms.mktglfcycl: support +ms.pagetype: security +description: Internet Explorer Administration Kit (IEAK) helps corporations, Internet service providers (ISPs), Internet content providers (ICPs), and independent software vendors (ISVs) to deploy and manage web-based solutions. +author: dansimp +ms.author: dansimp +ms.manager: elizapo +ms.prod: ie11 +ms.assetid: +ms.reviewer: +audience: itpro +manager: dansimp +title: What IEAK can do for you +ms.sitesec: library +ms.date: 05/10/2018 +--- + +# What IEAK can do for you + +[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)] + + +Internet Explorer Administration Kit (IEAK) helps corporations, Internet service providers (ISPs), Internet content providers (ICPs), and independent software vendors (ISVs) to deploy and manage web-based solutions. + +IEAK 10 and newer includes the ability to install using one of the following installation modes: + +- Internal + +- External + +## IEAK 11 users +Internet Explorer Administration Kit (IEAK) helps corporations, Internet service providers (ISPs), Internet content providers (ICPs), and independent software vendors (ISVs) to deploy and manage web-based solutions. 
+ +IEAK 10 and newer includes the ability to install using one of the following installation modes: +- Internal +- External + +> [!NOTE] +> IEAK 11 works in network environments, with or without Microsoft Active Directory service. + + +### Corporations +IEAK helps corporate administrators establish version control, centrally distribute and manage browser installation, configure automatic connection profiles, and customize large portions of Internet Explorer, including features, security, communications settings, and other important functionality. + +Corporate administrators install IEAK using Internal mode (for Internet Explorer 10 or newer) or Corporate mode (for Internet Explorer 9 or older). + +### Internet service providers +IEAK helps ISPs customize, deploy and distribute, add third-party add-ons, search providers, and custom components, as well as include web slices and accelerators all as part of a custom Internet Explorer installation package. + +ISPs install IEAK using External mode (for Internet Explorer 10 or newer) or Internet Service Provider (ISP) mode (for Internet Explorer 9 or older). + +### Internet content providers +IEAK helps ICPs customize the appearance of Internet Explorer and its Setup program, including letting you add your company name or specific wording to the Title bar, set up a customer support webpage, set up the user home page and search providers, add links to the Favorites and the Explorer bars, add optional components, web slices and accelerators, and determine which compatibility mode Internet Explorer should use. + +ICPs install IEAK using External mode (for Internet Explorer 10 or newer) or Internet Content Provider (ICP) mode (for Internet Explorer 9 or older) + +### Independent software vendors +IEAK helps ISVs distribute (and redistribute) a custom version of Internet Explorer that can include custom components, programs, and controls (like the web browser control) that you create for your users. 
ISVs can also determine home pages, search providers, and add websites to the Favorites bar. + +ISVs install IEAK using External mode (for Internet Explorer 10 or newer) or Internet Content Provider (ICP) mode (for Internet Explorer 9 or older). + +## Additional resources + +- [IEAK 11 - Frequently Asked Questions](../ie11-faq/faq-ieak11.md) +- [Download IEAK 11](ieak-information-and-downloads.md) +- [IEAK 11 overview](index.md) +- [IEAK 11 administrators guide](https://docs.microsoft.com/internet-explorer/ie11-ieak/index) +- [IEAK 11 licensing guidelines](licensing-version-and-features-ieak11.md) +- [Internet Explorer 11 - FAQ for IT Pros](../ie11-faq/faq-for-it-pros-ie11.md) +- [Internet Explorer 11 (IE11) - Deployment Guide for IT Pros](../ie11-deploy-guide/index.md) +- [Microsoft Edge - Deployment Guide for IT Pros](https://go.microsoft.com/fwlink/p/?LinkId=760643) diff --git a/browsers/internet-explorer/ie11-ieak/wizard-complete-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/wizard-complete-ieak11-wizard.md index e81b0eedea..03de7ed423 100644 --- a/browsers/internet-explorer/ie11-ieak/wizard-complete-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/wizard-complete-ieak11-wizard.md 
@@ -1,31 +1,35 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: How to use the Wizard Complete - Next Steps page in the IEAK 11 Customization Wizard to build your custom Internet Explorer install package. -author: dansimp -ms.prod: ie11 -ms.assetid: aaaac88a-2022-4d0b-893c-b2404b45cabc -ms.reviewer: -audience: itpro manager: dansimp -ms.author: dansimp -title: Use the Wizard Complete - Next Steps page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Use the Wizard Complete - Next Steps page in the IEAK 11 Wizard -The **Wizard Complete – Next Steps** page of the Internet Explorer Customization Wizard 11 lets you build your custom installation package, after you click **Finish**. - -In most cases, your next steps will be to prepare your files for installation from your network or from another distribution method. If you haven’t already done it, you’ll need to digitally sign any program or .cab files that are going to be distributed over the Internet or over an intranet that isn’t configured to allow downloads. - -After that, the steps you’ll use to distribute your customized browser will vary, depending on your version of IEAK (Internal or External) and the media you’re using to distribute the package. For more information, see the [Internet Explorer 11 (IE11) - Deployment Guide for IT Pros](../ie11-deploy-guide/index.md). - -  - -  - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: How to use the Wizard Complete - Next Steps page in the IEAK 11 Customization Wizard to build your custom Internet Explorer install package. 
+author: dansimp +ms.prod: ie11 +ms.assetid: aaaac88a-2022-4d0b-893c-b2404b45cabc +ms.reviewer: +audience: itpro +manager: dansimp +ms.author: dansimp +title: Use the Wizard Complete - Next Steps page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Use the Wizard Complete - Next Steps page in the IEAK 11 Wizard + +[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)] + +The **Wizard Complete – Next Steps** page of the Internet Explorer Customization Wizard 11 lets you build your custom installation package, after you click **Finish**. + +In most cases, your next steps will be to prepare your files for installation from your network or from another distribution method. If you haven’t already done it, you’ll need to digitally sign any program or .cab files that are going to be distributed over the Internet or over an intranet that isn’t configured to allow downloads. + +After that, the steps you’ll use to distribute your customized browser will vary, depending on your version of IEAK (Internal or External) and the media you’re using to distribute the package. For more information, see the [Internet Explorer 11 (IE11) - Deployment Guide for IT Pros](../ie11-deploy-guide/index.md). + +  + +  + + + + + diff --git a/browsers/internet-explorer/includes/microsoft-365-ie-end-of-support.md b/browsers/internet-explorer/includes/microsoft-365-ie-end-of-support.md new file mode 100644 index 0000000000..96a04e5f70 --- /dev/null +++ b/browsers/internet-explorer/includes/microsoft-365-ie-end-of-support.md 
@@ -0,0 +1,13 @@
+---
+author: pamgreen-msft
+ms.author: pamgreen
+ms.date: 10/02/2018
+ms.reviewer:
+audience: itpro
+manager: pamgreen
+ms.prod: ie11
+ms.topic: include
+---
+
+> [!IMPORTANT]
+> Microsoft 365 apps and services will not support Internet Explorer 11 starting August 17, 2021 (Microsoft Teams will not support Internet Explorer 11 earlier, starting November 30, 2020). [Learn more](https://aka.ms/AA97tsw). Please note that Internet Explorer 11 will remain a supported browser. Internet Explorer 11 is a component of the Windows operating system and [follows the Lifecycle Policy](https://docs.microsoft.com/lifecycle/faq/internet-explorer-microsoft-edge) for the product on which it is installed.
\ No newline at end of file
diff --git a/education/windows/set-up-school-pcs-whats-new.md b/education/windows/set-up-school-pcs-whats-new.md
index fe8d0d640e..72bea22625 100644
--- a/education/windows/set-up-school-pcs-whats-new.md
+++ b/education/windows/set-up-school-pcs-whats-new.md
@@ -9,7 +9,7 @@ ms.pagetype: edu
 ms.localizationpriority: medium
 author: dansimp
 ms.author: dansimp
-ms.date: 09/25/2019
+ms.date: 08/31/2020
 ms.reviewer:
 manager: dansimp
 ---
@@ -18,6 +18,11 @@ manager: dansimp
 Learn what’s new with the Set up School PCs app each week. Find out about new app features and functionality, see updated screenshots, and find information about past releases.
+## Week of August 24, 2020
+
+### Longer device names supported in app
+You can now give devices running Windows 10, version 2004 and later a name that's up to 53 characters long.
+
 ## Week of September 23, 2019
 ### Easier way to deploy Office 365 to your classroom devices
diff --git a/education/windows/take-a-test-multiple-pcs.md b/education/windows/take-a-test-multiple-pcs.md
index 69d4efc9c1..1bfa750d6f 100644
--- a/education/windows/take-a-test-multiple-pcs.md
+++ b/education/windows/take-a-test-multiple-pcs.md
@@ -145,8 +145,8 @@ To set up a test account through Windows Configuration Designer, follow these st
 - username@tenant.com
 4. Under **Runtime settings**, go to **TakeATest** and configure the following settings:
- 1. In **LaunchURI**, enter the assessment URL.
- 2. In **TesterAccount**, enter the test account you entered in step 3.
+ - In **LaunchURI**, enter the assessment URL.
+ - In **TesterAccount**, enter the test account you entered in step 3.
 3. Follow the steps to [build a package](https://technet.microsoft.com/itpro/windows/configure/provisioning-create-package#build-package).
@@ -166,9 +166,9 @@ This sample PowerShell script configures the tester account and the assessment U
 - Use your tester account for **-UserName**
 >[!NOTE]
->The account that you specify for the tester account must already exist on the device.
+>The account that you specify for the tester account must already exist on the device. For steps to create the tester account, see [Set up a dedicated test account](https://docs.microsoft.com/education/windows/take-a-test-single-pc#set-up-a-dedicated-test-account).
-```
+```powershell
 $obj = get-wmiobject -namespace root/cimv2/mdm/dmmap -class MDM_SecureAssessment -filter "InstanceID='SecureAssessment' AND ParentID='./Vendor/MSFT'";
 $obj.LaunchURI='https://www.foo.com';
 $obj.TesterAccount='TestAccount';
@@ -232,7 +232,7 @@ One of the ways you can present content in a locked down manner is by embedding
 1. Embed a link or create a desktop shortcut with:
- ```
+ ```http
 ms-edu-secureassessment:#enforceLockdown
 ```
diff --git a/store-for-business/add-unsigned-app-to-code-integrity-policy.md b/store-for-business/add-unsigned-app-to-code-integrity-policy.md
index b343954c9a..24ec842c6c 100644
--- a/store-for-business/add-unsigned-app-to-code-integrity-policy.md
+++ b/store-for-business/add-unsigned-app-to-code-integrity-policy.md
@@ -17,6 +17,23 @@ ms.date: 10/17/2017 # Add unsigned app to code integrity policy +> [!IMPORTANT] +> We are introducing a new version of the Device Guard Signing Service (DGSS) to be more automation friendly. The new version of the service (DGSS v2) will be available for consumption starting mid-September 2020, and you will have until the end of December 2020 to transition to DGSS v2. At the end of December 2020, the existing web-based mechanisms for the current version of the DGSS service will be retired and will no longer be available for use. Please make plans to migrate to the new version of the service between September and December 2020. +> +> Following are the major changes we are making to the service: +> - The method for consuming the service will change to a more automation-friendly method based on PowerShell cmdlets. These cmdlets will be available as a NuGet download. +> - In order to achieve desired isolation, you will be required to get a new CI policy from DGSS v2 (and optionally sign it). +> - DGSS v2 will not have support for downloading leaf certificates used to sign your files (however, the root certificate will still be available to download). Note that the certificate used to sign a file can be easily extracted from the signed file itself. As a result, after DGSS v1 is retired at the end of December 2020, you will no longer be able to download the leaf certificates used to sign your files. +> +> The following functionality will be available via these PowerShell cmdlets: +> - Get a CI policy +> - Sign a CI policy +> - Sign a catalog +> - Download root cert +> - Download history of your signing operations +> +> We will share detailed instructions and NuGet location before mid-September 2020. For any questions, please contact us at DGSSMigration@microsoft.com for more information on migration. + **Applies to** 
diff --git a/store-for-business/device-guard-signing-portal.md b/store-for-business/device-guard-signing-portal.md
index 6a2720e035..a3e5be63f9 100644
--- a/store-for-business/device-guard-signing-portal.md
+++ b/store-for-business/device-guard-signing-portal.md
@@ -17,6 +17,23 @@ ms.date: 10/17/2017 # Device Guard signing +> [!IMPORTANT] +> We are introducing a new version of the Device Guard Signing Service (DGSS) to be more automation friendly. The new version of the service (DGSS v2) will be available for consumption starting mid-September 2020, and you will have until the end of December 2020 to transition to DGSS v2. At the end of December 2020, the existing web-based mechanisms for the current version of the DGSS service will be retired and will no longer be available for use. Please make plans to migrate to the new version of the service between September and December 2020. +> +> Following are the major changes we are making to the service: +> - The method for consuming the service will change to a more automation-friendly method based on PowerShell cmdlets. These cmdlets will be available as a NuGet download. +> - In order to achieve desired isolation, you will be required to get a new CI policy from DGSS v2 (and optionally sign it). +> - DGSS v2 will not have support for downloading leaf certificates used to sign your files (however, the root certificate will still be available to download). Note that the certificate used to sign a file can be easily extracted from the signed file itself. As a result, after DGSS v1 is retired at the end of December 2020, you will no longer be able to download the leaf certificates used to sign your files. +> +> The following functionality will be available via these PowerShell cmdlets: +> - Get a CI policy +> - Sign a CI policy +> - Sign a catalog +> - Download root cert +> - Download history of your signing operations +> +> We will share detailed instructions and NuGet location before mid-September 2020. For any questions, please contact us at DGSSMigration@microsoft.com for more information on migration. + **Applies to** 
diff --git a/store-for-business/prerequisites-microsoft-store-for-business.md b/store-for-business/prerequisites-microsoft-store-for-business.md index c540dd2199..9d5a58c992 100644 --- a/store-for-business/prerequisites-microsoft-store-for-business.md +++ b/store-for-business/prerequisites-microsoft-store-for-business.md @@ -64,7 +64,7 @@ If your organization restricts computers on your network from connecting to the starting with Windows 10, version 1607) Store for Business requires Microsoft Windows HTTP Services (WinHTTP) to install, or update apps. -For more information about how to configure WinHTTP proxy settings to devices, see [Use Group Policy to apply WinHTTP proxy settings to Windows clients](https://support.microsoft.com/en-us/help/4494447/use-group-policy-to-apply-winhttp-proxy-settings-to-clients). +For more information about how to configure WinHTTP proxy settings to devices, see [Use Group Policy to apply WinHTTP proxy settings to Windows clients](https://support.microsoft.com/help/4494447/use-group-policy-to-apply-winhttp-proxy-settings-to-clients). diff --git a/store-for-business/sign-code-integrity-policy-with-device-guard-signing.md b/store-for-business/sign-code-integrity-policy-with-device-guard-signing.md index e0db1ee7c7..e0acead8f1 100644 --- a/store-for-business/sign-code-integrity-policy-with-device-guard-signing.md +++ b/store-for-business/sign-code-integrity-policy-with-device-guard-signing.md 
@@ -17,6 +17,24 @@ ms.date: 10/17/2017 # Sign code integrity policy with Device Guard signing +> [!IMPORTANT] +> We are introducing a new version of the Device Guard Signing Service (DGSS) to be more automation friendly. The new version of the service (DGSS v2) will be available for consumption starting mid-September 2020, and you will have until the end of December 2020 to transition to DGSS v2. At the end of December 2020, the existing web-based mechanisms for the current version of the DGSS service will be retired and will no longer be available for use. Please make plans to migrate to the new version of the service between September and December 2020. +> +> Following are the major changes we are making to the service: +> - The method for consuming the service will change to a more automation-friendly method based on PowerShell cmdlets. These cmdlets will be available as a NuGet download. +> - In order to achieve desired isolation, you will be required to get a new CI policy from DGSS v2 (and optionally sign it). +> - DGSS v2 will not have support for downloading leaf certificates used to sign your files (however, the root certificate will still be available to download). Note that the certificate used to sign a file can be easily extracted from the signed file itself. As a result, after DGSS v1 is retired at the end of December 2020, you will no longer be able to download the leaf certificates used to sign your files. +> +> The following functionality will be available via these PowerShell cmdlets: +> - Get a CI policy +> - Sign a CI policy +> - Sign a catalog +> - Download root cert +> - Download history of your signing operations +> +> We will share detailed instructions and NuGet location before mid-September 2020. For any questions, please contact us at DGSSMigration@microsoft.com for more information on migration. + + **Applies to** - Windows 10 
diff --git a/windows/application-management/app-v/appv-add-or-remove-an-administrator-with-the-management-console.md b/windows/application-management/app-v/appv-add-or-remove-an-administrator-with-the-management-console.md
index 1ef657304d..8e37f9eb2f 100644
--- a/windows/application-management/app-v/appv-add-or-remove-an-administrator-with-the-management-console.md
+++ b/windows/application-management/app-v/appv-add-or-remove-an-administrator-with-the-management-console.md
@@ -1,6 +1,6 @@
 ---
 title: How to Add or Remove an Administrator by Using the Management Console (Windows 10)
-description: How to add or remove an administrator by using the Management Console
+description: Add or remove an administrator on the Microsoft Application Virtualization (App-V) server by using the Management Console.
 author: dansimp
 ms.pagetype: mdop, appcompat, virtualization
 ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-add-or-upgrade-packages-with-the-management-console.md b/windows/application-management/app-v/appv-add-or-upgrade-packages-with-the-management-console.md
index ce050e817b..c26f77e8e4 100644
--- a/windows/application-management/app-v/appv-add-or-upgrade-packages-with-the-management-console.md
+++ b/windows/application-management/app-v/appv-add-or-upgrade-packages-with-the-management-console.md
@@ -1,6 +1,6 @@
 ---
 title: How to Add or Upgrade Packages by Using the Management Console (Windows 10)
-description: How to add or upgrade packages by using the Management Console
+description: Add or remove an administrator on the Microsoft Application Virtualization (App-V) server by using the Management Console.
 author: dansimp
 ms.pagetype: mdop, appcompat, virtualization
 ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-administering-appv-with-powershell.md b/windows/application-management/app-v/appv-administering-appv-with-powershell.md
index ea02c9ad1f..58a0c8b25d 100644
--- a/windows/application-management/app-v/appv-administering-appv-with-powershell.md
+++ b/windows/application-management/app-v/appv-administering-appv-with-powershell.md
@@ -1,6 +1,6 @@
 ---
 title: Administering App-V by using Windows PowerShell (Windows 10)
-description: Administering App-V by Using Windows PowerShell
+description: Administer App-V by using Windows PowerShell and learn where to find more information about PowerShell for App-V.
 author: dansimp
 ms.pagetype: mdop, appcompat, virtualization
 ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md b/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md
index a913ce8a38..88430660e3 100644
--- a/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md
+++ b/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md
@@ -1,6 +1,6 @@
 ---
 title: Application Publishing and Client Interaction (Windows 10)
-description: Application publishing and client interaction.
+description: Learn technical information about common App-V Client operations and their integration with the local operating system.
 author: dansimp
 ms.pagetype: mdop, appcompat, virtualization
 ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-available-mdm-settings.md b/windows/application-management/app-v/appv-available-mdm-settings.md
index 6bb52f7eb3..8c4f4b2b2d 100644
--- a/windows/application-management/app-v/appv-available-mdm-settings.md
+++ b/windows/application-management/app-v/appv-available-mdm-settings.md
@@ -1,6 +1,6 @@
 ---
 title: Available Mobile Device Management (MDM) settings for App-V (Windows 10)
-description: A list of the available MDM settings for App-V on Windows 10.
+description: Learn the available Mobile Device Management (MDM) settings you can use to configure App-V on Windows 10.
 author: dansimp
 ms.pagetype: mdop, appcompat, virtualization
 ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-capacity-planning.md b/windows/application-management/app-v/appv-capacity-planning.md
index 099bcdf1c4..d3c80a88c9 100644
--- a/windows/application-management/app-v/appv-capacity-planning.md
+++ b/windows/application-management/app-v/appv-capacity-planning.md
@@ -1,6 +1,6 @@
 ---
 title: App-V Capacity Planning (Windows 10)
-description: App-V Capacity Planning
+description: Use these recommendations as a baseline to help determine capacity planning information that is appropriate to your organization’s App-V infrastructure.
 author: dansimp
 ms.pagetype: mdop, appcompat, virtualization
 ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-client-configuration-settings.md b/windows/application-management/app-v/appv-client-configuration-settings.md
index 693a058d7e..f641b232d6 100644
--- a/windows/application-management/app-v/appv-client-configuration-settings.md
+++ b/windows/application-management/app-v/appv-client-configuration-settings.md
@@ -1,6 +1,6 @@
 ---
 title: About Client Configuration Settings (Windows 10)
-description: About Client Configuration Settings
+description: Learn about the App-V client configuration settings and how to use Windows PowerShell to modify the client configuration settings.
 author: dansimp
 ms.pagetype: mdop, appcompat, virtualization
 ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-configure-connection-groups-to-ignore-the-package-version.md b/windows/application-management/app-v/appv-configure-connection-groups-to-ignore-the-package-version.md
index ae887fc389..52632f558e 100644
--- a/windows/application-management/app-v/appv-configure-connection-groups-to-ignore-the-package-version.md
+++ b/windows/application-management/app-v/appv-configure-connection-groups-to-ignore-the-package-version.md
@@ -1,6 +1,6 @@
 ---
 title: How to make a connection group ignore the package version (Windows 10)
-description: How to make a connection group ignore the package version.
+description: Learn how to make a connection group ignore the package version with the App-V Server Management Console.
 author: dansimp
 ms.pagetype: mdop, appcompat, virtualization
 ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-connect-to-the-management-console.md b/windows/application-management/app-v/appv-connect-to-the-management-console.md
index f878e5f7a4..009019e015 100644
--- a/windows/application-management/app-v/appv-connect-to-the-management-console.md
+++ b/windows/application-management/app-v/appv-connect-to-the-management-console.md
@@ -1,6 +1,6 @@
 ---
 title: How to connect to the Management Console (Windows 10)
-description: How to Connect to the App-V Management Console.
+description: In this article, learn the procedure for connecting to the App-V Management Console through your web browser.
 author: lomayor
 ms.pagetype: mdop, appcompat, virtualization
 ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-connection-group-virtual-environment.md b/windows/application-management/app-v/appv-connection-group-virtual-environment.md
index ed2d425dc4..a16ae77ec8 100644
--- a/windows/application-management/app-v/appv-connection-group-virtual-environment.md
+++ b/windows/application-management/app-v/appv-connection-group-virtual-environment.md
@@ -1,6 +1,6 @@
 ---
 title: About the connection group virtual environment (Windows 10)
-description: Overview of how the connection group virtual environment works.
+description: Learn how the connection group virtual environment works and how package priority is determined.
 author: lomayor
 ms.pagetype: mdop, appcompat, virtualization
 ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-convert-a-package-created-in-a-previous-version-of-appv.md b/windows/application-management/app-v/appv-convert-a-package-created-in-a-previous-version-of-appv.md
index 794615f010..60c1c72c77 100644
--- a/windows/application-management/app-v/appv-convert-a-package-created-in-a-previous-version-of-appv.md
+++ b/windows/application-management/app-v/appv-convert-a-package-created-in-a-previous-version-of-appv.md
@@ -1,6 +1,6 @@
 ---
 title: How to convert a package created in a previous version of App-V (Windows 10)
-description: How to convert a package created in a previous version of App-V.
+description: Use the package converter utility to convert a virtual application package created in a previous version of App-V.
 author: lomayor
 ms.pagetype: mdop, appcompat, virtualization
 ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-create-a-connection-group.md b/windows/application-management/app-v/appv-create-a-connection-group.md
index 9f08b25b41..829708fe4f 100644
--- a/windows/application-management/app-v/appv-create-a-connection-group.md
+++ b/windows/application-management/app-v/appv-create-a-connection-group.md
@@ -1,6 +1,6 @@
 ---
 title: How to create a connection group (Windows 10)
-description: How to create a connection group with the App-V Management Console.
+description: Learn how to create a connection group with the App-V Management Console and where to find information about managing connection groups.
 author: lomayor
 ms.pagetype: mdop, appcompat, virtualization
 ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md b/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md
index fb72cbc762..600df5f713 100644
--- a/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md
+++ b/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md
@@ -1,6 +1,6 @@
 ---
 title: How to create a package accelerator by using Windows PowerShell (Windows 10)
-description: How to create a package accelerator with Windows PowerShell.
+description: Learn how to create an App-v Package Accelerator by using Windows PowerShell. App-V Package Accelerators automatically sequence large, complex applications.
 author: lomayor
 ms.pagetype: mdop, appcompat, virtualization
 ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md b/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md
index 29d79221c5..b7ee707a61 100644
--- a/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md
+++ b/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md
@@ -1,6 +1,6 @@
 ---
 title: Creating and managing App-V virtualized applications (Windows 10)
-description: Creating and managing App-V virtualized applications
+description: Create and manage App-V virtualized applications to monitor and record the installation process for an application to be run as a virtualized application.
 author: lomayor
 ms.pagetype: mdop, appcompat, virtualization
 ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-delete-a-connection-group.md b/windows/application-management/app-v/appv-delete-a-connection-group.md
index 9747e3066d..20c62b4398 100644
--- a/windows/application-management/app-v/appv-delete-a-connection-group.md
+++ b/windows/application-management/app-v/appv-delete-a-connection-group.md
@@ -1,6 +1,6 @@
 ---
 title: How to delete a connection group (Windows 10)
-description: How to delete a connection group.
+description: Learn how to delete an existing App-V connection group in the App-V Management Console and where to find information about managing connection groups.
 author: lomayor
 ms.pagetype: mdop, appcompat, virtualization
 ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-delete-a-package-with-the-management-console.md b/windows/application-management/app-v/appv-delete-a-package-with-the-management-console.md
index 3b5027c30b..16a77e0287 100644
--- a/windows/application-management/app-v/appv-delete-a-package-with-the-management-console.md
+++ b/windows/application-management/app-v/appv-delete-a-package-with-the-management-console.md
@@ -1,6 +1,6 @@
 ---
 title: How to delete a package in the Management Console (Windows 10)
-description: How to delete a package in the Management Console.
+description: Learn how to delete a package in the App-V Management Console and where to find information about operations for App-V.
 author: lomayor
 ms.pagetype: mdop, appcompat, virtualization
 ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-deploy-appv-databases-with-sql-scripts.md b/windows/application-management/app-v/appv-deploy-appv-databases-with-sql-scripts.md
index e866c21b92..4717b5e4ef 100644
--- a/windows/application-management/app-v/appv-deploy-appv-databases-with-sql-scripts.md
+++ b/windows/application-management/app-v/appv-deploy-appv-databases-with-sql-scripts.md
@@ -1,6 +1,6 @@
 ---
 title: How to Deploy the App-V Databases by Using SQL Scripts (Windows 10)
-description: These instructions can be used to deploy App-V databases by using SQL scripts.
+description: Learn how to use SQL scripts to install the App-V databases and upgrade the App-V databases to a later version.
 author: lomayor
 ms.pagetype: mdop, appcompat, virtualization
 ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md b/windows/application-management/app-v/appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md
index 0c013faf96..3c47fd5076 100644
--- a/windows/application-management/app-v/appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md
+++ b/windows/application-management/app-v/appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md
@@ -1,6 +1,6 @@
 ---
 title: How to deploy App-V packages using electronic software distribution (Windows 10)
-description: How to deploy App-V packages using electronic software distribution.
+description: Learn how use an electronic software distribution (ESD) system to deploy App-V virtual applications to App-V clients.
 author: lomayor
 ms.pagetype: mdop, appcompat, virtualization
 ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-deploy-the-appv-server-with-a-script.md b/windows/application-management/app-v/appv-deploy-the-appv-server-with-a-script.md
index 728f4943a1..07407291fe 100644
--- a/windows/application-management/app-v/appv-deploy-the-appv-server-with-a-script.md
+++ b/windows/application-management/app-v/appv-deploy-the-appv-server-with-a-script.md
@@ -1,6 +1,6 @@
 ---
 title: How to Deploy the App-V Server Using a Script (Windows 10)
-description: Information, lists, and tables that can help you deploy the App-V server using a script
+description: 'Learn how to deploy the App-V server by using a script (appv_server_setup.exe) from the command line.'
 author: lomayor
 ms.pagetype: mdop, appcompat, virtualization
 ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-deploy-the-appv-server.md b/windows/application-management/app-v/appv-deploy-the-appv-server.md
index 837d0e6a32..9284a9bfc6 100644
--- a/windows/application-management/app-v/appv-deploy-the-appv-server.md
+++ b/windows/application-management/app-v/appv-deploy-the-appv-server.md
@@ -1,6 +1,6 @@
 ---
 title: How to Deploy the App-V Server (Windows 10)
-description: Use these instructions to deploy the App-V Server in App-V for Windows 10.
+description: Use these instructions to deploy the Application Virtualization (App-V) Server in App-V for Windows 10.
 author: lomayor
 ms.pagetype: mdop, appcompat, virtualization
 ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md b/windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md
index b125e5282e..736d772dfc 100644
--- a/windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md
+++ b/windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md
@@ -1,6 +1,6 @@
 ---
 title: Deploying Microsoft Office 2010 by Using App-V (Windows 10)
-description: See the methods for creating Microsoft Office 2010 packages by Using App-V.
+description: Create Office 2010 packages for Microsoft Application Virtualization (App-V) using the App-V Sequencer or the App-V Package Accelerator.
 author: lomayor
 ms.pagetype: mdop, appcompat, virtualization
 ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md b/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md
index 4379625ee0..fee5c296a1 100644
--- a/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md
+++ b/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md
@@ -1,6 +1,6 @@
 ---
 title: Deploying Microsoft Office 2013 by Using App-V (Windows 10)
-description: Deploying Microsoft Office 2013 by Using App-V
+description: Use Application Virtualization (App-V) to deliver Microsoft Office 2013 as a virtualized application to computers in your organization.
 author: lomayor
 ms.pagetype: mdop, appcompat, virtualization
 ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client.md b/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client.md
index 4edf732dd1..8cb954168b 100644
--- a/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client.md
+++ b/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client.md
@@ -1,6 +1,6 @@
 ---
 title: Deploying the App-V Sequencer and configuring the client (Windows 10)
-description: Deploying the App-V Sequencer and configuring the client
+description: Learn how to deploy the App-V Sequencer and configure the client by using the ADMX template and Group Policy.
 author: lomayor
 ms.pagetype: mdop, appcompat, virtualization
 ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-deploying-the-appv-server.md b/windows/application-management/app-v/appv-deploying-the-appv-server.md
index 576764fb91..97f97275be 100644
--- a/windows/application-management/app-v/appv-deploying-the-appv-server.md
+++ b/windows/application-management/app-v/appv-deploying-the-appv-server.md
@@ -1,6 +1,6 @@
 ---
 title: Deploying the App-V Server (Windows 10)
-description: Deploying the App-V Server in App-V for Windows 10
+description: Learn how to deploy the Application Virtualization (App-V) Server in App-V for Windows 10 by using different deployment configurations described in this article.
 author: lomayor
 ms.pagetype: mdop, appcompat, virtualization
 ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-deployment-checklist.md b/windows/application-management/app-v/appv-deployment-checklist.md
index bb97e27472..d09d0141d8 100644
--- a/windows/application-management/app-v/appv-deployment-checklist.md
+++ b/windows/application-management/app-v/appv-deployment-checklist.md
@@ -1,6 +1,6 @@
 ---
 title: App-V Deployment Checklist (Windows 10)
-description: App-V Deployment Checklist
+description: Use the App-V deployment checklist to understand the recommended steps and items to consider when deploying App-V features.
 author: lomayor
 ms.pagetype: mdop, appcompat, virtualization
 ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-dynamic-configuration.md b/windows/application-management/app-v/appv-dynamic-configuration.md
index 13a82055b6..196cb62ece 100644
--- a/windows/application-management/app-v/appv-dynamic-configuration.md
+++ b/windows/application-management/app-v/appv-dynamic-configuration.md
@@ -1,6 +1,6 @@
 ---
 title: About App-V Dynamic Configuration (Windows 10)
-description: About App-V Dynamic Configuration
+description: Learn how to create or edit an existing Application Virtualization (App-V) dynamic configuration file.
 author: lomayor
 ms.pagetype: mdop, appcompat, virtualization
 ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md b/windows/application-management/app-v/appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md
index 656f0264ce..601bfd8297 100644
--- a/windows/application-management/app-v/appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md
+++ b/windows/application-management/app-v/appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md
@@ -1,6 +1,6 @@
 ---
 title: How to Enable Only Administrators to Publish Packages by Using an ESD (Windows 10)
-description: How to Enable Only Administrators to Publish Packages by Using an ESD
+description: Learn how to enable only administrators to publish packages by bsing an electronic software delivery (ESD).
 author: lomayor
 ms.pagetype: mdop, appcompat, virtualization
 ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-enable-the-app-v-desktop-client.md b/windows/application-management/app-v/appv-enable-the-app-v-desktop-client.md
index d9644226fb..c7985565d4 100644
--- a/windows/application-management/app-v/appv-enable-the-app-v-desktop-client.md
+++ b/windows/application-management/app-v/appv-enable-the-app-v-desktop-client.md
@@ -1,6 +1,6 @@
 ---
 title: Enable the App-V in-box client (Windows 10)
-description: How to enable the App-V in-box client installed with Windows 10.
+description: Learn how to enable the Microsoft Application Virtualization (App-V) in-box client installed with Windows 10.
 author: lomayor
 ms.pagetype: mdop, appcompat, virtualization
 ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-getting-started.md b/windows/application-management/app-v/appv-getting-started.md
index 2e1556cb8a..03f116312a 100644
--- a/windows/application-management/app-v/appv-getting-started.md
+++ b/windows/application-management/app-v/appv-getting-started.md
@@ -1,6 +1,6 @@
 ---
 title: Getting Started with App-V (Windows 10)
-description: Get started with Microsoft Application Virtualization (App-V) for Windows 10.
+description: Get started with Microsoft Application Virtualization (App-V) for Windows 10. App-V for Windows 10 delivers Win32 applications to users as virtual applications.
 author: lomayor
 ms.pagetype: mdop, appcompat, virtualization
 ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-high-level-architecture.md b/windows/application-management/app-v/appv-high-level-architecture.md
index ab25607096..941e4f58e7 100644
--- a/windows/application-management/app-v/appv-high-level-architecture.md
+++ b/windows/application-management/app-v/appv-high-level-architecture.md
@@ -1,6 +1,6 @@
 ---
 title: High-level architecture for App-V (Windows 10)
-description: High-level Architecture for App-V.
+description: Use the information in this article to simplify your Microsoft Application Virtualization (App-V) deployment.
 author: lomayor
 ms.pagetype: mdop, appcompat, virtualization
 ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-install-the-sequencer.md b/windows/application-management/app-v/appv-install-the-sequencer.md
index 93180520e7..7a13e789c6 100644
--- a/windows/application-management/app-v/appv-install-the-sequencer.md
+++ b/windows/application-management/app-v/appv-install-the-sequencer.md
@@ -1,6 +1,6 @@
 ---
 title: Install the App-V Sequencer (Windows 10)
-description: Install the App-V Sequencer
+description: Learn how to install the App-V Sequencer to convert Win32 applications into virtual packages for deployment to user devices.
 author: lomayor
 ms.pagetype: mdop, appcompat, virtualization
 ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-managing-connection-groups.md b/windows/application-management/app-v/appv-managing-connection-groups.md
index 5a94cbc421..9b5aa14320 100644
--- a/windows/application-management/app-v/appv-managing-connection-groups.md
+++ b/windows/application-management/app-v/appv-managing-connection-groups.md
@@ -1,6 +1,6 @@
 ---
 title: Managing Connection Groups (Windows 10)
-description: Managing Connection Groups
+description: Connection groups can allow administrators to manage packages independently and avoid having to add the same application multiple times to a client computer.
 author: lomayor
 ms.pagetype: mdop, appcompat, virtualization
 ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md b/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md
index dff030f470..a3600bfa4c 100644
--- a/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md
+++ b/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md
@@ -1,6 +1,6 @@
 ---
 title: Migrating to App-V from a Previous Version (Windows 10)
-description: Migrating to App-V for Windows 10 from a previous version
+description: Learn how to migrate to Microsoft Application Virtualization (App-V) for Windows 10 from a previous version.
 author: lomayor
 ms.pagetype: mdop, appcompat, virtualization
 ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-modify-an-existing-virtual-application-package.md b/windows/application-management/app-v/appv-modify-an-existing-virtual-application-package.md
index e2cb4eca48..c065c9a2a5 100644
--- a/windows/application-management/app-v/appv-modify-an-existing-virtual-application-package.md
+++ b/windows/application-management/app-v/appv-modify-an-existing-virtual-application-package.md
@@ -1,6 +1,6 @@
 ---
 title: How to Modify an Existing Virtual Application Package (Windows 10)
-description: How to Modify an Existing Virtual Application Package
+description: Learn how to modify an existing virtual application package and add a new application to an existing virtual application package.
 author: lomayor
 ms.pagetype: mdop, appcompat, virtualization
 ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-modify-client-configuration-with-powershell.md b/windows/application-management/app-v/appv-modify-client-configuration-with-powershell.md
index 7fe2f3896f..816015f740 100644
--- a/windows/application-management/app-v/appv-modify-client-configuration-with-powershell.md
+++ b/windows/application-management/app-v/appv-modify-client-configuration-with-powershell.md
@@ -1,6 +1,6 @@
 ---
 title: How to Modify Client Configuration by Using Windows PowerShell (Windows 10)
-description: How to Modify Client Configuration by Using Windows PowerShell
+description: Learn how to modify the Application Virtualization (App-V) client configuration by using Windows PowerShell.
 author: lomayor
 ms.pagetype: mdop, appcompat, virtualization
 ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-move-the-appv-server-to-another-computer.md b/windows/application-management/app-v/appv-move-the-appv-server-to-another-computer.md
index 5305207fe6..e34dd4f7dc 100644
--- a/windows/application-management/app-v/appv-move-the-appv-server-to-another-computer.md
+++ b/windows/application-management/app-v/appv-move-the-appv-server-to-another-computer.md
@@ -1,6 +1,6 @@
 ---
 title: How to Move the App-V Server to Another Computer (Windows 10)
-description: How to Move the App-V Server to Another Computer
+description: Learn how to create a new management server console in your environment and learn how to connect it to the App-V database.
 author: lomayor
 ms.pagetype: mdop, appcompat, virtualization
 ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-operations.md b/windows/application-management/app-v/appv-operations.md
index c45c9ab9cf..b68da536ab 100644
--- a/windows/application-management/app-v/appv-operations.md
+++ b/windows/application-management/app-v/appv-operations.md
@@ -1,6 +1,6 @@
 ---
 title: Operations for App-V (Windows 10)
-description: Operations for App-V
+description: Learn about the various types of App-V administration and operating tasks that are typically performed by an administrator.
 author: lomayor
 ms.pagetype: mdop, appcompat, virtualization
 ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-performance-guidance.md b/windows/application-management/app-v/appv-performance-guidance.md
index 65ccf02292..ea4f11a42b 100644
--- a/windows/application-management/app-v/appv-performance-guidance.md
+++ b/windows/application-management/app-v/appv-performance-guidance.md
@@ -1,6 +1,6 @@
 ---
 title: Performance Guidance for Application Virtualization (Windows 10)
-description: Performance Guidance for Application Virtualization
+description: Learn how to configure App-V for optimal performance, optimize virtual app packages, and provide a better user experience with RDS and VDI.
 author: lomayor
 ms.pagetype: mdop, appcompat, virtualization
 ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-planning-checklist.md b/windows/application-management/app-v/appv-planning-checklist.md
index edaf668a89..4c098ba090 100644
--- a/windows/application-management/app-v/appv-planning-checklist.md
+++ b/windows/application-management/app-v/appv-planning-checklist.md
@@ -1,6 +1,6 @@
 ---
 title: App-V Planning Checklist (Windows 10)
-description: App-V Planning Checklist
+description: Learn about the recommended steps and items to consider when planning an Application Virtualization (App-V) deployment.
 author: lomayor
 ms.pagetype: mdop, appcompat, virtualization
 ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-planning-folder-redirection-with-appv.md b/windows/application-management/app-v/appv-planning-folder-redirection-with-appv.md
index c9c570009a..2a6724419a 100644
--- a/windows/application-management/app-v/appv-planning-folder-redirection-with-appv.md
+++ b/windows/application-management/app-v/appv-planning-folder-redirection-with-appv.md
@@ -1,6 +1,6 @@
 ---
 title: Planning to Use Folder Redirection with App-V (Windows 10)
-description: Planning to Use Folder Redirection with App-V
+description: Learn about folder redirection with App-V. Folder redirection enables users and administrators to redirect the path of a folder to a new location.
 author: lomayor
 ms.pagetype: mdop, appcompat, virtualization
 ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-planning-for-appv-server-deployment.md b/windows/application-management/app-v/appv-planning-for-appv-server-deployment.md
index eaf7729f22..8aa07c226e 100644
--- a/windows/application-management/app-v/appv-planning-for-appv-server-deployment.md
+++ b/windows/application-management/app-v/appv-planning-for-appv-server-deployment.md
@@ -1,6 +1,6 @@
 ---
 title: Planning for the App-V Server Deployment (Windows 10)
-description: Planning for the App-V 5.1 Server Deployment
+description: Learn what you need to know so you can plan for the Microsoft Application Virtualization (App-V) 5.1 server deployment.
 author: lomayor
 ms.pagetype: mdop, appcompat, virtualization
 ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-planning-for-appv.md b/windows/application-management/app-v/appv-planning-for-appv.md
index d54d848a2c..0ebf3ccaf3 100644
--- a/windows/application-management/app-v/appv-planning-for-appv.md
+++ b/windows/application-management/app-v/appv-planning-for-appv.md
@@ -1,6 +1,6 @@
 ---
 title: Planning for App-V (Windows 10)
-description: Planning for App-V
+description: Use the information in this article to plan to deploy App-V without disrupting your existing network or user experience.
 author: lomayor
 ms.pagetype: mdop, appcompat, virtualization
 ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md b/windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md
index af66e545e4..29d772054e 100644
--- a/windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md
+++ b/windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md
@@ -1,6 +1,6 @@
 ---
 title: Planning for High Availability with App-V Server
-description: Planning for High Availability with App-V Server
+description: Learn what you need to know so you can plan for high availability with Application Virtualization (App-V) server.
 author: lomayor
 ms.pagetype: mdop, appcompat, virtualization
 ms.mktglfcycl: deploy
@@ -18,7 +18,7 @@ ms.topic: article
 Microsoft Application Virtualization (App-V) system configurations can take advantage of options that maintain a high available service level.
-The following sections will he following sections to help you understand the options to deploy App-V in a highly available configuration.
+The following sections will help you understand the options to deploy App-V in a highly available configuration.
 ## Support for Microsoft SQL Server clustering
diff --git a/windows/application-management/app-v/appv-planning-for-sequencer-and-client-deployment.md b/windows/application-management/app-v/appv-planning-for-sequencer-and-client-deployment.md
index 4fa3630f7f..0f797ad9d7 100644
--- a/windows/application-management/app-v/appv-planning-for-sequencer-and-client-deployment.md
+++ b/windows/application-management/app-v/appv-planning-for-sequencer-and-client-deployment.md
@@ -1,6 +1,6 @@
 ---
 title: Planning for the App-V Sequencer and Client Deployment (Windows 10)
-description: Planning for the App-V Sequencer and Client Deployment
+description: Learn what you need to do to plan for the App-V Sequencer and Client deployment, and where to find additional information about the deployment process.
 author: lomayor
 ms.pagetype: mdop, appcompat, virtualization
 ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md b/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md
index da919b1dbf..91ade82d46 100644
--- a/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md
+++ b/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md
@@ -1,6 +1,6 @@
 ---
 title: Planning for Deploying App-V with Office (Windows 10)
-description: Planning for Using App-V with Office
+description: Use the information in this article to plan how to deploy Office within Microsoft Application Virtualization (App-V).
 author: lomayor
 ms.pagetype: mdop, appcompat, virtualization
 ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-planning-to-deploy-appv.md b/windows/application-management/app-v/appv-planning-to-deploy-appv.md
index ee9e0b73a9..be621c72e2 100644
--- a/windows/application-management/app-v/appv-planning-to-deploy-appv.md
+++ b/windows/application-management/app-v/appv-planning-to-deploy-appv.md
@@ -1,6 +1,6 @@
 ---
 title: Planning to Deploy App-V (Windows 10)
-description: Planning to Deploy App-V
+description: Learn about the different deployment configurations and requirements to consider before you deploy App-V for Windows 10.
 author: lomayor
 ms.pagetype: mdop, appcompat, virtualization
 ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-prerequisites.md b/windows/application-management/app-v/appv-prerequisites.md
index bc458a3f94..652eabd063 100644
--- a/windows/application-management/app-v/appv-prerequisites.md
+++ b/windows/application-management/app-v/appv-prerequisites.md
@@ -1,6 +1,6 @@
 ---
 title: App-V Prerequisites (Windows 10)
-description: App-V Prerequisites
+description: Learn about the prerequisites you need before you begin installing Application Virtualization (App-V).
 author: lomayor
 ms.pagetype: mdop, appcompat, virtualization
 ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-publish-a-connection-group.md b/windows/application-management/app-v/appv-publish-a-connection-group.md
index 41d35e29a0..e48f4c43c6 100644
--- a/windows/application-management/app-v/appv-publish-a-connection-group.md
+++ b/windows/application-management/app-v/appv-publish-a-connection-group.md
@@ -1,6 +1,6 @@
 ---
 title: How to Publish a Connection Group (Windows 10)
-description: How to Publish a Connection Group
+description: Learn how to publish a connection group to computers that run the Application Virtualization (App-V) client.
 author: lomayor
 ms.pagetype: mdop, appcompat, virtualization
 ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-reporting.md b/windows/application-management/app-v/appv-reporting.md
index 57a4526ecf..41c995543f 100644
--- a/windows/application-management/app-v/appv-reporting.md
+++ b/windows/application-management/app-v/appv-reporting.md
@@ -1,6 +1,6 @@
 ---
 title: About App-V Reporting (Windows 10)
-description: About App-V Reporting
+description: Learn how the App-V reporting feature collects information about computers running the App-V client and virtual application package usage.
 author: lomayor
 ms.pagetype: mdop, appcompat, virtualization
 ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-security-considerations.md b/windows/application-management/app-v/appv-security-considerations.md
index ab6c1c4c32..d2dd484a97 100644
--- a/windows/application-management/app-v/appv-security-considerations.md
+++ b/windows/application-management/app-v/appv-security-considerations.md
@@ -1,6 +1,6 @@
 ---
 title: App-V Security Considerations (Windows 10)
-description: App-V Security Considerations
+description: Learn about accounts and groups, log files, and other security-related considerations for Microsoft Application Virtualization (App-V).
 author: lomayor
 ms.pagetype: mdop, appcompat, virtualization
 ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-sequence-a-new-application.md b/windows/application-management/app-v/appv-sequence-a-new-application.md
index c3e16261db..2eb919d9b5 100644
--- a/windows/application-management/app-v/appv-sequence-a-new-application.md
+++ b/windows/application-management/app-v/appv-sequence-a-new-application.md
@@ -1,6 +1,6 @@
 ---
 title: Manually sequence a new app using the Microsoft Application Virtualization Sequencer (App-V Sequencer) (Windows 10)
-description: How to manually sequence a new app using the App-V Sequencer
+description: Learn how to manually sequence a new app by using the App-V Sequencer that's included with the Windows ADK.
 author: lomayor
 ms.pagetype: mdop, appcompat, virtualization
 ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-sequence-a-package-with-powershell.md b/windows/application-management/app-v/appv-sequence-a-package-with-powershell.md
index 349ead11a5..2a353b9121 100644
--- a/windows/application-management/app-v/appv-sequence-a-package-with-powershell.md
+++ b/windows/application-management/app-v/appv-sequence-a-package-with-powershell.md
@@ -1,6 +1,6 @@
 ---
 title: How to sequence a package by using Windows PowerShell (Windows 10)
-description: How to sequence a package by using Windows PowerShell
+description: Learn how to sequence a new Microsoft Application Virtualization (App-V) package by using Windows PowerShell.
 author: lomayor
 ms.pagetype: mdop, appcompat, virtualization
 ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-technical-reference.md b/windows/application-management/app-v/appv-technical-reference.md
index e0f6e0f48d..8cd6653c77 100644
--- a/windows/application-management/app-v/appv-technical-reference.md
+++ b/windows/application-management/app-v/appv-technical-reference.md
@@ -1,6 +1,6 @@
 ---
 title: Technical Reference for App-V (Windows 10)
-description: Technical Reference for App-V
+description: Learn strategy and context for a number of performance optimization practices in this techincal reference for Application Virtualization (App-V).
 author: lomayor
 ms.pagetype: mdop, appcompat, virtualization
 ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-troubleshooting.md b/windows/application-management/app-v/appv-troubleshooting.md
index fd794d1044..29240949b5 100644
--- a/windows/application-management/app-v/appv-troubleshooting.md
+++ b/windows/application-management/app-v/appv-troubleshooting.md
@@ -1,6 +1,6 @@
 ---
 title: Troubleshooting App-V (Windows 10)
-description: Troubleshooting App-V
+description: Learn how to find information about troubleshooting Application Virtualization (App-V) and information about other App-V topics.
 author: lomayor
 ms.pagetype: mdop, appcompat, virtualization
 ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md b/windows/application-management/app-v/appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md
index 4aedf60d24..8660d86846 100644
--- a/windows/application-management/app-v/appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md
+++ b/windows/application-management/app-v/appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md
@@ -1,6 +1,6 @@
 ---
 title: Upgrading to App-V for Windows 10 from an existing installation (Windows 10)
-description: Upgrading to App-V for Windows 10 from an existing installation
+description: Learn about upgrading to Application Virtualization (App-V) for Windows 10 from an existing installation.
 author: lomayor
 ms.pagetype: mdop, appcompat, virtualization
 ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-using-the-client-management-console.md b/windows/application-management/app-v/appv-using-the-client-management-console.md
index b6691c2fc5..7dc0a15d0a 100644
--- a/windows/application-management/app-v/appv-using-the-client-management-console.md
+++ b/windows/application-management/app-v/appv-using-the-client-management-console.md
@@ -1,6 +1,6 @@
 ---
 title: Using the App-V Client Management Console (Windows 10)
-description: Using the App-V Client Management Console
+description: Learn how to use the Application Virtualization (App-V) client management console to manage packages on the computer running the App-V client.
 author: lomayor
 ms.pagetype: mdop, appcompat, virtualization
 ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-viewing-appv-server-publishing-metadata.md b/windows/application-management/app-v/appv-viewing-appv-server-publishing-metadata.md
index eac57684c6..acbd96ca6e 100644
--- a/windows/application-management/app-v/appv-viewing-appv-server-publishing-metadata.md
+++ b/windows/application-management/app-v/appv-viewing-appv-server-publishing-metadata.md
@@ -1,6 +1,6 @@
 ---
 title: Viewing App-V Server Publishing Metadata (Windows 10)
-description: Viewing App-V Server Publishing Metadata
+description: Use this procedure to view App-V Server publishing metadata, which can help you resolve publishing-related issues.
 author: lomayor
 ms.pagetype: mdop, appcompat, virtualization
 ms.mktglfcycl: deploy
diff --git a/windows/application-management/apps-in-windows-10.md b/windows/application-management/apps-in-windows-10.md
index c27ad32063..9d150d9583 100644
--- a/windows/application-management/apps-in-windows-10.md
+++ b/windows/application-management/apps-in-windows-10.md
@@ -51,13 +51,13 @@ Here are the provisioned Windows apps in Windows 10 versions 1803, 1809, 1903, a
 | Microsoft.HEIFImageExtension | [HEIF Image Extensions](ms-windows-store://pdp/?PFN=Microsoft.HEIFImageExtension_8wekyb3d8bbwe) | | x | x | x | No |
 | Microsoft.Messaging | [Microsoft Messaging](ms-windows-store://pdp/?PFN=Microsoft.Messaging_8wekyb3d8bbwe) | x | x | x | x | No |
 | Microsoft.Microsoft3DViewer | [Mixed Reality Viewer](ms-windows-store://pdp/?PFN=Microsoft.Microsoft3DViewer_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.MicrosoftOfficeHub | [My Office](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe) | x | x | x | x | Yes |
+| Microsoft.MicrosoftOfficeHub | [Office](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe) | x | x | x | x | Yes |
 | Microsoft.MicrosoftSolitaireCollection | [Microsoft Solitaire Collection](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe) | x | x | x | x | Yes |
 | Microsoft.MicrosoftStickyNotes | [Microsoft Sticky Notes](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe) | x | x | x | x | No |
 | Microsoft.MixedReality.Portal | [Mixed Reality Portal](ms-windows-store://pdp/?PFN=Microsoft.MixedReality.Portal_8wekyb3d8bbwe) | | x | x | x | No |
 | Microsoft.MSPaint | [Paint 3D](ms-windows-store://pdp/?PFN=Microsoft.MSPaint_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.Office.OneNote | [OneNote](ms-windows-store://pdp/?PFN=Microsoft.Office.OneNote_8wekyb3d8bbwe) | x | x | x | x | Yes |
-| Microsoft.OneConnect | [Paid Wi-Fi & Cellular](ms-windows-store://pdp/?PFN=Microsoft.OneConnect_8wekyb3d8bbwe) | x | x | x | x | No |
+| Microsoft.Office.OneNote | [OneNote for Windows 10](ms-windows-store://pdp/?PFN=Microsoft.Office.OneNote_8wekyb3d8bbwe) | x | x | x | x | Yes |
+| Microsoft.OneConnect | [Mobile Plans](ms-windows-store://pdp/?PFN=Microsoft.OneConnect_8wekyb3d8bbwe) | x | x | x | x | No |
 | Microsoft.Outlook.DesktopIntegrationServices | | | | | x | |
 | Microsoft.People | [Microsoft People](ms-windows-store://pdp/?PFN=Microsoft.People_8wekyb3d8bbwe) | x | x | x | x | No |
 | Microsoft.Print3D | [Print 3D](ms-windows-store://pdp/?PFN=Microsoft.Print3D_8wekyb3d8bbwe) | x | x | x | x | No |
@@ -77,10 +77,10 @@ Here are the provisioned Windows apps in Windows 10 versions 1803, 1809, 1903, a
 | Microsoft.WindowsMaps | [Windows Maps](ms-windows-store://pdp/?PFN=Microsoft.WindowsMaps_8wekyb3d8bbwe) | x | x | x | x | No |
 | Microsoft.WindowsSoundRecorder | [Windows Voice Recorder](ms-windows-store://pdp/?PFN=Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe) | x | x | x | x | No |
 | Microsoft.WindowsStore | [Microsoft Store](ms-windows-store://pdp/?PFN=Microsoft.WindowsStore_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.Xbox.TCUI | [Xbox TCUI](ms-windows-store://pdp/?PFN=Microsoft.Xbox.TCUI_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.XboxApp | [Xbox](ms-windows-store://pdp/?PFN=Microsoft.XboxApp_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.XboxGameOverlay | [Xbox Game Bar](ms-windows-store://pdp/?PFN=Microsoft.XboxGameOverlay_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.XboxGamingOverlay | [Xbox Gaming Overlay](ms-windows-store://pdp/?PFN=Microsoft.XboxGamingOverlay_8wekyb3d8bbwe) | x | x | x | x | No |
+| Microsoft.Xbox.TCUI | [Xbox Live in-game experience](ms-windows-store://pdp/?PFN=Microsoft.Xbox.TCUI_8wekyb3d8bbwe) | x | x | x | x | No |
+| Microsoft.XboxApp | [Xbox Console Companion](ms-windows-store://pdp/?PFN=Microsoft.XboxApp_8wekyb3d8bbwe) | x | x | x | x | No |
+| Microsoft.XboxGameOverlay | [Xbox Game Bar Plugin](ms-windows-store://pdp/?PFN=Microsoft.XboxGameOverlay_8wekyb3d8bbwe) | x | x | x | x | No |
+| Microsoft.XboxGamingOverlay | [Xbox Game Bar](ms-windows-store://pdp/?PFN=Microsoft.XboxGamingOverlay_8wekyb3d8bbwe) | x | x | x | x | No |
 | Microsoft.XboxIdentityProvider | [Xbox Identity Provider](ms-windows-store://pdp/?PFN=Microsoft.XboxIdentityProvider_8wekyb3d8bbwe) | x | x | x | x | No |
 | Microsoft.XboxSpeechToTextOverlay | | x | x | x | x | No |
 | Microsoft.YourPhone | [Your Phone](ms-windows-store://pdp/?PFN=Microsoft.YourPhone_8wekyb3d8bbwe) | | x | x | x | No |
diff --git a/windows/application-management/index.md b/windows/application-management/index.md
index fef303c216..f9a00fdc84 100644
--- a/windows/application-management/index.md
+++ b/windows/application-management/index.md
@@ -1,6 +1,6 @@
 ---
 title: Windows 10 application management
-description: Windows 10 application management
+description: Learn about managing applications in Windows 10 and Windows 10 Mobile clients, including how to remove background task resource restrictions.
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
diff --git a/windows/application-management/manage-windows-mixed-reality.md b/windows/application-management/manage-windows-mixed-reality.md
index 082fa016f4..4414bb6e96 100644
--- a/windows/application-management/manage-windows-mixed-reality.md
+++ b/windows/application-management/manage-windows-mixed-reality.md
@@ -1,8 +1,8 @@
 ---
 title: Enable or block Windows Mixed Reality apps in the enterprise (Windows 10)
+description: Learn how to enable Windows Mixed Reality apps in WSUS or block the Windows Mixed Reality portal in enterprises.
 ms.reviewer:
 manager: dansimp
-description: Learn how to enable or block Windows Mixed Reality apps.
 keyboards: ["mr", "mr portal", "mixed reality portal", "mixed reality"]
 ms.prod: w10
 ms.mktglfcycl: manage
@@ -38,11 +38,10 @@ Organizations that use Windows Server Update Services (WSUS) must take action to
 > [!NOTE]
 > You must download the FOD .cab file that matches your operating system version.
- 1. Use `Add-Package` to add Windows Mixed Reality FOD to the image.
+ 1. Use `Dism` to add Windows Mixed Reality FOD to the image.
 ```powershell
- Add-Package
- Dism /Online /add-package /packagepath:(path)
+ Dism /Online /Add-Package /PackagePath:(path)
 ```
 > [!NOTE]
diff --git a/windows/application-management/msix-app-packaging-tool.md b/windows/application-management/msix-app-packaging-tool.md
index 91ef9b0c48..b1c60124ea 100644
--- a/windows/application-management/msix-app-packaging-tool.md
+++ b/windows/application-management/msix-app-packaging-tool.md
@@ -1,6 +1,6 @@
 ---
 title: Repackage your existing win32 applications to the MSIX format.
-description: Learn how to install and use the MSIX packaging tool.
+description: Learn how to install and use the MSIX packaging tool to repackage your existing win32 applications to the MSIX format.
 keywords: ["MSIX", "application", "app", "win32", "packaging tool"]
 ms.prod: w10
 ms.mktglfcycl: manage
diff --git a/windows/application-management/sideload-apps-in-windows-10.md b/windows/application-management/sideload-apps-in-windows-10.md
index 2dc4591d51..7305ea48e2 100644
--- a/windows/application-management/sideload-apps-in-windows-10.md
+++ b/windows/application-management/sideload-apps-in-windows-10.md
@@ -1,6 +1,6 @@
 ---
 title: Sideload LOB apps in Windows 10 (Windows 10)
-description: Sideload line-of-business apps in Windows 10.
+description: Learn how to sideload line-of-business (LOB) apps in Windows 10. When you sideload an app, you deploy a signed app package to a device.
 ms.assetid: C46B27D0-375B-4F7A-800E-21595CF1D53D
 ms.reviewer:
 manager: dansimp
diff --git a/windows/client-management/advanced-troubleshooting-boot-problems.md b/windows/client-management/advanced-troubleshooting-boot-problems.md
index 5986263a1e..29e2d01d30 100644
--- a/windows/client-management/advanced-troubleshooting-boot-problems.md
+++ b/windows/client-management/advanced-troubleshooting-boot-problems.md
@@ -1,6 +1,6 @@
 ---
 title: Advanced troubleshooting for Windows boot problems
-description: Learn how to troubleshoot when Windows is unable to boot
+description: Learn to troubleshoot when Windows can't boot. This article includes advanced troubleshooting techniques intended for use by support agents and IT professionals.
 ms.prod: w10
 ms.sitesec: library
 author: dansimp
@@ -220,6 +220,9 @@ If Windows cannot load the system registry hive into memory, you must restore th
 If the problem persists, you may want to restore the system state backup to an alternative location, and then retrieve the registry hives to be replaced.
+> [!NOTE]
+> Starting in Windows 10, version 1803, Windows no longer automatically backs up the system registry to the RegBack folder.This change is by design, and is intended to help reduce the overall disk footprint size of Windows. To recover a system with a corrupt registry hive, Microsoft recommends that you use a system restore point. For more details, check [this article](https://support.microsoft.com/en-us/help/4509719/the-system-registry-is-no-longer-backed-up-to-the-regback-folder-start).
+
 ## Kernel Phase
 If the system gets stuck during the kernel phase, you experience multiple symptoms or receive multiple error messages. These include, but are not limited to, the following:
@@ -392,3 +395,6 @@ If the dump file shows an error that is related to a driver (for example, window
 3. Navigate to C:\Windows\System32\Config\.
 4. Rename the all five hives by appending ".old" to the name.
 5. Copy all the hives from the Regback folder, paste them in the Config folder, and then try to start the computer in Normal mode.
+
+> [!NOTE]
+> Starting in Windows 10, version 1803, Windows no longer automatically backs up the system registry to the RegBack folder.This change is by design, and is intended to help reduce the overall disk footprint size of Windows. To recover a system with a corrupt registry hive, Microsoft recommends that you use a system restore point. For more details, check [this article](https://support.microsoft.com/en-us/help/4509719/the-system-registry-is-no-longer-backed-up-to-the-regback-folder-start).
diff --git a/windows/client-management/advanced-troubleshooting-wireless-network-connectivity.md b/windows/client-management/advanced-troubleshooting-wireless-network-connectivity.md
index c04dae805a..ce50bd2b54 100644
--- a/windows/client-management/advanced-troubleshooting-wireless-network-connectivity.md
+++ b/windows/client-management/advanced-troubleshooting-wireless-network-connectivity.md
@@ -2,7 +2,7 @@
 title: Advanced Troubleshooting Wireless Network Connectivity
 ms.reviewer:
 manager: dansimp
-description: Learn how troubleshooting of establishing Wi-Fi connections
+description: Learn how to troubleshoot Wi-Fi connections. Troubleshooting Wi-Fi connections requires understanding the basic flow of the Wi-Fi autoconnect state machine.
 keywords: troubleshooting, wireless network connectivity, wireless, Wi-Fi
 ms.prod: w10
 ms.mktglfcycl:
diff --git a/windows/client-management/change-default-removal-policy-external-storage-media.md b/windows/client-management/change-default-removal-policy-external-storage-media.md
index 5de58be176..ee8a044508 100644
--- a/windows/client-management/change-default-removal-policy-external-storage-media.md
+++ b/windows/client-management/change-default-removal-policy-external-storage-media.md
@@ -5,7 +5,6 @@ ms.prod: w10
 author: Teresa-Motiv
 ms.author: v-tea
 ms.date: 12/13/2019
-ms.prod: w10
 ms.topic: article
 ms.custom:
 - CI 111493
diff --git a/windows/client-management/change-history-for-client-management.md b/windows/client-management/change-history-for-client-management.md
index fa3febbd0f..3c7c213761 100644
--- a/windows/client-management/change-history-for-client-management.md
+++ b/windows/client-management/change-history-for-client-management.md
@@ -1,6 +1,6 @@
 ---
 title: Change history for Client management (Windows 10)
-description: View changes to documentation for client management in Windows 10.
+description: Learn about new and updated topics in the Client management documentation for Windows 10 and Windows 10 Mobile.
 keywords:
 ms.prod: w10
 ms.mktglfcycl: manage
diff --git a/windows/client-management/generate-kernel-or-complete-crash-dump.md b/windows/client-management/generate-kernel-or-complete-crash-dump.md
index 52a10357c5..835007dc33 100644
--- a/windows/client-management/generate-kernel-or-complete-crash-dump.md
+++ b/windows/client-management/generate-kernel-or-complete-crash-dump.md
@@ -1,6 +1,6 @@
 ---
 title: Generate a kernel or complete crash dump
-description: Learn how to generate a kernel or complete crash dump.
+description: Learn how to generate a kernel or complete crash dump, and then use the output to troubleshoot several issues.
 ms.prod: w10
 ms.sitesec: library
 ms.topic: troubleshooting
diff --git a/windows/client-management/img-boot-sequence.md b/windows/client-management/img-boot-sequence.md
index dbcd186131..b1077e5be6 100644
--- a/windows/client-management/img-boot-sequence.md
+++ b/windows/client-management/img-boot-sequence.md
@@ -1,6 +1,6 @@
 ---
 title: Boot sequence flowchart
-description: A full-sized view of the boot sequence flowchart.
+description: View a full-sized view of the boot sequence flowchart. Use the link to return to the Advanced troubleshooting for Windows boot problems article.
 ms.date: 11/16/2018
 ms.reviewer:
 manager: dansimp
diff --git a/windows/client-management/introduction-page-file.md b/windows/client-management/introduction-page-file.md
index 2f12bd900f..b1964db01a 100644
--- a/windows/client-management/introduction-page-file.md
+++ b/windows/client-management/introduction-page-file.md
@@ -1,6 +1,6 @@
 ---
 title: Introduction to the page file
-description: Learn about the page files in Windows.
+description: Learn about the page files in Windows. A page file is an optional, hidden system file on a hard disk.
 ms.prod: w10
 ms.sitesec: library
 ms.topic: troubleshooting
diff --git a/windows/client-management/manage-settings-app-with-group-policy.md b/windows/client-management/manage-settings-app-with-group-policy.md
index 97ea145013..dc31960057 100644
--- a/windows/client-management/manage-settings-app-with-group-policy.md
+++ b/windows/client-management/manage-settings-app-with-group-policy.md
@@ -1,6 +1,6 @@
 ---
 title: Manage the Settings app with Group Policy (Windows 10)
-description: Find out how to manage the Settings app with Group Policy.
+description: Find out how to manage the Settings app with Group Policy so you can hide specific pages from users.
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
diff --git a/windows/client-management/mdm/TOC.md b/windows/client-management/mdm/TOC.md
index 476d73c694..83d6bf4268 100644
--- a/windows/client-management/mdm/TOC.md
+++ b/windows/client-management/mdm/TOC.md
@@ -171,6 +171,28 @@
 #### [AboveLock](policy-csp-abovelock.md)
 #### [Accounts](policy-csp-accounts.md)
 #### [ActiveXControls](policy-csp-activexcontrols.md)
+#### [ADMX_AddRemovePrograms](policy-csp-admx-addremoveprograms.md)
+#### [ADMX_AppCompat](policy-csp-admx-appcompat.md)
+#### [ADMX_AuditSettings](policy-csp-admx-auditsettings.md)
+#### [ADMX_CipherSuiteOrder](policy-csp-admx-ciphersuiteorder.md)
+#### [ADMX_COM](policy-csp-admx-com.md)
+#### [ADMX_Cpls](policy-csp-admx-cpls.md)
+#### [ADMX_CtrlAltDel](policy-csp-admx-ctrlaltdel.md)
+#### [ADMX_DigitalLocker](policy-csp-admx-digitallocker.md)
+#### [ADMX_DnsClient](policy-csp-admx-dnsclient.md)
+#### [ADMX_DWM](policy-csp-admx-dwm.md)
+#### [ADMX_EncryptFilesonMove](policy-csp-admx-encryptfilesonmove.md)
+#### [ADMX_EventForwarding](policy-csp-admx-eventforwarding.md)
+#### [ADMX_FileServerVSSProvider](policy-csp-admx-fileservervssprovider.md)
+#### [ADMX_FileSys](policy-csp-admx-filesys.md)
+#### [ADMX_FolderRedirection](policy-csp-admx-folderredirection.md)
+#### [ADMX_Help](policy-csp-admx-help.md)
+#### [ADMX_HelpAndSupport](policy-csp-admx-helpandsupport.md)
+#### [ADMX_kdc](policy-csp-admx-kdc.md)
+#### [ADMX_LanmanServer](policy-csp-admx-lanmanserver.md)
+#### [ADMX_LinkLayerTopologyDiscovery](policy-csp-admx-linklayertopologydiscovery.md)
+#### [ADMX_MMC](policy-csp-admx-mmc.md)
+#### [ADMX_MMCSnapins](policy-csp-admx-mmcsnapins.md)
 #### [ApplicationDefaults](policy-csp-applicationdefaults.md)
 #### [ApplicationManagement](policy-csp-applicationmanagement.md)
 #### [AppRuntime](policy-csp-appruntime.md)
diff --git a/windows/client-management/mdm/accounts-ddf-file.md b/windows/client-management/mdm/accounts-ddf-file.md
index c4a1538d53..c1b570d222 100644
--- a/windows/client-management/mdm/accounts-ddf-file.md
+++ b/windows/client-management/mdm/accounts-ddf-file.md
@@ -1,6 +1,6 @@
 ---
 title: Accounts DDF file
-description: XML file containing the device description framework for the Accounts configuration service provider.
+description: XML file containing the device description framework (DDF) for the Accounts configuration service provider.
 ms.author: dansimp
 ms.topic: article
 ms.prod: w10
diff --git a/windows/client-management/mdm/activesync-csp.md b/windows/client-management/mdm/activesync-csp.md
index e2f9441b9c..37f6157570 100644
--- a/windows/client-management/mdm/activesync-csp.md
+++ b/windows/client-management/mdm/activesync-csp.md
@@ -1,6 +1,6 @@
 ---
 title: ActiveSync CSP
-description: ActiveSync CSP
+description: Learn how the ActiveSync configuration service provider is used to set up and change settings for Exchange ActiveSync.
 ms.assetid: c65093ef-bd36-4f32-9dab-edb7bcfb3188
 ms.reviewer:
 manager: dansimp
diff --git a/windows/client-management/mdm/activesync-ddf-file.md b/windows/client-management/mdm/activesync-ddf-file.md
index 6e4c1c5000..1b1ae61c78 100644
--- a/windows/client-management/mdm/activesync-ddf-file.md
+++ b/windows/client-management/mdm/activesync-ddf-file.md
@@ -1,6 +1,6 @@
 ---
 title: ActiveSync DDF file
-description: ActiveSync DDF file
+description: Learn about the OMA DM device description framework (DDF) for the ActiveSync configuration service provider.
 ms.assetid: c4cd4816-ad8f-45b2-9b81-8abb18254096
 ms.reviewer:
 manager: dansimp
diff --git a/windows/client-management/mdm/alljoynmanagement-ddf.md b/windows/client-management/mdm/alljoynmanagement-ddf.md
index 2c8cfbc647..4ad36bbd99 100644
--- a/windows/client-management/mdm/alljoynmanagement-ddf.md
+++ b/windows/client-management/mdm/alljoynmanagement-ddf.md
@@ -1,6 +1,6 @@ --- title: AllJoynManagement DDF -description: Learn the OMA DM device description framework (DDF) for the **AllJoynManagement** configuration service provider. +description: Learn the OMA DM device description framework (DDF) for the AllJoynManagement configuration service provider. ms.assetid: 540C2E60-A041-4749-A027-BBAF0BB046E4 ms.reviewer: manager: dansimp diff --git a/windows/client-management/mdm/application-csp.md b/windows/client-management/mdm/application-csp.md index d4fe92e943..69a0b61ca3 100644 --- a/windows/client-management/mdm/application-csp.md +++ b/windows/client-management/mdm/application-csp.md @@ -1,6 +1,6 @@ --- title: APPLICATION configuration service provider -description: APPLICATION configuration service provider +description: Learn how the APPLICATION configuration service provider is used to configure an application transport using Open Mobile Alliance (OMA) Client Provisioning. ms.assetid: 0705b5e9-a1e7-4d70-a73d-7f758ffd8099 ms.reviewer: manager: dansimp diff --git a/windows/client-management/mdm/applicationcontrol-csp.md b/windows/client-management/mdm/applicationcontrol-csp.md index ea0defab04..2c64c89cd9 100644 --- a/windows/client-management/mdm/applicationcontrol-csp.md +++ b/windows/client-management/mdm/applicationcontrol-csp.md @@ -8,7 +8,7 @@ ms.prod: w10 ms.technology: windows author: ManikaDhiman ms.reviewer: jsuther1974 -ms.date: 05/21/2019 +ms.date: 09/10/2020 --- # ApplicationControl CSP 
@@ -266,7 +266,7 @@ The following is an example of Delete command: ## PowerShell and WMI Bridge Usage Guidance -The ApplicationControl CSP can also be managed locally from PowerShell or via SCCM's task sequence scripting by leveraging the [WMI Bridge Provider](https://docs.microsoft.com/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider). +The ApplicationControl CSP can also be managed locally from PowerShell or via Microsoft Endpoint Manager Configuration Manager's (MEMCM, formerly known as SCCM) task sequence scripting by leveraging the [WMI Bridge Provider](https://docs.microsoft.com/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider). ### Setup for using the WMI Bridge diff --git a/windows/client-management/mdm/applocker-csp.md b/windows/client-management/mdm/applocker-csp.md index 4fe03939a0..9904301173 100644 --- a/windows/client-management/mdm/applocker-csp.md +++ b/windows/client-management/mdm/applocker-csp.md @@ -1,6 +1,6 @@ --- title: AppLocker CSP -description: AppLocker CSP +description: Learn how the AppLocker configuration service provider is used to specify which applications are allowed or disallowed. ms.assetid: 32FEA2C9-3CAD-40C9-8E4F-E3C69637580F ms.reviewer: manager: dansimp 
@@ -35,7 +35,7 @@ Defines restrictions for applications. > Delete/unenrollment is not properly supported unless Grouping values are unique across enrollments. If multiple enrollments use the same Grouping value, then unenrollment will not work as expected since there are duplicate URIs that get deleted by the resource manager. To prevent this problem, the Grouping value should include some randomness. The best practice is to use a randomly generated GUID. However, there is no requirement on the exact value of the node. > [!NOTE] -> Deploying policies via the AppLocker CSP will force a reboot during OOBE. +> The AppLocker CSP will schedule a reboot when a policy is applied or a deletion occurs using the AppLocker/ApplicationLaunchRestrictions/Grouping/CodeIntegrity/Policy URI. Additional information: @@ -484,7 +484,7 @@ The following list shows the apps that may be included in the inbox. -Colour profile +Color profile b08997ca-60ab-4dce-b088-f92e9c7994f3 diff --git a/windows/client-management/mdm/applocker-ddf-file.md b/windows/client-management/mdm/applocker-ddf-file.md index ffd93b2784..4ea2ef6556 100644 --- a/windows/client-management/mdm/applocker-ddf-file.md +++ b/windows/client-management/mdm/applocker-ddf-file.md @@ -1,6 +1,6 @@ --- title: AppLocker DDF file -description: See the OMA DM device description framework (DDF) for the AppLocker DDF file configuration service provider. +description: Learn about the OMA DM device description framework (DDF) for the AppLocker DDF file configuration service provider. ms.assetid: 79E199E0-5454-413A-A57A-B536BDA22496 ms.reviewer: manager: dansimp diff --git a/windows/client-management/mdm/applocker-xsd.md b/windows/client-management/mdm/applocker-xsd.md index d07e9eea71..3e03f501a8 100644 --- a/windows/client-management/mdm/applocker-xsd.md +++ b/windows/client-management/mdm/applocker-xsd.md 
@@ -1,6 +1,6 @@
 ---
 title: AppLocker XSD
-description: Here's the XSD for the AppLocker CSP.
+description: View the XSD for the AppLocker CSP. The AppLocker CSP XSD provides an example of how the schema is organized.
 ms.assetid: 70CF48DD-AD7D-4BCF-854F-A41BFD95F876
 ms.reviewer:
 manager: dansimp
diff --git a/windows/client-management/mdm/assignedaccess-ddf.md b/windows/client-management/mdm/assignedaccess-ddf.md
index c4844e943d..703958aa0e 100644
--- a/windows/client-management/mdm/assignedaccess-ddf.md
+++ b/windows/client-management/mdm/assignedaccess-ddf.md
@@ -1,6 +1,6 @@
 ---
 title: AssignedAccess DDF
-description: AssignedAccess DDF
+description: Learn how the OMA DM device description framework (DDF) for the AssignedAccess configuration service provider.
 ms.assetid: 224FADDB-0EFD-4E5A-AE20-1BD4ABE24306
 ms.reviewer:
 manager: dansimp
diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md
index b84c02e4e8..07f3aa7f0f 100644
--- a/windows/client-management/mdm/bitlocker-csp.md
+++ b/windows/client-management/mdm/bitlocker-csp.md
@@ -1,6 +1,6 @@
 ---
 title: BitLocker CSP
-description: BitLocker CSP
+description: Learn how the BitLocker configuration service provider (CSP) is used by the enterprise to manage encryption of PCs and devices.
 ms.author: dansimp
 ms.topic: article
 ms.prod: w10
diff --git a/windows/client-management/mdm/bitlocker-ddf-file.md b/windows/client-management/mdm/bitlocker-ddf-file.md
index edf7ea7a4b..693a48b687 100644
--- a/windows/client-management/mdm/bitlocker-ddf-file.md
+++ b/windows/client-management/mdm/bitlocker-ddf-file.md
@@ -1,6 +1,6 @@
 ---
 title: BitLocker DDF file
-description: BitLocker DDF file
+description: Learn about the OMA DM device description framework (DDF) for the BitLocker configuration service provider.
 ms.author: dansimp
 ms.topic: article
 ms.prod: w10
diff --git a/windows/client-management/mdm/bootstrap-csp.md b/windows/client-management/mdm/bootstrap-csp.md
index 00e4fe59b5..2381889266 100644
--- a/windows/client-management/mdm/bootstrap-csp.md
+++ b/windows/client-management/mdm/bootstrap-csp.md
@@ -1,6 +1,6 @@
 ---
 title: BOOTSTRAP CSP
-description: Use the BOOTSTRAP configuration service provider sets the Trusted Provisioning Server (TPS) for the device.
+description: Use the BOOTSTRAP configuration service provider to set the Trusted Provisioning Server (TPS) for the device.
 ms.assetid: b8acbddc-347f-4543-a45b-ad2ffae3ffd0
 ms.reviewer:
 manager: dansimp
diff --git a/windows/client-management/mdm/browserfavorite-csp.md b/windows/client-management/mdm/browserfavorite-csp.md
index 9e1c5633df..908672c4ef 100644
--- a/windows/client-management/mdm/browserfavorite-csp.md
+++ b/windows/client-management/mdm/browserfavorite-csp.md
@@ -1,6 +1,6 @@
 ---
 title: BrowserFavorite CSP
-description: BrowserFavorite CSP
+description: Learn how the BrowserFavorite configuration service provider is used to add and remove URLs from the favorites list on a device.
 ms.assetid: 5d2351ff-2d6a-4273-9b09-224623723cbf
 ms.reviewer:
 manager: dansimp
diff --git a/windows/client-management/mdm/cellularsettings-csp.md b/windows/client-management/mdm/cellularsettings-csp.md
index edb5e3bdfa..953ddf78ae 100644
--- a/windows/client-management/mdm/cellularsettings-csp.md
+++ b/windows/client-management/mdm/cellularsettings-csp.md
@@ -1,6 +1,6 @@
 ---
 title: CellularSettings CSP
-description: CellularSettings CSP
+description: Learn how the CellularSettings configuration service provider is used to configure cellular settings on a mobile device.
 ms.assetid: ce8b6f16-37ca-4aaf-98b0-306d12e326df
 ms.reviewer:
 manager: dansimp
diff --git a/windows/client-management/mdm/certificate-renewal-windows-mdm.md b/windows/client-management/mdm/certificate-renewal-windows-mdm.md
index f6b0b2998b..0db0669275 100644
--- a/windows/client-management/mdm/certificate-renewal-windows-mdm.md +++ b/windows/client-management/mdm/certificate-renewal-windows-mdm.md @@ -1,6 +1,6 @@ --- title: Certificate Renewal -description: Find all the resources needed to provide continuous access to client certificates. +description: Learn how to find all the resources that you need to provide continuous access to client certificates. MS-HAID: - 'p\_phdevicemgmt.certificate\_renewal' - 'p\_phDeviceMgmt.certificate\_renewal\_windows\_mdm' diff --git a/windows/client-management/mdm/certificatestore-csp.md b/windows/client-management/mdm/certificatestore-csp.md index 6e878defd1..f709de39d0 100644 --- a/windows/client-management/mdm/certificatestore-csp.md +++ b/windows/client-management/mdm/certificatestore-csp.md @@ -17,7 +17,9 @@ ms.date: 02/28/2020 The CertificateStore configuration service provider is used to add secure socket layers (SSL), intermediate, and self-signed certificates. -> **Note**   The CertificateStore configuration service provider does not support installing client certificates. +> [!Note] +> The CertificateStore configuration service provider does not support installing client certificates. +> The Microsoft protocol version of Open Mobile Alliance (OMA) is case insensitive. @@ -643,4 +645,3 @@ Configure the device to automatically renew an MDM client certificate with the s - diff --git a/windows/client-management/mdm/clientcertificateinstall-ddf-file.md b/windows/client-management/mdm/clientcertificateinstall-ddf-file.md index 8601f82b20..ed787a3b0f 100644 --- a/windows/client-management/mdm/clientcertificateinstall-ddf-file.md +++ b/windows/client-management/mdm/clientcertificateinstall-ddf-file.md 
@@ -1,6 +1,6 @@
 ---
 title: ClientCertificateInstall DDF file
-description: ClientCertificateInstall DDF file
+description: Learn about the OMA DM device description framework (DDF) for the ClientCertificateInstall configuration service provider.
 ms.assetid: 7F65D045-A750-4CDE-A1CE-7D152AA060CA
 ms.reviewer:
 manager: dansimp
diff --git a/windows/client-management/mdm/cm-cellularentries-csp.md b/windows/client-management/mdm/cm-cellularentries-csp.md
index 02f2910d16..5063181c3f 100644
--- a/windows/client-management/mdm/cm-cellularentries-csp.md
+++ b/windows/client-management/mdm/cm-cellularentries-csp.md
@@ -1,6 +1,6 @@
 ---
 title: CM\_CellularEntries CSP
-description: Configure the General Packet Radio Service (GPRS) entries using the CM\_CellularEntries CSP.
+description: Learn how to configure the General Packet Radio Service (GPRS) entries using the CM\_CellularEntries CSP.
 ms.assetid: f8dac9ef-b709-4b76-b6f5-34c2e6a3c847
 ms.reviewer:
 manager: dansimp
diff --git a/windows/client-management/mdm/cm-proxyentries-csp.md b/windows/client-management/mdm/cm-proxyentries-csp.md
index 828700b85a..816b5c188b 100644
--- a/windows/client-management/mdm/cm-proxyentries-csp.md
+++ b/windows/client-management/mdm/cm-proxyentries-csp.md
@@ -1,6 +1,6 @@
 ---
 title: CM\_ProxyEntries CSP
-description: Configure proxy connections on mobile devices using CM\_ProxyEntries CSP.
+description: Learn how the CM\_ProxyEntries configuration service provider is used to configure proxy connections on the mobile device.
 ms.assetid: f4c3dc71-c85a-4c68-9ce9-19f408ff7a0a
 ms.reviewer:
 manager: dansimp
diff --git a/windows/client-management/mdm/cmpolicyenterprise-csp.md b/windows/client-management/mdm/cmpolicyenterprise-csp.md
index 08d0040594..df773dcb43 100644
--- a/windows/client-management/mdm/cmpolicyenterprise-csp.md
+++ b/windows/client-management/mdm/cmpolicyenterprise-csp.md
@@ -1,6 +1,6 @@ --- title: CMPolicyEnterprise CSP -description: CMPolicyEnterprise CSP +description: Learn how the CMPolicyEnterprise CSP is used to define rules that the Connection Manager uses to identify the correct connection for a connection request. ms.assetid: A0BE3458-ABED-4F80-B467-F842157B94BF ms.reviewer: manager: dansimp diff --git a/windows/client-management/mdm/cmpolicyenterprise-ddf-file.md b/windows/client-management/mdm/cmpolicyenterprise-ddf-file.md index 1eb4a02627..5c1c136c23 100644 --- a/windows/client-management/mdm/cmpolicyenterprise-ddf-file.md +++ b/windows/client-management/mdm/cmpolicyenterprise-ddf-file.md @@ -1,6 +1,6 @@ --- title: CMPolicyEnterprise DDF file -description: CMPolicyEnterprise DDF file +description: Learn about the OMA DM device description framework (DDF) for the CMPolicyEnterprise configuration service provider. ms.assetid: 065EF07A-0CF3-4EE5-B620-3464A75B7EED ms.reviewer: manager: dansimp diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md index fb69460ed8..0cd97100aa 100644 --- a/windows/client-management/mdm/configuration-service-provider-reference.md +++ b/windows/client-management/mdm/configuration-service-provider-reference.md @@ -9,7 +9,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: manikadhiman -ms.date: 06/03/2020 +ms.date: 09/18/2020 --- # Configuration service provider reference @@ -1108,7 +1108,8 @@ Additional lists: Mobile Enterprise - check mark + check mark +Only for mobile application management (MAM) check mark check mark 
@@ -2747,7 +2748,6 @@ The following list shows the CSPs supported in HoloLens devices: - [Accounts CSP](accounts-csp.md)9 **Note:** Support in Surface Hub is limited to **Domain\ComputerName**. - [AccountManagement CSP](accountmanagement-csp.md) - [APPLICATION CSP](application-csp.md) -- [Bitlocker-CSP](bitlocker-csp.md)9 - [CertificateStore CSP](certificatestore-csp.md) - [ClientCertificateInstall CSP](clientcertificateinstall-csp.md) - [Defender CSP](defender-csp.md) diff --git a/windows/client-management/mdm/customdeviceui-csp.md b/windows/client-management/mdm/customdeviceui-csp.md index 05add93e6a..17b165ed51 100644 --- a/windows/client-management/mdm/customdeviceui-csp.md +++ b/windows/client-management/mdm/customdeviceui-csp.md @@ -1,6 +1,6 @@ --- title: CustomDeviceUI CSP -description: CustomDeviceUI CSP +description: Learn how the CustomDeviceUI configuration service provider (CSP) allows OEMs to implement their custom foreground application. ms.assetid: 20ED1867-7B9E-4455-B397-53B8B15C95A3 ms.reviewer: manager: dansimp diff --git a/windows/client-management/mdm/customdeviceui-ddf.md b/windows/client-management/mdm/customdeviceui-ddf.md index 12b590ef8c..7623b155f2 100644 --- a/windows/client-management/mdm/customdeviceui-ddf.md +++ b/windows/client-management/mdm/customdeviceui-ddf.md @@ -1,6 +1,6 @@ --- title: CustomDeviceUI DDF -description: CustomDeviceUI DDF +description: Learn about the OMA DM device description framework (DDF) for the CustomDeviceUI configuration service provider. ms.assetid: E6D6B902-C57C-48A6-9654-CCBA3898455E ms.reviewer: manager: dansimp diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md index 3b8666fb79..da9959c0a2 100644 --- a/windows/client-management/mdm/defender-csp.md +++ b/windows/client-management/mdm/defender-csp.md 
@@ -1,6 +1,6 @@ --- title: Defender CSP -description: See how the Windows Defender configuration service provider is used to configure various Windows Defender actions across the enterprise. +description: Learn how the Windows Defender configuration service provider is used to configure various Windows Defender actions across the enterprise. ms.assetid: 481AA74F-08B2-4A32-B95D-5A3FD05B335C ms.reviewer: manager: dansimp @@ -51,7 +51,7 @@ Supported operation is Get. **Detections/*ThreatId*/Severity** Threat severity ID. -The data type is a integer. +The data type is integer. The following list shows the supported values: @@ -66,7 +66,7 @@ Supported operation is Get. **Detections/*ThreatId*/Category** Threat category ID. -The data type is a integer. +The data type is integer. The following table describes the supported values: @@ -128,7 +128,7 @@ Supported operation is Get. **Detections/*ThreatId*/CurrentStatus** Information about the current status of the threat. -The data type is a integer. +The data type is integer. The following list shows the supported values: @@ -149,7 +149,7 @@ Supported operation is Get. **Detections/*ThreatId*/ExecutionStatus** Information about the execution status of the threat. -The data type is a integer. +The data type is integer. Supported operation is Get. @@ -170,7 +170,7 @@ Supported operation is Get. **Detections/*ThreatId*/NumberOfDetections** Number of times this threat has been detected on a particular client. -The data type is a integer. +The data type is integer. Supported operation is Get. @@ -182,7 +182,7 @@ Supported operation is Get. **Health/ProductStatus** Added in Windows 10, version 1809. Provide the current state of the product. This is a bitmask flag value that can represent one or multiple product states from below list. -Data type is integer. Supported operation is Get. +The data type is integer. Supported operation is Get. Supported product status values: - No status = 0 
@@ -233,7 +233,7 @@ Example: **Health/ComputerState** Provide the current state of the device. -The data type is a integer. +The data type is integer. The following list shows the supported values: @@ -394,7 +394,7 @@ When enabled or disabled exists on the client and admin moves the setting to not Enables or disables file hash computation feature. When this feature is enabled Windows defender will compute hashes for files it scans. -The data type is a integer. +The data type is integer. Supported operations are Add, Delete, Get, Replace. @@ -403,7 +403,7 @@ Valid values are: - 0 (default) – Disable. **Configuration/SupportLogLocation** -The support log location setting allows the administrator to specify where the Microsoft Defender Antivirus diagnostic data collection tool (MpCmdRun.exe) will save the resulting log files. This setting is configured with an MDM solution, such as Intune, and is available for Windows 10 Enterprise. +The support log location setting allows the administrator to specify where the Microsoft Defender Antivirus diagnostic data collection tool (**MpCmdRun.exe**) will save the resulting log files. This setting is configured with an MDM solution, such as Intune, and is available for Windows 10 Enterprise. Data type is string. diff --git a/windows/client-management/mdm/defender-ddf.md b/windows/client-management/mdm/defender-ddf.md index 60c2372aed..a63f4dec92 100644 --- a/windows/client-management/mdm/defender-ddf.md +++ b/windows/client-management/mdm/defender-ddf.md @@ -1,6 +1,6 @@ --- title: Defender DDF file -description: See how the the OMA DM device description framework (DDF) for the **Defender** configuration service provider is used. +description: Learn how the OMA DM device description framework (DDF) for the Defender configuration service provider is used. ms.assetid: 39B9E6CF-4857-4199-B3C3-EC740A439F65 ms.reviewer: manager: dansimp 
@@ -10,7 +10,7 @@ ms.prod: w10 ms.technology: windows author: manikadhiman ms.localizationpriority: medium -ms.date: 10/21/2019 +ms.date: 08/11/2020 --- # Defender DDF file @@ -45,7 +45,7 @@ The XML below is the current version for this CSP. - com.microsoft/1.2/MDM/Defender + com.microsoft/1.3/MDM/Defender @@ -734,6 +734,29 @@ The XML below is the current version for this CSP. + + SupportLogLocation + + + + + + + + + + + + + + + + + + text/plain + + + Scan diff --git a/windows/client-management/mdm/devdetail-csp.md b/windows/client-management/mdm/devdetail-csp.md index 285d96ddf8..11ab51bf9e 100644 --- a/windows/client-management/mdm/devdetail-csp.md +++ b/windows/client-management/mdm/devdetail-csp.md @@ -1,6 +1,6 @@ --- title: DevDetail CSP -description: DevDetail CSP +description: Learn how the DevDetail configuration service provider handles the management object which provides device-specific parameters to the OMA DM server. ms.assetid: 719bbd2d-508d-439b-b175-0874c7e6c360 ms.reviewer: manager: dansimp diff --git a/windows/client-management/mdm/devdetail-ddf-file.md b/windows/client-management/mdm/devdetail-ddf-file.md index 0ab07220b6..25be11c21b 100644 --- a/windows/client-management/mdm/devdetail-ddf-file.md +++ b/windows/client-management/mdm/devdetail-ddf-file.md @@ -1,6 +1,6 @@ --- title: DevDetail DDF file -description: DevDetail DDF file +description: Learn about the OMA DM device description framework (DDF) for the DevDetail configuration service provider. ms.assetid: 645fc2b5-2d2c-43b1-9058-26bedbe9f00d ms.reviewer: manager: dansimp diff --git a/windows/client-management/mdm/deviceinstanceservice-csp.md b/windows/client-management/mdm/deviceinstanceservice-csp.md index 09d6af05e4..f24564545c 100644 --- a/windows/client-management/mdm/deviceinstanceservice-csp.md +++ b/windows/client-management/mdm/deviceinstanceservice-csp.md 
@@ -1,6 +1,6 @@
 ---
 title: DeviceInstanceService CSP
-description: DeviceInstanceService CSP
+description: Learn how the DeviceInstanceService configuration service provider (CSP) provides some device inventory information that could be useful for an enterprise.
 ms.assetid: f113b6bb-6ce1-45ad-b725-1b6610721e2d
 ms.reviewer:
 manager: dansimp
diff --git a/windows/client-management/mdm/devicelock-csp.md b/windows/client-management/mdm/devicelock-csp.md
index 246408076e..cef65071ec 100644
--- a/windows/client-management/mdm/devicelock-csp.md
+++ b/windows/client-management/mdm/devicelock-csp.md
@@ -1,6 +1,6 @@
 ---
 title: DeviceLock CSP
-description: DeviceLock CSP
+description: Learn how the DeviceLock configuration service provider (CSP) is used by the enterprise management server to configure device lock related policies.
 ms.assetid: 9a547efb-738e-4677-95d3-5506d350d8ab
 ms.reviewer:
 manager: dansimp
diff --git a/windows/client-management/mdm/devicelock-ddf-file.md b/windows/client-management/mdm/devicelock-ddf-file.md
index 545ebcdb9b..eb63ef11fe 100644
--- a/windows/client-management/mdm/devicelock-ddf-file.md
+++ b/windows/client-management/mdm/devicelock-ddf-file.md
@@ -1,6 +1,6 @@
 ---
 title: DeviceLock DDF file
-description: DeviceLock DDF file
+description: Learn about the OMA DM device description framework (DDF) for the DeviceLock configuration service provider (CSP).
 ms.assetid: 46a691b9-6350-4987-bfc7-f8b1eece3ad9
 ms.reviewer:
 manager: dansimp
diff --git a/windows/client-management/mdm/devinfo-ddf-file.md b/windows/client-management/mdm/devinfo-ddf-file.md
index b81a21b82e..aec2b4cc91 100644
--- a/windows/client-management/mdm/devinfo-ddf-file.md
+++ b/windows/client-management/mdm/devinfo-ddf-file.md
@@ -1,6 +1,6 @@
 ---
 title: DevInfo DDF file
-description: DevInfo DDF file
+description: Learn about the OMA DM device description framework (DDF) for the DevInfo configuration service provider (CSP).
 ms.assetid: beb07cc6-4133-4c0f-aa05-64db2b4a004f
 ms.reviewer:
 manager: dansimp
diff --git a/windows/client-management/mdm/diagnosticlog-csp.md b/windows/client-management/mdm/diagnosticlog-csp.md
index 2f00912ad8..2c49067d90 100644
--- a/windows/client-management/mdm/diagnosticlog-csp.md
+++ b/windows/client-management/mdm/diagnosticlog-csp.md
@@ -1,6 +1,6 @@
 ---
 title: DiagnosticLog CSP
-description: DiagnosticLog CSP
+description: Learn about the feature areas of the DiagnosticLog configuration service provider (CSP), including the DiagnosticLog area and Policy area.
 ms.assetid: F76E0056-3ACD-48B2-BEA1-1048C96571C3
 ms.reviewer:
 manager: dansimp
diff --git a/windows/client-management/mdm/diagnosticlog-ddf.md b/windows/client-management/mdm/diagnosticlog-ddf.md
index 8bedac1205..f635ed44c6 100644
--- a/windows/client-management/mdm/diagnosticlog-ddf.md
+++ b/windows/client-management/mdm/diagnosticlog-ddf.md
@@ -1,6 +1,6 @@
 ---
 title: DiagnosticLog DDF
-description: DiagnosticLog DDF
+description: Learn about the the OMA DM device description framework (DDF) for the DiagnosticLog configuration service provider (CSP).
 ms.assetid: 9DD75EDA-5913-45B4-9BED-20E30CDEBE16
 ms.reviewer:
 manager: dansimp
diff --git a/windows/client-management/mdm/dmacc-csp.md b/windows/client-management/mdm/dmacc-csp.md
index aa61f9d50b..4a45bf4eb2 100644
--- a/windows/client-management/mdm/dmacc-csp.md
+++ b/windows/client-management/mdm/dmacc-csp.md
@@ -1,6 +1,6 @@
 ---
 title: DMAcc CSP
-description: DMAcc CSP
+description: Learn how the DMAcc configuration service provider (CSP) allows an OMA Device Management (DM) version 1.2 server to handle OMA DM account objects.
 ms.assetid: 43e73d8a-6617-44e7-8459-5c96f4422e63
 ms.reviewer:
 manager: dansimp
diff --git a/windows/client-management/mdm/dmacc-ddf-file.md b/windows/client-management/mdm/dmacc-ddf-file.md index 232f5672cd..b10dcad38a 100644 --- a/windows/client-management/mdm/dmacc-ddf-file.md +++ b/windows/client-management/mdm/dmacc-ddf-file.md @@ -1,6 +1,6 @@ --- title: DMAcc DDF file -description: DMAcc DDF file +description: Learn about the OMA DM device description framework (DDF) for the DMAcc configuration service provider (CSP). ms.assetid: 44dc99aa-2a85-498b-8f52-a81863765606 ms.reviewer: manager: dansimp diff --git a/windows/client-management/mdm/dmclient-csp.md b/windows/client-management/mdm/dmclient-csp.md index 9469f12408..6ed30e55f1 100644 --- a/windows/client-management/mdm/dmclient-csp.md +++ b/windows/client-management/mdm/dmclient-csp.md @@ -21,11 +21,15 @@ The following diagram shows the DMClient CSP in tree format. ![dmclient csp](images/provisioning-csp-dmclient-th2.png) + +**./Vendor/MSFT** +All the nodes in this CSP are supported in the device context, except for the **ExchangeID** node, which is supported in the user context. For the device context, use the **./Device/Vendor/MSFT** path and for the user context, use the **./User/Vendor/MSFT** path. + **DMClient** Root node for the CSP. **UpdateManagementServiceAddress** -For provisioning packages only. Specifies the list of servers (semicolon delimited). The first server in the semicolon delimited list is the server that will be used to instantiate MDM sessions. The list can be a permutation or a subset of the existing server list. You cannot add new servers to the list using this node. +For provisioning packages only. Specifies the list of servers (semicolon delimited). The first server in the semicolon-delimited list is the server that will be used to instantiate MDM sessions. The list can be a permutation or a subset of the existing server list. You cannot add new servers to the list using this node. **HWDevID** Added in Windows 10, version 1703. Returns the hardware device ID. 
@@ -221,7 +225,7 @@ Added in Windows 10, version 1607. Returns the hardware device ID. Supported operation is Get. **Provider/*ProviderID*/CommercialID** -Added in Windows 10, version 1607. Configures the identifier used to uniquely associate this diagnostic data of this device as belonging to a given organization. If your organization is participating in a program that requires this device to be identified as belonging to your organization then use this setting to provide that identification. The value for this setting will be provided by Microsoft as part of the onboarding process for the program. If you disable or do not configure this policy setting, then Microsoft will not be able to use this identifier to associate this machine and its diagnostic data with your organization.. +Added in Windows 10, version 1607. Configures the identifier used to uniquely associate this diagnostic data of this device as belonging to a given organization. If your organization is participating in a program that requires this device to be identified as belonging to your organization then use this setting to provide that identification. The value for this setting will be provided by Microsoft as part of the onboarding process for the program. If you disable or do not configure this policy setting, then Microsoft will not be able to use this identifier to associate this machine and its diagnostic data with your organization. Supported operations are Add, Get, Replace, and Delete. 
@@ -265,7 +269,7 @@ Supported operations are Add, Delete, Get, and Replace. Value type is integer. **Provider/*ProviderID*/AADSendDeviceToken** -Device. Added in Windows 10 version 1803. For Azure AD backed enrollments, this will cause the client to send a Device Token if the User Token can not be obtained. +Device. Added in Windows 10 version 1803. For Azure AD backed enrollments, this will cause the client to send a Device Token if the User Token cannot be obtained. Supported operations are Add, Delete, Get, and Replace. Value type is bool. diff --git a/windows/client-management/mdm/dmclient-ddf-file.md b/windows/client-management/mdm/dmclient-ddf-file.md index 15b21d0197..c5ba87da90 100644 --- a/windows/client-management/mdm/dmclient-ddf-file.md +++ b/windows/client-management/mdm/dmclient-ddf-file.md @@ -1,6 +1,6 @@ --- title: DMClient DDF file -description: DMClient DDF file +description: Learn about the OMA DM device description framework (DDF) for the DMClient configuration service provider (CSP). ms.assetid: A21B33AF-DB76-4059-8170-FADF2CB898A0 ms.reviewer: manager: dansimp @@ -1022,7 +1022,6 @@ The XML below is for Windows 10, version 1803. - diff --git a/windows/client-management/mdm/dmprocessconfigxmlfiltered.md b/windows/client-management/mdm/dmprocessconfigxmlfiltered.md index 2e1b590d91..b9ed5780d0 100644 --- a/windows/client-management/mdm/dmprocessconfigxmlfiltered.md +++ b/windows/client-management/mdm/dmprocessconfigxmlfiltered.md @@ -1,6 +1,6 @@ --- title: DMProcessConfigXMLFiltered function -description: Configures phone settings by using OMA Client Provisioning XML. +description: Learn how the DMProcessConfigXMLFiltered function configures phone settings by using OMA Client Provisioning XML. Search.Refinement.TopicID: 184 ms.assetid: 31D79901-6206-454C-AE78-9B85A3B3487F ms.reviewer: diff --git a/windows/client-management/mdm/dmsessionactions-csp.md b/windows/client-management/mdm/dmsessionactions-csp.md index b395c7c3ba..65aeb1a961 100644 
--- a/windows/client-management/mdm/dmsessionactions-csp.md
+++ b/windows/client-management/mdm/dmsessionactions-csp.md
@@ -1,6 +1,6 @@
 ---
 title: DMSessionActions CSP
-description: DMSessionActions CSP
+description: Learn how the DMSessionActions configuration service provider (CSP) is used to manage the number of sessions the client skips if the device is in a low power state.
 ms.author: dansimp
 ms.topic: article
 ms.prod: w10
diff --git a/windows/client-management/mdm/dmsessionactions-ddf.md b/windows/client-management/mdm/dmsessionactions-ddf.md
index aef1210842..61b4b4754a 100644
--- a/windows/client-management/mdm/dmsessionactions-ddf.md
+++ b/windows/client-management/mdm/dmsessionactions-ddf.md
@@ -1,6 +1,6 @@
 ---
 title: DMSessionActions DDF file
-description: DMSessionActions DDF file
+description: Learn about the OMA DM device description framework (DDF) for the DMSessionActions configuration service provider (CSP).
 ms.author: dansimp
 ms.topic: article
 ms.prod: w10
diff --git a/windows/client-management/mdm/dynamicmanagement-csp.md b/windows/client-management/mdm/dynamicmanagement-csp.md
index e7d55aedc0..b6fe50d931 100644
--- a/windows/client-management/mdm/dynamicmanagement-csp.md
+++ b/windows/client-management/mdm/dynamicmanagement-csp.md
@@ -1,6 +1,6 @@
 ---
 title: DynamicManagement CSP
-description: DynamicManagement CSP
+description: Learn how the Dynamic Management configuration service provider (CSP) enables configuration of policies that change how the device is managed.
 ms.author: dansimp
 ms.topic: article
 ms.prod: w10
diff --git a/windows/client-management/mdm/dynamicmanagement-ddf.md b/windows/client-management/mdm/dynamicmanagement-ddf.md
index 3439bf646a..2690fa4e23 100644
--- a/windows/client-management/mdm/dynamicmanagement-ddf.md
+++ b/windows/client-management/mdm/dynamicmanagement-ddf.md
@@ -1,6 +1,6 @@
 ---
 title: DynamicManagement DDF file
-description: DynamicManagement DDF file
+description: Learn about the OMA DM device description framework (DDF) for the DynamicManagement configuration service provider (CSP).
 ms.assetid: 7e266db0-2fd9-4412-b428-4550f41a1738
 ms.reviewer:
 manager: dansimp
diff --git a/windows/client-management/mdm/email2-csp.md b/windows/client-management/mdm/email2-csp.md
index ddb14a8d3f..844fc1be39 100644
--- a/windows/client-management/mdm/email2-csp.md
+++ b/windows/client-management/mdm/email2-csp.md
@@ -1,6 +1,6 @@
 ---
 title: EMAIL2 CSP
-description: EMAIL2 CSP
+description: Learn how the EMAIL2 configuration service provider (CSP) is used to configure Simple Mail Transfer Protocol (SMTP) email accounts.
 ms.assetid: bcfc9d98-bc2e-42c6-9b81-0b5bf65ce2b8
 ms.reviewer:
 manager: dansimp
diff --git a/windows/client-management/mdm/email2-ddf-file.md b/windows/client-management/mdm/email2-ddf-file.md
index f24a64e3e3..4f11b5b64d 100644
--- a/windows/client-management/mdm/email2-ddf-file.md
+++ b/windows/client-management/mdm/email2-ddf-file.md
@@ -1,6 +1,6 @@
 ---
 title: EMAIL2 DDF file
-description: EMAIL2 DDF file
+description: Learn how the OMA DM device description framework (DDF) for the EMAIL2 configuration service provider (CSP).
 ms.assetid: 7e266db0-2fd9-4412-b428-4550f41a1738
 ms.reviewer:
 manager: dansimp
diff --git a/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md b/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md
index 1f420a71c4..805f9ee481 100644
--- a/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md
+++ b/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md
@@ -1,6 +1,6 @@
 ---
 title: Enable ADMX-backed policies in MDM
-description: Use this is a step-by-step guide to configuring ADMX-backed policies in MDM.
+description: Use this step-by-step guide to configure a selected set of Group Policy administrative templates (ADMX-backed policies) in Mobile Device Management (MDM).
 ms.author: dansimp
 ms.topic: article
 ms.prod: w10
diff --git a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md
index f45e20d377..7a91385e10 100644
--- a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md
+++ b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md
@@ -1,6 +1,6 @@
 ---
 title: Enroll a Windows 10 device automatically using Group Policy
-description: Enroll a Windows 10 device automatically using Group Policy
+description: Learn how to use a Group Policy to trigger auto-enrollment to MDM for Active Directory (AD) domain-joined devices.
 ms.author: dansimp
 ms.topic: article
 ms.prod: w10
@@ -170,11 +170,16 @@ Requirements: 1. Download: - - 1803 -->[Administrative Templates (.admx) for Windows 10 April 2018 Update (1803)](https://www.microsoft.com/download/details.aspx?id=56880) + - 1803 --> [Administrative Templates (.admx) for Windows 10 April 2018 Update (1803)](https://www.microsoft.com/download/details.aspx?id=56880) - - 1809 --> [Administrative Templates for Windows 10 October 2018 Update (1809)](https://www.microsoft.com/download/details.aspx?id=57576) + - 1809 --> [Administrative Templates (.admx) for Windows 10 October 2018 Update (1809)](https://www.microsoft.com/download/details.aspx?id=57576) - - 1903 --> [Administrative Templates (.admx) for Windows 10 May 2019 Update (1903)](https://www.microsoft.com/download/details.aspx?id=58495&WT.mc_id=rss_alldownloads_all) + - 1903 --> [Administrative Templates (.admx) for Windows 10 May 2019 Update (1903)](https://www.microsoft.com/download/details.aspx?id=58495) + + - 1909 --> [Administrative Templates (.admx) for Windows 10 November 2019 Update (1909)]( +https://www.microsoft.com/download/confirmation.aspx?id=1005915) + + - 2004 --> [Administrative Templates (.admx) for Windows 10 May 2020 Update (2004)](https://www.microsoft.com/download/confirmation.aspx?id=101445) 2. Install the package on the Domain Controller. @@ -185,6 +190,10 @@ Requirements: - 1809 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 October 2018 Update (1809) v2** - 1903 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 May 2019 Update (1903) v3** + + - 1909 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 November 2019 Update (1909)** + + - 2004 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 May 2020 Update (2004)** 4. Rename the extracted Policy Definitions folder to **PolicyDefinitions**. 
diff --git a/windows/client-management/mdm/enrollmentstatustracking-csp-ddf.md b/windows/client-management/mdm/enrollmentstatustracking-csp-ddf.md
index e70eed0ce5..98739efcb1 100644
--- a/windows/client-management/mdm/enrollmentstatustracking-csp-ddf.md
+++ b/windows/client-management/mdm/enrollmentstatustracking-csp-ddf.md
@@ -1,6 +1,6 @@
 ---
 title: EnrollmentStatusTracking DDF
-description: View the OMA DM device description framework (DDF) for the EnrollmentStatusTracking configuration service provider. DDF files are used only with OMA DM provisioning XML.
+description: View the OMA DM DDF for the EnrollmentStatusTracking configuration service provider. DDF files are used only with OMA DM provisioning XML.
 ms.author: dansimp
 ms.topic: article
 ms.prod: w10
diff --git a/windows/client-management/mdm/enterpriseapn-ddf.md b/windows/client-management/mdm/enterpriseapn-ddf.md
index 319356f336..5e7af9b60d 100644
--- a/windows/client-management/mdm/enterpriseapn-ddf.md
+++ b/windows/client-management/mdm/enterpriseapn-ddf.md
@@ -1,6 +1,6 @@
 ---
 title: EnterpriseAPN DDF
-description: EnterpriseAPN DDF
+description: Learn about the OMA DM device description framework (DDF) for the EnterpriseAPN configuration service provider (CSP).
 ms.assetid: A953ADEF-4523-425F-926C-48DA62EB9E21
 ms.reviewer:
 manager: dansimp
diff --git a/windows/client-management/mdm/enterpriseappvmanagement-csp.md b/windows/client-management/mdm/enterpriseappvmanagement-csp.md
index 22445122ec..272f60f44f 100644
--- a/windows/client-management/mdm/enterpriseappvmanagement-csp.md
+++ b/windows/client-management/mdm/enterpriseappvmanagement-csp.md
@@ -1,6 +1,6 @@
 ---
 title: EnterpriseAppVManagement CSP
-description: Examine the tree format for EnterpriseAppVManagement configuration service provider (CSP) to manage virtual applications in Windows 10 PCs.(Enterprise and Education editions).
+description: Examine the tree format for EnterpriseAppVManagement CSP to manage virtual applications in Windows 10 PCs.(Enterprise and Education editions).
 ms.author: dansimp
 ms.topic: article
 ms.prod: w10
diff --git a/windows/client-management/mdm/enterpriseappvmanagement-ddf.md b/windows/client-management/mdm/enterpriseappvmanagement-ddf.md
index 626981e0ff..8cf951cf55 100644
--- a/windows/client-management/mdm/enterpriseappvmanagement-ddf.md
+++ b/windows/client-management/mdm/enterpriseappvmanagement-ddf.md
@@ -1,6 +1,6 @@
 ---
 title: EnterpriseAppVManagement DDF file
-description: EnterpriseAppVManagement DDF file
+description: Learn about the OMA DM device description framework (DDF) for the EnterpriseAppVManagement configuration service provider (CSP).
 ms.author: dansimp
 ms.topic: article
 ms.prod: w10
diff --git a/windows/client-management/mdm/enterpriseassignedaccess-csp.md b/windows/client-management/mdm/enterpriseassignedaccess-csp.md
index 2df97c9bf4..45d11904d5 100644
--- a/windows/client-management/mdm/enterpriseassignedaccess-csp.md
+++ b/windows/client-management/mdm/enterpriseassignedaccess-csp.md
@@ -1,6 +1,6 @@
 ---
 title: EnterpriseAssignedAccess CSP
-description: Use the EnterpriseAssignedAccess CSP to configure custom layouts on a device.
+description: Use the EnterpriseAssignedAccess configuration service provider (CSP) to configure custom layouts on a device.
 ms.assetid: 5F88E567-77AA-4822-A0BC-3B31100639AA
 ms.reviewer:
 manager: dansimp
diff --git a/windows/client-management/mdm/enterpriseext-csp.md b/windows/client-management/mdm/enterpriseext-csp.md
index 782bc735ed..24cadf3270 100644
--- a/windows/client-management/mdm/enterpriseext-csp.md
+++ b/windows/client-management/mdm/enterpriseext-csp.md
@@ -1,6 +1,6 @@
 ---
 title: EnterpriseExt CSP
-description: EnterpriseExt CSP
+description: Learn how the EnterpriseExt CSP allows OEMs to set their own unique ID for their devices, set display brightness values, and set the LED behavior.
 ms.assetid: ACA5CD79-BBD5-4DD1-86DA-0285B93982BD
 ms.reviewer:
 manager: dansimp
diff --git a/windows/client-management/mdm/enterpriseext-ddf.md b/windows/client-management/mdm/enterpriseext-ddf.md
index e30ceeb37f..4b3d4b0afd 100644
--- a/windows/client-management/mdm/enterpriseext-ddf.md
+++ b/windows/client-management/mdm/enterpriseext-ddf.md
@@ -1,6 +1,6 @@
 ---
 title: EnterpriseExt DDF
-description: EnterpriseExt DDF
+description: Learn about the OMA DM device description framework (DDF) for the EnterpriseExt configuration service provider (CSP).
 ms.assetid: 71BF81D4-FBEC-4B03-BF99-F7A5EDD4F91B
 ms.reviewer:
 manager: dansimp
diff --git a/windows/client-management/mdm/enterpriseextfilesystem-ddf.md b/windows/client-management/mdm/enterpriseextfilesystem-ddf.md
index 997493aee9..7efb54af20 100644
--- a/windows/client-management/mdm/enterpriseextfilesystem-ddf.md
+++ b/windows/client-management/mdm/enterpriseextfilesystem-ddf.md
@@ -1,6 +1,6 @@
 ---
 title: EnterpriseExtFileSystem DDF
-description: EnterpriseExtFileSystem DDF
+description: Learn about the OMA DM device description framework (DDF) for the EnterpriseExtFileSystem configuration service provider (CSP).
 ms.assetid: 2D292E4B-15EE-4AEB-8884-6FEE8B92D2D1
 ms.reviewer:
 manager: dansimp
diff --git a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md
index 5384ce0168..77b6e72ff9 100644
--- a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md
+++ b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md
@@ -1,6 +1,6 @@
 ---
 title: EnterpriseModernAppManagement CSP
-description: EnterpriseModernAppManagement CSP
+description: Learn how the EnterpriseModernAppManagement configuration service provider (CSP) is used for the provisioning and reporting of modern enterprise apps.
 ms.assetid: 9DD0741A-A229-41A0-A85A-93E185207C42
 ms.reviewer:
 manager: dansimp
diff --git a/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md b/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md
index aa2cdb680b..237000b2f0 100644
--- a/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md
+++ b/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md
@@ -1,6 +1,6 @@
 ---
 title: EnterpriseModernAppManagement DDF
-description: EnterpriseModernAppManagement DDF
+description: Learn about the OMA DM device description framework (DDF) for the EnterpriseModernAppManagement configuration service provider (CSP).
 ms.assetid:
 ms.reviewer:
 manager: dansimp
diff --git a/windows/client-management/mdm/enterprisemodernappmanagement-xsd.md b/windows/client-management/mdm/enterprisemodernappmanagement-xsd.md
index f7544b10a4..f8b15504cc 100644
--- a/windows/client-management/mdm/enterprisemodernappmanagement-xsd.md
+++ b/windows/client-management/mdm/enterprisemodernappmanagement-xsd.md
@@ -1,6 +1,6 @@
 ---
 title: EnterpriseModernAppManagement XSD
-description: Use the EnterpriseModernAppManagement XSD for set application parameters.
+description: In this article, view the EnterpriseModernAppManagement XSD example so you can set application parameters.
 ms.assetid: D393D094-25E5-4E66-A60F-B59CC312BF57
 ms.reviewer:
 manager: dansimp
diff --git a/windows/client-management/mdm/esim-enterprise-management.md b/windows/client-management/mdm/esim-enterprise-management.md
index 9251f6a755..79545b45cc 100644
--- a/windows/client-management/mdm/esim-enterprise-management.md
+++ b/windows/client-management/mdm/esim-enterprise-management.md
@@ -1,6 +1,6 @@
 ---
 title: eSIM Enterprise Management
-description: Managing eSIM devices in an enterprise
+description: Learn how Mobile Device Management (MDM) Providers support the eSIM Profile Management Solution on Windows.
 keywords: eSIM enterprise management
 ms.prod: w10
 ms.mktglfcycl:
diff --git a/windows/client-management/mdm/euiccs-csp.md b/windows/client-management/mdm/euiccs-csp.md
index 43626310a0..1f42e3e43d 100644
--- a/windows/client-management/mdm/euiccs-csp.md
+++ b/windows/client-management/mdm/euiccs-csp.md
@@ -1,6 +1,6 @@
 ---
 title: eUICCs CSP
-description: eUICCs CSP
+description: Learn how the eUICCs CSP is used to support eUICC enterprise use cases and enables the IT admin to manage (assign, re-assign, remove) subscriptions to employees.
 ms.author: dansimp
 ms.topic: article
 ms.prod: w10
diff --git a/windows/client-management/mdm/euiccs-ddf-file.md b/windows/client-management/mdm/euiccs-ddf-file.md
index 3f3e71df8d..38bb8e5f6f 100644
--- a/windows/client-management/mdm/euiccs-ddf-file.md
+++ b/windows/client-management/mdm/euiccs-ddf-file.md
@@ -1,6 +1,6 @@
 ---
 title: eUICCs DDF file
-description: eUICCs DDF file
+description: Learn about the OMA DM device description framework (DDF) for the eUICCs configuration service provider (CSP).
 ms.assetid: c4cd4816-ad8f-45b2-9b81-8abb18254096
 ms.reviewer:
 manager: dansimp
diff --git a/windows/client-management/mdm/filesystem-csp.md b/windows/client-management/mdm/filesystem-csp.md
index 653b03b527..9bad3fe712 100644
--- a/windows/client-management/mdm/filesystem-csp.md
+++ b/windows/client-management/mdm/filesystem-csp.md
@@ -1,6 +1,6 @@
 ---
 title: FileSystem CSP
-description: FileSystem CSP
+description: Learn how the FileSystem CSP is used to query, add, modify, and delete files, file directories, and file attributes on the mobile device.
 ms.assetid: 9117ee16-ca7a-4efa-9270-c9ac8547e541
 ms.reviewer:
 manager: dansimp
diff --git a/windows/client-management/mdm/firewall-ddf-file.md b/windows/client-management/mdm/firewall-ddf-file.md
index 20172a8f10..72829fc3a9 100644
--- a/windows/client-management/mdm/firewall-ddf-file.md
+++ b/windows/client-management/mdm/firewall-ddf-file.md
@@ -1,6 +1,6 @@
 ---
 title: Firewall DDF file
-description: Firewall DDF file
+description: Learn about the OMA DM device description framework (DDF) for the Firewall configuration service provider.
 ms.author: dansimp
 ms.topic: article
 ms.prod: w10
diff --git a/windows/client-management/mdm/healthattestation-csp.md b/windows/client-management/mdm/healthattestation-csp.md
index e24210c9e0..0124df555f 100644
--- a/windows/client-management/mdm/healthattestation-csp.md
+++ b/windows/client-management/mdm/healthattestation-csp.md
@@ -1,6 +1,6 @@
 ---
 title: Device HealthAttestation CSP
-description: Device HealthAttestation CSP
+description: Learn how the DHA-CSP enables enterprise IT managers to assess if a device is booted to a trusted and compliant state, and take enterprise policy actions.
 ms.assetid: 6F2D783C-F6B4-4A81-B9A2-522C4661D1AC
 ms.reviewer:
 manager: dansimp
diff --git a/windows/client-management/mdm/healthattestation-ddf.md b/windows/client-management/mdm/healthattestation-ddf.md
index 21934f6452..d7209b1cf2 100644
--- a/windows/client-management/mdm/healthattestation-ddf.md
+++ b/windows/client-management/mdm/healthattestation-ddf.md
@@ -1,6 +1,6 @@
 ---
 title: HealthAttestation DDF
-description: HealthAttestation DDF
+description: Learn about the OMA DM device description framework (DDF) for the HealthAttestation configuration service provider.
 ms.assetid: D20AC78D-D2D4-434B-B9FD-294BCD9D1DDE
 ms.reviewer:
 manager: dansimp
diff --git a/windows/client-management/mdm/hotspot-csp.md b/windows/client-management/mdm/hotspot-csp.md
index 025ce63385..f4a14359a1 100644
--- a/windows/client-management/mdm/hotspot-csp.md
+++ b/windows/client-management/mdm/hotspot-csp.md
@@ -1,6 +1,6 @@
 ---
 title: HotSpot CSP
-description: HotSpot CSP
+description: Learn how HotSpot configuration service provider (CSP) is used to configure and enable Internet sharing on a device.
 ms.assetid: ec49dec1-fa79-420a-a9a7-e86668b3eebf
 ms.reviewer:
 manager: dansimp
diff --git a/windows/client-management/mdm/images/Provisioning_CSP_Defender.png b/windows/client-management/mdm/images/Provisioning_CSP_Defender.png
deleted file mode 100644
index 6ee31a8f16..0000000000
Binary files a/windows/client-management/mdm/images/Provisioning_CSP_Defender.png and /dev/null differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-defender.png b/windows/client-management/mdm/images/provisioning-csp-defender.png
index 793b1568ff..ccf57208df 100644
Binary files a/windows/client-management/mdm/images/provisioning-csp-defender.png and b/windows/client-management/mdm/images/provisioning-csp-defender.png differ
diff --git a/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md b/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md
index 7b8e606d40..1c9ca9aba5 100644
--- a/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md
+++ b/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md
@@ -1,6 +1,6 @@
 ---
 title: MDM enrollment of Windows 10-based devices
-description: MDM enrollment of Windows 10-based devices
+description: Learn about mobile device management (MDM) enrollment of Windows 10-based devices to simplify access to your organization’s resources.
 MS-HAID:
 - 'p\_phdevicemgmt.enrollment\_ui'
 - 'p\_phDeviceMgmt.mdm\_enrollment\_of\_windows\_devices'
diff --git a/windows/client-management/mdm/messaging-csp.md b/windows/client-management/mdm/messaging-csp.md
index cc739605f3..e9383e871f 100644
--- a/windows/client-management/mdm/messaging-csp.md
+++ b/windows/client-management/mdm/messaging-csp.md
@@ -1,6 +1,6 @@
 ---
 title: Messaging CSP
-description: Use the Messaging CSP to configure the ability to get text messages audited on a mobile device.
+description: Use the Messaging configuration service provider (CSP) to configure the ability to get text messages audited on a mobile device.
 ms.author: dansimp
 ms.topic: article
 ms.prod: w10
diff --git a/windows/client-management/mdm/multisim-csp.md b/windows/client-management/mdm/multisim-csp.md
index 7d719b40aa..3597ffa5fe 100644
--- a/windows/client-management/mdm/multisim-csp.md
+++ b/windows/client-management/mdm/multisim-csp.md
@@ -1,6 +1,6 @@
 ---
 title: MultiSIM CSP
-description: MultiSIM CSP allows the enterprise to manage devices with dual SIM single active configuration.
+description: MultiSIM configuration service provider (CSP) allows the enterprise to manage devices with dual SIM single active configuration.
 ms.author: dansimp
 ms.topic: article
 ms.prod: w10
diff --git a/windows/client-management/mdm/nap-csp.md b/windows/client-management/mdm/nap-csp.md
index c4dbd6410a..dcaef76767 100644
--- a/windows/client-management/mdm/nap-csp.md
+++ b/windows/client-management/mdm/nap-csp.md
@@ -1,6 +1,6 @@
 ---
 title: NAP CSP
-description: NAP CSP
+description: Learn how the Network Access Point (NAP) configuration service provider (CSP) is used to manage and query GPRS and CDMA connections.
 ms.assetid: 82f04492-88a6-4afd-af10-a62b8d444d21
 ms.reviewer:
 manager: dansimp
diff --git a/windows/client-management/mdm/napdef-csp.md b/windows/client-management/mdm/napdef-csp.md
index 80a87e53d1..1b5f5ecdd4 100644
--- a/windows/client-management/mdm/napdef-csp.md
+++ b/windows/client-management/mdm/napdef-csp.md
@@ -1,6 +1,6 @@
 ---
 title: NAPDEF CSP
-description: NAPDEF CSP
+description: Learn how the NAPDEF configuration service provider (CSP) is used to add, modify, or delete WAP network access points (NAPs).
 ms.assetid: 9bcc65dd-a72b-4f90-aba7-4066daa06988
 ms.reviewer:
 manager: dansimp
diff --git a/windows/client-management/mdm/networkproxy-csp.md b/windows/client-management/mdm/networkproxy-csp.md index c82e246263..43aff61d37 100644 --- a/windows/client-management/mdm/networkproxy-csp.md +++ b/windows/client-management/mdm/networkproxy-csp.md @@ -1,6 +1,6 @@ --- title: NetworkProxy CSP -description: NetworkProxy CSP +description: Learn how the NetworkProxy configuration service provider (CSP) is used to configure a proxy server for ethernet and Wi-Fi connections. ms.author: dansimp ms.topic: article ms.prod: w10 diff --git a/windows/client-management/mdm/networkqospolicy-ddf.md b/windows/client-management/mdm/networkqospolicy-ddf.md index 7535a3ce20..c2d3ea4a5e 100644 --- a/windows/client-management/mdm/networkqospolicy-ddf.md +++ b/windows/client-management/mdm/networkqospolicy-ddf.md @@ -1,6 +1,6 @@ --- title: NetworkQoSPolicy DDF -description: View the OMA DM device description framework (DDF) for the NetworkQoSPolicy configuration service provider. DDF files are used only with OMA DM provisioning XML +description: View the OMA DM device description framework (DDF) for the NetworkQoSPolicy configuration service provider. DDF files are used only with OMA DM provisioning XML. ms.assetid: ms.reviewer: manager: dansimp diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md index aa0f6ee57d..6e07246916 100644 --- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md @@ -13,7 +13,7 @@ ms.prod: w10 ms.technology: windows author: manikadhiman ms.localizationpriority: medium -ms.date: 07/01/2019 +ms.date: 08/18/2020 --- # What's new in mobile device enrollment and management 
@@ -58,6 +58,8 @@ For details about Microsoft mobile device management protocols for Windows 10 s - [What is dmwappushsvc?](#what-is-dmwappushsvc) - **Change history in MDM documentation** + - [September 2020](#september-2020) + - [August 2020](#august-2020) - [July 2020](#july-2020) - [June 2020](#june-2020) - [May 2020](#may-2020) @@ -314,11 +316,7 @@ Policy, Policy/Channels, Policy/Channels/ChannelName, Policy/Channels/ChannelNam

  • Privacy/DisablePrivacyExperience
  • Privacy/UploadUserActivities
  • Security/RecoveryEnvironmentAuthentication
  • -
  • System/AllowDesktopAnalyticsProcessing
  • System/AllowDeviceNameInDiagnosticData
  • -
  • System/AllowMicrosoftManagedDesktopProcessing
  • -
  • System/AllowUpdateComplianceProcessing
  • -
  • System/AllowWUfBCloudProcessing
  • System/ConfigureMicrosoft365UploadEndpoint
  • System/DisableDeviceDelete
  • System/DisableDiagnosticDataViewer
  • @@ -441,9 +439,6 @@ Policy, Policy/Channels, Policy/Channels/ChannelName, Policy/Channels/ChannelNam
  • LocalPoliciesSecurityOptions/Devices_AllowedToFormatAndEjectRemovableMedia
  • LocalPoliciesSecurityOptions/Devices_PreventUsersFromInstallingPrinterDriversWhenConnectingToSharedPrinters
  • LocalPoliciesSecurityOptions/Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly
  • -
  • LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways
  • -
  • LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptSecureChannelDataWhenPossible
  • -
  • LocalPoliciesSecurityOptions/DomainMember_DisableMachineAccountPasswordChanges
  • LocalPoliciesSecurityOptions/InteractiveLogon_SmartCardRemovalBehavior
  • LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees
  • LocalPoliciesSecurityOptions/MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers
  • @@ -461,7 +456,6 @@ Policy, Policy/Channels, Policy/Channels/ChannelName, Policy/Channels/ChannelNam
  • LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_IncomingNTLMTraffic
  • LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_OutgoingNTLMTrafficToRemoteServers
  • LocalPoliciesSecurityOptions/Shutdown_ClearVirtualMemoryPageFile
  • -
  • LocalPoliciesSecurityOptions/SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems
  • LocalPoliciesSecurityOptions/UserAccountControl_DetectApplicationInstallationsAndPromptForElevation
  • LocalPoliciesSecurityOptions/UserAccountControl_UseAdminApprovalMode
  • Notifications/DisallowCloudNotification
  • @@ -771,7 +765,6 @@ Policy, Policy/Channels, Policy/Channels/ChannelName, Policy/Channels/ChannelNam
  • LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn
  • LocalPoliciesSecurityOptions/NetworkSecurity_AllowLocalSystemToUseComputerIdentityForNTLM
  • LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests
  • -
  • LocalPoliciesSecurityOptions/RecoveryConsole_AllowAutomaticAdministrativeLogon
  • LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn
  • LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation
  • LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForAdministrators
  • @@ -1417,6 +1410,7 @@ Policy, Policy/Channels, Policy/Channels/ChannelName, Policy/Channels/ChannelNam
  • Update/ExcludeWUDriversInQualityUpdate
  • Update/PauseFeatureUpdates
  • Update/PauseQualityUpdates
  • +
  • Update/SetProxyBehaviorForUpdateDetection
  • Update/UpdateServiceUrlAlternate (Added in the January service release of Windows 10, version 1607)
  • WindowsInkWorkspace/AllowWindowsInkWorkspace
  • WindowsInkWorkspace/AllowSuggestedAppsInWindowsInkWorkspace
  • @@ -1998,10 +1992,21 @@ What data is handled by dmwappushsvc? | It is a component handling the internal How do I turn if off? | The service can be stopped from the "Services" console on the device (Start > Run > services.msc). However, since this is a component part of the OS and required for the proper functioning of the device, we strongly recommend not to do this. | ## Change history in MDM documentation + +### September 2020 +|New or updated topic | Description| +|--- | ---| +|[Policy CSP - LocalPoliciesSecurityOptions](policy-csp-localpoliciessecurityoptions.md)|Removed the following unsupported LocalPoliciesSecurityOptions policy settings from the documentation:
    - RecoveryConsole_AllowAutomaticAdministrativeLogon
    - DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways
    - DomainMember_DigitallyEncryptSecureChannelDataWhenPossible
    - DomainMember_DisableMachineAccountPasswordChanges
    - SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems
    | + +### August 2020 +|New or updated topic | Description| +|--- | ---| +|[Policy CSP - System](policy-csp-system.md)|Removed the following policy settings:
    - System/AllowDesktopAnalyticsProcessing
    - System/AllowMicrosoftManagedDesktopProcessing
    - System/AllowUpdateComplianceProcessing
    - System/AllowWUfBCloudProcessing
    | + ### July 2020 |New or updated topic | Description| |--- | ---| -|[Policy CSP - System](policy-csp-system.md)|Added the following new policy settings:
    - System/AllowDesktopAnalyticsProcessing
    - System/AllowMicrosoftManagedDesktopProcessing
    - System/AllowUpdateComplianceProcessing
    - System/AllowWUfBCloudProcessing

    Updated the following policy setting:
    - System/AllowCommercialDataPipeline
    | +|[Policy CSP - System](policy-csp-system.md)|Added the following new policy settings:
    - System/AllowDesktopAnalyticsProcessing
    - System/AllowMicrosoftManagedDesktopProcessing
    - System/AllowUpdateComplianceProcessing
    - System/AllowWUfBCloudProcessing


    Updated the following policy setting:
    - System/AllowCommercialDataPipeline
    | ### June 2020 |New or updated topic | Description| @@ -2433,9 +2438,6 @@ How do I turn if off? | The service can be stopped from the "Services" console o
    • Bluetooth/AllowPromptedProximalConnections
    • KioskBrowser/EnableEndSessionButton
    • -
    • LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways
    • -
    • LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptSecureChannelDataWhenPossible
    • -
    • LocalPoliciesSecurityOptions/DomainMember_DisableMachineAccountPasswordChanges
    • LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AddRemoteServerExceptionsForNTLMAuthentication
    • LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AuditIncomingNTLMTraffic
    • LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_IncomingNTLMTraffic
    •
@@ -2644,7 +2646,6 @@ How do I turn if off? | The service can be stopped from the "Services" console o
    • LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients
    • LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers
    • LocalPoliciesSecurityOptions/Shutdown_ClearVirtualMemoryPageFile
    • -
    • LocalPoliciesSecurityOptions/SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems
    • LocalPoliciesSecurityOptions/UserAccountControl_DetectApplicationInstallationsAndPromptForElevation
    • LocalPoliciesSecurityOptions/UserAccountControl_UseAdminApprovalMode
    • RestrictedGroups/ConfigureGroupMembership
    •
@@ -3015,7 +3016,6 @@ How do I turn if off? | The service can be stopped from the "Services" console o
    • LocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttemptingToLogOn
    • LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn
    • LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests
    • -
    • LocalPoliciesSecurityOptions/RecoveryConsole_AllowAutomaticAdministrativeLogon
    • LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn
    • LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation
    • LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForAdministrators
    •
diff --git a/windows/client-management/mdm/nodecache-ddf-file.md b/windows/client-management/mdm/nodecache-ddf-file.md
index 7d58ebbea3..06a74f2979 100644
--- a/windows/client-management/mdm/nodecache-ddf-file.md
+++ b/windows/client-management/mdm/nodecache-ddf-file.md
@@ -1,6 +1,6 @@
 ---
 title: NodeCache DDF file
-description: NodeCache DDF file
+description: Learn about the OMA DM device description framework (DDF) for the NodeCache configuration service provider (CSP).
 ms.assetid: d7605098-12aa-4423-89ae-59624fa31236
 ms.reviewer:
 manager: dansimp
diff --git a/windows/client-management/mdm/personalization-ddf.md b/windows/client-management/mdm/personalization-ddf.md
index eef4903c8c..5a9ac5cc69 100644
--- a/windows/client-management/mdm/personalization-ddf.md
+++ b/windows/client-management/mdm/personalization-ddf.md
@@ -1,6 +1,6 @@
 ---
 title: Personalization DDF file
-description: Learn how to set the OMA DM device description framework (DDF) for the **Personalization** configuration service provider.
+description: Learn how to set the OMA DM device description framework (DDF) for the Personalization configuration service provider (CSP).
 ms.author: dansimp
 ms.topic: article
 ms.prod: w10
diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md
index 5e23762281..11b03bb578 100644
--- a/windows/client-management/mdm/policy-configuration-service-provider.md
+++ b/windows/client-management/mdm/policy-configuration-service-provider.md
@@ -1,6 +1,6 @@
 ---
 title: Policy CSP
-description: Policy CSP
+description: Learn how the Policy configuration service provider (CSP) enables the enterprise to configure policies on Windows 10.
 ms.assetid: 4F3A1134-D401-44FC-A583-6EDD3070BA4F
 ms.reviewer:
 manager: dansimp
@@ -168,6 +168,389 @@ The following diagram shows the Policy configuration service provider in tree fo
+### ADMX_AddRemovePrograms policies
+
      +
      + ADMX_AddRemovePrograms/DefaultCategory +
      +
      + ADMX_AddRemovePrograms/NoAddFromCDorFloppy +
      +
      + ADMX_AddRemovePrograms/NoAddFromInternet +
      +
      + ADMX_AddRemovePrograms/NoAddFromNetwork +
      +
      + ADMX_AddRemovePrograms/NoAddPage +
      +
      + ADMX_AddRemovePrograms/NoAddRemovePrograms +
      +
      + ADMX_AddRemovePrograms/NoChooseProgramsPage +
      +
      + ADMX_AddRemovePrograms/NoRemovePage +
      +
      + ADMX_AddRemovePrograms/NoServices +
      +
      + ADMX_AddRemovePrograms/NoSupportInfo +
      +
      + ADMX_AddRemovePrograms/NoWindowsSetupPage +
      +
      + +### ADMX_AppCompat policies + +
      +
      + ADMX_AppCompat/AppCompatPrevent16BitMach +
      +
      + ADMX_AppCompat/AppCompatRemoveProgramCompatPropPage +
      +
      + ADMX_AppCompat/AppCompatTurnOffApplicationImpactTelemetry +
      +
      + ADMX_AppCompat/AppCompatTurnOffSwitchBack +
      +
      + ADMX_AppCompat/AppCompatTurnOffEngine +
      +
      + ADMX_AppCompat/AppCompatTurnOffProgramCompatibilityAssistant_1 +
      +
      + ADMX_AppCompat/AppCompatTurnOffProgramCompatibilityAssistant_2 +
      +
      + ADMX_AppCompat/AppCompatTurnOffUserActionRecord +
      +
      + ADMX_AppCompat/AppCompatTurnOffProgramInventory +
      +
      + +### ADMX_AuditSettings policies + +
      +
      + ADMX_AuditSettings/IncludeCmdLine +
      +
      + +### ADMX_Cpls policies + +
      +
      + ADMX_CtrlAltDel/DisableChangePassword +
      +
      + ADMX_CtrlAltDel/DisableLockComputer +
      +
      + ADMX_CtrlAltDel/DisableTaskMgr +
      +
      + ADMX_CtrlAltDel/NoLogoff +
      +
      + + +### ADMX_CtrlAltDel policies +
      +
      + ADMX_Cpls/UseDefaultTile +
      +
      + +### ADMX_DigitalLocker policies +
      +
      + ADMX_DigitalLocker/Digitalx_DiableApplication_TitleText_1 +
      +
      + ADMX_DigitalLocker/Digitalx_DiableApplication_TitleText_2 +
      +
      + +### ADMX_DnsClient policies + +
      +
      + ADMX_DnsClient/DNS_AllowFQDNNetBiosQueries +
      +
      + ADMX_DnsClient/DNS_AppendToMultiLabelName +
      +
      + ADMX_DnsClient/DNS_Domain +
      +
      + ADMX_DnsClient/DNS_DomainNameDevolutionLevel +
      +
      + ADMX_DnsClient/DNS_IdnEncoding +
      +
      + ADMX_DnsClient/DNS_IdnMapping +
      +
      + ADMX_DnsClient/DNS_NameServer +
      +
      + ADMX_DnsClient/DNS_PreferLocalResponsesOverLowerOrderDns +
      +
      + ADMX_DnsClient/DNS_PrimaryDnsSuffix +
      +
      + ADMX_DnsClient/DNS_RegisterAdapterName +
      +
      + ADMX_DnsClient/DNS_RegisterReverseLookup +
      +
      + ADMX_DnsClient/DNS_RegistrationEnabled +
      +
      + ADMX_DnsClient/DNS_RegistrationOverwritesInConflict +
      +
      + ADMX_DnsClient/DNS_RegistrationRefreshInterval +
      +
      + ADMX_DnsClient/DNS_RegistrationTtl +
      +
      + ADMX_DnsClient/DNS_SearchList +
      +
      + ADMX_DnsClient/DNS_SmartMultiHomedNameResolution +
      +
      + ADMX_DnsClient/DNS_SmartProtocolReorder +
      +
      + ADMX_DnsClient/DNS_UpdateSecurityLevel +
      +
      + ADMX_DnsClient/DNS_UpdateTopLevelDomainZones +
      +
      + ADMX_DnsClient/DNS_UseDomainNameDevolution +
      +
      + ADMX_DnsClient/Turn_Off_Multicast +
      +
      + +### ADMX_DWM policies + +
      +
      + ADMX_DWM/DwmDefaultColorizationColor_1 +
      +
      + ADMX_DWM/DwmDefaultColorizationColor_2 +
      +
      + ADMX_DWM/DwmDisallowAnimations_1 +
      +
      + ADMX_DWM/DwmDisallowAnimations_2 +
      +
      + ADMX_DWM/DwmDisallowColorizationColorChanges_1 +
      +
      + ADMX_DWM/DwmDisallowColorizationColorChanges_2 +
      +
      + +### ADMX_EncryptFilesonMove policies +
      +
      + ADMX_EncryptFilesonMove/NoEncryptOnMove +
      +
      + +### ADMX_EventForwarding policies + +
      +
      + ADMX_EventForwarding/ForwarderResourceUsage +
      +
      + ADMX_EventForwarding/SubscriptionManager +
      +
      + +### ADMX_FileServerVSSProvider policies +
      +
      + ADMX_FileServerVSSProvider/Pol_EncryptProtocol +
      +
      + +### ADMX_FileSys policies +
      +
      + ADMX_FileSys/DisableCompression +
      +
      + ADMX_FileSys/DisableDeleteNotification +
      +
      + ADMX_FileSys/DisableEncryption +
      +
      + ADMX_FileSys/EnablePagefileEncryption +
      +
      + ADMX_FileSys/LongPathsEnabled +
      +
      + ADMX_FileSys/ShortNameCreationSettings +
      +
      + ADMX_FileSys/SymlinkEvaluation +
      +
      + ADMX_FileSys/TxfDeprecatedFunctionality +
      +
      + +### ADMX_FolderRedirection policies +
      +
      + ADMX_FolderRedirection/DisableFRAdminPin +
      +
      + ADMX_FolderRedirection/DisableFRAdminPinByFolder +
      +
      + ADMX_FolderRedirection/FolderRedirectionEnableCacheRename +
      +
      + ADMX_FolderRedirection/LocalizeXPRelativePaths_1 +
      +
      + ADMX_FolderRedirection/LocalizeXPRelativePaths_2 +
      +
      + ADMX_FolderRedirection/PrimaryComputer_FR_1 +
      +
      + ADMX_FolderRedirection/PrimaryComputer_FR_2 +
      +
      + +### ADMX_Help policies +
      +
      + ADMX_Help/DisableHHDEP +
      +
      + ADMX_Help/HelpQualifiedRootDir_Comp +
      +
      + ADMX_Help/RestrictRunFromHelp +
      +
      + ADMX_Help/RestrictRunFromHelp_Comp +
      +
      + +### ADMX_HelpAndSupport policies +
      +
      + ADMX_HelpAndSupport/ActiveHelp +
      +
      + ADMX_HelpAndSupport/HPExplicitFeedback +
      +
      + ADMX_HelpAndSupport/HPImplicitFeedback +
      +
      + ADMX_HelpAndSupport/HPOnlineAssistance +
      +
      + +### ADMX_kdc policies +
      +
      + ADMX_kdc/CbacAndArmor +
      +
      + ADMX_kdc/ForestSearch +
      +
      + ADMX_kdc/PKINITFreshness +
      +
      + ADMX_kdc/RequestCompoundId +
      +
      + ADMX_kdc/TicketSizeThreshold +
      +
      + ADMX_kdc/emitlili +
      +
      + +### ADMX_LanmanServer policies +
      +
      + ADMX_LanmanServer/Pol_CipherSuiteOrder +
      +
      + ADMX_LanmanServer/Pol_HashPublication +
      +
      + ADMX_LanmanServer/Pol_HashSupportVersion +
      +
      + ADMX_LanmanServer/Pol_HonorCipherSuiteOrder +
      +
      + +### ADMX_LinkLayerTopologyDiscovery policies +
      +
      + ADMX_LinkLayerTopologyDiscovery/LLTD_EnableLLTDIO +
      +
      + ADMX_LinkLayerTopologyDiscovery/LLTD_EnableRspndr +
      +
      + +### ADMX_MMC policies +
      +
      + ADMX_MMC/MMC_ActiveXControl +
      +
      + ADMX_MMC/MMC_ExtendView +
      +
      + ADMX_MMC/MMC_LinkToWeb +
      +
      + ADMX_MMC/MMC_Restrict_Author +
      +
      + ADMX_MMC/MMC_Restrict_To_Permitted_Snapins +
      +
      + ### ApplicationDefaults policies
      @@ -2339,15 +2722,6 @@ The following diagram shows the Policy configuration service provider in tree fo
      LocalPoliciesSecurityOptions/Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly
      -
      - LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways -
      -
      - LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptSecureChannelDataWhenPossible -
      -
      - LocalPoliciesSecurityOptions/DomainMember_DisableMachineAccountPasswordChanges -
      LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked
      @@ -2426,18 +2800,12 @@ The following diagram shows the Policy configuration service provider in tree fo
      LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_OutgoingNTLMTrafficToRemoteServers
      -
      - LocalPoliciesSecurityOptions/RecoveryConsole_AllowAutomaticAdministrativeLogon -
      LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn
      LocalPoliciesSecurityOptions/Shutdown_ClearVirtualMemoryPageFile
      -
      - LocalPoliciesSecurityOptions/SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems -
      LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation
      @@ -3379,9 +3747,6 @@ The following diagram shows the Policy configuration service provider in tree fo
      System/AllowCommercialDataPipeline
      -
      - System/AllowDesktopAnalyticsProcessing -
      System/AllowDeviceNameInDiagnosticData
      @@ -3397,24 +3762,15 @@ The following diagram shows the Policy configuration service provider in tree fo
      System/AllowLocation
      -
      - System/AllowMicrosoftManagedDesktopProcessing -
      System/AllowStorageCard
      System/AllowTelemetry -
      -
      - System/AllowUpdateComplianceProcessing
      System/AllowUserToResetPhone
      -
      - System/AllowWUfBCloudProcessing -
      System/BootStartDriverInitialization
      @@ -3771,6 +4127,9 @@ The following diagram shows the Policy configuration service provider in tree fo
      Update/SetEDURestart
      +
      + Update/SetProxyBehaviorForUpdateDetection +
      Update/TargetReleaseVersion
      
diff --git a/windows/client-management/mdm/policy-csp-abovelock.md b/windows/client-management/mdm/policy-csp-abovelock.md
index ebc28b415c..23c1bb8142 100644
--- a/windows/client-management/mdm/policy-csp-abovelock.md
+++ b/windows/client-management/mdm/policy-csp-abovelock.md
@@ -1,6 +1,6 @@
 ---
 title: Policy CSP - AboveLock
-description: Learn the various AboveLock Policy CSP for Windows editions of Home, Pro, Business, and more.
+description: Learn the various AboveLock Policy configuration service provider (CSP) for Windows editions of Home, Pro, Business, and more.
 ms.author: dansimp
 ms.localizationpriority: medium
 ms.topic: article
diff --git a/windows/client-management/mdm/policy-csp-accounts.md b/windows/client-management/mdm/policy-csp-accounts.md
index fad4a74ad7..4367ed3ed6 100644
--- a/windows/client-management/mdm/policy-csp-accounts.md
+++ b/windows/client-management/mdm/policy-csp-accounts.md
@@ -1,6 +1,6 @@
 ---
 title: Policy CSP - Accounts
-description: Policy CSP - Accounts
+description: Learn about the Policy configuration service provider (CSP). This articles describes account policies.
 ms.author: dansimp
 ms.localizationpriority: medium
 ms.topic: article
diff --git a/windows/client-management/mdm/policy-csp-activexcontrols.md b/windows/client-management/mdm/policy-csp-activexcontrols.md
index 9c2b674cee..d760021b1e 100644
--- a/windows/client-management/mdm/policy-csp-activexcontrols.md
+++ b/windows/client-management/mdm/policy-csp-activexcontrols.md
@@ -1,6 +1,6 @@
 ---
 title: Policy CSP - ActiveXControls
-description: Learn the ins and outs of various Policy CSP - ActiveXControls settings, including SyncML, for Windows 10.
+description: Learn about various Policy configuration service provider (CSP) - ActiveXControls settings, including SyncML, for Windows 10.
 ms.author: dansimp
 ms.localizationpriority: medium
 ms.topic: article
diff --git a/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md b/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md
new file mode 100644
index 0000000000..36128621e3
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md
@@ -0,0 +1,954 @@
+---
+title: Policy CSP - ADMX_AddRemovePrograms
+description: Policy CSP - ADMX_AddRemovePrograms
+ms.author: dansimp
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.localizationpriority: medium
+ms.date: 08/13/2020
+ms.reviewer:
+manager: dansimp
+---
+
+# Policy CSP - ADMX_AddRemovePrograms
+
+> [!WARNING]
+> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+
+
      + + +## Policy CSP - ADMX_AddRemovePrograms + +
      +
      + ADMX_AddRemovePrograms/DefaultCategory +
      +
      + ADMX_AddRemovePrograms/NoAddFromCDorFloppy +
      +
      + ADMX_AddRemovePrograms/NoAddFromInternet +
      +
      + ADMX_AddRemovePrograms/NoAddFromNetwork +
      +
      + ADMX_AddRemovePrograms/NoAddPage +
      +
      + ADMX_AddRemovePrograms/NoAddRemovePrograms +
      +
      + ADMX_AddRemovePrograms/NoChooseProgramsPage +
      +
      + ADMX_AddRemovePrograms/NoRemovePage +
      +
      + ADMX_AddRemovePrograms/NoServices +
      +
      + ADMX_AddRemovePrograms/NoSupportInfo +
      +
      + ADMX_AddRemovePrograms/NoWindowsSetupPage +
      +
      + + +
      + + +**ADMX_AddRemovePrograms/DefaultCategory** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
      + + + + +Available in Windows 10 Insider Preview Build 20185. The policy setting specifies the category of programs that appears when users open the "Add New Programs" page. If you enable this setting, only the programs in the category you specify are displayed when the "Add New Programs" page opens. You can use the Category box on the "Add New Programs" page to display programs in other categories. + +To use this setting, type the name of a category in the Category box for this setting. You must enter a category that is already defined in Add or Remove Programs. To define a category, use Software Installation. + +If you disable this setting or do not configure it, all programs (Category: All) are displayed when the "Add New Programs" page opens. You can use this setting to direct users to the programs they are most likely to need. + +> [!NOTE] +> This setting is ignored if either the "Remove Add or Remove Programs" setting or the "Hide Add New Programs page" setting is enabled. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Specify default category for Add New Programs* +- GP name: *DefaultCategory* +- GP path: *Control Panel/Add or Remove Programs* +- GP ADMX file name: *addremoveprograms.admx* + + + + + + + + + + + + + +
      + + +**ADMX_AddRemovePrograms/NoAddFromCDorFloppy** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
      + + + + +Available in Windows 10 Insider Preview Build 20185. This policy setting removes the "Add a program from CD-ROM or floppy disk" section from the Add New Programs page. This prevents users from using Add or Remove Programs to install programs from removable media. + +If you disable this setting or do not configure it, the "Add a program from CD-ROM or floppy disk" option is available to all users. This setting does not prevent users from using other tools and methods to add or remove program components. + +> [!NOTE] +> If the "Hide Add New Programs page" setting is enabled, this setting is ignored. Also, if the "Prevent removable media source for any install" setting (located in User Configuration\Administrative Templates\Windows Components\Windows Installer) is enabled, users cannot add programs from removable media, regardless of this setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Hide the "Add a program from CD-ROM or floppy disk" option* +- GP name: *NoAddFromCDorFloppy* +- GP path: *Control Panel/Add or Remove Programs* +- GP ADMX file name: *addremoveprograms.admx* + + + + + + + + + + + + + +
      + + +**ADMX_AddRemovePrograms/NoAddFromInternet** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
      + + + + +Available in Windows 10 Insider Preview Build 20185. This policy setting removes the "Add programs from Microsoft" section from the Add New Programs page. This setting prevents users from using Add or Remove Programs to connect to Windows Update. + +If you disable this setting or do not configure it, "Add programs from Microsoft" is available to all users. This setting does not prevent users from using other tools and methods to connect to Windows Update. + +> [!NOTE] +> If the "Hide Add New Programs page" setting is enabled, this setting is ignored. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Hide the "Add programs from Microsoft" option* +- GP name: *NoAddFromInternet* +- GP path: *Control Panel/Add or Remove Programs* +- GP ADMX file name: *addremoveprograms.admx* + + + + + + + + + + + + + +
      + + +**ADMX_AddRemovePrograms/NoAddFromNetwork** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
      + + + + +Available in Windows 10 Insider Preview Build 20185. This policy setting prevents users from viewing or installing published programs. This setting removes the "Add programs from your network" section from the Add New Programs page. The "Add programs from your network" section lists published programs and provides an easy way to install them. Published programs are those programs that the system administrator has explicitly made available to the user with a tool such as Windows Installer. Typically, system administrators publish programs to notify users that the programs are available, to recommend their use, or to enable users to install them without having to search for installation files. + +If you enable this setting, users cannot tell which programs have been published by the system administrator, and they cannot use Add or Remove Programs to install published programs. However, they can still install programs by using other methods, and they can view and install assigned (partially installed) programs that are offered on the desktop or on the Start menu. + +If you disable this setting or do not configure it, "Add programs from your network" is available to all users. + +> [!NOTE] +> If the "Hide Add New Programs page" setting is enabled, this setting is ignored. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
+ + +ADMX Info: +- GP English name: *Hide the "Add programs from your network" option* +- GP name: *NoAddFromNetwork* +- GP path: *Control Panel/Add or Remove Programs* +- GP ADMX file name: *addremoveprograms.admx* + + + + + + + + + + + + +
      + + +**ADMX_AddRemovePrograms/NoAddPage** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
      + + + + +Available in Windows 10 Insider Preview Build 20185. This policy setting removes the Add New Programs button from the Add or Remove Programs bar. As a result, users cannot view or change the attached page. The Add New Programs button lets users install programs published or assigned by a system administrator. + +If you disable this setting or do not configure it, the Add New Programs button is available to all users. This setting does not prevent users from using other tools and methods to install programs. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Hide Add New Programs page* +- GP name: *NoAddPage* +- GP path: *Control Panel/Add or Remove Programs* +- GP ADMX file name: *addremoveprograms.admx* + + + + + + + + + + + + + +
      + + +**ADMX_AddRemovePrograms/NoAddRemovePrograms** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
      + + + + +Available in Windows 10 Insider Preview Build 20185. This policy setting prevents users from using Add or Remove Programs. This setting removes Add or Remove Programs from Control Panel and removes the Add or Remove Programs item from menus. Add or Remove Programs lets users install, uninstall, repair, add, and remove features and components of Windows 2000 Professional and a wide variety of Windows programs. Programs published or assigned to the user appear in Add or Remove Programs. + +If you disable this setting or do not configure it, Add or Remove Programs is available to all users. When enabled, this setting takes precedence over the other settings in this folder. This setting does not prevent users from using other tools and methods to install or uninstall programs. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove Add or Remove Programs* +- GP name: *NoAddRemovePrograms* +- GP path: *Control Panel/Add or Remove Programs* +- GP ADMX file name: *addremoveprograms.admx* + + + + + + + + + + + + + +
      + + +**ADMX_AddRemovePrograms/NoChooseProgramsPage** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
      + + + + +Available in Windows 10 Insider Preview Build 20185. This policy setting removes the Set Program Access and Defaults button from the Add or Remove Programs bar. As a result, users cannot view or change the associated page. The Set Program Access and Defaults button lets administrators specify default programs for certain activities, such as Web browsing or sending e-mail, as well as which programs are accessible from the Start menu, desktop, and other locations. + +If you disable this setting or do not configure it, the Set Program Access and Defaults button is available to all users. This setting does not prevent users from using other tools and methods to change program access or defaults. This setting does not prevent the Set Program Access and Defaults icon from appearing on the Start menu. See the "Remove Set Program Access and Defaults from Start menu" setting. + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Hide the Set Program Access and Defaults page* +- GP name: *NoChooseProgramsPage* +- GP path: *Control Panel/Add or Remove Programs* +- GP ADMX file name: *addremoveprograms.admx* + + + + + + + + + + + + + +
      + + +**ADMX_AddRemovePrograms/NoRemovePage** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
      + + + + +Available in Windows 10 Insider Preview Build 20185. This policy setting removes the Change or Remove Programs button from the Add or Remove Programs bar. As a result, users cannot view or change the attached page. The Change or Remove Programs button lets users uninstall, repair, add, or remove features of installed programs. + +If you disable this setting or do not configure it, the Change or Remove Programs page is available to all users. This setting does not prevent users from using other tools and methods to delete or uninstall programs. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Hide Change or Remove Programs page* +- GP name: *NoRemovePage* +- GP path: *Control Panel/Add or Remove Programs* +- GP ADMX file name: *addremoveprograms.admx* + + + + + + + + + + + + + +
      + + +**ADMX_AddRemovePrograms/NoServices** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
      + + + + +Available in Windows 10 Insider Preview Build 20185. This policy setting prevents users from using Add or Remove Programs to configure installed services. This setting removes the "Set up services" section of the Add/Remove Windows Components page. The "Set up services" section lists system services that have not been configured and offers users easy access to the configuration tools. + +If you disable this setting or do not configure it, "Set up services" appears only when there are unconfigured system services. If you enable this setting, "Set up services" never appears. This setting does not prevent users from using other methods to configure services. + +> [!NOTE] +> When "Set up services" does not appear, clicking the Add/Remove Windows Components button starts the Windows Component Wizard immediately. Because the only remaining option on the Add/Remove Windows Components page starts the wizard, that option is selected automatically, and the page is bypassed. To remove "Set up services" and prevent the Windows Component Wizard from starting, enable the "Hide Add/Remove Windows Components page" setting. If the "Hide Add/Remove Windows Components page" setting is enabled, this setting is ignored. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
+ + +ADMX Info: +- GP English name: *Go directly to Components Wizard* +- GP name: *NoServices* +- GP path: *Control Panel/Add or Remove Programs* +- GP ADMX file name: *addremoveprograms.admx* + + + + + + + + + + + + + +
      + + +**ADMX_AddRemovePrograms/NoSupportInfo** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
      + + + + +Available in Windows 10 Insider Preview Build 20185. This policy setting removes links to the Support Info dialog box from programs on the Change or Remove Programs page. Programs listed on the Change or Remove Programs page can include a "Click here for support information" hyperlink. When clicked, the hyperlink opens a dialog box that displays troubleshooting information, including a link to the installation files and data that users need to obtain product support, such as the Product ID and version number of the program. The dialog box also includes a hyperlink to support information on the Internet, such as the Microsoft Product Support Services Web page. + +If you disable this setting or do not configure it, the Support Info hyperlink appears. + +> [!NOTE] +> Not all programs provide a support information hyperlink. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove Support Information* +- GP name: *NoSupportInfo* +- GP path: *Control Panel/Add or Remove Programs* +- GP ADMX file name: *addremoveprograms.admx* + + + + + + + + + + + + + +
      + + +**ADMX_AddRemovePrograms/NoWindowsSetupPage** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
      + + + + +Available in Windows 10 Insider Preview Build 20185. This policy setting removes the Add/Remove Windows Components button from the Add or Remove Programs bar. As a result, users cannot view or change the associated page. The Add/Remove Windows Components button lets users configure installed services and use the Windows Component Wizard to add, remove, and configure components of Windows from the installation files. + +If you disable this setting or do not configure it, the Add/Remove Windows Components button is available to all users. This setting does not prevent users from using other tools and methods to configure services or add or remove program components. However, this setting blocks user access to the Windows Component Wizard. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Hide Add/Remove Windows Components page* +- GP name: *NoWindowsSetupPage* +- GP path: *Control Panel/Add or Remove Programs* +- GP ADMX file name: *addremoveprograms.admx* + + + + + + + + + + + + + +Footnotes: + +- 1 - Available in Windows 10, version 1607. +- 2 - Available in Windows 10, version 1703. +- 3 - Available in Windows 10, version 1709. +- 4 - Available in Windows 10, version 1803. +- 5 - Available in Windows 10, version 1809. +- 6 - Available in Windows 10, version 1903. 
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-admx-appcompat.md b/windows/client-management/mdm/policy-csp-admx-appcompat.md
new file mode 100644
index 0000000000..ef0f985661
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-admx-appcompat.md
@@ -0,0 +1,744 @@
+---
+title: Policy CSP - ADMX_AppCompat
+description: Policy CSP - ADMX_AppCompat
+ms.author: dansimp
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.localizationpriority: medium
+ms.date: 08/20/2020
+ms.reviewer:
+manager: dansimp
+---
+
+# Policy CSP - ADMX_AppCompat
+
+> [!WARNING]
+> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+
+
      + + +## Policy CSP - ADMX_AppCompat + +
      +
      + ADMX_AppCompat/AppCompatPrevent16BitMach + +
      +
      + ADMX_AppCompat/AppCompatRemoveProgramCompatPropPage + +
      +
      + ADMX_AppCompat/AppCompatTurnOffApplicationImpactTelemetry + +
      +
      + ADMX_AppCompat/AppCompatTurnOffSwitchBack + +
      +
      + ADMX_AppCompat/AppCompatTurnOffEngine + +
      +
      + ADMX_AppCompat/AppCompatTurnOffProgramCompatibilityAssistant_1 + +
      +
      + ADMX_AppCompat/AppCompatTurnOffProgramCompatibilityAssistant_2 + +
      +
      + ADMX_AppCompat/AppCompatTurnOffUserActionRecord + +
      +
      + ADMX_AppCompat/AppCompatTurnOffProgramInventory + +
      +
      + + +
      + + +**ADMX_AppCompat/AppCompatPrevent16BitMach** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether to prevent the MS-DOS subsystem (**ntvdm.exe**) from running on this computer. This setting affects the launching of 16-bit applications in the operating system. + +You can use this setting to turn off the MS-DOS subsystem, which will reduce resource usage and prevent users from running 16-bit applications. To run any 16-bit application or any application with 16-bit components, **ntvdm.exe** must be allowed to run. The MS-DOS subsystem starts when the first 16-bit application is launched. While the MS-DOS subsystem is running, any subsequent 16-bit applications launch faster, but overall resource usage on the system is increased. + +If the status is set to Enabled, the MS-DOS subsystem is prevented from running, which then prevents any 16-bit applications from running. In addition, any 32-bit applications with 16-bit installers or other 16-bit components cannot run. + +If the status is set to Disabled, the MS-DOS subsystem runs for all users on this computer. + +If the status is set to Not Configured, the OS falls back on a local policy set by the registry DWORD value **HKLM\System\CurrentControlSet\Control\WOW\DisallowedPolicyDefault**. If that value is non-0, this prevents all 16-bit applications from running. If that value is 0, 16-bit applications are allowed to run. If that value is also not present, on Windows 10 and above, the OS will launch the 16-bit application support control panel to allow an elevated administrator to make the decision; on Windows 7 and down-level, the OS will allow 16-bit applications to run. + +> [!NOTE] +> This setting appears only in Computer Configuration. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. 
For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prevent access to 16-bit applications* +- GP name: *AppCompatPrevent16BitMach* +- GP path: *Windows Components/Application Compatibility* +- GP ADMX file name: *AppCompat.admx* + + + + +
      + + +**ADMX_AppCompat/AppCompatRemoveProgramCompatPropPage** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Available in Windows 10 Insider Preview Build 20185. This policy setting controls the visibility of the Program Compatibility property page shell extension. This shell extension is visible on the property context-menu of any program shortcut or executable file. + +The compatibility property page displays a list of options that can be selected and applied to the application to resolve the most common issues affecting legacy applications. + +Enabling this policy setting removes the property page from the context-menus, but does not affect previous compatibility settings applied to application using this interface. + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove Program Compatibility Property Page* +- GP name: *AppCompatRemoveProgramCompatPropPage* +- GP path: *Windows Components/Application Compatibility* +- GP ADMX file name: *AppCompat.admx* + + + + +
      + + +**ADMX_AppCompat/AppCompatTurnOffApplicationImpactTelemetry** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Available in Windows 10 Insider Preview Build 20185. The policy setting controls the state of the Application Telemetry engine in the system. + +Application Telemetry is a mechanism that tracks anonymous usage of specific Windows system components by applications. + +Turning Application Telemetry off by selecting "enable" will stop the collection of usage data. + +If the customer Experience Improvement program is turned off, Application Telemetry will be turned off regardless of how this policy is set. + +Disabling telemetry will take effect on any newly launched applications. To ensure that telemetry collection has stopped for all applications, please reboot your machine. + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off Application Telemetry* +- GP name: *AppCompatTurnOffApplicationImpactTelemetry* +- GP path: *Windows Components/Application Compatibility* +- GP ADMX file name: *AppCompat.admx* + + + + +
      + + +**ADMX_AppCompat/AppCompatTurnOffSwitchBack** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Available in Windows 10 Insider Preview Build 20185. The policy setting controls the state of the Switchback compatibility engine in the system. + +Switchback is a mechanism that provides generic compatibility mitigations to older applications by providing older behavior to old applications and new behavior to new applications. + +Switchback is on by default. + +If you enable this policy setting, Switchback will be turned off. Turning Switchback off may degrade the compatibility of older applications. This option is useful for server administrators who require performance and are aware of compatibility of the applications they are using. + +If you disable or do not configure this policy setting, the Switchback will be turned on. + +Reboot the system after changing the setting to ensure that your system accurately reflects those changes. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off SwitchBack Compatibility Engine* +- GP name: *AppCompatTurnOffSwitchBack* +- GP path: *Windows Components/Application Compatibility* +- GP ADMX file name: *AppCompat.admx* + + + + +
      + + +**ADMX_AppCompat/AppCompatTurnOffEngine** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Available in Windows 10 Insider Preview Build 20185. This policy setting controls the state of the application compatibility engine in the system. + +The engine is part of the loader and looks through a compatibility database every time an application is started on the system. If a match for the application is found it provides either run-time solutions or compatibility fixes, or displays an Application Help message if the application has a know problem. + +Turning off the application compatibility engine will boost system performance. However, this will degrade the compatibility of many popular legacy applications, and will not block known incompatible applications from installing. For example, this may result in a blue screen if an old anti-virus application is installed. + +The Windows Resource Protection and User Account Control features of Windows use the application compatibility engine to provide mitigations for application problems. If the engine is turned off, these mitigations will not be applied to applications and their installers and these applications may fail to install or run properly. + +This option is useful to server administrators who require faster performance and are aware of the compatibility of the applications they are using. It is particularly useful for a web server where applications may be launched several hundred times a second, and the performance of the loader is essential. + +> [!NOTE] +> Many system processes cache the value of this setting for performance reasons. If you make changes to this setting, reboot to ensure that your system accurately reflects those changes. + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. 
For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off Application Compatibility Engine* +- GP name: *AppCompatTurnOffEngine* +- GP path: *Windows Components/Application Compatibility* +- GP ADMX file name: *AppCompat.admx* + + + + +
      + + +**ADMX_AppCompat/AppCompatTurnOffProgramCompatibilityAssistant_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
      + + + +Available in Windows 10 Insider Preview Build 20185. This policy setting exists only for backward compatibility, and is not valid for this version of Windows. To configure the Program Compatibility Assistant, use the 'Turn off Program Compatibility Assistant' setting under Computer Configuration\Administrative Templates\Windows Components\Application Compatibility. + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off Program Compatibility Assistant* +- GP name: *AppCompatTurnOffProgramCompatibilityAssistant_1* +- GP path: *Windows Components/Application Compatibility* +- GP ADMX file name: *AppCompat.admx* + + + + +
      + + +**ADMX_AppCompat/AppCompatTurnOffProgramCompatibilityAssistant_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Available in Windows 10 Insider Preview Build 20185. This policy setting controls the state of the Program Compatibility Assistant (PCA). The PCA monitors applications run by the user. When a potential compatibility issue with an application is detected, the PCA will prompt the user with recommended solutions. To configure the diagnostic settings for the PCA, go to System->Troubleshooting and Diagnostics->Application Compatibility Diagnostics. + +If you enable this policy setting, the PCA will be turned off. The user will not be presented with solutions to known compatibility issues when running applications. Turning off the PCA can be useful for system administrators who require better performance and are already aware of application compatibility issues. + +If you disable or do not configure this policy setting, the PCA will be turned on. To configure the diagnostic settings for the PCA, go to System->Troubleshooting and Diagnostics->Application Compatibility Diagnostics. + +> [!NOTE] +> The Diagnostic Policy Service (DPS) and Program Compatibility Assistant Service must be running for the PCA to run. These services can be configured by using the Services snap-in to the Microsoft Management Console. + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
+
+
+ADMX Info:
+- GP English name: *Turn off Program Compatibility Assistant*
+- GP name: *AppCompatTurnOffProgramCompatibilityAssistant_2*
+- GP path: *Windows Components/Application Compatibility*
+- GP ADMX file name: *AppCompat.admx*
+
+
+
+
+
      + + +**ADMX_AppCompat/AppCompatTurnOffUserActionRecord** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Available in Windows 10 Insider Preview Build 20185. This policy setting controls the state of Steps Recorder. + +Steps Recorder keeps a record of steps taken by the user. The data generated by Steps Recorder can be used in feedback systems such as Windows Error Reporting to help developers understand and fix problems. The data includes user actions such as keyboard input and mouse input, user interface data, and screenshots. Steps Recorder includes an option to turn on and off data collection. + +If you enable this policy setting, Steps Recorder will be disabled. + +If you disable or do not configure this policy setting, Steps Recorder will be enabled. + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off Steps Recorder* +- GP name: *AppCompatTurnOffUserActionRecord* +- GP path: *Windows Components/Application Compatibility* +- GP ADMX file name: *AppCompat.admx* + + + + +
      + + +**ADMX_AppCompat/AppCompatTurnOffProgramInventory** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Available in Windows 10 Insider Preview Build 20185. This policy setting controls the state of the Inventory Collector. + +The Inventory Collector inventories applications, files, devices, and drivers on the system and sends the information to Microsoft. This information is used to help diagnose compatibility problems. + +If you enable this policy setting, the Inventory Collector will be turned off and data will not be sent to Microsoft. Collection of installation data through the Program Compatibility Assistant is also disabled. + +If you disable or do not configure this policy setting, the Inventory Collector will be turned on. + +> [!NOTE] +> This policy setting has no effect if the Customer Experience Improvement Program is turned off. The Inventory Collector will be off. + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off Inventory Collector* +- GP name: *AppCompatTurnOffProgramInventory* +- GP path: *Windows Components/Application Compatibility* +- GP ADMX file name: *AppCompat.admx* + + + + +Footnotes: + +- 1 - Available in Windows 10, version 1607. +- 2 - Available in Windows 10, version 1703. +- 3 - Available in Windows 10, version 1709. +- 4 - Available in Windows 10, version 1803. +- 5 - Available in Windows 10, version 1809. +- 6 - Available in Windows 10, version 1903. 
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-admx-auditsettings.md b/windows/client-management/mdm/policy-csp-admx-auditsettings.md
new file mode 100644
index 0000000000..1417d0598a
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-admx-auditsettings.md
@@ -0,0 +1,119 @@
+---
+title: Policy CSP - ADMX_AuditSettings
+description: Policy CSP - ADMX_AuditSettings
+ms.author: dansimp
+ms.localizationpriority: medium
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.date: 08/13/2020
+ms.reviewer:
+manager: dansimp
+---
+
+# Policy CSP - ADMX_AuditSettings
+> [!WARNING]
+> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+
+
      + + +## ADMX_AuditSettings policies + +
      +
      + ADMX_AuditSettings/IncludeCmdLine +
      +
      + + +
      + + +**ADMX_AuditSettings/IncludeCmdLine** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting determines what information is logged in security audit events when a new process has been created. This setting only applies when the Audit Process Creation policy is enabled.
+
+If you enable this policy setting, the command line information for every process will be logged in plain text in the security event log as part of the Audit Process Creation event 4688, "a new process has been created," on the workstations and servers on which this policy setting is applied.
+
+If you disable or do not configure this policy setting, the process's command line information will not be included in Audit Process Creation events.
+
+Default is Not configured.
+
+> [!NOTE]
+> When this policy setting is enabled, any user with access to read the security events will be able to read the command line arguments for any successfully created process. Command line arguments can contain sensitive or private information, such as passwords or user data.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Include command line in process creation events*
+- GP name: *IncludeCmdLine*
+- GP path: *System/Audit Process Creation*
+- GP ADMX file name: *AuditSettings.admx*
+
+
+
+
+
+Footnotes:
+
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-admx-ciphersuiteorder.md b/windows/client-management/mdm/policy-csp-admx-ciphersuiteorder.md
new file mode 100644
index 0000000000..627b8ea61c
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-admx-ciphersuiteorder.md
@@ -0,0 +1,203 @@
+---
+title: Policy CSP - ADMX_CipherSuiteOrder
+description: Policy CSP - ADMX_CipherSuiteOrder
+ms.author: dansimp
+ms.localizationpriority: medium
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.date: 08/17/2020
+ms.reviewer:
+manager: dansimp
+---
+
+# Policy CSP - ADMX_CipherSuiteOrder
+
+> [!WARNING]
+> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+
+
+
+
+## ADMX_CipherSuiteOrder policies
+
+
      +
      + ADMX_CipherSuiteOrder/SSLCipherSuiteOrder +
      +
      + ADMX_CipherSuiteOrder/SSLCurveOrder +
      +
      + + +
      + + +**ADMX_CipherSuiteOrder/SSLCipherSuiteOrder** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting determines the cipher suites used by the Secure Socket Layer (SSL).
+
+If you enable this policy setting, SSL cipher suites are prioritized in the order specified.
+
+If you disable or do not configure this policy setting, default cipher suite order is used.
+
+For information about supported cipher suites, see [Cipher Suites in TLS/SSL (Schannel SSP)](https://go.microsoft.com/fwlink/?LinkId=517265).
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *SSL Cipher Suite Order*
+- GP name: *Functions*
+- GP path: *Network/SSL Configuration Settings*
+- GP ADMX file name: *CipherSuiteOrder.admx*
+
+
+
+
      + +
      + + +**ADMX_CipherSuiteOrder/SSLCurveOrder** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting determines the priority order of ECC curves used with ECDHE cipher suites.
+
+If you enable this policy setting, ECC curves are prioritized in the order specified. Enter one curve name per line.
+
+If you disable or do not configure this policy setting, the default ECC curve order is used.
+
+The default curve order is as follows:
+
+- curve25519
+- NistP256
+- NistP384
+
+To see all the curves supported on the system, enter the following command:
+
+``` cmd
+CertUtil.exe -DisplayEccCurve
+```
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *ECC Curve Order*
+- GP name: *EccCurves*
+- GP path: *Network/SSL Configuration Settings*
+- GP ADMX file name: *CipherSuiteOrder.admx*
+
+
+
+
+
+Footnotes:
+
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-admx-com.md b/windows/client-management/mdm/policy-csp-admx-com.md
new file mode 100644
index 0000000000..d7be4635d6
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-admx-com.md
@@ -0,0 +1,197 @@
+---
+title: Policy CSP - ADMX_COM
+description: Policy CSP - ADMX_COM
+ms.author: dansimp
+ms.localizationpriority: medium
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.date: 08/18/2020
+ms.reviewer:
+manager: dansimp
+---
+
+# Policy CSP - ADMX_COM
+
+> [!WARNING]
+> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+
+
+
+
+## ADMX_COM policies
+
+
      +
      + ADMX_COM/AppMgmt_COM_SearchForCLSID_1 +
      +
      + ADMX_COM/AppMgmt_COM_SearchForCLSID_2 +
      +
      + + +
      + + +**ADMX_COM/AppMgmt_COM_SearchForCLSID_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting directs the system to search Active Directory for missing Component Object Model (COM) components that a program requires.
+
+Many Windows programs, such as the MMC snap-ins, use the interfaces provided by the COM components. These programs cannot perform all their functions unless Windows has internally registered the required components.
+
+If you enable this policy setting and a component registration is missing, the system searches for it in Active Directory and, if it is found, downloads it. The resulting searches might make some programs start or run slowly.
+
+If you disable or do not configure this policy setting, the program continues without the registration. As a result, the program might not perform all its functions, or it might stop.
+
+This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Download missing COM components*
+- GP name: *COMClassStore*
+- GP path: *System*
+- GP ADMX file name: *COM.admx*
+
+
+
+
      + +
      + + +**ADMX_COM/AppMgmt_COM_SearchForCLSID_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting directs the system to search Active Directory for missing Component Object Model (COM) components that a program requires.
+
+Many Windows programs, such as the MMC snap-ins, use the interfaces provided by the COM components. These programs cannot perform all their functions unless Windows has internally registered the required components.
+
+If you enable this policy setting and a component registration is missing, the system searches for it in Active Directory and, if it is found, downloads it. The resulting searches might make some programs start or run slowly.
+
+If you disable or do not configure this policy setting, the program continues without the registration. As a result, the program might not perform all its functions, or it might stop.
+
+This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Download missing COM components*
+- GP name: *COMClassStore*
+- GP path: *System*
+- GP ADMX file name: *COM.admx*
+
+
+
+
+
+Footnotes:
+
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-admx-cpls.md b/windows/client-management/mdm/policy-csp-admx-cpls.md
new file mode 100644
index 0000000000..21bf8792f1
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-admx-cpls.md
@@ -0,0 +1,117 @@
+---
+title: Policy CSP - ADMX_Cpls
+description: Policy CSP - ADMX_Cpls
+ms.author: dansimp
+ms.localizationpriority: medium
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.date: 08/26/2020
+ms.reviewer:
+manager: dansimp
+---
+
+# Policy CSP - ADMX_Cpls
+> [!WARNING]
+> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+
+
+
+
+## ADMX_Cpls policies
+
+
      +
      + ADMX_Cpls/UseDefaultTile +
      +
      + + +
      + + +**ADMX_Cpls/UseDefaultTile** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting allows an administrator to standardize the account pictures for all users on a system to the default account picture. One application for this policy setting is to standardize the account pictures to a company logo.
+
+> [!NOTE]
+> The default account picture is stored at %PROGRAMDATA%\Microsoft\User Account Pictures\user.jpg. The default guest picture is stored at %PROGRAMDATA%\Microsoft\User Account Pictures\guest.jpg. If the default pictures do not exist, an empty frame is displayed.
+
+If you enable this policy setting, the default user account picture will display for all users on the system with no customization allowed.
+
+If you disable or do not configure this policy setting, users will be able to customize their account pictures.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Apply the default account picture to all users*
+- GP name: *UseDefaultTile*
+- GP path: *Control Panel/User Accounts*
+- GP ADMX file name: *Cpls.admx*
+
+
+
+
+
+Footnotes:
+
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-admx-ctrlaltdel.md b/windows/client-management/mdm/policy-csp-admx-ctrlaltdel.md
new file mode 100644
index 0000000000..9ecc74d2e9
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-admx-ctrlaltdel.md
@@ -0,0 +1,339 @@
+---
+title: Policy CSP - ADMX_CtrlAltDel
+description: Policy CSP - ADMX_CtrlAltDel
+ms.author: dansimp
+ms.localizationpriority: medium
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.date: 08/26/2020
+ms.reviewer:
+manager: dansimp
+---
+
+# Policy CSP - ADMX_CtrlAltDel
+> [!WARNING]
+> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+
+
+
+
+## ADMX_CtrlAltDel policies
+
+
      +
      + ADMX_CtrlAltDel/DisableChangePassword +
      +
      + ADMX_CtrlAltDel/DisableLockComputer +
      +
      + ADMX_CtrlAltDel/DisableTaskMgr +
      +
      + ADMX_CtrlAltDel/NoLogoff +
      +
      + + +
      + + +**ADMX_CtrlAltDel/DisableChangePassword** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting prevents users from changing their Windows password on demand.
+
+If you enable this policy setting, the 'Change Password' button on the Windows Security dialog box will not appear when you press Ctrl+Alt+Del.
+
+However, users are still able to change their password when prompted by the system. The system prompts users for a new password when an administrator requires a new password or their password is expiring.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Remove Change Password*
+- GP name: *DisableChangePassword*
+- GP path: *System/Ctrl+Alt+Del Options*
+- GP ADMX file name: *CtrlAltDel.admx*
+
+
+
+
+
      + + +**ADMX_CtrlAltDel/DisableLockComputer** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting prevents users from locking the system.
+
+While locked, the desktop is hidden and the system cannot be used. Only the user who locked the system or the system administrator can unlock it.
+
+If you enable this policy setting, users cannot lock the computer from the keyboard using Ctrl+Alt+Del.
+
+If you disable or do not configure this policy setting, users will be able to lock the computer from the keyboard using Ctrl+Alt+Del.
+
+> [!TIP]
+> To lock a computer without configuring a setting, press Ctrl+Alt+Delete, and then click Lock this computer.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Remove Lock Computer*
+- GP name: *DisableLockWorkstation*
+- GP path: *System/Ctrl+Alt+Del Options*
+- GP ADMX file name: *CtrlAltDel.admx*
+
+
+
+
      + + +**ADMX_CtrlAltDel/DisableTaskMgr** + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting prevents users from starting Task Manager.
+
+Task Manager (**taskmgr.exe**) lets users start and stop programs, monitor the performance of their computers, view and monitor all programs running on their computers, including system services, find the executable names of programs, and change the priority of the process in which programs run.
+
+If you enable this policy setting, users will not be able to access Task Manager. If users try to start Task Manager, a message appears explaining that a policy prevents the action.
+
+If you disable or do not configure this policy setting, users can access Task Manager to start and stop programs, monitor the performance of their computers, view and monitor all programs running on their computers, including system services, find the executable names of programs, and change the priority of the process in which programs run.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Remove Task Manager*
+- GP name: *DisableTaskMgr*
+- GP path: *System/Ctrl+Alt+Del Options*
+- GP ADMX file name: *CtrlAltDel.admx*
+
+
+
+
      + + +**ADMX_CtrlAltDel/NoLogoff** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting disables or removes all menu items and buttons that log the user off the system.
+
+If you enable this policy setting, users will not see the Log off menu item when they press Ctrl+Alt+Del. This will prevent them from logging off unless they restart or shutdown the computer, or clicking Log off from the Start menu.
+
+Also, see the 'Remove Logoff on the Start Menu' policy setting.
+
+If you disable or do not configure this policy setting, users can see and select the Log off menu item when they press Ctrl+Alt+Del.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Remove Logoff*
+- GP name: *NoLogoff*
+- GP path: *System/Ctrl+Alt+Del Options*
+- GP ADMX file name: *CtrlAltDel.admx*
+
+
+
+
+
+Footnotes:
+
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-admx-digitallocker.md b/windows/client-management/mdm/policy-csp-admx-digitallocker.md
new file mode 100644
index 0000000000..2d12ffdcdd
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-admx-digitallocker.md
@@ -0,0 +1,190 @@
+---
+title: Policy CSP - ADMX_DigitalLocker
+description: Policy CSP - ADMX_DigitalLocker
+ms.author: dansimp
+ms.localizationpriority: medium
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.date: 08/31/2020
+ms.reviewer:
+manager: dansimp
+---
+
+# Policy CSP - ADMX_DigitalLocker
+> [!WARNING]
+> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+
+
+
+
+## ADMX_DigitalLocker policies
+
+
      +
      + ADMX_DigitalLocker/Digitalx_DiableApplication_TitleText_1 +
      +
      + ADMX_DigitalLocker/Digitalx_DiableApplication_TitleText_2 +
      +
      + + +
      + + +**ADMX_DigitalLocker/Digitalx_DiableApplication_TitleText_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether Digital Locker can run.
+
+Digital Locker is a dedicated download manager associated with Windows Marketplace and a feature of Windows that can be used to manage and download products acquired and stored in the user's Windows Marketplace Digital Locker.
+
+If you enable this setting, Digital Locker will not run.
+
+If you disable or do not configure this setting, Digital Locker can be run.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Do not allow Digital Locker to run*
+- GP name: *DoNotRunDigitalLocker*
+- GP path: *Windows Components/Digital Locker*
+- GP ADMX file name: *DigitalLocker.admx*
+
+
+
+
      + + +**ADMX_DigitalLocker/Digitalx_DiableApplication_TitleText_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether Digital Locker can run.
+
+Digital Locker is a dedicated download manager associated with Windows Marketplace and a feature of Windows that can be used to manage and download products acquired and stored in the user's Windows Marketplace Digital Locker.
+
+If you enable this setting, Digital Locker will not run.
+
+If you disable or do not configure this setting, Digital Locker can be run.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Do not allow Digital Locker to run*
+- GP name: *DoNotRunDigitalLocker*
+- GP path: *Windows Components/Digital Locker*
+- GP ADMX file name: *DigitalLocker.admx*
+
+
+
+
+
+Footnotes:
+
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-admx-dnsclient.md b/windows/client-management/mdm/policy-csp-admx-dnsclient.md
new file mode 100644
index 0000000000..79b48babf1
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-admx-dnsclient.md
@@ -0,0 +1,1725 @@
+---
+title: Policy CSP - ADMX_DnsClient
+description: Policy CSP - ADMX_DnsClient
+ms.author: dansimp
+ms.localizationpriority: medium
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.date: 08/12/2020
+ms.reviewer:
+manager: dansimp
+---
+
+# Policy CSP - ADMX_DnsClient
+
+> [!WARNING]
+> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+
+
+
+
+## ADMX_DnsClient policies
+
+
      +
      + ADMX_DnsClient/DNS_AllowFQDNNetBiosQueries +
      +
      + ADMX_DnsClient/DNS_AppendToMultiLabelName +
      +
      + ADMX_DnsClient/DNS_Domain +
      +
      + ADMX_DnsClient/DNS_DomainNameDevolutionLevel +
      +
      + ADMX_DnsClient/DNS_IdnEncoding +
      +
      + ADMX_DnsClient/DNS_IdnMapping +
      +
      + ADMX_DnsClient/DNS_NameServer +
      +
      + ADMX_DnsClient/DNS_PreferLocalResponsesOverLowerOrderDns +
      +
      + ADMX_DnsClient/DNS_PrimaryDnsSuffix +
      +
      + ADMX_DnsClient/DNS_RegisterAdapterName +
      +
      + ADMX_DnsClient/DNS_RegisterReverseLookup +
      +
      + ADMX_DnsClient/DNS_RegistrationEnabled +
      +
      + ADMX_DnsClient/DNS_RegistrationOverwritesInConflict +
      +
      + ADMX_DnsClient/DNS_RegistrationRefreshInterval +
      +
      + ADMX_DnsClient/DNS_RegistrationTtl +
      +
      + ADMX_DnsClient/DNS_SearchList +
      +
      + ADMX_DnsClient/DNS_SmartMultiHomedNameResolution +
      +
      + ADMX_DnsClient/DNS_SmartProtocolReorder +
      +
      + ADMX_DnsClient/DNS_UpdateSecurityLevel +
      +
      + ADMX_DnsClient/DNS_UpdateTopLevelDomainZones +
      +
      + ADMX_DnsClient/DNS_UseDomainNameDevolution +
      +
      + ADMX_DnsClient/Turn_Off_Multicast +
      +
      + + +
      + + +**ADMX_DnsClient/DNS_AllowFQDNNetBiosQueries** + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting specifies that NetBIOS over TCP/IP (NetBT) queries are issued for fully qualified domain names.
+
+If you enable this policy setting, NetBT queries will be issued for multi-label and fully qualified domain names, such as "www.example.com" in addition to single-label names.
+
+If you disable this policy setting, or if you do not configure this policy setting, NetBT queries will only be issued for single-label names, such as "example" and not for multi-label and fully qualified domain names.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Allow NetBT queries for fully qualified domain names*
+- GP name: *DNS_AllowFQDNNetBiosQueries*
+- GP path: *Network/DNS Client*
+- GP ADMX file name: *DnsClient.admx*
+
+
+
+
      + + +**ADMX_DnsClient/DNS_AppendToMultiLabelName** + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting specifies that computers may attach suffixes to an unqualified multi-label name before sending subsequent DNS queries if the original name query fails.
+
+A name containing dots, but not dot-terminated, is called an unqualified multi-label name, for example "server.corp" is an unqualified multi-label name. The name "server.corp.contoso.com." is an example of a fully qualified name because it contains a terminating dot.
+
+For example, if attaching suffixes is allowed, an unqualified multi-label name query for "server.corp" will be queried by the DNS client first. If the query succeeds, the response is returned to the client. If the query fails, the unqualified multi-label name is appended with DNS suffixes. These suffixes can be derived from a combination of the local DNS client's primary domain suffix, a connection-specific domain suffix, and a DNS suffix search list.
+
+If attaching suffixes is allowed, and a DNS client with a primary domain suffix of "contoso.com" performs a query for "server.corp" the DNS client will send a query for "server.corp" first, and then a query for "server.corp.contoso.com." second if the first query fails.
+
+If you enable this policy setting, suffixes are allowed to be appended to an unqualified multi-label name if the original name query fails.
+
+If you disable this policy setting, no suffixes are appended to unqualified multi-label name queries if the original name query fails.
+
+If you do not configure this policy setting, computers will use their local DNS client settings to determine the query behavior for unqualified multi-label names.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Allow DNS suffix appending to unqualified multi-label name queries*
+- GP name: *DNS_AppendToMultiLabelName*
+- GP path: *Network/DNS Client*
+- GP ADMX file name: *DnsClient.admx*
+
+
+
+
+
      + + +**ADMX_DnsClient/DNS_Domain** + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting specifies a connection-specific DNS suffix. This policy setting supersedes local connection-specific DNS suffixes, and those configured using DHCP. To use this policy setting, click Enabled, and then enter a string value representing the DNS suffix.
+
+If you enable this policy setting, the DNS suffix that you enter will be applied to all network connections used by computers that receive this policy setting.
+
+If you disable this policy setting, or if you do not configure this policy setting, computers will use the local or DHCP supplied connection specific DNS suffix, if configured.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Connection-specific DNS suffix*
+- GP name: *DNS_Domain*
+- GP path: *Network/DNS Client*
+- GP ADMX file name: *DnsClient.admx*
+
+
+
+
+
      + + +**ADMX_DnsClient/DNS_DomainNameDevolutionLevel** + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting specifies if the devolution level that DNS clients will use if they perform primary DNS suffix devolution during the name resolution process.
+
+With devolution, a DNS client creates queries by appending a single-label, unqualified domain name with the parent suffix of the primary DNS suffix name, and the parent of that suffix, and so on, stopping if the name is successfully resolved or at a level determined by devolution settings. Devolution can be used when a user or application submits a query for a single-label domain name.
+
+The DNS client appends DNS suffixes to the single-label, unqualified domain name based on the state of the Append primary and connection specific DNS suffixes radio button and Append parent suffixes of the primary DNS suffix check box on the DNS tab in Advanced TCP/IP Settings for the Internet Protocol (TCP/IP) Properties dialog box.
+
+Devolution is not enabled if a global suffix search list is configured using Group Policy.
+
+If a global suffix search list is not configured, and the Append primary and connection specific DNS suffixes radio button is selected, the DNS client appends the following names to a single-label name when it sends DNS queries:
+
+- The primary DNS suffix, as specified on the Computer Name tab of the System control panel.
+- Each connection-specific DNS suffix, assigned either through DHCP or specified in the DNS suffix for this connection box on the DNS tab in the Advanced TCP/IP Settings dialog box for each connection.
+
+For example, when a user submits a query for a single-label name such as "example," the DNS client attaches a suffix such as "microsoft.com" resulting in the query "example.microsoft.com," before sending the query to a DNS server.
+
+If a DNS suffix search list is not specified, the DNS client attaches the primary DNS suffix to a single-label name. If this query fails, the connection-specific DNS suffix is attached for a new query. If none of these queries are resolved, the client devolves the primary DNS suffix of the computer (drops the leftmost label of the primary DNS suffix), attaches this devolved primary DNS suffix to the single-label name, and submits this new query to a DNS server.
+
+For example, if the primary DNS suffix ooo.aaa.microsoft.com is attached to the non-dot-terminated single-label name "example," and the DNS query for example.ooo.aaa.microsoft.com fails, the DNS client devolves the primary DNS suffix (drops the leftmost label) till the specified devolution level, and submits a query for example.aaa.microsoft.com. If this query fails, the primary DNS suffix is devolved further if it is under specified devolution level and the query example.microsoft.com is submitted. If this query fails, devolution continues if it is under specified devolution level and the query example.microsoft.com is submitted, corresponding to a devolution level of two. The primary DNS suffix cannot be devolved beyond a devolution level of two. The devolution level can be configured using this policy setting. The default devolution level is two.
+
+If you enable this policy setting and DNS devolution is also enabled, DNS clients use the DNS devolution level that you specify.
+
+If you disable this policy setting or do not configure it, DNS clients use the default devolution level of two provided that DNS devolution is enabled.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Primary DNS suffix devolution level*
+- GP name: *DNS_DomainNameDevolutionLevel*
+- GP path: *Network/DNS Client*
+- GP ADMX file name: *DnsClient.admx*
+
+
+
+
+
      + + +**ADMX_DnsClient/DNS_IdnEncoding** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether the DNS client should convert internationalized domain names (IDNs) to Punycode when the computer is on non-domain networks with no WINS servers configured.
+
+If this policy setting is enabled, IDNs are not converted to Punycode.
+
+If this policy setting is disabled, or if this policy setting is not configured, IDNs are converted to Punycode when the computer is on non-domain networks with no WINS servers configured.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn off IDN encoding*
+- GP name: *DNS_IdnEncoding*
+- GP path: *Network/DNS Client*
+- GP ADMX file name: *DnsClient.admx*
+
+
+
+
+
      + + +**ADMX_DnsClient/DNS_IdnMapping** + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether the DNS client should convert internationalized domain names (IDNs) to the Nameprep form, a canonical Unicode representation of the string.
+
+If this policy setting is enabled, IDNs are converted to the Nameprep form.
+
+If this policy setting is disabled, or if this policy setting is not configured, IDNs are not converted to the Nameprep form.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *IDN mapping*
+- GP name: *DNS_IdnMapping*
+- GP path: *Network/DNS Client*
+- GP ADMX file name: *DnsClient.admx*
+
+
+
+
+
      + + +**ADMX_DnsClient/DNS_NameServer** + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting defines the DNS servers to which a computer sends queries when it attempts to resolve names. This policy setting supersedes the list of DNS servers configured locally and those configured using DHCP.
+
+To use this policy setting, click Enabled, and then enter a space-delimited list of IP addresses in the available field. To use this policy setting, you must enter at least one IP address.
+
+If you enable this policy setting, the list of DNS servers is applied to all network connections used by computers that receive this policy setting.
+
+If you disable this policy setting, or if you do not configure this policy setting, computers will use the local or DHCP supplied list of DNS servers, if configured.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *DNS servers*
+- GP name: *DNS_NameServer*
+- GP path: *Network/DNS Client*
+- GP ADMX file name: *DnsClient.admx*
+
+
+
+
+
      + + +**ADMX_DnsClient/DNS_PreferLocalResponsesOverLowerOrderDns** + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting specifies that responses from link local name resolution protocols received over a network interface that is higher in the binding order are preferred over DNS responses from network interfaces lower in the binding order. Examples of link local name resolution protocols include link local multicast name resolution (LLMNR) and NetBIOS over TCP/IP (NetBT).
+
+If you enable this policy setting, responses from link local protocols will be preferred over DNS responses if the local responses are from a network with a higher binding order.
+
+If you disable this policy setting, or if you do not configure this policy setting, then DNS responses from networks lower in the binding order will be preferred over responses from link local protocols received from networks higher in the binding order.
+
+> [!NOTE]
+> This policy setting is applicable only if the turn off smart multi-homed name resolution policy setting is disabled or not configured.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Prefer link local responses over DNS when received over a network with higher precedence*
+- GP name: *DNS_PreferLocalResponsesOverLowerOrderDns*
+- GP path: *Network/DNS Client*
+- GP ADMX file name: *DnsClient.admx*
+
+
+
+
+
+
      + + +**ADMX_DnsClient/DNS_PrimaryDnsSuffix** + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting specifies the primary DNS suffix used by computers in DNS name registration and DNS name resolution.
+
+To use this policy setting, click Enabled and enter the entire primary DNS suffix you want to assign. For example: microsoft.com.
+
+> [!IMPORTANT]
+> In order for changes to this policy setting to be applied on computers that receive it, you must restart Windows.
+
+If you enable this policy setting, it supersedes the primary DNS suffix configured in the DNS Suffix and NetBIOS Computer Name dialog box using the System control panel.
+
+You can use this policy setting to prevent users, including local administrators, from changing the primary DNS suffix.
+
+If you disable this policy setting, or if you do not configure this policy setting, each computer uses its local primary DNS suffix, which is usually the DNS name of Active Directory domain to which it is joined.
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Primary DNS suffix*
+- GP name: *DNS_PrimaryDnsSuffix*
+- GP path: *Network/DNS Client*
+- GP ADMX file name: *DnsClient.admx*
+
+
+
+
+
      + + +**ADMX_DnsClient/DNS_RegisterAdapterName** + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting specifies if a computer performing dynamic DNS registration will register A and PTR resource records with a concatenation of its computer name and a connection-specific DNS suffix, in addition to registering these records with a concatenation of its computer name and the primary DNS suffix.
+
+By default, a DNS client performing dynamic DNS registration registers A and PTR resource records with a concatenation of its computer name and the primary DNS suffix. For example, a computer name of mycomputer and a primary DNS suffix of microsoft.com will be registered as: mycomputer.microsoft.com.
+
+If you enable this policy setting, a computer will register A and PTR resource records with its connection-specific DNS suffix, in addition to the primary DNS suffix. This applies to all network connections used by computers that receive this policy setting.
+
+For example, with a computer name of mycomputer, a primary DNS suffix of microsoft.com, and a connection specific DNS suffix of VPNconnection, a computer will register A and PTR resource records for mycomputer.VPNconnection and mycomputer.microsoft.com when this policy setting is enabled.
+
+Important: This policy setting is ignored on a DNS client computer if dynamic DNS registration is disabled.
+
+If you disable this policy setting, or if you do not configure this policy setting, a DNS client computer will not register any A and PTR resource records using a connection-specific DNS suffix.
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Register DNS records with connection-specific DNS suffix*
+- GP name: *DNS_RegisterAdapterName*
+- GP path: *Network/DNS Client*
+- GP ADMX file name: *DnsClient.admx*
+
+
+
+
+
      + + +**ADMX_DnsClient/DNS_RegisterReverseLookup** + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting specifies if DNS client computers will register PTR resource records.
+
+By default, DNS clients configured to perform dynamic DNS registration will attempt to register PTR resource record only if they successfully registered the corresponding A resource record.
+
+If you enable this policy setting, registration of PTR records will be determined by the option that you choose under Register PTR records.
+
+To use this policy setting, click Enabled, and then select one of the following options from the drop-down list:
+
+- Do not register: Computers will not attempt to register PTR resource records
+- Register: Computers will attempt to register PTR resource records even if registration of the corresponding A records was not successful.
+- Register only if A record registration succeeds: Computers will attempt to register PTR resource records only if registration of the corresponding A records was successful.
+
+If you disable this policy setting, or if you do not configure this policy setting, computers will use locally configured settings.
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Register PTR records*
+- GP name: *DNS_RegisterReverseLookup*
+- GP path: *Network/DNS Client*
+- GP ADMX file name: *DnsClient.admx*
+
+
+
+
+
      + + +**ADMX_DnsClient/DNS_RegistrationEnabled** + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting specifies if DNS dynamic update is enabled. Computers configured for DNS dynamic update automatically register and update their DNS resource records with a DNS server.
+
+If you enable this policy setting, or you do not configure this policy setting, computers will attempt to use dynamic DNS registration on all network connections that have connection-specific dynamic DNS registration enabled. For a dynamic DNS registration to be enabled on a network connection, the connection-specific configuration must allow dynamic DNS registration, and this policy setting must not be disabled.
+
+If you disable this policy setting, computers may not use dynamic DNS registration for any of their network connections, regardless of the configuration for individual network connections.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Dynamic update*
+- GP name: *DNS_RegistrationEnabled*
+- GP path: *Network/DNS Client*
+- GP ADMX file name: *DnsClient.admx*
+
+
+
+
+
      + + +**ADMX_DnsClient/DNS_RegistrationOverwritesInConflict** + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether dynamic updates should overwrite existing resource records that contain conflicting IP addresses.
+
+This policy setting is designed for computers that register address (A) resource records in DNS zones that do not use Secure Dynamic Updates. Secure Dynamic Update preserves ownership of resource records and does not allow a DNS client to overwrite records that are registered by other computers.
+
+During dynamic update of resource records in a zone that does not use Secure Dynamic Updates, an A resource record might exist that associates the client's host name with an IP address different than the one currently in use by the client. By default, the DNS client attempts to replace the existing A resource record with an A resource record that has the client's current IP address.
+
+If you enable this policy setting or if you do not configure this policy setting, DNS clients maintain their default behavior and will attempt to replace conflicting A resource records during dynamic update.
+
+If you disable this policy setting, existing A resource records that contain conflicting IP addresses will not be replaced during a dynamic update, and an error will be recorded in Event Viewer.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Replace addresses in conflicts*
+- GP name: *DNS_RegistrationOverwritesInConflict*
+- GP path: *Network/DNS Client*
+- GP ADMX file name: *DnsClient.admx*
+
+
+
+
+
      + + +**ADMX_DnsClient/DNS_RegistrationRefreshInterval** + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting specifies the interval used by DNS clients to refresh registration of A and PTR resource. This policy setting only applies to computers performing dynamic DNS updates.
+
+Computers configured to perform dynamic DNS registration of A and PTR resource records periodically reregister their records with DNS servers, even if the record has not changed. This reregistration is required to indicate to DNS servers that records are current and should not be automatically removed (scavenged) when a DNS server is configured to delete stale records.
+
+> [!WARNING]
+> If record scavenging is enabled on the zone, the value of this policy setting should never be longer than the value of the DNS zone refresh interval. Configuring the registration refresh interval to be longer than the refresh interval of the DNS zone might result in the undesired deletion of A and PTR resource records.
+
+To specify the registration refresh interval, click Enabled and then enter a value of 1800 or greater. The value that you specify is the number of seconds to use for the registration refresh interval. For example, 1800 seconds is 30 minutes.
+
+If you enable this policy setting, registration refresh interval that you specify will be applied to all network connections used by computers that receive this policy setting.
+
+If you disable this policy setting, or if you do not configure this policy setting, computers will use the local or DHCP supplied setting. By default, client computers configured with a static IP address attempt to update their DNS resource records once every 24 hours and DHCP clients will attempt to update their DNS resource records when a DHCP lease is granted or renewed.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Registration refresh interval*
+- GP name: *DNS_RegistrationRefreshInterval*
+- GP path: *Network/DNS Client*
+- GP ADMX file name: *DnsClient.admx*
+
+
+
+
+
      + + +**ADMX_DnsClient/DNS_RegistrationTtl** + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Available in Windows 10 Insider Preview Build 20185. This policy setting specifies the value of the time to live (TTL) field in A and PTR resource records that are registered by computers to which this policy setting is applied. + +To specify the TTL, click Enabled and then enter a value in seconds (for example, 900 is 15 minutes). + +If you enable this policy setting, the TTL value that you specify will be applied to DNS resource records registered for all network connections used by computers that receive this policy setting. + +If you disable this policy setting, or if you do not configure this policy setting, computers will use the TTL settings specified in DNS. By default, the TTL is 1200 seconds (20 minutes). + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *TTL value for A and PTR records* +- GP name: *DNS_RegistrationTtl* +- GP path: *Network/DNS Client* +- GP ADMX file name: *DnsClient.admx* + + + + +
      + + +**ADMX_DnsClient/DNS_SearchList** + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Available in Windows 10 Insider Preview Build 20185. This policy setting specifies the DNS suffixes to attach to an unqualified single-label name before submission of a DNS query for that name. + +An unqualified single-label name contains no dots. The name "example" is a single-label name. This is different from a fully qualified domain name such as "example.microsoft.com." + +Client computers that receive this policy setting will attach one or more suffixes to DNS queries for a single-label name. For example, a DNS query for the single-label name "example" will be modified to "example.microsoft.com" before sending the query to a DNS server if this policy setting is enabled with a suffix of "microsoft.com." + +To use this policy setting, click Enabled, and then enter a string value representing the DNS suffixes that should be appended to single-label names. You must specify at least one suffix. Use a comma-delimited string, such as "microsoft.com,serverua.microsoft.com,office.microsoft.com" to specify multiple suffixes. + +If you enable this policy setting, one DNS suffix is attached at a time for each query. If a query is unsuccessful, a new DNS suffix is added in place of the failed suffix, and this new query is submitted. The values are used in the order they appear in the string, starting with the leftmost value and proceeding to the right until a query is successful or all suffixes are tried. + +If you disable this policy setting, or if you do not configure this policy setting, the primary DNS suffix and network connection-specific DNS suffixes are appended to the unqualified queries. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. 
For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *DNS suffix search list* +- GP name: *DNS_SearchList* +- GP path: *Network/DNS Client* +- GP ADMX file name: *DnsClient.admx* + + + + +
      + + +**ADMX_DnsClient/DNS_SmartMultiHomedNameResolution** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      +
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting specifies that a multi-homed DNS client should optimize name resolution across networks. The setting improves performance by issuing parallel DNS, link local multicast name resolution (LLMNR) and NetBIOS over TCP/IP (NetBT) queries across all networks. In the event that multiple positive responses are received, the network binding order is used to determine which response to accept.
+
+If you enable this policy setting, the DNS client will not perform any optimizations. DNS queries will be issued across all networks first. LLMNR queries will be issued if the DNS queries fail, followed by NetBT queries if LLMNR queries fail.
+
+If you disable this policy setting, or if you do not configure this policy setting, name resolution will be optimized when issuing DNS, LLMNR and NetBT queries.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn off smart multi-homed name resolution*
+- GP name: *DNS_SmartMultiHomedNameResolution*
+- GP path: *Network/DNS Client*
+- GP ADMX file name: *DnsClient.admx*
+
+
+
+
+
      + + +**ADMX_DnsClient/DNS_SmartProtocolReorder** + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      +
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting specifies that the DNS client should prefer responses from link local name resolution protocols on non-domain networks over DNS responses when issuing queries for flat names. Examples of link local name resolution protocols include link local multicast name resolution (LLMNR) and NetBIOS over TCP/IP (NetBT).
+
+If you enable this policy setting, the DNS client will prefer DNS responses, followed by LLMNR, followed by NetBT for all networks.
+
+If you disable this policy setting, or if you do not configure this policy setting, the DNS client will prefer link local responses for flat name queries on non-domain networks.
+
+> [!NOTE]
+> This policy setting is applicable only if the turn off smart multi-homed name resolution policy setting is disabled or not configured.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn off smart protocol reordering*
+- GP name: *DNS_SmartProtocolReorder*
+- GP path: *Network/DNS Client*
+- GP ADMX file name: *DnsClient.admx*
+
+
+
+
+
      + + +**ADMX_DnsClient/DNS_UpdateSecurityLevel** + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      +
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting specifies the security level for dynamic DNS updates.
+
+To use this policy setting, click Enabled and then select one of the following values:
+
+- Unsecure followed by secure - computers send secure dynamic updates only when nonsecure dynamic updates are refused.
+- Only unsecure - computers send only nonsecure dynamic updates.
+- Only secure - computers send only secure dynamic updates.
+
+If you enable this policy setting, computers that attempt to send dynamic DNS updates will use the security level that you specify in this policy setting.
+
+If you disable this policy setting, or if you do not configure this policy setting, computers will use local settings. By default, DNS clients attempt to use unsecured dynamic update first. If an unsecured update is refused, clients try to use secure update.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Update security level*
+- GP name: *DNS_UpdateSecurityLevel*
+- GP path: *Network/DNS Client*
+- GP ADMX file name: *DnsClient.admx*
+
+
+
+
+
      + + +**ADMX_DnsClient/DNS_UpdateTopLevelDomainZones** + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      +
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting specifies if computers may send dynamic updates to zones with a single label name. These zones are also known as top-level domain zones, for example: "com."
+
+By default, a DNS client that is configured to perform dynamic DNS update will update the DNS zone that is authoritative for its DNS resource records unless the authoritative zone is a top-level domain or root zone.
+
+If you enable this policy setting, computers send dynamic updates to any zone that is authoritative for the resource records that the computer needs to update, except the root zone.
+
+If you disable this policy setting, or if you do not configure this policy setting, computers do not send dynamic updates to the root zone or top-level domain zones that are authoritative for the resource records that the computer needs to update.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Update top level domain zones*
+- GP name: *DNS_UpdateTopLevelDomainZones*
+- GP path: *Network/DNS Client*
+- GP ADMX file name: *DnsClient.admx*
+
+
+
+
+
      + + +**ADMX_DnsClient/DNS_UseDomainNameDevolution** + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Available in Windows 10 Insider Preview Build 20185. This policy setting specifies if the DNS client performs primary DNS suffix devolution during the name resolution process. + +With devolution, a DNS client creates queries by appending a single-label, unqualified domain name with the parent suffix of the primary DNS suffix name, and the parent of that suffix, and so on, stopping if the name is successfully resolved or at a level determined by devolution settings. Devolution can be used when a user or application submits a query for a single-label domain name. + +The DNS client appends DNS suffixes to the single-label, unqualified domain name based on the state of the Append primary and connection specific DNS suffixes radio button and Append parent suffixes of the primary DNS suffix check box on the DNS tab in Advanced TCP/IP Settings for the Internet Protocol (TCP/IP) Properties dialog box. + +Devolution is not enabled if a global suffix search list is configured using Group Policy. + +If a global suffix search list is not configured, and the Append primary and connection specific DNS suffixes radio button is selected, the DNS client appends the following names to a single-label name when it sends DNS queries: + +The primary DNS suffix, as specified on the Computer Name tab of the System control panel. + +Each connection-specific DNS suffix, assigned either through DHCP or specified in the DNS suffix for this connection box on the DNS tab in the Advanced TCP/IP Settings dialog box for each connection. + +For example, when a user submits a query for a single-label name such as "example," the DNS client attaches a suffix such as "microsoft.com" resulting in the query "example.microsoft.com," before sending the query to a DNS server. + +If a DNS suffix search list is not specified, the DNS client attaches the primary DNS suffix to a single-label name. If this query fails, the connection-specific DNS suffix is attached for a new query. 
If none of these queries are resolved, the client devolves the primary DNS suffix of the computer (drops the leftmost label of the primary DNS suffix), attaches this devolved primary DNS suffix to the single-label name, and submits this new query to a DNS server. + +For example, if the primary DNS suffix ooo.aaa.microsoft.com is attached to the non-dot-terminated single-label name "example," and the DNS query for example.ooo.aaa.microsoft.com fails, the DNS client devolves the primary DNS suffix (drops the leftmost label) till the specified devolution level, and submits a query for example.aaa.microsoft.com. If this query fails, the primary DNS suffix is devolved further if it is under specified devolution level and the query example.microsoft.com is submitted. If this query fails, devolution continues if it is under specified devolution level and the query example.microsoft.com is submitted, corresponding to a devolution level of two. The primary DNS suffix cannot be devolved beyond a devolution level of two. The devolution level can be configured using the primary DNS suffix devolution level policy setting. The default devolution level is two. + +If you enable this policy setting, or if you do not configure this policy setting, DNS clients attempt to resolve single-label names using concatenations of the single-label name to be resolved and the devolved primary DNS suffix. + +If you disable this policy setting, DNS clients do not attempt to resolve names that are concatenations of the single-label name to be resolved and the devolved primary DNS suffix. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Primary DNS suffix devolution* +- GP name: *DNS_UseDomainNameDevolution* +- GP path: *Network/DNS Client* +- GP ADMX file name: *DnsClient.admx* + + + + +
      + + +**ADMX_DnsClient/Turn_Off_Multicast** + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      +
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting specifies that link local multicast name resolution (LLMNR) is disabled on client computers.
+
+LLMNR is a secondary name resolution protocol. With LLMNR, queries are sent using multicast over a local network link on a single subnet from a client computer to another client computer on the same subnet that also has LLMNR enabled. LLMNR does not require a DNS server or DNS client configuration, and provides name resolution in scenarios in which conventional DNS name resolution is not possible.
+
+If you enable this policy setting, LLMNR will be disabled on all available network adapters on the client computer.
+
+If you disable this policy setting, or you do not configure this policy setting, LLMNR will be enabled on all available network adapters.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn off multicast name resolution*
+- GP name: *Turn_Off_Multicast*
+- GP path: *Network/DNS Client*
+- GP ADMX file name: *DnsClient.admx*
+
+
+
+
+Footnotes:
+
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-admx-dwm.md b/windows/client-management/mdm/policy-csp-admx-dwm.md
new file mode 100644
index 0000000000..037491c5a5
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-admx-dwm.md
@@ -0,0 +1,491 @@
+---
+title: Policy CSP - ADMX_DWM
+description: Policy CSP - ADMX_DWM
+ms.author: dansimp
+ms.localizationpriority: medium
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.date: 08/31/2020
+ms.reviewer:
+manager: dansimp
+---
+
+# Policy CSP - ADMX_DWM
+> [!WARNING]
+> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+
+
      + + +## ADMX_DWM policies + +
      +
      + ADMX_DWM/DwmDefaultColorizationColor_1 +
      +
      + ADMX_DWM/DwmDefaultColorizationColor_2 +
      +
      + ADMX_DWM/DwmDisallowAnimations_1 +
      +
      + ADMX_DWM/DwmDisallowAnimations_2 +
      +
      + ADMX_DWM/DwmDisallowColorizationColorChanges_1 +
      +
      + ADMX_DWM/DwmDisallowColorizationColorChanges_2 +
      +
      + + +
      + + +**ADMX_DWM/DwmDefaultColorizationColor_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
      + + + +Available in Windows 10 Insider Preview Build 20185. This policy setting controls the default color for window frames when the user does not specify a color. + +If you enable this policy setting and specify a default color, this color is used in glass window frames, if the user does not specify a color. + +If you disable or do not configure this policy setting, the default internal color is used, if the user does not specify a color. + +> [!NOTE] +> This policy setting can be used in conjunction with the "Prevent color changes of window frames" setting, to enforce a specific color for window frames that cannot be changed by users. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Specify a default color* +- GP name: *DefaultColorizationColorState* +- GP path: *Windows Components/Desktop Window Manager/Window Frame Coloring* +- GP ADMX file name: *DWM.admx* + + + + +
      + + +**ADMX_DWM/DwmDefaultColorizationColor_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Available in Windows 10 Insider Preview Build 20185. This policy setting controls the default color for window frames when the user does not specify a color. + +If you enable this policy setting and specify a default color, this color is used in glass window frames, if the user does not specify a color. + +If you disable or do not configure this policy setting, the default internal color is used, if the user does not specify a color. + +> [!NOTE] +> This policy setting can be used in conjunction with the "Prevent color changes of window frames" setting, to enforce a specific color for window frames that cannot be changed by users. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Specify a default color* +- GP name: *DefaultColorizationColorState* +- GP path: *Windows Components/Desktop Window Manager/Window Frame Coloring* +- GP ADMX file name: *DWM.admx* + + + +
      + + +**ADMX_DWM/DwmDisallowAnimations_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
      + + + +Available in Windows 10 Insider Preview Build 20185. This policy setting controls the appearance of window animations such as those found when restoring, minimizing, and maximizing windows. + +If you enable this policy setting, window animations are turned off. + +If you disable or do not configure this policy setting, window animations are turned on. + +Changing this policy setting requires a logoff for it to be applied. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not allow window animations* +- GP name: *DisallowAnimations* +- GP path: *Windows Components/Desktop Window Manager* +- GP ADMX file name: *DWM.admx* + + + +
      + + +**ADMX_DWM/DwmDisallowAnimations_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Available in Windows 10 Insider Preview Build 20185. This policy setting controls the appearance of window animations such as those found when restoring, minimizing, and maximizing windows. + +If you enable this policy setting, window animations are turned off. + +If you disable or do not configure this policy setting, window animations are turned on. + +Changing this policy setting requires a logoff for it to be applied. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not allow window animations* +- GP name: *DisallowAnimations* +- GP path: *Windows Components/Desktop Window Manager* +- GP ADMX file name: *DWM.admx* + + + +
      + + +**ADMX_DWM/DwmDisallowColorizationColorChanges_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
      + + + +Available in Windows 10 Insider Preview Build 20185. This policy setting controls the ability to change the color of window frames. + +If you enable this policy setting, you prevent users from changing the default window frame color. + +If you disable or do not configure this policy setting, you allow users to change the default window frame color. + +> [!NOTE] +> This policy setting can be used in conjunction with the "Specify a default color for window frames" policy setting, to enforce a specific color for window frames that cannot be changed by users. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not allow color changes* +- GP name: *DisallowColorizationColorChanges* +- GP path: *Windows Components/Desktop Window Manager/Window Frame Coloring* +- GP ADMX file name: *DWM.admx* + + + +
      + + +**ADMX_DWM/DwmDisallowColorizationColorChanges_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Available in Windows 10 Insider Preview Build 20185. This policy setting controls the ability to change the color of window frames. + +If you enable this policy setting, you prevent users from changing the default window frame color. + +If you disable or do not configure this policy setting, you allow users to change the default window frame color. + +> [!NOTE] +> This policy setting can be used in conjunction with the "Specify a default color for window frames" policy setting, to enforce a specific color for window frames that cannot be changed by users. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not allow color changes* +- GP name: *DisallowColorizationColorChanges* +- GP path: *Windows Components/Desktop Window Manager/Window Frame Coloring* +- GP ADMX file name: *DWM.admx* + + + +
+
+Footnotes:
+
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-admx-encryptfilesonmove.md b/windows/client-management/mdm/policy-csp-admx-encryptfilesonmove.md
new file mode 100644
index 0000000000..ec7948b584
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-admx-encryptfilesonmove.md
@@ -0,0 +1,116 @@
+---
+title: Policy CSP - ADMX_EncryptFilesonMove
+description: Policy CSP - ADMX_EncryptFilesonMove
+ms.author: dansimp
+ms.localizationpriority: medium
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.date: 09/02/2020
+ms.reviewer:
+manager: dansimp
+---
+
+# Policy CSP - ADMX_EncryptFilesonMove
+> [!WARNING]
+> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+
+
      + + +## ADMX_EncryptFilesonMove policies + +
      +
      + ADMX_EncryptFilesonMove/NoEncryptOnMove +
      +
      + + +
      + + +**ADMX_EncryptFilesonMove/NoEncryptOnMove** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Available in Windows 10 Insider Preview Build 20185. This policy setting prevents File Explorer from encrypting files that are moved to an encrypted folder. + +If you enable this policy setting, File Explorer will not automatically encrypt files that are moved to an encrypted folder. + +If you disable or do not configure this policy setting, File Explorer automatically encrypts files that are moved to an encrypted folder. + +This setting applies only to files moved within a volume. When files are moved to other volumes, or if you create a new file in an encrypted folder, File Explorer encrypts those files automatically. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not automatically encrypt files moved to encrypted folders* +- GP name: *NoEncryptOnMove* +- GP path: *System* +- GP ADMX file name: *EncryptFilesonMove.admx* + + + +
+
+Footnotes:
+
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-admx-eventforwarding.md b/windows/client-management/mdm/policy-csp-admx-eventforwarding.md
new file mode 100644
index 0000000000..ba0dcbb61d
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-admx-eventforwarding.md
@@ -0,0 +1,200 @@
+---
+title: Policy CSP - ADMX_EventForwarding
+description: Policy CSP - ADMX_EventForwarding
+ms.author: dansimp
+ms.localizationpriority: medium
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.date: 08/17/2020
+ms.reviewer:
+manager: dansimp
+---
+
+# Policy CSP - ADMX_EventForwarding
+
+> [!WARNING]
+> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+
+
      + + +## ADMX_EventForwarding policies + +
      +
      + ADMX_EventForwarding/ForwarderResourceUsage +
      +
      + ADMX_EventForwarding/SubscriptionManager +
      +
      + + +
      + + +**ADMX_EventForwarding/ForwarderResourceUsage** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Available in Windows 10 Insider Preview Build 20185. This policy setting controls resource usage for the forwarder (source computer) by controlling the events/per second sent to the Event Collector. + +If you enable this policy setting, you can control the volume of events sent to the Event Collector by the source computer. This may be required in high volume environments. + +If you disable or do not configure this policy setting, forwarder resource usage is not specified. + +This setting applies across all subscriptions for the forwarder (source computer). + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure forwarder resource usage* +- GP name: *MaxForwardingRate* +- GP path: *Windows Components/Event Forwarding* +- GP ADMX file name: *EventForwarding.admx* + + + +
      + +
      + + +**ADMX_EventForwarding/SubscriptionManager** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to configure the server address, refresh interval, and issuer certificate authority (CA) of a target Subscription Manager. + +If you enable this policy setting, you can configure the Source Computer to contact a specific FQDN (Fully Qualified Domain Name) or IP Address and request subscription specifics. + +Use the following syntax when using the HTTPS protocol: + +``` syntax + +Server=https://:5986/wsman/SubscriptionManager/WEC,Refresh=,IssuerCA=. +``` + +When using the HTTP protocol, use port 5985. + +If you disable or do not configure this policy setting, the Event Collector computer will not be specified. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure target Subscription Manager* +- GP name: *SubscriptionManager* +- GP path: *Windows Components/Event Forwarding* +- GP ADMX file name: *EventForwarding.admx* + + + +
+
+Footnotes:
+
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-admx-fileservervssprovider.md b/windows/client-management/mdm/policy-csp-admx-fileservervssprovider.md
new file mode 100644
index 0000000000..78ba8174f4
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-admx-fileservervssprovider.md
@@ -0,0 +1,117 @@
+---
+title: Policy CSP - ADMX_FileServerVSSProvider
+description: Policy CSP - ADMX_FileServerVSSProvider
+ms.author: dansimp
+ms.localizationpriority: medium
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.date: 09/02/2020
+ms.reviewer:
+manager: dansimp
+---
+
+# Policy CSP - ADMX_FileServerVSSProvider
+> [!WARNING]
+> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+
+
      + + +## ADMX_FileServerVSSProvider policies + +
      +
      + ADMX_FileServerVSSProvider/Pol_EncryptProtocol +
      +
      + + +
      + + +**ADMX_FileServerVSSProvider/Pol_EncryptProtocol** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Available in Windows 10 Insider Preview Build 20185. This policy setting determines whether the RPC protocol messages used by VSS for SMB2 File Shares feature is enabled. + +VSS for SMB2 File Shares feature enables VSS aware backup applications to perform application consistent backup and restore of VSS aware applications storing data on SMB2 File Shares. + +By default, the RPC protocol message between File Server VSS provider and File Server VSS Agent is signed but not encrypted. + +> [!NOTE] +> To make changes to this setting effective, you must restart Volume Shadow Copy (VSS) Service. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow or Disallow use of encryption to protect the RPC protocol messages between File Share Shadow Copy Provider running on application server and File Share Shadow Copy Agent running on the file servers.* +- GP name: *EncryptProtocol* +- GP path: *System/File Share Shadow Copy Provider* +- GP ADMX file name: *FileServerVSSProvider.admx* + + + +
+
+Footnotes:
+
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-admx-filesys.md b/windows/client-management/mdm/policy-csp-admx-filesys.md
new file mode 100644
index 0000000000..c669f3279e
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-admx-filesys.md
@@ -0,0 +1,588 @@
+---
+title: Policy CSP - ADMX_FileSys
+description: Policy CSP - ADMX_FileSys
+ms.author: dansimp
+ms.localizationpriority: medium
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.date: 09/02/2020
+ms.reviewer:
+manager: dansimp
+---
+
+# Policy CSP - ADMX_FileSys
+> [!WARNING]
+> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+
+
      + + +## ADMX_FileSys policies + +
      +
      + ADMX_FileSys/DisableCompression +
      +
      + ADMX_FileSys/DisableDeleteNotification +
      +
      + ADMX_FileSys/DisableEncryption +
      +
      + ADMX_FileSys/EnablePagefileEncryption +
      +
      + ADMX_FileSys/LongPathsEnabled +
      +
      + ADMX_FileSys/ShortNameCreationSettings +
      +
      + ADMX_FileSys/SymlinkEvaluation +
      +
      + ADMX_FileSys/TxfDeprecatedFunctionality +
      +
      + + +
      + + +**ADMX_FileSys/DisableCompression** + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Available in Windows 10 Insider Preview Build 20185. Compression can add to the processing overhead of filesystem operations. Enabling this setting will prevent access to and creation of compressed files. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not allow compression on all NTFS volumes* +- GP name: *NtfsDisableCompression* +- GP path: *System/Filesystem/NTFS* +- GP ADMX file name: *FileSys.admx* + + + +
      + + +**ADMX_FileSys/DisableDeleteNotification** + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Available in Windows 10 Insider Preview Build 20185. Delete notification is a feature that notifies the underlying storage device of clusters that are freed due to a file delete operation. + +A value of 0, the default, will enable delete notifications for all volumes. + +A value of 1 will disable delete notifications for all volumes. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Disable delete notifications on all volumes* +- GP name: *DisableDeleteNotification* +- GP path: *System/Filesystem* +- GP ADMX file name: *FileSys.admx* + + + +
      + + +**ADMX_FileSys/DisableEncryption** + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Available in Windows 10 Insider Preview Build 20185. Encryption can add to the processing overhead of filesystem operations. Enabling this setting will prevent access to and creation of encrypted files. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not allow encryption on all NTFS volumes* +- GP name: *NtfsDisableEncryption* +- GP path: *System/Filesystem/NTFS* +- GP ADMX file name: *FileSys.admx* + + + +
      + + +**ADMX_FileSys/EnablePagefileEncryption** + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Available in Windows 10 Insider Preview Build 20185. Encrypting the page file prevents malicious users from reading data that has been paged to disk, but also adds processing overhead for filesystem operations. Enabling this setting will cause the page files to be encrypted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Enable NTFS pagefile encryption* +- GP name: *NtfsEncryptPagingFile* +- GP path: *System/Filesystem/NTFS* +- GP ADMX file name: *FileSys.admx* + + + +
      + + +**ADMX_FileSys/LongPathsEnabled** + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Available in Windows 10 Insider Preview Build 20185. Enabling Win32 long paths will allow manifested win32 applications and Windows Store applications to access paths beyond the normal 260 character limit per node on file systems that support it. Enabling this setting will cause the long paths to be accessible within the process. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Enable Win32 long paths* +- GP name: *LongPathsEnabled* +- GP path: *System/Filesystem* +- GP ADMX file name: *FileSys.admx* + + + +
      + + +**ADMX_FileSys/ShortNameCreationSettings** + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Available in Windows 10 Insider Preview Build 20185. This policy setting provides control over whether or not short names are generated during file creation. Some applications require short names for compatibility, but short names have a negative performance impact on the system. + +If you enable short names on all volumes then short names will always be generated. If you disable them on all volumes then they will never be generated. If you set short name creation to be configurable on a per volume basis then an on-disk flag will determine whether or not short names are created on a given volume. If you disable short name creation on all data volumes then short names will only be generated for files created on the system volume. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Short name creation options* +- GP name: *NtfsDisable8dot3NameCreation* +- GP path: *System/Filesystem/NTFS* +- GP ADMX file name: *FileSys.admx* + + + +
      + + +**ADMX_FileSys/SymlinkEvaluation** + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Available in Windows 10 Insider Preview Build 20185. Symbolic links can introduce vulnerabilities in certain applications. To mitigate this issue, you can selectively enable or disable the evaluation of these types of symbolic links: + +- Local Link to a Local Target +- Local Link to a Remote Target +- Remote Link to Remote Target +- Remote Link to Local Target + +For more information, refer to the Windows Help section. + +> [!NOTE] +> If this policy is disabled or not configured, local administrators may select the types of symbolic links to be evaluated. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Selectively allow the evaluation of a symbolic link* +- GP name: *SymlinkLocalToLocalEvaluation* +- GP path: *System/Filesystem* +- GP ADMX file name: *FileSys.admx* + + + +
      + + +**ADMX_FileSys/TxfDeprecatedFunctionality** + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Available in Windows 10 Insider Preview Build 20185. TXF deprecated features included savepoints, secondary RM, miniversion and roll forward. Enable it if you want to use the APIs. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Enable / disable TXF deprecated features* +- GP name: *NtfsEnableTxfDeprecatedFunctionality* +- GP path: *System/Filesystem/NTFS* +- GP ADMX file name: *FileSys.admx* + + + +
+
+Footnotes:
+
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-admx-folderredirection.md b/windows/client-management/mdm/policy-csp-admx-folderredirection.md
new file mode 100644
index 0000000000..268a4738fe
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-admx-folderredirection.md
@@ -0,0 +1,570 @@
+---
+title: Policy CSP - ADMX_FolderRedirection
+description: Policy CSP - ADMX_FolderRedirection
+ms.author: dansimp
+ms.localizationpriority: medium
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.date: 09/02/2020
+ms.reviewer:
+manager: dansimp
+---
+
+# Policy CSP - ADMX_FolderRedirection
+> [!WARNING]
+> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+
+
      + + +## ADMX_FolderRedirection policies + +
      +
      + ADMX_FolderRedirection/DisableFRAdminPin +
      +
      + ADMX_FolderRedirection/DisableFRAdminPinByFolder +
      +
      + ADMX_FolderRedirection/FolderRedirectionEnableCacheRename +
      +
      + ADMX_FolderRedirection/LocalizeXPRelativePaths_1 +
      +
      + ADMX_FolderRedirection/LocalizeXPRelativePaths_2 +
      +
      + ADMX_FolderRedirection/PrimaryComputer_FR_1 +
      +
      + ADMX_FolderRedirection/PrimaryComputer_FR_2 +
      +
      + + +
      + + +**ADMX_FolderRedirection/DisableFRAdminPin** + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
      + + + +Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to control whether all redirected shell folders, such as Contacts, Documents, Desktop, Favorites, Music, Pictures, Videos, Start Menu, and AppData\Roaming, are available offline by default. + +If you enable this policy setting, users must manually select the files they wish to make available offline. + +If you disable or do not configure this policy setting, redirected shell folders are automatically made available offline. All subfolders within the redirected folders are also made available offline. + +> [!NOTE] +> This policy setting does not prevent files from being automatically cached if the network share is configured for "Automatic Caching", nor does it affect the availability of the "Always available offline" menu option in the user interface. +> +> Do not enable this policy setting if users will need access to their redirected files if the network or server holding the redirected files becomes unavailable. +> +> If one or more valid folder GUIDs are specified in the policy setting "Do not automatically make specific redirected folders available offline", that setting will override the configured value of "Do not automatically make all redirected folders available offline". + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
+ + +ADMX Info: +- GP English name: *Do not automatically make all redirected folders available offline* +- GP name: *DisableFRAdminPin* +- GP path: *System/Folder Redirection* +- GP ADMX file name: *FolderRedirection.admx* + + + +
      + + +**ADMX_FolderRedirection/DisableFRAdminPinByFolder** + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
      + + + +Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to control whether individual redirected shell folders are available offline by default. + +For the folders affected by this setting, users must manually select the files they wish to make available offline. + +If you disable or do not configure this policy setting, all redirected shell folders are automatically made available offline. All subfolders within the redirected folders are also made available offline. + +> [!NOTE] +> This policy setting does not prevent files from being automatically cached if the network share is configured for "Automatic Caching", nor does it affect the availability of the "Always available offline" menu option in the user interface. +> +> The configuration of this policy for any folder will override the configured value of "Do not automatically make all redirected folders available offline". + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not automatically make specific redirected folders available offline* +- GP name: *DisableFRAdminPinByFolder* +- GP path: *System/Folder Redirection* +- GP ADMX file name: *FolderRedirection.admx* + + + +
      + + +**ADMX_FolderRedirection/FolderRedirectionEnableCacheRename** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
      + + + +Available in Windows 10 Insider Preview Build 20185. This policy setting controls whether the contents of redirected folders is copied from the old location to the new location or simply renamed in the Offline Files cache when a folder is redirected to a new location. + +If you enable this policy setting, when the path to a redirected folder is changed from one network location to another and Folder Redirection is configured to move the content to the new location, instead of copying the content to the new location, the cached content is renamed in the local cache and not copied to the new location. To use this policy setting, you must move or restore the server content to the new network location using a method that preserves the state of the files, including their timestamps, before updating the Folder Redirection location. + +If you disable or do not configure this policy setting, when the path to a redirected folder is changed and Folder Redirection is configured to move the content to the new location, Windows copies the contents of the local cache to the new network location, then deleted the content from the old network location. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
+ + +ADMX Info: +- GP English name: *Enable optimized move of contents in Offline Files cache on Folder Redirection server path change* +- GP name: *FolderRedirectionEnableCacheRename* +- GP path: *System/Folder Redirection* +- GP ADMX file name: *FolderRedirection.admx* + + + +
      + + +**ADMX_FolderRedirection/LocalizeXPRelativePaths_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
      + + + +Available in Windows 10 Insider Preview Build 20185. This policy setting allows the administrator to define whether Folder Redirection should use localized names for the All Programs, Startup, My Music, My Pictures, and My Videos subfolders when redirecting the parent Start Menu and legacy My Documents folder respectively. + +If you enable this policy setting, Windows Vista, Windows 7, Windows 8, and Windows Server 2012 will use localized folder names for these subfolders when redirecting the Start Menu or legacy My Documents folder. + +If you disable or not configure this policy setting, Windows Vista, Windows 7, Windows 8, and Windows Server 2012 will use the standard English names for these subfolders when redirecting the Start Menu or legacy My Documents folder. + +> [!NOTE] +> This policy is valid only on Windows Vista, Windows 7, Windows 8, and Windows Server 2012 when it processes a legacy redirection policy already deployed for these folders in your existing localized environment. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Use localized subfolder names when redirecting Start Menu and My Documents* +- GP name: *LocalizeXPRelativePaths* +- GP path: *System/Folder Redirection* +- GP ADMX file name: *FolderRedirection.admx* + + + +
      + + +**ADMX_FolderRedirection/LocalizeXPRelativePaths_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Available in Windows 10 Insider Preview Build 20185. This policy setting allows the administrator to define whether Folder Redirection should use localized names for the All Programs, Startup, My Music, My Pictures, and My Videos subfolders when redirecting the parent Start Menu and legacy My Documents folder respectively. + +If you enable this policy setting, Windows Vista, Windows 7, Windows 8, and Windows Server 2012 will use localized folder names for these subfolders when redirecting the Start Menu or legacy My Documents folder. + +If you disable or not configure this policy setting, Windows Vista, Windows 7, Windows 8, and Windows Server 2012 will use the standard English names for these subfolders when redirecting the Start Menu or legacy My Documents folder. + +> [!NOTE] +> This policy is valid only on Windows Vista, Windows 7, Windows 8, and Windows Server 2012 when it processes a legacy redirection policy already deployed for these folders in your existing localized environment. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Use localized subfolder names when redirecting Start Menu and My Documents* +- GP name: *LocalizeXPRelativePaths* +- GP path: *System/Folder Redirection* +- GP ADMX file name: *FolderRedirection.admx* + + + +
      + + +**ADMX_FolderRedirection/PrimaryComputer_FR_1** + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
      + + + +Available in Windows 10 Insider Preview Build 20185. This policy setting controls whether folders are redirected on a user's primary computers only. This policy setting is useful to improve logon performance and to increase security for user data on computers where the user might not want to download private data, such as on a meeting room computer or on a computer in a remote office. + +To designate a user's primary computers, an administrator must use management software or a script to add primary computer attributes to the user's account in Active Directory Domain Services (AD DS). This policy setting also requires the Windows Server 2012 version of the Active Directory schema to function. + +If you enable this policy setting and the user has redirected folders, such as the Documents and Pictures folders, the folders are redirected on the user's primary computer only. + +If you disable or do not configure this policy setting and the user has redirected folders, the folders are redirected on every computer that the user logs on to. + +> [!NOTE] +> If you enable this policy setting in Computer Configuration and User Configuration, the Computer Configuration policy setting takes precedence. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
+ + +ADMX Info: +- GP English name: *Redirect folders on primary computers only* +- GP name: *PrimaryComputerEnabledFR* +- GP path: *System/Folder Redirection* +- GP ADMX file name: *FolderRedirection.admx* + + + +
      + + +**ADMX_FolderRedirection/PrimaryComputer_FR_2** + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Available in Windows 10 Insider Preview Build 20185. This policy setting controls whether folders are redirected on a user's primary computers only. This policy setting is useful to improve logon performance and to increase security for user data on computers where the user might not want to download private data, such as on a meeting room computer or on a computer in a remote office. + +To designate a user's primary computers, an administrator must use management software or a script to add primary computer attributes to the user's account in Active Directory Domain Services (AD DS). This policy setting also requires the Windows Server 2012 version of the Active Directory schema to function. + +If you enable this policy setting and the user has redirected folders, such as the Documents and Pictures folders, the folders are redirected on the user's primary computer only. + +If you disable or do not configure this policy setting and the user has redirected folders, the folders are redirected on every computer that the user logs on to. + +> [!NOTE] +> If you enable this policy setting in Computer Configuration and User Configuration, the Computer Configuration policy setting takes precedence. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
+ + +ADMX Info: +- GP English name: *Redirect folders on primary computers only* +- GP name: *PrimaryComputerEnabledFR* +- GP path: *System/Folder Redirection* +- GP ADMX file name: *FolderRedirection.admx* + + + +
+
+
+Footnotes:
+
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-admx-help.md b/windows/client-management/mdm/policy-csp-admx-help.md
new file mode 100644
index 0000000000..6e38d6f3fa
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-admx-help.md
@@ -0,0 +1,355 @@
+---
+title: Policy CSP - ADMX_Help
+description: Policy CSP - ADMX_Help
+ms.author: dansimp
+ms.localizationpriority: medium
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.date: 09/03/2020
+ms.reviewer:
+manager: dansimp
+---
+
+# Policy CSP - ADMX_Help
+> [!WARNING]
+> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+
+
      + + +## ADMX_Help policies + +
      +
      + ADMX_Help/DisableHHDEP +
      +
      + ADMX_Help/HelpQualifiedRootDir_Comp +
      +
      + ADMX_Help/RestrictRunFromHelp +
      +
      + ADMX_Help/RestrictRunFromHelp_Comp +
      +
      + + +
      + + +**ADMX_Help/DisableHHDEP** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to exclude HTML Help Executable from being monitored by software-enforced Data Execution Prevention. + +Data Execution Prevention (DEP) is designed to block malicious code that takes advantage of exception-handling mechanisms in Windows by monitoring your programs to make sure that they use system memory safely. + +If you enable this policy setting, DEP for HTML Help Executable is turned off. This will allow certain legacy ActiveX controls to function without DEP shutting down HTML Help Executable. + +If you disable or do not configure this policy setting, DEP is turned on for HTML Help Executable. This provides an additional security benefit, but HTML Help stops if DEP detects system memory abnormalities. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off Data Execution Prevention for HTML Help Executible* +- GP name: *DisableHHDEP* +- GP path: *System* +- GP ADMX file name: *Help.admx* + + + +
      + + +**ADMX_Help/HelpQualifiedRootDir_Comp** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to restrict certain HTML Help commands to function only in HTML Help (.chm) files within specified folders and their subfolders. Alternatively, you can disable these commands on the entire system. It is strongly recommended that only folders requiring administrative privileges be added to this policy setting. + +If you enable this policy setting, the commands function only for .chm files in the specified folders and their subfolders. + +To restrict the commands to one or more folders, enable the policy setting and enter the desired folders in the text box on the Settings tab of the Policy Properties dialog box. Use a semicolon to separate folders. For example, to restrict the commands to only .chm files in the %windir%\help folder and D:\somefolder, add the following string to the edit box: "%windir%\help;D:\somefolder". + +> [!NOTE] +> An environment variable may be used, (for example, %windir%), as long as it is defined on the system. For example, %programfiles% is not defined on some early versions of Windows. + +The "Shortcut" command is used to add a link to a Help topic, and runs executables that are external to the Help file. The "WinHelp" command is used to add a link to a Help topic, and runs a WinHLP32.exe Help (.hlp) file. + +To disallow the "Shortcut" and "WinHelp" commands on the entire local system, enable the policy setting and leave the text box on the Settings tab of the Policy Properties dialog box blank. + +If you disable or do not configure this policy setting, these commands are fully functional for all Help files. + +> [!NOTE] +> Only folders on the local computer can be specified in this policy setting. You cannot use this policy setting to enable the "Shortcut" and "WinHelp" commands for .chm files that are stored on mapped drives or accessed using UNC paths. 
+ +For additional options, see the "Restrict these programs from being launched from Help" policy. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Restrict potentially unsafe HTML Help functions to specified folders* +- GP name: *HelpQualifiedRootDir* +- GP path: *System* +- GP ADMX file name: *Help.admx* + + + +
      + + +**ADMX_Help/RestrictRunFromHelp** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
      + + + +Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to restrict programs from being run from online Help. + +If you enable this policy setting, you can prevent specified programs from being run from Help. When you enable this policy setting, enter the file names names of the programs you want to restrict, separated by commas. + +If you disable or do not configure this policy setting, users can run all applications from online Help. + +> [!NOTE] +> You can also restrict users from running applications by using the Software Restriction Policy settings available in Computer Configuration\Security Settings. +> +> This policy setting is available under Computer Configuration and User Configuration. If both are settings are used, any programs listed in either of these locations cannot launched from Help. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Restrict these programs from being launched from Help* +- GP name: *DisableInHelp* +- GP path: *System* +- GP ADMX file name: *Help.admx* + + + +
      + + +**ADMX_Help/RestrictRunFromHelp_Comp** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to restrict programs from being run from online Help. + +If you enable this policy setting, you can prevent specified programs from being run from Help. When you enable this policy setting, enter the file names names of the programs you want to restrict, separated by commas. + +If you disable or do not configure this policy setting, users can run all applications from online Help. + +> [!NOTE] +> You can also restrict users from running applications by using the Software Restriction Policy settings available in Computer Configuration\Security Settings. +> +> This policy setting is available under Computer Configuration and User Configuration. If both are settings are used, any programs listed in either of these locations cannot launched from Help. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Restrict these programs from being launched from Help* +- GP name: *DisableInHelp* +- GP path: *System* +- GP ADMX file name: *Help.admx* + + + +
+
+Footnotes:
+
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-admx-helpandsupport.md b/windows/client-management/mdm/policy-csp-admx-helpandsupport.md
new file mode 100644
index 0000000000..c076fcbc0b
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-admx-helpandsupport.md
@@ -0,0 +1,331 @@
+---
+title: Policy CSP - ADMX_HelpAndSupport
+description: Policy CSP - ADMX_HelpAndSupport
+ms.author: dansimp
+ms.localizationpriority: medium
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.date: 09/03/2020
+ms.reviewer:
+manager: dansimp
+---
+
+# Policy CSP - ADMX_HelpAndSupport
+> [!WARNING]
+> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+
+
      + + +## ADMX_HelpAndSupport policies + +
      +
      + ADMX_HelpAndSupport/ActiveHelp +
      +
      + ADMX_HelpAndSupport/HPExplicitFeedback +
      +
      + ADMX_HelpAndSupport/HPImplicitFeedback +
      +
      + ADMX_HelpAndSupport/HPOnlineAssistance +
      +
      + + +
      + + +**ADMX_HelpAndSupport/ActiveHelp** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether active content links in trusted assistance content are rendered. By default, the Help viewer renders trusted assistance content with active elements such as ShellExecute links and Guided Help links. + +If you enable this policy setting, active content links are not rendered. The text is displayed, but there are no clickable links for these elements. + +If you disable or do not configure this policy setting, the default behavior applies (Help viewer renders trusted assistance content with active elements). + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off Active Help* +- GP name: *NoActiveHelp* +- GP path: *Windows Components/Online Assistance* +- GP ADMX file name: *HelpAndSupport.admx* + + + +
      + + +**ADMX_HelpAndSupport/HPExplicitFeedback** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
      + + + +Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether users can provide ratings for Help content. + +If you enable this policy setting, ratings controls are not added to Help content. + +If you disable or do not configure this policy setting, ratings controls are added to Help topics. + +Users can use the control to provide feedback on the quality and usefulness of the Help and Support content. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off Help Ratings* +- GP name: *NoExplicitFeedback* +- GP path: *System/Internet Communication Management/Internet Communication settings* +- GP ADMX file name: *HelpAndSupport.admx* + + + +
      + + +**ADMX_HelpAndSupport/HPImplicitFeedback** + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
      + + + +Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether users can participate in the Help Experience Improvement program. The Help Experience Improvement program collects information about how customers use Windows Help so that Microsoft can improve it. + +If you enable this policy setting, users cannot participate in the Help Experience Improvement program. + +If you disable or do not configure this policy setting, users can turn on the Help Experience Improvement program feature from the Help and Support settings page. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off Help Experience Improvement Program* +- GP name: *NoImplicitFeedback* +- GP path: *System/Internet Communication Management/Internet Communication settings* +- GP ADMX file name: *HelpAndSupport.admx* + + + +
      + + +**ADMX_HelpAndSupport/HPOnlineAssistance** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
      + + + +Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether users can search and view content from Windows Online in Help and Support. Windows Online provides the most up-to-date Help content for Windows. + +If you enable this policy setting, users are prevented from accessing online assistance content from Windows Online. + +If you disable or do not configure this policy setting, users can access online assistance if they have a connection to the Internet and have not disabled Windows Online from the Help and Support Options page. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off Windows Online* +- GP name: *NoOnlineAssist* +- GP path: *System/Internet Communication Management/Internet Communication settings* +- GP ADMX file name: *HelpAndSupport.admx* + + + +
+
+Footnotes:
+
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-admx-kdc.md b/windows/client-management/mdm/policy-csp-admx-kdc.md
new file mode 100644
index 0000000000..eeaae0037a
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-admx-kdc.md
@@ -0,0 +1,517 @@
+---
+title: Policy CSP - ADMX_kdc
+description: Policy CSP - ADMX_kdc
+ms.author: dansimp
+ms.localizationpriority: medium
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.date: 08/13/2020
+ms.reviewer:
+manager: dansimp
+---
+
+# Policy CSP - ADMX_kdc
+> [!WARNING]
+> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+
+
      + + +## ADMX_kdc policies + +
      +
      + ADMX_kdc/CbacAndArmor +
      +
      + ADMX_kdc/ForestSearch +
      +
      + ADMX_kdc/PKINITFreshness +
      +
      + ADMX_kdc/RequestCompoundId +
      +
      + ADMX_kdc/TicketSizeThreshold +
      +
      + ADMX_kdc/emitlili +
      +
      + + +
      + + +**ADMX_kdc/CbacAndArmor** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to configure a domain controller to support claims and compound authentication for Dynamic Access Control and Kerberos armoring using Kerberos authentication.
+
+If you enable this policy setting, client computers that support claims and compound authentication for Dynamic Access Control and are Kerberos armor-aware will use this feature for Kerberos authentication messages. This policy should be applied to all domain controllers to ensure consistent application of this policy in the domain.
+
+If you disable or do not configure this policy setting, the domain controller does not support claims, compound authentication or armoring.
+
+If you configure the "Not supported" option, the domain controller does not support claims, compound authentication or armoring which is the default behavior for domain controllers running Windows Server 2008 R2 or earlier operating systems.
+
+> [!NOTE]
+> For the following options of this KDC policy to be effective, the Kerberos Group Policy "Kerberos client support for claims, compound authentication and Kerberos armoring" must be enabled on supported systems. If the Kerberos policy setting is not enabled, Kerberos authentication messages will not use these features.
+
+If you configure "Supported", the domain controller supports claims, compound authentication and Kerberos armoring. The domain controller advertises to Kerberos client computers that the domain is capable of claims and compound authentication for Dynamic Access Control and Kerberos armoring.
+
+**Domain functional level requirements**
+
+For the options "Always provide claims" and "Fail unarmored authentication requests", when the domain functional level is set to Windows Server 2008 R2 or earlier then domain controllers behave as if the "Supported" option is selected.
+
+When the domain functional level is set to Windows Server 2012 then the domain controller advertises to Kerberos client computers that the domain is capable of claims and compound authentication for Dynamic Access Control and Kerberos armoring, and:
+
+- If you set the "Always provide claims" option, always returns claims for accounts and supports the RFC behavior for advertising the flexible authentication secure tunneling (FAST).
+- If you set the "Fail unarmored authentication requests" option, rejects unarmored Kerberos messages.
+
+> [!WARNING]
+> When "Fail unarmored authentication requests" is set, then client computers which do not support Kerberos armoring will fail to authenticate to the domain controller.
+
+To ensure this feature is effective, deploy enough domain controllers that support claims and compound authentication for Dynamic Access Control and are Kerberos armor-aware to handle the authentication requests. Insufficient number of domain controllers that support this policy result in authentication failures whenever Dynamic Access Control or Kerberos armoring is required (that is, the "Supported" option is enabled).
+
+Impact on domain controller performance when this policy setting is enabled:
+
+- Secure Kerberos domain capability discovery is required resulting in additional message exchanges.
+- Claims and compound authentication for Dynamic Access Control increases the size and complexity of the data in the message which results in more processing time and greater Kerberos service ticket size.
+- Kerberos armoring fully encrypts Kerberos messages and signs Kerberos errors which results in increased processing time, but does not change the service ticket size.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *KDC support for claims, compound authentication and Kerberos armoring*
+- GP name: *EnableCbacAndArmor*
+- GP path: *System/KDC*
+- GP ADMX file name: *kdc.admx*
+
+
+
+
      + + +**ADMX_kdc/ForestSearch** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Available in Windows 10 Insider Preview Build 20185. This policy setting defines the list of trusting forests that the Key Distribution Center (KDC) searches when attempting to resolve two-part service principal names (SPNs). + +If you enable this policy setting, the KDC will search the forests in this list if it is unable to resolve a two-part SPN in the local forest. The forest search is performed by using a global catalog or name suffix hints. If a match is found, the KDC will return a referral ticket to the client for the appropriate domain. + +If you disable or do not configure this policy setting, the KDC will not search the listed forests to resolve the SPN. If the KDC is unable to resolve the SPN because the name is not found, NTLM authentication might be used. + +To ensure consistent behavior, this policy setting must be supported and set identically on all domain controllers in the domain. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Use forest search order* +- GP name: *UseForestSearch* +- GP path: *System/KDC* +- GP ADMX file name: *kdc.admx* + + + +
      + + +**ADMX_kdc/PKINITFreshness** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+
+
+
+Available in Windows 10 Insider Preview Build 20185. Support for PKInit Freshness Extension requires Windows Server 2016 domain functional level (DFL). If the domain controller’s domain is not at Windows Server 2016 DFL or higher this policy will not be applied.
+
+This policy setting allows you to configure a domain controller (DC) to support the PKInit Freshness Extension.
+
+If you enable this policy setting, the following options are supported:
+
+Supported: PKInit Freshness Extension is supported on request. Kerberos clients successfully authenticating with the PKInit Freshness Extension will get the fresh public key identity SID.
+
+Required: PKInit Freshness Extension is required for successful authentication. Kerberos clients which do not support the PKInit Freshness Extension will always fail when using public key credentials.
+
+If you disable or not configure this policy setting, then the DC will never offer the PKInit Freshness Extension and accept valid authentication requests without checking for freshness. Users will never receive the fresh public key identity SID.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *KDC support for PKInit Freshness Extension*
+- GP name: *PKINITFreshness*
+- GP path: *System/KDC*
+- GP ADMX file name: *kdc.admx*
+
+
+
+
      + + +**ADMX_kdc/RequestCompoundId** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to configure a domain controller to request compound authentication. + +> [!NOTE] +> For a domain controller to request compound authentication, the policy "KDC support for claims, compound authentication, and Kerberos armoring" must be configured and enabled. + +If you enable this policy setting, domain controllers will request compound authentication. The returned service ticket will contain compound authentication only when the account is explicitly configured. This policy should be applied to all domain controllers to ensure consistent application of this policy in the domain. + +If you disable or do not configure this policy setting, domain controllers will return service tickets that contain compound authentication any time the client sends a compound authentication request regardless of the account configuration. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Request compound authentication* +- GP name: *RequestCompoundId* +- GP path: *System/KDC* +- GP ADMX file name: *kdc.admx* + + + +
      + + +**ADMX_kdc/TicketSizeThreshold** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to configure at what size Kerberos tickets will trigger the warning event issued during Kerberos authentication. The ticket size warnings are logged in the System log. + +If you enable this policy setting, you can set the threshold limit for Kerberos ticket which trigger the warning events. If set too high, then authentication failures might be occurring even though warning events are not being logged. If set too low, then there will be too many ticket warnings in the log to be useful for analysis. This value should be set to the same value as the Kerberos policy "Set maximum Kerberos SSPI context token buffer size" or the smallest MaxTokenSize used in your environment if you are not configuring using Group Policy. + +If you disable or do not configure this policy setting, the threshold value defaults to 12,000 bytes, which is the default Kerberos MaxTokenSize for Windows 7, Windows Server 2008 R2 and prior versions. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Warning for large Kerberos tickets* +- GP name: *EnableTicketSizeThreshold* +- GP path: *System/KDC* +- GP ADMX file name: *kdc.admx* + + + +
      + + +**ADMX_kdc/emitlili** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Available in Windows 10 Insider Preview Build 20185. This policy setting controls whether the domain controller provides information about previous logons to client computers. + +If you enable this policy setting, the domain controller provides the information message about previous logons. + +For Windows Logon to leverage this feature, the "Display information about previous logons during user logon" policy setting located in the Windows Logon Options node under Windows Components also needs to be enabled. + +If you disable or do not configure this policy setting, the domain controller does not provide information about previous logons unless the "Display information about previous logons during user logon" policy setting is enabled. + +> [!NOTE] +> Information about previous logons is provided only if the domain functional level is Windows Server 2008. In domains with a domain functional level of Windows Server 2003, Windows 2000 native, or Windows 2000 mixed, domain controllers cannot provide information about previous logons, and enabling this policy setting does not affect anything. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Provide information about previous logons to client computers* +- GP name: *EmitLILI* +- GP path: *System/KDC* +- GP ADMX file name: *kdc.admx* + + + +
+
+Footnotes:
+
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-admx-lanmanserver.md b/windows/client-management/mdm/policy-csp-admx-lanmanserver.md
new file mode 100644
index 0000000000..0e85c41572
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-admx-lanmanserver.md
@@ -0,0 +1,381 @@
+---
+title: Policy CSP - ADMX_LanmanServer
+description: Policy CSP - ADMX_LanmanServer
+ms.author: dansimp
+ms.localizationpriority: medium
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.date: 08/13/2020
+ms.reviewer:
+manager: dansimp
+---
+
+# Policy CSP - ADMX_LanmanServer
+> [!WARNING]
+> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+
+
      + + +## ADMX_LanmanServer policies + +
      +
      + ADMX_LanmanServer/Pol_CipherSuiteOrder +
      +
      + ADMX_LanmanServer/Pol_HashPublication +
      +
      + ADMX_LanmanServer/Pol_HashSupportVersion +
      +
      + ADMX_LanmanServer/Pol_HonorCipherSuiteOrder +
      +
      + + +
      + + +**ADMX_LanmanServer/Pol_CipherSuiteOrder** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting determines the cipher suites used by the SMB server.
+
+If you enable this policy setting, cipher suites are prioritized in the order specified.
+
+If you enable this policy setting and do not specify at least one supported cipher suite, or if you disable or do not configure this policy setting, the default cipher suite order is used.
+
+SMB 3.11 cipher suites:
+
+- AES_128_GCM
+- AES_128_CCM
+
+SMB 3.0 and 3.02 cipher suites:
+
+- AES_128_CCM
+
+**How to modify this setting:**
+
+Arrange the desired cipher suites in the edit box, one cipher suite per line, in order from most to least preferred, with the most preferred cipher suite at the top. Remove any cipher suites you don't want to use.
+
+> [!NOTE]
+> When configuring this security setting, changes will not take effect until you restart Windows.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Cipher suite order*
+- GP name: *CipherSuiteOrder*
+- GP path: *Network/Lanman Server*
+- GP ADMX file name: *LanmanServer.admx*
+
+
+
+
      + + + +
      + + +**ADMX_LanmanServer/Pol_HashPublication** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether a hash generation service generates hashes, also called content information, for data that is stored in shared folders. This policy setting must be applied to server computers that have the File Services role and both the File Server and the BranchCache for Network Files role services installed. + +Policy configuration + +Select one of the following: + +- Not Configured. With this selection, hash publication settings are not applied to file servers. In the circumstance where file servers are domain members but you do not want to enable BranchCache on all file servers, you can specify Not Configured for this domain Group Policy setting, and then configure local machine policy to enable BranchCache on individual file servers. Because the domain Group Policy setting is not configured, it will not over-write the enabled setting that you use on individual servers where you want to enable BranchCache. +- Enabled. With this selection, hash publication is turned on for all file servers where Group Policy is applied. For example, if Hash Publication for BranchCache is enabled in domain Group Policy, hash publication is turned on for all domain member file servers to which the policy is applied. The file servers are then able to create content information for all content that is stored in BranchCache-enabled file shares. +- Disabled. With this selection, hash publication is turned off for all file servers where Group Policy is applied. + +In circumstances where this policy setting is enabled, you can also select the following configuration options: + +- Allow hash publication for all shared folders. With this option, BranchCache generates content information for all content in all shares on the file server. +- Allow hash publication only for shared folders on which BranchCache is enabled. 
With this option, content information is generated only for shared folders on which BranchCache is enabled. If you use this setting, you must enable BranchCache for individual shares in Share and Storage Management on the file server. +- Disallow hash publication on all shared folders. With this option, BranchCache does not generate content information for any shares on the computer and does not send content information to client computers that request content. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Hash Publication for BranchCache* +- GP name: *HashPublicationForPeerCaching* +- GP path: *Network/Lanman Server* +- GP ADMX file name: *LanmanServer.admx* + + + +
      + + + +
      + + +**ADMX_LanmanServer/Pol_HashSupportVersion** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether the BranchCache hash generation service supports version 1 (V1) hashes, version 2 (V2) hashes, or both V1 and V2 hashes. Hashes, also called content information, are created based on the data in shared folders where BranchCache is enabled. + +If you specify only one version that is supported, content information for that version is the only type that is generated by BranchCache, and it is the only type of content information that can be retrieved by client computers. For example, if you enable support for V1 hashes, BranchCache generates only V1 hashes and client computers can retrieve only V1 hashes. + +Policy configuration + +Select one of the following: + +- Not Configured. With this selection, BranchCache settings are not applied to client computers by this policy setting. In this circumstance, which is the default, both V1 and V2 hash generation and retrieval are supported. +- Enabled. With this selection, the policy setting is applied and the hash version(s) that are specified in "Hash version supported" are generated and retrieved. +- Disabled. With this selection, both V1 and V2 hash generation and retrieval are supported. + +In circumstances where this setting is enabled, you can also select and configure the following option: + +Hash version supported: + +- To support V1 content information only, configure "Hash version supported" with the value of 1. +- To support V2 content information only, configure "Hash version supported" with the value of 2. +- To support both V1 and V2 content information, configure "Hash version supported" with the value of 3. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. 
For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Hash Version support for BranchCache* +- GP name: *HashSupportVersion* +- GP path: *Network/Lanman Server* +- GP ADMX file name: *LanmanServer.admx* + + + +
      + + +**ADMX_LanmanServer/Pol_HonorCipherSuiteOrder** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting determines how the SMB server selects a cipher suite when negotiating a new connection with an SMB client.
+
+If you enable this policy setting, the SMB server will select the cipher suite it most prefers from the list of client-supported cipher suites, ignoring the client's preferences.
+
+If you disable or do not configure this policy setting, the SMB server will select the cipher suite the client most prefers from the list of server-supported cipher suites.
+
+> [!NOTE]
+> When configuring this security setting, changes will not take effect until you restart Windows.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Honor cipher suite order*
+- GP name: *HonorCipherSuiteOrder*
+- GP path: *Network/Lanman Server*
+- GP ADMX file name: *LanmanServer.admx*
+
+
+
+
+
+Footnotes:
+
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-admx-linklayertopologydiscovery.md b/windows/client-management/mdm/policy-csp-admx-linklayertopologydiscovery.md
new file mode 100644
index 0000000000..8b7e93c9b9
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-admx-linklayertopologydiscovery.md
@@ -0,0 +1,190 @@
+---
+title: Policy CSP - ADMX_LinkLayerTopologyDiscovery
+description: Policy CSP - ADMX_LinkLayerTopologyDiscovery
+ms.author: dansimp
+ms.localizationpriority: medium
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.date: 09/04/2020
+ms.reviewer:
+manager: dansimp
+---
+
+# Policy CSP - ADMX_LinkLayerTopologyDiscovery
+> [!WARNING]
+> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+
+
      + + +## ADMX_LinkLayerTopologyDiscovery policies + +
      +
      + ADMX_LinkLayerTopologyDiscovery/LLTD_EnableLLTDIO +
      +
      + ADMX_LinkLayerTopologyDiscovery/LLTD_EnableRspndr +
      +
      + + +
      + + +**ADMX_LinkLayerTopologyDiscovery/LLTD_EnableLLTDIO** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      +
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting changes the operational behavior of the Mapper I/O network protocol driver.
+
+LLTDIO allows a computer to discover the topology of a network it's connected to. It also allows a computer to initiate Quality-of-Service requests such as bandwidth estimation and network health analysis.
+
+If you enable this policy setting, additional options are available to fine-tune your selection. You may choose the "Allow operation while in domain" option to allow LLTDIO to operate on a network interface that's connected to a managed network. On the other hand, if a network interface is connected to an unmanaged network, you may choose the "Allow operation while in public network" and "Prohibit operation while in private network" options instead.
+
+If you disable or do not configure this policy setting, the default behavior of LLTDIO will apply.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn on Mapper I/O (LLTDIO) driver*
+- GP name: *EnableLLTDIO*
+- GP path: *Network/Link-Layer Topology Discovery*
+- GP ADMX file name: *LinkLayerTopologyDiscovery.admx*
+
+
+
+
      + + +**ADMX_LinkLayerTopologyDiscovery/LLTD_EnableRspndr** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      +
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting changes the operational behavior of the Responder network protocol driver.
+
+The Responder allows a computer to participate in Link Layer Topology Discovery requests so that it can be discovered and located on the network. It also allows a computer to participate in Quality-of-Service activities such as bandwidth estimation and network health analysis.
+
+If you enable this policy setting, additional options are available to fine-tune your selection. You may choose the "Allow operation while in domain" option to allow the Responder to operate on a network interface that's connected to a managed network. On the other hand, if a network interface is connected to an unmanaged network, you may choose the "Allow operation while in public network" and "Prohibit operation while in private network" options instead.
+
+If you disable or do not configure this policy setting, the default behavior for the Responder will apply.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn on Responder (RSPNDR) driver*
+- GP name: *EnableRspndr*
+- GP path: *Network/Link-Layer Topology Discovery*
+- GP ADMX file name: *LinkLayerTopologyDiscovery.admx*
+
+
+
+
      +
+Footnotes:
+
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-admx-mmc.md b/windows/client-management/mdm/policy-csp-admx-mmc.md
new file mode 100644
index 0000000000..0766bd3fa0
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-admx-mmc.md
@@ -0,0 +1,445 @@
+---
+title: Policy CSP - ADMX_MMC
+description: Policy CSP - ADMX_MMC
+ms.author: dansimp
+ms.localizationpriority: medium
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.date: 09/03/2020
+ms.reviewer:
+manager: dansimp
+---
+
+# Policy CSP - ADMX_MMC
+> [!WARNING]
+> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+
+
      + + +## ADMX_MMC policies + +
      +
      + ADMX_MMC/MMC_ActiveXControl +
      +
      + ADMX_MMC/MMC_ExtendView +
      +
      + ADMX_MMC/MMC_LinkToWeb +
      +
      + ADMX_MMC/MMC_Restrict_Author +
      +
      + ADMX_MMC/MMC_Restrict_To_Permitted_Snapins +
      +
      + + +
      + + +**ADMX_MMC/MMC_ActiveXControl** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
      + + + +Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits use of this snap-in. + +If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited. + +If this setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. + +- If "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. + +To explicitly permit use of this snap-in, enable this setting. If this setting is not configured (or disabled), this snap-in is prohibited. + +- If "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. + +To explicitly prohibit use of this snap-in, disable this setting. If this setting is not configured (or enabled), the snap-in is permitted. + +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
+ + +ADMX Info: +- GP English name: *ActiveX Control* +- GP name: *Restrict_Run* +- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* +- GP ADMX file name: *MMC.admx* + + + +
      + + +**ADMX_MMC/MMC_ExtendView** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
      + + + +Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits use of this snap-in. + +If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited. + +If this setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. + +- If "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. + +To explicitly permit use of this snap-in, enable this setting. If this setting is not configured (or disabled), this snap-in is prohibited. + +- If "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. + +To explicitly prohibit use of this snap-in, disable this setting. If this setting is not configured (or enabled), the snap-in is permitted. + +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
+ + +ADMX Info: +- GP English name: *Extended View (Web View)* +- GP name: *Restrict_Run* +- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins* +- GP ADMX file name: *MMC.admx* + + + +
      + + +**ADMX_MMC/MMC_LinkToWeb** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
      + + + +Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits use of this snap-in. + +If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited. + +If this setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. + +- If "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. + +To explicitly permit use of this snap-in, enable this setting. If this setting is not configured (or disabled), this snap-in is prohibited. + +- If "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. + +To explicitly prohibit use of this snap-in, disable this setting. If this setting is not configured (or enabled), the snap-in is permitted. + +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
+ + +ADMX Info: +- GP English name: *Link to Web Address* +- GP name: *Restrict_Run* +- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* +- GP ADMX file name: *MMC.admx* + + + +
      + + +**ADMX_MMC/MMC_Restrict_Author** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
      +
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting prevents users from entering author mode.
+
+This setting prevents users from opening the Microsoft Management Console (MMC) in author mode, explicitly opening console files in author mode, and opening any console files that open in author mode by default.
+
+As a result, users cannot create console files or add or remove snap-ins. Also, because they cannot open author-mode console files, they cannot use the tools that the files contain.
+
+This setting permits users to open MMC user-mode console files, such as those on the Administrative Tools menu in Windows 2000 Server family or Windows Server 2003 family. However, users cannot open a blank MMC console window on the Start menu. (To open the MMC, click Start, click Run, and type mmc.) Users also cannot open a blank MMC console window from a command prompt.
+
+If you disable this setting or do not configure it, users can enter author mode and open author-mode console files.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Restrict the user from entering author mode*
+- GP name: *RestrictAuthorMode*
+- GP path: *Windows Components\Microsoft Management Console*
+- GP ADMX file name: *MMC.admx*
+
+
+
+
      + + +**ADMX_MMC/MMC_Restrict_To_Permitted_Snapins** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
      + + + +Available in Windows 10 Insider Preview Build 20185. This policy setting lets you selectively permit or prohibit the use of Microsoft Management Console (MMC) snap-ins. + +- If you enable this setting, all snap-ins are prohibited, except those that you explicitly permit. Use this setting if you plan to prohibit use of most snap-ins. + +To explicitly permit a snap-in, open the Restricted/Permitted snap-ins setting folder and enable the settings representing the snap-in you want to permit. If a snap-in setting in the folder is disabled or not configured, the snap-in is prohibited. + +- If you disable this setting or do not configure it, all snap-ins are permitted, except those that you explicitly prohibit. Use this setting if you plan to permit use of most snap-ins. + +To explicitly prohibit a snap-in, open the Restricted/Permitted snap-ins setting folder and then disable the settings representing the snap-ins you want to prohibit. If a snap-in setting in the folder is enabled or not configured, the snap-in is permitted. + +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + +> [!NOTE] +> If you enable this setting, and you do not enable any settings in the Restricted/Permitted snap-ins folder, users cannot use any MMC snap-ins. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. 
To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Restrict users to the explicitly permitted list of snap-ins* +- GP name: *RestrictToPermittedSnapins* +- GP path: *Windows Components\Microsoft Management Console* +- GP ADMX file name: *MMC.admx* + + + +
      +
+Footnotes:
+
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-admx-mmcsnapins.md b/windows/client-management/mdm/policy-csp-admx-mmcsnapins.md
new file mode 100644
index 0000000000..6b0df4c223
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-admx-mmcsnapins.md
@@ -0,0 +1,8450 @@
+---
+title: Policy CSP - ADMX_MMCSnapins
+description: Policy CSP - ADMX_MMCSnapins
+ms.author: dansimp
+ms.localizationpriority: medium
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.date: 08/13/2020
+ms.reviewer:
+manager: dansimp
+---
+
+# Policy CSP - ADMX_MMCSnapins
+> [!WARNING]
+> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+
+
      + + +## ADMX_MMCSnapins policies + +
      +
      + ADMX_MMCSnapins/MMC_ADMComputers_1 +
      +
      + ADMX_MMCSnapins/MMC_ADMComputers_2 +
      +
      + ADMX_MMCSnapins/MMC_ADMUsers_1 +
      +
      + ADMX_MMCSnapins/MMC_ADMUsers_2 +
      +
      + ADMX_MMCSnapins/MMC_ADSI +
      +
      + ADMX_MMCSnapins/MMC_ActiveDirDomTrusts +
      +
      + ADMX_MMCSnapins/MMC_ActiveDirSitesServices +
      +
      + ADMX_MMCSnapins/MMC_ActiveDirUsersComp +
      +
      + ADMX_MMCSnapins/MMC_AppleTalkRouting +
      +
      + ADMX_MMCSnapins/MMC_AuthMan +
      +
      + ADMX_MMCSnapins/MMC_CertAuth +
      +
      + ADMX_MMCSnapins/MMC_CertAuthPolSet +
      +
      + ADMX_MMCSnapins/MMC_Certs +
      +
      + ADMX_MMCSnapins/MMC_CertsTemplate +
      +
      + ADMX_MMCSnapins/MMC_ComponentServices +
      +
      + ADMX_MMCSnapins/MMC_ComputerManagement +
      +
      + ADMX_MMCSnapins/MMC_ConnectionSharingNAT +
      +
      + ADMX_MMCSnapins/MMC_DCOMCFG +
      +
      + ADMX_MMCSnapins/MMC_DFS +
      +
      + ADMX_MMCSnapins/MMC_DHCPRelayMgmt +
      +
      + ADMX_MMCSnapins/MMC_DeviceManager_1 +
      +
      + ADMX_MMCSnapins/MMC_DeviceManager_2 +
      +
      + ADMX_MMCSnapins/MMC_DiskDefrag +
      +
      + ADMX_MMCSnapins/MMC_DiskMgmt +
      +
      + ADMX_MMCSnapins/MMC_EnterprisePKI +
      +
      + ADMX_MMCSnapins/MMC_EventViewer_1 +
      +
      + ADMX_MMCSnapins/MMC_EventViewer_2 +
      +
      + ADMX_MMCSnapins/MMC_EventViewer_3 +
      +
      + ADMX_MMCSnapins/MMC_EventViewer_4 +
      +
      + ADMX_MMCSnapins/MMC_FAXService +
      +
      + ADMX_MMCSnapins/MMC_FailoverClusters +
      +
      + ADMX_MMCSnapins/MMC_FolderRedirection_1 +
      +
      + ADMX_MMCSnapins/MMC_FolderRedirection_2 +
      +
      + ADMX_MMCSnapins/MMC_FrontPageExt +
      +
      + ADMX_MMCSnapins/MMC_GroupPolicyManagementSnapIn +
      +
      + ADMX_MMCSnapins/MMC_GroupPolicySnapIn +
      +
      + ADMX_MMCSnapins/MMC_GroupPolicyTab +
      +
      + ADMX_MMCSnapins/MMC_HRA +
      +
      + ADMX_MMCSnapins/MMC_IAS +
      +
      + ADMX_MMCSnapins/MMC_IASLogging +
      +
      + ADMX_MMCSnapins/MMC_IEMaintenance_1 +
      +
      + ADMX_MMCSnapins/MMC_IEMaintenance_2 +
      +
      + ADMX_MMCSnapins/MMC_IGMPRouting +
      +
      + ADMX_MMCSnapins/MMC_IIS +
      +
      + ADMX_MMCSnapins/MMC_IPRouting +
      +
      + ADMX_MMCSnapins/MMC_IPSecManage_GP +
      +
      + ADMX_MMCSnapins/MMC_IPXRIPRouting +
      +
      + ADMX_MMCSnapins/MMC_IPXRouting +
      +
      + ADMX_MMCSnapins/MMC_IPXSAPRouting +
      +
      + ADMX_MMCSnapins/MMC_IndexingService +
      +
      + ADMX_MMCSnapins/MMC_IpSecManage +
      +
      + ADMX_MMCSnapins/MMC_IpSecMonitor +
      +
      + ADMX_MMCSnapins/MMC_LocalUsersGroups +
      +
      + ADMX_MMCSnapins/MMC_LogicalMappedDrives +
      +
      + ADMX_MMCSnapins/MMC_NPSUI +
      +
      + ADMX_MMCSnapins/MMC_NapSnap +
      +
      + ADMX_MMCSnapins/MMC_NapSnap_GP +
      +
      + ADMX_MMCSnapins/MMC_Net_Framework +
      +
      + ADMX_MMCSnapins/MMC_OCSP +
      +
      + ADMX_MMCSnapins/MMC_OSPFRouting +
      +
      + ADMX_MMCSnapins/MMC_PerfLogsAlerts +
      +
      + ADMX_MMCSnapins/MMC_PublicKey +
      +
      + ADMX_MMCSnapins/MMC_QoSAdmission +
      +
      + ADMX_MMCSnapins/MMC_RAS_DialinUser +
      +
      + ADMX_MMCSnapins/MMC_RIPRouting +
      +
      + ADMX_MMCSnapins/MMC_RIS +
      +
      + ADMX_MMCSnapins/MMC_RRA +
      +
      + ADMX_MMCSnapins/MMC_RSM +
      +
      + ADMX_MMCSnapins/MMC_RemStore +
      +
      + ADMX_MMCSnapins/MMC_RemoteAccess +
      +
      + ADMX_MMCSnapins/MMC_RemoteDesktop +
      +
      + ADMX_MMCSnapins/MMC_ResultantSetOfPolicySnapIn +
      +
      + ADMX_MMCSnapins/MMC_Routing +
      +
      + ADMX_MMCSnapins/MMC_SCA +
      +
      + ADMX_MMCSnapins/MMC_SMTPProtocol +
      +
      + ADMX_MMCSnapins/MMC_SNMP +
      +
      + ADMX_MMCSnapins/MMC_ScriptsMachine_1 +
      +
      + ADMX_MMCSnapins/MMC_ScriptsMachine_2 +
      +
      + ADMX_MMCSnapins/MMC_ScriptsUser_1 +
      +
      + ADMX_MMCSnapins/MMC_ScriptsUser_2 +
      +
      + ADMX_MMCSnapins/MMC_SecuritySettings_1 +
      +
      + ADMX_MMCSnapins/MMC_SecuritySettings_2 +
      +
      + ADMX_MMCSnapins/MMC_SecurityTemplates +
      +
      + ADMX_MMCSnapins/MMC_SendConsoleMessage +
      +
      + ADMX_MMCSnapins/MMC_ServerManager +
      +
      + ADMX_MMCSnapins/MMC_ServiceDependencies +
      +
      + ADMX_MMCSnapins/MMC_Services +
      +
      + ADMX_MMCSnapins/MMC_SharedFolders +
      +
      + ADMX_MMCSnapins/MMC_SharedFolders_Ext +
      +
      + ADMX_MMCSnapins/MMC_SoftwareInstalationComputers_1 +
      +
      + ADMX_MMCSnapins/MMC_SoftwareInstalationComputers_2 +
      +
      + ADMX_MMCSnapins/MMC_SoftwareInstallationUsers_1 +
      +
      + ADMX_MMCSnapins/MMC_SoftwareInstallationUsers_2 +
      +
      + ADMX_MMCSnapins/MMC_SysInfo +
      +
      + ADMX_MMCSnapins/MMC_SysProp +
      +
      + ADMX_MMCSnapins/MMC_TPMManagement +
      +
      + ADMX_MMCSnapins/MMC_Telephony +
      +
      + ADMX_MMCSnapins/MMC_TerminalServices +
      +
      + ADMX_MMCSnapins/MMC_WMI +
      +
      + ADMX_MMCSnapins/MMC_WindowsFirewall +
      +
      + ADMX_MMCSnapins/MMC_WindowsFirewall_GP +
      +
      + ADMX_MMCSnapins/MMC_WiredNetworkPolicy +
      +
      + ADMX_MMCSnapins/MMC_WirelessMon +
      +
      + ADMX_MMCSnapins/MMC_WirelessNetworkPolicy +
      +
      + + +
      + + +**ADMX_MMCSnapins/MMC_ADMComputers_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
      + + + +Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. + +If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. + +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. + +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. + +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. + +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. + +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. 
For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Administrative Templates (Computers)* +- GP name: *Restrict_Run* +- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy snap-in extensions* +- GP ADMX file name: *MMCSnapins.admx* + + + +
      + + +**ADMX_MMCSnapins/MMC_ADMComputers_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
      + + + +Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. + +If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. + +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. + +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. + +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. + +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. + +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. 
For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Administrative Templates (Computers)* +- GP name: *Restrict_Run* +- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Resultant Set of Policy snap-in extensions* +- GP ADMX file name: *MMCSnapins.admx* + + + + +
      + + +**ADMX_MMCSnapins/MMC_ADMUsers_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+
+If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
+
+If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in.
+
+If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted.
+
+When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Administrative Templates (Users)*
+- GP name: *Restrict_Run*
+- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy snap-in extensions*
+- GP ADMX file name: *MMCSnapins.admx*
+
+
+
+
+
      + + +**ADMX_MMCSnapins/MMC_ADMUsers_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+
+If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
+
+If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in.
+
+If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted.
+
+When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Administrative Templates (Users)*
+- GP name: *Restrict_Run*
+- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Resultant Set of Policy snap-in extensions*
+- GP ADMX file name: *MMCSnapins.admx*
+
+
+
+
+
      + + +**ADMX_MMCSnapins/MMC_ADSI** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+
+If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
+
+If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in.
+
+If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted.
+
+When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *ADSI Edit*
+- GP name: *Restrict_Run*
+- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
+- GP ADMX file name: *MMCSnapins.admx*
+
+
+
+
+
      + + +**ADMX_MMCSnapins/MMC_ActiveDirDomTrusts** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+
+If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
+
+If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in.
+
+If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted.
+
+When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable.For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Active Directory Domains and Trusts*
+- GP name: *Restrict_Run*
+- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
+- GP ADMX file name: *MMCSnapins.admx*
+
+
+
+
+
      + + +**ADMX_MMCSnapins/MMC_ActiveDirSitesServices** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+
+If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
+
+If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in.
+
+If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted.
+
+When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable.For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Active Directory Sites and Services*
+- GP name: *Restrict_Run*
+- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
+- GP ADMX file name: *MMCSnapins.admx*
+
+
+
+
+
      + + +**ADMX_MMCSnapins/MMC_ActiveDirUsersComp** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+
+If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
+
+If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in.
+
+If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted.
+
+When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Active Directory Users and Computers*
+- GP name: *Restrict_Run*
+- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
+- GP ADMX file name: *MMCSnapins.admx*
+
+
+
+
+
      + + +**ADMX_MMCSnapins/MMC_AppleTalkRouting** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+
+If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
+
+If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in.
+
+If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted.
+
+When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *AppleTalk Routing*
+- GP name: *Restrict_Run*
+- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins*
+- GP ADMX file name: *MMCSnapins.admx*
+
+
+
+
+
      + + +**ADMX_MMCSnapins/MMC_AuthMan** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+
+If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
+
+If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in.
+
+If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted.
+
+When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Authorization Manager*
+- GP name: *Restrict_Run*
+- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins*
+- GP ADMX file name: *MMCSnapins.admx*
+
+
+
+
+
      + + +**ADMX_MMCSnapins/MMC_CertAuth** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+
+If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
+
+If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in.
+
+If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted.
+
+When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Certification Authority*
+- GP name: *Restrict_Run*
+- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
+- GP ADMX file name: *MMCSnapins.admx*
+
+
+
+
+
      + + +**ADMX_MMCSnapins/MMC_CertAuthPolSet** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+
+If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
+
+If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in.
+
+If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted.
+
+When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear.
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Certification Authority Policy Settings*
+- GP name: *Restrict_Run*
+- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins*
+- GP ADMX file name: *MMCSnapins.admx*
+
+
+
+
+
      + + +**ADMX_MMCSnapins/MMC_Certs** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+
+If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
+
+If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in.
+
+If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted.
+
+When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear.
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Certificates*
+- GP name: *Restrict_Run*
+- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
+- GP ADMX file name: *MMCSnapins.admx*
+
+
+
+
+
      + + +**ADMX_MMCSnapins/MMC_CertsTemplate** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
      + + + +Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. + +If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. + +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. + +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. + +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. + +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. + +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. 
For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Certificate Templates* +- GP name: *Restrict_Run* +- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* +- GP ADMX file name: *MMCSnapins.admx* + + + + +
      + + +**ADMX_MMCSnapins/MMC_ComponentServices** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
      + + + +Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. + +If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. + +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. + +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. + +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. + +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. + +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. 
For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Component Services* +- GP name: *Restrict_Run* +- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* +- GP ADMX file name: *MMCSnapins.admx* + + + + +
      + + +**ADMX_MMCSnapins/MMC_ComputerManagement** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
      + + + +Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. + +If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. + +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. + +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. + +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. + +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. + +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. 
For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Computer Management* +- GP name: *Restrict_Run* +- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* +- GP ADMX file name: *MMCSnapins.admx* + + + + +
      + + +**ADMX_MMCSnapins/MMC_ConnectionSharingNAT** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
      + + + +Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. + +If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. + +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. + +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. + +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. + +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. + +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. 
For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Connection Sharing (NAT)* +- GP name: *Restrict_Run* +- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins* +- GP ADMX file name: *MMCSnapins.admx* + + + + +
      + + +**ADMX_MMCSnapins/MMC_DCOMCFG** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
      + + + +Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. + +If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. + +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. + +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. + +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. + +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. + +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. 
For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *DCOM Configuration Extension* +- GP name: *Restrict_Run* +- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins* +- GP ADMX file name: *MMCSnapins.admx* + + + + +
      + + +**ADMX_MMCSnapins/MMC_DFS** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
      + + + +Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. + +If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. + +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. + +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. + +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. + +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. + +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. 
For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Distributed File System* +- GP name: *Restrict_Run* +- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* +- GP ADMX file name: *MMCSnapins.admx* + + + + +
      + + +**ADMX_MMCSnapins/MMC_DHCPRelayMgmt** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
      + + + +Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. + +If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. + +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. + +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. + +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. + +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. + +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. 
For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *DHCP Relay Management* +- GP name: *Restrict_Run* +- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins* +- GP ADMX file name: *MMCSnapins.admx* + + + + +
      + + +**ADMX_MMCSnapins/MMC_DeviceManager_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
      + + + +Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. + +If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. + +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. + +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. + +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. + +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. + +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. 
For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Device Manager* +- GP name: *Restrict_Run* +- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins* +- GP ADMX file name: *MMCSnapins.admx* + + + + +
      + + +**ADMX_MMCSnapins/MMC_DeviceManager_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
      + + + +Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. + +If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. + +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. + +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. + +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. + +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. + +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. 
For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Device Manager* +- GP name: *Restrict_Run* +- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* +- GP ADMX file name: *MMCSnapins.admx* + + + + +
      + + +**ADMX_MMCSnapins/MMC_DiskDefrag** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
      + + + +Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. + +If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. + +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. + +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. + +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. + +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. + +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. 
For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Disk Defragmenter* +- GP name: *Restrict_Run* +- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* +- GP ADMX file name: *MMCSnapins.admx* + + + + +
      + + +**ADMX_MMCSnapins/MMC_DiskMgmt** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
      + + + +Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. + +If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. + +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. + +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. + +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. + +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. + +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. 
For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Disk Management* +- GP name: *Restrict_Run* +- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* +- GP ADMX file name: *MMCSnapins.admx* + + + + +
      + + +**ADMX_MMCSnapins/MMC_EnterprisePKI** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+
+If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
+
+If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in.
+
+If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted.
+
+When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear.
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>.
For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Enterprise PKI*
+- GP name: *Restrict_Run*
+- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
+- GP ADMX file name: *MMCSnapins.admx*
+
+
+
+
+
      + + +**ADMX_MMCSnapins/MMC_EventViewer_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+
+If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
+
+If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in.
+
+If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted.
+
+When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear.
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>.
For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Event Viewer*
+- GP name: *Restrict_Run*
+- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins*
+- GP ADMX file name: *MMCSnapins.admx*
+
+
+
+
+
      + + +**ADMX_MMCSnapins/MMC_EventViewer_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+
+If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
+
+If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in.
+
+If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted.
+
+When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear.
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>.
For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Event Viewer (Windows Vista)*
+- GP name: *Restrict_Run*
+- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins*
+- GP ADMX file name: *MMCSnapins.admx*
+
+
+
+
+
      + + +**ADMX_MMCSnapins/MMC_EventViewer_3** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+
+If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
+
+If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in.
+
+If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted.
+
+When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear.
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>.
For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Event Viewer*
+- GP name: *Restrict_Run*
+- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
+- GP ADMX file name: *MMCSnapins.admx*
+
+
+
+
+
      + + +**ADMX_MMCSnapins/MMC_EventViewer_4** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+
+If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
+
+If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in.
+
+If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted.
+
+When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear.
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>.
For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Event Viewer (Windows Vista)*
+- GP name: *Restrict_Run*
+- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
+- GP ADMX file name: *MMCSnapins.admx*
+
+
+
+
+
+
      + + +**ADMX_MMCSnapins/MMC_EventViewer_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+
+If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
+
+If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in.
+
+If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted.
+
+When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear.
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>.
For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Event Viewer (Windows Vista)*
+- GP name: *Restrict_Run*
+- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
+- GP ADMX file name: *MMCSnapins.admx*
+
+
+
+
+
      + + +**ADMX_MMCSnapins/MMC_FAXService** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+
+If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
+
+If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in.
+
+If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted.
+
+When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear.
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>.
For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *FAX Service*
+- GP name: *Restrict_Run*
+- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
+- GP ADMX file name: *MMCSnapins.admx*
+
+
+
+
+
      + + +**ADMX_MMCSnapins/MMC_FailoverClusters** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+
+If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
+
+If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in.
+
+If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted.
+
+When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear.
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>.
For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Failover Clusters Manager*
+- GP name: *Restrict_Run*
+- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
+- GP ADMX file name: *MMCSnapins.admx*
+
+
+
+
+
      + + +**ADMX_MMCSnapins/MMC_FolderRedirection_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+
+If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
+
+If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in.
+
+If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted.
+
+When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear.
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>.
For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Folder Redirection*
+- GP name: *Restrict_Run*
+- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy snap-in extensions*
+- GP ADMX file name: *MMCSnapins.admx*
+
+
+
+
+
      + + +**ADMX_MMCSnapins/MMC_FolderRedirection_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+
+If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
+
+If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in.
+
+If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted.
+
+When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear.
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>.
For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Folder Redirection*
+- GP name: *Restrict_Run*
+- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Resultant Set of Policy snap-in extensions*
+- GP ADMX file name: *MMCSnapins.admx*
+
+
+
+
+
      + + +**ADMX_MMCSnapins/MMC_FrontPageExt** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+
+If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
+
+If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in.
+
+If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted.
+
+When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear.
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>.
For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *FrontPage Server Extensions*
+- GP name: *Restrict_Run*
+- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
+- GP ADMX file name: *MMCSnapins.admx*
+
+
+
+
+
      + + +**ADMX_MMCSnapins/MMC_GroupPolicyManagementSnapIn** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+
+If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
+
+If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in.
+
+If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted.
+
+When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear.
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Group Policy Management*
+- GP name: *Restrict_Run*
+- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy*
+- GP ADMX file name: *MMCSnapins.admx*
+
+
+
+
+
      + + +**ADMX_MMCSnapins/MMC_GroupPolicySnapIn** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+
+If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
+
+If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in.
+
+If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted.
+
+When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear.
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Group Policy Object Editor*
+- GP name: *Restrict_Run*
+- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy*
+- GP ADMX file name: *MMCSnapins.admx*
+
+
+
+
+
      + + +**ADMX_MMCSnapins/MMC_GroupPolicyTab** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits use of the Group Policy tab in property sheets for the Active Directory Users and Computers and Active Directory Sites and Services snap-ins.
+
+If you enable this setting, the Group Policy tab is displayed in the property sheet for a site, domain, or organizational unit displayed by the Active Directory Users and Computers and Active Directory Sites and Services snap-ins. If you disable the setting, the Group Policy tab is not displayed in those snap-ins.
+
+If this setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this tab is displayed.
+
+- If "Restrict users to the explicitly permitted list of snap-ins" is enabled, users will not have access to the Group Policy tab.
+
+To explicitly permit use of the Group Policy tab, enable this setting. If this setting is not configured (or disabled), the Group Policy tab is inaccessible.
+
+- If "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users will have access to the Group Policy tab.
+
+To explicitly prohibit use of the Group Policy tab, disable this setting. If this setting is not configured (or enabled), the Group Policy tab is accessible.
+
+When the Group Policy tab is inaccessible, it does not appear in the site, domain, or organizational unit property sheets.
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Group Policy tab for Active Directory Tools*
+- GP name: *Restrict_Run*
+- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy*
+- GP ADMX file name: *MMCSnapins.admx*
+
+
+
+
+
      + + +**ADMX_MMCSnapins/MMC_HRA** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+
+If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
+
+If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in.
+
+If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted.
+
+When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear.
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Health Registration Authority (HRA)*
+- GP name: *Restrict_Run*
+- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
+- GP ADMX file name: *MMCSnapins.admx*
+
+
+
+
+
      + + +**ADMX_MMCSnapins/MMC_IAS** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+
+If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
+
+If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in.
+
+If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted.
+
+When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear.
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Internet Authentication Service (IAS)*
+- GP name: *Restrict_Run*
+- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
+- GP ADMX file name: *MMCSnapins.admx*
+
+
+
+
+
      + + +**ADMX_MMCSnapins/MMC_IASLogging** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+
+If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
+
+If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in.
+
+If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted.
+
+When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear.
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *IAS Logging*
+- GP name: *Restrict_Run*
+- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins*
+- GP ADMX file name: *MMCSnapins.admx*
+
+
+
+
+
      + + +**ADMX_MMCSnapins/MMC_IEMaintenance_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+
+If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
+
+If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in.
+
+If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted.
+
+When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear.
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Internet Explorer Maintenance*
+- GP name: *Restrict_Run*
+- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy snap-in extensions*
+- GP ADMX file name: *MMCSnapins.admx*
+
+
+
+
+
      + + +**ADMX_MMCSnapins/MMC_IEMaintenance_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+
+If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
+
+If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in.
+
+If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted.
+
+When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear.
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Internet Explorer Maintenance*
+- GP name: *Restrict_Run*
+- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Resultant Set of Policy snap-in extensions*
+- GP ADMX file name: *MMCSnapins.admx*
+
+
+
+
+
      + + +**ADMX_MMCSnapins/MMC_IGMPRouting** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+
+If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
+
+If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in.
+
+If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted.
+
+When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear.
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *IGMP Routing*
+- GP name: *Restrict_Run*
+- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins*
+- GP ADMX file name: *MMCSnapins.admx*
+
+
+
+
+
      + + +**ADMX_MMCSnapins/MMC_IIS** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+
+If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
+
+If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in.
+
+If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted.
+
+When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear.
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Internet Information Services*
+- GP name: *Restrict_Run*
+- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
+- GP ADMX file name: *MMCSnapins.admx*
+
+
+
+
+
      + + +**ADMX_MMCSnapins/MMC_IPRouting** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+
+If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
+
+If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in.
+
+If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted.
+
+When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear.
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *IP Routing*
+- GP name: *Restrict_Run*
+- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins*
+- GP ADMX file name: *MMCSnapins.admx*
+
+
+
+
+
      + + +**ADMX_MMCSnapins/MMC_IPSecManage_GP** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
      + + + +Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. + +If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. + +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. + +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. + +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. + +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. + +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. 
For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *IP Security Policy Management* +- GP name: *Restrict_Run* +- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy snap-in extensions* +- GP ADMX file name: *MMCSnapins.admx* + + + + +
      + + +**ADMX_MMCSnapins/MMC_IPXRIPRouting** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
      + + + +Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. + +If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. + +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. + +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. + +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. + +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. + +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. 
For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *IPX RIP Routing* +- GP name: *Restrict_Run* +- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins* +- GP ADMX file name: *MMCSnapins.admx* + + + + +
      + + +**ADMX_MMCSnapins/MMC_IPXRouting** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
      + + + +Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. + +If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. + +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. + +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. + +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. + +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. + +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. 
For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *IPX Routing* +- GP name: *Restrict_Run* +- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins* +- GP ADMX file name: *MMCSnapins.admx* + + + + +
      + + +**ADMX_MMCSnapins/MMC_IPXSAPRouting** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
      + + + +Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. + +If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. + +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. + +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. + +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. + +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. + +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. 
For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *IPX SAP Routing* +- GP name: *Restrict_Run* +- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins* +- GP ADMX file name: *MMCSnapins.admx* + + + + +
      + + +**ADMX_MMCSnapins/MMC_IndexingService** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
      + + + +Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. + +If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. + +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. + +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. + +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. + +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. + +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. 
For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Indexing Service* +- GP name: *Restrict_Run* +- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* +- GP ADMX file name: *MMCSnapins.admx* + + + + +
      + + +**ADMX_MMCSnapins/MMC_IpSecManage** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
      + + + +Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. + +If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. + +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. + +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. + +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. + +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. + +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. 
For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *IP Security Policy Management* +- GP name: *Restrict_Run* +- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* +- GP ADMX file name: *MMCSnapins.admx* + + + + +
      + + +**ADMX_MMCSnapins/MMC_IpSecMonitor** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
      + + + +Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. + +If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. + +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. + +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. + +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. + +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. + +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. 
For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *IP Security Monitor* +- GP name: *Restrict_Run* +- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* +- GP ADMX file name: *MMCSnapins.admx* + + + + +
      + + +**ADMX_MMCSnapins/MMC_LocalUsersGroups** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
      + + + +Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. + +If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. + +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. + +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. + +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. + +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. + +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. 
For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Local Users and Groups* +- GP name: *Restrict_Run* +- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* +- GP ADMX file name: *MMCSnapins.admx* + + + + +
      + + +**ADMX_MMCSnapins/MMC_LogicalMappedDrives** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
      + + + +Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. + +If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. + +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. + +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. + +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. + +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. + +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. 
For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Logical and Mapped Drives* +- GP name: *Restrict_Run* +- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins* +- GP ADMX file name: *MMCSnapins.admx* + + + + +
      + + +**ADMX_MMCSnapins/MMC_NPSUI** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
      + + + +Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. + +If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. + +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. + +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. + +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. + +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. + +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. 
For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Network Policy Server (NPS)* +- GP name: *Restrict_Run* +- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* +- GP ADMX file name: *MMCSnapins.admx* + + + + +
      + + +**ADMX_MMCSnapins/MMC_NapSnap** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+
+If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
+
+If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in.
+
+If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted.
+
+When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear.
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>.
For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *NAP Client Configuration*
+- GP name: *Restrict_Run*
+- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
+- GP ADMX file name: *MMCSnapins.admx*
+
+
+
+
+
      + + +**ADMX_MMCSnapins/MMC_NapSnap_GP** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+
+If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
+
+If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in.
+
+If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted.
+
+When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear.
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>.
For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *NAP Client Configuration*
+- GP name: *Restrict_Run*
+- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy snap-in extensions*
+- GP ADMX file name: *MMCSnapins.admx*
+
+
+
+
+
      + + +**ADMX_MMCSnapins/MMC_Net_Framework** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+
+If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
+
+If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in.
+
+If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted.
+
+When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear.
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>.
For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *.Net Framework Configuration*
+- GP name: *Restrict_Run*
+- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
+- GP ADMX file name: *MMCSnapins.admx*
+
+
+
+
+
      + + +**ADMX_MMCSnapins/MMC_OCSP** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+
+If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
+
+If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in.
+
+If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted.
+
+When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear.
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>.
For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Online Responder*
+- GP name: *Restrict_Run*
+- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
+- GP ADMX file name: *MMCSnapins.admx*
+
+
+
+
+
      + + +**ADMX_MMCSnapins/MMC_OSPFRouting** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+
+If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
+
+If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in.
+
+If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted.
+
+When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear.
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>.
For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *OSPF Routing*
+- GP name: *Restrict_Run*
+- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins*
+- GP ADMX file name: *MMCSnapins.admx*
+
+
+
+
+
      + + +**ADMX_MMCSnapins/MMC_PerfLogsAlerts** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+
+If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
+
+If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in.
+
+If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted.
+
+When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear.
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>.
For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Performance Logs and Alerts*
+- GP name: *Restrict_Run*
+- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
+- GP ADMX file name: *MMCSnapins.admx*
+
+
+
+
+
      + + +**ADMX_MMCSnapins/MMC_PublicKey** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+
+If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
+
+If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in.
+
+If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted.
+
+When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear.
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>.
For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Public Key Policies*
+- GP name: *Restrict_Run*
+- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins*
+- GP ADMX file name: *MMCSnapins.admx*
+
+
+
+
+
      + + +**ADMX_MMCSnapins/MMC_QoSAdmission** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+
+If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
+
+If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in.
+
+If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted.
+
+When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear.
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>.
For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *QoS Admission Control*
+- GP name: *Restrict_Run*
+- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
+- GP ADMX file name: *MMCSnapins.admx*
+
+
+
+
+
      + + +**ADMX_MMCSnapins/MMC_RAS_DialinUser** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+
+If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
+
+If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in.
+
+If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted.
+
+When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear.
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>.
For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *RAS Dialin - User Node*
+- GP name: *Restrict_Run*
+- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins*
+- GP ADMX file name: *MMCSnapins.admx*
+
+
+
+
+
      + + +**ADMX_MMCSnapins/MMC_RIPRouting** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+
+If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
+
+If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in.
+
+If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted.
+
+When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear.
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>.
For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *RIP Routing*
+- GP name: *Restrict_Run*
+- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins*
+- GP ADMX file name: *MMCSnapins.admx*
+
+
+
+
+
      + + +**ADMX_MMCSnapins/MMC_RIS** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+
+If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
+
+If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in.
+
+If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted.
+
+When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear.
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>.
For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Remote Installation Services*
+- GP name: *Restrict_Run*
+- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy snap-in extensions*
+- GP ADMX file name: *MMCSnapins.admx*
+
+
+
+
+
      + + +**ADMX_MMCSnapins/MMC_RRA** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+
+If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
+
+If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in.
+
+If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted.
+
+When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear.
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>.
For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Routing and Remote Access*
+- GP name: *Restrict_Run*
+- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
+- GP ADMX file name: *MMCSnapins.admx*
+
+
+
+
+
      + + +**ADMX_MMCSnapins/MMC_RSM** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
      + + + +Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. + +If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. + +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. + +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. + +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. + +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. + +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. 
For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Removable Storage Management* +- GP name: *Restrict_Run* +- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* +- GP ADMX file name: *MMCSnapins.admx* + + + + +
      + + +**ADMX_MMCSnapins/MMC_RemStore** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
      + + + +Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. + +If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. + +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. + +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. + +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. + +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. + +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. 
For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Removable Storage* +- GP name: *Restrict_Run* +- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins* +- GP ADMX file name: *MMCSnapins.admx* + + + + +
      + + +**ADMX_MMCSnapins/MMC_RemoteAccess** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
      + + + +Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. + +If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. + +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. + +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. + +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. + +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. + +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. 
For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remote Access* +- GP name: *Restrict_Run* +- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins* +- GP ADMX file name: *MMCSnapins.admx* + + + + +
      + + +**ADMX_MMCSnapins/MMC_RemoteDesktop** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
      + + + +Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. + +If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. + +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. + +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. + +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. + +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. + +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. 
For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remote Desktops* +- GP name: *Restrict_Run* +- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* +- GP ADMX file name: *MMCSnapins.admx* + + + + +
      + + +**ADMX_MMCSnapins/MMC_ResultantSetOfPolicySnapIn** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
      + + + +Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. + +If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. + +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. + +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. + +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. + +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. + +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. 
For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Resultant Set of Policy snap-in* +- GP name: *Restrict_Run* +- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy* +- GP ADMX file name: *MMCSnapins.admx* + + + + +
      + + +**ADMX_MMCSnapins/MMC_Routing** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
      + + + +Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. + +If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. + +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. + +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. + +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. + +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. + +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. 
For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Routing* +- GP name: *Restrict_Run* +- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins* +- GP ADMX file name: *MMCSnapins.admx* + + + + +
      + + +**ADMX_MMCSnapins/MMC_SCA** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
      + + + +Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. + +If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. + +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. + +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. + +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. + +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. + +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. 
For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Security Configuration and Analysis* +- GP name: *Restrict_Run* +- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* +- GP ADMX file name: *MMCSnapins.admx* + + + + +
      + + +**ADMX_MMCSnapins/MMC_SMTPProtocol** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
      + + + +Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. + +If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. + +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. + +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. + +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. + +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. + +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. 
For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *SMTP Protocol* +- GP name: *Restrict_Run* +- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins* +- GP ADMX file name: *MMCSnapins.admx* + + + + +
      + + +**ADMX_MMCSnapins/MMC_SNMP** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
      + + + +Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. + +If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. + +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. + +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. + +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. + +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. + +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. 
For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *SNMP* +- GP name: *Restrict_Run* +- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins* +- GP ADMX file name: *MMCSnapins.admx* + + + + +
      + + +**ADMX_MMCSnapins/MMC_ScriptsMachine_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
      + + + +Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. + +If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. + +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. + +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. + +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. + +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. + +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. 
For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Scripts (Startup/Shutdown)* +- GP name: *Restrict_Run* +- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy snap-in extensions* +- GP ADMX file name: *MMCSnapins.admx* + + + + +
      + + +**ADMX_MMCSnapins/MMC_ScriptsMachine_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+
+If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
+
+If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in.
+
+If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted.
+
+When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear.
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>.
For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Scripts (Startup/Shutdown)*
+- GP name: *Restrict_Run*
+- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Resultant Set of Policy snap-in extensions*
+- GP ADMX file name: *MMCSnapins.admx*
+
+
+
+
+
      + + +**ADMX_MMCSnapins/MMC_ScriptsUser_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+
+If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
+
+If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in.
+
+If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted.
+
+When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear.
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>.
For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Scripts (Logon/Logoff)*
+- GP name: *Restrict_Run*
+- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy snap-in extensions*
+- GP ADMX file name: *MMCSnapins.admx*
+
+
+
+
+
      + + +**ADMX_MMCSnapins/MMC_ScriptsUser_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+
+If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
+
+If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in.
+
+If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted.
+
+When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear.
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>.
For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Scripts (Logon/Logoff)*
+- GP name: *Restrict_Run*
+- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Resultant Set of Policy snap-in extensions*
+- GP ADMX file name: *MMCSnapins.admx*
+
+
+
+
+
      + + +**ADMX_MMCSnapins/MMC_SecuritySettings_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+
+If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
+
+If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in.
+
+If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted.
+
+When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear.
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>.
For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Security Settings*
+- GP name: *Restrict_Run*
+- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy snap-in extensions*
+- GP ADMX file name: *MMCSnapins.admx*
+
+
+
+
+
      + + +**ADMX_MMCSnapins/MMC_SecuritySettings_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+
+If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
+
+If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in.
+
+If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted.
+
+When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear.
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>.
For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Security Settings*
+- GP name: *Restrict_Run*
+- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Resultant Set of Policy snap-in extensions*
+- GP ADMX file name: *MMCSnapins.admx*
+
+
+
+
+
      + + +**ADMX_MMCSnapins/MMC_SecurityTemplates** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+
+If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
+
+If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in.
+
+If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted.
+
+When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear.
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>.
For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Security Templates*
+- GP name: *Restrict_Run*
+- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
+- GP ADMX file name: *MMCSnapins.admx*
+
+
+
+
+
      + + +**ADMX_MMCSnapins/MMC_SendConsoleMessage** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+
+If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
+
+If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in.
+
+If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted.
+
+When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear.
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>.
For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Send Console Message*
+- GP name: *Restrict_Run*
+- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins*
+- GP ADMX file name: *MMCSnapins.admx*
+
+
+
+
+
      + + +**ADMX_MMCSnapins/MMC_ServerManager** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+
+If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
+
+If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in.
+
+If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted.
+
+When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear.
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>.
For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Server Manager*
+- GP name: *Restrict_Run*
+- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
+- GP ADMX file name: *MMCSnapins.admx*
+
+
+
+
+
      + + +**ADMX_MMCSnapins/MMC_ServiceDependencies** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+
+If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
+
+If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in.
+
+If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted.
+
+When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear.
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>.
For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Service Dependencies*
+- GP name: *Restrict_Run*
+- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins*
+- GP ADMX file name: *MMCSnapins.admx*
+
+
+
+
+
      + + +**ADMX_MMCSnapins/MMC_Services** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+
+If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
+
+If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in.
+
+If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted.
+
+When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear.
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>.
For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Services*
+- GP name: *Restrict_Run*
+- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
+- GP ADMX file name: *MMCSnapins.admx*
+
+
+
+
+
      + + +**ADMX_MMCSnapins/MMC_SharedFolders** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+
+If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
+
+If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in.
+
+If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted.
+
+When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear.
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>.
For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Shared Folders*
+- GP name: *Restrict_Run*
+- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
+- GP ADMX file name: *MMCSnapins.admx*
+
+
+
+
+
      + + +**ADMX_MMCSnapins/MMC_SharedFolders_Ext** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+
+If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
+
+If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in.
+
+If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted.
+
+When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear.
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>.
For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Shared Folders Ext*
+- GP name: *Restrict_Run*
+- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins*
+- GP ADMX file name: *MMCSnapins.admx*
+
+
+
+
+
      + + +**ADMX_MMCSnapins/MMC_SoftwareInstalationComputers_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+
+If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
+
+If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in.
+
+If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted.
+
+When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear.
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. 
For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Software Installation (Computers)*
+- GP name: *Restrict_Run*
+- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy snap-in extensions*
+- GP ADMX file name: *MMCSnapins.admx*
+
+
+
+
+
      + + +**ADMX_MMCSnapins/MMC_SoftwareInstalationComputers_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+
+If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
+
+If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in.
+
+If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted.
+
+When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear.
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. 
For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Software Installation (Computers)*
+- GP name: *Restrict_Run*
+- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Resultant Set of Policy snap-in extensions*
+- GP ADMX file name: *MMCSnapins.admx*
+
+
+
+
+
      + + +**ADMX_MMCSnapins/MMC_SoftwareInstallationUsers_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+
+If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
+
+If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in.
+
+If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted.
+
+When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear.
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. 
For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Software Installation (Users)*
+- GP name: *Restrict_Run*
+- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy snap-in extensions*
+- GP ADMX file name: *MMCSnapins.admx*
+
+
+
+
+
      + + +**ADMX_MMCSnapins/MMC_SoftwareInstallationUsers_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+
+If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
+
+If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in.
+
+If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted.
+
+When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear.
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. 
For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Software Installation (Users)*
+- GP name: *Restrict_Run*
+- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Resultant Set of Policy snap-in extensions*
+- GP ADMX file name: *MMCSnapins.admx*
+
+
+
+
+
      + + +**ADMX_MMCSnapins/MMC_SysInfo** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+
+If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
+
+If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in.
+
+If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted.
+
+When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear.
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. 
For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *System Information*
+- GP name: *Restrict_Run*
+- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
+- GP ADMX file name: *MMCSnapins.admx*
+
+
+
+
+
      + + +**ADMX_MMCSnapins/MMC_SysProp** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+
+If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
+
+If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in.
+
+If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted.
+
+When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear.
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. 
For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *System Properties*
+- GP name: *Restrict_Run*
+- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins*
+- GP ADMX file name: *MMCSnapins.admx*
+
+
+
+
+
      + + +**ADMX_MMCSnapins/MMC_TPMManagement** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+
+If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
+
+If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in.
+
+If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted.
+
+When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear.
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. 
For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *TPM Management*
+- GP name: *Restrict_Run*
+- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
+- GP ADMX file name: *MMCSnapins.admx*
+
+
+
+
+
      + + +**ADMX_MMCSnapins/MMC_Telephony** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+
+If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
+
+If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in.
+
+If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted.
+
+When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear.
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. 
For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Telephony*
+- GP name: *Restrict_Run*
+- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
+- GP ADMX file name: *MMCSnapins.admx*
+
+
+
+
+
      + + +**ADMX_MMCSnapins/MMC_TerminalServices** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+
+If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
+
+If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in.
+
+If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted.
+
+When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear.
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. 
For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Remote Desktop Services Configuration*
+- GP name: *Restrict_Run*
+- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
+- GP ADMX file name: *MMCSnapins.admx*
+
+
+
+
+
      + + +**ADMX_MMCSnapins/MMC_WMI** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+
+If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
+
+If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in.
+
+If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted.
+
+When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear.
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. 
For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *WMI Control*
+- GP name: *Restrict_Run*
+- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
+- GP ADMX file name: *MMCSnapins.admx*
+
+
+
+
+
      + + +**ADMX_MMCSnapins/MMC_WindowsFirewall** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+
+If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
+
+If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in.
+
+If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited.
+
+- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted.
+
+When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear.
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. 
For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Windows Firewall with Advanced Security*
+- GP name: *Restrict_Run*
+- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
+- GP ADMX file name: *MMCSnapins.admx*
+
+
+
+
+
      + + +**ADMX_MMCSnapins/MMC_WindowsFirewall_GP** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
      + + + +Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. + +If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. + +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. + +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. + +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. + +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. + +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. 
For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Windows Firewall with Advanced Security* +- GP name: *Restrict_Run* +- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy snap-in extensions* +- GP ADMX file name: *MMCSnapins.admx* + + + + +
      + + +**ADMX_MMCSnapins/MMC_WiredNetworkPolicy** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
      + + + +Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. + +If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. + +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. + +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. + +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. + +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. + +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. 
For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Wired Network (IEEE 802.3) Policies* +- GP name: *Restrict_Run* +- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy snap-in extensions* +- GP ADMX file name: *MMCSnapins.admx* + + + + +
      + + +**ADMX_MMCSnapins/MMC_WirelessMon** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
      + + + +Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. + +If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. + +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. + +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. + +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. + +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. + +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. 
For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Wireless Monitor* +- GP name: *Restrict_Run* +- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* +- GP ADMX file name: *MMCSnapins.admx* + + + + +
      + + +**ADMX_MMCSnapins/MMC_WirelessNetworkPolicy** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procross mark
      Businesscross mark
      Enterprisecheck mark
      Educationcross mark
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
      + + + +Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in. + +If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. + +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. + +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. + +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. + +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. + +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. 
For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Wireless Network (IEEE 802.11) Policies* +- GP name: *Restrict_Run* +- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy snap-in extensions* +- GP ADMX file name: *MMCSnapins.admx* + + + + +Footnotes: + +- 1 - Available in Windows 10, version 1607. +- 2 - Available in Windows 10, version 1703. +- 3 - Available in Windows 10, version 1709. +- 4 - Available in Windows 10, version 1803. +- 5 - Available in Windows 10, version 1809. +- 6 - Available in Windows 10, version 1903. +- 7 - Available in Windows 10, version 1909. +- 8 - Available in Windows 10, version 2004. + + + diff --git a/windows/client-management/mdm/policy-csp-applicationdefaults.md b/windows/client-management/mdm/policy-csp-applicationdefaults.md index ccc641c6a3..eb4a7086d1 100644 --- a/windows/client-management/mdm/policy-csp-applicationdefaults.md +++ b/windows/client-management/mdm/policy-csp-applicationdefaults.md @@ -1,6 +1,6 @@ --- title: Policy CSP - ApplicationDefaults -description: Policy CSP - ApplicationDefaults +description: Learn about various Policy configuration service provider (CSP) - ApplicationDefaults, including SyncML, for Windows 10. ms.author: dansimp ms.topic: article ms.prod: w10 diff --git a/windows/client-management/mdm/policy-csp-applicationmanagement.md b/windows/client-management/mdm/policy-csp-applicationmanagement.md index 6b55aa34e3..1f128f9b64 100644 --- a/windows/client-management/mdm/policy-csp-applicationmanagement.md 
+++ b/windows/client-management/mdm/policy-csp-applicationmanagement.md
@@ -1,6 +1,6 @@
 ---
 title: Policy CSP - ApplicationManagement
-description: Policy CSP - ApplicationManagement
+description: Learn about various Policy configuration service provider (CSP) - ApplicationManagement, including SyncML, for Windows 10.
 ms.author: dansimp
 ms.topic: article
 ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-appruntime.md b/windows/client-management/mdm/policy-csp-appruntime.md
index 6e15e10e88..2a224f8bfe 100644
--- a/windows/client-management/mdm/policy-csp-appruntime.md
+++ b/windows/client-management/mdm/policy-csp-appruntime.md
@@ -1,6 +1,6 @@
 ---
 title: Policy CSP - AppRuntime
-description: Control whether Microsoft accounts are optional for Windows Store apps that require an account to sign in.Policy CSP - AppRuntime.
+description: Learn how the Policy CSP - AppRuntime setting controls whether Microsoft accounts are optional for Windows Store apps that require an account to sign in.
 ms.author: dansimp
 ms.topic: article
 ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-appvirtualization.md b/windows/client-management/mdm/policy-csp-appvirtualization.md
index 29788ea127..63cdb4036d 100644
--- a/windows/client-management/mdm/policy-csp-appvirtualization.md
+++ b/windows/client-management/mdm/policy-csp-appvirtualization.md
@@ -1,6 +1,6 @@
 ---
 title: Policy CSP - AppVirtualization
-description: Policy CSP - AppVirtualization
+description: Learn how the Policy CSP - AppVirtualization setting allows you to enable or disable Microsoft Application Virtualization (App-V) feature.
 ms.author: dansimp
 ms.topic: article
 ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-attachmentmanager.md b/windows/client-management/mdm/policy-csp-attachmentmanager.md
index cb2130e778..e808f11e13 100644
--- a/windows/client-management/mdm/policy-csp-attachmentmanager.md
+++ b/windows/client-management/mdm/policy-csp-attachmentmanager.md
@@ -1,6 +1,6 @@
 ---
 title: Policy CSP - AttachmentManager
-description: Manage Windows marks file attachments with information about their zone of origin (such as restricted, Internet, intranet, local).
+description: Manage Windows marks file attachments with information about their zone of origin, such as restricted, internet, intranet, local.
 ms.author: dansimp
 ms.topic: article
 ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-audit.md b/windows/client-management/mdm/policy-csp-audit.md
index ffd4519182..7d0997f275 100644
--- a/windows/client-management/mdm/policy-csp-audit.md
+++ b/windows/client-management/mdm/policy-csp-audit.md
@@ -1,6 +1,6 @@
 ---
 title: Policy CSP - Audit
-description: Policy CSP - Audit
+description: Learn how the Policy CSP - Audit setting causes an audit event to be generated when an account can't log on to a computer because the account is locked out.
 ms.author: dansimp
 ms.topic: article
 ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-authentication.md b/windows/client-management/mdm/policy-csp-authentication.md
index 96f9787790..51f56ffbbb 100644
--- a/windows/client-management/mdm/policy-csp-authentication.md
+++ b/windows/client-management/mdm/policy-csp-authentication.md
@@ -1,6 +1,6 @@
 ---
 title: Policy CSP - Authentication
-description: Policy CSP - Authentication
+description: The Policy CSP - Authentication setting allows the Azure AD tenant administrators to enable self service password reset feature on the Windows sign in screen.
 ms.author: dansimp
 ms.topic: article
 ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-autoplay.md b/windows/client-management/mdm/policy-csp-autoplay.md
index 36a05de8df..15b769497e 100644
--- a/windows/client-management/mdm/policy-csp-autoplay.md
+++ b/windows/client-management/mdm/policy-csp-autoplay.md
@@ -1,6 +1,6 @@
 ---
 title: Policy CSP - Autoplay
-description: Policy CSP - Autoplay
+description: Learn how the Policy CSP - Autoplay setting disallows AutoPlay for MTP devices like cameras or phones.
 ms.author: dansimp
 ms.topic: article
 ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-bluetooth.md b/windows/client-management/mdm/policy-csp-bluetooth.md
index 28123a7dc0..6426fba5e8 100644
--- a/windows/client-management/mdm/policy-csp-bluetooth.md
+++ b/windows/client-management/mdm/policy-csp-bluetooth.md
@@ -1,6 +1,6 @@
 ---
 title: Policy CSP - Bluetooth
-description: Policy CSP - Bluetooth
+description: Learn how the Policy CSP - Bluetooth setting specifies whether the device can send out Bluetooth advertisements.
 ms.author: dansimp
 ms.topic: article
 ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-browser.md b/windows/client-management/mdm/policy-csp-browser.md
index 206e99f3db..d2c9190e0b 100644
--- a/windows/client-management/mdm/policy-csp-browser.md
+++ b/windows/client-management/mdm/policy-csp-browser.md
@@ -1,6 +1,6 @@
 ---
 title: Policy CSP - Browser
-description: Learn how to set the Policy CSP - Browser settings for Microsoft Edge, version 45 and earlier.
+description: Learn how to use the Policy CSP - Browser settings so you can configure Microsoft Edge browser, version 45 and earlier.
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
diff --git a/windows/client-management/mdm/policy-csp-camera.md b/windows/client-management/mdm/policy-csp-camera.md
index 0def6900f0..93e5c5d6cf 100644
--- a/windows/client-management/mdm/policy-csp-camera.md
+++ b/windows/client-management/mdm/policy-csp-camera.md
@@ -1,6 +1,6 @@
 ---
 title: Policy CSP - Camera
-description: Policy CSP - Camera
+description: Learn how to use the Policy CSP - Camera setting so that you can configure it to disable or enable the camera.
 ms.author: dansimp
 ms.topic: article
 ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-cellular.md b/windows/client-management/mdm/policy-csp-cellular.md
index 3d156b1c89..ccd0ab26c1 100644
--- a/windows/client-management/mdm/policy-csp-cellular.md
+++ b/windows/client-management/mdm/policy-csp-cellular.md
@@ -1,6 +1,6 @@
 ---
 title: Policy CSP - Cellular
-description: Policy CSP - Cellular
+description: Learn how to use the Policy CSP - Cellular setting so you can specify whether Windows apps can access cellular data.
 ms.author: dansimp
 ms.topic: article
 ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-connectivity.md b/windows/client-management/mdm/policy-csp-connectivity.md
index ee83ad3d00..503ee130bc 100644
--- a/windows/client-management/mdm/policy-csp-connectivity.md
+++ b/windows/client-management/mdm/policy-csp-connectivity.md
@@ -1,6 +1,6 @@
 ---
 title: Policy CSP - Connectivity
-description: Policy CSP - Connectivity
+description: Learn how to use the Policy CSP - Connectivity setting to allow the user to enable Bluetooth or restrict access.
 ms.author: dansimp
 ms.topic: article
 ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md
index a822c7a831..9a867b0778 100644
--- a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md
+++ b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md
@@ -1,6 +1,6 @@
 ---
 title: Policy CSP - ControlPolicyConflict
-description: Policy CSP - ControlPolicyConflict
+description: Use the Policy CSP - ControlPolicyConflict setting to control which policy is used whenever both the MDM policy and its equivalent Group Policy are set on the device.
 ms.author: dansimp
 ms.topic: article
 ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-credentialproviders.md b/windows/client-management/mdm/policy-csp-credentialproviders.md
index 425fcf361a..89e4817ce7 100644
--- a/windows/client-management/mdm/policy-csp-credentialproviders.md
+++ b/windows/client-management/mdm/policy-csp-credentialproviders.md
@@ -1,6 +1,6 @@
 ---
 title: Policy CSP - CredentialProviders
-description: Learn the policy CSP for credential provider set up, sign in, PIN requests and so on.
+description: Learn how to use the policy CSP for credential provider so you can control whether a domain user can sign in using a convenience PIN.
 ms.author: dansimp
 ms.topic: article
 ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-credentialsdelegation.md b/windows/client-management/mdm/policy-csp-credentialsdelegation.md
index c8416c3bb9..71447f45ab 100644
--- a/windows/client-management/mdm/policy-csp-credentialsdelegation.md
+++ b/windows/client-management/mdm/policy-csp-credentialsdelegation.md
@@ -1,6 +1,6 @@
 ---
 title: Policy CSP - CredentialsDelegation
-description: Policy CSP - CredentialsDelegation
+description: Learn how to use the Policy CSP - CredentialsDelegation setting so that remote host can allow delegation of non-exportable credentials.
 ms.author: dansimp
 ms.topic: article
 ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-credentialsui.md b/windows/client-management/mdm/policy-csp-credentialsui.md
index 349800035d..5ccf34a12e 100644
--- a/windows/client-management/mdm/policy-csp-credentialsui.md
+++ b/windows/client-management/mdm/policy-csp-credentialsui.md
@@ -1,6 +1,6 @@
 ---
 title: Policy CSP - CredentialsUI
-description: Policy CSP - CredentialsUI
+description: Learn how to use the Policy CSP - CredentialsUI setting to configure the display of the password reveal button in password entry user experiences.
 ms.author: dansimp
 ms.topic: article
 ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-cryptography.md b/windows/client-management/mdm/policy-csp-cryptography.md
index 55ceb74581..b141d4387b 100644
--- a/windows/client-management/mdm/policy-csp-cryptography.md
+++ b/windows/client-management/mdm/policy-csp-cryptography.md
@@ -1,6 +1,6 @@
 ---
 title: Policy CSP - Cryptography
-description: Policy CSP - Cryptography
+description: Learn how to use the Policy CSP - Cryptography setting to allow or disallow the Federal Information Processing Standard (FIPS) policy.
 ms.author: dansimp
 ms.topic: article
 ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-dataprotection.md b/windows/client-management/mdm/policy-csp-dataprotection.md
index 4c71a876a5..9da8c6ce2c 100644
--- a/windows/client-management/mdm/policy-csp-dataprotection.md
+++ b/windows/client-management/mdm/policy-csp-dataprotection.md
@@ -1,6 +1,6 @@
 ---
 title: Policy CSP - DataProtection
-description: Policy CSP - DataProtection
+description: Use the Policy CSP - DataProtection setting to block direct memory access (DMA) for all hot pluggable PCI downstream ports until a user logs into Windows.
 ms.author: dansimp
 ms.topic: article
 ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-datausage.md b/windows/client-management/mdm/policy-csp-datausage.md
index 28f919ead9..cb540b3415 100644
--- a/windows/client-management/mdm/policy-csp-datausage.md
+++ b/windows/client-management/mdm/policy-csp-datausage.md
@@ -1,6 +1,6 @@
 ---
 title: Policy CSP - DataUsage
-description: Policy CSP - DataUsage
+description: Learn how to use the Policy CSP - DataUsage setting to configure the cost of 4G connections on the local machine.
 ms.author: dansimp
 ms.topic: article
 ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-defender.md b/windows/client-management/mdm/policy-csp-defender.md
index c2fb83fe51..dcea40a888 100644
--- a/windows/client-management/mdm/policy-csp-defender.md
+++ b/windows/client-management/mdm/policy-csp-defender.md
@@ -1,6 +1,6 @@ --- title: Policy CSP - Defender -description: Policy CSP - Defender +description: Learn how to use the Policy CSP - Defender setting so you can allow or disallow scanning of archives. ms.author: dansimp ms.topic: article ms.prod: w10 @@ -2313,6 +2313,9 @@ ADMX Info: Added in Windows 10, version 1607. Specifies the level of detection for potentially unwanted applications (PUAs). Windows Defender alerts you when potentially unwanted software is being downloaded or attempts to install itself on your computer. +> [!NOTE] +> Potentially unwanted applications (PUA) are a category of software that can cause your machine to run slowly, display unexpected ads, or at worst, install other software which might be unexpected or unwanted. By default in Windows 10 (version 2004 and later), Microsoft Defender Antivirus blocks apps that are considered PUA, for Enterprise (E5) devices. For more information about PUA, see [Detect and block potentially unwanted applications](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus). + The following list shows the supported values: diff --git a/windows/client-management/mdm/policy-csp-deliveryoptimization.md b/windows/client-management/mdm/policy-csp-deliveryoptimization.md index bdf3985bb6..4061074c76 100644 --- a/windows/client-management/mdm/policy-csp-deliveryoptimization.md +++ b/windows/client-management/mdm/policy-csp-deliveryoptimization.md @@ -1,6 +1,6 @@ --- title: Policy CSP - DeliveryOptimization -description: Policy CSP - DeliveryOptimization +description: Learn how to use the Policy CSP - DeliveryOptimization setting to configure one or more Microsoft Connected Cache servers to be used by Delivery Optimization. ms.author: dansimp ms.topic: article ms.prod: w10 
diff --git a/windows/client-management/mdm/policy-csp-desktop.md b/windows/client-management/mdm/policy-csp-desktop.md
index 0ade992a1d..dfbed26745 100644
--- a/windows/client-management/mdm/policy-csp-desktop.md
+++ b/windows/client-management/mdm/policy-csp-desktop.md
@@ -1,6 +1,6 @@
 ---
 title: Policy CSP - Desktop
-description: Policy CSP - Desktop
+description: Learn how to use the Policy CSP - Desktop setting to prevent users from changing the path to their profile folders.
 ms.author: dansimp
 ms.topic: article
 ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-deviceguard.md b/windows/client-management/mdm/policy-csp-deviceguard.md
index 163655f59f..2eae3ea3be 100644
--- a/windows/client-management/mdm/policy-csp-deviceguard.md
+++ b/windows/client-management/mdm/policy-csp-deviceguard.md
@@ -1,6 +1,6 @@
 ---
 title: Policy CSP - DeviceGuard
-description: Policy CSP - DeviceGuard
+description: Learn how to use the Policy CSP - DeviceGuard setting to allow the IT admin to configure the launch of System Guard.
 ms.author: dansimp
 ms.topic: article
 ms.prod: w10
@@ -90,7 +90,7 @@ Secure Launch configuration: - 1 - Enables Secure Launch if supported by hardware - 2 - Disables Secure Launch. -For more information about System Guard, see [Introducing Windows Defender System Guard runtime attestation](https://cloudblogs.microsoft.com/microsoftsecure/2018/04/19/introducing-windows-defender-system-guard-runtime-attestation/) and [How hardware-based containers help protect Windows 10](https://docs.microsoft.com/windows/security/hardware-protection/how-hardware-based-containers-help-protect-windows). +For more information about System Guard, see [Introducing Windows Defender System Guard runtime attestation](https://cloudblogs.microsoft.com/microsoftsecure/2018/04/19/introducing-windows-defender-system-guard-runtime-attestation/) and [How a hardware-based root of trust helps protect Windows 10](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows). diff --git a/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md b/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md index 8277ae0425..60d4832fae 100644 --- a/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md +++ b/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md @@ -1,6 +1,6 @@ --- title: Policy CSP - DeviceHealthMonitoring -description: Learn which DeviceHealthMonitoring policies are supported for your edition of Windows. +description: Learn how the Policy CSP - DeviceHealthMonitoring setting is used as an opt-in health monitoring connection between the device and Microsoft. ms.author: dansimp ms.topic: article ms.prod: w10 diff --git a/windows/client-management/mdm/policy-csp-deviceinstallation.md b/windows/client-management/mdm/policy-csp-deviceinstallation.md index 5d67b14d8d..24c7b04cbf 100644 --- a/windows/client-management/mdm/policy-csp-deviceinstallation.md 
+++ b/windows/client-management/mdm/policy-csp-deviceinstallation.md
@@ -2,7 +2,7 @@
 title: Policy CSP - DeviceInstallation
 ms.reviewer:
 manager: dansimp
-description: Policy CSP - DeviceInstallation
+description: Use the Policy CSP - DeviceInstallation setting to specify a list of Plug and Play hardware IDs and compatible IDs for devices that Windows is allowed to install.
 ms.author: dansimp
 ms.date: 09/27/2019
 ms.topic: article
diff --git a/windows/client-management/mdm/policy-csp-devicelock.md b/windows/client-management/mdm/policy-csp-devicelock.md
index f95a796932..f68a71f820 100644
--- a/windows/client-management/mdm/policy-csp-devicelock.md
+++ b/windows/client-management/mdm/policy-csp-devicelock.md
@@ -1,6 +1,6 @@
 ---
 title: Policy CSP - DeviceLock
-description: Policy CSP - DeviceLock
+description: Learn how to use the Policy CSP - DeviceLock setting to specify whether the user must input a PIN or password when the device resumes from an idle state.
 ms.author: dansimp
 ms.topic: article
 ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-display.md b/windows/client-management/mdm/policy-csp-display.md
index 9645a371ac..82dbb630ae 100644
--- a/windows/client-management/mdm/policy-csp-display.md
+++ b/windows/client-management/mdm/policy-csp-display.md
@@ -1,6 +1,6 @@
 ---
 title: Policy CSP - Display
-description: Policy CSP - Display
+description: Learn how to use the Policy CSP - Display setting to disable Per-Process System DPI for a semicolon-separated list of applications.
 ms.author: dansimp
 ms.topic: article
 ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-dmaguard.md b/windows/client-management/mdm/policy-csp-dmaguard.md
index e5511ffaa0..0d8f6b40f8 100644
--- a/windows/client-management/mdm/policy-csp-dmaguard.md
+++ b/windows/client-management/mdm/policy-csp-dmaguard.md
@@ -1,6 +1,6 @@
 ---
 title: Policy CSP - DmaGuard
-description: Policy CSP - DmaGuard
+description: Learn how to use the Policy CSP - DmaGuard setting to provide additional security against external DMA capable devices.
 ms.author: dansimp
 ms.topic: article
 ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-education.md b/windows/client-management/mdm/policy-csp-education.md
index 9e12bc04e4..18cce493eb 100644
--- a/windows/client-management/mdm/policy-csp-education.md
+++ b/windows/client-management/mdm/policy-csp-education.md
@@ -1,6 +1,6 @@
 ---
 title: Policy CSP - Education
-description: Control graphing functionality in the Windows Calculator app.
+description: Learn how to use the Policy CSP - Education setting to control graphing functionality in the Windows Calculator app.
 ms.author: dansimp
 ms.topic: article
 ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-enterprisecloudprint.md b/windows/client-management/mdm/policy-csp-enterprisecloudprint.md
index c450267337..e9d1cb8436 100644
--- a/windows/client-management/mdm/policy-csp-enterprisecloudprint.md
+++ b/windows/client-management/mdm/policy-csp-enterprisecloudprint.md
@@ -1,6 +1,6 @@
 ---
 title: Policy CSP - EnterpriseCloudPrint
-description: Policy CSP - EnterpriseCloudPrint
+description: Use the Policy CSP - EnterpriseCloudPrint setting to define the maximum number of printers that should be queried from a discovery end point.
 ms.author: dansimp
 ms.topic: article
 ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-errorreporting.md b/windows/client-management/mdm/policy-csp-errorreporting.md
index 79bbb1b92f..b4f27cc7c0 100644
--- a/windows/client-management/mdm/policy-csp-errorreporting.md
+++ b/windows/client-management/mdm/policy-csp-errorreporting.md
@@ -1,6 +1,6 @@
 ---
 title: Policy CSP - ErrorReporting
-description: Policy CSP - ErrorReporting
+description: Learn how to use the Policy CSP - ErrorReporting setting to determine the consent behavior of Windows Error Reporting for specific event types.
 ms.author: dansimp
 ms.topic: article
 ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-eventlogservice.md b/windows/client-management/mdm/policy-csp-eventlogservice.md
index 17080a877e..d86bd44edc 100644
--- a/windows/client-management/mdm/policy-csp-eventlogservice.md
+++ b/windows/client-management/mdm/policy-csp-eventlogservice.md
@@ -1,6 +1,6 @@
 ---
 title: Policy CSP - EventLogService
-description: Policy CSP - EventLogService
+description: Learn how to use the Policy CSP - EventLogService settting to control Event Log behavior when the log file reaches its maximum size.
 ms.author: dansimp
 ms.topic: article
 ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-experience.md b/windows/client-management/mdm/policy-csp-experience.md
index ff50088666..d9e072c7c3 100644
--- a/windows/client-management/mdm/policy-csp-experience.md
+++ b/windows/client-management/mdm/policy-csp-experience.md
@@ -1,6 +1,6 @@
 ---
 title: Policy CSP - Experience
-description: Learn the various Experience policy CSP for Cortana, Sync, Spotlight and more.
+description: Learn how to use the Policy CSP - Experience setting to allow history of clipboard items to be stored in memory.
 ms.author: dansimp
 ms.topic: article
 ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-exploitguard.md b/windows/client-management/mdm/policy-csp-exploitguard.md
index 1e1b072f7d..92829f957e 100644
--- a/windows/client-management/mdm/policy-csp-exploitguard.md
+++ b/windows/client-management/mdm/policy-csp-exploitguard.md
@@ -1,6 +1,6 @@
 ---
 title: Policy CSP - ExploitGuard
-description: Policy CSP - ExploitGuard
+description: Use the Policy CSP - ExploitGuard setting to push out the desired system configuration and application mitigation options to all the devices in the organization.
 ms.author: dansimp
 ms.topic: article
 ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-fileexplorer.md b/windows/client-management/mdm/policy-csp-fileexplorer.md
index 993073f411..58b2bf5175 100644
--- a/windows/client-management/mdm/policy-csp-fileexplorer.md
+++ b/windows/client-management/mdm/policy-csp-fileexplorer.md
@@ -1,6 +1,6 @@
 ---
 title: Policy CSP - FileExplorer
-description: Policy CSP - FileExplorer
+description: Use the Policy CSP - FileExplorer setting so you can allow certain legacy plug-in applications to function without terminating Explorer.
 ms.author: dansimp
 ms.topic: article
 ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-games.md b/windows/client-management/mdm/policy-csp-games.md
index 63eb04a5c3..f62143e2a6 100644
--- a/windows/client-management/mdm/policy-csp-games.md
+++ b/windows/client-management/mdm/policy-csp-games.md
@@ -1,6 +1,6 @@
 ---
 title: Policy CSP - Games
-description: Policy CSP - Games
+description: Learn to use the Policy CSP - Games setting so that you can specify whether advanced gaming services can be used.
 ms.author: dansimp
 ms.topic: article
 ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-handwriting.md b/windows/client-management/mdm/policy-csp-handwriting.md
index 8893695276..dea9168e36 100644
--- a/windows/client-management/mdm/policy-csp-handwriting.md
+++ b/windows/client-management/mdm/policy-csp-handwriting.md
@@ -1,6 +1,6 @@
 ---
 title: Policy CSP - Handwriting
-description: Policy CSP - Handwriting
+description: Use the Policy CSP - Handwriting setting to allow an enterprise to configure the default mode for the handwriting panel.
 ms.author: dansimp
 ms.topic: article
 ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-internetexplorer.md b/windows/client-management/mdm/policy-csp-internetexplorer.md
index a1b9bb2b78..c63c654abe 100644
--- a/windows/client-management/mdm/policy-csp-internetexplorer.md
+++ b/windows/client-management/mdm/policy-csp-internetexplorer.md
@@ -1,6 +1,6 @@
 ---
 title: Policy CSP - InternetExplorer
-description: Policy CSP - InternetExplorer
+description: Use the Policy CSP - InternetExplorer setting to add a specific list of search providers to the user's default list of search providers.
 ms.author: dansimp
 ms.topic: article
 ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-kerberos.md b/windows/client-management/mdm/policy-csp-kerberos.md
index 06023ba3f8..b5331fa661 100644
--- a/windows/client-management/mdm/policy-csp-kerberos.md
+++ b/windows/client-management/mdm/policy-csp-kerberos.md
@@ -1,6 +1,6 @@
 ---
 title: Policy CSP - Kerberos
-description: Policy CSP - Kerberos
+description: Define the list of trusting forests that the Kerberos client searches when attempting to resolve two-part service principal names (SPNs).
 ms.author: dansimp
 ms.topic: article
 ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-kioskbrowser.md b/windows/client-management/mdm/policy-csp-kioskbrowser.md
index 5bbe648950..be0176ca9b 100644
--- a/windows/client-management/mdm/policy-csp-kioskbrowser.md
+++ b/windows/client-management/mdm/policy-csp-kioskbrowser.md
@@ -1,6 +1,6 @@
 ---
 title: Policy CSP - KioskBrowser
-description: Policy CSP - KioskBrowser
+description: Use the Policy CSP - KioskBrowser setting to configure URLs kiosk browsers are allowed to navigate to, which are a subset of the blocked URLs.
 ms.author: dansimp
 ms.topic: article
 ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-lanmanworkstation.md b/windows/client-management/mdm/policy-csp-lanmanworkstation.md
index 011b60a5d7..bb03f10884 100644
--- a/windows/client-management/mdm/policy-csp-lanmanworkstation.md
+++ b/windows/client-management/mdm/policy-csp-lanmanworkstation.md
@@ -1,6 +1,6 @@
 ---
 title: Policy CSP - LanmanWorkstation
-description: Policy CSP - LanmanWorkstation
+description: Use the Policy CSP - LanmanWorkstation setting to determine if the SMB client will allow insecure guest logons to an SMB server.
 ms.author: dansimp
 ms.topic: article
 ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-licensing.md b/windows/client-management/mdm/policy-csp-licensing.md
index c4e988fd6d..bfef6090cc 100644
--- a/windows/client-management/mdm/policy-csp-licensing.md
+++ b/windows/client-management/mdm/policy-csp-licensing.md
@@ -1,6 +1,6 @@
 ---
 title: Policy CSP - Licensing
-description: Policy CSP - Licensing
+description: Use the Policy CSP - Licensing setting to enable or disable Windows license reactivation on managed devices.
 ms.author: dansimp
 ms.topic: article
 ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
index 8920a8ba90..8b0191b9c6 100644
--- a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
+++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
@@ -45,15 +45,6 @@ manager: dansimp
      LocalPoliciesSecurityOptions/Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly
      -
      - LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways -
      -
      - LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptSecureChannelDataWhenPossible -
      -
      - LocalPoliciesSecurityOptions/DomainMember_DisableMachineAccountPasswordChanges -
      LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked
      @@ -132,18 +123,12 @@ manager: dansimp
      LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_OutgoingNTLMTrafficToRemoteServers
      -
      - LocalPoliciesSecurityOptions/RecoveryConsole_AllowAutomaticAdministrativeLogon -
      LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn
      LocalPoliciesSecurityOptions/Shutdown_ClearVirtualMemoryPageFile
      -
      - LocalPoliciesSecurityOptions/SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems -
      LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation
      @@ -714,256 +699,6 @@ GP Info:
      - -**LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Windows EditionSupported?
      Homecross mark
      Procheck mark4
      Businesscheck mark4
      Enterprisecheck mark4
      Educationcheck mark4
      - - -
      - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - - -> [!WARNING] -> Starting in the version 1809 of Windows, this policy is deprecated. - -Domain member: Digitally encrypt or sign secure channel data (always) - -This security setting determines whether all secure channel traffic initiated by the domain member must be signed or encrypted. - -When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller for its domain. This secure channel is used to perform operations such as NTLM pass through authentication, LSA SID/name Lookup etc. - -This setting determines whether or not all secure channel traffic initiated by the domain member meets minimum security requirements. Specifically it determines whether all secure channel traffic initiated by the domain member must be signed or encrypted. If this policy is enabled, then the secure channel will not be established unless either signing or encryption of all secure channel traffic is negotiated. If this policy is disabled, then encryption and signing of all secure channel traffic is negotiated with the Domain Controller in which case the level of signing and encryption depends on the version of the Domain Controller and the settings of the following two policies: - -Domain member: Digitally encrypt secure channel data (when possible) -Domain member: Digitally sign secure channel data (when possible) - -Default: Enabled. - -Notes: - -If this policy is enabled, the policy Domain member: Digitally sign secure channel data (when possible) is assumed to be enabled regardless of its current setting. This ensures that the domain member attempts to negotiate at least signing of the secure channel traffic. -If this policy is enabled, the policy Domain member: Digitally sign secure channel data (when possible) is assumed to be enabled regardless of its current setting. 
This ensures that the domain member attempts to negotiate at least signing of the secure channel traffic. -Logon information transmitted over the secure channel is always encrypted regardless of whether encryption of ALL other secure channel traffic is negotiated or not. - - - -GP Info: -- GP English name: *Domain member: Digitally encrypt or sign secure channel data (always)* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - - - - - - - - - - - -
      - - -**LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptSecureChannelDataWhenPossible** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Windows EditionSupported?
      Homecross mark
      Procheck mark4
      Businesscheck mark4
      Enterprisecheck mark4
      Educationcheck mark4
      - - -
      - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - - -> [!WARNING] -> Starting in the version 1809 of Windows, this policy is deprecated. - -Domain member: Digitally encrypt secure channel data (when possible) - -This security setting determines whether a domain member attempts to negotiate encryption for all secure channel traffic that it initiates. - -When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller for its domain. This secure channel is used to perform operations such as NTLM pass-through authentication, LSA SID/name Lookup etc. - -This setting determines whether or not the domain member attempts to negotiate encryption for all secure channel traffic that it initiates. If enabled, the domain member will request encryption of all secure channel traffic. If the domain controller supports encryption of all secure channel traffic, then all secure channel traffic will be encrypted. Otherwise only logon information transmitted over the secure channel will be encrypted. If this setting is disabled, then the domain member will not attempt to negotiate secure channel encryption. - -Default: Enabled. - -Important - -There is no known reason for disabling this setting. Besides unnecessarily reducing the potential confidentiality level of the secure channel, disabling this setting may unnecessarily reduce secure channel throughput, because concurrent API calls that use the secure channel are only possible when the secure channel is signed or encrypted. - -Note: Domain controllers are also domain members and establish secure channels with other domain controllers in the same domain as well as domain controllers in trusted domains. - - - -GP Info: -- GP English name: *Domain member: Digitally encrypt secure channel data (when possible)* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - - - - - - - - - - - -
      - - -**LocalPoliciesSecurityOptions/DomainMember_DisableMachineAccountPasswordChanges** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Windows EditionSupported?
      Homecross mark
      Procheck mark4
      Businesscheck mark4
      Enterprisecheck mark4
      Educationcheck mark4
      - - -
      - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - - -> [!WARNING] -> Starting in the version 1809 of Windows, this policy is deprecated. - -Domain member: Disable machine account password changes - -Determines whether a domain member periodically changes its computer account password. If this setting is enabled, the domain member does not attempt to change its computer account password. If this setting is disabled, the domain member attempts to change its computer account password as specified by the setting for Domain Member: Maximum age for machine account password, which by default is every 30 days. - -Default: Disabled. - -Notes - -This security setting should not be enabled. Computer account passwords are used to establish secure channel communications between members and domain controllers and, within the domain, between the domain controllers themselves. Once it is established, the secure channel is used to transmit sensitive information that is necessary for making authentication and authorization decisions. -This setting should not be used in an attempt to support dual-boot scenarios that use the same computer account. If you want to dual-boot two installations that are joined to the same domain, give the two installations different computer names. - - - -GP Info: -- GP English name: *Domain member: Disable machine account password changes* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - - - - - - - - - - - -
      - **LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked** @@ -2902,60 +2637,6 @@ GP Info:
      - -**LocalPoliciesSecurityOptions/RecoveryConsole_AllowAutomaticAdministrativeLogon** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Windows EditionSupported?
      Homecross mark
      Procheck mark3
      Businesscheck mark3
      Enterprisecheck mark3
      Educationcheck mark3
      - - -
      - - -Recovery console: Allow automatic administrative logon - -This security setting determines if the password for the Administrator account must be given before access to the system is granted. If this option is enabled, the Recovery Console does not require you to provide a password, and it automatically logs on to the system. - -Default: This policy is not defined and automatic administrative logon is not allowed. - -Value type is integer. Supported operations are Add, Get, Replace, and Delete. - - - -Valid values: -- 0 - disabled -- 1 - enabled (allow automatic administrative logon) - - - - -
      - **LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn** @@ -3095,63 +2776,6 @@ GP Info:
      - -**LocalPoliciesSecurityOptions/SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Windows EditionSupported?
      Homecross mark
      Procheck mark4
      Businesscheck mark4
      Enterprisecheck mark4
      Educationcheck mark4
      - - -
      - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -System objects: Require case insensitivity for non-Windows subsystems - -This security setting determines whether case insensitivity is enforced for all subsystems. The Win32 subsystem is case insensitive. However, the kernel supports case sensitivity for other subsystems, such as POSIX. - -If this setting is enabled, case insensitivity is enforced for all directory objects, symbolic links, and IO objects, including file objects. Disabling this setting does not allow the Win32 subsystem to become case sensitive. - -Default: Enabled. - - - - -
      - **LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation** diff --git a/windows/client-management/mdm/policy-csp-lockdown.md b/windows/client-management/mdm/policy-csp-lockdown.md index 81f3ae2ca6..bc065532ed 100644 --- a/windows/client-management/mdm/policy-csp-lockdown.md +++ b/windows/client-management/mdm/policy-csp-lockdown.md @@ -1,6 +1,6 @@ --- title: Policy CSP - LockDown -description: Policy CSP - LockDown +description: Use the Policy CSP - LockDown setting to allow the user to invoke any system user interface by swiping in from any screen edge using touch. ms.author: dansimp ms.topic: article ms.prod: w10 diff --git a/windows/client-management/mdm/policy-csp-maps.md b/windows/client-management/mdm/policy-csp-maps.md index 87ede82676..34c246f134 100644 --- a/windows/client-management/mdm/policy-csp-maps.md +++ b/windows/client-management/mdm/policy-csp-maps.md @@ -1,6 +1,6 @@ --- title: Policy CSP - Maps -description: Policy CSP - Maps +description: Use the Policy CSP - Maps setting to allow the download and update of map data over metered connections. ms.author: dansimp ms.topic: article ms.prod: w10 diff --git a/windows/client-management/mdm/policy-csp-mssecurityguide.md b/windows/client-management/mdm/policy-csp-mssecurityguide.md index 7835ef3d3c..d464f4c063 100644 --- a/windows/client-management/mdm/policy-csp-mssecurityguide.md +++ b/windows/client-management/mdm/policy-csp-mssecurityguide.md @@ -1,6 +1,6 @@ --- title: Policy CSP - MSSecurityGuide -description: See how this ADMX-backed policy requires a special SyncML format to enable or disable. +description: Learn how Policy CSP - MSSecurityGuide, an ADMX-backed policy, requires a special SyncML format to enable or disable. ms.author: dansimp ms.topic: article ms.prod: w10 diff --git a/windows/client-management/mdm/policy-csp-msslegacy.md b/windows/client-management/mdm/policy-csp-msslegacy.md index ad6734ce70..d4a5030052 100644 
--- a/windows/client-management/mdm/policy-csp-msslegacy.md
+++ b/windows/client-management/mdm/policy-csp-msslegacy.md
@@ -1,6 +1,6 @@
 ---
 title: Policy CSP - MSSLegacy
-description: Policy CSP - MSSLegacy
+description: Learn how Policy CSP - MSSLegacy, an ADMX-backed policy, requires a special SyncML format to enable or disable.
 ms.author: dansimp
 ms.topic: article
 ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-networkisolation.md b/windows/client-management/mdm/policy-csp-networkisolation.md
index 3f42c5653f..95d9af4a93 100644
--- a/windows/client-management/mdm/policy-csp-networkisolation.md
+++ b/windows/client-management/mdm/policy-csp-networkisolation.md
@@ -1,6 +1,6 @@
 ---
 title: Policy CSP - NetworkIsolation
-description: Policy CSP - NetworkIsolation
+description: Learn how Policy CSP - NetworkIsolation contains a list of Enterprise resource domains hosted in the cloud that need to be protected.
 ms.author: dansimp
 ms.topic: article
 ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-power.md b/windows/client-management/mdm/policy-csp-power.md
index 5da2930e76..d17cdbe1bc 100644
--- a/windows/client-management/mdm/policy-csp-power.md
+++ b/windows/client-management/mdm/policy-csp-power.md
@@ -1,6 +1,6 @@
 ---
 title: Policy CSP - Power
-description: Learn the ins and outs of various Policy CSP - Power settings, including SyncML, for Windows 10.
+description: Learn how the Policy CSP - Power setting manages whether or not Windows is allowed to use standby states when putting the computer in a sleep state.
 ms.author: dansimp
 ms.topic: article
 ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-privacy.md b/windows/client-management/mdm/policy-csp-privacy.md
index 9b20cf82c2..ca873b0393 100644
--- a/windows/client-management/mdm/policy-csp-privacy.md
+++ b/windows/client-management/mdm/policy-csp-privacy.md
@@ -1,6 +1,6 @@
 ---
 title: Policy CSP - Privacy
-description: Policy CSP - Privacy
+description: Learn how the Policy CSP - Privacy setting allows or disallows the automatic acceptance of the pairing and privacy user consent dialog when launching apps.
 ms.author: dansimp
 ms.topic: article
 ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-remoteassistance.md b/windows/client-management/mdm/policy-csp-remoteassistance.md
index 39e59b9ba2..340bef38c2 100644
--- a/windows/client-management/mdm/policy-csp-remoteassistance.md
+++ b/windows/client-management/mdm/policy-csp-remoteassistance.md
@@ -1,6 +1,6 @@
 ---
 title: Policy CSP - RemoteAssistance
-description: Policy CSP - RemoteAssistance
+description: Learn how the Policy CSP - RemoteAssistance setting allows you to specify a custom message to display.
 ms.author: dansimp
 ms.topic: article
 ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-remotedesktopservices.md b/windows/client-management/mdm/policy-csp-remotedesktopservices.md
index e4fefcbc62..a33ad83d33 100644
--- a/windows/client-management/mdm/policy-csp-remotedesktopservices.md
+++ b/windows/client-management/mdm/policy-csp-remotedesktopservices.md
@@ -1,6 +1,6 @@
 ---
 title: Policy CSP - RemoteDesktopServices
-description: Policy CSP - RemoteDesktopServices
+description: Learn how the Policy CSP - RemoteDesktopServices setting allows you to configure remote access to computers by using Remote Desktop Services.
 ms.author: dansimp
 ms.topic: article
 ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-remotemanagement.md b/windows/client-management/mdm/policy-csp-remotemanagement.md
index 6c88c68b12..fae950baec 100644
--- a/windows/client-management/mdm/policy-csp-remotemanagement.md
+++ b/windows/client-management/mdm/policy-csp-remotemanagement.md
@@ -1,6 +1,6 @@
 ---
 title: Policy CSP - RemoteManagement
-description: Policy CSP - RemoteManagement
+description: Learn how the Policy CSP - RemoteManagement setting allows you to manage whether the Windows Remote Management (WinRM) client uses Basic authentication.
 ms.author: dansimp
 ms.topic: article
 ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-remoteprocedurecall.md b/windows/client-management/mdm/policy-csp-remoteprocedurecall.md
index d6b5c1ab71..493027a454 100644
--- a/windows/client-management/mdm/policy-csp-remoteprocedurecall.md
+++ b/windows/client-management/mdm/policy-csp-remoteprocedurecall.md
@@ -1,6 +1,6 @@
 ---
 title: Policy CSP - RemoteProcedureCall
-description: Policy CSP - RemoteProcedureCall
+description: The Policy CSP - RemoteProcedureCall setting controls whether RPC clients authenticate when the call they are making contains authentication information.
 ms.author: dansimp
 ms.topic: article
 ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-remoteshell.md b/windows/client-management/mdm/policy-csp-remoteshell.md
index 534584eca6..ac6201611a 100644
--- a/windows/client-management/mdm/policy-csp-remoteshell.md
+++ b/windows/client-management/mdm/policy-csp-remoteshell.md
@@ -1,6 +1,6 @@
 ---
 title: Policy CSP - RemoteShell
-description: Policy CSP - RemoteShell
+description: Learn details about the Policy CSP - RemoteShell setting so that you can configure access to remote shells.
 ms.author: dansimp
 ms.topic: article
 ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-restrictedgroups.md b/windows/client-management/mdm/policy-csp-restrictedgroups.md
index 86a64acdd0..204cf968b0 100644
--- a/windows/client-management/mdm/policy-csp-restrictedgroups.md
+++ b/windows/client-management/mdm/policy-csp-restrictedgroups.md
@@ -1,6 +1,6 @@
 ---
 title: Policy CSP - RestrictedGroups
-description: Policy CSP - RestrictedGroups
+description: Learn how the Policy CSP - RestrictedGroups setting allows an administrator to define the members that are part of a security-sensitive (restricted) group.
 ms.author: dansimp
 ms.topic: article
 ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-search.md b/windows/client-management/mdm/policy-csp-search.md
index e23ac51307..5fe588c782 100644
--- a/windows/client-management/mdm/policy-csp-search.md
+++ b/windows/client-management/mdm/policy-csp-search.md
@@ -1,6 +1,6 @@
 ---
 title: Policy CSP - Search
-description: Policy CSP - Search
+description: Learn how the Policy CSP - Search setting allows search and Cortana to search cloud sources like OneDrive and SharePoint.
 ms.author: dansimp
 ms.topic: article
 ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-security.md b/windows/client-management/mdm/policy-csp-security.md
index 81eb2aa84e..7c7feb1aeb 100644
--- a/windows/client-management/mdm/policy-csp-security.md
+++ b/windows/client-management/mdm/policy-csp-security.md
@@ -1,6 +1,6 @@
 ---
 title: Policy CSP - Security
-description: Policy CSP - Security
+description: Learn how the Policy CSP - Security setting can specify whether to allow the runtime configuration agent to install provisioning packages.
 ms.author: dansimp
 ms.topic: article
 ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-servicecontrolmanager.md b/windows/client-management/mdm/policy-csp-servicecontrolmanager.md
index f1ac63ed5f..762c801e6c 100644
--- a/windows/client-management/mdm/policy-csp-servicecontrolmanager.md
+++ b/windows/client-management/mdm/policy-csp-servicecontrolmanager.md
@@ -1,6 +1,6 @@
 ---
 title: Policy CSP - ServiceControlManager
-description: Policy CSP - ServiceControlManager
+description: Learn how the Policy CSP - ServiceControlManager setting enables process mitigation options on svchost.exe processes.
 ms.author: dansimp
 ms.topic: article
 ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-settings.md b/windows/client-management/mdm/policy-csp-settings.md
index 6052b904e8..1e16989ede 100644
--- a/windows/client-management/mdm/policy-csp-settings.md
+++ b/windows/client-management/mdm/policy-csp-settings.md
@@ -1,6 +1,6 @@
 ---
 title: Policy CSP - Settings
-description: Policy CSP - Settings
+description: Learn how to use the Policy CSP - Settings setting so that you can allow the user to change Auto Play settings.
 ms.author: dansimp
 ms.topic: article
 ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-smartscreen.md b/windows/client-management/mdm/policy-csp-smartscreen.md
index 2c2fceffc1..2cdf136faf 100644
--- a/windows/client-management/mdm/policy-csp-smartscreen.md
+++ b/windows/client-management/mdm/policy-csp-smartscreen.md
@@ -1,6 +1,6 @@
 ---
 title: Policy CSP - SmartScreen
-description: Policy CSP - SmartScreen
+description: Use the Policy CSP - SmartScreen setting to allow IT Admins to control whether users are allowed to install apps from places other than the Store.
 ms.author: dansimp
 ms.topic: article
 ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-speech.md b/windows/client-management/mdm/policy-csp-speech.md
index aca2851f58..39cd9db038 100644
--- a/windows/client-management/mdm/policy-csp-speech.md
+++ b/windows/client-management/mdm/policy-csp-speech.md
@@ -1,6 +1,6 @@
 ---
 title: Policy CSP - Speech
-description: Policy CSP - Speech
+description: Learn how the Policy CSP - Speech setting specifies whether the device will receive updates to the speech recognition and speech synthesis models.
 ms.author: dansimp
 ms.topic: article
 ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-start.md b/windows/client-management/mdm/policy-csp-start.md
index 31872e9f67..0b6888322b 100644
--- a/windows/client-management/mdm/policy-csp-start.md
+++ b/windows/client-management/mdm/policy-csp-start.md
@@ -1,6 +1,6 @@
 ---
 title: Policy CSP - Start
-description: Use this policy CSP to control the visibility of the Documents shortcut on the Start menu.
+description: Use the Policy CSP - Start setting to control the visibility of the Documents shortcut on the Start menu.
 ms.author: dansimp
 ms.topic: article
 ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-storage.md b/windows/client-management/mdm/policy-csp-storage.md
index 0afd39b6c8..52f43753a2 100644
--- a/windows/client-management/mdm/policy-csp-storage.md
+++ b/windows/client-management/mdm/policy-csp-storage.md
@@ -1,6 +1,6 @@
 ---
 title: Policy CSP - Storage
-description: Policy CSP - Storage
+description: Learn to use the Policy CSP - Storage settings to automatically clean some of the user’s files to free up disk space.
 ms.author: dansimp
 ms.topic: article
 ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md
index 73f8d6586a..9c05c19f4f 100644
--- a/windows/client-management/mdm/policy-csp-system.md
+++ b/windows/client-management/mdm/policy-csp-system.md
@@ -7,7 +7,7 @@ ms.prod: w10
 ms.technology: windows
 author: manikadhiman
 ms.localizationpriority: medium
-ms.date: 06/25/2020
+ms.date: 08/12/2020
 ms.reviewer:
 manager: dansimp
 ---
@@ -28,9 +28,6 @@ manager: dansimp
      System/AllowCommercialDataPipeline
      -
      - System/AllowDesktopAnalyticsProcessing -
      System/AllowDeviceNameInDiagnosticData
      @@ -46,24 +43,15 @@ manager: dansimp
      System/AllowLocation
      -
      - System/AllowMicrosoftManagedDesktopProcessing -
      System/AllowStorageCard
      System/AllowTelemetry
      -
      - System/AllowUpdateComplianceProcessing -
      System/AllowUserToResetPhone
      -
      - System/AllowWUfBCloudProcessing -
      System/BootStartDriverInitialization
      @@ -257,88 +245,7 @@ The following list shows the supported values: -
      - - -**System/AllowDesktopAnalyticsProcessing** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Windows EditionSupported?
      Homecross mark
      Procheck mark
      Businesscheck mark
      Enterprisecheck mark
      Educationcheck mark
      - - -
      - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -Available in Windows 10, version 1809 through 1909. This policy setting controls whether the Desktop Analytics service is configured to use Windows diagnostic data collected from devices. - -If you enable this policy setting and enroll your devices in your Azure AD tenant, your organization becomes the controller and Microsoft is the processor of this data. - -If you disable or don't configure this policy setting, Microsoft will be the controller for Windows diagnostic data collected from the device. - ->[!Note] -> This policy setting only controls if Microsoft is a processor for Windows diagnostic data from this device. Use the [System/AllowTelemetry](#system-allowtelemetry) policy setting to limit the diagnostic data that can be collected from the device. - - - -ADMX Info: -- GP English name: *Allow Desktop Analytics Processing* -- GP name: *AllowDesktopAnalyticsProcessing* -- GP path: *Data Collection and Preview Builds* -- GP ADMX file name: *DataCollection.admx* - - - -The following list shows the supported values: - -- 0 (default) – Diagnostic data is not processed by Desktop Analytics. -- 2 – Diagnostic data is allowed to be processed by Desktop Analytics. - - - - - - - - - - -
      - **System/AllowDeviceNameInDiagnosticData** @@ -691,71 +598,6 @@ The following list shows the supported values:
      - -**System/AllowMicrosoftManagedDesktopProcessing** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Windows EditionSupported?
      Homecross mark
      Procheck mark
      Businesscheck mark
      Enterprisecheck mark
      Educationcheck mark
      - - -
      - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -Available in Windows 10, version 1809 through 1909. This policy setting controls whether the Microsoft Managed Desktop service is configured to use Windows diagnostic data collected from devices. - -If you enable this policy setting and enroll your devices in your Azure AD tenant, your organization becomes the controller and Microsoft is the processor of this data. - -If you disable or don't configure this policy setting, Microsoft will be the controller for Windows diagnostic data collected from the device. - -> [!Note] -> This policy setting only controls if Microsoft is a processor for Windows diagnostic data from this device. Use the [System/AllowTelemetry](#system-allowtelemetry) policy setting to limit the diagnostic data that can be collected from the device. - - - -The following list shows the supported values: - -- 0 (default)– Diagnostic data is not processed by Microsoft Managed Desktop. -- 32 – Diagnostic data is processed by Microsoft Managed Desktop. - - - - -
      - **System/AllowStorageCard** @@ -950,78 +792,6 @@ ADMX Info:
      - -**System/AllowUpdateComplianceProcessing** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Windows EditionSupported?
      Homecross mark
      Procheck mark
      Businesscheck mark
      Enterprisecheck mark
      Educationcheck mark
      - - -
      - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -Available in Windows 10, version 1809 through 1909. This policy setting controls whether the Update Compliance service is configured to use Windows diagnostic data collected from devices. - -If you enable this policy setting and enroll your devices in your Azure AD tenant, your organization becomes the controller and Microsoft is the processor of this data. - -If you disable or don't configure this policy setting, Microsoft will be the controller for Windows diagnostic data collected from the device. - ->[!Note] -> This policy setting only controls if Microsoft is a processor for Windows diagnostic data from this device. Use the [System/AllowTelemetry](#system-allowtelemetry) setting to limit the diagnostic data that can be collected from the device. - - - -ADMX Info: -- GP English name: *Enable Update Compliance Processing* -- GP name: *AllowUpdateComplianceProcessing* -- GP path: *Data Collection and Preview Builds* -- GP ADMX file name: *DataCollection.admx* - - - -The following list shows the supported values: - -- 0 (default)– Diagnostic data is not processed by Update Compliance. -- 16 – Diagnostic data is allowed to be processed by Update Compliance. - - - -
      - **System/AllowUserToResetPhone** @@ -1081,71 +851,6 @@ The following list shows the supported values:
      - - -**System/AllowWUfBCloudProcessing** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Windows EditionSupported?
      Homecross mark
      Procheck mark
      Businesscheck mark
      Enterprisecheck mark
      Educationcheck mark
      - - -
      - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -Available in Windows 10, version 1809 through 1909. This policy setting controls whether the Windows Update for Business cloud service is configured to use Windows diagnostic data collected from devices. - -If you enable this policy setting and enroll your devices in your Azure AD tenant, your organization becomes the controller and Microsoft is the processor of this data. - -If you disable or don't configure this policy setting, Microsoft will be the controller for Windows diagnostic data collected from the device. - ->[!Note] -> This policy setting only controls if Microsoft is a processor for Windows diagnostic data from this device. Use the [System/AllowTelemetry](#system-allowtelemetry) policy setting to limit the diagnostic data that can be collected from the device. - - - - -The following list shows the supported values: -- 0 (default) – Diagnostic data is not processed by Windows Update for Business cloud. -- 8 – Diagnostic data is allowed to be processed by Windows Update for Business cloud. - - - - - **System/BootStartDriverInitialization** diff --git a/windows/client-management/mdm/policy-csp-systemservices.md b/windows/client-management/mdm/policy-csp-systemservices.md index 19836d1ca5..a7f98a6c0c 100644 --- a/windows/client-management/mdm/policy-csp-systemservices.md +++ b/windows/client-management/mdm/policy-csp-systemservices.md @@ -1,6 +1,6 @@ --- title: Policy CSP - SystemServices -description: Policy CSP - SystemServices +description: Learn how to use the Policy CSP - SystemServices setting to determine whether the service's start type is Automatic(2), Manual(3), Disabled(4). ms.author: dansimp ms.topic: article ms.prod: w10 diff --git a/windows/client-management/mdm/policy-csp-taskmanager.md b/windows/client-management/mdm/policy-csp-taskmanager.md index 9787467c21..ce84398393 100644 --- a/windows/client-management/mdm/policy-csp-taskmanager.md +++ b/windows/client-management/mdm/policy-csp-taskmanager.md 
@@ -1,6 +1,6 @@
 ---
 title: Policy CSP - TaskManager
-description: Policy CSP - TaskManager
+description: Learn how to use the Policy CSP - TaskManager setting to determine whether non-administrators can use Task Manager to end tasks.
 ms.author: dansimp
 ms.topic: article
 ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-taskscheduler.md b/windows/client-management/mdm/policy-csp-taskscheduler.md
index 44a8f08bdd..ab6ec4d46c 100644
--- a/windows/client-management/mdm/policy-csp-taskscheduler.md
+++ b/windows/client-management/mdm/policy-csp-taskscheduler.md
@@ -1,6 +1,6 @@
 ---
 title: Policy CSP - TaskScheduler
-description: Policy CSP - TaskScheduler
+description: Learn how to use the Policy CSP - TaskScheduler setting to determine whether the specific task is enabled (1) or disabled (0).
 ms.author: dansimp
 ms.topic: article
 ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-textinput.md b/windows/client-management/mdm/policy-csp-textinput.md
index e1799a0c16..99360d692b 100644
--- a/windows/client-management/mdm/policy-csp-textinput.md
+++ b/windows/client-management/mdm/policy-csp-textinput.md
@@ -1,6 +1,6 @@
 ---
 title: Policy CSP - TextInput
-description: Policy CSP - TextInput
+description: The Policy CSP - TextInput setting allows the user to turn on and off the logging for incorrect conversion and saving auto-tuning result to a file.
 ms.author: dansimp
 ms.topic: article
 ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-timelanguagesettings.md b/windows/client-management/mdm/policy-csp-timelanguagesettings.md
index d029929145..8ef9349148 100644
--- a/windows/client-management/mdm/policy-csp-timelanguagesettings.md
+++ b/windows/client-management/mdm/policy-csp-timelanguagesettings.md
@@ -1,6 +1,6 @@
 ---
 title: Policy CSP - TimeLanguageSettings
-description: Learn which TimeLanguageSettings policies are supported for your edition of Windows.
+description: Learn to use the Policy CSP - TimeLanguageSettings setting to specify the time zone to be applied to the device.
 ms.author: dansimp
 ms.topic: article
 ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-troubleshooting.md b/windows/client-management/mdm/policy-csp-troubleshooting.md
index 881b9b3a43..c7862d0866 100644
--- a/windows/client-management/mdm/policy-csp-troubleshooting.md
+++ b/windows/client-management/mdm/policy-csp-troubleshooting.md
@@ -1,6 +1,6 @@
 ---
 title: Policy CSP - Troubleshooting
-description: Policy CSP - Troubleshooting
+description: The Policy CSP - Troubleshooting setting allows IT admins to configure how to apply recommended troubleshooting for known problems on the devices in their domains.
 ms.author: dansimp
 ms.topic: article
 ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md
index d9187a1854..4eb6ccaccf 100644
--- a/windows/client-management/mdm/policy-csp-update.md
+++ b/windows/client-management/mdm/policy-csp-update.md
@@ -1,6 +1,6 @@
 ---
 title: Policy CSP - Update
-description: Manage a range of active hours for when update reboots are not scheduled.
+description: The Policy CSP - Update allows the IT admin, when used with Update/ActiveHoursStart, to manage a range of active hours where update reboots aren't scheduled.
 ms.author: dansimp
 ms.topic: article
 ms.prod: w10
@@ -194,6 +194,9 @@ manager: dansimp
      Update/SetEDURestart
      +
      + Update/SetProxyBehaviorForUpdateDetection +
      Update/TargetReleaseVersion
      @@ -4133,6 +4136,78 @@ The following list shows the supported values:
      + + +**Update/SetProxyBehaviorForUpdateDetection** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Windows EditionSupported?
      Homecross mark
      Procheck mark1
      Businesscheck mark1
      Enterprisecheck mark1
      Educationcheck mark1
      + + +
      + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Available in Windows 10, version 1607 and later. By default, HTTP WSUS servers scan only if system proxy is configured. This policy setting allows you to configure user proxy as a fallback for detecting updates while using an HTTP based intranet server despite the vulnerabilities it presents. + +This policy setting does not impact those customers who have, per Microsoft recommendation, secured their WSUS server with TLS/SSL protocol, thereby using HTTPS based intranet servers to keep systems secure. That said, if a proxy is required, we recommend configuring a system proxy to ensure the highest level of security. + + + +ADMX Info: +- GP English name: *Select the proxy behavior for Windows Update client for detecting updates with non-TLS (HTTP) based service* +- GP name: *Select the proxy behavior* +- GP element: *Select the proxy behavior* +- GP path: *Windows Components/Windows Update/Specify intranet Microsoft update service location* +- GP ADMX file name: *WindowsUpdate.admx* + + + +The following list shows the supported values: + +- 0 (default) - Allow system proxy only for HTTP scans. +- 1 - Allow user proxy to be used as a fallback if detection using system proxy fails. +> [!NOTE] +> Configuring this policy setting to 1 exposes your environment to potential security risk and makes scans unsecure. + + + + +
      + **Update/TargetReleaseVersion** diff --git a/windows/client-management/mdm/policy-csp-userrights.md b/windows/client-management/mdm/policy-csp-userrights.md index 73f3dfd843..df12efd32b 100644 --- a/windows/client-management/mdm/policy-csp-userrights.md +++ b/windows/client-management/mdm/policy-csp-userrights.md @@ -1,6 +1,6 @@ --- title: Policy CSP - UserRights -description: Policy CSP - UserRights +description: Learn how user rights are assigned for user accounts or groups, and how the name of the policy defines the user right in question. ms.author: dansimp ms.topic: article ms.prod: w10 diff --git a/windows/client-management/mdm/policy-csp-wifi.md b/windows/client-management/mdm/policy-csp-wifi.md index 770316e0bc..db63da7a5a 100644 --- a/windows/client-management/mdm/policy-csp-wifi.md +++ b/windows/client-management/mdm/policy-csp-wifi.md @@ -1,6 +1,6 @@ --- title: Policy CSP - Wifi -description: Policy CSP - Wifi +description: Learn how the Policy CSP - Wifi setting allows or disallows the device to automatically connect to Wi-Fi hotspots. ms.author: dansimp ms.topic: article ms.prod: w10 diff --git a/windows/client-management/mdm/policy-csp-windowsconnectionmanager.md b/windows/client-management/mdm/policy-csp-windowsconnectionmanager.md index 4cbed0f5f3..4f89b78bcf 100644 --- a/windows/client-management/mdm/policy-csp-windowsconnectionmanager.md +++ b/windows/client-management/mdm/policy-csp-windowsconnectionmanager.md @@ -1,6 +1,6 @@ --- title: Policy CSP - WindowsConnectionManager -description: Policy CSP - WindowsConnectionManager +description: The Policy CSP - WindowsConnectionManager setting prevents computers from connecting to a domain based network and a non-domain based network simultaneously. ms.author: dansimp ms.topic: article ms.prod: w10 diff --git a/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md b/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md index d2c74ba941..a4cd3536f0 100644 
--- a/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md
+++ b/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md
@@ -1,6 +1,6 @@
 ---
 title: Policy CSP - WindowsDefenderSecurityCenter
-description: Policy CSP - WindowsDefenderSecurityCenter
+description: Learn how to use the Policy CSP - WindowsDefenderSecurityCenter setting to display the Account protection area in Windows Defender Security Center.
 ms.author: dansimp
 ms.topic: article
 ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-windowsinkworkspace.md b/windows/client-management/mdm/policy-csp-windowsinkworkspace.md
index bc97e2e774..e60269d795 100644
--- a/windows/client-management/mdm/policy-csp-windowsinkworkspace.md
+++ b/windows/client-management/mdm/policy-csp-windowsinkworkspace.md
@@ -1,6 +1,6 @@
 ---
 title: Policy CSP - WindowsInkWorkspace
-description: Policy CSP - WindowsInkWorkspace
+description: Learn to use the Policy CSP - WindowsInkWorkspace setting to specify whether to allow the user to access the ink workspace.
 ms.author: dansimp
 ms.topic: article
 ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-windowslogon.md b/windows/client-management/mdm/policy-csp-windowslogon.md
index d3793a4bb7..c7ccb54106 100644
--- a/windows/client-management/mdm/policy-csp-windowslogon.md
+++ b/windows/client-management/mdm/policy-csp-windowslogon.md
@@ -1,6 +1,6 @@
 ---
 title: Policy CSP - WindowsLogon
-description: Policy CSP - WindowsLogon
+description: Use the Policy CSP - WindowsLogon setting to control whether a device automatically signs in and locks the last interactive user after the system restarts.
 ms.author: dansimp
 ms.topic: article
 ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-windowspowershell.md b/windows/client-management/mdm/policy-csp-windowspowershell.md
index cc4f87b917..b60def1361 100644
--- a/windows/client-management/mdm/policy-csp-windowspowershell.md
+++ b/windows/client-management/mdm/policy-csp-windowspowershell.md @@ -1,6 +1,6 @@ --- title: Policy CSP - WindowsPowerShell -description: Policy CSP - WindowsPowerShell +description: Use the Policy CSP - WindowsPowerShell setting to enable logging of all PowerShell script input to the Microsoft-Windows-PowerShell/Operational event log. ms.author: dansimp ms.topic: article ms.prod: w10 diff --git a/windows/client-management/mdm/policy-csp-wirelessdisplay.md b/windows/client-management/mdm/policy-csp-wirelessdisplay.md index eb74f99772..3aff9aac6c 100644 --- a/windows/client-management/mdm/policy-csp-wirelessdisplay.md +++ b/windows/client-management/mdm/policy-csp-wirelessdisplay.md @@ -1,6 +1,6 @@ --- title: Policy CSP - WirelessDisplay -description: Policy CSP - WirelessDisplay +description: Use the Policy CSP - WirelessDisplay setting to turn off the Wireless Display multicast DNS service advertisement from a Wireless Display receiver. ms.author: dansimp ms.topic: article ms.prod: w10 diff --git a/windows/client-management/mdm/policy-csps-admx-backed.md b/windows/client-management/mdm/policy-csps-admx-backed.md index fed6d0138d..d71913160c 100644 --- a/windows/client-management/mdm/policy-csps-admx-backed.md +++ b/windows/client-management/mdm/policy-csps-admx-backed.md @@ -9,7 +9,7 @@ ms.prod: w10 ms.technology: windows author: manikadhiman ms.localizationpriority: medium -ms.date: 07/18/2019 +ms.date: 08/18/2020 --- # ADMX-backed policy CSPs 
@@ -21,6 +21,106 @@ ms.date: 07/18/2019 > - [ActiveXControls/ApprovedInstallationSites](./policy-csp-activexcontrols.md#activexcontrols-approvedinstallationsites) +- [ADMX_AddRemovePrograms/DefaultCategory](/policy-csp-admx-addremoveprograms.md#admx-addremoveprograms-defaultcategory) +- [ADMX_AddRemovePrograms/NoAddFromCDorFloppy](./policy-csp-admx-addremoveprograms.md#admx-addremoveprograms-noaddfromcdorfloppy) +- [ADMX_AddRemovePrograms/NoAddFromInternet](./policy-csp-admx-addremoveprograms.md#admx-addremoveprograms-noaddfrominternet) +- [ADMX_AddRemovePrograms/NoAddFromNetwork](./policy-csp-admx-addremoveprograms.md#admx-addremoveprograms-noaddfromnetwork) +- [ADMX_AddRemovePrograms/NoAddPage](./policy-csp-admx-addremoveprograms.md#admx-addremoveprograms-noaddpage) +- [ADMX_AddRemovePrograms/NoAddRemovePrograms](./policy-csp-admx-addremoveprograms.md#admx-addremoveprograms-noaddremoveprograms) +- [ADMX_AddRemovePrograms/NoChooseProgramsPage](./policy-csp-admx-addremoveprograms.md#admx-addremoveprograms-nochooseprogramspage) +- [ADMX_AddRemovePrograms/NoRemovePage](./policy-csp-admx-addremoveprograms.md#admx-addremoveprograms-noremovepage) +- [ADMX_AddRemovePrograms/NoServices](./policy-csp-admx-addremoveprograms.md#admx-addremoveprograms-noservices) +- [ADMX_AddRemovePrograms/NoSupportInfo](./policy-csp-admx-addremoveprograms.md#admx-addremoveprograms-nosupportinfo) +- [ADMX_AddRemovePrograms/NoWindowsSetupPage](./policy-csp-admx-addremoveprograms.md#admx-addremoveprograms-nowindowssetuppage) +- [ADMX_AppCompat/AppCompatPrevent16BitMach](./policy-csp-admx-appcompat.md#admx-appcompat-appcompatprevent16bitmach) +- [ADMX_AppCompat/AppCompatRemoveProgramCompatPropPage](./policy-csp-admx-appcompat.md#admx-appcompat-appcompatremoveprogramcompatproppage) +- [ADMX_AppCompat/AppCompatTurnOffApplicationImpactTelemetry](./policy-csp-admx-appcompat.md#admx-appcompat-appcompatturnoffapplicationimpacttelemetry) +- 
[ADMX_AppCompat/AppCompatTurnOffSwitchBack](./policy-csp-admx-appcompat.md#admx-appcompat-appcompatturnoffswitchback) +- [ADMX_AppCompat/AppCompatTurnOffEngine](./policy-csp-admx-appcompat.md#admx-appcompat-appcompatturnoffengine) +- [ADMX_AppCompat/AppCompatTurnOffProgramCompatibilityAssistant_1](./policy-csp-admx-appcompat.md#admx-appcompat-appcompatturnoffprogramcompatibilityassistant_1) +- [ADMX_AppCompat/AppCompatTurnOffProgramCompatibilityAssistant_2](./policy-csp-admx-appcompat.md#admx-appcompat-appcompatturnoffprogramcompatibilityassistant_2) +- [ADMX_AppCompat/AppCompatTurnOffUserActionRecord](./policy-csp-admx-appcompat.md#admx-appcompat-appcompatturnoffuseractionrecord) +- [ADMX_AppCompat/AppCompatTurnOffProgramInventory](./policy-csp-admx-appcompat.md#admx-appcompat-appcompatturnoffprograminventory) +- [ADMX_AuditSettings/IncludeCmdLine](./policy-csp-admx-auditsettings.md#admx-auditsettings-includecmdline) +- [ADMX_Cpls/UseDefaultTile](./policy-csp-admx-cpls.md#admx-cpls-usedefaulttile) +- [ADMX_CtrlAltDel/DisableChangePassword](./policy-csp-admx-ctrlaltdel.md#admx-ctrlaltdel-disablechangepassword) +- [ADMX_CtrlAltDel/DisableLockComputer](./policy-csp-admx-ctrlaltdel.md#admx-ctrlaltdel-disablelockcomputer) +- [ADMX_CtrlAltDel/DisableTaskMgr](./policy-csp-admx-ctrlaltdel.md#admx-ctrlaltdel-disabletaskmgr) +- [ADMX_CtrlAltDel/NoLogoff](./policy-csp-admx-ctrlaltdel.md#admx-ctrlaltdel-nologoff) +- [ADMX_DigitalLocker/Digitalx_DiableApplication_TitleText_1](./policy-csp-admx-digitallocker.md#admx-digitallocker-digitalx-diableapplication-titletext-1) +- [ADMX_DigitalLocker/Digitalx_DiableApplication_TitleText_2](./policy-csp-admx-digitallocker.md#admx-digitallocker-digitalx-diableapplication-titletext-2) +- [ADMX_DnsClient/DNS_AllowFQDNNetBiosQueries](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-allowfqdnnetbiosqueries) +- [ADMX_DnsClient/DNS_AppendToMultiLabelName](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-appendtomultilabelname) +- 
[ADMX_DnsClient/DNS_Domain](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-domain) +- [ADMX_DnsClient/DNS_DomainNameDevolutionLevel](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-domainnamedevolutionlevel) +- [ADMX_DnsClient/DNS_IdnEncoding](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-idnencoding) +- [ADMX_DnsClient/DNS_IdnMapping](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-idnmapping) +- [ADMX_DnsClient/DNS_NameServer](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-nameserver) +- [ADMX_DnsClient/DNS_PreferLocalResponsesOverLowerOrderDns](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-preferlocalresponsesoverlowerorderdns) +- [ADMX_DnsClient/DNS_PrimaryDnsSuffix](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-primarydnssuffix) +- [ADMX_DnsClient/DNS_RegisterAdapterName](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-registeradaptername) +- [ADMX_DnsClient/DNS_RegisterReverseLookup](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-registerreverselookup) +- [ADMX_DnsClient/DNS_RegistrationEnabled](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-registrationenabled) +- [ADMX_DnsClient/DNS_RegistrationOverwritesInConflict](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-registrationoverwritesinconflict) +- [ADMX_DnsClient/DNS_RegistrationRefreshInterval](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-registrationrefreshinterval) +- [ADMX_DnsClient/DNS_RegistrationTtl](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-registrationttl) +- [ADMX_DnsClient/DNS_SearchList](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-searchlist) +- [ADMX_DnsClient/DNS_SmartMultiHomedNameResolution](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-smartmultihomednameresolution) +- [ADMX_DnsClient/DNS_SmartProtocolReorder](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-smartprotocolreorder) +- [ADMX_DnsClient/DNS_UpdateSecurityLevel](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-updatesecuritylevel) +- 
[ADMX_DnsClient/DNS_UpdateTopLevelDomainZones](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-updatetopleveldomainzones) +- [ADMX_DnsClient/DNS_UseDomainNameDevolution](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-usedomainnamedevolution) +- [ADMX_DnsClient/Turn_Off_Multicast](./policy-csp-admx-dnsclient.md#admx-dnsclient-turn-off-multicast) +- [ADMX_DWM/DwmDefaultColorizationColor_1](./policy-csp-admx-dwm.md#admx-dwm-dwmdefaultcolorizationcolor-1) +- [ADMX_DWM/DwmDefaultColorizationColor_2](./policy-csp-admx-dwm.md#admx-dwm-dwmdefaultcolorizationcolor-2) +- [ADMX_DWM/DwmDisallowAnimations_1](./policy-csp-admx-dwm.md#admx-dwm-dwmdisallowanimations-1) +- [ADMX_DWM/DwmDisallowAnimations_2](./policy-csp-admx-dwm.md#admx-dwm-dwmdisallowanimations-2) +- [ADMX_DWM/DwmDisallowColorizationColorChanges_1](./policy-csp-admx-dwm.md#admx-dwm-dwmdisallowcolorizationcolorchanges-1) +- [ADMX_DWM/DwmDisallowColorizationColorChanges_2](./policy-csp-admx-dwm.md#admx-dwm-dwmdisallowcolorizationcolorchanges-2) +- [ADMX_EncryptFilesonMove/NoEncryptOnMove](./policy-csp-admx-encryptfilesonmove.md#admx-encryptfilesonmove-noencryptonmove) +- [ADMX_EventForwarding/ForwarderResourceUsage](./policy-csp-admx-eventforwarding.md#admx_eventforwarding-forwarderresourceusage) +- [ADMX_EventForwarding/SubscriptionManager](./policy-csp-admx-eventforwarding.md#admx_eventforwarding-subscriptionmanager) +- [ADMX_FileServerVSSProvider/Pol_EncryptProtocol](./policy-csp-admx-fileservervssprovider.md#admx-fileservervssprovider-pol-encryptprotocol) +- [ADMX_FileSys/DisableCompression](./policy-csp-admx-filesys.md#admx-filesys-disablecompression) +- [ADMX_FileSys/DisableDeleteNotification](./policy-csp-admx-filesys.md#admx-filesys-disabledeletenotification) +- ADMX_FileSys/DisableEncryption](./policy-csp-admx-filesys.md#admx-filesys-disableencryption) +- [ADMX_FileSys/EnablePagefileEncryption](./policy-csp-admx-filesys.md#admx-filesys-enablepagefileencryption) +- 
[ADMX_FileSys/LongPathsEnabled](./policy-csp-admx-filesys.md#admx-filesys-longpathsenabled) +- [ADMX_FileSys/ShortNameCreationSettings](./policy-csp-admx-filesys.md#admx-filesys-shortnamecreationsettings) +- [ADMX_FileSys/SymlinkEvaluation](./policy-csp-admx-filesys.md#admx-filesys-symlinkevaluation) +- [ADMX_FileSys/TxfDeprecatedFunctionality](./policy-csp-admx-filesys.md#admx-filesys-txfdeprecatedfunctionality) +- [ADMX_FolderRedirection/DisableFRAdminPin](./policy-csp-admx-folderredirection.md#admx-folderredirection-disablefradminpin) +- [ADMX_FolderRedirection/DisableFRAdminPinByFolder](./policy-csp-admx-folderredirection.md#admx-folderredirection-disablefradminpinbyfolder) +- [ADMX_FolderRedirection/FolderRedirectionEnableCacheRename](./policy-csp-admx-folderredirection.md#admx-folderredirection-folderredirectionenablecacherename) +- [ADMX_FolderRedirection/LocalizeXPRelativePaths_1](./policy-csp-admx-folderredirection.md#admx-folderredirection-localizexprelativepaths-1) +- [ADMX_FolderRedirection/LocalizeXPRelativePaths_2](./policy-csp-admx-folderredirection.md#admx-folderredirection-localizexprelativepaths-2) +- [ADMX_FolderRedirection/PrimaryComputer_FR_1](./policy-csp-admx-folderredirection.md#admx-folderredirection-primarycomputer-fr-1) +- [ADMX_FolderRedirection/PrimaryComputer_FR_2](./policy-csp-admx-folderredirection.md#admx-folderredirection-primarycomputer-fr-2) +- [ADMX_Help/DisableHHDEP](./policy-csp-admx-help.md#admx-help-disablehhdep) +- [ADMX_Help/HelpQualifiedRootDir_Comp](./policy-csp-admx-help.md#admx-help-helpqualifiedrootdir-comp) +- [ADMX_Help/RestrictRunFromHelp](./policy-csp-admx-help.md#admx-help-restrictrunfromhelp) +- [ADMX_Help/RestrictRunFromHelp_Comp](./policy-csp-admx-help.md#admx-help-restrictrunfromhelp-comp) +- [ADMX_HelpAndSupport/ActiveHelp](./policy-csp-admx-helpandsupport.md#admx-helpandsupport-activehelp) +- [ADMX_HelpAndSupport/HPExplicitFeedback](./policy-csp-admx-helpandsupport.md#admx-helpandsupport-hpexplicitfeedback) 
+- [ADMX_HelpAndSupport/HPImplicitFeedback](./policy-csp-admx-helpandsupport.md#admx-helpandsupport-hpimplicitfeedback) +- [ADMX_HelpAndSupport/HPOnlineAssistance](./policy-csp-admx-helpandsupport.md#admx-helpandsupport-hponlineassistance) +- [ADMX_kdc/CbacAndArmor](./policy-csp-admx-kdc.md#admx-kdc-cbacandarmor) +- [ADMX_kdc/ForestSearch](./policy-csp-admx-kdc.md#admx-kdc-forestsearch) +- [ADMX_kdc/PKINITFreshness](./policy-csp-admx-kdc.md#admx-kdc-pkinitfreshness) +- [ADMX_kdc/RequestCompoundId](./policy-csp-admx-kdc.md#admx-kdc-requestcompoundid) +- [ADMX_kdc/TicketSizeThreshold](./policy-csp-admx-kdc.md#admx-kdc-ticketsizethreshold) +- [ADMX_kdc/emitlili](./policy-csp-admx-kdc.md#admx-kdc-emitlili) +- [ADMX_LanmanServer/Pol_CipherSuiteOrder](./policy-csp-admx-lanmanserver.md#admx-lanmanserver-pol-ciphersuiteorder) +- [ADMX_LanmanServer/Pol_HashPublication](./policy-csp-admx-lanmanserver.md#admx-lanmanserver-pol-hashpublication) +- [ADMX_LanmanServer/Pol_HashSupportVersion](./policy-csp-admx-lanmanserver.md#admx-lanmanserver-pol-hashsupportversion) +- [ADMX_LanmanServer/Pol_HonorCipherSuiteOrder](./policy-csp-admx-lanmanserver.md#admx-lanmanserver-pol-honorciphersuiteorder) +- [ADMX_LinkLayerTopologyDiscovery/LLTD_EnableLLTDIO](./policy-csp-admx-linklayertopologydiscovery.md#admx-linklayertopologydiscovery-lltd-enablelltdio) +- [ADMX_LinkLayerTopologyDiscovery/LLTD_EnableRspndr](./policy-csp-admx-linklayertopologydiscovery.md#admx-linklayertopologydiscovery-lltd-enablerspndr) +- [ADMX_MMC/MMC_ActiveXControl](./policy-csp-admx-mmc.md#admx-mmc-mmc-activexcontrol) +- [ADMX_MMC/MMC_ExtendView](./policy-csp-admx-mmc.md#admx-mmc-mmc-extendview) +- [ADMX_MMC/MMC_LinkToWeb](./policy-csp-admx-mmc.md#admx-mmc-mmc-linktoweb) +- [ADMX_MMC/MMC_Restrict_Author](./policy-csp-admx-mmc.md#admx-mmc-mmc-restrict-author) +- [ADMX_MMC/MMC_Restrict_To_Permitted_Snapins](./policy-csp-admx-mmc.md#admx-mmc-mmc-restrict-to-permitted-snapins) - 
[AppRuntime/AllowMicrosoftAccountsToBeOptional](./policy-csp-appruntime.md#appruntime-allowmicrosoftaccountstobeoptional) - [AppVirtualization/AllowAppVClient](./policy-csp-appvirtualization.md#appvirtualization-allowappvclient) - [AppVirtualization/AllowDynamicVirtualization](./policy-csp-appvirtualization.md#appvirtualization-allowdynamicvirtualization) @@ -406,8 +506,6 @@ ms.date: 07/18/2019 - [RemoteShell/SpecifyShellTimeout](./policy-csp-remoteshell.md#remoteshell-specifyshelltimeout) - [ServiceControlManager/SvchostProcessMitigation](./policy-csp-servicecontrolmanager.md#servicecontrolmanager-svchostprocessmitigation) - [Storage/EnhancedStorageDevices](./policy-csp-storage.md#storage-enhancedstoragedevices) -- [System/AllowDesktopAnalyticsProcessing](./policy-csp-system.md#system-allowdesktopanalyticsprocessing) -- [System/AllowUpdateComplianceProcessing](./policy-csp-system.md#system-allowppdatecomplianceprocessing) - [System/BootStartDriverInitialization](./policy-csp-system.md#system-bootstartdriverinitialization) - [System/DisableSystemRestore](./policy-csp-system.md#system-disablesystemrestore) - [WindowsConnectionManager/ProhitConnectionToNonDomainNetworksWhenConnectedToDomainAuthenticatedNetwork](./policy-csp-windowsconnectionmanager.md#windowsconnectionmanager-prohitconnectiontonondomainnetworkswhenconnectedtodomainauthenticatednetwork) diff --git a/windows/client-management/mdm/policy-csps-supported-by-group-policy.md b/windows/client-management/mdm/policy-csps-supported-by-group-policy.md index 328dfe2238..651f088e72 100644 --- a/windows/client-management/mdm/policy-csps-supported-by-group-policy.md +++ b/windows/client-management/mdm/policy-csps-supported-by-group-policy.md 
@@ -533,9 +533,6 @@ ms.date: 07/18/2019 - [LocalPoliciesSecurityOptions/Devices_AllowedToFormatAndEjectRemovableMedia](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-devices-allowedtoformatandejectremovablemedia) - [LocalPoliciesSecurityOptions/Devices_PreventUsersFromInstallingPrinterDriversWhenConnectingToSharedPrinters](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-devices-preventusersfrominstallingprinterdriverswhenconnectingtosharedprinters) - [LocalPoliciesSecurityOptions/Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-devices-restrictcdromaccesstolocallyloggedonuseronly) -- [LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-domainmember-digitallyencryptorsignsecurechanneldataalways) -- [LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptSecureChannelDataWhenPossible](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-domainmember-digitallyencryptsecurechanneldatawhenpossible) -- [LocalPoliciesSecurityOptions/DomainMember_DisableMachineAccountPasswordChanges](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-domainmember-disablemachineaccountpasswordchanges) - [LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-displayuserinformationwhenthesessionislocked) - [LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayLastSignedIn](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-donotdisplaylastsignedin) - 
[LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayUsernameAtSignIn](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-donotdisplayusernameatsignin) diff --git a/windows/client-management/mdm/policy-csps-supported-by-iot-enterprise.md b/windows/client-management/mdm/policy-csps-supported-by-iot-enterprise.md index 617be22113..8e70dd707e 100644 --- a/windows/client-management/mdm/policy-csps-supported-by-iot-enterprise.md +++ b/windows/client-management/mdm/policy-csps-supported-by-iot-enterprise.md @@ -66,6 +66,7 @@ ms.date: 07/18/2019 - [Update/ConfigureDeadlineForQualityUpdates](policy-csp-update.md#update-configuredeadlineforqualityupdates) - [Update/ConfigureDeadlineGracePeriod](policy-csp-update.md#update-configuredeadlinegraceperiod) - [Update/ConfigureDeadlineNoAutoReboot](policy-csp-update.md#update-configuredeadlinenoautoreboot) +- [Update/SetProxyBehaviorForUpdateDetection](policy-csp-update.md#update-setproxybehaviorforupdatedetection) ## Related topics diff --git a/windows/client-management/mdm/policy-ddf-file.md b/windows/client-management/mdm/policy-ddf-file.md index 7a522ee312..27c1aceaf0 100644 --- a/windows/client-management/mdm/policy-ddf-file.md +++ b/windows/client-management/mdm/policy-ddf-file.md @@ -1,6 +1,6 @@ --- title: Policy DDF file -description: Policy DDF file +description: Learn about the OMA DM device description framework (DDF) for the Policy configuration service provider. ms.assetid: D90791B5-A772-4AF8-B058-5D566865AF8D ms.reviewer: manager: dansimp diff --git a/windows/client-management/mdm/policymanager-csp.md b/windows/client-management/mdm/policymanager-csp.md index ad4bb24be7..656e292b4e 100644 --- a/windows/client-management/mdm/policymanager-csp.md +++ b/windows/client-management/mdm/policymanager-csp.md 
@@ -1,6 +1,6 @@
 ---
 title: PolicyManager CSP
-description: PolicyManager CSP
+description: Learn how PolicyManager CSP is deprecated. For Windows 10 devices you should use Policy CSP, which replaces PolicyManager CSP.
 ms.assetid: 048427b1-6024-4660-8660-bd91c583f7f9
 ms.reviewer:
 manager: dansimp
diff --git a/windows/client-management/mdm/proxy-csp.md b/windows/client-management/mdm/proxy-csp.md
index cced09bc2b..c1d9034fe8 100644
--- a/windows/client-management/mdm/proxy-csp.md
+++ b/windows/client-management/mdm/proxy-csp.md
@@ -1,6 +1,6 @@
 ---
 title: PROXY CSP
-description: PROXY CSP
+description: Learn how the PROXY configuration service provider (CSP) is used to configure proxy connections.
 ms.assetid: 9904d44c-4a1e-4ae7-a6c7-5dba06cb16ce
 ms.reviewer:
 manager: dansimp
diff --git a/windows/client-management/mdm/reboot-csp.md b/windows/client-management/mdm/reboot-csp.md
index e7cb92b9c4..d906bca3da 100644
--- a/windows/client-management/mdm/reboot-csp.md
+++ b/windows/client-management/mdm/reboot-csp.md
@@ -1,6 +1,6 @@
 ---
 title: Reboot CSP
-description: Reboot CSP
+description: Learn how the Reboot configuration service provider (CSP) is used to configure reboot settings.
 ms.assetid: 4E3F1225-BBAD-40F5-A1AB-FF221B6BAF48
 ms.reviewer:
 manager: dansimp
diff --git a/windows/client-management/mdm/registry-csp.md b/windows/client-management/mdm/registry-csp.md
index 61d34774a7..4978cc70e0 100644
--- a/windows/client-management/mdm/registry-csp.md
+++ b/windows/client-management/mdm/registry-csp.md
@@ -1,6 +1,6 @@
 ---
 title: Registry CSP
-description: Registry CSP
+description: In this article, learn how to use the Registry configuration service provider (CSP) to update registry settings.
 ms.assetid: 2307e3fd-7b61-4f00-94e1-a639571f2c9d
 ms.reviewer:
 manager: dansimp
@@ -17,7 +17,8 @@ ms.date: 06/26/2017 The Registry configuration service provider is used to update registry settings. However, if there is configuration service provider that is specific to the settings that need to be updated, use the specific configuration service provider. -> **Note**   The Registry CSP is only supported in Windows 10 Mobile for OEM configuration. Do not use this CSP for enterprise remote management. +> [!NOTE] +> The Registry CSP is only supported in Windows 10 Mobile for OEM configuration. Do not use this CSP for enterprise remote management. For Windows 10 Mobile only, this configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_CSP\_OEM capabilities to be accessed from a network configuration application.   @@ -32,13 +33,12 @@ For OMA Client Provisioning, the follows notes apply: - This documentation describes the default characteristics. Additional characteristics may be added. -- Because the **Registry** configuration service provider uses the backslash (\) character as a separator between key names, backslashes which occur in the name of a registry key must be escaped. Backslashes can be escaped by using two sequential backslashes (\\\). +- Because the **Registry** configuration service provider uses the backslash (\\) character as a separator between key names, backslashes which occur in the name of a registry key must be escaped. Backslashes can be escaped by using two sequential backslashes (\\\\). The default security role maps to each subnode unless specific permission is granted to the subnode. The security role for subnodes is implementation specific, and can be changed by OEMs and mobile operators. ## Microsoft Custom Elements - The following table shows the Microsoft custom elements that this configuration service provider supports for OMA Client Provisioning. @@ -75,11 +75,10 @@ The following table shows the Microsoft custom elements that this configuration
        - Use these elements to build standard OMA Client Provisioning configuration XML. For information about specific elements, see MSPROV DTD elements. -## Supported Data Types +## Supported Data Types The following table shows the data types this configuration service provider supports. diff --git a/windows/client-management/mdm/registry-ddf-file.md b/windows/client-management/mdm/registry-ddf-file.md index 164f8d4a66..6b6bc9c191 100644 --- a/windows/client-management/mdm/registry-ddf-file.md +++ b/windows/client-management/mdm/registry-ddf-file.md @@ -1,6 +1,6 @@ --- title: Registry DDF file -description: Registry DDF file +description: Learn about the OMA DM device description framework (DDF) for the Registry configuration service provider (CSP). ms.assetid: 29b5cc07-f349-4567-8a77-387d816a9d15 ms.reviewer: manager: dansimp diff --git a/windows/client-management/mdm/remotelock-ddf-file.md b/windows/client-management/mdm/remotelock-ddf-file.md index 2408353c86..d740994fc1 100644 --- a/windows/client-management/mdm/remotelock-ddf-file.md +++ b/windows/client-management/mdm/remotelock-ddf-file.md @@ -1,6 +1,6 @@ --- title: RemoteLock DDF file -description: RemoteLock DDF file +description: Learn about the OMA DM device description framework (DDF) for the RemoteLock configuration service provider (CSP). ms.assetid: A301AE26-1BF1-4328-99AB-1ABBA4960797 ms.reviewer: manager: dansimp diff --git a/windows/client-management/mdm/remotering-csp.md b/windows/client-management/mdm/remotering-csp.md index 726df442f0..999d8b629e 100644 --- a/windows/client-management/mdm/remotering-csp.md +++ b/windows/client-management/mdm/remotering-csp.md @@ -1,6 +1,6 @@ --- title: RemoteRing CSP -description: RemoteRing CSP +description: The RemoteRing CSP can be used to remotely trigger a device to produce an audible ringing sound regardless of the volume that's set on the device. ms.assetid: 70015243-c07f-46cb-a0f9-4b4ad13a5609 ms.reviewer: manager: dansimp 
diff --git a/windows/client-management/mdm/remotewipe-csp.md b/windows/client-management/mdm/remotewipe-csp.md
index 3ee8a2cd21..efd8cdac2b 100644
--- a/windows/client-management/mdm/remotewipe-csp.md
+++ b/windows/client-management/mdm/remotewipe-csp.md
@@ -1,6 +1,6 @@
 ---
 title: RemoteWipe CSP
-description: RemoteWipe CSP
+description: Learn how the RemoteWipe configuration service provider (CSP) can be used by mobile operators DM server or enterprise management server to remotely wipe a device.
 ms.assetid: 6e89bd37-7680-4940-8a67-11ed062ffb70
 ms.reviewer:
 manager: dansimp
diff --git a/windows/client-management/mdm/remotewipe-ddf-file.md b/windows/client-management/mdm/remotewipe-ddf-file.md
index 12a8de389a..36a83bee33 100644
--- a/windows/client-management/mdm/remotewipe-ddf-file.md
+++ b/windows/client-management/mdm/remotewipe-ddf-file.md
@@ -1,6 +1,6 @@
 ---
 title: RemoteWipe DDF file
-description: RemoteWipe DDF file
+description: Learn about the OMA DM device description framework (DDF) for the RemoteWipe configuration service provider.
 ms.assetid: 10ec4fb7-f911-4d0c-9a8f-e96bf5faea0c
 ms.reviewer:
 manager: dansimp
diff --git a/windows/client-management/mdm/rest-api-reference-windows-store-for-business.md b/windows/client-management/mdm/rest-api-reference-windows-store-for-business.md
index 1b4f1ec6bc..ad6dd045e3 100644
--- a/windows/client-management/mdm/rest-api-reference-windows-store-for-business.md
+++ b/windows/client-management/mdm/rest-api-reference-windows-store-for-business.md
@@ -1,6 +1,6 @@
 ---
 title: REST API reference for Microsoft Store for Business
-description: REST API reference for Microsoft Store for Business--includes available operations and data structures.
+description: Learn how the REST API reference for Microsoft Store for Business includes available operations and data structures.
 MS-HAID:
 - 'p\_phdevicemgmt.business\_store\_portal\_management\_rest\_api\_reference'
 - 'p\_phDeviceMgmt.rest\_api\_reference\_windows\_store\_for\_Business'
diff --git a/windows/client-management/mdm/rootcacertificates-csp.md b/windows/client-management/mdm/rootcacertificates-csp.md
index 132e196cc0..1c5b7912aa 100644
--- a/windows/client-management/mdm/rootcacertificates-csp.md
+++ b/windows/client-management/mdm/rootcacertificates-csp.md
@@ -1,6 +1,6 @@
 ---
 title: RootCATrustedCertificates CSP
-description: RootCATrustedCertificates CSP
+description: Learn how the RootCATrustedCertificates configuration service provider (CSP) enables the enterprise to set the Root Certificate Authority (CA) certificates.
 ms.assetid: F2F25DEB-9DB3-40FB-BC3C-B816CE470D61
 ms.reviewer:
 manager: dansimp
diff --git a/windows/client-management/mdm/rootcacertificates-ddf-file.md b/windows/client-management/mdm/rootcacertificates-ddf-file.md
index a80fb75af6..166dfc0d43 100644
--- a/windows/client-management/mdm/rootcacertificates-ddf-file.md
+++ b/windows/client-management/mdm/rootcacertificates-ddf-file.md
@@ -1,6 +1,6 @@
 ---
 title: RootCATrustedCertificates DDF file
-description: RootCATrustedCertificates DDF file
+description: Learn about the OMA DM device description framework (DDF) for the RootCACertificates configuration service provider (CSP).
 ms.assetid: 06D8787B-D3E1-4D4B-8A21-8045A8F85C1C
 ms.reviewer:
 manager: dansimp
diff --git a/windows/client-management/mdm/secureassessment-csp.md b/windows/client-management/mdm/secureassessment-csp.md
index 7d972a5a96..6585261229 100644
--- a/windows/client-management/mdm/secureassessment-csp.md
+++ b/windows/client-management/mdm/secureassessment-csp.md
@@ -1,6 +1,6 @@
 ---
 title: SecureAssessment CSP
-description: SecureAssessment CSP
+description: Learn how the SecureAssessment configuration service provider (CSP) is used to provide configuration information for the secure assessment browser.
 ms.assetid: 6808BE4B-961E-4638-BF15-FD7841D1C00A
 ms.reviewer:
 manager: dansimp
diff --git a/windows/client-management/mdm/securitypolicy-csp.md b/windows/client-management/mdm/securitypolicy-csp.md
index 9b8b3ce65d..9e203d4d39 100644
--- a/windows/client-management/mdm/securitypolicy-csp.md
+++ b/windows/client-management/mdm/securitypolicy-csp.md
@@ -1,6 +1,6 @@
 ---
 title: SecurityPolicy CSP
-description: SecurityPolicy CSP
+description: The SecurityPolicy CSP is used to configure security policy settings for WAP push, OMA DM, Service Indication (SI), Service Loading (SL), and MMS.
 ms.assetid: 6014f8fe-f91b-49f3-a357-bdf625545bc9
 ms.reviewer:
 manager: dansimp
diff --git a/windows/client-management/mdm/server-requirements-windows-mdm.md b/windows/client-management/mdm/server-requirements-windows-mdm.md
index 50b8b73b30..032469c901 100644
--- a/windows/client-management/mdm/server-requirements-windows-mdm.md
+++ b/windows/client-management/mdm/server-requirements-windows-mdm.md
@@ -1,6 +1,6 @@
 ---
 title: Server requirements for using OMA DM to manage Windows devices
-description: Server requirements for using OMA DM to manage Windows devices
+description: Learn about the general server requirements for using OMA DM to manage Windows devices, including the supported versions of OMA DM.
 MS-HAID:
 - 'p\_phDeviceMgmt.server\_requirements\_for\_oma\_dm'
 - 'p\_phDeviceMgmt.server\_requirements\_windows\_mdm'
diff --git a/windows/client-management/mdm/sharedpc-ddf-file.md b/windows/client-management/mdm/sharedpc-ddf-file.md
index b9ea9c1767..61e26ea7a0 100644
--- a/windows/client-management/mdm/sharedpc-ddf-file.md
+++ b/windows/client-management/mdm/sharedpc-ddf-file.md
@@ -1,6 +1,6 @@
 ---
 title: SharedPC DDF file
-description: SharedPC DDF file
+description: Learn how the OMA DM device description framework (DDF) for the SharedPC configuration service provider (CSP).
 ms.assetid: 70234197-07D4-478E-97BB-F6C651C0B970
 ms.reviewer:
 manager: dansimp
diff --git a/windows/client-management/mdm/storage-csp.md b/windows/client-management/mdm/storage-csp.md
index 6ed19c97e1..3cb5d8920c 100644
--- a/windows/client-management/mdm/storage-csp.md
+++ b/windows/client-management/mdm/storage-csp.md
@@ -1,6 +1,6 @@
 ---
 title: Storage CSP
-description: Storage CSP
+description: Learn how the Storage enterprise configuration service provider (CSP) is used to configure the storage card settings.
 ms.assetid: b19bdb54-53ed-42ce-a5a1-269379013f57
 ms.reviewer:
 manager: dansimp
diff --git a/windows/client-management/mdm/storage-ddf-file.md b/windows/client-management/mdm/storage-ddf-file.md
index 9d9be94f93..17340fbf2d 100644
--- a/windows/client-management/mdm/storage-ddf-file.md
+++ b/windows/client-management/mdm/storage-ddf-file.md
@@ -1,6 +1,6 @@
 ---
 title: Storage DDF file
-description: See how storage configuration service provider. DDF files are used only with OMA DM provisioning XML.
+description: Learn about the OMA DM device description framework (DDF) for the Storage configuration service provider (CSP).
 ms.assetid: 247062A3-4DFB-4B14-A3D1-68D02C27703C
 ms.reviewer:
 manager: dansimp
diff --git a/windows/client-management/mdm/structure-of-oma-dm-provisioning-files.md b/windows/client-management/mdm/structure-of-oma-dm-provisioning-files.md
index 0e0293bca8..2b482383bd 100644
--- a/windows/client-management/mdm/structure-of-oma-dm-provisioning-files.md
+++ b/windows/client-management/mdm/structure-of-oma-dm-provisioning-files.md
@@ -1,6 +1,6 @@
 ---
 title: Structure of OMA DM provisioning files
-description: Structure of OMA DM provisioning files
+description: Learn about the structure of OMA DM provisioning files, for example how each message is composed of a header, specified by the SyncHdr element, and a message body.
 ms.assetid: 7bd3ef57-c76c-459b-b63f-c5a333ddc2bc
 ms.reviewer:
 manager: dansimp
diff --git a/windows/client-management/mdm/supl-csp.md b/windows/client-management/mdm/supl-csp.md
index 28d0b9c42e..45e335fdf9 100644
--- a/windows/client-management/mdm/supl-csp.md
+++ b/windows/client-management/mdm/supl-csp.md
@@ -1,6 +1,6 @@
 ---
 title: SUPL CSP
-description: SUPL CSP
+description: Learn how the SUPL configuration service provider (CSP) is used to configure the location client.
 ms.assetid: afad0120-1126-4fc5-8e7a-64b9f2a5eae1
 ms.reviewer:
 manager: dansimp
diff --git a/windows/client-management/mdm/tenantlockdown-ddf.md b/windows/client-management/mdm/tenantlockdown-ddf.md
index ad901702a5..b064d57b68 100644
--- a/windows/client-management/mdm/tenantlockdown-ddf.md
+++ b/windows/client-management/mdm/tenantlockdown-ddf.md
@@ -1,6 +1,6 @@
 ---
 title: TenantLockdown DDF file
-description: XML file containing the device description framework for the TenantLockdown configuration service provider.
+description: XML file containing the device description framework for the TenantLockdown configuration service provider (CSP).
 ms.author: dansimp
 ms.topic: article
 ms.prod: w10
diff --git a/windows/client-management/mdm/tpmpolicy-csp.md b/windows/client-management/mdm/tpmpolicy-csp.md
index 36f46f9df1..f97ea96a00 100644
--- a/windows/client-management/mdm/tpmpolicy-csp.md
+++ b/windows/client-management/mdm/tpmpolicy-csp.md
@@ -1,6 +1,6 @@
 ---
 title: TPMPolicy CSP
-description: TPMPolicy CSP
+description: The TPMPolicy configuration service provider (CSP) provides a mechanism to enable zero exhaust configuration on a Windows device for TPM software components.
 ms.author: dansimp
 ms.topic: article
 ms.prod: w10
diff --git a/windows/client-management/mdm/tpmpolicy-ddf-file.md b/windows/client-management/mdm/tpmpolicy-ddf-file.md
index fcdb101ad2..fd463047e0 100644
--- a/windows/client-management/mdm/tpmpolicy-ddf-file.md
+++ b/windows/client-management/mdm/tpmpolicy-ddf-file.md
@@ -1,6 +1,6 @@
 ---
 title: TPMPolicy DDF file
-description: TPMPolicy DDF file
+description: Learn about the OMA DM device description framework (DDF) for the TPMPolicy configuration service provider (CSP).
 ms.author: dansimp
 ms.topic: article
 ms.prod: w10
diff --git a/windows/client-management/mdm/uefi-ddf.md b/windows/client-management/mdm/uefi-ddf.md
index 808685d36d..1432ef811a 100644
--- a/windows/client-management/mdm/uefi-ddf.md
+++ b/windows/client-management/mdm/uefi-ddf.md
@@ -1,6 +1,6 @@
 ---
 title: UEFI DDF file
-description: UEFI DDF file
+description: Learn about the OMA DM device description framework (DDF) for the Uefi configuration service provider (CSP).
 ms.author: dansimp
 ms.topic: article
 ms.prod: w10
diff --git a/windows/client-management/mdm/update-csp.md b/windows/client-management/mdm/update-csp.md
index 310b0192c6..183c89df6d 100644
--- a/windows/client-management/mdm/update-csp.md
+++ b/windows/client-management/mdm/update-csp.md
@@ -1,6 +1,6 @@
 ---
 title: Update CSP
-description: Update CSP
+description: Learn how the Update configuration service provider (CSP) enables IT administrators to manage and control the rollout of new updates.
 ms.assetid: F1627B57-0749-47F6-A066-677FDD3D7359
 ms.reviewer:
 manager: dansimp
diff --git a/windows/client-management/mdm/update-ddf-file.md b/windows/client-management/mdm/update-ddf-file.md
index 731adeeb60..44f580cb4f 100644
--- a/windows/client-management/mdm/update-ddf-file.md
+++ b/windows/client-management/mdm/update-ddf-file.md
@@ -1,6 +1,6 @@
 ---
 title: Update DDF file
-description: Update DDF file
+description: Learn about the OMA DM device description framework (DDF) for the Update configuration service provider (CSP).
 ms.assetid: E236E468-88F3-402A-BA7A-834ED38DD388
 ms.reviewer:
 manager: dansimp
diff --git a/windows/client-management/mdm/vpn-csp.md b/windows/client-management/mdm/vpn-csp.md
index 7b8f154145..60702d4f69 100644
--- a/windows/client-management/mdm/vpn-csp.md
+++ b/windows/client-management/mdm/vpn-csp.md
@@ -1,6 +1,6 @@
 ---
 title: VPN CSP
-description: VPN CSP
+description: Learn how the VPN configuration service provider (CSP) allows the mobile device management (MDM) server to configure the VPN profile of the device.
 ms.assetid: 05ca946a-1c0b-4e11-8d7e-854e14740707
 ms.reviewer:
 manager: dansimp
diff --git a/windows/client-management/mdm/vpn-ddf-file.md b/windows/client-management/mdm/vpn-ddf-file.md
index b3e8aef28c..889a2f8f25 100644
--- a/windows/client-management/mdm/vpn-ddf-file.md
+++ b/windows/client-management/mdm/vpn-ddf-file.md
@@ -1,6 +1,6 @@
 ---
 title: VPN DDF file
-description: VPN DDF file
+description: Learn about the OMA DM device description framework (DDF) for the VPN configuration service provider (CSP).
 ms.assetid: 728FCD9C-0B8E-413B-B54A-CD72C9F2B9EE
 ms.reviewer:
 manager: dansimp
diff --git a/windows/client-management/mdm/vpnv2-csp.md b/windows/client-management/mdm/vpnv2-csp.md
index c7555d45bf..df6b648e6e 100644
--- a/windows/client-management/mdm/vpnv2-csp.md
+++ b/windows/client-management/mdm/vpnv2-csp.md
@@ -1,6 +1,6 @@
 ---
 title: VPNv2 CSP
-description: VPNv2 CSP
+description: Learn how the VPNv2 configuration service provider (CSP) allows the mobile device management (MDM) server to configure the VPN profile of the device.
 ms.assetid: 51ADA62E-1EE5-4F15-B2AD-52867F5B2AD2
 ms.reviewer:
 manager: dansimp
diff --git a/windows/client-management/mdm/w4-application-csp.md b/windows/client-management/mdm/w4-application-csp.md
index e4c93ad525..51a1739756 100644
--- a/windows/client-management/mdm/w4-application-csp.md
+++ b/windows/client-management/mdm/w4-application-csp.md
@@ -1,6 +1,6 @@
 ---
 title: w4 APPLICATION CSP
-description: w4 APPLICATION CSP
+description: Use an APPLICATION configuration service provider (CSP) that has an APPID of w4 to configure Multimedia Messaging Service (MMS).
 ms.assetid: ef42b82a-1f04-49e4-8a48-bd4e439fc43a
 ms.reviewer:
 manager: dansimp
diff --git a/windows/client-management/mdm/w7-application-csp.md b/windows/client-management/mdm/w7-application-csp.md
index eff35b4fd4..20f21f79bc 100644
--- a/windows/client-management/mdm/w7-application-csp.md
+++ b/windows/client-management/mdm/w7-application-csp.md
@@ -1,6 +1,6 @@
 ---
 title: w7 APPLICATION CSP
-description: w7 APPLICATION CSP
+description: Learn that the APPLICATION configuration service provider (CSP) that has an APPID of w7 is used for bootstrapping a device with an OMA DM account.
 ms.assetid: 10f8aa16-5c89-455d-adcd-d7fb45d4e768
 ms.reviewer:
 manager: dansimp
diff --git a/windows/client-management/mdm/wifi-csp.md b/windows/client-management/mdm/wifi-csp.md
index 70f5a31c7c..174c633ba4 100644
--- a/windows/client-management/mdm/wifi-csp.md
+++ b/windows/client-management/mdm/wifi-csp.md
@@ -1,6 +1,6 @@
 ---
 title: WiFi CSP
-description: The WiFi configuration service provider provides the functionality to add or delete Wi-Fi networks on a Windows device.
+description: The WiFi configuration service provider (CSP) provides the functionality to add or delete Wi-Fi networks on a Windows device.
 ms.assetid: f927cb5f-9555-4029-838b-03fb68937f06
 ms.reviewer:
 manager: dansimp
diff --git a/windows/client-management/mdm/wifi-ddf-file.md b/windows/client-management/mdm/wifi-ddf-file.md
index 2c51e50a62..8dff039754 100644
--- a/windows/client-management/mdm/wifi-ddf-file.md
+++ b/windows/client-management/mdm/wifi-ddf-file.md
@@ -1,6 +1,6 @@
 ---
 title: WiFi DDF file
-description: WiFi DDF file
+description: Learn about the OMA DM device description framework (DDF) for the WiFi configuration service provider (CSP).
 ms.assetid: 00DE1DA7-23DE-4871-B3F0-28EB29A62D61
 ms.reviewer:
 manager: dansimp
diff --git a/windows/client-management/mdm/win32appinventory-csp.md b/windows/client-management/mdm/win32appinventory-csp.md
index abcbb92914..f6b422ce6d 100644
--- a/windows/client-management/mdm/win32appinventory-csp.md
+++ b/windows/client-management/mdm/win32appinventory-csp.md
@@ -1,6 +1,6 @@
 ---
 title: Win32AppInventory CSP
-description: Win32AppInventory CSP
+description: Learn how the Win32AppInventory configuration service provider (CSP) is used to provide an inventory of installed applications on a device.
 ms.assetid: C0DEDD51-4EAD-4F8E-AEE2-CBE9658BCA22
 ms.reviewer:
 manager: dansimp
diff --git a/windows/client-management/mdm/win32appinventory-ddf-file.md b/windows/client-management/mdm/win32appinventory-ddf-file.md
index b22b7284fa..1f20685d75 100644
--- a/windows/client-management/mdm/win32appinventory-ddf-file.md
+++ b/windows/client-management/mdm/win32appinventory-ddf-file.md
@@ -1,6 +1,6 @@
 ---
 title: Win32AppInventory DDF file
-description: See the OMA DM device description framework (DDF) for the **Win32AppInventory** configuration service provider. DDF files are used only with OMA DM provisioning XML.
+description: Learn about the OMA DM device description framework (DDF) for the Win32AppInventory configuration service provider (CSP).
 ms.assetid: F6BCC10B-BFE4-40AB-AEEE-34679A4E15B0
 ms.reviewer:
 manager: dansimp
diff --git a/windows/client-management/mdm/win32compatibilityappraiser-csp.md b/windows/client-management/mdm/win32compatibilityappraiser-csp.md
index 2570e65b3d..be248b783d 100644
--- a/windows/client-management/mdm/win32compatibilityappraiser-csp.md
+++ b/windows/client-management/mdm/win32compatibilityappraiser-csp.md
@@ -1,6 +1,6 @@
 ---
-title: Win32CompatibilityAppraiser CSP
-description:
+title: Win32CompatibilityAppraiser CSP
+description: Learn how the Win32CompatibilityAppraiser configuration service provider enables the IT admin to query the current status of the Appraiser and UTC telementry health.
 ms.author: dansimp
 ms.topic: article
 ms.prod: w10
diff --git a/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md b/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md
index 2508fa2863..c68424cd04 100644
--- a/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md
+++ b/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md
@@ -1,6 +1,6 @@
 ---
 title: WindowsAdvancedThreatProtection CSP
-description: WindowsAdvancedThreatProtection CSP
+description: The Windows Defender Advanced Threat Protection (WDATP) CSP allows IT Admins to onboard, determine configuration and health status, and offboard endpoints for WDATP.
 ms.assetid: 6C3054CA-9890-4C08-9DB6-FBEEB74699A8
 ms.reviewer:
 manager: dansimp
diff --git a/windows/client-management/mdm/windowsadvancedthreatprotection-ddf.md b/windows/client-management/mdm/windowsadvancedthreatprotection-ddf.md
index 583ea67e75..5877c32e22 100644
--- a/windows/client-management/mdm/windowsadvancedthreatprotection-ddf.md
+++ b/windows/client-management/mdm/windowsadvancedthreatprotection-ddf.md
@@ -1,6 +1,6 @@
 ---
 title: WindowsAdvancedThreatProtection DDF file
-description: WindowsAdvancedThreatProtection DDF file
+description: Learn how the OMA DM device description framework (DDF) for the WindowsAdvancedThreatProtection configuration service provider (CSP).
 ms.assetid: 0C62A790-4351-48AF-89FD-7D46C42D13E0
 ms.reviewer:
 manager: dansimp
diff --git a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
index 63373c2a34..59f3f7c19e 100644
--- a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md +++ b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md @@ -30,9 +30,11 @@ Turn on Microsoft Defender Application Guard in Enterprise Mode. Value type is integer. Supported operations are Add, Get, Replace, and Delete. -The following list shows the supported values: -- 0 - Stops Application Guard in Enterprise Mode. Trying to access non-enterprise domains on the host will not automatically get transferred into the insolated environment. -- 1 - Enables Application Guard in Enterprise Mode. Trying to access non-enterprise websites on the host will automatically get transferred into the container. +The following list shows the supported values: +- 0 - Disable Microsoft Defender Application Guard +- 1 - Enable Microsoft Defender Application Guard for Microsoft Edge ONLY +- 2 - Enable Microsoft Defender Application Guard for isolated Windows environments ONLY +- 3 - Enable Microsoft Defender Application Guard for Microsoft Edge AND isolated Windows environments **Settings/ClipboardFileType** Determines the type of content that can be copied from the host to Application Guard environment and vice versa. @@ -297,4 +299,4 @@ ADMX Info: - GP name: *AuditApplicationGuard* - GP path: *Windows Components/Microsoft Defender Application Guard* - GP ADMX file name: *AppHVSI.admx* - \ No newline at end of file + diff --git a/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md b/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md index e519d6dcd8..847d9d69c8 100644 --- a/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md +++ b/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md 
@@ -1,6 +1,6 @@
 ---
 title: WindowsDefenderApplicationGuard DDF file
-description: See the OMA DM device description framework (DDF) for the WindowsDefenderApplicationGuard DDF file configuration service provider.
+description: learn about the OMA DM device description framework (DDF) for the WindowsDefenderApplicationGuard DDF file configuration service provider (CSP).
 ms.author: dansimp
 ms.topic: article
 ms.prod: w10
diff --git a/windows/client-management/mdm/windowslicensing-csp.md b/windows/client-management/mdm/windowslicensing-csp.md
index 58a5040b72..b46f76e935 100644
--- a/windows/client-management/mdm/windowslicensing-csp.md
+++ b/windows/client-management/mdm/windowslicensing-csp.md
@@ -1,6 +1,6 @@
 ---
 title: WindowsLicensing CSP
-description: WindowsLicensing CSP
+description: Learn how the WindowsLicensing configuration service provider (CSP) is designed for licensing related management scenarios.
 ms.assetid: E6BC6B0D-1F16-48A5-9AC4-76D69A7EDDA6
 ms.reviewer:
 manager: dansimp
diff --git a/windows/client-management/mdm/windowslicensing-ddf-file.md b/windows/client-management/mdm/windowslicensing-ddf-file.md
index c5037971d9..7b8cb3437e 100644
--- a/windows/client-management/mdm/windowslicensing-ddf-file.md
+++ b/windows/client-management/mdm/windowslicensing-ddf-file.md
@@ -1,6 +1,6 @@
 ---
 title: WindowsLicensing DDF file
-description: WindowsLicensing DDF file
+description: Learn about the OMA DM device description framework (DDF) for the WindowsLicensing configuration service provider (CSP).
 ms.assetid: 2A24C922-A167-4CEE-8F74-08E7453800D2
 ms.reviewer:
 manager: dansimp
diff --git a/windows/client-management/new-policies-for-windows-10.md b/windows/client-management/new-policies-for-windows-10.md
index 3462504a92..239c1f1379 100644
--- a/windows/client-management/new-policies-for-windows-10.md
+++ b/windows/client-management/new-policies-for-windows-10.md
@@ -1,11 +1,11 @@ --- title: New policies for Windows 10 (Windows 10) -description: Windows 10 includes the following new policies for management. +description: Learn how Windows 10 includes new policies for management, like Group Policy settings for the Windows system and components. ms.assetid: 1F24ABD8-A57A-45EA-BA54-2DA2238C573D ms.reviewer: manager: dansimp ms.author: dansimp -keywords: ["MDM", "Group Policy"] +keywords: ["MDM", "Group Policy", "GP"] ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library @@ -21,9 +21,12 @@ ms.topic: reference **Applies to** - Windows 10 -- Windows 10 Mobile -Windows 10 includes the following new policies for management. [Download the complete set of Administrative Template (.admx) files for Windows 10](https://www.microsoft.com/download/100591). +As of September 2020 This page will no longer be updated. To find the Group Polices that ship in each version of Windows, refer to the Group Policy Settings Reference Spreadsheet. You can always locate the most recent version of the Spreadsheet by searching the Internet for "Windows Version + Group Policy Settings Reference". + +For example, searching for "Windows 2004" + "Group Policy Settings Reference Spreadsheet" in a web browser will return to you the link to download the Group Policy Settings Reference Spreadsheet for Windows 2004. + +The latest [group policy reference for Windows 10 version 2004 is available here](https://www.microsoft.com/download/101451). ## New Group Policy settings in Windows 10, version 1903 diff --git a/windows/client-management/system-failure-recovery-options.md b/windows/client-management/system-failure-recovery-options.md index d0806c95e1..4f7a2555e1 100644 --- a/windows/client-management/system-failure-recovery-options.md +++ b/windows/client-management/system-failure-recovery-options.md 
@@ -1,6 +1,6 @@
 ---
 title: Configure system failure and recovery options in Windows
-description: Learn about the system failure and recovery options in Windows.
+description: Learn how to configure the actions that Windows takes when a system error occurs and what the recovery options are.
 ms.prod: w10
 ms.sitesec: library
 ms.topic: troubleshooting
diff --git a/windows/client-management/troubleshoot-inaccessible-boot-device.md b/windows/client-management/troubleshoot-inaccessible-boot-device.md
index 667776a7f8..0bdc744338 100644
--- a/windows/client-management/troubleshoot-inaccessible-boot-device.md
+++ b/windows/client-management/troubleshoot-inaccessible-boot-device.md
@@ -1,6 +1,6 @@
 ---
 title: Advanced advice for Stop error 7B, Inaccessible_Boot_Device
-description: Learn how to troubleshoot Stop error 7B or Inaccessible_Boot_Device
+description: Learn how to troubleshoot Stop error 7B or Inaccessible_Boot_Device. This error may occur after some changes are made to the computer,
 ms.prod: w10
 ms.mktglfcycl:
 ms.sitesec: library
diff --git a/windows/client-management/troubleshoot-networking.md b/windows/client-management/troubleshoot-networking.md
index 57398a2764..7ff85215fe 100644
--- a/windows/client-management/troubleshoot-networking.md
+++ b/windows/client-management/troubleshoot-networking.md
@@ -2,7 +2,7 @@
 title: Advanced troubleshooting for Windows networking
 ms.reviewer:
 manager: dansimp
-description: Learn how to troubleshoot networking
+description: Learn about the topics that are available to help you troubleshoot common problems related to Windows networking.
 ms.prod: w10
 ms.sitesec: library
 ms.topic: troubleshooting
diff --git a/windows/client-management/troubleshoot-stop-errors.md b/windows/client-management/troubleshoot-stop-errors.md
index 3fe73d34ec..7eabdf0411 100644
--- a/windows/client-management/troubleshoot-stop-errors.md
+++ b/windows/client-management/troubleshoot-stop-errors.md
@@ -2,7 +2,7 @@
 title: Advanced troubleshooting for Stop error or blue screen error issue
 ms.reviewer:
 manager: dansimp
-description: Learn how to troubleshoot Stop error or blue screen issues.
+description: Learn advanced options for troubleshooting Stop errors, also known as blue screen errors or bug check errors.
 ms.prod: w10
 ms.mktglfcycl:
 ms.sitesec: library
diff --git a/windows/client-management/troubleshoot-tcpip-connectivity.md b/windows/client-management/troubleshoot-tcpip-connectivity.md
index fe6e32ce59..0d4f00510a 100644
--- a/windows/client-management/troubleshoot-tcpip-connectivity.md
+++ b/windows/client-management/troubleshoot-tcpip-connectivity.md
@@ -1,6 +1,6 @@
 ---
 title: Troubleshoot TCP/IP connectivity
-description: Learn how to troubleshoot TCP/IP connectivity.
+description: Learn how to troubleshoot TCP/IP connectivity and what you should do if you come across TCP reset in a network capture.
 ms.prod: w10
 ms.sitesec: library
 ms.topic: troubleshooting
diff --git a/windows/client-management/troubleshoot-tcpip-netmon.md b/windows/client-management/troubleshoot-tcpip-netmon.md
index 739c11d55d..f708897928 100644
--- a/windows/client-management/troubleshoot-tcpip-netmon.md
+++ b/windows/client-management/troubleshoot-tcpip-netmon.md
@@ -16,6 +16,9 @@ manager: dansimp In this topic, you will learn how to use Microsoft Network Monitor 3.4, which is a tool for capturing network traffic. +> [Note] +> Network Monitor is the archived protocol analyzer and is no longer under development. **Microsoft Message Analyzer** is the replacement for Network Monitor. For more details, see [Microsoft Message Analyzer Operating Guide](https://docs.microsoft.com/message-analyzer/microsoft-message-analyzer-operating-guide). + To get started, [download and run NM34_x64.exe](https://www.microsoft.com/download/details.aspx?id=4865). When you install Network Monitor, it installs its driver and hooks it to all the network adapters installed on the device. You can see the same on the adapter properties, as shown in the following image. ![Adapters](images/nm-adapters.png) diff --git a/windows/client-management/troubleshoot-tcpip-port-exhaust.md b/windows/client-management/troubleshoot-tcpip-port-exhaust.md index a33d808d2f..40c0ff98c2 100644 --- a/windows/client-management/troubleshoot-tcpip-port-exhaust.md +++ b/windows/client-management/troubleshoot-tcpip-port-exhaust.md @@ -1,6 +1,6 @@ --- title: Troubleshoot port exhaustion issues -description: Learn how to troubleshoot port exhaustion issues. +description: Learn how to troubleshoot port exhaustion issues. Port exhaustion occurs when all the ports on a machine are used. ms.prod: w10 ms.sitesec: library ms.topic: troubleshooting diff --git a/windows/client-management/troubleshoot-tcpip-rpc-errors.md b/windows/client-management/troubleshoot-tcpip-rpc-errors.md index 7fd5ff086f..37b4dfa002 100644 --- a/windows/client-management/troubleshoot-tcpip-rpc-errors.md +++ b/windows/client-management/troubleshoot-tcpip-rpc-errors.md 
@@ -1,6 +1,6 @@
 ---
 title: Troubleshoot Remote Procedure Call (RPC) errors
-description: Learn how to troubleshoot Remote Procedure Call (RPC) errors
+description: Learn how to troubleshoot Remote Procedure Call (RPC) errors when connecting to Windows Management Instrumentation (WMI), SQL Server, or during a remote connection.
 ms.prod: w10
 ms.sitesec: library
 ms.topic: troubleshooting
diff --git a/windows/client-management/troubleshoot-tcpip.md b/windows/client-management/troubleshoot-tcpip.md
index 378c042899..48a95cd4e0 100644
--- a/windows/client-management/troubleshoot-tcpip.md
+++ b/windows/client-management/troubleshoot-tcpip.md
@@ -1,6 +1,6 @@
 ---
 title: Advanced troubleshooting for TCP/IP issues
-description: Learn how to troubleshoot common problems in a TCP/IP network environment.
+description: Learn how to troubleshoot common problems in a TCP/IP network environment, for example by collecting data using Network monitor.
 ms.prod: w10
 ms.sitesec: library
 ms.topic: troubleshooting
diff --git a/windows/client-management/troubleshoot-windows-freeze.md b/windows/client-management/troubleshoot-windows-freeze.md
index 3a584ddb8f..b50e43abae 100644
--- a/windows/client-management/troubleshoot-windows-freeze.md
+++ b/windows/client-management/troubleshoot-windows-freeze.md
@@ -2,7 +2,7 @@
 title: Advanced troubleshooting for Windows-based computer freeze issues
 ms.reviewer:
 manager: dansimp
-description: Learn how to troubleshoot computer freeze issues on Windows-based computers and servers.
+description: Learn how to troubleshoot computer freeze issues on Windows-based computers and servers. Also, you can learn how to diagnose, identify, and fix these issues.
 ms.prod: w10
 ms.mktglfcycl:
 ms.sitesec: library
diff --git a/windows/client-management/troubleshoot-windows-startup.md b/windows/client-management/troubleshoot-windows-startup.md
index 0e39db4b3f..bd9f09bfd0 100644
--- a/windows/client-management/troubleshoot-windows-startup.md
+++ b/windows/client-management/troubleshoot-windows-startup.md @@ -1,6 +1,6 @@ --- title: Advanced troubleshooting for Windows start-up issues -description: Learn how to troubleshoot Windows start-up issues. +description: Learn advanced options for how to troubleshoot common Windows start-up issues, like system crashes and freezes. ms.prod: w10 ms.sitesec: library ms.topic: troubleshooting diff --git a/windows/client-management/windows-10-support-solutions.md b/windows/client-management/windows-10-support-solutions.md index 8c30018235..9274477150 100644 --- a/windows/client-management/windows-10-support-solutions.md +++ b/windows/client-management/windows-10-support-solutions.md @@ -1,6 +1,6 @@ --- title: Troubleshooting Windows 10 -description: Get links to troubleshooting articles for Windows 10 issues +description: Learn where to find information about troubleshooting Windows 10 issues, for example Bitlocker issues and bugcheck errors. ms.reviewer: kaushika manager: dansimp ms.prod: w10 @@ -131,4 +131,4 @@ This section contains advanced troubleshooting topics and links to help you reso ## Other Resources -### [Troubleshooting Windows Server components](https://docs.microsoft.com/windows-server/troubleshoot/windows-server-support-solutions) +- [Troubleshooting Windows Server components](https://docs.microsoft.com/windows-server/troubleshoot/windows-server-troubleshooting) diff --git a/windows/configuration/change-history-for-configure-windows-10.md b/windows/configuration/change-history-for-configure-windows-10.md index 700b2a16cc..875beb0290 100644 --- a/windows/configuration/change-history-for-configure-windows-10.md +++ b/windows/configuration/change-history-for-configure-windows-10.md 
@@ -2,7 +2,7 @@
 title: Change history for Configure Windows 10 (Windows 10)
 ms.reviewer:
 manager: dansimp
-description: View changes to documentation for configuring Windows 10.
+description: Learn about new and updated topics in the Configure Windows 10 documentation for Windows 10 and Windows 10 Mobile.
 keywords:
 ms.prod: w10
 ms.mktglfcycl: manage
diff --git a/windows/configuration/changes-to-start-policies-in-windows-10.md b/windows/configuration/changes-to-start-policies-in-windows-10.md
index 0a333370c9..fe5186f6cf 100644
--- a/windows/configuration/changes-to-start-policies-in-windows-10.md
+++ b/windows/configuration/changes-to-start-policies-in-windows-10.md
@@ -1,6 +1,6 @@
 ---
 title: Changes to Group Policy settings for Windows 10 Start menu (Windows 10)
-description: Windows 10 has a brand new Start experience.
+description: Learn about changes to Group Policy settings for the Windows 10 Start menu. Also, learn about the new Windows 10 Start experience.
 ms.assetid: 612FB68A-3832-451F-AA97-E73791FEAA9F
 ms.reviewer:
 manager: dansimp
diff --git a/windows/configuration/configure-windows-10-taskbar.md b/windows/configuration/configure-windows-10-taskbar.md
index 037e389943..1e6ec5db4b 100644
--- a/windows/configuration/configure-windows-10-taskbar.md
+++ b/windows/configuration/configure-windows-10-taskbar.md
@@ -1,6 +1,6 @@
 ---
 title: Configure Windows 10 taskbar (Windows 10)
-description: Admins can pin apps to users' taskbars.
+description: Administrators can pin additional apps to the taskbar and remove default pinned apps from the taskbar by adding a section to a layout modification XML file.
 keywords: ["taskbar layout","pin apps"]
 ms.prod: w10
 ms.mktglfcycl: manage
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-feedback.md b/windows/configuration/cortana-at-work/cortana-at-work-feedback.md
index 9b2fcfb9c3..d89ff3d90b 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-feedback.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-feedback.md @@ -1,6 +1,6 @@ --- title: Send feedback about Cortana at work back to Microsoft -description: How to send feedback to Microsoft about Cortana at work. +description: Learn how to send feedback to Microsoft about Cortana at work so you can provide more information to help diagnose reported issues.. ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library diff --git a/windows/configuration/cortana-at-work/cortana-at-work-overview.md b/windows/configuration/cortana-at-work/cortana-at-work-overview.md index 5158bc4ada..5d8a6999f8 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-overview.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-overview.md @@ -32,11 +32,11 @@ Cortana requires a PC running Windows 10, version 1703 or later, as well as the >[!NOTE] >A microphone isn't required to use Cortana. -|**Software** |**Minimum version** | +| Software | Minimum version | |---------|---------| |Client operating system | Desktop:
      - Windows 10, version 2004 (recommended)

      - Windows 10, version 1703 (legacy version of Cortana)

      Mobile: Windows 10 mobile, version 1703 (legacy version of Cortana)

      For more information on the differences between Cortana in Windows 10, version 2004 and earlier versions, see [**How is my data processed by Cortana**](https://docs.microsoft.com/windows/configuration/cortana-at-work/cortana-at-work-overview#how-is-my-data-processed-by-cortana) below. | -|Azure Active Directory (Azure AD) | While all employees signing into Cortana need an Azure AD account, an Azure AD premium tenant isn’t required. | -|Additional policies (Group Policy and Mobile Device Management (MDM)) |There is a rich set of policies that can be used to manage various aspects of Cortana. Most of these policies will limit the abilities of Cortana but won't turn Cortana off. For example, if you turn **Speech** off, your employees won't be able to use the wake word (“Cortana”) for hands-free activation or voice commands to easily ask for help. | +|Azure Active Directory (Azure AD) | While all employees signing into Cortana need an Azure AD account, an Azure AD premium tenant isn't required. | +|Additional policies (Group Policy and Mobile Device Management (MDM)) |There is a rich set of policies that can be used to manage various aspects of Cortana. Most of these policies will limit the abilities of Cortana but won't turn Cortana off. For example, if you turn **Speech** off, your employees won't be able to use the wake word ("Cortana") for hands-free activation or voice commands to easily ask for help. | ## Signing in using Azure AD 
@@ -55,7 +55,7 @@ Cortana enterprise services that can be accessed using Azure AD through Cortana The table below describes the data handling for Cortana enterprise services. -|**Name** |**Description** | +| Name | Description | |---------|---------| |**Storage** |Customer Data is stored on Microsoft servers inside the Office 365 cloud. Your data is part of your tenant. Speech audio is not retained. | |**Stays in Geo** |Customer Data is stored on Microsoft servers inside the Office 365 cloud in Geo. Your data is part of your tenant. | @@ -66,7 +66,7 @@ The table below describes the data handling for Cortana enterprise services. #### How does the wake word (Cortana) work? If I enable it, is Cortana always listening? >[!NOTE] ->The wake word has been temporarily disabled in the latest version of Cortana in Windows but will be restored soon. You can still click on the microphone button to use your voice with Cortana. +>The wake word has been re-enabled in the latest version of Cortana in Windows. If you're on Windows 10, version 2004, be sure that you've updated to build 19041.329 or later to use the wake word with Cortana. For earlier builds, you can still click on the microphone button to use your voice with Cortana. Cortana only begins listening for commands or queries when the wake word is detected, or the microphone button has been selected. diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md index de5e546244..e2dfea47f8 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md @@ -1,5 +1,5 @@ --- -title: Sign-in to Azure AD and manage notebook with Cortana (Windows 10) +title: Sign into Azure AD, enable the wake word, and try a voice query description: A test scenario walking you through signing in and managing the notebook. ms.prod: w10 ms.mktglfcycl: manage 
@@ -7,7 +7,6 @@ ms.sitesec: library author: dansimp ms.localizationpriority: medium ms.author: dansimp -ms.date: 10/05/2017 ms.reviewer: manager: dansimp --- @@ -15,7 +14,7 @@ manager: dansimp # Test scenario 1 – Sign into Azure AD, enable the wake word, and try a voice query >[!NOTE] ->The wake word has been temporarily disabled in the latest version of Cortana in Windows but will be restored soon. +>The wake word has been re-enabled in the latest version of Cortana in Windows. If you're on Windows 10, version 2004, be sure that you've updated to build 19041.329 or later to use the wake word with Cortana. For earlier builds, you can still click on the microphone button to use your voice with Cortana. 1. Select the **Cortana** icon in the task bar and sign in using your Azure AD account. @@ -23,13 +22,13 @@ manager: dansimp 3. Toggle **Wake word** to **On** and close Cortana. -4. Say **Cortana, what can you do?**. +4. Say **Cortana, what can you do?** -When you say **Cortana**, Cortana will open in listening mode to acknowledge the wake word. + When you say **Cortana**, Cortana will open in listening mode to acknowledge the wake word. -:::image type="content" source="../screenshot4.png" alt-text="Screenshot: Cortana listening mode"::: + :::image type="content" source="../screenshot4.png" alt-text="Screenshot: Cortana listening mode"::: -Once you finish saying your query, Cortana will open with the result. + Once you finish saying your query, Cortana will open with the result. >[!NOTE] ->If you've disabled the wake word using MDM or Group Policy, you will need to manually activate the microphone by selecting Cortana, then the mic button. \ No newline at end of file +>If you've disabled the wake word using MDM or Group Policy, you will need to manually activate the microphone by selecting Cortana, then the mic button. diff --git a/windows/configuration/kiosk-methods.md b/windows/configuration/kiosk-methods.md index c319385e70..0ff39ff4c9 100644 
--- a/windows/configuration/kiosk-methods.md
+++ b/windows/configuration/kiosk-methods.md
@@ -3,7 +3,7 @@ title: Configure kiosks and digital signs on Windows desktop editions (Windows 1
 ms.reviewer:
 manager: dansimp
 ms.author: dansimp
-description: Learn about the methods for configuring kiosks.
+description: In this article, learn about the methods for configuring kiosks and digital signs on Windows desktop editions.
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
diff --git a/windows/configuration/kiosk-prepare.md b/windows/configuration/kiosk-prepare.md
index f4825a951e..f7be8e35d2 100644
--- a/windows/configuration/kiosk-prepare.md
+++ b/windows/configuration/kiosk-prepare.md
@@ -1,6 +1,6 @@
 ---
 title: Prepare a device for kiosk configuration (Windows 10)
-description: Some tips for device settings on kiosks.
+description: Learn how to prepare a device for kiosk configuration. Also, learn about the recommended kiosk configuration changes.
 ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC
 ms.reviewer:
 manager: dansimp
diff --git a/windows/configuration/kiosk-troubleshoot.md b/windows/configuration/kiosk-troubleshoot.md
index 6a42e81700..479b7ca96e 100644
--- a/windows/configuration/kiosk-troubleshoot.md
+++ b/windows/configuration/kiosk-troubleshoot.md
@@ -1,6 +1,6 @@
 ---
 title: Troubleshoot kiosk mode issues (Windows 10)
-description: Tips for troubleshooting multi-app kiosk configuration.
+description: Learn how to troubleshoot single-app and multi-app kiosk configurations, as well as common problems like sign-in issues.
 ms.assetid: 14DDDC96-88C7-4181-8415-B371F25726C8
 ms.reviewer:
 manager: dansimp
diff --git a/windows/configuration/kiosk-validate.md b/windows/configuration/kiosk-validate.md
index 34b8124fa2..02e0fbc422 100644
--- a/windows/configuration/kiosk-validate.md
+++ b/windows/configuration/kiosk-validate.md
@@ -1,6 +1,6 @@
 ---
 title: Validate kiosk configuration (Windows 10)
-description: Learn what to expect on a multi-app kiosk in Windows 10 Pro, Enterprise, and Education.
+description: In this article, learn what to expect on a multi-app kiosk in Windows 10 Pro, Enterprise, and Education.
 ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC
 ms.reviewer:
 manager: dansimp
diff --git a/windows/configuration/provisioning-packages/provision-pcs-with-apps.md b/windows/configuration/provisioning-packages/provision-pcs-with-apps.md
index 3de98a5454..f82225a7fe 100644
--- a/windows/configuration/provisioning-packages/provision-pcs-with-apps.md
+++ b/windows/configuration/provisioning-packages/provision-pcs-with-apps.md
@@ -1,6 +1,6 @@
 ---
 title: Provision PCs with apps (Windows 10)
-description: Add apps to a Windows 10 provisioning package.
+description: Learn how to install multiple Universal Windows Platform (UWP) apps and Windows desktop applications (Win32) in a provisioning package.
 keywords: ["runtime provisioning", "provisioning package"]
 ms.prod: w10
 ms.mktglfcycl: deploy
diff --git a/windows/configuration/provisioning-packages/provisioning-create-package.md b/windows/configuration/provisioning-packages/provisioning-create-package.md
index 035bdf4010..5b464073a9 100644
--- a/windows/configuration/provisioning-packages/provisioning-create-package.md
+++ b/windows/configuration/provisioning-packages/provisioning-create-package.md
@@ -1,6 +1,6 @@
 ---
 title: Create a provisioning package (Windows 10)
-description: Learn how to create a provisioning package for Windows 10. Provisioning packages let you quickly configure a device without having to install a new image.
+description: Learn how to create a provisioning package for Windows 10, which lets you quickly configure a device without having to install a new image.
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
@@ -21,44 +21,46 @@ manager: dansimp - Windows 10 - Windows 10 Mobile -You use Windows Configuration Designer to create a provisioning package (.ppkg) that contains customization settings. You can apply the provisioning package to a device running Windows 10 or Windows 10 Mobile. +You can use Windows Configuration Designer to create a provisioning package (.ppkg) that contains customization settings, and then apply the provisioning package to a device running Windows 10 or Windows 10 Mobile. >[Learn how to install Windows Configuration Designer.](provisioning-install-icd.md) ->[!TIP] ->We recommend creating a local admin account when developing and testing your provisioning package. We also recommend using a “least privileged” domain user account to join devices to the Active Directory domain. +> [!TIP] +> We recommend creating a local admin account when you develop and test your provisioning package. We also recommend using a *least privileged* domain user account to join devices to the Active Directory domain. ## Start a new project 1. Open Windows Configuration Designer: - - From either the Start screen or Start menu search, type 'Windows Configuration Designer' and click on the Windows Configuration Designer shortcut, + - From either the Start screen or Start menu search, type **Windows Configuration Designer**, and then select the **Windows Configuration Designer** shortcut. or - - If you installed Windows Configuration Designer from the ADK, navigate to `C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86` (on an x64 computer) or `C:\Program Files\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe` (on an x86 computer), and then double-click **ICD.exe**. 
+ - If you installed Windows Configuration Designer from the ADK, navigate to `C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86` (on an x64 computer) or `C:\Program Files\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe` (on an x86 computer), and then select **ICD.exe**. 2. Select your desired option on the **Start** page, which offers multiple options for creating a provisioning package, as shown in the following image: ![Configuration Designer wizards](../images/icd-create-options-1703.png) - - The wizard options provide a simple interface for configuring common settings for desktop, mobile, and kiosk devices. Wizards are also available for creating provisioning packages for Microsoft Surface Hub and Microsoft HoloLens devices. For a summary of the settings available in the desktop, mobile, and kiosk devices, see [What you can configure using Configuration Designer wizardS](provisioning-packages.md#configuration-designer-wizards). + - The following wizard options provide a simple interface for configuring common settings for desktop, mobile, and kiosk devices: - [Instructions for the desktop wizard](provision-pcs-for-initial-deployment.md) - [Instructions for the mobile wizard](../mobile-devices/provisioning-configure-mobile.md) - [Instructions for the kiosk wizard](../kiosk-single-app.md#wizard) - [Instructions for HoloLens wizard](https://technet.microsoft.com/itpro/hololens/hololens-provisioning) - [Instructions for Surface Hub wizard](https://technet.microsoft.com/itpro/surface-hub/provisioning-packages-for-certificates-surface-hub) + + Wizards are also available for creating provisioning packages for Microsoft Surface Hub and Microsoft HoloLens devices. For a summary of the settings available in the desktop, mobile, and kiosk devices, see [What you can configure using Configuration Designer wizards](provisioning-packages.md#configuration-designer-wizards). 
- - The **Advanced provisioning** option opens a new project with all **Runtime settings** available. *The rest of this procedure uses advanced provisioning.* + - The **Advanced provisioning** option opens a new project with all the runtime settings available. (The rest of this procedure uses advanced provisioning.) >[!TIP] > You can start a project in the simple wizard editor and then switch the project to the advanced editor. > > ![Switch to advanced editor](../images/icd-switch.png) -3. Enter a name for your project, and then click **Next**. +3. Enter a name for your project, and then select **Next**. -4. Select the settings you want to configure, based on the type of device, and then click **Next**. The following table describes the options. +4. Select the settings you want to configure, based on the type of device, and then select **Next**. The following table describes the options. | Windows edition | Settings available for customization | Provisioning package can apply to | 
@@ -71,12 +73,12 @@ You use Windows Configuration Designer to create a provisioning package (.ppkg) | Common to Windows 10 Team edition | Common settings and settings specific to Windows 10 Team | [Microsoft Surface Hub](https://technet.microsoft.com/itpro/surface-hub/provisioning-packages-for-certificates-surface-hub) | -5. On the **Import a provisioning package (optional)** page, you can click **Finish** to create your project, or browse to and select an existing provisioning package to import to your project, and then click **Finish**. +5. On the **Import a provisioning package (optional)** page, you can select **Finish** to create your project, or browse to and select an existing provisioning package to import to your project, and then select **Finish**. >[!TIP] ->**Import a provisioning package** can make it easier to create different provisioning packages that all have certain settings in common. For example, you could create a provisioning package that contains the settings for your organization's network, and then import it into other packages you create so you don't have to reconfigure those common settings repeatedly. +>**Import a provisioning package** can make it easier to create different provisioning packages that all have certain settings in common. For example, you could create a provisioning package that contains the settings for your organization's network, and then import it into other packages that you create so you don't have to reconfigure those common settings repeatedly. -After you click **Finish**, Windows Configuration Designer will open the **Available customizations** pane and you can then configure settings for the package. +6. In the **Available customizations** pane, you can now configure settings for the package. @@ -94,7 +96,7 @@ The process for configuring settings is similar for all settings. The following - +
      step one
      Expand a category.
      Expand Certificates category
      step two
      Select a setting.
      Select ClientCertificates
      step three
      Enter a value for the setting. Click Add if the button is displayed.
      Enter a name for the certificate
      step three
      Enter a value for the setting. Select Add if the button is displayed.
      Enter a name for the certificate
      step four
      Some settings, such as this example, require additional information. In Available customizations, select the value you just created, and additional settings are displayed.
      Additional settings for client certificate
      step five
      When the setting is configured, it is displayed in the Selected customizations pane.
      Selected customizations pane
      
@@ -106,39 +108,39 @@ For details on each specific setting, see [Windows Provisioning settings referen ## Build package -1. After you're done configuring your customizations, click **Export** and select **Provisioning Package**. +1. After you're done configuring your customizations, select **Export**, and then select **Provisioning Package**. ![Export on top bar](../images/icd-export-menu.png) -2. In the **Describe the provisioning package** window, enter the following information, and then click **Next**: +2. In the **Describe the provisioning package** window, enter the following information, and then select **Next**: - **Name** - This field is pre-populated with the project name. You can change this value by entering a different name in the **Name** field. - - **Version (in Major.Minor format** - - Optional. You can change the default package version by specifying a new value in the **Version** field. + - **Version (in Major.Minor format** - Optional. You can change the default package version by specifying a new value in the **Version** field. - **Owner** - Select **IT Admin**. For more information, see [Precedence for provisioning packages](provisioning-how-it-works.md#precedence-for-provisioning-packages). - **Rank (between 0-99)** - Optional. You can select a value between 0 and 99, inclusive. The default package rank is 0. -3. In the **Select security details for the provisioning package** window, you can select to encrypt and/or sign a provisioning package with a selected certificate. Both selections are optional. Click **Next** after you make your selections. +3. In the **Select security details for the provisioning package** window, you can select to encrypt and/or sign a provisioning package with a selected certificate, and then select **Next**. Both selections are optional: - **Encrypt package** - If you select this option, an auto-generated password will be shown on the screen. 
- - **Sign package** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select** and choosing the certificate you want to use to sign the package. + - **Sign package** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by selecting **Select** and choosing the certificate you want to use to sign the package. >[!NOTE] - >You should only configure provisioning package security when the package is used for device provisioning and the package has contents with sensitive security data such as certificates or credentials that should be prevented from being compromised. When applying an encrypted and/or signed provisioning package, either during OOBE or through the setting UI, the package can be decrypted, and if signed, be trusted without explicit user consent. An IT administrator can set policy on a user device to restrict the removal of required packages from the device, or the provisioning of potentially harmful packages on the device. + >You should only configure provisioning package security when the package is used for device provisioning and when the package has content with sensitive security data, such as certificates or credentials that should be prevented from being compromised. When applying an encrypted and/or signed provisioning package, either during OOBE or through the setting UI, the package can be decrypted, and if signed, be trusted without explicit user consent. An IT administrator can set policy on a user device to restrict the removal of required packages from the device, or the provisioning of potentially harmful packages on the device. > >If a provisioning package is signed by a trusted provisioner, it can be installed on a device without a prompt for user consent. 
In order to enable trusted provider certificates, you must set the **TrustedProvisioners** setting prior to installing the trusted provisioning package. This is the only way to install a package without user consent. To provide additional security, you can also set **RequireProvisioningPackageSignature**, which prevents users from installing provisioning packages that are not signed by a trusted provisioner. -4. In the **Select where to save the provisioning package** window, specify the output location where you want the provisioning package to go once it's built, and then click **Next**. By default, Windows Configuration Designer uses the project folder as the output location. +4. In the **Select where to save the provisioning package** window, specify the output location where you want the provisioning package to go once it's built, and then select **Next**. By default, Windows Configuration Designer uses the project folder as the output location. -5. In the **Build the provisioning package** window, click **Build**. The provisioning package doesn't take long to build. The project information is displayed in the build page and the progress bar indicates the build status. +5. In the **Build the provisioning package** window, select **Build**. The provisioning package doesn't take long to build. The project information is displayed in the build page and the progress bar indicates the build status. - If you need to cancel the build, click Cancel. This cancels the current build process, closes the wizard, and takes you back to the Customizations Page. + If you need to cancel the build, select **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations** page. -6. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again. +6. 
If your build fails, an error message will appear that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again. If your build is successful, the name of the provisioning package, output directory, and project directory will be shown. - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build. + If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, select **Back** to change the output package name and path, and then select **Next** to start another build. -7. When you are done, click **Finish** to close the wizard and go back to the Customizations page. +7. When you are done, select **Finish** to close the wizard and go back to the **Customizations** page. **Next step**: [How to apply a provisioning package](provisioning-apply-package.md) diff --git a/windows/configuration/provisioning-packages/provisioning-install-icd.md b/windows/configuration/provisioning-packages/provisioning-install-icd.md index f1bf1aa323..6fc7d6234f 100644 --- a/windows/configuration/provisioning-packages/provisioning-install-icd.md +++ b/windows/configuration/provisioning-packages/provisioning-install-icd.md @@ -1,6 +1,6 @@ --- title: Install Windows Configuration Designer (Windows 10) -description: Learn how to install and run Windows Configuration Designer. +description: Learn how to install and use Windows Configuration Designer so you can easily configure devices running Windows 10. ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/configuration/start-layout-troubleshoot.md b/windows/configuration/start-layout-troubleshoot.md index beff0509a7..37c8bc44ec 100644 --- a/windows/configuration/start-layout-troubleshoot.md 
+++ b/windows/configuration/start-layout-troubleshoot.md
@@ -1,6 +1,6 @@
 ---
 title: Troubleshoot Start menu errors
-description: Troubleshoot common errors related to Start menu in Windows 10.
+description: Learn how to troubleshoot common Start menu errors in Windows 10. For example, learn to troubleshoot errors related to deployment, crashes, and performance.
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
diff --git a/windows/configuration/ue-v/uev-administering-uev-with-windows-powershell-and-wmi.md b/windows/configuration/ue-v/uev-administering-uev-with-windows-powershell-and-wmi.md
index e6a50b2114..110c062f57 100644
--- a/windows/configuration/ue-v/uev-administering-uev-with-windows-powershell-and-wmi.md
+++ b/windows/configuration/ue-v/uev-administering-uev-with-windows-powershell-and-wmi.md
@@ -1,6 +1,6 @@
 ---
 title: Administering UE-V with Windows PowerShell and WMI
-description: Administering UE-V with Windows PowerShell and WMI
+description: Learn how User Experience Virtualization (UE-V) provides Windows PowerShell cmdlets to help administrators perform various UE-V tasks.
 author: trudyha
 ms.pagetype: mdop, virtualization
 ms.mktglfcycl: deploy
diff --git a/windows/configuration/ue-v/uev-administering-uev.md b/windows/configuration/ue-v/uev-administering-uev.md
index 16154765ea..1b5004453a 100644
--- a/windows/configuration/ue-v/uev-administering-uev.md
+++ b/windows/configuration/ue-v/uev-administering-uev.md
@@ -1,6 +1,6 @@
 ---
 title: Administering UE-V
-description: Administering UE-V
+description: Learn how to perform administrative tasks for User Experience Virtualization (UE-V). These tasks include configuring the UE-V service and recovering lost settings.
 author: trudyha
 ms.pagetype: mdop, virtualization
 ms.mktglfcycl: deploy
diff --git a/windows/configuration/ue-v/uev-application-template-schema-reference.md b/windows/configuration/ue-v/uev-application-template-schema-reference.md
index f9fb4b255a..6ca0f295e0 100644
--- a/windows/configuration/ue-v/uev-application-template-schema-reference.md
+++ b/windows/configuration/ue-v/uev-application-template-schema-reference.md
@@ -1,6 +1,6 @@
 ---
 title: Application Template Schema Reference for UE-V
-description: Application Template Schema Reference for UE-V
+description: Learn details about the XML structure of the UE-V settings location templates and learn how to edit these files.
 author: trudyha
 ms.pagetype: mdop, virtualization
 ms.mktglfcycl: deploy
diff --git a/windows/configuration/ue-v/uev-changing-the-frequency-of-scheduled-tasks.md b/windows/configuration/ue-v/uev-changing-the-frequency-of-scheduled-tasks.md
index 63eb702d7d..508ec913ff 100644
--- a/windows/configuration/ue-v/uev-changing-the-frequency-of-scheduled-tasks.md
+++ b/windows/configuration/ue-v/uev-changing-the-frequency-of-scheduled-tasks.md
@@ -1,6 +1,6 @@
 ---
 title: Changing the Frequency of UE-V Scheduled Tasks
-description: Changing the Frequency of UE-V Scheduled Tasks
+description: Learn how to create a script that uses the Schtasks.exe command-line options so you can change the frequency of UE-V scheduled tasks.
 author: trudyha
 ms.pagetype: mdop, virtualization
 ms.mktglfcycl: deploy
diff --git a/windows/configuration/ue-v/uev-configuring-uev-with-group-policy-objects.md b/windows/configuration/ue-v/uev-configuring-uev-with-group-policy-objects.md
index fbaeb69dbf..169e31075f 100644
--- a/windows/configuration/ue-v/uev-configuring-uev-with-group-policy-objects.md
+++ b/windows/configuration/ue-v/uev-configuring-uev-with-group-policy-objects.md
@@ -1,6 +1,6 @@
 ---
 title: Configuring UE-V with Group Policy Objects
-description: Configuring UE-V with Group Policy Objects
+description: In this article, learn how to configure User Experience Virtualization (UE-V) with Group Policy objects.
 author: trudyha
 ms.pagetype: mdop, virtualization
 ms.mktglfcycl: deploy
diff --git a/windows/configuration/ue-v/uev-configuring-uev-with-system-center-configuration-manager.md b/windows/configuration/ue-v/uev-configuring-uev-with-system-center-configuration-manager.md
index f7f8d70fcd..f4ea6d2a5f 100644
--- a/windows/configuration/ue-v/uev-configuring-uev-with-system-center-configuration-manager.md
+++ b/windows/configuration/ue-v/uev-configuring-uev-with-system-center-configuration-manager.md
@@ -1,6 +1,6 @@
 ---
 title: Configuring UE-V with Microsoft Endpoint Configuration Manager
-description: Configuring UE-V with Microsoft Endpoint Configuration Manager
+description: Learn how to configure User Experience Virtualization (UE-V) with Microsoft Endpoint Configuration Manager.
 author: dansimp
 ms.pagetype: mdop, virtualization
 ms.mktglfcycl: deploy
diff --git a/windows/configuration/ue-v/uev-deploy-required-features.md b/windows/configuration/ue-v/uev-deploy-required-features.md
index b8b4cb2155..04cf9543e9 100644
--- a/windows/configuration/ue-v/uev-deploy-required-features.md
+++ b/windows/configuration/ue-v/uev-deploy-required-features.md
@@ -1,6 +1,6 @@
 ---
 title: Deploy required UE-V features
-description: Deploy required UE-V features
+description: Learn how to install and configure User Experience Virtualization (UE-V) features, for example a network share that stores and retrieves user settings.
 author: dansimp
 ms.pagetype: mdop, virtualization
 ms.mktglfcycl: deploy
diff --git a/windows/configuration/ue-v/uev-deploy-uev-for-custom-applications.md b/windows/configuration/ue-v/uev-deploy-uev-for-custom-applications.md
index 918e018c48..8e69dc7cf3 100644
--- a/windows/configuration/ue-v/uev-deploy-uev-for-custom-applications.md
+++ b/windows/configuration/ue-v/uev-deploy-uev-for-custom-applications.md
@@ -1,6 +1,6 @@
 ---
 title: Use UE-V with custom applications
-description: Use UE-V with custom applications
+description: Use User Experience Virtualization (UE-V) to create your own custom settings location templates with the UE-V template generator.
 author: dansimp
 ms.pagetype: mdop, virtualization
 ms.mktglfcycl: deploy
diff --git a/windows/configuration/ue-v/uev-getting-started.md b/windows/configuration/ue-v/uev-getting-started.md
index d67437503a..28a035aedc 100644
--- a/windows/configuration/ue-v/uev-getting-started.md
+++ b/windows/configuration/ue-v/uev-getting-started.md
@@ -1,6 +1,6 @@
 ---
 title: Get Started with UE-V
-description: Get Started with UE-V
+description: Use the steps in this article to deploy User Experience Virtualization (UE-V) for the first time in a test environment.
 author: dansimp
 ms.pagetype: mdop, virtualization
 ms.mktglfcycl: deploy
diff --git a/windows/configuration/ue-v/uev-manage-administrative-backup-and-restore.md b/windows/configuration/ue-v/uev-manage-administrative-backup-and-restore.md
index 9b68ba56df..375f826703 100644
--- a/windows/configuration/ue-v/uev-manage-administrative-backup-and-restore.md
+++ b/windows/configuration/ue-v/uev-manage-administrative-backup-and-restore.md
@@ -1,6 +1,6 @@
 ---
 title: Manage Administrative Backup and Restore in UE-V
-description: Manage Administrative Backup and Restore in UE-V
+description: Learn how an administrator of User Experience Virtualization (UE-V) can back up and restore application and Windows settings to their original state.
 author: dansimp
 ms.pagetype: mdop, virtualization
 ms.mktglfcycl: deploy
diff --git a/windows/configuration/ue-v/uev-manage-configurations.md b/windows/configuration/ue-v/uev-manage-configurations.md
index 71d5841793..7189998439 100644
--- a/windows/configuration/ue-v/uev-manage-configurations.md
+++ b/windows/configuration/ue-v/uev-manage-configurations.md
@@ -1,6 +1,6 @@
 ---
 title: Manage Configurations for UE-V
-description: Manage Configurations for UE-V
+description: Learn to manage the configuration of the User Experience Virtualization (UE-V) service and also learn to manage storage locations for UE-V resources.
 author: dansimp
 ms.pagetype: mdop, virtualization
 ms.mktglfcycl: deploy
diff --git a/windows/configuration/ue-v/uev-migrating-settings-packages.md b/windows/configuration/ue-v/uev-migrating-settings-packages.md
index 4ed5adc8a9..f9658f41a1 100644
--- a/windows/configuration/ue-v/uev-migrating-settings-packages.md
+++ b/windows/configuration/ue-v/uev-migrating-settings-packages.md
@@ -1,6 +1,6 @@
 ---
 title: Migrating UE-V settings packages
-description: Migrating UE-V settings packages
+description: Learn to relocate User Experience Virtualization (UE-V) user settings packages either when you migrate to a new server or when you perform backups.
 author: dansimp
 ms.pagetype: mdop, virtualization
 ms.mktglfcycl: deploy
diff --git a/windows/configuration/ue-v/uev-prepare-for-deployment.md b/windows/configuration/ue-v/uev-prepare-for-deployment.md
index c56e5b4661..e10d20444a 100644
--- a/windows/configuration/ue-v/uev-prepare-for-deployment.md
+++ b/windows/configuration/ue-v/uev-prepare-for-deployment.md
@@ -1,6 +1,6 @@
 ---
 title: Prepare a UE-V Deployment
-description: Prepare a UE-V Deployment
+description: Learn about the types of User Experience Virtualization (UE-V) deployment you can execute and what preparations you can make beforehand to be successful.
 author: dansimp
 ms.pagetype: mdop, virtualization
 ms.mktglfcycl: deploy
diff --git a/windows/configuration/ue-v/uev-release-notes-1607.md b/windows/configuration/ue-v/uev-release-notes-1607.md
index d61075e1bd..663afd38eb 100644
--- a/windows/configuration/ue-v/uev-release-notes-1607.md
+++ b/windows/configuration/ue-v/uev-release-notes-1607.md
@@ -1,6 +1,6 @@
 ---
 title: User Experience Virtualization (UE-V) Release Notes
-description: Read the latest information required to successfully install and use UE-V that is not included in the User Experience Virtualization (UE-V) documentation.
+description: Read the latest information required to successfully install and use User Experience Virtualization (UE-V) that is not included in the UE-V documentation.
 author: dansimp
 ms.pagetype: mdop, virtualization
 ms.mktglfcycl: deploy
diff --git a/windows/configuration/ue-v/uev-security-considerations.md b/windows/configuration/ue-v/uev-security-considerations.md
index a036b1fb3a..c45565ed5f 100644
--- a/windows/configuration/ue-v/uev-security-considerations.md
+++ b/windows/configuration/ue-v/uev-security-considerations.md
@@ -1,6 +1,6 @@
 ---
 title: Security Considerations for UE-V
-description: Security Considerations for UE-V
+description: Learn about accounts and groups, log files, and other security-related considerations for User Experience Virtualization (UE-V).
 author: dansimp
 ms.pagetype: mdop, virtualization
 ms.mktglfcycl: deploy
diff --git a/windows/configuration/ue-v/uev-sync-methods.md b/windows/configuration/ue-v/uev-sync-methods.md
index ebe670eed2..02d1e1d9af 100644
--- a/windows/configuration/ue-v/uev-sync-methods.md
+++ b/windows/configuration/ue-v/uev-sync-methods.md
@@ -1,6 +1,6 @@
 ---
 title: Sync Methods for UE-V
-description: Sync Methods for UE-V
+description: Learn how User Experience Virtualization (UE-V) service sync methods let you synchronize users’ application and Windows settings with the settings storage location.
 author: dansimp
 ms.pagetype: mdop, virtualization
 ms.mktglfcycl: deploy
diff --git a/windows/configuration/ue-v/uev-sync-trigger-events.md b/windows/configuration/ue-v/uev-sync-trigger-events.md
index 3dc4b9727d..0db2a582f4 100644
--- a/windows/configuration/ue-v/uev-sync-trigger-events.md
+++ b/windows/configuration/ue-v/uev-sync-trigger-events.md
@@ -1,6 +1,6 @@
 ---
 title: Sync Trigger Events for UE-V
-description: Sync Trigger Events for UE-V
+description: Learn how User Experience Virtualization (UE-V) lets you synchronize your application and Windows settings across all your domain-joined devices.
 author: dansimp
 ms.pagetype: mdop, virtualization
 ms.mktglfcycl: deploy
diff --git a/windows/configuration/ue-v/uev-synchronizing-microsoft-office-with-uev.md b/windows/configuration/ue-v/uev-synchronizing-microsoft-office-with-uev.md
index 3bf783b488..32ed4968bb 100644
--- a/windows/configuration/ue-v/uev-synchronizing-microsoft-office-with-uev.md
+++ b/windows/configuration/ue-v/uev-synchronizing-microsoft-office-with-uev.md
@@ -1,6 +1,6 @@
 ---
 title: Synchronizing Microsoft Office with UE-V
-description: Synchronizing Office with UE-V
+description: Learn how User Experience Virtualization (UE-V) supports the synchronization of Microsoft Office application settings.
 author: dansimp
 ms.pagetype: mdop, virtualization
 ms.mktglfcycl: deploy
diff --git a/windows/configuration/ue-v/uev-technical-reference.md b/windows/configuration/ue-v/uev-technical-reference.md
index 5edddf9109..8f0feaabbc 100644
--- a/windows/configuration/ue-v/uev-technical-reference.md
+++ b/windows/configuration/ue-v/uev-technical-reference.md
@@ -1,6 +1,6 @@
 ---
 title: Technical Reference for UE-V
-description: Technical Reference for UE-V
+description: Use this technical reference to learn about the various features of User Experience Virtualization (UE-V).
 author: dansimp
 ms.pagetype: mdop, virtualization
 ms.mktglfcycl: deploy
diff --git a/windows/configuration/ue-v/uev-troubleshooting.md b/windows/configuration/ue-v/uev-troubleshooting.md
index 9683bd771d..7e51868298 100644
--- a/windows/configuration/ue-v/uev-troubleshooting.md
+++ b/windows/configuration/ue-v/uev-troubleshooting.md
@@ -1,6 +1,6 @@ --- title: Troubleshooting UE-V -description: Find resources for troubleshooting UE-V for Windows 10. +description: Use this technical reference to find resources for troubleshooting User Experience Virtualization (UE-V) for Windows 10. author: dansimp ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy diff --git a/windows/configuration/ue-v/uev-whats-new-in-uev-for-windows.md b/windows/configuration/ue-v/uev-whats-new-in-uev-for-windows.md index c17b9cedb8..09d5d2ace3 100644 --- a/windows/configuration/ue-v/uev-whats-new-in-uev-for-windows.md +++ b/windows/configuration/ue-v/uev-whats-new-in-uev-for-windows.md @@ -1,6 +1,6 @@ --- title: What's New in UE-V for Windows 10, version 1607 -description: What's New in UE-V for Windows 10, version 1607 +description: Learn about what's new in User Experience Virtualization (UE-V) for Windows 10, including new features and capabilities. author: dansimp ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy diff --git a/windows/configuration/windows-spotlight.md b/windows/configuration/windows-spotlight.md index fa8b0e3378..5fcc9f5c5c 100644 --- a/windows/configuration/windows-spotlight.md +++ b/windows/configuration/windows-spotlight.md @@ -44,7 +44,7 @@ For managed devices running Windows 10 Enterprise and Windows 10 Education, en - **Feature suggestions, fun facts, tips** - The lock screen background will occasionally suggest Windows 10 features that the user hasn't tried yet, such as **Snap assist**. + The lock screen background will occasionally make recommendations on how to enhance your productivity and enjoyment of Microsoft products including suggesting other relevant Microsoft products and services. ![fun facts](images/funfacts.png) diff --git a/windows/deployment/TOC.yml b/windows/deployment/TOC.yml index 27f6ebfdc9..f0c84c9b9b 100644 --- a/windows/deployment/TOC.yml +++ b/windows/deployment/TOC.yml 
@@ -44,7 +44,7 @@ - name: Define your servicing strategy href: update/plan-define-strategy.md - name: Delivery Optimization for Windows 10 updates - href: update/waas-delivery-optimization-reference.md + href: update/waas-delivery-optimization.md - name: Best practices for feature updates on mission-critical devices href: update/feature-update-mission-critical.md - name: Windows 10 deployment considerations @@ -67,7 +67,9 @@ - name: Prepare to deploy Windows 10 updates href: update/prepare-deploy-windows.md - name: Evaluate and update infrastructure - href: update/update-policies.md + href: update/update-policies.md + - name: Update Baseline + href: update/update-baseline.md - name: Set up Delivery Optimization for Windows 10 updates href: update/waas-delivery-optimization-setup.md - name: Configure BranchCache for Windows 10 updates @@ -137,6 +139,8 @@ href: update/waas-wufb-group-policy.md - name: Update Windows 10 media with Dynamic Update href: update/media-dynamic-update.md + - name: Migrating and acquiring optional Windows content + href: update/optional-content.md - name: Manage the Windows 10 update experience items: - name: Manage device restarts after updates diff --git a/windows/deployment/Windows-AutoPilot-EULA-note.md b/windows/deployment/Windows-AutoPilot-EULA-note.md index ae15ebea5c..a57384798d 100644 --- a/windows/deployment/Windows-AutoPilot-EULA-note.md +++ b/windows/deployment/Windows-AutoPilot-EULA-note.md 
@@ -1,24 +1,25 @@ ---- -title: Windows Autopilot EULA dismissal – important information -description: A notice about EULA dismissal through Windows Autopilot -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: deploy -ms.localizationpriority: medium -ms.audience: itpro author: greg-lindsay -ms.date: 08/22/2017 -ms.reviewer: -manager: laurawi -audience: itpro author: greg-lindsay -ROBOTS: noindex,nofollow -ms.topic: article ---- -# Windows Autopilot EULA dismissal – important information - ->[!IMPORTANT] ->The information below isn't the EULA. It is a notice of awareness to the administrator that's configuring to skip End User License Agreement (EULA) during the OOBE (Out-of-Box Experience). - -Using this tool allows you to configure individual installations of Windows on devices managed by your organization. You may choose to suppress or hide certain set-up screens that are normally presented to users when setting up Windows, including the EULA acceptance screen. - -By using this function, you agree that suppressing or hiding any screens that are designed to provide users with notice or acceptance of terms means that you, on behalf of your organization or the individual user as the case may be, have consented to the notices and accepted the applicable terms. This includes your agreement to the terms and conditions of the license or notice that would be presented to the user if you did not suppress or hide it using this tool. You and your users may not use the Windows software on those devices if you have not validly acquired a license for the software from Microsoft or its licensed distributors. 
+--- +title: Windows Autopilot EULA dismissal – important information +description: A notice about EULA dismissal through Windows Autopilot +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: deploy +ms.localizationpriority: medium +ms.audience: itpro +author: greg-lindsay +ms.date: 08/22/2017 +ms.reviewer: +manager: laurawi +audience: itpro +ROBOTS: noindex,nofollow +ms.topic: article +--- +# Windows Autopilot EULA dismissal – important information + +>[!IMPORTANT] +>The information below isn't the EULA. It is a notice of awareness to the administrator that's configuring to skip End User License Agreement (EULA) during the OOBE (Out-of-Box Experience). + +Using this tool allows you to configure individual installations of Windows on devices managed by your organization. You may choose to suppress or hide certain set-up screens that are normally presented to users when setting up Windows, including the EULA acceptance screen. + +By using this function, you agree that suppressing or hiding any screens that are designed to provide users with notice or acceptance of terms means that you, on behalf of your organization or the individual user as the case may be, have consented to the notices and accepted the applicable terms. This includes your agreement to the terms and conditions of the license or notice that would be presented to the user if you did not suppress or hide it using this tool. You and your users may not use the Windows software on those devices if you have not validly acquired a license for the software from Microsoft or its licensed distributors. diff --git a/windows/deployment/configure-a-pxe-server-to-load-windows-pe.md b/windows/deployment/configure-a-pxe-server-to-load-windows-pe.md index f9405d730e..834b94f381 100644 --- a/windows/deployment/configure-a-pxe-server-to-load-windows-pe.md +++ b/windows/deployment/configure-a-pxe-server-to-load-windows-pe.md 
@@ -11,8 +11,6 @@ audience: itpro
 author: greg-lindsay
 ms.reviewer:
 manager: laurawi
-audience: itpro
-author: greg-lindsay
 ms.author: greglin
 ms.topic: article
 ---
diff --git a/windows/deployment/deploy-m365.md b/windows/deployment/deploy-m365.md
index e90d44c1b5..c28a60db3e 100644
--- a/windows/deployment/deploy-m365.md
+++ b/windows/deployment/deploy-m365.md
@@ -3,7 +3,7 @@ title: Deploy Windows 10 with Microsoft 365
 ms.reviewer:
 manager: laurawi
 ms.author: greglin
-description: Concepts about deploying Windows 10 for M365
+description: Learn about deploying Windows 10 with Microsoft 365 and how to use a free 90-day trial account to review some of the benefits of Microsoft 365.
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
diff --git a/windows/deployment/deploy-whats-new.md b/windows/deployment/deploy-whats-new.md
index cff09982d3..519ec80cf3 100644
--- a/windows/deployment/deploy-whats-new.md
+++ b/windows/deployment/deploy-whats-new.md
@@ -3,7 +3,7 @@ title: What's new in Windows 10 deployment
 ms.reviewer:
 manager: laurawi
 ms.author: greglin
-description: Changes and new features related to Windows 10 deployment
+description: Use this article to learn about new solutions and online content related to deploying Windows 10 in your organization.
 keywords: deployment, automate, tools, configure, news
 ms.mktglfcycl: deploy
 ms.localizationpriority: medium
diff --git a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
index 7e06abfeb3..5c8972471b 100644
--- a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
+++ b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
@@ -170,13 +170,16 @@ The key to successful management of drivers for MDT, as well as for any other de On **MDT01**: +> [!IMPORTANT] +> In the steps below, it is critical that the folder names used for various computer makes and models exactly match the results of **wmic computersystem get model,manufacturer** on the target system. + 1. Using File Explorer, create the **D:\\drivers** folder. 2. In the **D:\\drivers** folder, create the following folder structure: 1. WinPE x86 2. WinPE x64 3. Windows 10 x64 3. In the new Windows 10 x64 folder, create the following folder structure: - - Dell + - Dell Inc - Latitude E7450 - Hewlett-Packard - HP EliteBook 8560w @@ -185,8 +188,8 @@ On **MDT01**: - Microsoft Corporation - Surface Laptop ->[!NOTE] ->Even if you are not going to use both x86 and x64 boot images, we still recommend that you add the support structure for future use. +> [!NOTE] +> Even if you are not going to use both x86 and x64 boot images, we still recommend that you add the support structure for future use. ### Create the logical driver structure in MDT @@ -197,7 +200,7 @@ When you import drivers to the MDT driver repository, MDT creates a single insta 2. WinPE x64 3. Windows 10 x64 3. In the **Windows 10 x64** folder, create the following folder structure: - - Dell + - Dell Inc - Latitude E7450 - Hewlett-Packard - HP EliteBook 8560w 
@@ -281,12 +284,12 @@ The folder you select and all sub-folders will be checked for drivers, expanding For the Dell Latitude E7450 model, you use the Dell Driver CAB file, which is accessible via the [Dell TechCenter website](https://go.microsoft.com/fwlink/p/?LinkId=619544). -In these steps, we assume you have downloaded and extracted the CAB file for the Latitude E7450 model to the **D:\\Drivers\\Dell\\Latitude E7450** folder. +In these steps, we assume you have downloaded and extracted the CAB file for the Latitude E7450 model to the **D:\\Drivers\\Dell Inc\\Latitude E7450** folder. On **MDT01**: -1. In the **Deployment Workbench**, in the **MDT Production** > **Out-Of-Box Drivers** > **Windows 10 x64** node, expand the **Dell** node. -2. Right-click the **Latitude E7450** folder and select **Import Drivers** and use the following Driver source directory to import drivers: **D:\\Drivers\\Windows 10 x64\\Dell\\Latitude E7450** +1. In the **Deployment Workbench**, in the **MDT Production** > **Out-Of-Box Drivers** > **Windows 10 x64** node, expand the **Dell Inc** node. +2. Right-click the **Latitude E7450** folder and select **Import Drivers** and use the following Driver source directory to import drivers: **D:\\Drivers\\Windows 10 x64\\Dell Inc\\Latitude E7450** ### For the HP EliteBook 8560w diff --git a/windows/deployment/deploy-windows-to-go.md b/windows/deployment/deploy-windows-to-go.md index 52cc80097b..e0be07468b 100644 --- a/windows/deployment/deploy-windows-to-go.md +++ b/windows/deployment/deploy-windows-to-go.md 
@@ -1,18 +1,18 @@
 ---
 title: Deploy Windows To Go in your organization (Windows 10)
-description: This topic helps you to deploy Windows To Go in your organization.
+description: Learn how to deploy Windows To Go in your organization through a wizard in the user interface as well as programatically with Windows PowerShell.
 ms.assetid: cfe550be-ffbd-42d1-ab4d-80efae49b07f
 ms.reviewer:
 manager: laurawi
 ms.audience: itpro
 author: greg-lindsay
+ms.author: greglin
 keywords: deployment, USB, device, BitLocker, workspace, security, data
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: mobility
 audience: itpro
-author: greg-lindsay
 ms.topic: article
 ---
diff --git a/windows/deployment/deploy.md b/windows/deployment/deploy.md
index d86cb2f2a8..5afc9307e1 100644
--- a/windows/deployment/deploy.md
+++ b/windows/deployment/deploy.md
@@ -1,17 +1,17 @@
 ---
 title: Deploy Windows 10 (Windows 10)
-description: Learn Windows 10 upgrade options for planning, testing, and managing your production deployment.
+description: Learn about Windows 10 upgrade options for planning, testing, and managing your production deployment.
 ms.assetid: E9E2DED5-DBA7-4300-B411-BA0FD39BE18C
 ms.reviewer:
 manager: laurawi
 ms.audience: itpro
 author: greg-lindsay
+ms.author: greglin
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: medium
 audience: itpro
-author: greg-lindsay
 ms.topic: article
 ---
diff --git a/windows/deployment/mbr-to-gpt.md b/windows/deployment/mbr-to-gpt.md
index 45e00f7007..94f57a06d9 100644
--- a/windows/deployment/mbr-to-gpt.md
+++ b/windows/deployment/mbr-to-gpt.md
@@ -1,6 +1,6 @@
 ---
 title: MBR2GPT
-description: How to use the MBR2GPT tool to convert MBR partitions to GPT
+description: Use MBR2GPT.EXE to convert a disk from the Master Boot Record (MBR) to the GUID Partition Table (GPT) partition style without modifying or deleting data on the disk.
 keywords: deploy, troubleshoot, windows, 10, upgrade, partition, mbr, gpt
 ms.prod: w10
 ms.mktglfcycl: deploy
@@ -8,11 +8,11 @@ ms.sitesec: library
 ms.pagetype: deploy
 audience: itpro
 author: greg-lindsay
+ms.author: greglin
 ms.date: 02/13/2018
 ms.reviewer:
 manager: laurawi
 ms.audience: itpro
-author: greg-lindsay
 ms.localizationpriority: medium
 ms.topic: article
 ---
diff --git a/windows/deployment/planning/available-data-types-and-operators-in-compatibility-administrator.md b/windows/deployment/planning/available-data-types-and-operators-in-compatibility-administrator.md
index a202b57844..f128528a5e 100644
--- a/windows/deployment/planning/available-data-types-and-operators-in-compatibility-administrator.md
+++ b/windows/deployment/planning/available-data-types-and-operators-in-compatibility-administrator.md
@@ -1,238 +1,239 @@ ---- -title: Available Data Types and Operators in Compatibility Administrator (Windows 10) -description: The Compatibility Administrator tool provides a way to query your custom-compatibility databases. -ms.assetid: 67d9c03e-ab9d-4fda-8a55-8c5b90266d3b -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# Available Data Types and Operators in Compatibility Administrator - - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -The Compatibility Administrator tool provides a way to query your custom-compatibility databases. - -## Available Data Types - - -Customized-compatibility databases in Compatibility Administrator contain the following data types. - -- **Integer**. A numerical value with no fractional part. All integers are unsigned because none of the attributes can have a negative value. - -- **String**. A series of alphanumeric characters manipulated as a group. - -- **Boolean**. A value of True or False. - -## Available Attributes - - -The following table shows the attributes you can use for querying your customized-compatibility databases in Compatibility Administrator. - - ----- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      AttributeDescriptionData type

      APP_NAME

      Name of the application.

      String

      DATABASE_GUID

      Unique ID for your compatibility database.

      String

      DATABASE_INSTALLED

      Specifies if you have installed the database.

      Boolean

      DATABASE_NAME

      Descriptive name of your database.

      String

      DATABASE_PATH

      Location of the database on your computer.

      String

      FIX_COUNT

      Number of compatibility fixes applied to a specific application.

      Integer

      FIX_NAME

      Name of your compatibility fix.

      String

      MATCH_COUNT

      Number of matching files for a specific, fixed application.

      Integer

      MATCHFILE_NAME

      Name of a matching file used to identify a specific, fixed application.

      String

      MODE_COUNT

      Number of compatibility modes applied to a specific, fixed application.

      Integer

      MODE_NAME

      Name of your compatibility mode.

      String

      PROGRAM_APPHELPTYPE

      Type of AppHelp message applied to an entry. The value can be 1 or 2, where 1 enables the program to run and 2 blocks the program.

      Integer

      PROGRAM_DISABLED

      Specifies if you disabled the compatibility fix for an application. If True, Compatibility Administrator does not apply the fixes to the application.

      Boolean

      PROGRAM_GUID

      Unique ID for an application.

      String

      PROGRAM_NAME

      Name of the application that you are fixing.

      String

      - - - -## Available Operators - - -The following table shows the operators that you can use for querying your customized-compatibility databases in the Compatibility Administrator. - - ------ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      SymbolDescriptionData typePrecedence

      >

      Greater than

      Integer or string

      1

      >=

      Greater than or equal to

      Integer or string

      1

      <

      Less than

      Integer or string

      1

      <=

      Less than or equal to

      Integer or string

      1

      <>

      Not equal to

      Integer or string

      1

      =

      Equal to

      Integer, string, or Boolean

      1

      HAS

      A special SQL operator used to check if the left-hand operand contains a substring specified by the right-hand operand.

      Left-hand operand. MATCHFILE_NAME, MODE_NAME, FIX_NAME

      -
      -Note

      Only the HAS operator can be applied to the MATCHFILE_NAME, MODE_NAME, and FIX_NAME attributes.

      -
      -
      - -
      -

      Right-hand operand. String

      1

      OR

      Logical OR operator

      Boolean

      2

      AND

      Logical AND operator

      Boolean

      2

      - - - -## Related topics -[Using the Compatibility Administrator Tool](using-the-compatibility-administrator-tool.md) - - - - - - - - - +--- +title: Available Data Types and Operators in Compatibility Administrator (Windows 10) +description: The Compatibility Administrator tool provides a way to query your custom-compatibility databases. +ms.assetid: 67d9c03e-ab9d-4fda-8a55-8c5b90266d3b +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat +ms.sitesec: library +audience: itpro +author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# Available Data Types and Operators in Compatibility Administrator + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +The Compatibility Administrator tool provides a way to query your custom-compatibility databases. + +## Available Data Types + + +Customized-compatibility databases in Compatibility Administrator contain the following data types. + +- **Integer**. A numerical value with no fractional part. All integers are unsigned because none of the attributes can have a negative value. + +- **String**. A series of alphanumeric characters manipulated as a group. + +- **Boolean**. A value of True or False. + +## Available Attributes + + +The following table shows the attributes you can use for querying your customized-compatibility databases in Compatibility Administrator. + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      AttributeDescriptionData type

      APP_NAME

      Name of the application.

      String

      DATABASE_GUID

      Unique ID for your compatibility database.

      String

      DATABASE_INSTALLED

      Specifies if you have installed the database.

      Boolean

      DATABASE_NAME

      Descriptive name of your database.

      String

      DATABASE_PATH

      Location of the database on your computer.

      String

      FIX_COUNT

      Number of compatibility fixes applied to a specific application.

      Integer

      FIX_NAME

      Name of your compatibility fix.

      String

      MATCH_COUNT

      Number of matching files for a specific, fixed application.

      Integer

      MATCHFILE_NAME

      Name of a matching file used to identify a specific, fixed application.

      String

      MODE_COUNT

      Number of compatibility modes applied to a specific, fixed application.

      Integer

      MODE_NAME

      Name of your compatibility mode.

      String

      PROGRAM_APPHELPTYPE

      Type of AppHelp message applied to an entry. The value can be 1 or 2, where 1 enables the program to run and 2 blocks the program.

      Integer

      PROGRAM_DISABLED

      Specifies if you disabled the compatibility fix for an application. If True, Compatibility Administrator does not apply the fixes to the application.

      Boolean

      PROGRAM_GUID

      Unique ID for an application.

      String

      PROGRAM_NAME

      Name of the application that you are fixing.

      String

      + + + +## Available Operators + + +The following table shows the operators that you can use for querying your customized-compatibility databases in the Compatibility Administrator. + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      SymbolDescriptionData typePrecedence

      >

      Greater than

      Integer or string

      1

      >=

      Greater than or equal to

      Integer or string

      1

      <

      Less than

      Integer or string

      1

      <=

      Less than or equal to

      Integer or string

      1

      <>

      Not equal to

      Integer or string

      1

      =

      Equal to

      Integer, string, or Boolean

      1

      HAS

      A special SQL operator used to check if the left-hand operand contains a substring specified by the right-hand operand.

      Left-hand operand. MATCHFILE_NAME, MODE_NAME, FIX_NAME

      +
      +Note

      Only the HAS operator can be applied to the MATCHFILE_NAME, MODE_NAME, and FIX_NAME attributes.

      +
      +
      + +
      +

      Right-hand operand. String

      1

      OR

      Logical OR operator

      Boolean

      2

      AND

      Logical AND operator

      Boolean

      2

      + + + +## Related topics +[Using the Compatibility Administrator Tool](using-the-compatibility-administrator-tool.md) + + + + + + + + + diff --git a/windows/deployment/planning/best-practice-recommendations-for-windows-to-go.md b/windows/deployment/planning/best-practice-recommendations-for-windows-to-go.md index 41c34aec02..36a7463bcc 100644 --- a/windows/deployment/planning/best-practice-recommendations-for-windows-to-go.md +++ b/windows/deployment/planning/best-practice-recommendations-for-windows-to-go.md @@ -1,6 +1,6 @@ --- title: Best practice recommendations for Windows To Go (Windows 10) -description: Best practice recommendations for Windows To Go +description: Learn about best practice recommendations for using Windows To Go, like using a USB 3.0 port with Windows to Go if it's available. ms.assetid: 05e6e0ab-94ed-4c0c-a195-0abd006f0a86 ms.reviewer: manager: laurawi diff --git a/windows/deployment/planning/deployment-considerations-for-windows-to-go.md b/windows/deployment/planning/deployment-considerations-for-windows-to-go.md index 8724e8278a..13c1aa16fd 100644 --- a/windows/deployment/planning/deployment-considerations-for-windows-to-go.md +++ b/windows/deployment/planning/deployment-considerations-for-windows-to-go.md @@ -1,6 +1,6 @@ --- title: Deployment considerations for Windows To Go (Windows 10) -description: Deployment considerations for Windows To Go +description: Learn about deployment considerations for Windows To Go, such as the boot experience, deployment methods, and tools that you can use with Windows To Go. ms.assetid: dcfc5d96-b96b-44cd-ab65-416b5611c65e ms.reviewer: manager: laurawi diff --git a/windows/deployment/planning/features-lifecycle.md b/windows/deployment/planning/features-lifecycle.md index a59b98bcff..0f635b9f80 100644 --- a/windows/deployment/planning/features-lifecycle.md +++ b/windows/deployment/planning/features-lifecycle.md 
@@ -1,6 +1,6 @@ --- title: Windows 10 features lifecycle -description: Learn about the lifecycle of Windows 10 features +description: Learn about the lifecycle of Windows 10 features, as well as features that are no longer developed, removed features, and terminology assigned to a feature. ms.prod: w10 ms.mktglfcycl: plan ms.localizationpriority: medium diff --git a/windows/deployment/planning/fixing-applications-by-using-the-sua-tool.md b/windows/deployment/planning/fixing-applications-by-using-the-sua-tool.md index 98986e0bfd..ea3a21ed29 100644 --- a/windows/deployment/planning/fixing-applications-by-using-the-sua-tool.md +++ b/windows/deployment/planning/fixing-applications-by-using-the-sua-tool.md @@ -1,76 +1,77 @@ ---- -title: Fixing Applications by Using the SUA Tool (Windows 10) -description: On the user interface for the Standard User Analyzer (SUA) tool, you can apply fixes to an application. -ms.assetid: 7f5947b1-977b-4d7e-bb52-fbe8e76f6b8b -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# Fixing Applications by Using the SUA Tool - - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -On the user interface for the Standard User Analyzer (SUA) tool, you can apply fixes to an application. - -**To fix an application by using the SUA tool** - -1. Use the SUA tool to test an application. For more information, see [Using the SUA Tool](using-the-sua-tool.md). - -2. After you finish testing, open the SUA tool. - -3. On the **Mitigation** menu, click the command that corresponds to the action that you want to take. The following table describes the commands. - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Mitigation menu commandDescription

      Apply Mitigations

      Opens the Mitigate AppCompat Issues dialog box, in which you can select the fixes that you intend to apply to the application.

      Undo Mitigations

      Removes the application fixes that you just applied.

      -

      This option is available only after you apply an application fix and before you close the SUA tool. Alternatively, you can manually remove application fixes by using Programs and Features in Control Panel.

      Export Mitigations as Windows Installer file

      Exports your application fixes as a Windows® Installer (.msi) file, which can then be deployed to other computers that are running the application.

      - -   - -  - -  - - - - - +--- +title: Fixing Applications by Using the SUA Tool (Windows 10) +description: On the user interface for the Standard User Analyzer (SUA) tool, you can apply fixes to an application. +ms.assetid: 7f5947b1-977b-4d7e-bb52-fbe8e76f6b8b +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat +ms.sitesec: library +audience: itpro +author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# Fixing Applications by Using the SUA Tool + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +On the user interface for the Standard User Analyzer (SUA) tool, you can apply fixes to an application. + +**To fix an application by using the SUA tool** + +1. Use the SUA tool to test an application. For more information, see [Using the SUA Tool](using-the-sua-tool.md). + +2. After you finish testing, open the SUA tool. + +3. On the **Mitigation** menu, click the command that corresponds to the action that you want to take. The following table describes the commands. + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Mitigation menu commandDescription

      Apply Mitigations

      Opens the Mitigate AppCompat Issues dialog box, in which you can select the fixes that you intend to apply to the application.

      Undo Mitigations

      Removes the application fixes that you just applied.

      +

      This option is available only after you apply an application fix and before you close the SUA tool. Alternatively, you can manually remove application fixes by using Programs and Features in Control Panel.

      Export Mitigations as Windows Installer file

      Exports your application fixes as a Windows® Installer (.msi) file, which can then be deployed to other computers that are running the application.

      + +   + +  + +  + + + + + diff --git a/windows/deployment/planning/showing-messages-generated-by-the-sua-tool.md b/windows/deployment/planning/showing-messages-generated-by-the-sua-tool.md index 08db3b24d6..d4b510cd08 100644 --- a/windows/deployment/planning/showing-messages-generated-by-the-sua-tool.md +++ b/windows/deployment/planning/showing-messages-generated-by-the-sua-tool.md @@ -1,80 +1,81 @@ ---- -title: Showing Messages Generated by the SUA Tool (Windows 10) -description: On the user interface for the Standard User Analyzer (SUA) tool, you can show the messages that the tool has generated. -ms.assetid: 767eb7f2-d6c4-414c-a7b3-a997337d904a -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# Showing Messages Generated by the SUA Tool - - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -On the user interface for the Standard User Analyzer (SUA) tool, you can show the messages that the tool has generated. - -**To show the messages that the SUA tool has generated** - -1. Use the SUA tool to test an application. For more information, see [Using the SUA Tool](using-the-sua-tool.md). - -2. After you finish testing, in the SUA tool, click the **App Info** tab. - -3. On the **View** menu, click the command that corresponds to the messages that you want to see. The following table describes the commands. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      View menu commandDescription

      Error Messages

      When this command is selected, the user interface shows error messages that the SUA tool has generated. Error messages are highlighted in pink.

      -

      This command is selected by default.

      Warning Messages

      When this command is selected, the user interface shows warning messages that the SUA tool has generated. Warning messages are highlighted in yellow.

      Information Messages

      When this command is selected, the user interface shows informational messages that the SUA tool has generated. Informational messages are highlighted in green.

      Detailed Information

      When this command is selected, the user interface shows information that the SUA tool has generated, such as debug, stack trace, stop code, and severity information.

      - -   - -  - -  - - - - - +--- +title: Showing Messages Generated by the SUA Tool (Windows 10) +description: On the user interface for the Standard User Analyzer (SUA) tool, you can show the messages that the tool has generated. +ms.assetid: 767eb7f2-d6c4-414c-a7b3-a997337d904a +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat +ms.sitesec: library +audience: itpro +author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# Showing Messages Generated by the SUA Tool + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +On the user interface for the Standard User Analyzer (SUA) tool, you can show the messages that the tool has generated. + +**To show the messages that the SUA tool has generated** + +1. Use the SUA tool to test an application. For more information, see [Using the SUA Tool](using-the-sua-tool.md). + +2. After you finish testing, in the SUA tool, click the **App Info** tab. + +3. On the **View** menu, click the command that corresponds to the messages that you want to see. The following table describes the commands. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      View menu commandDescription

      Error Messages

      When this command is selected, the user interface shows error messages that the SUA tool has generated. Error messages are highlighted in pink.

      +

      This command is selected by default.

      Warning Messages

      When this command is selected, the user interface shows warning messages that the SUA tool has generated. Warning messages are highlighted in yellow.

      Information Messages

      When this command is selected, the user interface shows informational messages that the SUA tool has generated. Informational messages are highlighted in green.

      Detailed Information

      When this command is selected, the user interface shows information that the SUA tool has generated, such as debug, stack trace, stop code, and severity information.

      + +   + +  + +  + + + + + diff --git a/windows/deployment/planning/tabs-on-the-sua-tool-interface.md b/windows/deployment/planning/tabs-on-the-sua-tool-interface.md index d58bf1d2ce..d3c279c3eb 100644 --- a/windows/deployment/planning/tabs-on-the-sua-tool-interface.md +++ b/windows/deployment/planning/tabs-on-the-sua-tool-interface.md @@ -1,105 +1,106 @@ ---- -title: Tabs on the SUA Tool Interface (Windows 10) -description: The tabs in the Standard User Analyzer (SUA) tool show the User Account Control (UAC) issues for the applications that you analyze. -ms.assetid: 0d705321-1d85-4217-bf2c-0ca231ca303b -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# Tabs on the SUA Tool Interface - - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -The tabs in the Standard User Analyzer (SUA) tool show the User Account Control (UAC) issues for the applications that you analyze. - -The following table provides a description of each tab on the user interface for the SUA tool. - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Tab nameDescription

      App Info

      Provides the following information for the selected application:

      -
        -
      • Debugging information

      • -
      • Error, warning, and informational messages (if they are enabled)

      • -
      • Options for running the application

      • -

      File

      Provides information about access to the file system.

      -

      For example, this tab might show an attempt to write to a file that only administrators can typically access.

      Registry

      Provides information about access to the system registry.

      -

      For example, this tab might show an attempt to write to a registry key that only administrators can typically access.

      INI

      Provides information about WriteProfile API issues.

      -

      For example, in the Calculator tool (Calc.exe) in Windows® XP, when you change the view from Standard to Scientific, Calc.exe calls the WriteProfile API to write to the Windows\Win.ini file. The Win.ini file is writable only for administrators.

      Token

      Provides information about access-token checking.

      -

      For example, this tab might show an explicit check for the Builtin\Administrators security identifier (SID) in the user's access token. This operation may not work for a standard user.

      Privilege

      Provides information about permissions.

      -

      For example, this tab might show an attempt to explicitly enable permissions that do not work for a standard user.

      Name Space

      Provides information about creation of system objects.

      -

      For example, this tab might show an attempt to create a new system object, such as an event or a memory map, in a restricted namespace. Applications that attempt this kind of operation do not function for a standard user.

      Other Objects

      Provides information related to applications accessing objects other than files and registry keys.

      Process

      Provides information about process elevation.

      -

      For example, this tab might show the use of the CreateProcess API to open an executable (.exe) file that, in turn, requires process elevation that will not function for a standard user.

      - -  - -  - -  - - - - - +--- +title: Tabs on the SUA Tool Interface (Windows 10) +description: The tabs in the Standard User Analyzer (SUA) tool show the User Account Control (UAC) issues for the applications that you analyze. +ms.assetid: 0d705321-1d85-4217-bf2c-0ca231ca303b +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat +ms.sitesec: library +audience: itpro +author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# Tabs on the SUA Tool Interface + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +The tabs in the Standard User Analyzer (SUA) tool show the User Account Control (UAC) issues for the applications that you analyze. + +The following table provides a description of each tab on the user interface for the SUA tool. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Tab nameDescription

      App Info

      Provides the following information for the selected application:

      +
        +
      • Debugging information

      • +
      • Error, warning, and informational messages (if they are enabled)

      • +
      • Options for running the application

      • +

      File

      Provides information about access to the file system.

      +

      For example, this tab might show an attempt to write to a file that only administrators can typically access.

      Registry

      Provides information about access to the system registry.

      +

      For example, this tab might show an attempt to write to a registry key that only administrators can typically access.

      INI

      Provides information about WriteProfile API issues.

      +

      For example, in the Calculator tool (Calc.exe) in Windows® XP, when you change the view from Standard to Scientific, Calc.exe calls the WriteProfile API to write to the Windows\Win.ini file. The Win.ini file is writable only for administrators.

      Token

      Provides information about access-token checking.

      +

      For example, this tab might show an explicit check for the Builtin\Administrators security identifier (SID) in the user's access token. This operation may not work for a standard user.

      Privilege

      Provides information about permissions.

      +

      For example, this tab might show an attempt to explicitly enable permissions that do not work for a standard user.

      Name Space

      Provides information about creation of system objects.

      +

      For example, this tab might show an attempt to create a new system object, such as an event or a memory map, in a restricted namespace. Applications that attempt this kind of operation do not function for a standard user.

      Other Objects

      Provides information related to applications accessing objects other than files and registry keys.

      Process

      Provides information about process elevation.

      +

      For example, this tab might show the use of the CreateProcess API to open an executable (.exe) file that, in turn, requires process elevation that will not function for a standard user.

      + +  + +  + +  + + + + + diff --git a/windows/deployment/planning/using-the-compatibility-administrator-tool.md b/windows/deployment/planning/using-the-compatibility-administrator-tool.md index b38891eae2..cb84beaa58 100644 --- a/windows/deployment/planning/using-the-compatibility-administrator-tool.md +++ b/windows/deployment/planning/using-the-compatibility-administrator-tool.md @@ -1,94 +1,95 @@ ---- -title: Using the Compatibility Administrator Tool (Windows 10) -description: This section provides information about using the Compatibility Administrator tool. -ms.assetid: 57271e47-b9b9-4018-a0b5-7115a533166d -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# Using the Compatibility Administrator Tool - - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -This section provides information about using the Compatibility Administrator tool. - -## In this section - - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      TopicDescription

      Available Data Types and Operators in Compatibility Administrator

      The Compatibility Administrator tool provides a way to query your custom-compatibility databases.

      Searching for Fixed Applications in Compatibility Administrator

      With the search functionality in Compatibility Administrator, you can locate specific executable (.exe) files with previously applied compatibility fixes, compatibility modes, or AppHelp messages. This is particularly useful if you are trying to identify applications with a specific compatibility fix or identifying which fixes are applied to a specific application.

      Searching for Installed Compatibility Fixes with the Query Tool in Compatibility Administrator

      You can access the Query tool from within Compatibility Administrator. The Query tool provides the same functionality as using the Search feature.

      Creating a Custom Compatibility Fix in Compatibility Administrator

      The Compatibility Administrator tool uses the term fix to describe the combination of compatibility information added to a customized database for a specific application. This combination can include single application fixes, groups of fixes that work together as a compatibility mode, and blocking and non-blocking AppHelp messages.

      Creating a Custom Compatibility Mode in Compatibility Administrator

      Windows® provides several compatibility modes, groups of compatibility fixes found to resolve many common application-compatibility issues. While working with Compatibility Administrator, you might decide to group some of your individual compatibility fixes into a custom-compatibility mode, which you can then deploy and use on any of your compatibility databases.

      Creating an AppHelp Message in Compatibility Administrator

      The Compatibility Administrator tool enables you to create an AppHelp text message. This is a blocking or non-blocking message that appears when a user starts an application that you know has major functionality issues on the Windows® operating system.

      Viewing the Events Screen in Compatibility Administrator

      The Events screen enables you to record and to view your activities in the Compatibility Administrator tool, provided that the screen is open while you perform the activities.

      Enabling and Disabling Compatibility Fixes in Compatibility Administrator

      You can disable and enable individual compatibility fixes in your customized databases for testing and troubleshooting purposes.

      Installing and Uninstalling Custom Compatibility Databases in Compatibility Administrator

      The Compatibility Administrator tool enables the creation and the use of custom-compatibility and standard-compatibility databases. Both the custom databases and the standard databases store the known compatibility fixes, compatibility modes, and AppHelp messages. They also store the required application-matching information for installation on your local computers.

      - - - - - - - - - - - +--- +title: Using the Compatibility Administrator Tool (Windows 10) +description: This section provides information about using the Compatibility Administrator tool. +ms.assetid: 57271e47-b9b9-4018-a0b5-7115a533166d +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat +ms.sitesec: library +audience: itpro +author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# Using the Compatibility Administrator Tool + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +This section provides information about using the Compatibility Administrator tool. + +## In this section + + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      TopicDescription

      Available Data Types and Operators in Compatibility Administrator

      The Compatibility Administrator tool provides a way to query your custom-compatibility databases.

      Searching for Fixed Applications in Compatibility Administrator

      With the search functionality in Compatibility Administrator, you can locate specific executable (.exe) files with previously applied compatibility fixes, compatibility modes, or AppHelp messages. This is particularly useful if you are trying to identify applications with a specific compatibility fix or identifying which fixes are applied to a specific application.

      Searching for Installed Compatibility Fixes with the Query Tool in Compatibility Administrator

      You can access the Query tool from within Compatibility Administrator. The Query tool provides the same functionality as using the Search feature.

      Creating a Custom Compatibility Fix in Compatibility Administrator

      The Compatibility Administrator tool uses the term fix to describe the combination of compatibility information added to a customized database for a specific application. This combination can include single application fixes, groups of fixes that work together as a compatibility mode, and blocking and non-blocking AppHelp messages.

      Creating a Custom Compatibility Mode in Compatibility Administrator

      Windows® provides several compatibility modes, groups of compatibility fixes found to resolve many common application-compatibility issues. While working with Compatibility Administrator, you might decide to group some of your individual compatibility fixes into a custom-compatibility mode, which you can then deploy and use on any of your compatibility databases.

      Creating an AppHelp Message in Compatibility Administrator

      The Compatibility Administrator tool enables you to create an AppHelp text message. This is a blocking or non-blocking message that appears when a user starts an application that you know has major functionality issues on the Windows® operating system.

      Viewing the Events Screen in Compatibility Administrator

      The Events screen enables you to record and to view your activities in the Compatibility Administrator tool, provided that the screen is open while you perform the activities.

      Enabling and Disabling Compatibility Fixes in Compatibility Administrator

      You can disable and enable individual compatibility fixes in your customized databases for testing and troubleshooting purposes.

      Installing and Uninstalling Custom Compatibility Databases in Compatibility Administrator

      The Compatibility Administrator tool enables the creation and the use of custom-compatibility and standard-compatibility databases. Both the custom databases and the standard databases store the known compatibility fixes, compatibility modes, and AppHelp messages. They also store the required application-matching information for installation on your local computers.

      + + + + + + + + + + + diff --git a/windows/deployment/planning/windows-10-compatibility.md b/windows/deployment/planning/windows-10-compatibility.md index 464e7e03de..965ad4dad7 100644 --- a/windows/deployment/planning/windows-10-compatibility.md +++ b/windows/deployment/planning/windows-10-compatibility.md 
@@ -1,60 +1,61 @@ ---- -title: Windows 10 compatibility (Windows 10) -description: Windows 10 will be compatible with most existing PC hardware; most devices running Windows 7, Windows 8, or Windows 8.1 will meet the requirements for Windows 10. -ms.assetid: 829BE5B5-330A-4702-807A-8908B4FC94E8 -ms.reviewer: -manager: laurawi -ms.author: greglin -keywords: deploy, upgrade, update, appcompat -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.localizationpriority: medium -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.topic: article ---- - -# Windows 10 compatibility - - -**Applies to** - -- Windows 10 - -Windows 10 will be compatible with most existing PC hardware; most devices running Windows 7, Windows 8, or Windows 8.1 will meet the requirements for Windows 10. - -For full system requirements, see [Windows 10 specifications](https://go.microsoft.com/fwlink/p/?LinkId=625077). Some driver updates may be required for Windows 10. - -Existing desktop (Win32) application compatibility is also expected to be strong, with most existing applications working without any changes. Some applications that interface with Windows at a low level, those that use undocumented APIs, or those that do not follow recommended coding practices could experience issues. - -Existing Windows Store (WinRT) apps created for Windows 8 and Windows 8.1 should also continue to work, because compatibility can be validated against all the apps that have been submitted to the Windows Store. - -For web apps and sites, modern HTML5-based sites should also have a high degree of compatibility and excellent performance through the new Microsoft Edge browser, while older web apps and sites can continue to use Internet Explorer 11 and the Enterprise Mode features that were first introduced in Windows 7 and Windows 8.1 and are still present in Windows 10. 
For more information about Internet Explorer and Enterprise Mode, see the [Internet Explorer 11 Deployment Guide for IT Pros.](https://go.microsoft.com/fwlink/p/?LinkId=734031) - -## Recommended application testing process - - -Historically, organizations have performed extensive, and often exhaustive, testing of the applications they use before deployment of a new Windows version, service pack, or any other significant update. With Windows 10, organizations are encouraged to leverage more optimized testing processes, which reflects the higher levels of compatibility that are expected. At a high level: - -- Identify mission-critical applications and websites, those that are absolutely essential to the organization’s operations. Focus testing efforts on this subset of applications, early in the Windows development cycle (for example, with Windows Insider Program builds) to identify potential issues. Report any issues you encounter with the Windows Feedback tool, so that these issues can be addressed prior to the next Windows release. - -- For less critical applications, leverage an “internal flighting” or pilot-based approach, by deploying new Windows upgrades to groups of machines, growing gradually in size and potential impact, to verify compatibility with hardware and software. Reactively address issues before you expand the pilot to more machines. - -## Related topics - - -[Windows 10 servicing options](../update/waas-servicing-strategy-windows-10-updates.md) - -[Windows 10 deployment considerations](windows-10-deployment-considerations.md) - -[Windows 10 infrastructure requirements](windows-10-infrastructure-requirements.md) - -  - -  - - - - - +--- +title: Windows 10 compatibility (Windows 10) +description: Windows 10 will be compatible with most existing PC hardware; most devices running Windows 7, Windows 8, or Windows 8.1 will meet the requirements for Windows 10. 
+ms.assetid: 829BE5B5-330A-4702-807A-8908B4FC94E8 +ms.reviewer: +manager: laurawi +ms.author: greglin +keywords: deploy, upgrade, update, appcompat +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat +ms.localizationpriority: medium +ms.sitesec: library +audience: itpro +author: greg-lindsay +ms.topic: article +--- + +# Windows 10 compatibility + + +**Applies to** + +- Windows 10 + +Windows 10 will be compatible with most existing PC hardware; most devices running Windows 7, Windows 8, or Windows 8.1 will meet the requirements for Windows 10. + +For full system requirements, see [Windows 10 specifications](https://go.microsoft.com/fwlink/p/?LinkId=625077). Some driver updates may be required for Windows 10. + +Existing desktop (Win32) application compatibility is also expected to be strong, with most existing applications working without any changes. Some applications that interface with Windows at a low level, those that use undocumented APIs, or those that do not follow recommended coding practices could experience issues. + +Existing Windows Store (WinRT) apps created for Windows 8 and Windows 8.1 should also continue to work, because compatibility can be validated against all the apps that have been submitted to the Windows Store. + +For web apps and sites, modern HTML5-based sites should also have a high degree of compatibility and excellent performance through the new Microsoft Edge browser, while older web apps and sites can continue to use Internet Explorer 11 and the Enterprise Mode features that were first introduced in Windows 7 and Windows 8.1 and are still present in Windows 10. 
For more information about Internet Explorer and Enterprise Mode, see the [Internet Explorer 11 Deployment Guide for IT Pros.](https://go.microsoft.com/fwlink/p/?LinkId=734031) + +## Recommended application testing process + + +Historically, organizations have performed extensive, and often exhaustive, testing of the applications they use before deployment of a new Windows version, service pack, or any other significant update. With Windows 10, organizations are encouraged to leverage more optimized testing processes, which reflects the higher levels of compatibility that are expected. At a high level: + +- Identify mission-critical applications and websites, those that are absolutely essential to the organization’s operations. Focus testing efforts on this subset of applications, early in the Windows development cycle (for example, with Windows Insider Program builds) to identify potential issues. Report any issues you encounter with the Windows Feedback tool, so that these issues can be addressed prior to the next Windows release. + +- For less critical applications, leverage an “internal flighting” or pilot-based approach, by deploying new Windows upgrades to groups of machines, growing gradually in size and potential impact, to verify compatibility with hardware and software. Reactively address issues before you expand the pilot to more machines. + +## Related topics + + +[Windows 10 servicing options](../update/waas-servicing-strategy-windows-10-updates.md) + +[Windows 10 deployment considerations](windows-10-deployment-considerations.md) + +[Windows 10 infrastructure requirements](windows-10-infrastructure-requirements.md) + +  + +  + + + + + diff --git a/windows/deployment/planning/windows-10-enterprise-faq-itpro.md b/windows/deployment/planning/windows-10-enterprise-faq-itpro.md index 764b8d1ca5..546b8de3af 100644 --- a/windows/deployment/planning/windows-10-enterprise-faq-itpro.md +++ b/windows/deployment/planning/windows-10-enterprise-faq-itpro.md 
@@ -6,14 +6,12 @@ ms.prod: w10 ms.mktglfcycl: plan ms.localizationpriority: medium ms.sitesec: library -audience: itpro author: greg-lindsay ms.date: 08/18/2017 ms.reviewer: manager: laurawi ms.author: greglin audience: itpro -author: greg-lindsay ms.topic: article --- diff --git a/windows/deployment/planning/windows-10-removed-features.md b/windows/deployment/planning/windows-10-removed-features.md index b79a9e0b9d..7085ba9fb5 100644 --- a/windows/deployment/planning/windows-10-removed-features.md +++ b/windows/deployment/planning/windows-10-removed-features.md @@ -1,6 +1,6 @@ --- title: Windows 10 - Features that have been removed -description: Learn about features and functionality that has been removed or replaced in Windows 10 +description: In this article, learn about the features and functionality that have been removed or replaced in Windows 10. ms.prod: w10 ms.mktglfcycl: plan ms.localizationpriority: medium 
@@ -27,6 +27,8 @@ The following features and functionalities have been removed from the installed |Feature | Details and mitigation | Removed in version | | ----------- | --------------------- | ------ | +| Connect app | The **Connect** app for wireless projection using Miracast is no longer installed by default, but is available as an optional feature. To install the app, click on **Settings** > **Apps** > **Optional features** > **Add a feature** and then install the **Wireless Display** app. | 2004 | +| Rinna and Japanese Address suggestion | The Rinna and Japanese Address suggestion service for Microsoft Japanese Input Method Editor (IME) ended on August 13th, 2020. For more information, see [Rinna and Japanese Address suggestion will no longer be offered](https://support.microsoft.com/help/4576767/windows-10-rinna-and-japanese-address-suggestion) | 2004 | | Cortana | Cortana has been updated and enhanced in the Windows 10 May 2020 Update. With [these changes](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-2004#cortana), some previously available consumer skills such as music, connected home, and other non-Microsoft skills are no longer available. | 2004 | | Windows To Go | Windows To Go was announced as deprecated in Windows 10, version 1903 and is removed in this release. | 2004 | | Mobile Plans and Messaging apps | Both apps are still supported, but are now distributed in a different way. OEMs can now include these apps in Windows images for cellular enabled devices. The apps are removed for non-cellular devices.| 2004 | diff --git a/windows/deployment/s-mode.md b/windows/deployment/s-mode.md index bd9b8af4d0..37b3315a1d 100644 --- a/windows/deployment/s-mode.md +++ b/windows/deployment/s-mode.md @@ -11,8 +11,8 @@ ms.reviewer: manager: laurawi ms.audience: itpro author: greg-lindsay +ms.author: greglin audience: itpro -author: greg-lindsay ms.topic: article --- 
diff --git a/windows/deployment/update/WIP4Biz-intro.md b/windows/deployment/update/WIP4Biz-intro.md
index 3534c08c5c..97f6eb21e1 100644
--- a/windows/deployment/update/WIP4Biz-intro.md
+++ b/windows/deployment/update/WIP4Biz-intro.md
@@ -7,9 +7,7 @@ ms.mktglfcycl: manage
 audience: itpro
 itproauthor: jaimeo
 author: jaimeo
-ms.localizationprioauthor: jaimeo
 ms.audience: itpro
-author: jaimeo
 ms.reviewer:
 manager: laurawi
 ms.topic: article
diff --git a/windows/deployment/update/change-history-for-update-windows-10.md b/windows/deployment/update/change-history-for-update-windows-10.md
index 99bb88d5a4..fc8013e00c 100644
--- a/windows/deployment/update/change-history-for-update-windows-10.md
+++ b/windows/deployment/update/change-history-for-update-windows-10.md
@@ -4,7 +4,6 @@ description: This topic lists new and updated topics in the Update Windows 10 do
 ms.prod: w10
 ms.mktglfcycl: manage
 audience: itpro
-itproauthor: jaimeo
 author: jaimeo
 ms.author: jaimeo
 ms.reviewer:
diff --git a/windows/deployment/update/eval-infra-tools.md b/windows/deployment/update/eval-infra-tools.md
index af6fe156e8..77795ce1c4 100644
--- a/windows/deployment/update/eval-infra-tools.md
+++ b/windows/deployment/update/eval-infra-tools.md
@@ -10,7 +10,6 @@ audience: itpro
 author: jaimeo
 ms.localizationpriority: medium
 ms.audience: itpro
-author: jaimeo
 ms.topic: article
 ms.collection: M365-modern-desktop
 ---
diff --git a/windows/deployment/update/feature-update-conclusion.md b/windows/deployment/update/feature-update-conclusion.md
index 5c72afc8c0..a23c157317 100644
--- a/windows/deployment/update/feature-update-conclusion.md
+++ b/windows/deployment/update/feature-update-conclusion.md
@@ -1,6 +1,6 @@
 ---
 title: Best practices for feature updates - conclusion
-description: Final thoughts about how to deploy feature updates
+description: This article includes final thoughts about how to deploy and stay up-to-date with Windows 10 feature updates.
 ms.prod: w10
 ms.mktglfcycl: manage
 audience: itpro
diff --git a/windows/deployment/update/feature-update-maintenance-window.md b/windows/deployment/update/feature-update-maintenance-window.md
index da74aafced..2df56fa684 100644
--- a/windows/deployment/update/feature-update-maintenance-window.md
+++ b/windows/deployment/update/feature-update-maintenance-window.md
@@ -1,10 +1,9 @@
 ---
 title: Best practices - deploy feature updates during maintenance windows
-description: Learn how to deploy feature updates during a maintenance window
+description: Learn how to configure maintenance windows and how to deploy feature updates during a maintenance window.
 ms.prod: w10
 ms.mktglfcycl: manage
 audience: itpro
-itproauthor: jaimeo
 author: jaimeo
 ms.localizationpriority: medium
 ms.author: jaimeo
diff --git a/windows/deployment/update/feature-update-mission-critical.md b/windows/deployment/update/feature-update-mission-critical.md
index 760c0f0182..69b91b9184 100644
--- a/windows/deployment/update/feature-update-mission-critical.md
+++ b/windows/deployment/update/feature-update-mission-critical.md
@@ -1,6 +1,6 @@
 ---
 title: Best practices and recommendations for deploying Windows 10 Feature updates to mission-critical devices
-description: Learn how to deploy feature updates to your mission-critical devices
+description: Learn how to use the Microsoft Endpoint Configuration Manager (current branch) software updates feature to deploy Windows 10 semi-annual feature updates.
 ms.prod: w10
 ms.mktglfcycl: manage
 audience: itpro
diff --git a/windows/deployment/update/feature-update-user-install.md b/windows/deployment/update/feature-update-user-install.md
index e22be01edd..254703b4dc 100644
--- a/windows/deployment/update/feature-update-user-install.md
+++ b/windows/deployment/update/feature-update-user-install.md
@@ -1,6 +1,6 @@
 ---
 title: Best practices - deploy feature updates for user-initiated installations
-description: Learn how to manually deploy feature updates
+description: Learn recommendations and best practices for manually deploying a feature update for a user-initiated installation.
 ms.prod: w10
 ms.mktglfcycl: manage
 audience: itpro
diff --git a/windows/deployment/update/images/UC_workspace_safeguard_queries.png b/windows/deployment/update/images/UC_workspace_safeguard_queries.png
new file mode 100644
index 0000000000..36bb54260b
Binary files /dev/null and b/windows/deployment/update/images/UC_workspace_safeguard_queries.png differ
diff --git a/windows/deployment/update/olympia/olympia-enrollment-guidelines.md b/windows/deployment/update/olympia/olympia-enrollment-guidelines.md
index adb1e56155..232fb2748c 100644
--- a/windows/deployment/update/olympia/olympia-enrollment-guidelines.md
+++ b/windows/deployment/update/olympia/olympia-enrollment-guidelines.md
@@ -1,6 +1,6 @@
 ---
 title: Olympia Corp enrollment guidelines
-description: Olympia Corp enrollment guidelines
+description: Learn about the Olympia Corp enrollment and setting up an Azure Active Directory-REGISTERED Windows 10 device or an Azure Active Directory-JOINED Windows 10 device.
 ms.author: jaimeo
 ms.topic: article
 ms.prod: w10
diff --git a/windows/deployment/update/optional-content.md b/windows/deployment/update/optional-content.md
new file mode 100644
index 0000000000..607c9114e4
--- /dev/null
+++ b/windows/deployment/update/optional-content.md
@@ -0,0 +1,859 @@
+---
+title: Migrating and acquiring optional Windows content
+description: Keep language resources and Features on Demand during operating system updates
+ms.prod: w10
+ms.mktglfcycl: manage
+audience: itpro
+itproauthor: jaimeo
+author: jaimeo
+ms.localizationpriority: medium
+ms.author: jaimeo
+manager: laurawi
+ms.collection: M365-modern-desktop
+ms.topic: article
+---
+
+# Migrating and acquiring optional Windows content during updates
+
+This article provides some background on the problem of keeping language resources and Features on Demand during operating system updates and offers guidance to help you move forward in the short term and prepare for the long term.
+
+When you update the operating system, it’s critical to keep language resources and Features on Demand (FODs). Many commercial organizations use Configuration Manager or other management tools to distribute and orchestrate Windows 10 setup using a local Windows image or WIM file (a “media-based” or “task-sequence-based” update). Others do in-place updates using an approved Windows 10 feature update by using Windows Server Update Services (WSUS), Configuration Manager, or equivalent tools (a "servicing-based” update).
+
+Neither approach contains the full set of Windows optional features that a user’s device might need, so those features are not migrated to the new operating system. Further, those features are not available in Configuration Manager or WSUS for on-premises acquisition after a feature update
+
+## What is optional content?
+
+Optional content includes the following items:
+
+- General Features on Demand also referred to as FODs (for example, Windows Mixed Reality)
+- Language-based and regional FODs (for example, Language.Basic~~~ja-jp~0.0.1.0)
+- Local Experience Packs
+
+Optional content isn’t included by default in the Windows image file that is part of the operating system media available in the Volume Licensing Service Center (VLSC). Instead, it’s released as an additional ISO file on VLSC. Shipping these features out of the operating system media and shipping them separately reduces the disk footprint of Windows. This provides more space for user’s data. It also reduces the time needed to service the operating system, whether installing a monthly quality update or upgrading to a newer version. A smaller default Windows image also means less data to transmit over the network.
+
+## Why is acquiring optional content challenging?
+
+The challenges surrounding optional content typically fall into two groups:
+
+### Incomplete operating system updates
+
+The first challenge is related to content migration during a feature update. When Windows Setup performs an in-place update, the new operating is written to the user’s disk alongside the old version. This is a temporary folder, where a second clean operating system is installed and prepared for the user to "move into." When this happens, Windows Setup enumerates optional content installed already in the current version and plans to install the new version of this content in the new operating system.
+
+Windows Setup needs access to the optional content to do this. Since optional content is not in the Windows image by default, Windows Setup must look elsewhere to get the Windows packages, stage them, and then install them in the new operating system. When the content can’t be found, the result is an update that is missing features on the device, a frustrated end user, and likely a help desk call. This pain point is sometimes referred to "failure to migrate optional content during update." For media-based updates, Windows will automatically try again once the new operating system boots. We call this “latent acquisition.”
+
+### User-initiated feature acquisition failure
+
+The second challenge involves a failure to acquire features when a user requests them. Imagine a user running a device with a new version of Windows 10, either by using a clean installation or an in-place update. The user visits Settings, and attempts to install a second language, additional language experience features, or other optional content. Again, since these features are not in the operating system, the packages need to be acquired. For a typical user with internet access, Windows will acquire the features from a nearby Microsoft content delivery network, and everything works as designed. For commercial users, some might not have internet access or have policies to prevent acquisition over the internet. In these situations, Windows must acquire the content from an alternative location. When the content can’t be found, users are frustrated and another help desk call could result. This pain point is sometimes referred to as "failure to acquire optional content.”
+
+## Options for acquiring optional content
+
+Most commercial organizations understand the pain points outlined above, and discussions typically start with them asking what plans are available to address these challenges. The following table includes multiple options for consideration, depending on how you are currently deploying Windows 10. In this table,
+
+- Migration means it supports optional content migration during an update.
+- Acquisition means it supports optional content acquisition (that is, initiated by the user).
+- Media means it's applicable with media-based deployments.
+- Servicing means applicable with servicing-based deployments.
+
+
+|Method |Migration |Acquisition |Media | Servicing |
+|---------|---------|---------|---------|--------------|
+|Option 1: Use Windows Update | Yes | Yes | No | Yes |
+|Option 2: Enable Dynamic Update | Yes | No | Yes |Yes |
+|Option 3: Customize the Windows image before deployment | Yes | No | Yes |No |
+|Option 4: Install language features during deployment | Partial | No | Yes | No |
+|Option 5: Install optional content after deployment | Yes | No |Yes | Yes |
+|Option 6: Configure alternative source for Features on Demand | No | Partial | Yes | Yes |
+
+
+
+### Option 1: Use Windows Update
+
+Windows Update for Business solves the optional content problem. Optional content is published and available for acquisition by Windows Setup from a nearby Microsoft content delivery network and acquired using the Unified Update Platform. Optional content migration and acquisition scenarios "just work" when the device is connected to an update service that uses the Unified Update Platform, such as Windows Update or Windows Update for Business. If for some reason a language pack fails to install during the update, the update will automatically roll back.
+
+Starting with Windows 10, version 1709, we introduced the [Unified Update Platform](https://blogs.windows.com/windowsexperience/2016/11/03/introducing-unified-update-platform-uup/). The Unified Update Platform is an improvement in the underlying Windows update technology that results in smaller download sizes and a more efficient protocol for checking for updates, acquiring and installing the packages needed, and getting current in one update step. The technology is "unified" because it brings together the update stack for Windows 10, Windows Server, and other products, such as HoloLens. The Unified Update Platform is not currently integrated with WSUS.
+
+You should consider moving to Windows Update for Business. Not only will the optional content scenario work seamlessly (as it does for consumer devices today), but you also get the full benefits of smaller download sizes also known as Express Updates. Further, devices that use devices are immune to the challenge of upgrading a Windows 10 device where the operating system installation language is inadvertently changed to a new language. Otherwise, any future media-based feature updates can fail when the installation media has a different installation language. See [Upgrading Windows 10 devices with installation media different than the original OS install language](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/upgrading-windows-10-devices-with-installation-media-different/ba-p/746126) for more details, as well as our [Ignite 2019 theater session THR4002](https://medius.studios.ms/video/asset/HIGHMP4/IG19-THR4002) on this topic.
+
+### Option 2: Enable Dynamic Update
+
+If you’re not ready to move to Windows Update, another option is to enable Dynamic Update during a feature update. As soon as a Windows 10 feature update starts, whether via a media-based update or a WSUS-based feature update, Dynamic Update is one of the first steps invoked. Windows 10 Setup connects to an internet-facing URL hosted by Microsoft to fetch Dynamic Update content, and then applies those updates to the operating system installation media. The content acquired includes the following:
+
+- Setup updates: Fixes to Setup.exe binaries or any files that Setup uses for feature updates.
+- Safe OS updates: Fixes for the "safe OS" that are used to update Windows recovery environment (WinRE).
+- Servicing stack updates: Fixes that are necessary to address the Windows 10 servicing stack issue and thus required to complete the feature update.
+- Latest cumulative update: Installs the latest cumulative quality update.
+- Driver updates: Latest version of applicable drivers that have already been published by manufacturers into Windows Update and meant specifically for Dynamic Update.
+
+In addition to these updates for the new operating system, Dynamic Update will acquire optional content during the update process to ensure that the device has this content present when the update completes. So, although the device is not connected to Windows Update, it will fetch content from a nearby Microsoft content download network (CDN). This addresses the first pain point with optional content, but not user-initiated acquisition. By default, [Dynamic Update](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-command-line-options#dynamicupdate) is enabled by Windows 10 Setup. You can enable or disable Dynamic Update by using the /DynamicUpdate option in Windows Setup. If you use the servicing-based approach, you can set this with setupconfig.ini. See [Windows Setup Automation Overview](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-automation-overview) for details.
+
+Starting in Windows 10, version 2004, Dynamic Update can be configured with additional options. For example, you might want to have the benefits of optional content migration without automatically acquiring the latest quality update. You can do that with the /DynamicUpdate NoLCU option of Windows Setup. Afterward, you would separately follow your existing process for testing and approving monthly updates. The downside of this approach is the device will go through an additional reboot for the latest cumulative update since it was not available during the feature update.
+
+One additional consideration when using Dynamic Update is the impact to your network. One of the top blockers for this approach is the concern that each device will separately fetch this content from Microsoft. Windows 10, version 2004 setup now downloads Dynamic Update content using Delivery Optimization when available.
+ For devices that aren’t connected to the internet, a subset of the Dynamic Update content is available by using WSUS and the Microsoft catalog.
+
+### Option 3: Customize the Windows Image before deployment
+
+ For many organizations, the deployment workflow involves a Configuration Manager task sequence that performs a media-based update. Some customers either don’t have internet connectivity, or the connectivity is poor and so they can’t enable Dynamic Update. In these cases, we recommend installing optional content prior to deployment. This is sometimes referred to as customizing the installation media.
+
+You can customize the Windows image in these ways:
+
+- Applying a cumulative (quality) update
+- Applying updates to the servicing stack
+- Applying updates to Setup.exe binaries or other files that Setup uses for feature updates
+- Applying updates for the "safe operating system" (SafeOS) that is used for the Windows recovery environment
+- Adding or removing languages
+- Adding or removing Features on Demand
+
+The benefit of this option is that the Windows image can include those additional languages, language experience features, and other Features on Demand through one-time updates to the image. Then you can use them in an existing task sequence or custom deployment where Setup.exe is involved. The downside of this approach is that it requires some preparation of the image in advance, including scripting with DISM to install the additional packages. It also means the image is the same for all devices that consume it and might contain more features than some users need. For more information on customizing your media, see [Updating Windows 10 media with Dynamic Update packages](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/updating-windows-10-media-with-dynamic-update-packages/ba-p/982477) and our [Ignite 2019 theater session THR3073](https://medius.studios.ms/video/asset/HIGHMP4/IG19-THR3073). Also like Option 2, you still have a solution for migration of optional content, but not supporting user-initiated optional content acquisition. Also, there is a variation of this option in which media is updated *on the device* just before installation. This allows for device-specific image customization based on what's currently installed.
+
+
+### Option 4: Install language features during deployment
+
+A partial solution to address the first pain point of failing to migrate optional content during upgrade is to inject a subset of optional content during the upgrade process. This approach uses the Windows 10 Setup option [/InstallLangPacks](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-command-line-options#installlangpacks) to add Language Packs and language capabilities such as text-to-speech recognition from a folder that contains the packages. This approach lets an IT pro take a subset of optional content and stage them within their network. If you use the servicing-based approach, you can configure InstallLangPacks using setupconfig.ini. See [Windows Setup Automation Overview](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-automation-overview) for details.
+
+When Setup runs, it will inject these packages into the new operating system during installation. This means it can be an alternative to enabling Dynamic Update or customizing the operating system image before deployment. You must take care with this approach, because the packages cannot be renamed. Further, the content is coming from two separate release media ISOs. The key is to copy both the FOD packages and the FOD metadata .cab from the FOD ISO into the folder, as well as the architecture-specific Language Pack .cabs from the LPLIP ISO. Also, starting with Windows 10, version 1903, the behavior changed. In Windows 10, version 1809 and earlier, failure to install the packages wasn’t a fatal error. Starting with Windows 10, version 1903, we treat InstallLangPacks failures as fatal, and roll back the entire upgrade. The idea is to not leave the user in a bad state since media-based upgrades don’t migrate FOD and languages (unless Dynamic Update is enabled).
+
+This approach has some interesting benefits. The original Windows image doesn’t need to be modified, possibly saving time and scripting. For some commercial customers, this is implemented as their primary pain point has to do with language support immediately after the update.
+
+### Option 5: Install optional content after deployment
+
+This option is like Option 3 in that you customize the operating system image with additional optional content after it’s deployed. IT pros can extend the behavior of Windows Setup by running their own custom action scripts during and after a feature update. See [Run custom actions during feature update](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-enable-custom-actions) for details. With this approach, you can create a device-specific migration of optional content by capturing the optional content that is installed in the operating system, and then saving this list to install the same optional content in the new operating system. Like Option 4, you would internally host a network share that contains the source of the optional content packages. Then, during the execution of Setup on the device, capture the list of installed optional content from the source operating system and save. Later, after Setup completes, you use the list to install the optional content, which leaves the user’s device without loss of functionality.
+
+### Option 6: Configure an alternative source for optional content
+
+Several of the options address ways to address optional content migration issues during an in-place update. To address the second pain point of easily acquiring optional content in the user-initiated case, you can configure each device by using the Specify settings for optional component installation and component repair Group Policy. This policy setting specifies the network locations that will be used for the repair of operating system corruption and for enabling optional features that have had their payload files removed. This approach has the disadvantage of additional content to be hosted within your network (additional to the operating system image you might be still deploying to some clients) but has the advantage of acquiring content within your network. Some reminders about this policy:
+
+- The file path to the alternate source must be a fully qualified path; multiple locations can be separated by a semicolon.
+- This setting does not support installing language packs from Alternate source file path, only Features on Demand. If the policy is configured to acquire content from Windows Update, language packs will be acquired.
+- If this setting is not configured or disabled, files will be downloaded from the default Windows Update location, for example Windows Update for Business or WSUS).
+
+See [Configure a Windows Repair Source](https://docs.microsoft.com/windows-hardware/manufacture/desktop/configure-a-windows-repair-source) for more information.
+
+
+## Learn more
+
+For more information about the Unified Update Platform and the approaches outlined in this article, see the following resources:
+
+- [/InstallLangPacks](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-command-line-options#installlangpacks)
+- [/DynamicUpdate](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-command-line-options#dynamicupdate)
+- [Configure a Windows Repair Source](https://docs.microsoft.com/windows-hardware/manufacture/desktop/configure-a-windows-repair-source)
+- [Ignite 2019 theater session THR3073](https://medius.studios.ms/video/asset/HIGHMP4/IG19-THR3073)
+- [Ignite 2019 theater session THR4002](https://medius.studios.ms/video/asset/HIGHMP4/IG19-THR4002)
+- [Run custom actions during feature update](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-enable-custom-actions)
+- [Unified Update Platform](https://blogs.windows.com/windowsexperience/2016/11/03/introducing-unified-update-platform-uup/)
+- [Updating Windows 10 media with Dynamic Update packages](media-dynamic-update.md)
+- [Windows Setup Automation Overview](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-automation-overview)
+
+
+## Sample scripts
+
+Options 3 and 5 involve the most scripting. Sample scripts for Option 3 already exist, so we’ll look at sample scripts for [Option 5](#option-5-install-optional-content-after-deployment): Install Optional Content after Deployment.
+
+### Creating an optional content repository
+
+To get started, we’ll build a repository of optional content and host on a network share. This content is a subset of content from the FOD and language pack ISOs that ship with each release. We’ll configure this repository or repo with only those FODs our organization needs, using DISM /Export. For example, a superset based on taking inventory of optional features installed on existing devices. In this case, we exclude the Windows Mixed Reality feature. In addition, we copy all language packs to the root of the repository.
+
+
+
+```powershell
+# Declare media for FOD and LPs
+$LP_ISO_PATH = "C:\_IMAGE\2004_ISO\CLIENTLANGPACKDVD_OEM_MULTI.iso"
+$FOD_ISO_PATH = "C:\_IMAGE\2004_ISO\FOD-PACKAGES_OEM_PT1_amd64fre_MULTI.iso"
+
+# Declare folders
+$WORKING_PATH = "C:\_IMAGE\BuildRepo"
+$MEDIA_PATH = "C:\_IMAGE\2004_SETUP"
+
+$MAIN_OS_MOUNT = $WORKING_PATH + "\MainOSMount"
+$REPO_PATH = $WORKING_PATH + "\Repo"
+
+# Create folders for mounting image optional content repository
+if (Test-Path $MAIN_OS_MOUNT) {
+ Remove-Item -Path $MAIN_OS_MOUNT -Force -Recurse -ErrorAction stop| Out-Null
+}
+
+if (Test-Path $REPO_PATH) {
+ Remove-Item -Path $REPO_PATH -Force -Recurse -ErrorAction stop| Out-Null
+}
+
+New-Item -ItemType Directory -Force -Path $MAIN_OS_MOUNT -ErrorAction stop| Out-Null
+New-Item -ItemType Directory -Force -Path $REPO_PATH -ErrorAction stop| Out-Null
+
+# Mount the main OS, I'll use this throughout the script
+Write-Host "Mounting main OS"
+Mount-WindowsImage -ImagePath $MEDIA_PATH"\sources\install.wim" -Index 1 -Path $MAIN_OS_MOUNT -ErrorAction stop| Out-Null
+
+# Mount the LP ISO
+Write-Host "Mounting LP ISO"
+$LP_ISO_DRIVE_LETTER = (Mount-DiskImage -ImagePath $LP_ISO_PATH -ErrorAction stop | Get-Volume).DriveLetter
+
+# Declare language related cabs
+$OS_LP_PATH = $LP_ISO_DRIVE_LETTER + ":\x64\langpacks\" + "*.cab"
+
+# Mount the FOD ISO
+Write-Host "Mounting FOD ISO"
+$FOD_ISO_DRIVE_LETTER = (Mount-DiskImage -ImagePath $FOD_ISO_PATH -ErrorAction stop | Get-Volume).DriveLetter
+$FOD_PATH = $FOD_ISO_DRIVE_LETTER + ":\"
+
+# Export the FODs from the ISO that we are interested in
+Write-Host "Exporting FODs to Repo"
+DISM /image:$MAIN_OS_MOUNT /export-source /source:$FOD_PATH /target:$REPO_PATH `
+ /capabilityname:Accessibility.Braille~~~~0.0.1.0 `
+ /capabilityname:App.StepsRecorder~~~~0.0.1.0 `
+ /capabilityname:App.WirelessDisplay.Connect~~~~0.0.1.0 `
+ /capabilityname:Browser.InternetExplorer~~~~0.0.11.0 `
+ /capabilityname:DirectX.Configuration.Database~~~~0.0.1.0 `
+ /capabilityname:Language.Basic~~~af-za~0.0.1.0 `
+ /capabilityname:Language.Basic~~~ar-sa~0.0.1.0 `
+ /capabilityname:Language.Basic~~~as-in~0.0.1.0 `
+ /capabilityname:Language.Basic~~~az-latn-az~0.0.1.0 `
+ /capabilityname:Language.Basic~~~ba-ru~0.0.1.0 `
+ /capabilityname:Language.Basic~~~be-by~0.0.1.0 `
+ /capabilityname:Language.Basic~~~bg-bg~0.0.1.0 `
+ /capabilityname:Language.Basic~~~bn-bd~0.0.1.0 `
+ /capabilityname:Language.Basic~~~bn-in~0.0.1.0 `
+ /capabilityname:Language.Basic~~~bs-latn-ba~0.0.1.0 `
+ /capabilityname:Language.Basic~~~ca-es~0.0.1.0 `
+ /capabilityname:Language.Basic~~~cs-cz~0.0.1.0 `
+ /capabilityname:Language.Basic~~~cy-gb~0.0.1.0 `
+ /capabilityname:Language.Basic~~~da-dk~0.0.1.0 `
+ /capabilityname:Language.Basic~~~de-ch~0.0.1.0 `
+ /capabilityname:Language.Basic~~~de-de~0.0.1.0 `
+ /capabilityname:Language.Basic~~~el-gr~0.0.1.0 `
+ /capabilityname:Language.Basic~~~en-au~0.0.1.0 `
+ /capabilityname:Language.Basic~~~en-ca~0.0.1.0 `
+ /capabilityname:Language.Basic~~~en-gb~0.0.1.0 `
+ /capabilityname:Language.Basic~~~en-in~0.0.1.0 `
+ /capabilityname:Language.Basic~~~en-us~0.0.1.0 `
+ /capabilityname:Language.Basic~~~es-es~0.0.1.0 `
+ /capabilityname:Language.Basic~~~es-mx~0.0.1.0 `
+ /capabilityname:Language.Basic~~~es-us~0.0.1.0 `
+ /capabilityname:Language.Basic~~~et-ee~0.0.1.0 `
+ /capabilityname:Language.Basic~~~eu-es~0.0.1.0 `
+ /capabilityname:Language.Basic~~~fa-ir~0.0.1.0 `
+ /capabilityname:Language.Basic~~~fi-fi~0.0.1.0 `
+ /capabilityname:Language.Basic~~~fil-ph~0.0.1.0 `
+ /capabilityname:Language.Basic~~~fr-be~0.0.1.0 `
+ /capabilityname:Language.Basic~~~fr-ca~0.0.1.0 `
+ /capabilityname:Language.Basic~~~fr-ch~0.0.1.0 `
+ /capabilityname:Language.Basic~~~fr-fr~0.0.1.0 `
+ /capabilityname:Language.Basic~~~ga-ie~0.0.1.0 `
+ /capabilityname:Language.Basic~~~gd-gb~0.0.1.0 `
+ /capabilityname:Language.Basic~~~gl-es~0.0.1.0 `
+ /capabilityname:Language.Basic~~~gu-in~0.0.1.0 `
+ /capabilityname:Language.Basic~~~ha-latn-ng~0.0.1.0 `
+ /capabilityname:Language.Basic~~~haw-us~0.0.1.0 `
+ /capabilityname:Language.Basic~~~he-il~0.0.1.0 `
+ /capabilityname:Language.Basic~~~hi-in~0.0.1.0 `
+ /capabilityname:Language.Basic~~~hr-hr~0.0.1.0 `
+ /capabilityname:Language.Basic~~~hu-hu~0.0.1.0 `
+ /capabilityname:Language.Basic~~~hy-am~0.0.1.0 `
+ /capabilityname:Language.Basic~~~id-id~0.0.1.0 `
+ /capabilityname:Language.Basic~~~ig-ng~0.0.1.0 `
+ /capabilityname:Language.Basic~~~is-is~0.0.1.0 `
+ /capabilityname:Language.Basic~~~it-it~0.0.1.0 `
+ /capabilityname:Language.Basic~~~ja-jp~0.0.1.0 `
+ /capabilityname:Language.Basic~~~ka-ge~0.0.1.0 `
+ /capabilityname:Language.Basic~~~kk-kz~0.0.1.0 `
+ /capabilityname:Language.Basic~~~kl-gl~0.0.1.0 `
+ /capabilityname:Language.Basic~~~kn-in~0.0.1.0 `
+ /capabilityname:Language.Basic~~~kok-deva-in~0.0.1.0 `
+ /capabilityname:Language.Basic~~~ko-kr~0.0.1.0 `
+ /capabilityname:Language.Basic~~~ky-kg~0.0.1.0 `
+ /capabilityname:Language.Basic~~~lb-lu~0.0.1.0 `
+ /capabilityname:Language.Basic~~~lt-lt~0.0.1.0 `
+ /capabilityname:Language.Basic~~~lv-lv~0.0.1.0 `
+ /capabilityname:Language.Basic~~~mi-nz~0.0.1.0 `
+ /capabilityname:Language.Basic~~~mk-mk~0.0.1.0 `
+ /capabilityname:Language.Basic~~~ml-in~0.0.1.0 `
+ /capabilityname:Language.Basic~~~mn-mn~0.0.1.0 `
+ /capabilityname:Language.Basic~~~mr-in~0.0.1.0 `
+ /capabilityname:Language.Basic~~~ms-bn~0.0.1.0 `
+ /capabilityname:Language.Basic~~~ms-my~0.0.1.0 `
+ /capabilityname:Language.Basic~~~mt-mt~0.0.1.0 `
+ /capabilityname:Language.Basic~~~nb-no~0.0.1.0 `
+ /capabilityname:Language.Basic~~~ne-np~0.0.1.0 `
+ /capabilityname:Language.Basic~~~nl-nl~0.0.1.0 `
+ /capabilityname:Language.Basic~~~nn-no~0.0.1.0 `
+ /capabilityname:Language.Basic~~~nso-za~0.0.1.0 `
+ /capabilityname:Language.Basic~~~or-in~0.0.1.0 `
+ /capabilityname:Language.Basic~~~pa-in~0.0.1.0 `
+ /capabilityname:Language.Basic~~~pl-pl~0.0.1.0 `
+ /capabilityname:Language.Basic~~~ps-af~0.0.1.0 `
+ /capabilityname:Language.Basic~~~pt-br~0.0.1.0 `
+ /capabilityname:Language.Basic~~~pt-pt~0.0.1.0 `
+ /capabilityname:Language.Basic~~~rm-ch~0.0.1.0 `
+ /capabilityname:Language.Basic~~~ro-ro~0.0.1.0 `
+ /capabilityname:Language.Basic~~~ru-ru~0.0.1.0 `
+ /capabilityname:Language.Basic~~~rw-rw~0.0.1.0 `
+ /capabilityname:Language.Basic~~~sah-ru~0.0.1.0 `
+ /capabilityname:Language.Basic~~~si-lk~0.0.1.0 `
+ /capabilityname:Language.Basic~~~sk-sk~0.0.1.0 `
+ /capabilityname:Language.Basic~~~sl-si~0.0.1.0 `
+ /capabilityname:Language.Basic~~~sq-al~0.0.1.0 `
+ /capabilityname:Language.Basic~~~sr-cyrl-rs~0.0.1.0 `
+ /capabilityname:Language.Basic~~~sr-latn-rs~0.0.1.0 `
+ /capabilityname:Language.Basic~~~sv-se~0.0.1.0 `
+ /capabilityname:Language.Basic~~~sw-ke~0.0.1.0 `
+ /capabilityname:Language.Basic~~~ta-in~0.0.1.0 `
+ /capabilityname:Language.Basic~~~te-in~0.0.1.0 `
+ /capabilityname:Language.Basic~~~tg-cyrl-tj~0.0.1.0 `
+ /capabilityname:Language.Basic~~~th-th~0.0.1.0 `
+ /capabilityname:Language.Basic~~~tk-tm~0.0.1.0 `
+ /capabilityname:Language.Basic~~~tn-za~0.0.1.0 `
+ /capabilityname:Language.Basic~~~tr-tr~0.0.1.0 `
+ /capabilityname:Language.Basic~~~tt-ru~0.0.1.0 `
+ /capabilityname:Language.Basic~~~ug-cn~0.0.1.0 `
+ /capabilityname:Language.Basic~~~uk-ua~0.0.1.0 `
+ /capabilityname:Language.Basic~~~ur-pk~0.0.1.0 `
+ /capabilityname:Language.Basic~~~uz-latn-uz~0.0.1.0 `
+ /capabilityname:Language.Basic~~~vi-vn~0.0.1.0 `
+ /capabilityname:Language.Basic~~~wo-sn~0.0.1.0 `
+ /capabilityname:Language.Basic~~~xh-za~0.0.1.0 `
+ /capabilityname:Language.Basic~~~yo-ng~0.0.1.0 `
+ /capabilityname:Language.Basic~~~zh-cn~0.0.1.0 `
+ /capabilityname:Language.Basic~~~zh-hk~0.0.1.0 `
+ /capabilityname:Language.Basic~~~zh-tw~0.0.1.0 `
+ /capabilityname:Language.Basic~~~zu-za~0.0.1.0 `
+ /capabilityname:Language.Fonts.Arab~~~und-Arab~0.0.1.0 `
+ /capabilityname:Language.Fonts.Beng~~~und-Beng~0.0.1.0 `
+ /capabilityname:Language.Fonts.Cans~~~und-Cans~0.0.1.0 `
+ /capabilityname:Language.Fonts.Cher~~~und-Cher~0.0.1.0 `
+ /capabilityname:Language.Fonts.Deva~~~und-Deva~0.0.1.0 `
+ /capabilityname:Language.Fonts.Ethi~~~und-Ethi~0.0.1.0 `
+ /capabilityname:Language.Fonts.Gujr~~~und-Gujr~0.0.1.0 `
+ /capabilityname:Language.Fonts.Guru~~~und-Guru~0.0.1.0 `
+ /capabilityname:Language.Fonts.Hans~~~und-Hans~0.0.1.0 `
+ /capabilityname:Language.Fonts.Hant~~~und-Hant~0.0.1.0 `
+ /capabilityname:Language.Fonts.Hebr~~~und-Hebr~0.0.1.0 `
+ /capabilityname:Language.Fonts.Jpan~~~und-Jpan~0.0.1.0 `
+ /capabilityname:Language.Fonts.Khmr~~~und-Khmr~0.0.1.0 `
+ /capabilityname:Language.Fonts.Knda~~~und-Knda~0.0.1.0 `
+ /capabilityname:Language.Fonts.Kore~~~und-Kore~0.0.1.0 `
+ /capabilityname:Language.Fonts.Laoo~~~und-Laoo~0.0.1.0 `
+ /capabilityname:Language.Fonts.Mlym~~~und-Mlym~0.0.1.0 `
+ /capabilityname:Language.Fonts.Orya~~~und-Orya~0.0.1.0 `
+ /capabilityname:Language.Fonts.PanEuropeanSupplementalFonts~~~0.0.1.0 `
+ /capabilityname:Language.Fonts.Sinh~~~und-Sinh~0.0.1.0 `
+ /capabilityname:Language.Fonts.Syrc~~~und-Syrc~0.0.1.0 `
+ /capabilityname:Language.Fonts.Taml~~~und-Taml~0.0.1.0 `
+ /capabilityname:Language.Fonts.Telu~~~und-Telu~0.0.1.0 `
+ /capabilityname:Language.Fonts.Thai~~~und-Thai~0.0.1.0 `
+ /capabilityname:Language.Handwriting~~~af-za~0.0.1.0 `
+ /capabilityname:Language.Handwriting~~~bs-latn-ba~0.0.1.0 `
+ /capabilityname:Language.Handwriting~~~ca-es~0.0.1.0 `
+ /capabilityname:Language.Handwriting~~~cs-cz~0.0.1.0 `
+ /capabilityname:Language.Handwriting~~~cy-gb~0.0.1.0 `
+ /capabilityname:Language.Handwriting~~~da-dk~0.0.1.0 `
+ /capabilityname:Language.Handwriting~~~de-de~0.0.1.0 `
+ /capabilityname:Language.Handwriting~~~el-gr~0.0.1.0 `
+ /capabilityname:Language.Handwriting~~~en-gb~0.0.1.0 `
+ /capabilityname:Language.Handwriting~~~en-us~0.0.1.0 `
+ /capabilityname:Language.Handwriting~~~es-es~0.0.1.0 `
+ /capabilityname:Language.Handwriting~~~es-mx~0.0.1.0 `
+ /capabilityname:Language.Handwriting~~~eu-es~0.0.1.0 `
+ /capabilityname:Language.Handwriting~~~fi-fi~0.0.1.0 `
+ /capabilityname:Language.Handwriting~~~fr-fr~0.0.1.0 `
+ /capabilityname:Language.Handwriting~~~ga-ie~0.0.1.0 `
+ /capabilityname:Language.Handwriting~~~gd-gb~0.0.1.0 `
+ /capabilityname:Language.Handwriting~~~gl-es~0.0.1.0 `
+ /capabilityname:Language.Handwriting~~~hi-in~0.0.1.0 `
+ /capabilityname:Language.Handwriting~~~hr-hr~0.0.1.0 `
+ /capabilityname:Language.Handwriting~~~id-id~0.0.1.0 `
+ /capabilityname:Language.Handwriting~~~it-it~0.0.1.0 `
+ /capabilityname:Language.Handwriting~~~ja-jp~0.0.1.0 `
+ /capabilityname:Language.Handwriting~~~ko-kr~0.0.1.0 `
+ /capabilityname:Language.Handwriting~~~lb-lu~0.0.1.0 `
+ /capabilityname:Language.Handwriting~~~mi-nz~0.0.1.0 `
+ /capabilityname:Language.Handwriting~~~ms-bn~0.0.1.0 `
+ /capabilityname:Language.Handwriting~~~ms-my~0.0.1.0 `
+ /capabilityname:Language.Handwriting~~~nb-no~0.0.1.0 `
+ /capabilityname:Language.Handwriting~~~nl-nl~0.0.1.0 `
+ /capabilityname:Language.Handwriting~~~nn-no~0.0.1.0 `
+ /capabilityname:Language.Handwriting~~~nso-za~0.0.1.0 `
+ /capabilityname:Language.Handwriting~~~pl-pl~0.0.1.0 `
+ /capabilityname:Language.Handwriting~~~pt-br~0.0.1.0 `
+ /capabilityname:Language.Handwriting~~~pt-pt~0.0.1.0 `
+ /capabilityname:Language.Handwriting~~~rm-ch~0.0.1.0 `
+ /capabilityname:Language.Handwriting~~~ro-ro~0.0.1.0 `
+ /capabilityname:Language.Handwriting~~~ru-ru~0.0.1.0 `
+ /capabilityname:Language.Handwriting~~~rw-rw~0.0.1.0 `
+ /capabilityname:Language.Handwriting~~~sk-sk~0.0.1.0 `
+ /capabilityname:Language.Handwriting~~~sl-si~0.0.1.0 `
+ /capabilityname:Language.Handwriting~~~sq-al~0.0.1.0 `
+ /capabilityname:Language.Handwriting~~~sr-cyrl-rs~0.0.1.0 `
+ /capabilityname:Language.Handwriting~~~sr-latn-rs~0.0.1.0 `
+ /capabilityname:Language.Handwriting~~~sv-se~0.0.1.0 `
+ /capabilityname:Language.Handwriting~~~sw-ke~0.0.1.0 `
+ /capabilityname:Language.Handwriting~~~tn-za~0.0.1.0 `
+ /capabilityname:Language.Handwriting~~~tr-tr~0.0.1.0 `
+ /capabilityname:Language.Handwriting~~~wo-sn~0.0.1.0 `
+ /capabilityname:Language.Handwriting~~~xh-za~0.0.1.0 `
+ /capabilityname:Language.Handwriting~~~zh-cn~0.0.1.0 `
+ /capabilityname:Language.Handwriting~~~zh-hk~0.0.1.0 `
+ /capabilityname:Language.Handwriting~~~zh-tw~0.0.1.0 `
+ /capabilityname:Language.Handwriting~~~zu-za~0.0.1.0 `
+ /capabilityname:Language.LocaleData~~~zh-tw~0.0.1.0 `
+ /capabilityname:Language.OCR~~~ar-sa~0.0.1.0 `
+ /capabilityname:Language.OCR~~~bg-bg~0.0.1.0 `
+ /capabilityname:Language.OCR~~~bs-latn-ba~0.0.1.0 `
+ /capabilityname:Language.OCR~~~cs-cz~0.0.1.0 `
+ /capabilityname:Language.OCR~~~da-dk~0.0.1.0 `
+ /capabilityname:Language.OCR~~~de-de~0.0.1.0 `
+ /capabilityname:Language.OCR~~~el-gr~0.0.1.0 `
+ /capabilityname:Language.OCR~~~en-gb~0.0.1.0 `
+ /capabilityname:Language.OCR~~~en-us~0.0.1.0 `
+ /capabilityname:Language.OCR~~~es-es~0.0.1.0 `
+ /capabilityname:Language.OCR~~~es-mx~0.0.1.0 `
+ /capabilityname:Language.OCR~~~fi-fi~0.0.1.0 `
+ /capabilityname:Language.OCR~~~fr-ca~0.0.1.0 `
+ /capabilityname:Language.OCR~~~fr-fr~0.0.1.0 `
+ /capabilityname:Language.OCR~~~hr-hr~0.0.1.0 `
+ /capabilityname:Language.OCR~~~hu-hu~0.0.1.0 `
+ /capabilityname:Language.OCR~~~it-it~0.0.1.0 `
+ /capabilityname:Language.OCR~~~ja-jp~0.0.1.0 `
+ /capabilityname:Language.OCR~~~ko-kr~0.0.1.0 `
+ /capabilityname:Language.OCR~~~nb-no~0.0.1.0 `
+ /capabilityname:Language.OCR~~~nl-nl~0.0.1.0 `
+ /capabilityname:Language.OCR~~~pl-pl~0.0.1.0 `
+ /capabilityname:Language.OCR~~~pt-br~0.0.1.0 `
+ /capabilityname:Language.OCR~~~pt-pt~0.0.1.0 `
+ /capabilityname:Language.OCR~~~ro-ro~0.0.1.0 `
+ /capabilityname:Language.OCR~~~ru-ru~0.0.1.0 `
+ /capabilityname:Language.OCR~~~sk-sk~0.0.1.0 `
+ /capabilityname:Language.OCR~~~sl-si~0.0.1.0 `
+ /capabilityname:Language.OCR~~~sr-cyrl-rs~0.0.1.0 `
+ /capabilityname:Language.OCR~~~sr-latn-rs~0.0.1.0 `
+ /capabilityname:Language.OCR~~~sv-se~0.0.1.0 `
+ /capabilityname:Language.OCR~~~tr-tr~0.0.1.0 `
+ /capabilityname:Language.OCR~~~zh-cn~0.0.1.0 `
+ /capabilityname:Language.OCR~~~zh-hk~0.0.1.0 `
+ /capabilityname:Language.OCR~~~zh-tw~0.0.1.0 `
+ /capabilityname:Language.Speech~~~da-dk~0.0.1.0 `
+ /capabilityname:Language.Speech~~~de-de~0.0.1.0 `
+ /capabilityname:Language.Speech~~~en-au~0.0.1.0 `
+ /capabilityname:Language.Speech~~~en-ca~0.0.1.0 `
+ /capabilityname:Language.Speech~~~en-gb~0.0.1.0 `
+ /capabilityname:Language.Speech~~~en-in~0.0.1.0 `
+ /capabilityname:Language.Speech~~~en-us~0.0.1.0 `
+ /capabilityname:Language.Speech~~~es-es~0.0.1.0 `
+ /capabilityname:Language.Speech~~~es-mx~0.0.1.0 `
+ /capabilityname:Language.Speech~~~fr-ca~0.0.1.0 `
+ /capabilityname:Language.Speech~~~fr-fr~0.0.1.0 `
+ /capabilityname:Language.Speech~~~it-it~0.0.1.0 `
+ /capabilityname:Language.Speech~~~ja-jp~0.0.1.0 `
+ /capabilityname:Language.Speech~~~pt-br~0.0.1.0 `
+ /capabilityname:Language.Speech~~~zh-cn~0.0.1.0 `
+ /capabilityname:Language.Speech~~~zh-hk~0.0.1.0 `
+ /capabilityname:Language.Speech~~~zh-tw~0.0.1.0 `
+ /capabilityname:Language.TextToSpeech~~~ar-eg~0.0.1.0 `
+ /capabilityname:Language.TextToSpeech~~~ar-sa~0.0.1.0 `
+ /capabilityname:Language.TextToSpeech~~~bg-bg~0.0.1.0 `
+ /capabilityname:Language.TextToSpeech~~~ca-es~0.0.1.0 `
+ /capabilityname:Language.TextToSpeech~~~cs-cz~0.0.1.0 `
+ /capabilityname:Language.TextToSpeech~~~da-dk~0.0.1.0 `
+ /capabilityname:Language.TextToSpeech~~~de-at~0.0.1.0 `
+ /capabilityname:Language.TextToSpeech~~~de-ch~0.0.1.0 `
+ /capabilityname:Language.TextToSpeech~~~de-de~0.0.1.0 `
+ /capabilityname:Language.TextToSpeech~~~el-gr~0.0.1.0 `
+ /capabilityname:Language.TextToSpeech~~~en-au~0.0.1.0 `
+
/capabilityname:Language.TextToSpeech~~~en-ca~0.0.1.0 ` + /capabilityname:Language.TextToSpeech~~~en-gb~0.0.1.0 ` + /capabilityname:Language.TextToSpeech~~~en-ie~0.0.1.0 ` + /capabilityname:Language.TextToSpeech~~~en-in~0.0.1.0 ` + /capabilityname:Language.TextToSpeech~~~en-us~0.0.1.0 ` + /capabilityname:Language.TextToSpeech~~~es-es~0.0.1.0 ` + /capabilityname:Language.TextToSpeech~~~es-mx~0.0.1.0 ` + /capabilityname:Language.TextToSpeech~~~fi-fi~0.0.1.0 ` + /capabilityname:Language.TextToSpeech~~~fr-ca~0.0.1.0 ` + /capabilityname:Language.TextToSpeech~~~fr-ch~0.0.1.0 ` + /capabilityname:Language.TextToSpeech~~~fr-fr~0.0.1.0 ` + /capabilityname:Language.TextToSpeech~~~he-il~0.0.1.0 ` + /capabilityname:Language.TextToSpeech~~~hi-in~0.0.1.0 ` + /capabilityname:Language.TextToSpeech~~~hr-hr~0.0.1.0 ` + /capabilityname:Language.TextToSpeech~~~hu-hu~0.0.1.0 ` + /capabilityname:Language.TextToSpeech~~~id-id~0.0.1.0 ` + /capabilityname:Language.TextToSpeech~~~it-it~0.0.1.0 ` + /capabilityname:Language.TextToSpeech~~~ja-jp~0.0.1.0 ` + /capabilityname:Language.TextToSpeech~~~ko-kr~0.0.1.0 ` + /capabilityname:Language.TextToSpeech~~~ms-my~0.0.1.0 ` + /capabilityname:Language.TextToSpeech~~~nb-no~0.0.1.0 ` + /capabilityname:Language.TextToSpeech~~~nl-be~0.0.1.0 ` + /capabilityname:Language.TextToSpeech~~~nl-nl~0.0.1.0 ` + /capabilityname:Language.TextToSpeech~~~pl-pl~0.0.1.0 ` + /capabilityname:Language.TextToSpeech~~~pt-br~0.0.1.0 ` + /capabilityname:Language.TextToSpeech~~~pt-pt~0.0.1.0 ` + /capabilityname:Language.TextToSpeech~~~ro-ro~0.0.1.0 ` + /capabilityname:Language.TextToSpeech~~~ru-ru~0.0.1.0 ` + /capabilityname:Language.TextToSpeech~~~sk-sk~0.0.1.0 ` + /capabilityname:Language.TextToSpeech~~~sl-si~0.0.1.0 ` + /capabilityname:Language.TextToSpeech~~~sv-se~0.0.1.0 ` + /capabilityname:Language.TextToSpeech~~~ta-in~0.0.1.0 ` + /capabilityname:Language.TextToSpeech~~~th-th~0.0.1.0 ` + /capabilityname:Language.TextToSpeech~~~tr-tr~0.0.1.0 ` + 
/capabilityname:Language.TextToSpeech~~~vi-vn~0.0.1.0 ` + /capabilityname:Language.TextToSpeech~~~zh-cn~0.0.1.0 ` + /capabilityname:Language.TextToSpeech~~~zh-hk~0.0.1.0 ` + /capabilityname:Language.TextToSpeech~~~zh-tw~0.0.1.0 ` + /capabilityname:MathRecognizer~~~~0.0.1.0 ` + /capabilityname:Microsoft.Onecore.StorageManagement~~~~0.0.1.0 ` + /capabilityname:Microsoft.WebDriver~~~~0.0.1.0 ` + /capabilityname:Microsoft.Windows.MSPaint~~~~0.0.1.0 ` + /capabilityname:Microsoft.Windows.Notepad~~~~0.0.1.0 ` + /capabilityname:Microsoft.Windows.PowerShell.ISE~~~~0.0.1.0 ` + /capabilityname:Microsoft.Windows.StorageManagement~~~~0.0.1.0 ` + /capabilityname:Microsoft.Windows.WordPad~~~~0.0.1.0 ` + /capabilityname:Msix.PackagingTool.Driver~~~~0.0.1.0 ` + /capabilityname:NetFX3~~ ` + /capabilityname:Network.Irda~~~~0.0.1.0 ` + /capabilityname:OneCoreUAP.OneSync~~~~0.0.1.0 ` + /capabilityname:OpenSSH.Client~~~~0.0.1.0 ` + /capabilityname:OpenSSH.Server~~~~0.0.1.0 ` + /capabilityname:Print.EnterpriseCloudPrint~~~~0.0.1.0 ` + /capabilityname:Print.Fax.Scan~~~~0.0.1.0 ` + /capabilityname:Print.Management.Console~~~~0.0.1.0 ` + /capabilityname:Print.MopriaCloudService~~~~0.0.1.0 ` + /capabilityname:RasCMAK.Client~~~~0.0.1.0 ` + /capabilityname:RIP.Listener~~~~0.0.1.0 ` + /capabilityname:Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0 ` + /capabilityname:Rsat.BitLocker.Recovery.Tools~~~~0.0.1.0 ` + /capabilityname:Rsat.CertificateServices.Tools~~~~0.0.1.0 ` + /capabilityname:Rsat.DHCP.Tools~~~~0.0.1.0 ` + /capabilityname:Rsat.Dns.Tools~~~~0.0.1.0 ` + /capabilityname:Rsat.FailoverCluster.Management.Tools~~~~0.0.1.0 ` + /capabilityname:Rsat.FileServices.Tools~~~~0.0.1.0 ` + /capabilityname:Rsat.GroupPolicy.Management.Tools~~~~0.0.1.0 ` + /capabilityname:Rsat.IPAM.Client.Tools~~~~0.0.1.0 ` + /capabilityname:Rsat.LLDP.Tools~~~~0.0.1.0 ` + /capabilityname:Rsat.NetworkController.Tools~~~~0.0.1.0 ` + /capabilityname:Rsat.NetworkLoadBalancing.Tools~~~~0.0.1.0 ` + 
/capabilityname:Rsat.RemoteAccess.Management.Tools~~~~0.0.1.0 ` + /capabilityname:Rsat.RemoteDesktop.Services.Tools~~~~0.0.1.0 ` + /capabilityname:Rsat.ServerManager.Tools~~~~0.0.1.0 ` + /capabilityname:Rsat.Shielded.VM.Tools~~~~0.0.1.0 ` + /capabilityname:Rsat.StorageMigrationService.Management.Tools~~~~0.0.1.0 ` + /capabilityname:Rsat.StorageReplica.Tools~~~~0.0.1.0 ` + /capabilityname:Rsat.SystemInsights.Management.Tools~~~~0.0.1.0 ` + /capabilityname:Rsat.VolumeActivation.Tools~~~~0.0.1.0 ` + /capabilityname:Rsat.WSUS.Tools~~~~0.0.1.0 ` + /capabilityname:ServerCore.AppCompatibility~~~~0.0.1.0 ` + /capabilityname:SNMP.Client~~~~0.0.1.0 ` + /capabilityname:Tools.DeveloperMode.Core~~~~0.0.1.0 ` + /capabilityname:Tools.Graphics.DirectX~~~~0.0.1.0 ` + /capabilityname:Windows.Client.ShellComponents~~~~0.0.1.0 ` + /capabilityname:Windows.Desktop.EMS-SAC.Tools~~~~0.0.1.0 ` + /capabilityname:WMI-SNMP-Provider.Client~~~~0.0.1.0 ` + /capabilityname:XPS.Viewer~~~~0.0.1.0 + + # This one is large, lets skip for now + #/capabilityname:Analog.Holographic.Desktop~~~~0.0.1.0 ` + + +# Copy language caps to the repo +Copy-Item -Path $OS_LP_PATH -Destination $REPO_PATH -Force -ErrorAction stop | Out-Null + +# Dismount OS image +Dismount-WindowsImage -Path $MAIN_OS_MOUNT -Discard -ErrorAction ignore | Out-Null + +# Dismount ISO images +Write-Host "Dismounting ISO images" +Dismount-DiskImage -ImagePath $LP_ISO_PATH -ErrorAction ignore | Out-Null +Dismount-DiskImage -ImagePath $FOD_ISO_PATH -ErrorAction ignore | Out-Null + +``` + +### Saving optional content in the source operating system + +To save optional content state in the source operating system, we create a custom action script to run before the operating system installs. In this script, we save optional features and language resources to a file. We also make a local copy of the repo with only those files needed based on the languages installed on the source operating system. This will limit the files to copy. 
+ + +```powershell +$OUTPUT_PATH = "C:\TEMP\" +$LOG_PATH = $OUTPUT_PATH + "log.txt" +$OUTPUT_PATH = "C:\TEMP\" +$LOG_PATH = $OUTPUT_PATH + "log.txt" +$LANG_PATH = $OUTPUT_PATH + "sourceLang.txt" +$CAP_PATH = $OUTPUT_PATH + "sourceCapability.txt" +$OSVERSION_PATH = $OUTPUT_PATH + "sourceVersion.txt" +$REPO_PATH = "Z:\Repo\" +$LOCAL_REPO_PATH = $OUTPUT_PATH + "Local_Repo\" + +Function Get-TS { return "{0:HH:mm:ss}" -f (Get-Date) } + +Function Log +{ + param ( + [Parameter(Mandatory=$True)] + [string]$MESSAGE + ) + + $M = "$(Get-TS): PreInstall: $MESSAGE" + Write-Host $M + Add-Content -Path $LOG_PATH -Value $M + + } + +Function IsLangFile +{ + param ( + [Parameter(Mandatory=$True)] + [string]$PATH + ) + + if (($PATH -match '[-_~]ar[-_~]') -or ($PATH -match '[-_~]bg[-_~]') -or ($PATH -match '[-_~]cs[-_~]') -or ` + ($PATH -match '[-_~]da[-_~]') -or ($PATH -match '[-_~]de[-_~]') -or ($PATH -match '[-_~]el[-_~]') -or ` + ($PATH -match '[-_~]en[-_~]') -or ($PATH -match '[-_~]es[-_~]') -or ($PATH -match '[-_~]et[-_~]') -or ` + ($PATH -match '[-_~]fi[-_~]') -or ($PATH -match '[-_~]fr[-_~]') -or ($PATH -match '[-_~]he[-_~]') -or ` + ($PATH -match '[-_~]hr[-_~]') -or ($PATH -match '[-_~]hu[-_~]') -or ($PATH -match '[-_~]it[-_~]') -or ` + ($PATH -match '[-_~]ja[-_~]') -or ($PATH -match '[-_~]ko[-_~]') -or ($PATH -match '[-_~]lt[-_~]') -or ` + ($PATH -match '[-_~]lv[-_~]') -or ($PATH -match '[-_~]nb[-_~]') -or ($PATH -match '[-_~]nl[-_~]') -or ` + ($PATH -match '[-_~]pl[-_~]') -or ($PATH -match '[-_~]pt[-_~]') -or ($PATH -match '[-_~]ro[-_~]') -or ` + ($PATH -match '[-_~]ru[-_~]') -or ($PATH -match '[-_~]sk[-_~]') -or ($PATH -match '[-_~]sl[-_~]') -or ` + ($PATH -match '[-_~]sv[-_~]') -or ($PATH -match '[-_~]th[-_~]') -or ($PATH -match '[-_~]tr[-_~]') -or ` + ($PATH -match '[-_~]uk[-_~]') -or ($PATH -match '[-_~]zh[-_~]') -or ($PATH -match '[-_~]sr[-_~]')) { + return $True + } + else { + return $False + } + } + +# Remove the log +Remove-Item -Path $LOG_PATH -Force -ErrorAction 
ignore | Out-Null +Log "Starting" + +# Remove state files, keep repo if it exists +Remove-Item -Path $LANG_PATH -Force -ErrorAction ignore | Out-Null +Remove-Item -Path $CAP_PATH -Force -ErrorAction ignore | Out-Null +Remove-Item -Path $OSVERSION_PATH -Force -ErrorAction ignore | Out-Null + +# Get OS version, to use later for detecting compat scans versus OS installation +$OSINFO = Get-CimInstance Win32_OperatingSystem +Log "OS Version: $($OSINFO.Version)" +Add-Content -Path $OSVERSION_PATH -Value $OSINFO.Version + +# Get installed languages from international settings +$INTL = DISM.exe /Online /Get-Intl /English + +# Save only output lines with installed languages +$LANGUAGES = $INTL | Select-String -SimpleMatch 'Installed language(s)' + +# Replace with null so we have a simple list of language codes +$LANGUAGES = $LANGUAGES | ForEach-Object {$_.Line.Replace("Installed language(s): ","")} + +# Save System Language, save only output line with default system language +$SYSLANG = $INTL | Select-String -SimpleMatch 'Default system UI language' + +# Replace with null so we have the language code +$SYSLANG = $SYSLANG | ForEach-Object {$_.Line.Replace("Default system UI language : ","")} + +# Save these languages +Log "Default system UI language on source OS: $($SYSLANG)" +ForEach ($ITEM in $LANGUAGES) { + Log "Installed language on source OS: $($ITEM)" + Add-Content -Path $LANG_PATH -Value $ITEM +} + +# Get and save installed packages, we'll use this for debugging +$PACKAGES = Get-WindowsPackage -Online +ForEach ($ITEM in $PACKAGES) { + if($ITEM.PackageState -eq "Installed") { + Log "Package $($ITEM.PackageName) is installed" + } +} + +# Get and save capabilities +$CAPABILITIES = Get-WindowsCapability -Online +ForEach ($ITEM in $CAPABILITIES) { + if($ITEM.State -eq "Installed") { + Log "Capability $($ITEM.Name) is installed" + Add-Content -Path $CAP_PATH -Value $ITEM.Name + } +} + +# Copy a subset of the Repo files locally, all neutral files and the languages needed 
+$REPO_FILES = Get-ChildItem $REPO_PATH -file -Recurse +ForEach ($FILE in $REPO_FILES) { + $PATH = ($FILE.DirectoryName + "\") -Replace [Regex]::Escape($REPO_PATH), $LOCAL_REPO_PATH + If (!(Test-Path $Path)) { + New-Item -ItemType Directory -Path $PATH -Force | Out-Null + } + If ((IsLangFile $FILE.Name)) { + + # Only copy those files where we need the primary languages from the source OS + ForEach ($ITEM in $LANGUAGES) { + if ($FILE.Name -match $Item) { + + If (!(Test-Path (Join-Path $Path $File.Name))) { + Copy-Item $FILE.FullName -Destination $PATH -Force + Log "Copied file $($FILE.FullName) to local repository" + } + else { + Log "File $($FILE.Name) already exists in local repository" + } + } + } + } Else { + + # Copy all 'neutral files' and those language specific that are not in the core 38 + If (!(Test-Path (Join-Path $Path $File.Name))) { + Copy-Item $FILE.FullName -Destination $PATH -Force + Log "Copied file $($FILE.FullName) to local repository" + } + else { + Log "File $($FILE.Name) already exists in local repository" + } + } +} + +Log ("Exiting") + +``` + +### Adding optional content in the target operating system + +After setup has completed successfully, we use success.cmd to retrieve the optional content state from the source operating system and install in the new operating system only if that’s missing. Then, apply the latest monthly update as a final step. 
+ + +```powershell +$OUTPUT_PATH = "C:\TEMP\" +$LOG_PATH = $OUTPUT_PATH + "log.txt" +$LANG_PATH = $OUTPUT_PATH + "sourceLang.txt" +$CAP_PATH = $OUTPUT_PATH + "sourceCapability.txt" +$OSVERSION_PATH = $OUTPUT_PATH + "sourceVersion.txt" +$LOCAL_REPO_PATH = $OUTPUT_PATH + "Local_Repo\" +$LCU_PATH = $OUTPUT_PATH + "Windows10.0-KB4565503-x64_PSFX.cab" +$PENDING = $false + +Function Get-TS { return "{0:HH:mm:ss}" -f (Get-Date) } + +Function Log +{ + param ( + [Parameter(Mandatory=$True)] + [string]$MESSAGE + ) + + $M = "$(Get-TS): PostInstall: $MESSAGE" + Write-Host $M + Add-Content -Path $LOG_PATH -Value $M + + } + +Log "Starting" + +# Get OS version +$OSINFO = Get-CimInstance Win32_OperatingSystem +Log "OS Version: $($OSINFO.Version)" + +# Check for source OS state, just to be sure +if (!(Test-Path $LANG_PATH) -or !(Test-Path $CAP_PATH) -or !(Test-Path $OSVERSION_PATH) ) { + Log "Source OS state is missing." +} + +# If this script is executing and the OS version hasn't changed, let's exit out. +else { + + # Retrive OS version from source OS + $SOURCE_OSVERSION = Get-Content -Path $OSVERSION_PATH + if ($OSINFO.Version -eq $SOURCE_OSVERSION) { + Log "OS Version hasn't changed." 
+ } + + else { + + # Retrive language list from source OS + $SOURCE_LANGUAGES = Get-Content -Path $LANG_PATH + + # Get installed languages from International Settings + $INTL = DISM.exe /Online /Get-Intl /English + + # Save System Language, save only output line with default system language + $SYS_LANG = $INTL | Select-String -SimpleMatch 'Default system UI language' + + # Replace with null so we have the language code + $SYS_LANG = $SYS_LANG | ForEach-Object {$_.Line.Replace("Default system UI language : ","")} + + # Get and save installed packages, we'll use this for debugging + $PACKAGES = Get-WindowsPackage -Online + ForEach ($ITEM in $PACKAGES) { + if($ITEM.PackageState -eq "Installed") { + Log "Package $($ITEM.PackageName) is installed" + } + } + + # Loop through source OS languages, and install if missing on target OS + ForEach ($SOURCE_ITEM in $SOURCE_LANGUAGES) { + if ($SOURCE_ITEM -ne $SYS_LANG) { + + # add missing languages except the system language + Log "Adding language Microsoft-Windows-Client-Language-Pack_x64_$($SOURCE_ITEM).cab" + try { + Add-WindowsPackage -Online -PackagePath "$($LOCAL_REPO_PATH)\Microsoft-Windows-Client-Language-Pack_x64_$($SOURCE_ITEM).cab" -ErrorAction stop | Out-Null + } + catch { + Log $_.Exception.Message + } + } + } + + # Retrieve capabilities from source OS and target OS + $SOURCE_CAPABILITIES = Get-Content -Path $CAP_PATH + $CAPABILITIES = Get-WindowsCapability -Online + + # Loop through source OS capabilities, and install if missing on target OS + ForEach ($SOURCE_ITEM in $SOURCE_CAPABILITIES) { + $INSTALLED = $false + ForEach ($ITEM in $CAPABILITIES) { + if ($ITEM.Name -eq $($SOURCE_ITEM)) { + if ($ITEM.State -eq "Installed") { + $INSTALLED = $true + break + } + } + } + + # Add if not already installed + if (!($INSTALLED)) { + Log "Adding capability $SOURCE_ITEM" + try { + Add-WindowsCapability -Online -Name $SOURCE_ITEM -Source $LOCAL_REPO_PATH -ErrorAction stop | Out-Null + } + catch { + Log $_.Exception.Message + } 
+ }
+ else {
+ Log "Capability $SOURCE_ITEM is already installed"
+ }
+ }
+
+ # Add LCU, this is required after adding FODs and languages
+ Log ("Adding LCU")
+ Add-WindowsPackage -Online -PackagePath $LCU_PATH -NoRestart
+
+ # Get packages, we'll use this for debugging and to see if we need to restart to install
+ $PACKAGES = Get-WindowsPackage -Online
+ ForEach ($ITEM in $PACKAGES) {
+ Log "Package $($ITEM.PackageName) is $($ITEM.PackageState)"
+ if ($ITEM.PackageState -eq "InstallPending") {
+ $PENDING = $true
+ }
+ }
+ }
+}
+
+# Remove local repository and state files
+Remove-Item -Path $LANG_PATH -Force -ErrorAction ignore | Out-Null
+Remove-Item -Path $CAP_PATH -Force -ErrorAction ignore | Out-Null
+Remove-Item -Path $OSVERSION_PATH -Force -ErrorAction ignore | Out-Null
+Remove-Item -Path $LOCAL_REPO_PATH -Force -Recurse -ErrorAction ignore | Out-Null
+
+# Restarting the computer to let setup process to exit cleanly
+if ($PENDING) {
+ Log ("Install pending packages exists, restarting in 10 seconds")
+ Start-Process -FilePath cmd -ArgumentList "/C shutdown /r /t 10 /f"
+}
+
+Log ("Exiting")
+```
\ No newline at end of file
diff --git a/windows/deployment/update/plan-define-readiness.md b/windows/deployment/update/plan-define-readiness.md
index a2ff53df19..4264b434b1 100644
--- a/windows/deployment/update/plan-define-readiness.md
+++ b/windows/deployment/update/plan-define-readiness.md
@@ -10,7 +10,6 @@ audience: itpro
 author: jaimeo
 ms.localizationpriority: medium
 ms.audience: itpro
-author: jaimeo
 ms.topic: article
 ms.collection: M365-modern-desktop
 ---
diff --git a/windows/deployment/update/plan-determine-app-readiness.md b/windows/deployment/update/plan-determine-app-readiness.md
index b7e1707a7d..645903d80f 100644
--- a/windows/deployment/update/plan-determine-app-readiness.md
+++ b/windows/deployment/update/plan-determine-app-readiness.md
@@ -7,12 +7,12 @@ keywords: updates, servicing, current, deployment, semi-annual channel, feature,
 ms.prod: w10
 ms.mktglfcycl: manage
 audience: itpro
-author: jaimeo
 ms.localizationpriority: medium
 ms.audience: itpro
-author: jaimeo
 ms.topic: article
 ms.collection: M365-modern-desktop
+ms.author: jaimeo
+author: jaimeo
 ---
 # Determine application readiness
diff --git a/windows/deployment/update/update-baseline.md b/windows/deployment/update/update-baseline.md
new file mode 100644
index 0000000000..45452dd15a
--- /dev/null
+++ b/windows/deployment/update/update-baseline.md
@@ -0,0 +1,47 @@
+---
+title: Update baseline
+description: Use an update baseline to optimize user experience and meet monthly update goals
+keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, tools, group policy
+ms.prod: w10
+ms.mktglfcycl: manage
+author: jaimeo
+ms.localizationpriority: medium
+ms.author: jaimeo
+manager: laurawi
+ms.topic: article
+---
+
+# Update baseline
+
+**Applies to:** Windows 10
+
+With the large number of different policies offered for Windows 10, Update Baseline provides a clear list of recommended Windows Update policy settings for IT administrators who want the best user experience while also meeting their monthly update compliance goals. See [Policies included in the Update Baseline](#policies-included-in-the-update-baseline) for the full list of policy configurations.
+
+## Why is Update Baseline needed?
+
+Update Baseline is an industry-tested solution that improves update adoption rates while also maintaining a high-quality user experience. Whether you are just starting out, or you have been configuring policies for years, Update Baseline can help get you to a known good state with an excellent user experience. Applying the baseline is especially helpful for organizations that have many years of policy configurations to clear out lingering misconfigurations.
+
+## You can use Update Baseline to:
+
+- Ensure that user and device configuration settings are compliant with the baseline.
+- Set configuration settings. You can use Group Policy to configure a device with the setting values specified in the baseline.
+
+Update Baseline doesn't affect your offering policies, whether you’re using deferrals or target version to manage which updates are offered to your devices and when.
+
+## Policies included in the Update Baseline
+
+The Update Baseline configures settings in these Group Policy areas:
+
+- System/Power Management
+- Windows Components/Delivery Optimization
+- Windows Components/Windows Update
+
+For the complete detailed list of all settings and their values, see the MSFT Windows Update.htm file in the [Update Baseline toolkit](https://www.microsoft.com/download/details.aspx?id=101056) at the Download Center
+
+## How do I get started?
+
+The Update Baseline toolkit makes it easy by providing a single command for IT Admins to load the baseline settings into Group Policy Management Console. You can get the [Update Baseline toolkit](https://www.microsoft.com/download/details.aspx?id=101056) from the Download Center.
+
+Today, the Update Baseline toolkit is currently only available for use with Group Policy.
+
+
diff --git a/windows/deployment/update/update-compliance-configuration-manual.md b/windows/deployment/update/update-compliance-configuration-manual.md
index de0fe72583..8aaf66d309 100644
--- a/windows/deployment/update/update-compliance-configuration-manual.md
+++ b/windows/deployment/update/update-compliance-configuration-manual.md
@@ -17,13 +17,14 @@ ms.topic: article
 # Manually Configuring Devices for Update Compliance
-There are a number of requirements to consider when manually configuring Update Compliance. These can potentially change with newer versions of Windows 10. The [Update Compliance Configuration Script](update-compliance-configuration-script.md) will be updated when any configuration requirements change so only a redeployment of the script will be required.
+There are a number of requirements to consider when manually configuring devices for Update Compliance. These can potentially change with newer versions of Windows 10. The [Update Compliance Configuration Script](update-compliance-configuration-script.md) will be updated when any configuration requirements change so only a redeployment of the script will be required.
 The requirements are separated into different categories:
 1. Ensuring the [**required policies**](#required-policies) for Update Compliance are correctly configured.
 2. Devices in every network topography needs to send data to the [**required endpoints**](#required-endpoints) for Update Compliance, for example both devices in main and satellite offices, which may have different network configurations.
 3. Ensure [**Required Windows services**](#required-services) are running or are scheduled to run. It is recommended all Microsoft and Windows services are set to their out-of-box defaults to ensure proper functionality.
+4. [**Run a full Census sync**](#run-a-full-census-sync) on new devices to ensure that all necessary data points are collected.
 ## Required policies
@@ -75,3 +76,14 @@ To enable data sharing between devices, your network, and Microsoft's Diagnostic
 ## Required services
 Many Windows and Microsoft services are required to ensure that not only the device can function, but Update Compliance can see device data. It is recommended that you allow all default services from the out-of-box experience to remain running. The [Update Compliance Configuration Script](update-compliance-configuration-script.md) checks whether the majority of these services are running or are allowed to run automatically.
+
+
+## Run a full Census sync
+
+Census is a service that runs on a regular schedule on Windows devices. A number of key device attributes, like what operating system edition is installed on the device, are included in the Census payload. However, to save network load and system resources, data that tends to be more static (like edition) is sent approximately once per week rather than on every daily run. Because of this, these attributes can take longer to appear in Update Compliance unless you start a full Census sync. The Update Compliance Configuration Script does this.
+
+A full Census sync adds a new registry value to Census's path. When this registry value is added, Census's configuration is overridden to force a full sync. For Census to work normally, this registry value should be enabled, Census should be started manually, and then the registry value should be disabled. Follow these steps:
+
+1. For every device you are manually configuring for Update Compliance, add or modify the registry key located at **HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Census** to include a new **DWORD value** named **FullSync** and set to **1**.
+2. Run Devicecensus.exe with administrator privileges on every device. Devicecensus.exe is in the System32 folder. No additional run parameters are required.
+3. After Devicecensus.exe has run, the **FullSync** registry value can be removed or set to **0**.
diff --git a/windows/deployment/update/update-compliance-delivery-optimization.md b/windows/deployment/update/update-compliance-delivery-optimization.md
index c3c6abb633..1fa0437e08 100644
--- a/windows/deployment/update/update-compliance-delivery-optimization.md
+++ b/windows/deployment/update/update-compliance-delivery-optimization.md
@@ -2,7 +2,7 @@
 title: Delivery Optimization in Update Compliance (Windows 10)
 ms.reviewer:
 manager: laurawi
-description: new Delivery Optimization data displayed in Update Compliance
+description: Learn how the Update Compliance solution provides you with information about your Delivery Optimization configuration.
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.pagetype: deploy
diff --git a/windows/deployment/update/update-compliance-feature-update-status.md b/windows/deployment/update/update-compliance-feature-update-status.md
index 5953fcc349..b58012dcad 100644
--- a/windows/deployment/update/update-compliance-feature-update-status.md
+++ b/windows/deployment/update/update-compliance-feature-update-status.md
@@ -2,7 +2,7 @@
 title: Update Compliance - Feature Update Status report
 ms.reviewer:
 manager: laurawi
-description: Find the latest status of feature updates with an overview of the Feature Update Status report.
+description: Learn how the Feature Update Status report provides information about the status of feature updates across all devices.
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.pagetype: deploy
@@ -16,7 +16,7 @@ ms.topic: article
 # Feature Update Status
-![The Feature Update Status report](images/UC_workspace_FU_status.png)
+[ ![The Feature Update Status report](images/UC_workspace_FU_status.png) ](images/UC_workspace_FU_status.png#lightbox)
 The Feature Update Status section provides information about the status of [feature updates](waas-quick-start.md#definitions) across all devices. This section tile in the [Overview Blade](update-compliance-using.md#overview-blade) gives a percentage of devices that are on the latest applicable feature update; [Servicing Channel](waas-overview.md#servicing-channels) is considered in determining applicability. Within this section are two blades; one providing a holistic view of feature updates, the other containing three **Deployment Status** tiles, each charged with tracking the deployment for a different [Servicing Channel](waas-overview.md#servicing-channels).
@@ -35,14 +35,28 @@ Refer to the following list for what each state means:
 * Devices that have failed the given feature update installation are counted as **Update failed**.
 * If a device should be, in some way, progressing toward this security update, but its status cannot be inferred, it will count as **Status Unknown**. Devices not using Windows Update are the most likely devices to fall into this category.
-## Compatibility holds
+## Safeguard holds
-Microsoft uses diagnostic data to determine whether devices that use Windows Update are ready for a feature update in order to ensure a smooth experience. When Microsoft determines a device is not ready to update due to a known issue, a *compatibility hold* is generated to delay the device's upgrade and safeguard the end-user experience. Holds are released over time as diagnostic data is analyzed and fixes are addressed. Details are provided on some, but not all compatibility holds on the Windows 10 release information page for any given release.
+Microsoft uses diagnostic data to determine whether devices that use Windows Update are ready for a feature update in order to ensure a smooth experience. When Microsoft determines a device is not ready to update due to a known issue, a *safeguard hold* is generated to delay the device's upgrade and protect the end-user experience. Holds are released over time as diagnostic data is analyzed and fixes are addressed. Details are provided on some, but not all safeguard holds on the Windows 10 release information page for any given release.
-### Opting out of compatibility hold
+## Queries for safeguard holds
-Microsoft will release a device from a compatibility hold when it has determined it can safely and smoothly install a feature update, but you are ultimately in control of your devices and can opt out if desired.
To opt out, set the registry key **HKLM\Software\Microsoft\Windows NT\CurrentVersion\502505fe-762c-4e80-911e-0c3fa4c63fb0** to a name of **DataRequireGatedScanForFeatureUpdates** and a value of **0**.
+Update Compliance reporting offers two queries to help you retrieve data related to safeguard holds. The first query shows the device data for all devices that are affected by safeguard holds. The second query shows data specific to devices running the target build.
+![Left pane showing Need Attention, Security update status, feature update status, and Windows Defender AV status, with Need Attention selected. Right pane shows the list of queries relevant to the Need Attention status, with "Devices with a safeguard hold" and "Target build distribution of devices with a safeguard hold" queries highlighted](images/UC_workspace_safeguard_queries.png)
-Setting this registry key to **0** will force the device to opt out from *all* compatibility holds. Any other value, or deleting the key, will resume compatibility protection on the device.
+Update Compliance reporting will display the Safeguard IDs for known issues affecting a device in the **DeploymentErrorCode** column. Safeguard IDs for publicly discussed known issues are also included in the Windows Release Health dashboard, where you can easily find information related to publicly available safeguards.
+
+### Opting out of safeguard hold
+
+Microsoft will release a device from a safeguard hold when it has determined it can safely and smoothly install a feature update, but you are ultimately in control of your devices and can opt out if desired.
+To opt out, set the registry key as follows:
+
+- Registry Key Path :: **Computer\HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion**
+- Create New Key :: **502505fe-762c-4e80-911e-0c3fa4c63fb0**
+- Name :: **DataRequireGatedScanForFeatureUpdates**
+- Type :: **REG_DWORD**
+- Value :: **0**
+
+Setting this registry key to **0** will force the device to opt out from *all* safeguard holds. Any other value, or deleting the key, will resume compatibility protection on the device.
diff --git a/windows/deployment/update/update-compliance-monitor.md b/windows/deployment/update/update-compliance-monitor.md
index 92d589105d..58bd854855 100644
--- a/windows/deployment/update/update-compliance-monitor.md
+++ b/windows/deployment/update/update-compliance-monitor.md
@@ -17,11 +17,6 @@ ms.topic: article
 # Monitor Windows Updates with Update Compliance
-> [!IMPORTANT]
-> While [Windows Analytics was retired on January 31, 2020](https://docs.microsoft.com/windows/deployment/update/update-compliance-monitor), support for Update Compliance has continued through the Azure Portal. Two planned feature removals for Update Compliance – Microsoft Defender Antivirus reporting and Perspectives – are now scheduled to be removed beginning Monday, May 11, 2020.
-> * The retirement of Microsoft Defender Antivirus reporting will begin Monday, May 11, 2020. You can continue to for threats with [Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager) and [Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection).
-> * The Perspectives feature of Update Compliance will be retired Monday, May 11, 2020. The Perspectives feature is part of the Log Search portal of Log Analytics, which was deprecated on February 15, 2019 in favor of [Azure Monitor Logs](https://docs.microsoft.com/azure/azure-monitor/log-query/log-search-transition). Your Update Compliance solution will be automatically upgraded to Azure Monitor Logs, and the data available in Perspectives will be migrated to a set of queries in the [Needs Attention section](update-compliance-need-attention.md) of Update Compliance.
-
 ## Introduction
 Update Compliance enables organizations to:
diff --git a/windows/deployment/update/update-compliance-need-attention.md b/windows/deployment/update/update-compliance-need-attention.md
index f17250eec3..3032c95790 100644
--- a/windows/deployment/update/update-compliance-need-attention.md
+++ b/windows/deployment/update/update-compliance-need-attention.md
@@ -1,9 +1,7 @@
 ---
 title: Update Compliance - Need Attention! report
-ms.reviewer:
 manager: laurawi
-description: an overview of the Update Compliance Need Attention! report
-ms.prod: w10
+description: Learn how the Needs attention! section provides a breakdown of all Windows 10 device and update issues detected by Update Compliance.
 ms.mktglfcycl: deploy
 ms.pagetype: deploy
 audience: itpro
@@ -12,6 +10,7 @@ author: jaimeo
 ms.author: jaimeo
 ms.collection: M365-analytics
 ms.topic: article
+ms.prod: w10
 ---
 # Needs attention!
diff --git a/windows/deployment/update/update-compliance-schema-waasdeploymentstatus.md b/windows/deployment/update/update-compliance-schema-waasdeploymentstatus.md
index 3cbcbbeb28..b5fe054a3e 100644
--- a/windows/deployment/update/update-compliance-schema-waasdeploymentstatus.md
+++ b/windows/deployment/update/update-compliance-schema-waasdeploymentstatus.md
@@ -26,7 +26,7 @@ WaaSDeploymentStatus records track a specific update's installation progress on
 |**DeploymentError** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`Disk Error` |A readable string describing the error, if any. If empty, there is either no string matching the error or there is no error. |
 |**DeploymentErrorCode** |[int](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/int) |`8003001E` |Microsoft internal error code for the error, if any. If empty, there is either no error or there is *no error code*, meaning that the issue raised does not correspond to an error, but some inferred issue. |
 |**DeploymentStatus** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`Failed` |The high level status of installing this update on this device. Possible values are:
    • **Update completed**: Device has completed the update installation.
    • **In Progress**: Device is in one of the various stages of installing an update, detailed in `DetailedStatus`.
    • **Deferred**: A device's deferral policy is preventing the update from being offered by Windows Update.
    • **Cancelled**: The update was cancelled.
    • **Blocked**: There is a hard block on the update being completed. This could be that another update must be completed before this one, or some other task is blocking the installation of the update.
    • **Unknown**: Update Compliance generated WaaSDeploymentStatus records for devices as soon as it detects an update newer than the one installed on the device. Devices that have not sent any deployment data for that update will have the status `Unknown`.
    • **Update paused**: Devices are paused via Windows Update for Business Pause policies, preventing the update from being offered by Windows Update.
    • **Failed**: Device encountered a failure in the update process, preventing it from installing the update. This may result in an automatic retry in the case of Windows Update, unless the `DeploymentError` indicates the issue requires action before the update can continue.| -|**DetailedStatus** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`Reboot required` |A detailed status for the installation of this update on this device. Possible values are:
    • **Update deferred**: When a device's Windows Update for Business policy dictates the update is deferred.
    • **Update paused**: The device's Windows Update for Business policy dictates the update is paused from being offered.
    • **Update offered**: The device has been offered the update, but has not begun downloading it.
    • **Pre-Download tasks passed**: The device has finished all necessary tasks prior to downloading the update.
    • **Compatibility hold**: The device has been placed under a *compatibility hold* to ensure a smooth feature update experience and will not resume the update until the hold has been cleared. For more information see [Feature Update Status report](update-compliance-feature-update-status.md#compatibility-holds).
    • **Download started**: The update has begun downloading on the device.
    • **Download Succeeded**: The update has successfully completed downloading.
    • **Pre-Install Tasks Passed**: Tasks that must be completed prior to installing the update have been completed.
    • **Install Started**: Installation of the update has begun.
    • **Reboot Required**: The device has finished installing the update, and a reboot is required before the update can be completed.
    • **Reboot Pending**: The device has a scheduled reboot to apply the update.
    • **Reboot Initiated**: The scheduled reboot has been initiated.
    • **Commit**: Changes are being committed post-reboot. This is another step of the installation process.
    • **Update Completed**: The update has successfully installed.| +|**DetailedStatus** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`Reboot required` |A detailed status for the installation of this update on this device. Possible values are:
    • **Update deferred**: When a device's Windows Update for Business policy dictates the update is deferred.
    • **Update paused**: The device's Windows Update for Business policy dictates the update is paused from being offered.
    • **Update offered**: The device has been offered the update, but has not begun downloading it.
    • **Pre-Download tasks passed**: The device has finished all necessary tasks prior to downloading the update.
    • **Compatibility hold**: The device has been placed under a *compatibility hold* to ensure a smooth feature update experience and will not resume the update until the hold has been cleared. For more information see [Feature Update Status report](update-compliance-feature-update-status.md#safeguard-holds).
    • **Download started**: The update has begun downloading on the device.
    • **Download Succeeded**: The update has successfully completed downloading.
    • **Pre-Install Tasks Passed**: Tasks that must be completed prior to installing the update have been completed.
    • **Install Started**: Installation of the update has begun.
    • **Reboot Required**: The device has finished installing the update, and a reboot is required before the update can be completed.
    • **Reboot Pending**: The device has a scheduled reboot to apply the update.
    • **Reboot Initiated**: The scheduled reboot has been initiated.
    • **Commit**: Changes are being committed post-reboot. This is another step of the installation process.
    • **Update Completed**: The update has successfully installed.| |**ExpectedInstallDate** |[datetime](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/datetime)|`3/28/2020, 1:00:01.318 PM`|Rather than the expected date this update will be installed, this should be interpreted as the minimum date Windows Update will make the update available for the device. This takes into account Deferrals. | |**LastScan** |[datetime](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/datetime)|`3/22/2020, 1:00:01.318 PM`|The last point in time that this device sent Update Session data. | |**OriginBuild** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`18363.719` |The build originally installed on the device when this Update Session began. | diff --git a/windows/deployment/update/update-compliance-security-update-status.md b/windows/deployment/update/update-compliance-security-update-status.md index 67cc9067ac..5396a3f77c 100644 --- a/windows/deployment/update/update-compliance-security-update-status.md +++ b/windows/deployment/update/update-compliance-security-update-status.md @@ -2,7 +2,7 @@ title: Update Compliance - Security Update Status report ms.reviewer: manager: laurawi -description: an overview of the Security Update Status report +description: Learn how the Security Update Status section provides information about security updates across all devices. ms.prod: w10 ms.mktglfcycl: deploy ms.pagetype: deploy diff --git a/windows/deployment/update/update-compliance-using.md b/windows/deployment/update/update-compliance-using.md index b61cef1778..09cf255a00 100644 --- a/windows/deployment/update/update-compliance-using.md +++ b/windows/deployment/update/update-compliance-using.md 
@@ -2,7 +2,7 @@
 title: Using Update Compliance (Windows 10)
 ms.reviewer:
 manager: laurawi
-description: Explains how to begin using Update Compliance.
+description: Learn how to use Update Compliance to monitor your device's Windows updates and Microsoft Defender Antivirus status.
 keywords: oms, operations management suite, wdav, updates, upgrades, antivirus, antimalware, signature, log analytics
 ms.prod: w10
 ms.mktglfcycl: deploy
diff --git a/windows/deployment/update/update-policies.md b/windows/deployment/update/update-policies.md
index dbf94c9677..58e2b5e496 100644
--- a/windows/deployment/update/update-policies.md
+++ b/windows/deployment/update/update-policies.md
@@ -10,7 +10,6 @@ audience: itpro
 author: jaimeo
 ms.localizationpriority: medium
 ms.audience: itpro
-author: jaimeo
 ms.topic: article
 ms.collection: M365-modern-desktop
 ---
diff --git a/windows/deployment/update/waas-delivery-optimization-reference.md b/windows/deployment/update/waas-delivery-optimization-reference.md
index 515ad60203..b101477546 100644
--- a/windows/deployment/update/waas-delivery-optimization-reference.md
+++ b/windows/deployment/update/waas-delivery-optimization-reference.md
@@ -135,7 +135,7 @@ Starting in Windows 10, version 1803, set this policy to restrict peer selection
 - 0 = not set
 - 1 = AD Site
 - 2 = Authenticated domain SID
-- 3 = DHCP Option ID (with this option, the client will query DHCP Option ID 235 and use the returned GUID value as the Group ID)
+- 3 = DHCP Option ID (with this option, the client will query DHCP Option ID 234 and use the returned GUID value as the Group ID)
 - 4 = DNS Suffix
 - 5 = Starting with Windows 10, version 1903, you can use the Azure Active Directory (AAD) Tenant ID as a means to define groups. To do this set the value for DOGroupIdSource to its new maximum value of 5.
diff --git a/windows/deployment/update/waas-delivery-optimization-setup.md b/windows/deployment/update/waas-delivery-optimization-setup.md
index 0dca1d9e70..9cc82a5183 100644
--- a/windows/deployment/update/waas-delivery-optimization-setup.md +++ b/windows/deployment/update/waas-delivery-optimization-setup.md @@ -95,7 +95,7 @@ To do this with MDM, go to **.Vendor/MSFT/Policy/Config/DeliveryOptimization/** In a lab situation, you typically have a large number of devices that are plugged in and have a lot of free disk space. By increasing the content expiration interval, you can take advantage of these devices, using them as excellent upload sources in order to upload much more content over a longer period. -To do this in Group Policy, go to **Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization** and set **Max Cache Age** to **6048000** (7 days) or more (up to 30 days). +To do this in Group Policy, go to **Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization** and set **Max Cache Age** to **604800** (7 days) or more (up to 30 days). To do this with MDM, go to **.Vendor/MSFT/Policy/Config/DeliveryOptimization/** and set DOMaxCacheAge to 7 or more (up to 30 days). @@ -146,7 +146,7 @@ Using the `-Verbose` option returns additional information: - Bytes from CDN (the number of bytes received over HTTP) - Average number of peer connections per download  -**Starting in Windows 10, version 2004**, `Get-DeliveryOptimizationPerfSnap` has a new option `-PeerInfo` which returns a real-time list of the connected peers. +**Starting in Windows 10, version 2004**, `Get-DeliveryOptimizationStatus` has a new option `-PeerInfo` which returns a real-time list of the connected peers. Starting in Windows 10, version 1803, `Get-DeliveryOptimizationPerfSnapThisMonth` returns data similar to that from `Get-DeliveryOptimizationPerfSnap` but limited to the current calendar month. 
@@ -191,7 +191,7 @@ With no options, this cmdlet returns these data:
 - overall efficiency
 - efficiency in the peered files
-Using the `-ListConnections` option returns these detauls about peers:
+Using the `-ListConnections` option returns these details about peers:
 - destination IP address
 - peer type
diff --git a/windows/deployment/update/waas-manage-updates-wsus.md b/windows/deployment/update/waas-manage-updates-wsus.md
index 13b02958f8..db7cd77c90 100644
--- a/windows/deployment/update/waas-manage-updates-wsus.md
+++ b/windows/deployment/update/waas-manage-updates-wsus.md
@@ -82,6 +82,9 @@ When using WSUS to manage updates on Windows client devices, start by configurin
 9. Under **Options**, from the **Configure automatic updating** list, select **3 - Auto download and notify for install**, and then click **OK**.
 ![Example of UI](images/waas-wsus-fig5.png)
+
+ >[!IMPORTANT]
+ > Use Regedit.exe to check that the following key is not enabled, because it can break Windows Store connectivity: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdateDoNotConnectToWindowsUpdateInternetLocations
 > [!NOTE]
 > There are three other settings for automatic update download and installation dates and times. This is simply the option this example uses. For more examples of how to control automatic updates and other related policies, see [Configure Automatic Updates by Using Group Policy](https://technet.microsoft.com/library/cc720539%28v=ws.10%29.aspx).
diff --git a/windows/deployment/update/waas-manage-updates-wufb.md b/windows/deployment/update/waas-manage-updates-wufb.md
index e0d6464259..95321b1013 100644
--- a/windows/deployment/update/waas-manage-updates-wufb.md
+++ b/windows/deployment/update/waas-manage-updates-wufb.md
@@ -119,8 +119,13 @@ A compliance deadline policy (released in June 2019) enables you to set separate This policy enables you to specify the number of days from an update's publication date that it must be installed on the device. The policy also includes a configurable grace period that specifies the number of days from when the update is installed on the device until the device is forced to restart. This is extremely beneficial in a vacation scenario as it allows, for example, users who have been away to have a bit of time before being forced to restart their devices when they return from vacation. +#### Update Baseline +The large number of different policies offered for Windows 10 can be overwhelming. Update Baseline provides a clear list of recommended Windows update policy settings for IT administrators who want the best user experience while also meeting their update compliance goals. The Update Baseline for Windows 10 includes policy settings recommendations covering deadline configuration, restart behavior, power policies, and more. +The Update Baseline toolkit makes it easy by providing a single command for IT Admins to apply the Update Baseline to devices. You can get the Update Baseline toolkit from the [Download Center](https://www.microsoft.com/download/details.aspx?id=101056). +>[!NOTE] +>The Update Baseline toolkit is available only for Group Policy. Update Baseline does not affect your offering policies, whether you’re using deferrals or target version to manage which updates are offered to your devices when. - - MP3 Files - - - - - C:\* [*] - - - - - C:\* [*.mp3] - - - - - - -``` -### Example 2: How to migrate all files located in C:\\Data except files in C:\\Data\\tmp -The following .xml file migrates all files and subfolders in C:\\Data, except the files and subfolders in C:\\Data\\tmp. 
- -``` xml - - - Test component - - - - - C:\Data\* [*] - - - - - C:\Data\temp\* [*] - - - - - - -``` - -### Example 3: How to exclude the files in a folder but include all subfolders -The following .xml file migrates any subfolders in C:\\EngineeringDrafts, but excludes all files that are in C:\\EngineeringDrafts. - -``` xml - - - Component to migrate all Engineering Drafts Documents without subfolders - - - - - C:\EngineeringDrafts\* [*] - - - - - C:\EngineeringDrafts\ [*] - - - - - - -``` - -### Example 4: How to exclude a file from a specific folder -The following .xml file migrates all files and subfolders in C:\\EngineeringDrafts, except for the Sample.doc file in C:\\EngineeringDrafts. - -``` xml - - - Component to migrate all Engineering Drafts Documents except Sample.doc - - - - - C:\EngineeringDrafts\* [*] - - - - - C:\EngineeringDrafts\ [Sample.doc] - - - - - - -``` - -### Example 5: How to exclude a file from any location -To exclude a Sample.doc file from any location on the C: drive, use the <pattern> element. If multiple files exist with the same name on the C: drive, all of these files will be excluded. - -``` xml - C:\* [Sample.doc] -``` - -To exclude a Sample.doc file from any drive on the computer, use the <script> element. If multiple files exist with the same name, all of these files will be excluded. - -``` xml - -``` -#### Examples of how to use XML to exclude files, folders, and registry keys -Here are some examples of how to use XML to exclude files, folders, and registry keys. For more info, see [USMT XML Reference](usmt-xml-reference.md) - -**Example 1: How to exclude all .mp3 files**
      -The following .xml file excludes all .mp3 files from the migration: - -``` xml - - - Test - - - - - - - - - - - -``` -**Example 2: How to exclude all of the files on a specific drive**
      -The following .xml file excludes only the files located on the C: drive. - -``` xml - - - Test - - - - - c:\*[*] - - - - - - -``` -**Example 3: How to exclude registry keys**
      -The following .xml file unconditionally excludes the HKEY_CURRENT_USER registry key and all of its subkeys. - -``` xml - - - - Test - - - - - HKCU\testReg[*] - - - - - HKCU\*[*] - - - - - - -``` -**Example 4: How to Exclude `C:\Windows` and `C:\Program Files`**
      -The following .xml file unconditionally excludes the system folders of `C:\Windows` and `C:\Program Files`. Note that all \*.docx, \*.xls and \*.ppt files will not be migrated because the <unconditionalExclude> element takes precedence over the <include> element. - -``` xml - - - - Test - - - - - - - - - - - - C:\Program Files\* [*] -C:\Windows\* [*] - - - - - - -``` -## Create a Config XML File -You can create and modify a Config.xml file if you want to exclude components from the migration. Excluding components using this file is easier than modifying the migration .xml files because you do not need to be familiar with the migration rules and syntax. Config.xml is an optional file that you can create using the **/genconfig** command-line option with the ScanState tool. For example, you can use the Config.xml file to exclude the settings for one of the default applications. In addition, creating and modifying this file is the only way to exclude the operating-system settings that are migrated to computers running Windows. - -- **To exclude the settings for a default application:** Specify `migrate="no"` for the application under the <Applications> section of the Config.xml file. - -- **To exclude an operating system setting:** Specify `migrate="no"` for the setting under the <WindowsComponents> section. - -- **To exclude My Documents:** Specify `migrate="no"` for My Documents under the <Documents> section. Note that any <include> rules in the .xml files will still apply. For example, if you have a rule that includes all the .docx files in My Documents, then only the .docx files will be migrated, but the rest of the files will not. - -See [Config.xml File](usmt-configxml-file.md) for more information. - -**Note**   -To exclude a component from the Config.xml file, set the **migrate** value to **"no"**. Deleting the XML tag for the component from the Config.xml file will not exclude the component from your migration. 
- -## Related topics -- [Customize USMT XML Files](usmt-customize-xml-files.md) -- [USMT XML Reference](usmt-xml-reference.md) - - - - - - - - - +--- +title: Exclude Files and Settings (Windows 10) +description: In this article, learn how to exclude files and settings when creating a custom .xml file and a config.xml file. +ms.assetid: df85baf1-6e29-4995-a4bb-ba3f8f7fed0b +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro +author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# Exclude Files and Settings +When you specify the migration .xml files, MigApp.xml, Migdocs, and MigUser.xml, the User State Migration Tool (USMT) 10.0 migrates the settings and components listed, as discussed in [What Does USMT Migrate?](usmt-what-does-usmt-migrate.md) You can create a custom .xml file to further specify what to include or exclude in the migration. In addition you can create a Config.xml file to exclude an entire component from a migration. You cannot, however, exclude users by using the migration .xml files or the Config.xml file. The only way to specify which users to include and exclude is by using the User options on the command line in the ScanState tool. For more information, see [ScanState Syntax](usmt-scanstate-syntax.md). + +In this topic: + +- [Create a custom .xml file](#create-a-custom-xml-file). You can use the following elements to specify what to exclude: + + - include and exclude: You can use the <include> and <exclude> elements to exclude objects with conditions. For example, you can migrate all files located in the C:\\ drive, except any .mp3 files. It is important to remember that [Conflicts and Precedence](usmt-conflicts-and-precedence.md) apply to these elements. + + - [unconditionalExclude](#example-1-how-to-migrate-all-files-from-c-except-mp3-files): You can use the <unconditionalExclude> element to globally exclude data. 
This element takes precedence over all other include and exclude rules in the .xml files. Therefore, this element excludes objects regardless of any other <include> rules that are in the .xml files. For example, you can exclude all .mp3 files on the computer, or you can exclude all files from C:\\UserData. + +- [Create a Config.xml File](#create-a-config-xml-file): You can create and modify a Config.xml file to exclude an entire component from the migration. For example, you can use this file to exclude the settings for one of the default applications. In addition, creating and modifying a Config.xml file is the only way to exclude the operating-system settings that are migrated to computers running Windows. Excluding components using this file is easier than modifying the migration .xml files because you do not need to be familiar with the migration rules and syntax. + +## Create a custom .xml file +We recommend that you create a custom .xml file instead of modifying the default migration .xml files. When you use a custom .xml file, you can keep your changes separate from the default .xml files, which makes it easier to track your modifications. + +### <include> and <exclude> +The migration .xml files, MigApp.xml, MigDocs, and MigUser.xml, contain the <component> element, which typically represents a self-contained component or an application such as Microsoft® Office Outlook® and Word. To exclude the files and registry settings that are associated with these components, use the <include> and <exclude> elements. For example, you can use these elements to migrate all files and settings with pattern X except files and settings with pattern Y, where Y is more specific than X. For the syntax of these elements, see [USMT XML Reference](usmt-xml-reference.md). + +**Note**   +If you specify an <exclude> rule, always specify a corresponding <include> rule. Otherwise, if you do not specify an <include> rule, the specific files or settings will not be included. 
They will already be excluded from the migration. Thus, an unaccompanied <exclude> rule is unnecessary. + +- [Example 1: How to migrate all files from C:\\ except .mp3 files](#example-1-how-to-migrate-all-files-from-c-except-mp3-files) + +- [Example 2: How to migrate all files located in C:\\Data except files in C:\\Data\\tmp](#example-2-how-to-migrate-all-files-located-in-cdata-except-files-in-cdatatmp) + +- [Example 3: How to exclude the files in a folder but include all subfolders](#example-3-how-to-exclude-the-files-in-a-folder-but-include-all-subfolders) + +- [Example 4: How to exclude a file from a specific folder](#example-4-how-to-exclude-a-file-from-a-specific-folder) + +- [Example 5: How to exclude a file from any location](#example-5-how-to-exclude-a-file-from-any-location) + +### Example 1: How to migrate all files from C:\\ except .mp3 files +The following .xml file migrates all files located on the C: drive, except any .mp3 files. + +``` xml + + + + MP3 Files + + + + + C:\* [*] + + + + + C:\* [*.mp3] + + + + + + +``` +### Example 2: How to migrate all files located in C:\\Data except files in C:\\Data\\tmp +The following .xml file migrates all files and subfolders in C:\\Data, except the files and subfolders in C:\\Data\\tmp. + +``` xml + + + Test component + + + + + C:\Data\* [*] + + + + + C:\Data\temp\* [*] + + + + + + +``` + +### Example 3: How to exclude the files in a folder but include all subfolders +The following .xml file migrates any subfolders in C:\\EngineeringDrafts, but excludes all files that are in C:\\EngineeringDrafts. + +``` xml + + + Component to migrate all Engineering Drafts Documents without subfolders + + + + + C:\EngineeringDrafts\* [*] + + + + + C:\EngineeringDrafts\ [*] + + + + + + +``` + +### Example 4: How to exclude a file from a specific folder +The following .xml file migrates all files and subfolders in C:\\EngineeringDrafts, except for the Sample.doc file in C:\\EngineeringDrafts. 
+ +``` xml + + + Component to migrate all Engineering Drafts Documents except Sample.doc + + + + + C:\EngineeringDrafts\* [*] + + + + + C:\EngineeringDrafts\ [Sample.doc] + + + + + + +``` + +### Example 5: How to exclude a file from any location +To exclude a Sample.doc file from any location on the C: drive, use the <pattern> element. If multiple files exist with the same name on the C: drive, all of these files will be excluded. + +``` xml + C:\* [Sample.doc] +``` + +To exclude a Sample.doc file from any drive on the computer, use the <script> element. If multiple files exist with the same name, all of these files will be excluded. + +``` xml + +``` +#### Examples of how to use XML to exclude files, folders, and registry keys +Here are some examples of how to use XML to exclude files, folders, and registry keys. For more info, see [USMT XML Reference](usmt-xml-reference.md) + +**Example 1: How to exclude all .mp3 files**
      +The following .xml file excludes all .mp3 files from the migration: + +``` xml + + + Test + + + + + + + + + + + +``` +**Example 2: How to exclude all of the files on a specific drive**
      +The following .xml file excludes only the files located on the C: drive. + +``` xml + + + Test + + + + + c:\*[*] + + + + + + +``` +**Example 3: How to exclude registry keys**
      +The following .xml file unconditionally excludes the HKEY_CURRENT_USER registry key and all of its subkeys. + +``` xml + + + + Test + + + + + HKCU\testReg[*] + + + + + HKCU\*[*] + + + + + + +``` +**Example 4: How to Exclude `C:\Windows` and `C:\Program Files`**
      +The following .xml file unconditionally excludes the system folders of `C:\Windows` and `C:\Program Files`. Note that all \*.docx, \*.xls and \*.ppt files will not be migrated because the <unconditionalExclude> element takes precedence over the <include> element. + +``` xml + + + + Test + + + + + + + + + + + + C:\Program Files\* [*] +C:\Windows\* [*] + + + + + + +``` +## Create a Config XML File +You can create and modify a Config.xml file if you want to exclude components from the migration. Excluding components using this file is easier than modifying the migration .xml files because you do not need to be familiar with the migration rules and syntax. Config.xml is an optional file that you can create using the **/genconfig** command-line option with the ScanState tool. For example, you can use the Config.xml file to exclude the settings for one of the default applications. In addition, creating and modifying this file is the only way to exclude the operating-system settings that are migrated to computers running Windows. + +- **To exclude the settings for a default application:** Specify `migrate="no"` for the application under the <Applications> section of the Config.xml file. + +- **To exclude an operating system setting:** Specify `migrate="no"` for the setting under the <WindowsComponents> section. + +- **To exclude My Documents:** Specify `migrate="no"` for My Documents under the <Documents> section. Note that any <include> rules in the .xml files will still apply. For example, if you have a rule that includes all the .docx files in My Documents, then only the .docx files will be migrated, but the rest of the files will not. + +See [Config.xml File](usmt-configxml-file.md) for more information. + +**Note**   +To exclude a component from the Config.xml file, set the **migrate** value to **"no"**. Deleting the XML tag for the component from the Config.xml file will not exclude the component from your migration. 
+ +## Related topics +- [Customize USMT XML Files](usmt-customize-xml-files.md) +- [USMT XML Reference](usmt-xml-reference.md) + + + + + + + + + diff --git a/windows/deployment/usmt/usmt-extract-files-from-a-compressed-migration-store.md b/windows/deployment/usmt/usmt-extract-files-from-a-compressed-migration-store.md index 6a97acb78b..a6d6154a83 100644 --- a/windows/deployment/usmt/usmt-extract-files-from-a-compressed-migration-store.md +++ b/windows/deployment/usmt/usmt-extract-files-from-a-compressed-migration-store.md 
@@ -1,122 +1,123 @@ ---- -title: Extract Files from a Compressed USMT Migration Store (Windows 10) -description: Extract Files from a Compressed USMT Migration Store -ms.assetid: ad9fbd6e-f89e-4444-8538-9b11566b1f33 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# Extract Files from a Compressed USMT Migration Store - - -When you migrate files and settings during a typical PC-refresh migration, you usually create a compressed migration store file on the intermediate store. This migration store is a single image file that contains all files being migrated as well as a catalog file. To protect the compressed file, you can encrypt it by using different encryption algorithms. When you migrate the file back to the source computer after the operating system is installed, you can run the **Usmtutils** command with the **/extract** option to recover the files from the compressed migration store. You can also use the **Usmtutils** command with the **/extract** option any time you need to recover data from a migration store. - -Options used with the **/extract** option can specify: - -- The cryptographic algorithm that was used to create the migration store. - -- The encryption key or the text file that contains the encryption key. - -- Include and exclude patterns for selective data extraction. - -In addition, you can specify the file patterns that you want to extract by using the **/i** option to include file patterns or the **/e** option to exclude file patterns. When both the **/i** option and the **/e** option are used in the same command, include patterns take precedence over exclude patterns. Note that this is different from the include and exclude rules used in the ScanState and LoadState tools. 
- -## In this topic - - -- [To run the USMTutils tool with the /extract option](#bkmk-extractsyntax) - -- [To extract all files from a compressed migration store](#bkmk-extractallfiles) - -- [To extract specific file types from an encrypted compressed migration store](#bkmk-extractspecificfiles) - -- [To extract all but one, or more, file types from an encrypted compressed migration store](#bkmk-excludefilepattern) - -- [To extract file types using the include pattern and the exclude pattern](#bkmk-includeexcludefiles) - -### To run the USMTutils tool with the /extract option - -To extract files from the compressed migration store onto the destination computer, use the following USMTutils syntax: - -Cd /d <USMTpath> usmtutils /extract <filePath> <destinationPath> \[/i:<includePattern>\] \[/e:<excludePattern>\] \[/l:<logfile>\] \[/decrypt\[:<AlgID>\] {/key:<keystring> | /keyfile:<filename>}\] \[/o\] - -Where the placeholders have the following values: - -- *<USMTpath>* is the location where you have saved the USMT files and tools. - -- *<filePath>* is the location of the migration store. - -- *<destination path>* is the location of the file where you want the **/extract** option to put the extracted migration store contents. - -- *<includePattern>* specifies the pattern for the files to include in the extraction. - -- *<excludePattern>* specifies the pattern for the files to omit from the extraction. - -- *<AlgID>* is the cryptographic algorithm that was used to create the migration store on the **ScanState** command line. - -- *<logfile>* is the location and name of the log file. - -- *<keystring>* is the encryption key that was used to encrypt the migration store. - -- *<filename>* is the location and name of the text file that contains the encryption key. 
- -### To extract all files from a compressed migration store - -To extract everything from a compressed migration store to a file on the C:\\ drive, type: - -``` syntax -usmtutils /extract D:\MyMigrationStore\USMT\store.mig C:\ExtractedStore -``` - -### To extract specific file types from an encrypted compressed migration store - -To extract specific files, such as .txt and .pdf files, from an encrypted compressed migration store, type: - -``` syntax -usmtutils /extract D:\MyMigrationStore\USMT\store.mig /i:"*.txt,*.pdf" C:\ExtractedStore /decrypt /keyfile:D:\encryptionKey.txt -``` - -In this example, the file is encrypted and the encryption key is located in a text file called encryptionKey. - -### To extract all but one, or more, file types from an encrypted compressed migration store - -To extract all files except for one file type, such as .exe files, from an encrypted compressed migration store, type: - -``` syntax -usmtutils /extract D:\MyMigrationStore\USMT\store.mig /e:*.exe C:\ExtractedStore /decrypt:AES_128 /key:password /l:C:\usmtutilslog.txt -``` - -### To extract file types using the include pattern and the exclude pattern - -To extract files from a compressed migration store, and to exclude files of one type (such as .exe files) while including only specific files, use both the include pattern and the exclude pattern, as in this example: - -``` syntax -usmtutils /extract D:\MyMigrationStore\USMT\store.mig /i:myProject.* /e:*.exe C:\ExtractedStore /o -``` - -In this example, if there is a myProject.exe file, it will also be extracted because the include pattern option takes precedence over the exclude pattern option. 
- -## Related topics - - -[UsmtUtils Syntax](usmt-utilities.md) - -[Return Codes](usmt-return-codes.md) - -[Verify the Condition of a Compressed Migration Store](verify-the-condition-of-a-compressed-migration-store.md) - -  - -  - - - - - +--- +title: Extract Files from a Compressed USMT Migration Store (Windows 10) +description: In this article, learn how to extract files from a compressed User State Migration Tool (USMT) migration store. +ms.assetid: ad9fbd6e-f89e-4444-8538-9b11566b1f33 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro +author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# Extract Files from a Compressed USMT Migration Store + + +When you migrate files and settings during a typical PC-refresh migration, you usually create a compressed migration store file on the intermediate store. This migration store is a single image file that contains all files being migrated as well as a catalog file. To protect the compressed file, you can encrypt it by using different encryption algorithms. When you migrate the file back to the source computer after the operating system is installed, you can run the **Usmtutils** command with the **/extract** option to recover the files from the compressed migration store. You can also use the **Usmtutils** command with the **/extract** option any time you need to recover data from a migration store. + +Options used with the **/extract** option can specify: + +- The cryptographic algorithm that was used to create the migration store. + +- The encryption key or the text file that contains the encryption key. + +- Include and exclude patterns for selective data extraction. + +In addition, you can specify the file patterns that you want to extract by using the **/i** option to include file patterns or the **/e** option to exclude file patterns. 
When both the **/i** option and the **/e** option are used in the same command, include patterns take precedence over exclude patterns. Note that this is different from the include and exclude rules used in the ScanState and LoadState tools. + +## In this topic + + +- [To run the USMTutils tool with the /extract option](#bkmk-extractsyntax) + +- [To extract all files from a compressed migration store](#bkmk-extractallfiles) + +- [To extract specific file types from an encrypted compressed migration store](#bkmk-extractspecificfiles) + +- [To extract all but one, or more, file types from an encrypted compressed migration store](#bkmk-excludefilepattern) + +- [To extract file types using the include pattern and the exclude pattern](#bkmk-includeexcludefiles) + +### To run the USMTutils tool with the /extract option + +To extract files from the compressed migration store onto the destination computer, use the following USMTutils syntax: + +Cd /d <USMTpath> usmtutils /extract <filePath> <destinationPath> \[/i:<includePattern>\] \[/e:<excludePattern>\] \[/l:<logfile>\] \[/decrypt\[:<AlgID>\] {/key:<keystring> | /keyfile:<filename>}\] \[/o\] + +Where the placeholders have the following values: + +- *<USMTpath>* is the location where you have saved the USMT files and tools. + +- *<filePath>* is the location of the migration store. + +- *<destination path>* is the location of the file where you want the **/extract** option to put the extracted migration store contents. + +- *<includePattern>* specifies the pattern for the files to include in the extraction. + +- *<excludePattern>* specifies the pattern for the files to omit from the extraction. + +- *<AlgID>* is the cryptographic algorithm that was used to create the migration store on the **ScanState** command line. + +- *<logfile>* is the location and name of the log file. + +- *<keystring>* is the encryption key that was used to encrypt the migration store. 
+ +- *<filename>* is the location and name of the text file that contains the encryption key. + +### To extract all files from a compressed migration store + +To extract everything from a compressed migration store to a file on the C:\\ drive, type: + +``` syntax +usmtutils /extract D:\MyMigrationStore\USMT\store.mig C:\ExtractedStore +``` + +### To extract specific file types from an encrypted compressed migration store + +To extract specific files, such as .txt and .pdf files, from an encrypted compressed migration store, type: + +``` syntax +usmtutils /extract D:\MyMigrationStore\USMT\store.mig /i:"*.txt,*.pdf" C:\ExtractedStore /decrypt /keyfile:D:\encryptionKey.txt +``` + +In this example, the file is encrypted and the encryption key is located in a text file called encryptionKey. + +### To extract all but one, or more, file types from an encrypted compressed migration store + +To extract all files except for one file type, such as .exe files, from an encrypted compressed migration store, type: + +``` syntax +usmtutils /extract D:\MyMigrationStore\USMT\store.mig /e:*.exe C:\ExtractedStore /decrypt:AES_128 /key:password /l:C:\usmtutilslog.txt +``` + +### To extract file types using the include pattern and the exclude pattern + +To extract files from a compressed migration store, and to exclude files of one type (such as .exe files) while including only specific files, use both the include pattern and the exclude pattern, as in this example: + +``` syntax +usmtutils /extract D:\MyMigrationStore\USMT\store.mig /i:myProject.* /e:*.exe C:\ExtractedStore /o +``` + +In this example, if there is a myProject.exe file, it will also be extracted because the include pattern option takes precedence over the exclude pattern option. + +## Related topics + + +[UsmtUtils Syntax](usmt-utilities.md) + +[Return Codes](usmt-return-codes.md) + +[Verify the Condition of a Compressed Migration Store](verify-the-condition-of-a-compressed-migration-store.md) + +  + +  + + + + + 
diff --git a/windows/deployment/usmt/usmt-faq.md b/windows/deployment/usmt/usmt-faq.md
index 49092e9f6f..97be09803c 100644
--- a/windows/deployment/usmt/usmt-faq.md
+++ b/windows/deployment/usmt/usmt-faq.md
@@ -1,137 +1,138 @@ ---- -title: Frequently Asked Questions (Windows 10) -description: Frequently Asked Questions -ms.assetid: 813c13a7-6818-4e6e-9284-7ee49493241b -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# Frequently Asked Questions - - -The following sections provide frequently asked questions and recommended solutions for migrations using User State Migration Tool (USMT) 10.0. - -## General - - -### How much space is needed on the destination computer? - -The destination computer needs enough available space for the following: - -- Operating system - -- Applications - -- Uncompressed store - -### Can I store the files and settings directly on the destination computer or do I need a server? - -You do not need to save the files to a server. If you are moving the user state to a new computer, you can create the store on a shared folder, on media that you can remove, such as a USB flash drive (UFD), or you can store it directly on the destination computer, as in the following steps: - -1. Create and share the directory C:\\store on the destination computer. - -2. Run the ScanState tool on the source computer and save the files and settings to \\\\*DestinationComputerName*\\store - -3. Run the LoadState tool on the destination computer and specify C:\\store as the store location. - -### Can I migrate data between operating systems with different languages? - -No. USMT does not support migrating data between operating systems with different languages; the source computer's operating-system language must match the destination computer's operating-system language. - -### Can I change the location of the temporary directory on the destination computer? - -Yes. The environment variable USMT\_WORKING\_DIR can be changed to an alternative temporary directory. 
There are some offline migration scenarios where this is necessary, for example, when the USMT binaries are located on read-only Windows Preinstallation Environment (WinPE) boot media. - -### How do I install USMT? - -Because USMT is included in Windows Assessment and Deployment Kit (Windows ADK), you need to install the Windows ADK package on at least one computer in your environment. However, the USMT binaries are designed to be deployed using xcopy. This means that they are installed on a computer simply by recursively copying the USMT directory from the computer containing the Windows ADK to each client computer. - -### How do I uninstall USMT? - -If you have installed the Windows ADK on the computer, uninstalling Windows ADK will uninstall USMT. For client computers that do not have the Windows ADK installed, you can simply delete the USMT directory to uninstall USMT. - -## Files and Settings - - -### How can I exclude a folder or a certain type of file from the migration? - -You can use the **<unconditionalExclude>** element to globally exclude data from the migration. For example, you can use this element to exclude all MP3 files on the computer or to exclude all files from C:\\UserData. This element excludes objects regardless of any other <include> rules that are in the .xml files. For an example, see <unconditionalExclude> in the [Exclude Files and Settings](usmt-exclude-files-and-settings.md) topic. For the syntax of this element, see [XML Elements Library](usmt-xml-elements-library.md). - -### What happens to files that were located on a drive that does not exist on the destination computer? - -USMT migrates the files to the %SystemDrive% while maintaining the correct folder hierarchy. For example, if E:\\data\\File.pst is on the source computer, but the destination computer does not have an E:\\ drive, the file will be migrated to C:\\data\\File.pst, if C:\\ is the system drive. 
This holds true even when <locationModify> rules attempt to move data to a drive that does not exist on the destination computer. - -## USMT .xml Files - - -### Where can I get examples of USMT .xml files? - -The following topics include examples of USMT .xml files: - -- [Exclude Files and Settings](usmt-exclude-files-and-settings.md) - -- [Reroute Files and Settings](usmt-reroute-files-and-settings.md) - -- [Include Files and Settings](usmt-include-files-and-settings.md) - -- [Custom XML Examples](usmt-custom-xml-examples.md) - -### Can I use custom .xml files that were written for USMT 5.0? - -Yes. You can use custom .xml files that were written for USMT 5.0 with USMT for Windows 10. However, in order to use new USMT functionality, you must revisit your custom USMT files and refresh them to include the new command-line options and XML elements. - -### How can I validate the .xml files? - -You can use the USMT XML Schema (MigXML.xsd) to write and validate migration .xml files. - -### Why must I list the .xml files with both the ScanState and LoadState commands? - -The .xml files are not copied to the store as in previous versions of USMT. Because the ScanState and LoadState tools need the .xml files to control the migration, you must specify the same set of .xml files for the **ScanState** and **LoadState** commands. If you used a particular set of mig\*.xml files in the ScanState tool, either called through the "/auto" option, or individually through the "/i" option, then you should use same option to call the exact same mig\*.xml files in the LoadState tool. However, you do not have to specify the Config.xml file, unless you want to exclude some of the files and settings that you migrated to the store. For example, you might want to migrate the My Documents folder to the store, but not to the destination computer. To do this, modify the Config.xml file and specify the updated file with the **LoadState** command. 
**LoadState** will migrate only the files and settings that you want to migrate. - -If you exclude an .xml file from the **LoadState** command, then all of the data that is in the store that was migrated with the missing .xml files will be migrated. However, the migration rules that were specified for the **ScanState** command will not apply. For example, if you exclude a MigApp.xml file that has a rerouting rule such as `MigsysHelperFunction.RelativeMove("c:\data", "%CSIDL_PERSONAL%")`, USMT will not reroute the files. Instead, it will migrate them to C:\\data. - -### Which files can I modify and specify on the command line? - -You can specify the MigUser.xml and MigApp.xml files on the command line. You can modify each of these files. The migration of operating system settings is controlled by the manifests, which you cannot modify. If you want to exclude certain operating-system settings or any other components, create and modify the Config.xml file. - -### What happens if I do not specify the .xml files on the command line? - -- **ScanState** - - If you do not specify any files with the **ScanState** command, all user accounts and default operating system components are migrated. - -- **LoadState** - - If you do not specify any files with the **LoadState** command, all data that is in the store is migrated. However, any target-specific migration rules that were specified in .xml files with the **ScanState** command will not apply. For example, if you exclude a MigApp.xml file that has a rerouting rule such as `MigsysHelperFunction.RelativeMove("c:\data", "%CSIDL_PERSONAL%")`, USMT will not reroute the files. Instead, it will migrate them to C:\\data. - -## Conflicts and Precedence - - -### What happens when there are conflicting XML rules or conflicting objects on the destination computer? - -For more information, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md). 
- -## Related topics - - -[User State Migration Tool (USMT) Troubleshooting](usmt-troubleshooting.md) - -[Extract Files from a Compressed USMT Migration Store](usmt-extract-files-from-a-compressed-migration-store.md) - -[Verify the Condition of a Compressed Migration Store](verify-the-condition-of-a-compressed-migration-store.md) - -  - -  - - - - - +--- +title: Frequently Asked Questions (Windows 10) +description: Learn about frequently asked questions and recommended solutions for migrations using User State Migration Tool (USMT) 10.0. +ms.assetid: 813c13a7-6818-4e6e-9284-7ee49493241b +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro +author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# Frequently Asked Questions + + +The following sections provide frequently asked questions and recommended solutions for migrations using User State Migration Tool (USMT) 10.0. + +## General + + +### How much space is needed on the destination computer? + +The destination computer needs enough available space for the following: + +- Operating system + +- Applications + +- Uncompressed store + +### Can I store the files and settings directly on the destination computer or do I need a server? + +You do not need to save the files to a server. If you are moving the user state to a new computer, you can create the store on a shared folder, on media that you can remove, such as a USB flash drive (UFD), or you can store it directly on the destination computer, as in the following steps: + +1. Create and share the directory C:\\store on the destination computer. + +2. Run the ScanState tool on the source computer and save the files and settings to \\\\*DestinationComputerName*\\store + +3. Run the LoadState tool on the destination computer and specify C:\\store as the store location. + +### Can I migrate data between operating systems with different languages? + +No. 
USMT does not support migrating data between operating systems with different languages; the source computer's operating-system language must match the destination computer's operating-system language. + +### Can I change the location of the temporary directory on the destination computer? + +Yes. The environment variable USMT\_WORKING\_DIR can be changed to an alternative temporary directory. There are some offline migration scenarios where this is necessary, for example, when the USMT binaries are located on read-only Windows Preinstallation Environment (WinPE) boot media. + +### How do I install USMT? + +Because USMT is included in Windows Assessment and Deployment Kit (Windows ADK), you need to install the Windows ADK package on at least one computer in your environment. However, the USMT binaries are designed to be deployed using xcopy. This means that they are installed on a computer simply by recursively copying the USMT directory from the computer containing the Windows ADK to each client computer. + +### How do I uninstall USMT? + +If you have installed the Windows ADK on the computer, uninstalling Windows ADK will uninstall USMT. For client computers that do not have the Windows ADK installed, you can simply delete the USMT directory to uninstall USMT. + +## Files and Settings + + +### How can I exclude a folder or a certain type of file from the migration? + +You can use the **<unconditionalExclude>** element to globally exclude data from the migration. For example, you can use this element to exclude all MP3 files on the computer or to exclude all files from C:\\UserData. This element excludes objects regardless of any other <include> rules that are in the .xml files. For an example, see <unconditionalExclude> in the [Exclude Files and Settings](usmt-exclude-files-and-settings.md) topic. For the syntax of this element, see [XML Elements Library](usmt-xml-elements-library.md). 
+ +### What happens to files that were located on a drive that does not exist on the destination computer? + +USMT migrates the files to the %SystemDrive% while maintaining the correct folder hierarchy. For example, if E:\\data\\File.pst is on the source computer, but the destination computer does not have an E:\\ drive, the file will be migrated to C:\\data\\File.pst, if C:\\ is the system drive. This holds true even when <locationModify> rules attempt to move data to a drive that does not exist on the destination computer. + +## USMT .xml Files + + +### Where can I get examples of USMT .xml files? + +The following topics include examples of USMT .xml files: + +- [Exclude Files and Settings](usmt-exclude-files-and-settings.md) + +- [Reroute Files and Settings](usmt-reroute-files-and-settings.md) + +- [Include Files and Settings](usmt-include-files-and-settings.md) + +- [Custom XML Examples](usmt-custom-xml-examples.md) + +### Can I use custom .xml files that were written for USMT 5.0? + +Yes. You can use custom .xml files that were written for USMT 5.0 with USMT for Windows 10. However, in order to use new USMT functionality, you must revisit your custom USMT files and refresh them to include the new command-line options and XML elements. + +### How can I validate the .xml files? + +You can use the USMT XML Schema (MigXML.xsd) to write and validate migration .xml files. + +### Why must I list the .xml files with both the ScanState and LoadState commands? + +The .xml files are not copied to the store as in previous versions of USMT. Because the ScanState and LoadState tools need the .xml files to control the migration, you must specify the same set of .xml files for the **ScanState** and **LoadState** commands. If you used a particular set of mig\*.xml files in the ScanState tool, either called through the "/auto" option, or individually through the "/i" option, then you should use same option to call the exact same mig\*.xml files in the LoadState tool. 
However, you do not have to specify the Config.xml file, unless you want to exclude some of the files and settings that you migrated to the store. For example, you might want to migrate the My Documents folder to the store, but not to the destination computer. To do this, modify the Config.xml file and specify the updated file with the **LoadState** command. **LoadState** will migrate only the files and settings that you want to migrate. + +If you exclude an .xml file from the **LoadState** command, then all of the data that is in the store that was migrated with the missing .xml files will be migrated. However, the migration rules that were specified for the **ScanState** command will not apply. For example, if you exclude a MigApp.xml file that has a rerouting rule such as `MigsysHelperFunction.RelativeMove("c:\data", "%CSIDL_PERSONAL%")`, USMT will not reroute the files. Instead, it will migrate them to C:\\data. + +### Which files can I modify and specify on the command line? + +You can specify the MigUser.xml and MigApp.xml files on the command line. You can modify each of these files. The migration of operating system settings is controlled by the manifests, which you cannot modify. If you want to exclude certain operating-system settings or any other components, create and modify the Config.xml file. + +### What happens if I do not specify the .xml files on the command line? + +- **ScanState** + + If you do not specify any files with the **ScanState** command, all user accounts and default operating system components are migrated. + +- **LoadState** + + If you do not specify any files with the **LoadState** command, all data that is in the store is migrated. However, any target-specific migration rules that were specified in .xml files with the **ScanState** command will not apply. 
For example, if you exclude a MigApp.xml file that has a rerouting rule such as `MigsysHelperFunction.RelativeMove("c:\data", "%CSIDL_PERSONAL%")`, USMT will not reroute the files. Instead, it will migrate them to C:\\data. + +## Conflicts and Precedence + + +### What happens when there are conflicting XML rules or conflicting objects on the destination computer? + +For more information, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md). + +## Related topics + + +[User State Migration Tool (USMT) Troubleshooting](usmt-troubleshooting.md) + +[Extract Files from a Compressed USMT Migration Store](usmt-extract-files-from-a-compressed-migration-store.md) + +[Verify the Condition of a Compressed Migration Store](verify-the-condition-of-a-compressed-migration-store.md) + +  + +  + + + + + diff --git a/windows/deployment/usmt/usmt-general-conventions.md b/windows/deployment/usmt/usmt-general-conventions.md index 3439d25d7a..49cbfc3f28 100644 --- a/windows/deployment/usmt/usmt-general-conventions.md +++ b/windows/deployment/usmt/usmt-general-conventions.md 
@@ -1,106 +1,107 @@ ---- -title: General Conventions (Windows 10) -description: General Conventions -ms.assetid: 5761986e-a847-41bd-bf8e-7c1bd01acbc6 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# General Conventions - - -This topic describes the XML helper functions. - -## In This Topic - - -[General XML Guidelines](#bkmk-general) - -[Helper Functions](#bkmk-helperfunctions) - -## General XML Guidelines - - -Before you modify the .xml files, become familiar with the following guidelines: - -- **XML schema** - - You can use the User State Migration Tool (USMT) 10.0 XML schema, MigXML.xsd, to write and validate migration .xml files. - -- **Conflits** - - In general, when there are conflicts within the XML schema, the most specific pattern takes precedence. For more information, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md). - -- **Required elements** - - The required elements for a migration .xml file are **<migration>**, **<component>**, **<role>**, and **<rules>**. - -- **Required child elements** - - - USMT does not fail with an error if you do not specify the required child elements. However, you must specify the required child elements for the parent element to affect the migration. - - - The required child elements apply only to the first definition of the element. If these elements are defined and then referred to using their name, the required child elements do not apply. For example, if you define `` in **<namedElements>**, and you specify `` in **<component>** to refer to this element, the definition inside **<namedElements>** must have the required child elements, but the **<component>** element does not need to have the required child elements. 
- -- **File names with brackets** - - If you are migrating a file that has a bracket character (\[ or \]) in the file name, you must insert a carat (^) character directly before the bracket for the bracket character to be valid. For example, if there is a file named **file].txt**, you must specify `c:\documents\mydocs [file^].txt]` instead of `c:\documents\mydocs [file].txt]`. - -- **Using quotation marks** - - When you surround code in quotation marks, you can use either double ("") or single (') quotation marks. - -## Helper Functions - - -You can use the XML helper functions in the [XML Elements Library](usmt-xml-elements-library.md) to change migration behavior. Before you use these functions in an .xml file, note the following: - -- **All of the parameters are strings** - -- **You can leave NULL parameters blank** - - As with parameters with a default value convention, if you have a NULL parameter at the end of a list, you can leave it out. For example, the following function: - - ``` syntax - SomeFunction("My String argument",NULL,NULL) - ``` - - is equivalent to: - - ``` syntax - SomeFunction("My String argument") - ``` - -- **The encoded location used in all the helper functions is an unambiguous string representation for the name of an object** - - It is composed of the node part, optionally followed by the leaf enclosed in square brackets. This makes a clear distinction between nodes and leaves. - - For example, specify the file C:\\Windows\\Notepad.exe: **c:\\Windows\[Notepad.exe\]**. Similarly, specify the directory C:\\Windows\\System32 like this: **c:\\Windows\\System32**; note the absence of the \[\] characters. - - The registry is represented in a similar way. The default value of a registry key is represented as an empty \[\] construct. For example, the default value for the HKLM\\SOFTWARE\\MyKey registry key is **HKLM\\SOFTWARE\\MyKey\[\]**. 
- -- **You specify a location pattern in a way that is similar to how you specify an actual location** - - The exception is that both the node and leaf part accept patterns. However, a pattern from the node does not extend to the leaf. - - For example, the pattern **c:\\Windows\\\\*** will match the \\Windows directory and all subdirectories, but it will not match any of the files in those directories. To match the files as well, you must specify **c:\\Windows\\\*\[\*\]**. - -## Related topics - - -[USMT XML Reference](usmt-xml-reference.md) - - - - - - - - - +--- +title: General Conventions (Windows 10) +description: Learn about general XML guidelines and how to use XML helper functions in the XML Elements library to change migration behavior. +ms.assetid: 5761986e-a847-41bd-bf8e-7c1bd01acbc6 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro +author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# General Conventions + + +This topic describes the XML helper functions. + +## In This Topic + + +[General XML Guidelines](#bkmk-general) + +[Helper Functions](#bkmk-helperfunctions) + +## General XML Guidelines + + +Before you modify the .xml files, become familiar with the following guidelines: + +- **XML schema** + + You can use the User State Migration Tool (USMT) 10.0 XML schema, MigXML.xsd, to write and validate migration .xml files. + +- **Conflicts** + + In general, when there are conflicts within the XML schema, the most specific pattern takes precedence. For more information, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md). + +- **Required elements** + + The required elements for a migration .xml file are **<migration>**, **<component>**, **<role>**, and **<rules>**. + +- **Required child elements** + + - USMT does not fail with an error if you do not specify the required child elements. 
However, you must specify the required child elements for the parent element to affect the migration. + + - The required child elements apply only to the first definition of the element. If these elements are defined and then referred to using their name, the required child elements do not apply. For example, if you define `` in **<namedElements>**, and you specify `` in **<component>** to refer to this element, the definition inside **<namedElements>** must have the required child elements, but the **<component>** element does not need to have the required child elements. + +- **File names with brackets** + + If you are migrating a file that has a bracket character (\[ or \]) in the file name, you must insert a carat (^) character directly before the bracket for the bracket character to be valid. For example, if there is a file named **file].txt**, you must specify `c:\documents\mydocs [file^].txt]` instead of `c:\documents\mydocs [file].txt]`. + +- **Using quotation marks** + + When you surround code in quotation marks, you can use either double ("") or single (') quotation marks. + +## Helper Functions + + +You can use the XML helper functions in the [XML Elements Library](usmt-xml-elements-library.md) to change migration behavior. Before you use these functions in an .xml file, note the following: + +- **All of the parameters are strings** + +- **You can leave NULL parameters blank** + + As with parameters with a default value convention, if you have a NULL parameter at the end of a list, you can leave it out. For example, the following function: + + ``` syntax + SomeFunction("My String argument",NULL,NULL) + ``` + + is equivalent to: + + ``` syntax + SomeFunction("My String argument") + ``` + +- **The encoded location used in all the helper functions is an unambiguous string representation for the name of an object** + + It is composed of the node part, optionally followed by the leaf enclosed in square brackets. 
This makes a clear distinction between nodes and leaves. + + For example, specify the file C:\\Windows\\Notepad.exe: **c:\\Windows\[Notepad.exe\]**. Similarly, specify the directory C:\\Windows\\System32 like this: **c:\\Windows\\System32**; note the absence of the \[\] characters. + + The registry is represented in a similar way. The default value of a registry key is represented as an empty \[\] construct. For example, the default value for the HKLM\\SOFTWARE\\MyKey registry key is **HKLM\\SOFTWARE\\MyKey\[\]**. + +- **You specify a location pattern in a way that is similar to how you specify an actual location** + + The exception is that both the node and leaf part accept patterns. However, a pattern from the node does not extend to the leaf. + + For example, the pattern **c:\\Windows\\\\*** will match the \\Windows directory and all subdirectories, but it will not match any of the files in those directories. To match the files as well, you must specify **c:\\Windows\\\*\[\*\]**. + +## Related topics + + +[USMT XML Reference](usmt-xml-reference.md) + + + + + + + + + diff --git a/windows/deployment/usmt/usmt-how-it-works.md b/windows/deployment/usmt/usmt-how-it-works.md index 5c8bbb6d9b..441dccf3f7 100644 --- a/windows/deployment/usmt/usmt-how-it-works.md +++ b/windows/deployment/usmt/usmt-how-it-works.md 
@@ -1,150 +1,135 @@ ---- -title: How USMT Works (Windows 10) -description: How USMT Works -ms.assetid: 5c8bd669-9e1e-473d-81e6-652f40b24171 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# How USMT Works - - -USMT includes two tools that migrate settings and data: ScanState and LoadState. ScanState collects information from the source computer, and LoadState applies that information to the destination computer. - -- [ScanState Process](#bkmk-ssprocess) - -- [LoadState Process](#bkmk-lsprocess) - - **Note**   - For more information about how USMT processes the rules and the XML files, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md). - - - -## The ScanState Process - - -When you run the ScanState tool on the source computer, it goes through the following process: - -1. It parses and validates the command-line parameters, creates the ScanState.log file, and then begins logging. - -2. It collects information about all of the migration components that need to be migrated. A *migration component* is a logical group of files, registry keys, and values. For example, the set of files, registry keys, and values that store the settings of Adobe Acrobat is grouped into a single migration component. - - There are three types of components: - - - Components that migrate the operating system settings - - - Components that migrate application settings - - - Components that migrate users’ files - - The ScanState tool collects information about the application settings and user data components from the .xml files that are specified on the command line. - - In Windows 7, and Windows 8, the manifest files control how the operating-system settings are migrated. You cannot modify these files. If you want to exclude certain operating-system settings, you must create and modify a Config.xml file. - -3. 
ScanState determines which user profiles should be migrated. By default, all user profiles on the source computer are migrated. However, you can include and exclude users using the User Options. The public profile in a source computer running Windows 7, Windows 8, and Windows 10 is always migrated, and you cannot exclude these profiles from the migration. - -4. In the "Scanning" phase, ScanState does the following for each user profile selected for migration: - - 1. For each component, ScanState checks the type of the component. If the current user profile is the system profile and the component type is “System” or “UserAndSystem”, the component is selected for this user. Otherwise, the component is ignored. Alternatively, if the current user profile is not the system profile and the component type is “User” or “UserAndSystem”, the component is selected for this user. Otherwise, this component is ignored. - - **Note**   - From this point on, ScanState does not distinguish between components that migrate operating-system settings, those that migrate application settings, and those that migrate users’ files. ScanState processes all components in the same way. - - - - 2. Each component that is selected in the previous step is processed further. Any profile-specific variables (such as CSIDL\_PERSONAL) are evaluated in the context of the current profile. For example, if the profile that is being processed belongs to “User1”, then CSIDL\_PERSONAL would expand to C:\\Users\\User1\\Documents, assuming that the user profiles are stored in the C:\\Users directory. - - 3. For each selected component, ScanState evaluates the <detects> section. If the condition in the <detects> section evaluates to false, the component is not processed any further. Otherwise, the processing of this component continues. - - 4. For each selected component, ScanState evaluates the <rules> sections. 
For each <rules> section, if the current user profile is the system profile and the context of the <rules> section is “System” or “UserAndSystem”, the rule is processed further. Otherwise, this rule is ignored. Alternatively, if the current user profile is not the system profile and the context of the <rules> section is “User” or “UserAndSystem”, the rule is processed further. Otherwise, this rule is ignored. - - 5. ScanState creates a list of migration units that need to be migrated by processing the various subsections under this <rules> section. Each unit is collected if it is mentioned in an <include> subsection, as long as there is not a more specific rule for it in an <exclude> subsection in the same <rules> section. For more information about precedence in the .xml files, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md). - - In addition, any migration unit (such as a file, registry key, or set of registry values) that is in an <UnconditionalExclude> section is not migrated. - - **Note**   - ScanState ignores some subsections such as <destinationCleanup> and <locationModify>. These sections are evaluated only on the destination computer. - - - -5. In the "Collecting" phase, ScanState creates a master list of the migration units by combining the lists that were created for each selected user profile. - -6. In the "Saving" phase, ScanState writes the migration units that were collected to the store location. - - **Note**   - ScanState does not modify the source computer in any way. - - - -## The LoadState Process - - -The LoadState process is very similar to the ScanState process. The ScanState tool collects migration units such as file, registry key, or registry values from the source computer and saves them to the store. Similarly, the LoadState tool collects migration units from the store and applies them to the destination computer. - -1. 
ScanState parses and validates the command-line parameters, creates the ScanState.log file, and then begins logging. - -2. LoadState collects information about the migration components that need to be migrated. - - LoadState obtains information for the application-settings components and user-data components from the migration .xml files that are specified by the LoadState command. - - In Windows 7, and Windows 8, the manifest files control how the operating-system settings are migrated. You cannot modify these files. If you want to exclude certain operating-system settings, you must create and modify a Config.xml file. - -3. LoadState determines which user profiles should be migrated. By default, all user profiles present on the source computer are migrated. However, you can include and exclude users using the User Options. The system profile, the "All users" profile in a source computer running Windows XP, or the Public profile in a source computer running Windows Vista, Windows 7, and Windows 8, is always migrated and you cannot exclude these profiles from the migration. - - - If you are migrating local user accounts and if the accounts do not already exist on the destination computer, you must use the/lac command-line option. If you do not specify the **/lac** option, any local user accounts that are not already present on the destination computer, are not migrated. - - - The **/md** and **/mu** options are processed to rename the user profile on the destination computer, if they have been included when the LoadState command was specified. - - - For each user profile selected from the store, LoadState creates a corresponding user profile on the destination computer. The destination computer does not need to be connected to the domain for domain user profiles to be created. If USMT cannot determine a domain, it attempts to apply the settings to a local account. For more information, see [Identify Users](usmt-identify-users.md). - -4. 
In the "Scanning" phase, LoadState does the following for each user profile: - - 1. For each component, LoadState checks the type of the component. If the current user profile is the system profile and the component type is “System” or “UserAndSystem”, the component is selected for this user. Otherwise, the component is ignored. Alternatively, if the current user profile is not the system profile and the component type is “User” or “UserAndSystem”, the component is selected for this user. Otherwise, this component is ignored. - - **Note** - From this point on, LoadState does not distinguish between components that migrate operating-system settings, those that migrate application settings, and those that migrate users’ files. LoadState evaluates all components in the same way. - - - - 2. Each component that is selected is processed further. Any profile-specific variables (such as CSIDL\_PERSONAL) are evaluated in the context of the current profile. For example, if the profile being processed belongs to “User1”, then CSIDL\_PERSONAL would expand to C:\\Users\\User1\\Documents (assuming that the user profiles are stored in the C:\\Users directory). - - **Note** - LoadState ignores the <detects> section specified in a component. At this point, all specified components are considered to be detected and are selected for migration. - - - - 3. For each selected component, LoadState evaluates the <rules> sections. For each <rules> section, if the current user profile is the system profile and the context of the <rules> section is “System” or “UserAndSystem”, the rule is processed further. Otherwise, this rule is ignored. Alternatively, if the current user profile is not the system profile and the context of the <rules> section is “User” or “UserAndSystem”, the rule is processed further. Otherwise, this rule is ignored. - - 4. LoadState creates a master list of migration units by processing the various subsections under the <rules> section. 
Each migration unit that is in an <include> subsection is migrated as long, as there is not a more specific rule for it in an <exclude> subsection in the same <rules> section. For more information about precedence, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md). - - 5. LoadState evaluates the destination computer-specific subsections; for example, the <destinationCleanup> and <locationModify> subsections. - - 6. If the destination computer is running Windows 7 or Windows 8 then the migunits that were collected by ScanState using downlevel manifest files are processed by LoadState using the corresponding Component Manifest for Windows 7. The downlevel manifest files are not used during LoadState. - - **Important** - It is important to specify the .xml files with the LoadState command if you want LoadState to use them. Otherwise, any destination-specific rules, such as <locationModify>, in these .xml files are ignored, even if the same .xml files were provided when the ScanState command ran. - - - -5. In the "Apply" phase, LoadState writes the migration units that were collected to the various locations on the destination computer. If there are conflicts and there is not a <merge> rule for the object, the default behavior for the registry is for the source to overwrite the destination. The default behavior for files is for the source to be renamed incrementally, for example, OriginalFileName(1).OriginalExtension. Some settings, such as fonts, wallpaper, and screen-saver settings, do not take effect until the next time the user logs on. For this reason, you should log off when the LoadState command actions have completed. - -## Related topics - - -[User State Migration Tool (USMT) Command-line Syntax](usmt-command-line-syntax.md) - - - - - - - - - +--- +title: How USMT Works (Windows 10) +description: Learn how USMT works and how it includes two tools that migrate settings and data - ScanState and LoadState. 
+ms.assetid: 5c8bd669-9e1e-473d-81e6-652f40b24171 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro +author: greg-lindsay +ms.topic: article +--- + +# How USMT Works + + +USMT includes two tools that migrate settings and data: ScanState and LoadState. ScanState collects information from the source computer, and LoadState applies that information to the destination computer. + +- [ScanState Process](#the-scanstate-process) +- [LoadState Process](#the-loadstate-process) + + **Note**   + For more information about how USMT processes the rules and the XML files, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md). + +## The ScanState Process + +When you run the ScanState tool on the source computer, it goes through the following process: + +1. It parses and validates the command-line parameters, creates the ScanState.log file, and then begins logging. + +2. It collects information about all of the migration components that need to be migrated. A *migration component* is a logical group of files, registry keys, and values. For example, the set of files, registry keys, and values that store the settings of Adobe Acrobat is grouped into a single migration component. + + There are three types of components: + + - Components that migrate the operating system settings + - Components that migrate application settings + - Components that migrate users’ files + + The ScanState tool collects information about the application settings and user data components from the .xml files that are specified on the command line. + + In Windows 7, and Windows 8, the manifest files control how the operating-system settings are migrated. You cannot modify these files. If you want to exclude certain operating-system settings, you must create and modify a Config.xml file. + +3. ScanState determines which user profiles should be migrated. By default, all user profiles on the source computer are migrated. 
However, you can include and exclude users using the User Options. The public profile in a source computer running Windows 7, Windows 8, and Windows 10 is always migrated, and you cannot exclude these profiles from the migration. + +4. In the "Scanning" phase, ScanState does the following for each user profile selected for migration: + + 1. For each component, ScanState checks the type of the component. If the current user profile is the system profile and the component type is “System” or “UserAndSystem”, the component is selected for this user. Otherwise, the component is ignored. Alternatively, if the current user profile is not the system profile and the component type is “User” or “UserAndSystem”, the component is selected for this user. Otherwise, this component is ignored. + + **Note**   + From this point on, ScanState does not distinguish between components that migrate operating-system settings, those that migrate application settings, and those that migrate users’ files. ScanState processes all components in the same way. + + 2. Each component that is selected in the previous step is processed further. Any profile-specific variables (such as CSIDL\_PERSONAL) are evaluated in the context of the current profile. For example, if the profile that is being processed belongs to “User1”, then CSIDL\_PERSONAL would expand to C:\\Users\\User1\\Documents, assuming that the user profiles are stored in the C:\\Users directory. + + 3. For each selected component, ScanState evaluates the <detects> section. If the condition in the <detects> section evaluates to false, the component is not processed any further. Otherwise, the processing of this component continues. + + 4. For each selected component, ScanState evaluates the <rules> sections. For each <rules> section, if the current user profile is the system profile and the context of the <rules> section is “System” or “UserAndSystem”, the rule is processed further. Otherwise, this rule is ignored. 
Alternatively, if the current user profile is not the system profile and the context of the <rules> section is “User” or “UserAndSystem”, the rule is processed further. Otherwise, this rule is ignored. + + 5. ScanState creates a list of migration units that need to be migrated by processing the various subsections under this <rules> section. Each unit is collected if it is mentioned in an <include> subsection, as long as there is not a more specific rule for it in an <exclude> subsection in the same <rules> section. For more information about precedence in the .xml files, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md). + + In addition, any migration unit (such as a file, registry key, or set of registry values) that is in an <UnconditionalExclude> section is not migrated. + + **Note**   + ScanState ignores some subsections such as <destinationCleanup> and <locationModify>. These sections are evaluated only on the destination computer. + +5. In the "Collecting" phase, ScanState creates a master list of the migration units by combining the lists that were created for each selected user profile. + +6. In the "Saving" phase, ScanState writes the migration units that were collected to the store location. + + **Note**   + ScanState does not modify the source computer in any way. + +## The LoadState Process + + +The LoadState process is very similar to the ScanState process. The ScanState tool collects migration units such as file, registry key, or registry values from the source computer and saves them to the store. Similarly, the LoadState tool collects migration units from the store and applies them to the destination computer. + +1. ScanState parses and validates the command-line parameters, creates the ScanState.log file, and then begins logging. + +2. LoadState collects information about the migration components that need to be migrated. 
+ + LoadState obtains information for the application-settings components and user-data components from the migration .xml files that are specified by the LoadState command. + + In Windows 7, and Windows 8, the manifest files control how the operating-system settings are migrated. You cannot modify these files. If you want to exclude certain operating-system settings, you must create and modify a Config.xml file. + +3. LoadState determines which user profiles should be migrated. By default, all user profiles present on the source computer are migrated. However, you can include and exclude users using the User Options. The system profile, the "All users" profile in a source computer running Windows XP, or the Public profile in a source computer running Windows Vista, Windows 7, and Windows 8, is always migrated and you cannot exclude these profiles from the migration. + + - If you are migrating local user accounts and if the accounts do not already exist on the destination computer, you must use the/lac command-line option. If you do not specify the **/lac** option, any local user accounts that are not already present on the destination computer, are not migrated. + + - The **/md** and **/mu** options are processed to rename the user profile on the destination computer, if they have been included when the LoadState command was specified. + + - For each user profile selected from the store, LoadState creates a corresponding user profile on the destination computer. The destination computer does not need to be connected to the domain for domain user profiles to be created. If USMT cannot determine a domain, it attempts to apply the settings to a local account. For more information, see [Identify Users](usmt-identify-users.md). + +4. In the "Scanning" phase, LoadState does the following for each user profile: + + 1. For each component, LoadState checks the type of the component. 
If the current user profile is the system profile and the component type is “System” or “UserAndSystem”, the component is selected for this user. Otherwise, the component is ignored. Alternatively, if the current user profile is not the system profile and the component type is “User” or “UserAndSystem”, the component is selected for this user. Otherwise, this component is ignored. + + **Note** + From this point on, LoadState does not distinguish between components that migrate operating-system settings, those that migrate application settings, and those that migrate users’ files. LoadState evaluates all components in the same way. + + + + 2. Each component that is selected is processed further. Any profile-specific variables (such as CSIDL\_PERSONAL) are evaluated in the context of the current profile. For example, if the profile being processed belongs to “User1”, then CSIDL\_PERSONAL would expand to C:\\Users\\User1\\Documents (assuming that the user profiles are stored in the C:\\Users directory). + + **Note** + LoadState ignores the <detects> section specified in a component. At this point, all specified components are considered to be detected and are selected for migration. + + + + 3. For each selected component, LoadState evaluates the <rules> sections. For each <rules> section, if the current user profile is the system profile and the context of the <rules> section is “System” or “UserAndSystem”, the rule is processed further. Otherwise, this rule is ignored. Alternatively, if the current user profile is not the system profile and the context of the <rules> section is “User” or “UserAndSystem”, the rule is processed further. Otherwise, this rule is ignored. + + 4. LoadState creates a master list of migration units by processing the various subsections under the <rules> section. Each migration unit that is in an <include> subsection is migrated as long, as there is not a more specific rule for it in an <exclude> subsection in the same <rules> section. 
For more information about precedence, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md). + + 5. LoadState evaluates the destination computer-specific subsections; for example, the <destinationCleanup> and <locationModify> subsections. + + 6. If the destination computer is running Windows 7 or Windows 8 then the migunits that were collected by ScanState using downlevel manifest files are processed by LoadState using the corresponding Component Manifest for Windows 7. The downlevel manifest files are not used during LoadState. + + **Important** + It is important to specify the .xml files with the LoadState command if you want LoadState to use them. Otherwise, any destination-specific rules, such as <locationModify>, in these .xml files are ignored, even if the same .xml files were provided when the ScanState command ran. + +5. In the "Apply" phase, LoadState writes the migration units that were collected to the various locations on the destination computer. If there are conflicts and there is not a <merge> rule for the object, the default behavior for the registry is for the source to overwrite the destination. The default behavior for files is for the source to be renamed incrementally, for example, OriginalFileName(1).OriginalExtension. Some settings, such as fonts, wallpaper, and screen-saver settings, do not take effect until the next time the user logs on. For this reason, you should log off when the LoadState command actions have completed. + +## Related topics + +[User State Migration Tool (USMT) Command-line Syntax](usmt-command-line-syntax.md) + + + + + + + + + diff --git a/windows/deployment/usmt/usmt-how-to.md b/windows/deployment/usmt/usmt-how-to.md index 9fdba24603..f883284978 100644 --- a/windows/deployment/usmt/usmt-how-to.md +++ b/windows/deployment/usmt/usmt-how-to.md 
@@ -1,35 +1,36 @@
----
-title: User State Migration Tool (USMT) How-to topics (Windows 10)
-description: User State Migration Tool (USMT) How-to topics
-ms.assetid: 7b9a2f2a-a43a-4984-9746-a767f9f1c7e3
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro author: greg-lindsay
-ms.date: 04/19/2017
-ms.topic: article
----
-
-# User State Migration Tool (USMT) How-to topics
-The following table lists topics that describe how to use User State Migration Tool (USMT) 10.0 to perform specific tasks.
-
-## In This Section
-
-|Topic |Description|
-|------|-----------|
-|[Exclude Files and Settings](usmt-exclude-files-and-settings.md)|Create a custom .xml file to exclude files, file types, folders, or registry settings from your migration.|
-|[Extract Files from a Compressed USMT Migration Store](usmt-extract-files-from-a-compressed-migration-store.md)|Recover files from a compressed migration store after installing the operating system.|
-|[Include Files and Settings](usmt-include-files-and-settings.md)|Create a custom .xml file to include files, file types, folders, or registry settings in your migration.|
-|[Migrate Application Settings](migrate-application-settings.md)|Migrate the settings of an application that the MigApp.xml file does not include by default.|
-|[Migrate EFS Files and Certificates](usmt-migrate-efs-files-and-certificates.md)|Migrate Encrypting File System (EFS) certificates by using USMT.|
-|[Migrate User Accounts](usmt-migrate-user-accounts.md)|Specify the users to include and exclude in your migration.|
-|[Reroute Files and Settings](usmt-reroute-files-and-settings.md)|Create a custom .xml file to reroute files and settings during a migration.|
-|[Verify the Condition of a Compressed Migration Store](verify-the-condition-of-a-compressed-migration-store.md)|Determine whether a compressed migration store is intact, or whether it contains corrupt files or a corrupt catalog.|
-
-## Related topics
-- [User State Migration Tool (USMT) Overview Topics](usmt-topics.md)
-- [User State Migration Tool (USMT) Troubleshooting](usmt-troubleshooting.md)
-- [User State Migration Toolkit (USMT) Reference](usmt-reference.md)
+---
+title: User State Migration Tool (USMT) How-to topics (Windows 10)
+description: Reference the topics in this article to learn how to use User State Migration Tool (USMT) 10.0 to perform specific tasks.
+ms.assetid: 7b9a2f2a-a43a-4984-9746-a767f9f1c7e3
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.date: 04/19/2017
+ms.topic: article
+---
+
+# User State Migration Tool (USMT) How-to topics
+The following table lists topics that describe how to use User State Migration Tool (USMT) 10.0 to perform specific tasks.
+
+## In This Section
+
+|Topic |Description|
+|------|-----------|
+|[Exclude Files and Settings](usmt-exclude-files-and-settings.md)|Create a custom .xml file to exclude files, file types, folders, or registry settings from your migration.|
+|[Extract Files from a Compressed USMT Migration Store](usmt-extract-files-from-a-compressed-migration-store.md)|Recover files from a compressed migration store after installing the operating system.|
+|[Include Files and Settings](usmt-include-files-and-settings.md)|Create a custom .xml file to include files, file types, folders, or registry settings in your migration.|
+|[Migrate Application Settings](migrate-application-settings.md)|Migrate the settings of an application that the MigApp.xml file does not include by default.|
+|[Migrate EFS Files and Certificates](usmt-migrate-efs-files-and-certificates.md)|Migrate Encrypting File System (EFS) certificates by using USMT.|
+|[Migrate User Accounts](usmt-migrate-user-accounts.md)|Specify the users to include and exclude in your migration.|
+|[Reroute Files and Settings](usmt-reroute-files-and-settings.md)|Create a custom .xml file to reroute files and settings during a migration.|
+|[Verify the Condition of a Compressed Migration Store](verify-the-condition-of-a-compressed-migration-store.md)|Determine whether a compressed migration store is intact, or whether it contains corrupt files or a corrupt catalog.|
+
+## Related topics
+- [User State Migration Tool (USMT) Overview Topics](usmt-topics.md)
+- [User State Migration Tool (USMT) Troubleshooting](usmt-troubleshooting.md)
+- [User State Migration Toolkit (USMT) Reference](usmt-reference.md)
diff --git a/windows/deployment/usmt/usmt-identify-file-types-files-and-folders.md b/windows/deployment/usmt/usmt-identify-file-types-files-and-folders.md
index 45cd2a17a7..e8c15402b9 100644
--- a/windows/deployment/usmt/usmt-identify-file-types-files-and-folders.md
+++ b/windows/deployment/usmt/usmt-identify-file-types-files-and-folders.md
@@ -1,51 +1,52 @@ ---- -title: Identify File Types, Files, and Folders (Windows 10) -description: Identify File Types, Files, and Folders -ms.assetid: 93bb2a33-c126-4f7a-a961-6c89686d54e0 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# Identify File Types, Files, and Folders - - -When planning for your migration, if not using MigDocs.xml, you should identify the file types, files, folders, and settings that you want to migrate. First, you should determine the standard file locations on each computer, such as **My Documents.** , **C:\\Data** , and company-specified locations, such as **\\EngineeringDrafts**. Next, you should determine and locate the non-standard locations. For non-standard locations, consider the following: - -- **File types**. Consider which file types need to be included and excluded from the migration. You can create this list based on common applications used in your organization. Applications normally use specific file name extensions. For example, Microsoft Office Word primarily uses .doc, .docx and .dotx file name extension. However, it also uses other file types, such as templates (.dot files), on a less frequent basis. - -- **Excluded locations**. Consider the locations on the computer that should be excluded from the migration (for example, %WINDIR% and Program Files). - -- **New locations**. Decide where files should be migrated to on the destination computer for example, \\My Documents, a designated folder, or a folder matching the files' name and location on the source computer. For example, you might have shared data on source machine or you might wish to clean up documents outside the user profiles on the source system. Identify any data that needs to be redirected to a new location in the apply phase. This can be accomplished with location modify rules. 
- -Once you have verified which files and file types that the end users work with regularly, you will need to locate them. Files may be saved to a single folder or scattered across a drive. A good starting point for finding files types to include is to look at the registered file types on the computer. - -**To find the registered file types on a computer running Windows 7 or Windows 8** - -1. Click **Start**. Open **Control Panel**, click **Control Panel Home**, and click **Programs**. - -2. Click **Default Programs**, and click **Associate a file type or protocol with a program**. - -3. On this screen, the registered file types are displayed. - -For more information about how to change the file types, files, and folders that are migrated when you specify the MigUser.xml file, see [User State Migration Tool (USMT) How-to topics](usmt-how-to.md). - -## Related topics - - -[Determine What to Migrate](usmt-determine-what-to-migrate.md) - -  - -  - - - - - +--- +title: Identify File Types, Files, and Folders (Windows 10) +description: Learn how to identify the file types, files, folders, and settings that you want to migrate when you're planning your migration. +ms.assetid: 93bb2a33-c126-4f7a-a961-6c89686d54e0 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro +author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# Identify File Types, Files, and Folders + + +When planning for your migration, if not using MigDocs.xml, you should identify the file types, files, folders, and settings that you want to migrate. First, you should determine the standard file locations on each computer, such as **My Documents.** , **C:\\Data** , and company-specified locations, such as **\\EngineeringDrafts**. Next, you should determine and locate the non-standard locations. For non-standard locations, consider the following: + +- **File types**. 
Consider which file types need to be included and excluded from the migration. You can create this list based on common applications used in your organization. Applications normally use specific file name extensions. For example, Microsoft Office Word primarily uses .doc, .docx and .dotx file name extension. However, it also uses other file types, such as templates (.dot files), on a less frequent basis. + +- **Excluded locations**. Consider the locations on the computer that should be excluded from the migration (for example, %WINDIR% and Program Files). + +- **New locations**. Decide where files should be migrated to on the destination computer for example, \\My Documents, a designated folder, or a folder matching the files' name and location on the source computer. For example, you might have shared data on source machine or you might wish to clean up documents outside the user profiles on the source system. Identify any data that needs to be redirected to a new location in the apply phase. This can be accomplished with location modify rules. + +Once you have verified which files and file types that the end users work with regularly, you will need to locate them. Files may be saved to a single folder or scattered across a drive. A good starting point for finding files types to include is to look at the registered file types on the computer. + +**To find the registered file types on a computer running Windows 7 or Windows 8** + +1. Click **Start**. Open **Control Panel**, click **Control Panel Home**, and click **Programs**. + +2. Click **Default Programs**, and click **Associate a file type or protocol with a program**. + +3. On this screen, the registered file types are displayed. + +For more information about how to change the file types, files, and folders that are migrated when you specify the MigUser.xml file, see [User State Migration Tool (USMT) How-to topics](usmt-how-to.md). 
+
+## Related topics
+
+
+[Determine What to Migrate](usmt-determine-what-to-migrate.md)
+
+ 
+
+ 
+
+
+
+
+
diff --git a/windows/deployment/usmt/usmt-identify-users.md b/windows/deployment/usmt/usmt-identify-users.md
index b58c711dbf..f592773c30 100644
--- a/windows/deployment/usmt/usmt-identify-users.md
+++ b/windows/deployment/usmt/usmt-identify-users.md
@@ -1,6 +1,6 @@
 ---
 title: Identify Users (Windows 10)
-description: Identify Users
+description: Learn how to identify users you plan to migrate, as well as how to migrate local accounts and domain accounts.
 ms.assetid: 957a4fe9-79fd-44a2-8c26-33e50f71f9de
 ms.reviewer:
 manager: laurawi
diff --git a/windows/deployment/usmt/usmt-loadstate-syntax.md b/windows/deployment/usmt/usmt-loadstate-syntax.md
index 3bbf83959b..2a52999416 100644
--- a/windows/deployment/usmt/usmt-loadstate-syntax.md
+++ b/windows/deployment/usmt/usmt-loadstate-syntax.md
@@ -1,6 +1,6 @@
 ---
 title: LoadState Syntax (Windows 10)
-description: LoadState Syntax
+description: Learn about the syntax and usage of the command-line options available when you use the LoadState command.
 ms.assetid: 53d2143b-cbe9-4cfc-8506-36e9d429f6d4
 ms.reviewer:
 manager: laurawi
diff --git a/windows/deployment/usmt/usmt-log-files.md b/windows/deployment/usmt/usmt-log-files.md
index d9917d3495..7460f63692 100644
--- a/windows/deployment/usmt/usmt-log-files.md
+++ b/windows/deployment/usmt/usmt-log-files.md
@@ -1,6 +1,6 @@
 ---
 title: Log Files (Windows 10)
-description: Log Files
+description: Learn how to use User State Migration Tool (USMT) 10.0 logs to monitor your migration and to troubleshoot errors and failed migrations.
 ms.assetid: 28185ebd-630a-4bbd-94f4-8c48aad05649
 ms.reviewer:
 manager: laurawi
diff --git a/windows/deployment/usmt/usmt-migrate-efs-files-and-certificates.md b/windows/deployment/usmt/usmt-migrate-efs-files-and-certificates.md
index 706f2c6a6e..17fe9cfc7d 100644
--- a/windows/deployment/usmt/usmt-migrate-efs-files-and-certificates.md
+++ b/windows/deployment/usmt/usmt-migrate-efs-files-and-certificates.md
@@ -1,55 +1,56 @@ ---- -title: Migrate EFS Files and Certificates (Windows 10) -description: Migrate EFS Files and Certificates -ms.assetid: 7f19a753-ec45-4433-b297-cc30f16fdee1 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# Migrate EFS Files and Certificates - - -This topic describes how to migrate Encrypting File System (EFS) certificates. For more information about the **/efs** For options, see [ScanState Syntax](usmt-scanstate-syntax.md). - -## To Migrate EFS Files and Certificates - - -Encrypting File System (EFS) certificates will be migrated automatically. However, by default, the User State Migration Tool (USMT) 10.0 fails if an encrypted file is found (unless you specify an **/efs** option). Therefore, you must specify **/efs:abort | skip | decryptcopy | copyraw | hardlink** with the ScanState command to migrate the encrypted files. Then, when you run the LoadState command on the destination computer, the encrypted file and the EFS certificate will be automatically migrated. - -**Note**   -The **/efs** options are not used with the LoadState command. - - - -Before using the ScanState tool for a migration that includes encrypted files and EFS certificates, you must ensure that all files in an encrypted folder are encrypted as well or remove the encryption attribute from folders that contain unencrypted files. If the encryption attribute has been removed from a file but not from the parent folder, the file will be encrypted during the migration using the credentials of the account used to run the LoadState tool. - -You can run the Cipher tool at a Windows command prompt to review and change encryption settings on files and folders. 
For example, to remove encryption from a folder, at a command prompt type: - -``` syntax -Cipher /D /S: -``` - -Where *<Path>* is the full path of the topmost parent directory where the encryption attribute is set. - -## Related topics - - -[What Does USMT Migrate?](usmt-what-does-usmt-migrate.md) - -[Identify File Types, Files, and Folders](usmt-identify-file-types-files-and-folders.md) - - - - - - - - - +--- +title: Migrate EFS Files and Certificates (Windows 10) +description: Learn how to migrate Encrypting File System (EFS) certificates. Also, learn where to find information about how to identify file types, files, and folders. +ms.assetid: 7f19a753-ec45-4433-b297-cc30f16fdee1 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro +author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# Migrate EFS Files and Certificates + + +This topic describes how to migrate Encrypting File System (EFS) certificates. For more information about the **/efs** For options, see [ScanState Syntax](usmt-scanstate-syntax.md). + +## To Migrate EFS Files and Certificates + + +Encrypting File System (EFS) certificates will be migrated automatically. However, by default, the User State Migration Tool (USMT) 10.0 fails if an encrypted file is found (unless you specify an **/efs** option). Therefore, you must specify **/efs:abort | skip | decryptcopy | copyraw | hardlink** with the ScanState command to migrate the encrypted files. Then, when you run the LoadState command on the destination computer, the encrypted file and the EFS certificate will be automatically migrated. + +**Note**   +The **/efs** options are not used with the LoadState command. 
+ + + +Before using the ScanState tool for a migration that includes encrypted files and EFS certificates, you must ensure that all files in an encrypted folder are encrypted as well or remove the encryption attribute from folders that contain unencrypted files. If the encryption attribute has been removed from a file but not from the parent folder, the file will be encrypted during the migration using the credentials of the account used to run the LoadState tool. + +You can run the Cipher tool at a Windows command prompt to review and change encryption settings on files and folders. For example, to remove encryption from a folder, at a command prompt type: + +``` syntax +Cipher /D /S: +``` + +Where *<Path>* is the full path of the topmost parent directory where the encryption attribute is set. + +## Related topics + + +[What Does USMT Migrate?](usmt-what-does-usmt-migrate.md) + +[Identify File Types, Files, and Folders](usmt-identify-file-types-files-and-folders.md) + + + + + + + + + diff --git a/windows/deployment/usmt/usmt-migrate-user-accounts.md b/windows/deployment/usmt/usmt-migrate-user-accounts.md index 663964c7eb..330d9984b5 100644 --- a/windows/deployment/usmt/usmt-migrate-user-accounts.md +++ b/windows/deployment/usmt/usmt-migrate-user-accounts.md 
@@ -1,96 +1,97 @@ ---- -title: Migrate User Accounts (Windows 10) -description: Migrate User Accounts -ms.assetid: a3668361-43c8-4fd2-b26e-9a2deaeaeb09 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# Migrate User Accounts - - -By default, all users are migrated. The only way to specify which users to include and exclude is on the command line by using the User options. You cannot specify users in the migration XML files or by using the Config.xml file. - -## In this Topic - - -- [To migrate all user accounts and user settings](#bkmk-migrateall) - -- [To migrate two domain accounts (User1 and User2)](#bkmk-migratetwo) - -- [To migrate two domain accounts (User1 and User2) and move User1 from the Contoso domain to the Fabrikam domain](#bkmk-migratemoveuserone) - -## To migrate all user accounts and user settings -Links to detailed explanations of commands are available in the Related Topics section. - -1. Log on to the source computer as an administrator, and specify the following in a **Command-Prompt** window: - - `scanstate \\server\share\migration\mystore /i:migdocs.xml /i:migapp.xml /o` - -2. Log on to the destination computer as an administrator. - -3. Do one of the following: - - - If you are migrating domain accounts, specify: - - `loadstate \\server\share\migration\mystore /i:migdocs.xml /i:migapp.xml` - - - If you are migrating local accounts along with domain accounts, specify: - - `loadstate \\server\share\migration\mystore /i:migdocs.xml /i:migapp.xml /lac /lae` - - **Note**   - You do not have to specify the **/lae** option, which enables the account that was created with the **/lac** option. Instead, you can create a disabled local account by specifying only the **/lac** option, and then a local administrator needs to enable the account on the destination computer. 
- - - -## To migrate two domain accounts (User1 and User2) -Links to detailed explanations of commands are available in the Related Topics section. - -1. Log on to the source computer as an administrator, and specify: - - `scanstate \\server\share\migration\mystore /ue:*\* /ui:contoso\user1 /ui:fabrikam\user2 /i:migdocs.xml /i:migapp.xml /o` - -2. Log on to the destination computer as an administrator. - -3. Specify the following: - - `loadstate \\server\share\migration\mystore /i:migdocs.xml /i:migapp.xml` - -## To migrate two domain accounts (User1 and User2) and move User1 from the Contoso domain to the Fabrikam domain -Links to detailed explanations of commands are available in the Related Topics section. - -1. Log on to the source computer as an administrator, and type the following at the command-line prompt: - - `scanstate \\server\share\migration\mystore /ue:*\* /ui:contoso\user1 /ui:contoso\user2 /i:migdocs.xml /i:migapp.xml /o` - -2. Log on to the destination computer as an administrator. - -3. Specify the following: - - `loadstate \\server\share\migration\mystore /mu:contoso\user1:fabrikam\user2 /i:migdocs.xml /i:migapp.xml` - -## Related topics - - -[Identify Users](usmt-identify-users.md) - -[ScanState Syntax](usmt-scanstate-syntax.md) - -[LoadState Syntax](usmt-loadstate-syntax.md) - - - - - - - - - +--- +title: Migrate User Accounts (Windows 10) +description: Learn how to migrate user accounts and how to specify which users to include and exclude by using the User options on the command line. +ms.assetid: a3668361-43c8-4fd2-b26e-9a2deaeaeb09 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro +author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# Migrate User Accounts + + +By default, all users are migrated. The only way to specify which users to include and exclude is on the command line by using the User options. 
You cannot specify users in the migration XML files or by using the Config.xml file. + +## In this Topic + + +- [To migrate all user accounts and user settings](#bkmk-migrateall) + +- [To migrate two domain accounts (User1 and User2)](#bkmk-migratetwo) + +- [To migrate two domain accounts (User1 and User2) and move User1 from the Contoso domain to the Fabrikam domain](#bkmk-migratemoveuserone) + +## To migrate all user accounts and user settings +Links to detailed explanations of commands are available in the Related Topics section. + +1. Log on to the source computer as an administrator, and specify the following in a **Command-Prompt** window: + + `scanstate \\server\share\migration\mystore /i:migdocs.xml /i:migapp.xml /o` + +2. Log on to the destination computer as an administrator. + +3. Do one of the following: + + - If you are migrating domain accounts, specify: + + `loadstate \\server\share\migration\mystore /i:migdocs.xml /i:migapp.xml` + + - If you are migrating local accounts along with domain accounts, specify: + + `loadstate \\server\share\migration\mystore /i:migdocs.xml /i:migapp.xml /lac /lae` + + **Note**   + You do not have to specify the **/lae** option, which enables the account that was created with the **/lac** option. Instead, you can create a disabled local account by specifying only the **/lac** option, and then a local administrator needs to enable the account on the destination computer. + + + +## To migrate two domain accounts (User1 and User2) +Links to detailed explanations of commands are available in the Related Topics section. + +1. Log on to the source computer as an administrator, and specify: + + `scanstate \\server\share\migration\mystore /ue:*\* /ui:contoso\user1 /ui:fabrikam\user2 /i:migdocs.xml /i:migapp.xml /o` + +2. Log on to the destination computer as an administrator. + +3. 
Specify the following: + + `loadstate \\server\share\migration\mystore /i:migdocs.xml /i:migapp.xml` + +## To migrate two domain accounts (User1 and User2) and move User1 from the Contoso domain to the Fabrikam domain +Links to detailed explanations of commands are available in the Related Topics section. + +1. Log on to the source computer as an administrator, and type the following at the command-line prompt: + + `scanstate \\server\share\migration\mystore /ue:*\* /ui:contoso\user1 /ui:contoso\user2 /i:migdocs.xml /i:migapp.xml /o` + +2. Log on to the destination computer as an administrator. + +3. Specify the following: + + `loadstate \\server\share\migration\mystore /mu:contoso\user1:fabrikam\user2 /i:migdocs.xml /i:migapp.xml` + +## Related topics + + +[Identify Users](usmt-identify-users.md) + +[ScanState Syntax](usmt-scanstate-syntax.md) + +[LoadState Syntax](usmt-loadstate-syntax.md) + + + + + + + + + diff --git a/windows/deployment/usmt/usmt-overview.md b/windows/deployment/usmt/usmt-overview.md index 6d80871901..5ec6da19d3 100644 --- a/windows/deployment/usmt/usmt-overview.md +++ b/windows/deployment/usmt/usmt-overview.md 
@@ -1,60 +1,61 @@ ---- -title: User State Migration Tool (USMT) Overview (Windows 10) -description: User State Migration Tool (USMT) Overview -ms.assetid: 3b649431-ad09-4b17-895a-3fec7ac0a81f -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.date: 10/16/2017 -ms.topic: article ---- - -# User State Migration Tool (USMT) Overview -You can use User State Migration Tool (USMT) 10.0 to streamline and simplify user state migration during large deployments of Windows operating systems. USMT captures user accounts, user files, operating system settings, and application settings, and then migrates them to a new Windows installation. You can use USMT for both PC replacement and PC refresh migrations. For more information, see [Common Migration Scenarios](usmt-common-migration-scenarios.md). - -USMT enables you to do the following: - -- Configure your migration according to your business needs by using the migration rule (.xml) files to control exactly which files and settings are migrated and how they are migrated. For more information about how to modify these files, see [USMT XML Reference](usmt-xml-reference.md). - -- Fit your customized migration into your automated deployment process by using the ScanState and LoadState tools, which control collecting and restoring the user files and settings. For more information, see [User State Migration Tool (USMT) Command-line Syntax](usmt-command-line-syntax.md). - -- Perform offline migrations. You can run migrations offline by using the ScanState command in Windows Preinstallation Environment (WinPE) or you can perform migrations from previous installations of Windows contained in Windows.old directories. For more information about migration types, see [Choose a Migration Store Type](usmt-choose-migration-store-type.md) and [Offline Migration Reference](offline-migration-reference.md). 
- -## Benefits -USMT provides the following benefits to businesses that are deploying Windows operating systems: - -- Safely migrates user accounts, operating system and application settings. - -- Lowers the cost of deploying Windows by preserving user state. - -- Reduces end-user downtime required to customize desktops and find missing files. - -- Reduces help-desk calls. - -- Reduces the time needed for the user to become familiar with the new operating system. - -- Increases employee satisfaction with the migration experience. - -## Limitations -USMT is intended for administrators who are performing large-scale automated deployments. If you are only migrating the user states of a few computers, you can use [PCmover Express](https://go.microsoft.com/fwlink/?linkid=620915). PCmover Express is a tool created by Microsoft's partner, Laplink. - -There are some scenarios in which the use of USMT is not recommended. These include: - -- Migrations that require end-user interaction. - -- Migrations that require customization on a machine-by-machine basis. - -## Related topics -- [User State Migration Tool (USMT) Technical Reference](usmt-technical-reference.md) - - -  - - - - - +--- +title: User State Migration Tool (USMT) Overview (Windows 10) +description: Learn about using User State Migration Tool (USMT) 10.0 to streamline and simplify user state migration during large deployments of Windows operating systems. +ms.assetid: 3b649431-ad09-4b17-895a-3fec7ac0a81f +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro +author: greg-lindsay +ms.date: 10/16/2017 +ms.topic: article +--- + +# User State Migration Tool (USMT) Overview +You can use User State Migration Tool (USMT) 10.0 to streamline and simplify user state migration during large deployments of Windows operating systems. 
USMT captures user accounts, user files, operating system settings, and application settings, and then migrates them to a new Windows installation. You can use USMT for both PC replacement and PC refresh migrations. For more information, see [Common Migration Scenarios](usmt-common-migration-scenarios.md). + +USMT enables you to do the following: + +- Configure your migration according to your business needs by using the migration rule (.xml) files to control exactly which files and settings are migrated and how they are migrated. For more information about how to modify these files, see [USMT XML Reference](usmt-xml-reference.md). + +- Fit your customized migration into your automated deployment process by using the ScanState and LoadState tools, which control collecting and restoring the user files and settings. For more information, see [User State Migration Tool (USMT) Command-line Syntax](usmt-command-line-syntax.md). + +- Perform offline migrations. You can run migrations offline by using the ScanState command in Windows Preinstallation Environment (WinPE) or you can perform migrations from previous installations of Windows contained in Windows.old directories. For more information about migration types, see [Choose a Migration Store Type](usmt-choose-migration-store-type.md) and [Offline Migration Reference](offline-migration-reference.md). + +## Benefits +USMT provides the following benefits to businesses that are deploying Windows operating systems: + +- Safely migrates user accounts, operating system and application settings. + +- Lowers the cost of deploying Windows by preserving user state. + +- Reduces end-user downtime required to customize desktops and find missing files. + +- Reduces help-desk calls. + +- Reduces the time needed for the user to become familiar with the new operating system. + +- Increases employee satisfaction with the migration experience. 
+ +## Limitations +USMT is intended for administrators who are performing large-scale automated deployments. If you are only migrating the user states of a few computers, you can use [PCmover Express](https://go.microsoft.com/fwlink/?linkid=620915). PCmover Express is a tool created by Microsoft's partner, Laplink. + +There are some scenarios in which the use of USMT is not recommended. These include: + +- Migrations that require end-user interaction. + +- Migrations that require customization on a machine-by-machine basis. + +## Related topics +- [User State Migration Tool (USMT) Technical Reference](usmt-technical-reference.md) + + +  + + + + + diff --git a/windows/deployment/usmt/usmt-plan-your-migration.md b/windows/deployment/usmt/usmt-plan-your-migration.md index 1fa60664bd..7ea0c4d341 100644 --- a/windows/deployment/usmt/usmt-plan-your-migration.md +++ b/windows/deployment/usmt/usmt-plan-your-migration.md 
@@ -1,71 +1,72 @@ ---- -title: Plan Your Migration (Windows 10) -description: Plan Your Migration -ms.assetid: c951f7df-850e-47ad-b31b-87f902955e3e -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# Plan Your Migration - - -Before you use the User State Migration Tool (USMT) 10.0 to perform your migration, we recommend that you plan your migration carefully. Planning can help your migration proceed smoothly and can reduce the risk of migration failure. - -In migration planning, both organizations and individuals must first identify what to migrate, including user settings, applications and application settings, and personal data files and folders. Identifying the applications to migrate is especially important so that you can avoid capturing data about applications that may be phased out. - -One of the most important requirements for migrating settings and data is restoring only the information that the destination computer requires. Although the data that you capture on the source computer may be more comprehensive than the restoration data for backup purposes, restoring data or settings for applications that you will not install on the destination system is redundant. This can also introduce instability in a newly deployed computer. - -## In This Section - - - ---- - - - - - - - - - - - - - - - - - - - - - - -

      Common Migration Scenarios

      Determine whether you will perform a refresh migration or a replace migration.

      What Does USMT Migrate?

      Learn which applications, user data, and operating system components USMT migrates.

      Choose a Migration Store Type

      Choose an uncompressed, compressed, or hard-link migration store.

      Determine What to Migrate

      Identify user accounts, application settings, operating system settings, and files that you want to migrate inside your organization.

      Test Your Migration

      Test your migration before you deploy Windows to all users.

      - - - -## Related topics - - -[USMT XML Reference](usmt-xml-reference.md) - - - - - - - - - +--- +title: Plan Your Migration (Windows 10) +description: Learn how to your plan your migration carefully so your migration can proceed smoothly and so that you reduce the risk of migration failure. +ms.assetid: c951f7df-850e-47ad-b31b-87f902955e3e +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro +author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# Plan Your Migration + + +Before you use the User State Migration Tool (USMT) 10.0 to perform your migration, we recommend that you plan your migration carefully. Planning can help your migration proceed smoothly and can reduce the risk of migration failure. + +In migration planning, both organizations and individuals must first identify what to migrate, including user settings, applications and application settings, and personal data files and folders. Identifying the applications to migrate is especially important so that you can avoid capturing data about applications that may be phased out. + +One of the most important requirements for migrating settings and data is restoring only the information that the destination computer requires. Although the data that you capture on the source computer may be more comprehensive than the restoration data for backup purposes, restoring data or settings for applications that you will not install on the destination system is redundant. This can also introduce instability in a newly deployed computer. + +## In This Section + + + ++++ + + + + + + + + + + + + + + + + + + + + + + +

      Common Migration Scenarios

      Determine whether you will perform a refresh migration or a replace migration.

      What Does USMT Migrate?

      Learn which applications, user data, and operating system components USMT migrates.

      Choose a Migration Store Type

      Choose an uncompressed, compressed, or hard-link migration store.

      Determine What to Migrate

      Identify user accounts, application settings, operating system settings, and files that you want to migrate inside your organization.

      Test Your Migration

      Test your migration before you deploy Windows to all users.

      + + + +## Related topics + + +[USMT XML Reference](usmt-xml-reference.md) + + + + + + + + + diff --git a/windows/deployment/usmt/usmt-recognized-environment-variables.md b/windows/deployment/usmt/usmt-recognized-environment-variables.md index d2862feb9a..dfb923bbd4 100644 --- a/windows/deployment/usmt/usmt-recognized-environment-variables.md +++ b/windows/deployment/usmt/usmt-recognized-environment-variables.md 
@@ -1,470 +1,471 @@ ---- -title: Recognized Environment Variables (Windows 10) -description: Recognized Environment Variables -ms.assetid: 2b0ac412-e131-456e-8f0c-c26249b5f3df -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# Recognized Environment Variables - - -When using the XML files MigDocs.xml, MigApp.xml, and MigUser.xml, you can use environment variables to identify folders that may be different on different computers. Constant special item ID list (CSIDL) values provide a way to identify folders that applications use frequently but may not have the same name or location on any given computer. For example, the documents folder may be C:\\Users\\<Username>\\My Documents on one computer and C:\\Documents and Settings on another. You can use the asterisk (\*) wildcard character in MigUser.xml, MigApp.xml and MigDoc.xml files. However, you cannot use the asterisk (\*) wildcard characters in the Config.xml file. - -## In This Topic - - -- [Variables that are processed for the operating system and in the context of each user](#bkmk-1) - -- [Variables that are recognized only in the user context](#bkmk-2) - -## Variables that are processed for the operating system and in the context of each user - - -You can use these variables within sections in the .xml files with `context=UserAndSystem`, `context=User`, and `context=System`. - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      VariableExplanation

      ALLUSERSAPPDATA

      Same as CSIDL_COMMON_APPDATA.

      ALLUSERSPROFILE

      Refers to %PROFILESFOLDER%\Public or %PROFILESFOLDER%\all users.

      COMMONPROGRAMFILES

      Same as CSIDL_PROGRAM_FILES_COMMON.

      COMMONPROGRAMFILES(X86)

      Refers to the C:\Program Files (x86)\Common Files folder on 64-bit systems.

      CSIDL_COMMON_ADMINTOOLS

      Version 10.0. The file-system directory that contains administrative tools for all users of the computer.

      CSIDL_COMMON_ALTSTARTUP

      The file-system directory that corresponds to the non-localized Startup program group for all users.

      CSIDL_COMMON_APPDATA

      The file-system directory that contains application data for all users. A typical path Windows is C:\ProgramData.

      CSIDL_COMMON_DESKTOPDIRECTORY

      The file-system directory that contains files and folders that appear on the desktop for all users. A typical Windows® XP path is C:\Documents and Settings\All Users\Desktop. A typical path is C:\Users\Public\Desktop.

      CSIDL_COMMON_DOCUMENTS

      The file-system directory that contains documents that are common to all users. A typical path in Windows XP is C:\Documents and Settings\All Users\Documents. A typical path is C:\Users\Public\Documents.

      CSIDL_COMMON_FAVORITES

      The file-system directory that serves as a common repository for favorites common to all users. A typical path is C:\Users\Public\Favorites.

      CSIDL_COMMON_MUSIC

      The file-system directory that serves as a repository for music files common to all users. A typical path is C:\Users\Public\Music.

      CSIDL_COMMON_PICTURES

      The file-system directory that serves as a repository for image files common to all users. A typical path is C:\Users\Public\Pictures.

      CSIDL_COMMON_PROGRAMS

      The file-system directory that contains the directories for the common program groups that appear on the Start menu for all users. A typical path is C:\ProgramData\Microsoft\Windows\Start Menu\Programs.

      CSIDL_COMMON_STARTMENU

      The file-system directory that contains the programs and folders which appear on the Start menu for all users. A typical path in Windows is C:\ProgramData\Microsoft\Windows\Start Menu.

      CSIDL_COMMON_STARTUP

      The file-system directory that contains the programs that appear in the Startup folder for all users. A typical path in Windows XP is C:\Documents and Settings\All Users\Start Menu\Programs\Startup. A typical path is C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup.

      CSIDL_COMMON_TEMPLATES

      The file-system directory that contains the templates that are available to all users. A typical path is C:\ProgramData\Microsoft\Windows\Templates.

      CSIDL_COMMON_VIDEO

      The file-system directory that serves as a repository for video files common to all users. A typical path is C:\Users\Public\Videos.

      CSIDL_DEFAULT_APPDATA

      Refers to the Appdata folder inside %DEFAULTUSERPROFILE%.

      CSIDL_DEFAULT_LOCAL_APPDATA

      Refers to the local Appdata folder inside %DEFAULTUSERPROFILE%.

      CSIDL_DEFAULT_COOKIES

      Refers to the Cookies folder inside %DEFAULTUSERPROFILE%.

      CSIDL_DEFAULT_CONTACTS

      Refers to the Contacts folder inside %DEFAULTUSERPROFILE%.

      CSIDL_DEFAULT_DESKTOP

      Refers to the Desktop folder inside %DEFAULTUSERPROFILE%.

      CSIDL_DEFAULT_DOWNLOADS

      Refers to the Downloads folder inside %DEFAULTUSERPROFILE%.

      CSIDL_DEFAULT_FAVORITES

      Refers to the Favorites folder inside %DEFAULTUSERPROFILE%.

      CSIDL_DEFAULT_HISTORY

      Refers to the History folder inside %DEFAULTUSERPROFILE%.

      CSIDL_DEFAULT_INTERNET_CACHE

      Refers to the Internet Cache folder inside %DEFAULTUSERPROFILE%.

      CSIDL_DEFAULT_PERSONAL

      Refers to the Personal folder inside %DEFAULTUSERPROFILE%.

      CSIDL_DEFAULT_MYDOCUMENTS

      Refers to the My Documents folder inside %DEFAULTUSERPROFILE%.

      CSIDL_DEFAULT_MYPICTURES

      Refers to the My Pictures folder inside %DEFAULTUSERPROFILE%.

      CSIDL_DEFAULT_MYMUSIC

      Refers to the My Music folder inside %DEFAULTUSERPROFILE%.

      CSIDL_DEFAULT_MYVIDEO

      Refers to the My Videos folder inside %DEFAULTUSERPROFILE%.

      CSIDL_DEFAULT_RECENT

      Refers to the Recent folder inside %DEFAULTUSERPROFILE%.

      CSIDL_DEFAULT_SENDTO

      Refers to the Send To folder inside %DEFAULTUSERPROFILE%.

      CSIDL_DEFAULT_STARTMENU

      Refers to the Start Menu folder inside %DEFAULTUSERPROFILE%.

      CSIDL_DEFAULT_PROGRAMS

      Refers to the Programs folder inside %DEFAULTUSERPROFILE%.

      CSIDL_DEFAULT_STARTUP

      Refers to the Startup folder inside %DEFAULTUSERPROFILE%.

      CSIDL_DEFAULT_TEMPLATES

      Refers to the Templates folder inside %DEFAULTUSERPROFILE%.

      CSIDL_DEFAULT_QUICKLAUNCH

      Refers to the Quick Launch folder inside %DEFAULTUSERPROFILE%.

      CSIDL_FONTS

      A virtual folder containing fonts. A typical path is C:\Windows\Fonts.

      CSIDL_PROGRAM_FILESX86

      The Program Files folder on 64-bit systems. A typical path is C:\Program Files(86).

      CSIDL_PROGRAM_FILES_COMMONX86

      A folder for components that are shared across applications on 64-bit systems. A typical path is C:\Program Files(86)\Common.

      CSIDL_PROGRAM_FILES

      The Program Files folder. A typical path is C:\Program Files.

      CSIDL_PROGRAM_FILES_COMMON

      A folder for components that are shared across applications. A typical path is C:\Program Files\Common.

      CSIDL_RESOURCES

      The file-system directory that contains resource data. A typical path is C:\Windows\Resources.

      CSIDL_SYSTEM

      The Windows System folder. A typical path is C:\Windows\System32.

      CSIDL_WINDOWS

      The Windows directory or system root. This corresponds to the %WINDIR% or %SYSTEMROOT% environment variables. A typical path is C:\Windows.

      DEFAULTUSERPROFILE

      Refers to the value in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList [DefaultUserProfile].

      PROFILESFOLDER

      Refers to the value in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList [ProfilesDirectory].

      PROGRAMFILES

      Same as CSIDL_PROGRAM_FILES.

      PROGRAMFILES(X86)

      Refers to the C:\Program Files (x86) folder on 64-bit systems.

      SYSTEM

      Refers to %WINDIR%\system32.

      SYSTEM16

      Refers to %WINDIR%\system.

      SYSTEM32

      Refers to %WINDIR%\system32.

      SYSTEMPROFILE

      Refers to the value in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18 [ProfileImagePath].

      SYSTEMROOT

      Refers to the root of the system drive.

      WINDIR

      Refers to the Windows folder located on the system drive.

      - -  - -## Variables that are recognized only in the user context - - -You can use these variables in the .xml files within sections with `context=User` and `context=UserAndSystem`. - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      VariableExplanation

      APPDATA

      Same as CSIDL_APPDATA.

      CSIDL_ADMINTOOLS

      The file-system directory that is used to store administrative tools for an individual user. The Microsoft® Management Console (MMC) saves customized consoles to this directory, which roams with the user profile.

      CSIDL_ALTSTARTUP

      The file-system directory that corresponds to the user's non-localized Startup program group.

      CSIDL_APPDATA

      The file-system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\username\Application Data or C:\Users\username\AppData\Roaming.

      CSIDL_BITBUCKET

      The virtual folder that contains the objects in the user's Recycle Bin.

      CSIDL_CDBURN_AREA

      The file-system directory acting as a staging area for files waiting to be written to CD. A typical path is C:\Users\username\AppData\Local\Microsoft\Windows\MasteredBurning\Disc Burning.

      CSIDL_CONNECTIONS

      The virtual folder representing Network Connections that contains network and dial-up connections.

      CSIDL_CONTACTS

      This refers to the Contacts folder in %CSIDL_PROFILE%.

      CSIDL_CONTROLS

      The virtual folder that contains icons for the Control Panel items.

      CSIDL_COOKIES

      The file-system directory that serves as a common repository for Internet cookies. A typical path is C:\Users\username\AppData\Roaming\Microsoft\Windows\Cookies.

      CSIDL_DESKTOP

      The virtual folder representing the Windows desktop.

      CSIDL_DESKTOPDIRECTORY

      The file-system directory used to physically store file objects on the desktop, which should not be confused with the desktop folder itself. A typical path is C:\Users\username\Desktop.

      CSIDL_DRIVES

      The virtual folder representing My Computer that contains everything on the local computer: storage devices, printers, and Control Panel. The folder may also contain mapped network drives.

      CSIDL_FAVORITES

      The file-system directory that serves as a common repository for the user's favorites. A typical path is C:\Users\Username\Favorites.

      CSIDL_HISTORY

      The file-system directory that serves as a common repository for Internet history items.

      CSIDL_INTERNET

      A virtual folder for Internet Explorer.

      CSIDL_INTERNET_CACHE

      The file-system directory that serves as a common repository for temporary Internet files. A typical path is C:\Users\username\AppData\Local\Microsoft\Windows\Temporary Internet Files

      CSIDL_LOCAL_APPDATA

      The file-system directory that serves as a data repository for local, non-roaming applications. A typical path is C:\Users\username\AppData\Local.

      CSIDL_MYDOCUMENTS

      The virtual folder representing My Documents.A typical path is C:\Users\Username\Documents.

      CSIDL_MYMUSIC

      The file-system directory that serves as a common repository for music files. A typical path is C:\Users\Username\Music.

      CSIDL_MYPICTURES

      The file-system directory that serves as a common repository for image files. A typical path is C:\Users\Username\Pictures.

      CSIDL_MYVIDEO

      The file-system directory that serves as a common repository for video files. A typical path is C:\Users\Username\Videos.

      CSIDL_NETHOOD

      A file-system directory that contains the link objects that may exist in the My Network Places virtual folder. It is not the same as CSIDL_NETWORK, which represents the network namespace root. A typical path is C:\Users\Username\AppData\Roaming\Microsoft\Windows\Network Shortcuts.

      CSIDL_NETWORK

      A virtual folder representing My Network Places, the root of the network namespace hierarchy.

      CSIDL_PERSONAL

      The virtual folder representing the My Documents desktop item. This is equivalent to CSIDL_MYDOCUMENTS.

      -

      A typical path is C:\Documents and Settings\username\My Documents.

      CSIDL_PLAYLISTS

      The virtual folder used to store play albums, typically C:\Users\username\My Music\Playlists.

      CSIDL_PRINTERS

      The virtual folder that contains installed printers.

      CSIDL_PRINTHOOD

      The file-system directory that contains the link objects that can exist in the Printers virtual folder. A typical path is C:\Users\username\AppData\Roaming\Microsoft\Windows\Printer Shortcuts.

      CSIDL_PROFILE

      The user's profile folder. A typical path is C:\Users\Username.

      CSIDL_PROGRAMS

      The file-system directory that contains the user's program groups, which are themselves file-system directories. A typical path is C:\Users\Username\AppData\Roaming\Microsoft\Windows\Start Menu\Programs.

      CSIDL_RECENT

      The file-system directory that contains shortcuts to the user's most recently used documents. A typical path is C:\Users\Username\AppData\Roaming\Microsoft\Windows\Recent.

      CSIDL_SENDTO

      The file-system directory that contains Send To menu items. A typical path is C:\Users\username\AppData\Roaming\Microsoft\Windows\SendTo.

      CSIDL_STARTMENU

      The file-system directory that contains Start menu items. A typical path in Windows XP is C:\Documents and Settings\username\Start Menu. A typical path in Windows Vista, Windows 7, or Windows 8 is C:\Users\Username\AppData\Roaming\Microsoft\Windows\Start Menu.

      CSIDL_STARTUP

      The file-system directory that corresponds to the user's Startup program group. A typical path is C:\Users\Username\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup.

      CSIDL_TEMPLATES

      The file-system directory that serves as a common repository for document templates. A typical path is C:\Users\username\AppData\Roaming\Microsoft\Windows\Templates.

      HOMEPATH

      Same as the standard environment variable.

      TEMP

      The temporary folder on the computer. A typical path is %USERPROFILE%\AppData\Local\Temp.

      TMP

      The temporary folder on the computer. A typical path is %USERPROFILE%\AppData\Local\Temp.

      USERPROFILE

      Same as CSIDL_PROFILE.

      USERSID

      Represents the current user-account security identifier (SID). For example,

      -

      S-1-5-21-1714567821-1326601894-715345443-1026.

      - -  - -## Related topics - - -[USMT XML Reference](usmt-xml-reference.md) - -  - -  - - - - - +--- +title: Recognized Environment Variables (Windows 10) +description: Learn how to use environment variables to identify folders that may be different on different computers. +ms.assetid: 2b0ac412-e131-456e-8f0c-c26249b5f3df +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro +author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# Recognized Environment Variables + + +When using the XML files MigDocs.xml, MigApp.xml, and MigUser.xml, you can use environment variables to identify folders that may be different on different computers. Constant special item ID list (CSIDL) values provide a way to identify folders that applications use frequently but may not have the same name or location on any given computer. For example, the documents folder may be C:\\Users\\<Username>\\My Documents on one computer and C:\\Documents and Settings on another. You can use the asterisk (\*) wildcard character in MigUser.xml, MigApp.xml and MigDoc.xml files. However, you cannot use the asterisk (\*) wildcard characters in the Config.xml file. + +## In This Topic + + +- [Variables that are processed for the operating system and in the context of each user](#bkmk-1) + +- [Variables that are recognized only in the user context](#bkmk-2) + +## Variables that are processed for the operating system and in the context of each user + + +You can use these variables within sections in the .xml files with `context=UserAndSystem`, `context=User`, and `context=System`. 
+ + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      VariableExplanation

      ALLUSERSAPPDATA

      Same as CSIDL_COMMON_APPDATA.

      ALLUSERSPROFILE

      Refers to %PROFILESFOLDER%\Public or %PROFILESFOLDER%\all users.

      COMMONPROGRAMFILES

      Same as CSIDL_PROGRAM_FILES_COMMON.

      COMMONPROGRAMFILES(X86)

      Refers to the C:\Program Files (x86)\Common Files folder on 64-bit systems.

      CSIDL_COMMON_ADMINTOOLS

      Version 10.0. The file-system directory that contains administrative tools for all users of the computer.

      CSIDL_COMMON_ALTSTARTUP

      The file-system directory that corresponds to the non-localized Startup program group for all users.

      CSIDL_COMMON_APPDATA

      The file-system directory that contains application data for all users. A typical path Windows is C:\ProgramData.

      CSIDL_COMMON_DESKTOPDIRECTORY

      The file-system directory that contains files and folders that appear on the desktop for all users. A typical Windows® XP path is C:\Documents and Settings\All Users\Desktop. A typical path is C:\Users\Public\Desktop.

      CSIDL_COMMON_DOCUMENTS

      The file-system directory that contains documents that are common to all users. A typical path in Windows XP is C:\Documents and Settings\All Users\Documents. A typical path is C:\Users\Public\Documents.

      CSIDL_COMMON_FAVORITES

      The file-system directory that serves as a common repository for favorites common to all users. A typical path is C:\Users\Public\Favorites.

      CSIDL_COMMON_MUSIC

      The file-system directory that serves as a repository for music files common to all users. A typical path is C:\Users\Public\Music.

      CSIDL_COMMON_PICTURES

      The file-system directory that serves as a repository for image files common to all users. A typical path is C:\Users\Public\Pictures.

      CSIDL_COMMON_PROGRAMS

      The file-system directory that contains the directories for the common program groups that appear on the Start menu for all users. A typical path is C:\ProgramData\Microsoft\Windows\Start Menu\Programs.

      CSIDL_COMMON_STARTMENU

      The file-system directory that contains the programs and folders which appear on the Start menu for all users. A typical path in Windows is C:\ProgramData\Microsoft\Windows\Start Menu.

      CSIDL_COMMON_STARTUP

      The file-system directory that contains the programs that appear in the Startup folder for all users. A typical path in Windows XP is C:\Documents and Settings\All Users\Start Menu\Programs\Startup. A typical path is C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup.

      CSIDL_COMMON_TEMPLATES

      The file-system directory that contains the templates that are available to all users. A typical path is C:\ProgramData\Microsoft\Windows\Templates.

      CSIDL_COMMON_VIDEO

      The file-system directory that serves as a repository for video files common to all users. A typical path is C:\Users\Public\Videos.

      CSIDL_DEFAULT_APPDATA

      Refers to the Appdata folder inside %DEFAULTUSERPROFILE%.

      CSIDL_DEFAULT_LOCAL_APPDATA

      Refers to the local Appdata folder inside %DEFAULTUSERPROFILE%.

      CSIDL_DEFAULT_COOKIES

      Refers to the Cookies folder inside %DEFAULTUSERPROFILE%.

      CSIDL_DEFAULT_CONTACTS

      Refers to the Contacts folder inside %DEFAULTUSERPROFILE%.

      CSIDL_DEFAULT_DESKTOP

      Refers to the Desktop folder inside %DEFAULTUSERPROFILE%.

      CSIDL_DEFAULT_DOWNLOADS

      Refers to the Downloads folder inside %DEFAULTUSERPROFILE%.

      CSIDL_DEFAULT_FAVORITES

      Refers to the Favorites folder inside %DEFAULTUSERPROFILE%.

      CSIDL_DEFAULT_HISTORY

      Refers to the History folder inside %DEFAULTUSERPROFILE%.

      CSIDL_DEFAULT_INTERNET_CACHE

      Refers to the Internet Cache folder inside %DEFAULTUSERPROFILE%.

      CSIDL_DEFAULT_PERSONAL

      Refers to the Personal folder inside %DEFAULTUSERPROFILE%.

      CSIDL_DEFAULT_MYDOCUMENTS

      Refers to the My Documents folder inside %DEFAULTUSERPROFILE%.

      CSIDL_DEFAULT_MYPICTURES

      Refers to the My Pictures folder inside %DEFAULTUSERPROFILE%.

      CSIDL_DEFAULT_MYMUSIC

      Refers to the My Music folder inside %DEFAULTUSERPROFILE%.

      CSIDL_DEFAULT_MYVIDEO

      Refers to the My Videos folder inside %DEFAULTUSERPROFILE%.

      CSIDL_DEFAULT_RECENT

      Refers to the Recent folder inside %DEFAULTUSERPROFILE%.

      CSIDL_DEFAULT_SENDTO

      Refers to the Send To folder inside %DEFAULTUSERPROFILE%.

      CSIDL_DEFAULT_STARTMENU

      Refers to the Start Menu folder inside %DEFAULTUSERPROFILE%.

      CSIDL_DEFAULT_PROGRAMS

      Refers to the Programs folder inside %DEFAULTUSERPROFILE%.

      CSIDL_DEFAULT_STARTUP

      Refers to the Startup folder inside %DEFAULTUSERPROFILE%.

      CSIDL_DEFAULT_TEMPLATES

      Refers to the Templates folder inside %DEFAULTUSERPROFILE%.

      CSIDL_DEFAULT_QUICKLAUNCH

      Refers to the Quick Launch folder inside %DEFAULTUSERPROFILE%.

      CSIDL_FONTS

      A virtual folder containing fonts. A typical path is C:\Windows\Fonts.

      CSIDL_PROGRAM_FILESX86

      The Program Files folder on 64-bit systems. A typical path is C:\Program Files(86).

      CSIDL_PROGRAM_FILES_COMMONX86

      A folder for components that are shared across applications on 64-bit systems. A typical path is C:\Program Files(86)\Common.

      CSIDL_PROGRAM_FILES

      The Program Files folder. A typical path is C:\Program Files.

      CSIDL_PROGRAM_FILES_COMMON

      A folder for components that are shared across applications. A typical path is C:\Program Files\Common.

      CSIDL_RESOURCES

      The file-system directory that contains resource data. A typical path is C:\Windows\Resources.

      CSIDL_SYSTEM

      The Windows System folder. A typical path is C:\Windows\System32.

      CSIDL_WINDOWS

      The Windows directory or system root. This corresponds to the %WINDIR% or %SYSTEMROOT% environment variables. A typical path is C:\Windows.

      DEFAULTUSERPROFILE

      Refers to the value in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList [DefaultUserProfile].

      PROFILESFOLDER

      Refers to the value in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList [ProfilesDirectory].

      PROGRAMFILES

      Same as CSIDL_PROGRAM_FILES.

      PROGRAMFILES(X86)

      Refers to the C:\Program Files (x86) folder on 64-bit systems.

      SYSTEM

      Refers to %WINDIR%\system32.

      SYSTEM16

      Refers to %WINDIR%\system.

      SYSTEM32

      Refers to %WINDIR%\system32.

      SYSTEMPROFILE

      Refers to the value in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18 [ProfileImagePath].

      SYSTEMROOT

      Refers to the root of the system drive.

      WINDIR

      Refers to the Windows folder located on the system drive.

      + +  + +## Variables that are recognized only in the user context + + +You can use these variables in the .xml files within sections with `context=User` and `context=UserAndSystem`. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      VariableExplanation

      APPDATA

      Same as CSIDL_APPDATA.

      CSIDL_ADMINTOOLS

      The file-system directory that is used to store administrative tools for an individual user. The Microsoft® Management Console (MMC) saves customized consoles to this directory, which roams with the user profile.

      CSIDL_ALTSTARTUP

      The file-system directory that corresponds to the user's non-localized Startup program group.

      CSIDL_APPDATA

      The file-system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\username\Application Data or C:\Users\username\AppData\Roaming.

      CSIDL_BITBUCKET

      The virtual folder that contains the objects in the user's Recycle Bin.

      CSIDL_CDBURN_AREA

      The file-system directory acting as a staging area for files waiting to be written to CD. A typical path is C:\Users\username\AppData\Local\Microsoft\Windows\MasteredBurning\Disc Burning.

      CSIDL_CONNECTIONS

      The virtual folder representing Network Connections that contains network and dial-up connections.

      CSIDL_CONTACTS

      This refers to the Contacts folder in %CSIDL_PROFILE%.

      CSIDL_CONTROLS

      The virtual folder that contains icons for the Control Panel items.

      CSIDL_COOKIES

      The file-system directory that serves as a common repository for Internet cookies. A typical path is C:\Users\username\AppData\Roaming\Microsoft\Windows\Cookies.

      CSIDL_DESKTOP

      The virtual folder representing the Windows desktop.

      CSIDL_DESKTOPDIRECTORY

      The file-system directory used to physically store file objects on the desktop, which should not be confused with the desktop folder itself. A typical path is C:\Users\username\Desktop.

      CSIDL_DRIVES

      The virtual folder representing My Computer that contains everything on the local computer: storage devices, printers, and Control Panel. The folder may also contain mapped network drives.

      CSIDL_FAVORITES

      The file-system directory that serves as a common repository for the user's favorites. A typical path is C:\Users\Username\Favorites.

      CSIDL_HISTORY

      The file-system directory that serves as a common repository for Internet history items.

      CSIDL_INTERNET

      A virtual folder for Internet Explorer.

      CSIDL_INTERNET_CACHE

      The file-system directory that serves as a common repository for temporary Internet files. A typical path is C:\Users\username\AppData\Local\Microsoft\Windows\Temporary Internet Files

      CSIDL_LOCAL_APPDATA

      The file-system directory that serves as a data repository for local, non-roaming applications. A typical path is C:\Users\username\AppData\Local.

      CSIDL_MYDOCUMENTS

      The virtual folder representing My Documents.A typical path is C:\Users\Username\Documents.

      CSIDL_MYMUSIC

      The file-system directory that serves as a common repository for music files. A typical path is C:\Users\Username\Music.

      CSIDL_MYPICTURES

      The file-system directory that serves as a common repository for image files. A typical path is C:\Users\Username\Pictures.

      CSIDL_MYVIDEO

      The file-system directory that serves as a common repository for video files. A typical path is C:\Users\Username\Videos.

      CSIDL_NETHOOD

      A file-system directory that contains the link objects that may exist in the My Network Places virtual folder. It is not the same as CSIDL_NETWORK, which represents the network namespace root. A typical path is C:\Users\Username\AppData\Roaming\Microsoft\Windows\Network Shortcuts.

      CSIDL_NETWORK

      A virtual folder representing My Network Places, the root of the network namespace hierarchy.

      CSIDL_PERSONAL

      The virtual folder representing the My Documents desktop item. This is equivalent to CSIDL_MYDOCUMENTS.

      +

      A typical path is C:\Documents and Settings\username\My Documents.

      CSIDL_PLAYLISTS

      The virtual folder used to store play albums, typically C:\Users\username\My Music\Playlists.

      CSIDL_PRINTERS

      The virtual folder that contains installed printers.

      CSIDL_PRINTHOOD

      The file-system directory that contains the link objects that can exist in the Printers virtual folder. A typical path is C:\Users\username\AppData\Roaming\Microsoft\Windows\Printer Shortcuts.

      CSIDL_PROFILE

      The user's profile folder. A typical path is C:\Users\Username.

      CSIDL_PROGRAMS

      The file-system directory that contains the user's program groups, which are themselves file-system directories. A typical path is C:\Users\Username\AppData\Roaming\Microsoft\Windows\Start Menu\Programs.

      CSIDL_RECENT

      The file-system directory that contains shortcuts to the user's most recently used documents. A typical path is C:\Users\Username\AppData\Roaming\Microsoft\Windows\Recent.

      CSIDL_SENDTO

      The file-system directory that contains Send To menu items. A typical path is C:\Users\username\AppData\Roaming\Microsoft\Windows\SendTo.

      CSIDL_STARTMENU

      The file-system directory that contains Start menu items. A typical path in Windows XP is C:\Documents and Settings\username\Start Menu. A typical path in Windows Vista, Windows 7, or Windows 8 is C:\Users\Username\AppData\Roaming\Microsoft\Windows\Start Menu.

      CSIDL_STARTUP

      The file-system directory that corresponds to the user's Startup program group. A typical path is C:\Users\Username\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup.

      CSIDL_TEMPLATES

      The file-system directory that serves as a common repository for document templates. A typical path is C:\Users\username\AppData\Roaming\Microsoft\Windows\Templates.

      HOMEPATH

      Same as the standard environment variable.

      TEMP

      The temporary folder on the computer. A typical path is %USERPROFILE%\AppData\Local\Temp.

      TMP

      The temporary folder on the computer. A typical path is %USERPROFILE%\AppData\Local\Temp.

      USERPROFILE

      Same as CSIDL_PROFILE.

      USERSID

      Represents the current user-account security identifier (SID). For example,

      +

      S-1-5-21-1714567821-1326601894-715345443-1026.

      + +  + +## Related topics + + +[USMT XML Reference](usmt-xml-reference.md) + +  + +  + + + + + diff --git a/windows/deployment/usmt/usmt-reference.md b/windows/deployment/usmt/usmt-reference.md index c5bcd4193c..7e00f19577 100644 --- a/windows/deployment/usmt/usmt-reference.md +++ b/windows/deployment/usmt/usmt-reference.md @@ -1,77 +1,78 @@ ---- -title: User State Migration Toolkit (USMT) Reference (Windows 10) -description: User State Migration Toolkit (USMT) Reference -ms.assetid: 2135dbcf-de49-4cea-b2fb-97dd016e1a1a -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# User State Migration Toolkit (USMT) Reference - - -## In This Section - - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

      USMT Requirements

      Describes operating system, hardware, and software requirements, and user prerequisites.

      USMT Best Practices

      Discusses general and security-related best practices when using USMT.

      How USMT Works

      Learn about the processes behind the ScanState and LoadState tools.

      Plan Your Migration

      Choose what to migrate and the best migration scenario for your enterprise.

      User State Migration Tool (USMT) Command-line Syntax

      Explore command-line options for the ScanState, LoadState, and UsmtUtils tools.

      USMT XML Reference

      Learn about customizing a migration with XML files.

      Offline Migration Reference

      Find requirements, best practices, and other considerations for performing a migration offline.

      - - - -## Related topics - - -[User State Migration Tool (USMT) Overview Topics](usmt-topics.md) - -[User State Migration Tool (USMT) How-to topics](usmt-how-to.md) - -[User State Migration Tool (USMT) Troubleshooting](usmt-troubleshooting.md) - - - - - - - - - +--- +title: User State Migration Toolkit (USMT) Reference (Windows 10) +description: Use this User State Migration Toolkit (USMT) article to learn details about USMT, like operating system, hardware, and software requirements, and user prerequisites. +ms.assetid: 2135dbcf-de49-4cea-b2fb-97dd016e1a1a +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro +author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# User State Migration Toolkit (USMT) Reference + + +## In This Section + + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

      USMT Requirements

      Describes operating system, hardware, and software requirements, and user prerequisites.

      USMT Best Practices

      Discusses general and security-related best practices when using USMT.

      How USMT Works

      Learn about the processes behind the ScanState and LoadState tools.

      Plan Your Migration

      Choose what to migrate and the best migration scenario for your enterprise.

      User State Migration Tool (USMT) Command-line Syntax

      Explore command-line options for the ScanState, LoadState, and UsmtUtils tools.

      USMT XML Reference

      Learn about customizing a migration with XML files.

      Offline Migration Reference

      Find requirements, best practices, and other considerations for performing a migration offline.

      + + + +## Related topics + + +[User State Migration Tool (USMT) Overview Topics](usmt-topics.md) + +[User State Migration Tool (USMT) How-to topics](usmt-how-to.md) + +[User State Migration Tool (USMT) Troubleshooting](usmt-troubleshooting.md) + + + + + + + + + diff --git a/windows/deployment/usmt/usmt-reroute-files-and-settings.md b/windows/deployment/usmt/usmt-reroute-files-and-settings.md index 22f64e513e..facc5fef91 100644 --- a/windows/deployment/usmt/usmt-reroute-files-and-settings.md +++ b/windows/deployment/usmt/usmt-reroute-files-and-settings.md @@ -1,6 +1,6 @@ --- title: Reroute Files and Settings (Windows 10) -description: Reroute Files and Settings +description: Learn how to create a custom .xml file and specify this file name on both the ScanState and LoadState commandlines to reroute files and settings. ms.assetid: 905e6a24-922c-4549-9732-60fa11862a6c ms.reviewer: manager: laurawi diff --git a/windows/deployment/usmt/usmt-resources.md b/windows/deployment/usmt/usmt-resources.md index eaaa49a5d4..4866b61aaf 100644 --- a/windows/deployment/usmt/usmt-resources.md +++ b/windows/deployment/usmt/usmt-resources.md 
@@ -1,50 +1,51 @@
----
-title: USMT Resources (Windows 10)
-description: USMT Resources
-ms.assetid: a0b266c7-4bcb-49f1-b63c-48c6ace86b43
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro author: greg-lindsay
-ms.date: 04/19/2017
-ms.topic: article
----
-
-# USMT Resources
-
-
-## USMT Online Resources
-
-
-- [ADK Release Notes](https://msdn.microsoft.com/library/windows/hardware/dn927348.aspx)
-
-- Microsoft Visual Studio
-
- - You can use the User State Migration Tool (USMT) XML schema (the MigXML.xsd file) to validate the migration .xml files using an XML authoring tool such as Microsoft® Visual Studio®.
-
- For more information about how to use the schema with your XML authoring environment, see the environment’s documentation.
-
-- [Ask the Directory Services Team blog](https://go.microsoft.com/fwlink/p/?LinkId=226365)
-
-- Forums:
-
- - [Microsoft Deployment Toolkit](https://go.microsoft.com/fwlink/p/?LinkId=226386)
-
- - [Configuration Manager Operating System Deployment](https://go.microsoft.com/fwlink/p/?LinkId=226388)
-
-## Related topics
-
-
-[User State Migration Tool (USMT) Overview Topics](usmt-topics.md)
-
- 
-
- 
-
-
-
-
-
+---
+title: USMT Resources (Windows 10)
+description: Learn about User State Migration Tool (USMT) online resources, including Microsoft Visual Studio and forums.
+ms.assetid: a0b266c7-4bcb-49f1-b63c-48c6ace86b43
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.date: 04/19/2017
+ms.topic: article
+---
+
+# USMT Resources
+
+
+## USMT Online Resources
+
+
+- [ADK Release Notes](https://msdn.microsoft.com/library/windows/hardware/dn927348.aspx)
+
+- Microsoft Visual Studio
+
+ - You can use the User State Migration Tool (USMT) XML schema (the MigXML.xsd file) to validate the migration .xml files using an XML authoring tool such as Microsoft® Visual Studio®.
+
+ For more information about how to use the schema with your XML authoring environment, see the environment’s documentation.
+
+- [Ask the Directory Services Team blog](https://go.microsoft.com/fwlink/p/?LinkId=226365)
+
+- Forums:
+
+ - [Microsoft Deployment Toolkit](https://go.microsoft.com/fwlink/p/?LinkId=226386)
+
+ - [Configuration Manager Operating System Deployment](https://go.microsoft.com/fwlink/p/?LinkId=226388)
+
+## Related topics
+
+
+[User State Migration Tool (USMT) Overview Topics](usmt-topics.md)
+
+ 
+
+ 
+
+
+
+
+
diff --git a/windows/deployment/usmt/usmt-return-codes.md b/windows/deployment/usmt/usmt-return-codes.md
index c137197a5c..ba8e6da7c1 100644
--- a/windows/deployment/usmt/usmt-return-codes.md
+++ b/windows/deployment/usmt/usmt-return-codes.md
@@ -1,786 +1,787 @@ ---- -title: Return Codes (Windows 10) -description: Return Codes -ms.assetid: e71bbc6b-d5a6-4e48-ad01-af0012b35f22 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# Return Codes - - -This topic describes User State Migration Tool (USMT) 10.0 return codes and error messages. Also included is a table listing the USMT return codes with their associated mitigation steps. In addition, this topic provides tips to help you use the logfiles to determine why you received an error. - -Understanding the requirements for running USMT can help minimize errors in your USMT migrations. For more information, see [USMT Requirements](usmt-requirements.md). - -## In This Topic - - -[USMT Return Codes](#bkmk-returncodes) - -[USMT Error Messages](#bkmk-errormessages) - -[Troubleshooting Return Codes and Error Messages](#bkmk-tscodeserrors) - -## USMT Return Codes - - -If you encounter an error in your USMT migration, you can use return codes and the more specific information provided in the associated USMT error messages to troubleshoot the issue and to identify mitigation steps. - -Return codes are grouped into the following broad categories that describe their area of error reporting: - -Success or User Cancel - -Invalid Command Lines - -Setup and Initialization - -Non-fatal Errors - -Fatal Errors - -As a best practice, we recommend that you set verbosity level to 5, **/v**:5, on the **ScanState**, **LoadState**, and **USMTUtils** command lines so that the most detailed reporting is available in the respective USMT logs. You can use a higher verbosity level if you want the log files output to go to a debugger. - -## USMT Error Messages - - -Error messages provide more detailed information about the migration problem than the associated return code. 
For example, the **ScanState**, **LoadState**, or **USMTUtils** tool might return a code of "11” (for “USMT\_INVALID\_PARAMETERS") and a related error message that reads "/key and /keyfile both specified". The error message is displayed at the command prompt and is identified in the **ScanState**, **LoadState**, or **USMTUtils** log files to help you determine why the return code was received. - -You can obtain more information about any listed Windows application programming interface (API) system error codes by typing **net helpmsg** on the command line and, then typing the error code number. For more information about System Error Codes, see [this Microsoft Web site](https://go.microsoft.com/fwlink/p/?LinkId=147060). - -## Troubleshooting Return Codes and Error Messages - - -The following table lists each return code by numeric value, along with the associated error messages and suggested troubleshooting actions. - - ------- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Return code valueReturn codeError messageTroubleshooting, mitigation, workaroundsCategory

      0

      USMT_SUCCESS

      Successful run

      Not applicable

      Success or Cancel

      1

      USMT_DISPLAY_HELP

      Command line help requested

      Not applicable

      Success or Cancel

      2

      USMT_STATUS_CANCELED

      Gather was aborted because of an EFS file

      Not applicable

      User chose to cancel (such as pressing CTRL+C)

      Not applicable

      Success or Cancel

      3

      USMT_WOULD_HAVE_FAILED

      At least one error was skipped as a result of /c

      Review ScanState, LoadState, or UsmtUtils log for details about command-line errors.

      11

      USMT_INVALID_PARAMETERS

      /all conflicts with /ui, /ue or /uel

      Review ScanState log or LoadState log for details about command-line errors.

      /auto expects an optional parameter for the script folder

      Review ScanState log or LoadState log for details about command-line errors.

      /encrypt can't be used with /nocompress

      Review ScanState log or LoadState log for details about command-line errors.

      /encrypt requires /key or /keyfile

      Review ScanState log or LoadState log for details about command-line errors.

      /genconfig can't be used with most other options

      Review ScanState log or LoadState log for details about command-line errors.

      /genmigxml can't be used with most other options

      Review ScanState log or LoadState log for details about command-line errors.

      /hardlink requires /nocompress

      Review ScanState log or LoadState log for details about command-line errors.

      /key and /keyfile both specified

      Review ScanState log or LoadState log for details about command-line errors.

      /key or /keyfile used without enabling encryption

      Review ScanState log or LoadState log for details about command-line errors.

      /lae is only used with /lac

      Review ScanState log or LoadState log for details about command-line errors.

      /listfiles cannot be used with /p

      Review ScanState log or LoadState log for details about command-line errors.

      /offline requires a valid path to an XML file describing offline paths

      Review ScanState log or LoadState log for details about command-line errors.

      /offlinewindir requires a valid path to offline windows folder

      Review ScanState log or LoadState log for details about command-line errors.

      /offlinewinold requires a valid path to offline windows folder

      Review ScanState log or LoadState log for details about command-line errors.

      A command was already specified

      Verify that the command-line syntax is correct and that there are no duplicate commands.

      An option argument is missing

      Review ScanState log or LoadState log for details about command-line errors.

      An option is specified more than once and is ambiguous

      Review ScanState log or LoadState log for details about command-line errors.

      By default /auto selects all users and uses the highest log verbosity level. Switches like /all, /ui, /ue, /v are not allowed.

      Review ScanState log or LoadState log for details about command-line errors.

      Command line arguments are required. Specify /? for options.

      Review ScanState log or LoadState log for details about command-line errors.

      Command line option is not valid

      Review ScanState log or LoadState log for details about command-line errors.

      EFS parameter specified is not valid for /efs

      Review ScanState log or LoadState log for details about command-line errors.

      File argument is invalid for /genconfig

      Review ScanState log or LoadState log for details about command-line errors.

      File argument is invalid for /genmigxml

      Review ScanState log or LoadState log for details about command-line errors.

      Invalid space estimate path. Check the parameters and/or file system permissions

      Review ScanState log or LoadState log for details about command-line errors.

      List file path argument is invalid for /listfiles

      Review ScanState log or LoadState log for details about command-line errors.

      Retry argument must be an integer

      Review ScanState log or LoadState log for details about command-line errors.

      Settings store argument specified is invalid

      Review ScanState log or LoadState log for details about command-line errors. Make sure that the store path is accessible and that the proper permission levels are set.

      Specified encryption algorithm is not supported

      Review ScanState log or LoadState log for details about command-line errors.

      The /efs:hardlink requires /hardlink

      Review ScanState log or LoadState log for details about command-line errors.

      The /targetWindows7 option is only available for Windows XP, Windows Vista, and Windows 7

      Review ScanState log or LoadState log for details about command-line errors.

      The store parameter is required but not specified

      Review ScanState log or LoadState log for details about command-line errors.

      The source-to-target domain mapping is invalid for /md

      Review ScanState log or LoadState log for details about command-line errors.

      The source-to-target user account mapping is invalid for /mu

      Review ScanState log or LoadState log for details about command-line errors.

      Undefined or incomplete command line option

      Review ScanState log or LoadState log for details about command-line errors.

      Invalid Command Lines

      Use /nocompress, or provide an XML file path with /p"pathtoafile" to get a compressed store size estimate

      Review ScanState log or LoadState log for details about command-line errors.

      User exclusion argument is invalid

      Review ScanState log or LoadState log for details about command-line errors.

      Verbosity level must be specified as a sum of the desired log options: Verbose (0x01), Record Objects (0x04), Echo to debug port (0x08)

      Review ScanState log or LoadState log for details about command-line errors.

      Volume shadow copy feature is not supported with a hardlink store

      Review ScanState log or LoadState log for details about command-line errors.

      Wait delay argument must be an integer

      Review ScanState log or LoadState log for details about command-line errors.

      12

      USMT_ERROR_OPTION_PARAM_TOO_LARGE

      Command line arguments cannot exceed 256 characters

      Review ScanState log or LoadState log for details about command-line errors.

      Invalid Command Lines

      Specified settings store path exceeds the maximum allowed length of 256 characters

      Review ScanState log or LoadState log for details about command-line errors.

      13

      USMT_INIT_LOGFILE_FAILED

      Log path argument is invalid for /l

      When /l is specified in the ScanState command line, USMT validates the path. Verify that the drive and other information, for example file system characters, are correct.

      Invalid Command Lines

      14

      USMT_ERROR_USE_LAC

      Unable to create a local account because /lac was not specified

      When creating local accounts, the command-line options /lac and /lae should be used.

      Invalid Command Lines

      26

      USMT_INIT_ERROR

      Multiple Windows installations found

      Listfiles.txt could not be created. Verify that the location you specified for the creation of this file is valid.

      Setup and Initialization

      Software malfunction or unknown exception

      Check all loaded .xml files for errors, common error when using /I to load the Config.xml file.

      Unable to find a valid Windows directory to proceed with requested offline operation; Check if offline input file is present and has valid entries

      Verify that the offline input file is present and that it has valid entries. USMT could not find valid offline operating system. Verify your offline directory mapping.

      27

      USMT_INVALID_STORE_LOCATION

      A store path can't be used because an existing store exists; specify /o to overwrite

      Specify /o to overwrite an existing intermediate or migration store.

      Setup and Initialization

      A store path is missing or has incomplete data

      Make sure that the store path is accessible and that the proper permission levels are set.

      An error occurred during store creation

      Make sure that the store path is accessible and that the proper permission levels are set. Specify /o to overwrite an existing intermediate or migration store.

      An inappropriate device such as a floppy disk was specified for the store

      Make sure that the store path is accessible and that the proper permission levels are set.

      Invalid store path; check the store parameter and/or file system permissions

      Invalid store path; check the store parameter and/or file system permissions

      The file layout and/or file content is not recognized as a valid store

      Make sure that the store path is accessible and that the proper permission levels are set. Specify /o to overwrite an existing intermediate or migration store.

      The store path holds a store incompatible with the current USMT version

      Make sure that the store path is accessible and that the proper permission levels are set.

      The store save location is read-only or does not support a requested storage option

      Make sure that the store path is accessible and that the proper permission levels are set.

      28

      USMT_UNABLE_GET_SCRIPTFILES

      Script file is invalid for /i

      Check all specified migration .xml files for errors. This is a common error when using /i to load the Config.xml file.

      Setup and Initialization

      Unable to find a script file specified by /i

      Verify the location of your script files, and ensure that the command-line options are correct.

      29

      USMT_FAILED_MIGSTARTUP

      A minimum of 250 MB of free space is required for temporary files

      Verify that the system meets the minimum temporary disk space requirement of 250 MB. As a workaround, you can set the environment variable USMT_WORKING_DIR=<path> to redirect the temporary files working directory.

      Setup and Initialization

      Another process is preventing migration; only one migration tool can run at a time

      Check the ScanState log file for migration .xml file errors.

      Failed to start main processing, look in log for system errors or check the installation

      Check the ScanState log file for migration .xml file errors.

      Migration failed because of an XML error; look in the log for specific details

      Check the ScanState log file for migration .xml file errors.

      Unable to automatically map the drive letters to match the online drive letter layout; Use /offline to provide a mapping table

      Check the ScanState log file for migration .xml file errors.

      31

      USMT_UNABLE_FINDMIGUNITS

      An error occurred during the discover phase; the log should have more specific information

      Check the ScanState log file for migration .xml file errors.

      Setup and Initialization

      32

      USMT_FAILED_SETMIGRATIONTYPE

      An error occurred processing the migration system

      Check the ScanState log file for migration .xml file errors, or use online Help by typing /? on the command line.

      Setup and Initialization

      33

      USMT_UNABLE_READKEY

      Error accessing the file specified by the /keyfile parameter

      Check the ScanState log file for migration .xml file errors, or use online Help by typing /? on the command line.

      Setup and Initialization

      The encryption key must have at least one character

      Check the ScanState log file for migration .xml file errors, or use online Help by typing /? on the command line.

      34

      USMT_ERROR_INSUFFICIENT_RIGHTS

      Directory removal requires elevated privileges

      Log on as Administrator, and run with elevated privileges.

      Setup and Initialization

      No rights to create user profiles; log in as Administrator; run with elevated privileges

      Log on as Administrator, and run with elevated privileges.

      No rights to read or delete user profiles; log in as Administrator, run with elevated privileges

      Log on as Administrator, and run with elevated privileges.

      35

      USMT_UNABLE_DELETE_STORE

      A reboot is required to remove the store

      Reboot to delete any files that could not be deleted when the command was executed.

      Setup and Initialization

      A store path can't be used because it contains data that could not be overwritten

      A migration store could not be deleted. If you are using a hardlink migration store you might have a locked file in it. You should manually delete the store, or use USMTUtils /rd command to delete the store.

      There was an error removing the store

      Review ScanState log or LoadState log for details about command-line errors.

      36

      USMT_ERROR_UNSUPPORTED_PLATFORM

      Compliance check failure; please check the logs for details

      Investigate whether there is an active temporary profile on the system.

      Setup and Initialization

      Use of /offline is not supported during apply

      The /offline command was not used while running in the Windows Preinstallation Environment (WinPE).

      Use /offline to run gather on this platform

      The /offline command was not used while running in WinPE.

      37

      USMT_ERROR_NO_INVALID_KEY

      The store holds encrypted data but the correct encryption key was not provided

      Verify that you have included the correct encryption /key or /keyfile.

      Setup and Initialization

      38

      USMT_ERROR_CORRUPTED_NOTENCRYPTED_STORE

      An error occurred during store access

      Review ScanState log or LoadState log for details about command-line errors. Make sure that the store path is accessible and that the proper permission levels are set.

      Setup and Initialization

      39

      USMT_UNABLE_TO_READ_CONFIG_FILE

      Error reading Config.xml

      Review ScanState log or LoadState log for details about command-line errors in the Config.xml file.

      Setup and Initialization

      File argument is invalid for /config

      Check the command line you used to load the Config.xml file. You can use online Help by typing /? on the command line.

      40

      USMT_ERROR_UNABLE_CREATE_PROGRESS_LOG

      Error writing to the progress log

      The Progress log could not be created. Verify that the location is valid and that you have write access.

      Setup and Initialization

      Progress log argument is invalid for /progress

      The Progress log could not be created. Verify that the location is valid and that you have write access.

      41

      USMT_PREFLIGHT_FILE_CREATION_FAILED

      Can't overwrite existing file

      The Progress log could not be created. Verify that the location is valid and that you have write access.

      Setup and Initialization

      Invalid space estimate path. Check the parameters and/or file system permissions

      Review ScanState log or LoadState log for details about command-line errors.

      42

      USMT_ERROR_CORRUPTED_STORE

      The store contains one or more corrupted files

      Review UsmtUtils log for details about the corrupted files. For information on how to extract the files that are not corrupted, see Extract Files from a Compressed USMT Migration Store.

      61

      USMT_MIGRATION_STOPPED_NONFATAL

      Processing stopped due to an I/O error

      USMT exited but can continue with the /c command-line option, with the optional configurable <ErrorControl> section or by using the /vsc command-line option.

      Non-fatal Errors

      71

      USMT_INIT_OPERATING_ENVIRONMENT_FAILED

      A Windows Win32 API error occurred

      Data transfer has begun, and there was an error during the creation of migration store or during the apply phase. Review the ScanState log or LoadState log for details.

      Fatal Errors

      An error occurred when attempting to initialize the diagnostic mechanisms such as the log

      Data transfer has begun, and there was an error during the creation of migration store or during the apply phase. Review the ScanState log or LoadState log for details.

      Failed to record diagnostic information

      Data transfer has begun, and there was an error during the creation of migration store or during the apply phase. Review the ScanState log or LoadState log for details.

      Unable to start. Make sure you are running USMT with elevated privileges

      Exit USMT and log in again with elevated privileges.

      72

      USMT_UNABLE_DOMIGRATION

      An error occurred closing the store

      Data transfer has begun, and there was an error during migration-store creation or during the apply phase. Review the ScanState log or LoadState log for details.

      Fatal Errors

      An error occurred in the apply process

      Data transfer has begun, and there was an error during migration-store creation or during the apply phase. Review the ScanState log or LoadState log for details.

      An error occurred in the gather process

      Data transfer has begun, and there was an error during migration-store creation or during the apply phase. Review the ScanState log or LoadState log for details.

      Out of disk space while writing the store

      Data transfer has begun, and there was an error during migration-store creation or during the apply phase. Review the ScanState log or LoadState log for details.

      Out of temporary disk space on the local system

      Data transfer has begun, and there was an error during migration-store creation or during the apply phase. Review the ScanState log or LoadState log for details.

      - - - -## Related topics - - -[User State Migration Tool (USMT) Troubleshooting](usmt-troubleshooting.md) - -[Log Files](usmt-log-files.md) - - - - - - - - - +--- +title: Return Codes (Windows 10) +description: Learn about User State Migration Tool (USMT) 10.0 return codes and error messages. Also view a list of USMT return codes and their associated migration steps. +ms.assetid: e71bbc6b-d5a6-4e48-ad01-af0012b35f22 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro +author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# Return Codes + + +This topic describes User State Migration Tool (USMT) 10.0 return codes and error messages. Also included is a table listing the USMT return codes with their associated mitigation steps. In addition, this topic provides tips to help you use the logfiles to determine why you received an error. + +Understanding the requirements for running USMT can help minimize errors in your USMT migrations. For more information, see [USMT Requirements](usmt-requirements.md). + +## In This Topic + + +[USMT Return Codes](#bkmk-returncodes) + +[USMT Error Messages](#bkmk-errormessages) + +[Troubleshooting Return Codes and Error Messages](#bkmk-tscodeserrors) + +## USMT Return Codes + + +If you encounter an error in your USMT migration, you can use return codes and the more specific information provided in the associated USMT error messages to troubleshoot the issue and to identify mitigation steps. + +Return codes are grouped into the following broad categories that describe their area of error reporting: + +Success or User Cancel + +Invalid Command Lines + +Setup and Initialization + +Non-fatal Errors + +Fatal Errors + +As a best practice, we recommend that you set verbosity level to 5, **/v**:5, on the **ScanState**, **LoadState**, and **USMTUtils** command lines so that the most detailed reporting is available in the respective USMT logs. 
You can use a higher verbosity level if you want the log files output to go to a debugger. + +## USMT Error Messages + + +Error messages provide more detailed information about the migration problem than the associated return code. For example, the **ScanState**, **LoadState**, or **USMTUtils** tool might return a code of "11” (for “USMT\_INVALID\_PARAMETERS") and a related error message that reads "/key and /keyfile both specified". The error message is displayed at the command prompt and is identified in the **ScanState**, **LoadState**, or **USMTUtils** log files to help you determine why the return code was received. + +You can obtain more information about any listed Windows application programming interface (API) system error codes by typing **net helpmsg** on the command line and, then typing the error code number. For more information about System Error Codes, see [this Microsoft Web site](https://go.microsoft.com/fwlink/p/?LinkId=147060). + +## Troubleshooting Return Codes and Error Messages + + +The following table lists each return code by numeric value, along with the associated error messages and suggested troubleshooting actions. 
+ + +++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Return code valueReturn codeError messageTroubleshooting, mitigation, workaroundsCategory

      0

      USMT_SUCCESS

      Successful run

      Not applicable

      Success or Cancel

      1

      USMT_DISPLAY_HELP

      Command line help requested

      Not applicable

      Success or Cancel

      2

      USMT_STATUS_CANCELED

      Gather was aborted because of an EFS file

      Not applicable

      User chose to cancel (such as pressing CTRL+C)

      Not applicable

      Success or Cancel

      3

      USMT_WOULD_HAVE_FAILED

      At least one error was skipped as a result of /c

      Review ScanState, LoadState, or UsmtUtils log for details about command-line errors.

      11

      USMT_INVALID_PARAMETERS

      /all conflicts with /ui, /ue or /uel

      Review ScanState log or LoadState log for details about command-line errors.

      /auto expects an optional parameter for the script folder

      Review ScanState log or LoadState log for details about command-line errors.

      /encrypt can't be used with /nocompress

      Review ScanState log or LoadState log for details about command-line errors.

      /encrypt requires /key or /keyfile

      Review ScanState log or LoadState log for details about command-line errors.

      /genconfig can't be used with most other options

      Review ScanState log or LoadState log for details about command-line errors.

      /genmigxml can't be used with most other options

      Review ScanState log or LoadState log for details about command-line errors.

      /hardlink requires /nocompress

      Review ScanState log or LoadState log for details about command-line errors.

      /key and /keyfile both specified

      Review ScanState log or LoadState log for details about command-line errors.

      /key or /keyfile used without enabling encryption

      Review ScanState log or LoadState log for details about command-line errors.

      /lae is only used with /lac

      Review ScanState log or LoadState log for details about command-line errors.

      /listfiles cannot be used with /p

      Review ScanState log or LoadState log for details about command-line errors.

      /offline requires a valid path to an XML file describing offline paths

      Review ScanState log or LoadState log for details about command-line errors.

      /offlinewindir requires a valid path to offline windows folder

      Review ScanState log or LoadState log for details about command-line errors.

      /offlinewinold requires a valid path to offline windows folder

      Review ScanState log or LoadState log for details about command-line errors.

      A command was already specified

      Verify that the command-line syntax is correct and that there are no duplicate commands.

      An option argument is missing

      Review ScanState log or LoadState log for details about command-line errors.

      An option is specified more than once and is ambiguous

      Review ScanState log or LoadState log for details about command-line errors.

      By default /auto selects all users and uses the highest log verbosity level. Switches like /all, /ui, /ue, /v are not allowed.

      Review ScanState log or LoadState log for details about command-line errors.

      Command line arguments are required. Specify /? for options.

      Review ScanState log or LoadState log for details about command-line errors.

      Command line option is not valid

      Review ScanState log or LoadState log for details about command-line errors.

      EFS parameter specified is not valid for /efs

      Review ScanState log or LoadState log for details about command-line errors.

      File argument is invalid for /genconfig

      Review ScanState log or LoadState log for details about command-line errors.

      File argument is invalid for /genmigxml

      Review ScanState log or LoadState log for details about command-line errors.

      Invalid space estimate path. Check the parameters and/or file system permissions

      Review ScanState log or LoadState log for details about command-line errors.

      List file path argument is invalid for /listfiles

      Review ScanState log or LoadState log for details about command-line errors.

      Retry argument must be an integer

      Review ScanState log or LoadState log for details about command-line errors.

      Settings store argument specified is invalid

      Review ScanState log or LoadState log for details about command-line errors. Make sure that the store path is accessible and that the proper permission levels are set.

      Specified encryption algorithm is not supported

      Review ScanState log or LoadState log for details about command-line errors.

      The /efs:hardlink requires /hardlink

      Review ScanState log or LoadState log for details about command-line errors.

      The /targetWindows7 option is only available for Windows XP, Windows Vista, and Windows 7

      Review ScanState log or LoadState log for details about command-line errors.

      The store parameter is required but not specified

      Review ScanState log or LoadState log for details about command-line errors.

      The source-to-target domain mapping is invalid for /md

      Review ScanState log or LoadState log for details about command-line errors.

      The source-to-target user account mapping is invalid for /mu

      Review ScanState log or LoadState log for details about command-line errors.

      Undefined or incomplete command line option

      Review ScanState log or LoadState log for details about command-line errors.

      Invalid Command Lines

      Use /nocompress, or provide an XML file path with /p"pathtoafile" to get a compressed store size estimate

      Review ScanState log or LoadState log for details about command-line errors.

      User exclusion argument is invalid

      Review ScanState log or LoadState log for details about command-line errors.

      Verbosity level must be specified as a sum of the desired log options: Verbose (0x01), Record Objects (0x04), Echo to debug port (0x08)

      Review ScanState log or LoadState log for details about command-line errors.

      Volume shadow copy feature is not supported with a hardlink store

      Review ScanState log or LoadState log for details about command-line errors.

      Wait delay argument must be an integer

      Review ScanState log or LoadState log for details about command-line errors.

      12

      USMT_ERROR_OPTION_PARAM_TOO_LARGE

      Command line arguments cannot exceed 256 characters

      Review ScanState log or LoadState log for details about command-line errors.

      Invalid Command Lines

      Specified settings store path exceeds the maximum allowed length of 256 characters

      Review ScanState log or LoadState log for details about command-line errors.

      13

      USMT_INIT_LOGFILE_FAILED

      Log path argument is invalid for /l

      When /l is specified in the ScanState command line, USMT validates the path. Verify that the drive and other information, for example file system characters, are correct.

      Invalid Command Lines

      14

      USMT_ERROR_USE_LAC

      Unable to create a local account because /lac was not specified

      When creating local accounts, the command-line options /lac and /lae should be used.

      Invalid Command Lines

      26

      USMT_INIT_ERROR

      Multiple Windows installations found

      Listfiles.txt could not be created. Verify that the location you specified for the creation of this file is valid.

      Setup and Initialization

      Software malfunction or unknown exception

      Check all loaded .xml files for errors, common error when using /I to load the Config.xml file.

      Unable to find a valid Windows directory to proceed with requested offline operation; Check if offline input file is present and has valid entries

      Verify that the offline input file is present and that it has valid entries. USMT could not find valid offline operating system. Verify your offline directory mapping.

      27

      USMT_INVALID_STORE_LOCATION

      A store path can't be used because an existing store exists; specify /o to overwrite

      Specify /o to overwrite an existing intermediate or migration store.

      Setup and Initialization

      A store path is missing or has incomplete data

      Make sure that the store path is accessible and that the proper permission levels are set.

      An error occurred during store creation

      Make sure that the store path is accessible and that the proper permission levels are set. Specify /o to overwrite an existing intermediate or migration store.

      An inappropriate device such as a floppy disk was specified for the store

      Make sure that the store path is accessible and that the proper permission levels are set.

      Invalid store path; check the store parameter and/or file system permissions

      Invalid store path; check the store parameter and/or file system permissions

      The file layout and/or file content is not recognized as a valid store

      Make sure that the store path is accessible and that the proper permission levels are set. Specify /o to overwrite an existing intermediate or migration store.

      The store path holds a store incompatible with the current USMT version

      Make sure that the store path is accessible and that the proper permission levels are set.

      The store save location is read-only or does not support a requested storage option

      Make sure that the store path is accessible and that the proper permission levels are set.

      28

      USMT_UNABLE_GET_SCRIPTFILES

      Script file is invalid for /i

      Check all specified migration .xml files for errors. This is a common error when using /i to load the Config.xml file.

      Setup and Initialization

      Unable to find a script file specified by /i

      Verify the location of your script files, and ensure that the command-line options are correct.

      29

      USMT_FAILED_MIGSTARTUP

      A minimum of 250 MB of free space is required for temporary files

      Verify that the system meets the minimum temporary disk space requirement of 250 MB. As a workaround, you can set the environment variable USMT_WORKING_DIR=<path> to redirect the temporary files working directory.

      Setup and Initialization

      Another process is preventing migration; only one migration tool can run at a time

      Check the ScanState log file for migration .xml file errors.

      Failed to start main processing, look in log for system errors or check the installation

      Check the ScanState log file for migration .xml file errors.

      Migration failed because of an XML error; look in the log for specific details

      Check the ScanState log file for migration .xml file errors.

      Unable to automatically map the drive letters to match the online drive letter layout; Use /offline to provide a mapping table

      Check the ScanState log file for migration .xml file errors.

      31

      USMT_UNABLE_FINDMIGUNITS

      An error occurred during the discover phase; the log should have more specific information

      Check the ScanState log file for migration .xml file errors.

      Setup and Initialization

      32

      USMT_FAILED_SETMIGRATIONTYPE

      An error occurred processing the migration system

      Check the ScanState log file for migration .xml file errors, or use online Help by typing /? on the command line.

      Setup and Initialization

      33

      USMT_UNABLE_READKEY

      Error accessing the file specified by the /keyfile parameter

      Check the ScanState log file for migration .xml file errors, or use online Help by typing /? on the command line.

      Setup and Initialization

      The encryption key must have at least one character

      Check the ScanState log file for migration .xml file errors, or use online Help by typing /? on the command line.

      34

      USMT_ERROR_INSUFFICIENT_RIGHTS

      Directory removal requires elevated privileges

      Log on as Administrator, and run with elevated privileges.

      Setup and Initialization

      No rights to create user profiles; log in as Administrator; run with elevated privileges

      Log on as Administrator, and run with elevated privileges.

      No rights to read or delete user profiles; log in as Administrator, run with elevated privileges

      Log on as Administrator, and run with elevated privileges.

      35

      USMT_UNABLE_DELETE_STORE

      A reboot is required to remove the store

      Reboot to delete any files that could not be deleted when the command was executed.

      Setup and Initialization

      A store path can't be used because it contains data that could not be overwritten

      A migration store could not be deleted. If you are using a hardlink migration store you might have a locked file in it. You should manually delete the store, or use USMTUtils /rd command to delete the store.

      There was an error removing the store

      Review ScanState log or LoadState log for details about command-line errors.

      36

      USMT_ERROR_UNSUPPORTED_PLATFORM

      Compliance check failure; please check the logs for details

      Investigate whether there is an active temporary profile on the system.

      Setup and Initialization

      Use of /offline is not supported during apply

      The /offline command was not used while running in the Windows Preinstallation Environment (WinPE).

      Use /offline to run gather on this platform

      The /offline command was not used while running in WinPE.

      37

      USMT_ERROR_NO_INVALID_KEY

      The store holds encrypted data but the correct encryption key was not provided

      Verify that you have included the correct encryption /key or /keyfile.

      Setup and Initialization

      38

      USMT_ERROR_CORRUPTED_NOTENCRYPTED_STORE

      An error occurred during store access

      Review ScanState log or LoadState log for details about command-line errors. Make sure that the store path is accessible and that the proper permission levels are set.

      Setup and Initialization

      39

      USMT_UNABLE_TO_READ_CONFIG_FILE

      Error reading Config.xml

      Review ScanState log or LoadState log for details about command-line errors in the Config.xml file.

      Setup and Initialization

      File argument is invalid for /config

      Check the command line you used to load the Config.xml file. You can use online Help by typing /? on the command line.

      40

      USMT_ERROR_UNABLE_CREATE_PROGRESS_LOG

      Error writing to the progress log

      The Progress log could not be created. Verify that the location is valid and that you have write access.

      Setup and Initialization

      Progress log argument is invalid for /progress

      The Progress log could not be created. Verify that the location is valid and that you have write access.

      41

      USMT_PREFLIGHT_FILE_CREATION_FAILED

      Can't overwrite existing file

      The Progress log could not be created. Verify that the location is valid and that you have write access.

      Setup and Initialization

      Invalid space estimate path. Check the parameters and/or file system permissions

      Review ScanState log or LoadState log for details about command-line errors.

      42

      USMT_ERROR_CORRUPTED_STORE

      The store contains one or more corrupted files

      Review UsmtUtils log for details about the corrupted files. For information on how to extract the files that are not corrupted, see Extract Files from a Compressed USMT Migration Store.

      61

      USMT_MIGRATION_STOPPED_NONFATAL

      Processing stopped due to an I/O error

      USMT exited but can continue with the /c command-line option, with the optional configurable <ErrorControl> section or by using the /vsc command-line option.

      Non-fatal Errors

      71

      USMT_INIT_OPERATING_ENVIRONMENT_FAILED

      A Windows Win32 API error occurred

      Data transfer has begun, and there was an error during the creation of migration store or during the apply phase. Review the ScanState log or LoadState log for details.

      Fatal Errors

      An error occurred when attempting to initialize the diagnostic mechanisms such as the log

      Data transfer has begun, and there was an error during the creation of migration store or during the apply phase. Review the ScanState log or LoadState log for details.

      Failed to record diagnostic information

      Data transfer has begun, and there was an error during the creation of migration store or during the apply phase. Review the ScanState log or LoadState log for details.

      Unable to start. Make sure you are running USMT with elevated privileges

      Exit USMT and log in again with elevated privileges.

      72

      USMT_UNABLE_DOMIGRATION

      An error occurred closing the store

      Data transfer has begun, and there was an error during migration-store creation or during the apply phase. Review the ScanState log or LoadState log for details.

      Fatal Errors

      An error occurred in the apply process

      Data transfer has begun, and there was an error during migration-store creation or during the apply phase. Review the ScanState log or LoadState log for details.

      An error occurred in the gather process

      Data transfer has begun, and there was an error during migration-store creation or during the apply phase. Review the ScanState log or LoadState log for details.

      Out of disk space while writing the store

      Data transfer has begun, and there was an error during migration-store creation or during the apply phase. Review the ScanState log or LoadState log for details.

      Out of temporary disk space on the local system

      Data transfer has begun, and there was an error during migration-store creation or during the apply phase. Review the ScanState log or LoadState log for details.

      +
+
+
+## Related topics
+
+
+[User State Migration Tool (USMT) Troubleshooting](usmt-troubleshooting.md)
+
+[Log Files](usmt-log-files.md)
+
+
+
+
+
+
+
+
+
diff --git a/windows/deployment/usmt/usmt-scanstate-syntax.md b/windows/deployment/usmt/usmt-scanstate-syntax.md
index 83afe8628b..95c2a5e5ba 100644
--- a/windows/deployment/usmt/usmt-scanstate-syntax.md
+++ b/windows/deployment/usmt/usmt-scanstate-syntax.md
@@ -1,873 +1,862 @@ ---- -title: ScanState Syntax (Windows 10) -description: ScanState Syntax -ms.assetid: 004c755f-33db-49e4-8a3b-37beec1480ea -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# ScanState Syntax - - -The ScanState command is used with the User State Migration Tool (USMT) 10.0 to scan the source computer, collect the files and settings, and create a store. - -## In This Topic - - -[Before You Begin](#bkmk-beforeyoubegin) - -[Syntax](#bkmk-syntax) - -[Storage Options](#bkmk-storageoptions) - -[Migration Rule Options](#bkmk-migrationruleoptions) - -[Monitoring Options](#bkmk-monitoringoptions) - -[User Options](#bkmk-useroptions) - -[Encrypted File Options](#bkmk-efs) - -[Incompatible Command-Line Options](#bkmk-iclo) - -## Before You Begin - - -Before you run the **ScanState** command, note the following: - -- To ensure that all operating system settings migrate, in most cases you must run the **ScanState** commands in administrator mode from an account with administrative credentials. - -- If you encrypt the migration store, you will be required to enter an encryption key or a path to a file containing the encryption key. Be sure to make note of the key or the key file location, because this information is not kept anywhere in the migration store. You will need this information when you run the LoadState command to decrypt the migration store, or if you need to run the recovery utility. An incorrect or missing key or key file results in an error message. - -- For information about software requirements for running the **ScanState** command, see [USMT Requirements](usmt-requirements.md). - -- Unless otherwise noted, you can use each option only once when running a tool on the command line. - -- You can gather domain accounts without the source computer having domain controller access. 
This functionality is available without any additional configuration. - -- The [Incompatible Command-Line Options](#bkmk-iclo) table lists which options you can use together and which command-line options are incompatible. - -- The directory location where you save the migration store will be excluded from the scan. For example, if you save the migration store to the root of the D drive, the D drive and all of its subdirectories will be excluded from the scan. - -## Syntax - - -This section explains the syntax and usage of the **ScanState** command-line options. The options can be specified in any order. If the option contains a parameter, you can use either a colon or a space separator. - -The **ScanState** command's syntax is: - -scanstate \[*StorePath*\] \[/apps\] \[/ppkg:*FileName*\] \[/i:\[*Path*\\\]*FileName*\] \[/o\] \[/v:*VerbosityLevel*\] \[/nocompress\] \[/localonly\] \[/encrypt /key:*KeyString*|/keyfile:\[Path\\\]*FileName*\] \[/l:\[*Path*\\\]*FileName*\] \[/progress:\[*Path*\\\]*FileName*\] \[/r:*TimesToRetry*\] \[/w:*SecondsBeforeRetry*\] \[/c\] \[/p\] \[/all\] \[/ui:\[*DomainName*|*ComputerName*\\\]*UserName*\] \[/ue:\[*DomainName*|*ComputerName*\\\]*UserName*\] \[/uel:*NumberOfDays*|*YYYY/MM/DD*|0\] \[/efs:abort|skip|decryptcopy|copyraw\] \[/genconfig:\[*Path*\\\]*FileName*\[/config:\[*Path*\\\]*FileName*\] \[/?|help\] - -For example: - -To create a Config.xml file in the current directory, use: - -`scanstate /i:migapp.xml /i:migdocs.xml /genconfig:config.xml /v:13` - -To create an encrypted store using the Config.xml file and the default migration .xml files, use: - -`scanstate \\server\share\migration\mystore /i:migapp.xml /i:migdocs.xml /o /config:config.xml /v:13 /encrypt /key:"mykey"` - -## Storage Options - - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Command-Line OptionDescription

      StorePath

      Indicates a folder where files and settings will be saved. Note that StorePath cannot be C:\. You must specify the StorePath option in the ScanState command, except when using the /genconfig option. You cannot specify more than one StorePath location.

      /apps

      Scans the image for apps and includes them and their associated registry settings.

      /ppkg [<FileName>]

      Exports to a specific file location.

      /o

      Required to overwrite any existing data in the migration store or Config.xml file. If not specified, the ScanState command will fail if the migration store already contains data. You cannot use this option more than once on a command line.

      /vsc

      This option enables the volume shadow-copy service to migrate files that are locked or in use. This command-line option eliminates most file-locking errors that are typically encountered by the <ErrorControl> section.

      -

      This option can be used only with the ScanState executable file and cannot be combined with the /hardlink option.

      /hardlink

      Enables the creation of a hard-link migration store at the specified location. The /nocompress option must be specified with the /hardlink option.

      /encrypt [{/key:<KeyString> | /keyfile:<file>]}

      Encrypts the store with the specified key. Encryption is disabled by default. With this option, you will need to specify the encryption key in one of the following ways:

      -
        -
      • /key:KeyString specifies the encryption key. If there is a space in KeyString, you will need to surround KeyString with quotation marks.

      • -
      • /keyfile:FilePathAndName specifies a text (.txt) file that contains the encryption key.

      • -
      -

      We recommend that KeyString be at least eight characters long, but it cannot exceed 256 characters. The /key and /keyfile options cannot be used on the same command line. The /encrypt and /nocompress options cannot be used on the same command line.

      -
      -Important

      You should use caution with this option, because anyone who has access to the ScanState command-line script will also have access to the encryption key.

      -
      -
      - -
      -

      The following example shows the ScanState command and the /key option:

      -

      scanstate /i:migdocs.xml /i:migapp.xml \server\share\migration\mystore /encrypt /key:mykey

      /encrypt:<EncryptionStrength>

      The /encrypt option accepts a command-line parameter to define the encryption strength to be used for encryption of the migration store. For more information about supported encryption algorithms, see Migration Store Encryption.

      /nocompress

      Disables compression of data and saves the files to a hidden folder named "File" at StorePath\USMT. Compression is enabled by default. Combining the /nocompress option with the /hardlink option generates a hard-link migration store. You can use the uncompressed store to view what USMT stored, troubleshoot a problem, or run an antivirus utility against the files. You should use this option only in testing environments, because we recommend that you use a compressed store during your actual migration, unless you are combining the /nocompress option with the /hardlink option.

      -

      The /nocompress and /encrypt options cannot be used together in one statement on the command line. However, if you do choose to migrate an uncompressed store, the LoadState command will migrate each file directly from the store to the correct location on the destination computer without a temporary location.

      -

      For example:

      -

      scanstate /i:migdocs.xml /i:migapp.xml \server\share\migration\mystore /nocompress

      - - - -## Run the ScanState Command on an Offline Windows System - - -You can run the **ScanState** command in Windows Preinstallation Environment (WinPE). In addition, USMT supports migrations from previous installations of Windows contained in Windows.old directories. The offline directory can be a Windows directory when you run the **ScanState** command in WinPE or a Windows.old directory when you run the **ScanState** command in Windows. - -There are several benefits to running the **ScanState** command on an offline Windows image, including: - -- **Improved Performance.** - - Because WinPE is a thin operating system, there are fewer running services. In this environment, the **ScanState** command has more access to the local hardware resources, enabling **ScanState** to perform migration operations more quickly. - -- **Simplified end to end deployment process.** - - Migrating data from Windows.old simplifies the end-to-end deployment process by enabling the migration process to occur after the new operating system is installed. - -- **Improved success of migration.** - - The migration success rate is increased because files will not be locked for editing while offline, and because WinPE provides administrator access to files in the offline Windows file system, eliminating the need for administrator-level access to the online system. - -- **Ability to recover an unbootable computer.** - - It might be possible to recover and migrate data from an unbootable computer. - -## Offline Migration Options - - - ---- - - - - - - - - - - - - - - - - - - - - -
      Command-Line OptionDefinition

      /offline:"path to an offline.xml file"

      This option is used to define a path to an offline .xml file that might specify other offline migration options, for example, an offline Windows directory or any domain or folder redirection required in your migration.

      /offlinewindir:"path to a Windows directory"

      This option specifies the offline Windows directory that the ScanState command gathers user state from. The offline directory can be Windows.old when you run the ScanState command in Windows or a Windows directory when you run the ScanState command in WinPE.

      /offlinewinold:"Windows.old directory"

      This command-line option enables the offline migration mode and starts the migration from the location specified. It is only intended to be used in Windows.old migration scenarios, where the migration is occurring from a Windows.old directory.

      - - - -## Migration Rule Options - - -USMT provides the following options to specify what files you want to migrate. - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Command-Line OptionDescription

      /i:[Path]FileName

      (include)

      -

      Specifies an .xml file that contains rules that define what user, application or system state to migrate. You can specify this option multiple times to include all of your .xml files (MigApp.xml, MigDocs.xml, and any custom .xml files that you create). Path can be either a relative or full path. If you do not specify the Path variable, then FileName must be located in the current directory. For more information about which files to specify, see the "XML Files" section of the Frequently Asked Questions topic.

      /genconfig:[Path]FileName

      (Generate Config.xml)

      -

      Generates the optional Config.xml file, but does not create a migration store. To ensure that this file contains every component, application and setting that can be migrated, you should create this file on a source computer that contains all the components, applications and settings that will be present on the destination computers. In addition, you should specify the other migration .xml files, using the /i option, when you specify this option.

      -

      After you create this file, you will need to make use of it with the ScanState command using the /config option.

      -

      The only options that you can specify with this option are the /i, /v, and /l options. You cannot specify StorePath, because the /genconfig option does not create a store. Path can be either a relative or full path. If you do not specify the Path variable, then FileName will be created in the current directory.

      -

      Examples:

      -
        -
      • The following example creates a Config.xml file in the current directory:

        -

        scanstate /i:migapp.xml /i:migdocs.xml /genconfig:config.xml /v:13

      • -

      /config:[Path</em>]FileName

      Specifies the Config.xml file that the ScanState command should use to create the store. You cannot use this option more than once on the command line. Path can be either a relative or full path. If you do not specify the Path variable, then FileName must be located in the current directory.

      -

      The following example creates a store using the Config.xml file, MigDocs.xml, and MigApp.xml files:

      -

      scanstate \server\share\migration\mystore /config:config.xml /i:migdocs.xml /i:migapp.xml /v:13 /l:scan.log

      -

      The following example migrates the files and settings to the destination computer using the Config.xml, MigDocs.xml, and MigApp.xml files:

      -

      loadstate \server\share\migration\mystore /config:config.xml /i:migdocs.xml /i:migapp.xml /v:13 /l:load.log

      /auto:path to script files

      This option enables you to specify the location of the default .xml files and then begin the migration. If no path is specified, USMT will reference the directory where the USMT binaries are located. The /auto option has the same effect as using the following options: /i:MigDocs.xml /i:MigApp.xml /v:5.

      /genmigxml:path to a file

      This option specifies that the ScanState command should use the document finder to create and export an .xml file that defines how to migrate all of the files on the computer on which the ScanState command is running.

      /targetwindows8

      Optimizes Scanstate.exe when using USMT 10.0 to migrate a user state to Windows 8 or Windows 8.1 instead of Windows 10. You should use this command line option in the following scenarios:

      -
        -
      • To create a Config.xml file by using the /genconfig option. Using the /targetwindows8 option optimizes the Config.xml file so that it only contains components that relate to Windows 8 or Windows 8.1.

      • -
      • To create a migration store. Using the /targetwindows8 option ensures that the ScanState tool gathers the correct set of operating system settings. Without the /targetwindows8 command-line option, some settings can be lost during the migration.

      • -

      /targetwindows7

      Optimizes Scanstate.exe when using USMT 10.0 to migrate a user state to Windows 7 instead of Windows 10. You should use this command line option in the following scenarios:

      -
        -
      • To create a Config.xml file by using the /genconfig option. Using the /targetwindows7 option optimizes the Config.xml file so that it only contains components that relate to Windows 7.

      • -
      • To create a migration store. Using the /targetwindows7 option ensures that the ScanState tool gathers the correct set of operating system settings. Without the /targetwindows7 command-line option, some settings can be lost during the migration.

      • -

      /localonly

      Migrates only files that are stored on the local computer, regardless of the rules in the .xml files that you specify on the command line. You should use this option when you want to exclude the data from removable drives on the source computer, such as USB flash drives (UFDs), some external hard drives, and so on, and when there are network drives mapped on the source computer. If the /localonly option is not specified, then the ScanState command will copy files from these removable or network drives into the store.

      -

      Anything that is not considered a fixed drive by the OS will be excluded by /localonly. In some cases large external hard drives are considered fixed drives. These drives can be explicitly excluded from migration by using a custom.xml file. For more information about how to exclude all files on a specific drive, see Exclude Files and Settings.

      -

      The /localonly command-line option includes or excludes data in the migration as identified in the following table:

      - ---- - - - - - - - - - - - - - - - - - - - - -
      Drive typeBehavior with /localonly

      Removable drives such as a USB flash drive

      Excluded

      Network drives

      Excluded

      Fixed drives

      Included

      -

      - - - -## Monitoring Options - - -USMT provides several options that you can use to analyze problems that occur during migration. - -**Note** -The ScanState log is created by default, but you can specify the name and location of the log with the **/l** option. - - - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Command-Line OptionDescription

      /listfiles:<FileName>

      You can use the /listfiles command-line option with the ScanState command to generate a text file that lists all of the files included in the migration.

      /l:[Path]FileName

      Specifies the location and name of the ScanState log.

      -

      You cannot store any of the log files in StorePath. Path can be either a relative or full path. If you do not specify the Path variable, then the log will be created in the current directory. You can use the /v option to adjust the amount of output.

      -

      If you run the ScanState or LoadState commands from a shared network resource, you must specify this option or USMT will fail with the following error: "USMT was unable to create the log file(s)". To fix this issue, use the /l:scan.log command.

      /v:<VerbosityLevel>

      (Verbosity)

      -

      Enables verbose output in the ScanState log file. The default value is 0.

      -

      You can set the VerbosityLevel to one of the following levels:

      - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      LevelExplanation

      0

      Only the default errors and warnings are enabled.

      1

      Enables verbose output.

      4

      Enables error and status output.

      5

      Enables verbose and status output.

      8

      Enables error output to a debugger.

      9

      Enables verbose output to a debugger.

      12

      Enables error and status output to a debugger.

      13

      Enables verbose, status, and debugger output.

      -

      -

      For example:

      -

      scanstate \server\share\migration\mystore /v:13 /i:migdocs.xml /i:migapp.xml

      -

      /progress:[Path</em>]FileName

      Creates the optional progress log. You cannot store any of the log files in StorePath. Path can be either a relative or full path. If you do not specify the Path variable, then FileName will be created in the current directory.

      -

      For example:

      -

      scanstate /i:migapp.xml /i:migdocs.xml \server\share\migration\mystore /progress:prog.log /l:scanlog.log

      /c

      When this option is specified, the ScanState command will continue to run, even if non-fatal errors occur. Any files or settings that cause an error are logged in the progress log. For example, if there is a large file that will not fit in the store, the ScanState command will log an error and continue with the migration. In addition, if a file is open or in use by an application, USMT may not be able to migrate the file and will log an error. Without the /c option, the ScanState command will exit on the first error.

      -

      You can use the new <ErrorControl> section in the Config.xml file to specify which file or registry read/write errors can be safely ignored and which might cause the migration to fail. This enables the /c command-line option to safely skip all input/output (I/O) errors in your environment. In addition, the /genconfig option now generates a sample <ErrorControl> section that is enabled by specifying error messages and desired behaviors in the Config.xml file.

      /r:<TimesToRetry>

      (Retry)

      -

      Specifies the number of times to retry when an error occurs while saving the user state to a server. The default is three times. This option is useful in environments where network connectivity is not reliable.

      -

      While storing the user state, the /r option will not be able to recover data that is lost due to a network-hardware failure, such as a faulty or disconnected network cable, or when a virtual private network (VPN) connection fails. The retry option is intended for large, busy networks where connectivity is satisfactory, but communication latency is a problem.

      /w:<SecondsBeforeRetry>

      (Wait)

      -

      Specifies the time to wait, in seconds, before retrying a network file operation. The default is 1 second.

      /p:<pathToFile>

      When the ScanState command runs, it will create an .xml file in the path specified. This .xml file includes improved space estimations for the migration store. The following example shows how to create this .xml file:

      -

      Scanstate.exe C:\MigrationLocation [additional parameters]

      -

      /p:"C:\MigrationStoreSize.xml"

      -

      For more information, see Estimate Migration Store Size.

      -

      To preserve the functionality of existing applications or scripts that require the previous behavior of USMT, you can use the /p option, without specifying "pathtoafile", in USMT. If you specify only the /p option, the storage space estimations are created in the same manner as with USMT3.x releases.

      /? or /help

      Displays Help at the command line.

      - - - -## User Options - - -By default, all users are migrated. The only way to specify which users to include and exclude is by using the following options. You cannot exclude users in the migration .xml files or using the Config.xml file. For more information, see [Identify Users](usmt-identify-users.md) and [Migrate User Accounts](usmt-migrate-user-accounts.md). - - ---- - - - - - - - - - - - - - - - - - - - - - - - - -
      Command-Line OptionDescription

      /all

      Migrates all of the users on the computer.

      -

      USMT migrates all user accounts on the computer, unless you specifically exclude an account with either the /ue or /uel options. For this reason, you do not need to specify this option on the command line. However, if you choose to specify the /all option, you cannot also use the /ui, /ue or /uel options.

      /ui:<DomainName>\<UserName>

      -

      or

      -

      /ui:<ComputerName>\<LocalUserName>

      (User include)

      -

      Migrates the specified users. By default, all users are included in the migration. Therefore, this option is helpful only when used with the /ue or /uel options. You can specify multiple /ui options, but you cannot use the /ui option with the /all option. DomainName and UserName can contain the asterisk () wildcard character. When you specify a user name that contains spaces, you will need to surround it with quotation marks.

      -
      -Note

      If a user is specified for inclusion with the /ui option, and also is specified to be excluded with either the /ue or /uel options, the user will be included in the migration.

      -
      -
      - -
      -

      For example:

      -
        -

        To include only User2 from the Fabrikam domain, type:

        -

        /ue:*\* /ui:fabrikam\user2

        -

        To migrate all users from the Fabrikam domain, and only the user accounts from other domains that have been active or otherwise modified in the last 30 days, type:

        -

        /uel:30 /ui:fabrikam\*

        -

        In this example, a user account from the Contoso domain that was last modified 2 months ago will not be migrated.

        -
      -

      For more examples, see the descriptions of the /ue and /ui options in this table.

      /uel:<NumberOfDays>

      -

      or

      -

      /uel:<YYYY/MM/DD>

      -

      or

      -

      /uel:0

      (User exclude based on last logon)

      -

      Migrates the users that logged onto the source computer within the specified time period, based on the Last Modified date of the Ntuser.dat file on the source computer. The /uel option acts as an include rule. For example, the /uel:30 option migrates users who logged on, or whose account was modified, within the last 30 days from the date when the ScanState command is run.

      -

      You can specify a number of days or you can specify a date. You cannot use this option with the /all option. USMT retrieves the last logon information from the local computer, so the computer does not need to be connected to the network when you run this option. In addition, if a domain user has logged onto another computer, that logon instance is not considered by USMT.

      -
      -Note

      The /uel option is not valid in offline migrations.

      -
      -
      - -
      -
        -
      • /uel:0 migrates any users who are currently logged on.

      • -
      • /uel:90 migrates users who have logged on, or whose accounts have been otherwise modified, within the last 90 days.

      • -
      • /uel:1 migrates users whose account has been modified within the last 24 hours.

      • -
      • /uel:2002/1/15 migrates users who have logged on or been modified January 15, 2002 or afterwards.

      • -
      -

      For example:

      -

      scanstate /i:migapp.xml /i:migdocs.xml \\server\share\migration\mystore /uel:0

      /ue:<DomainName>\<UserName>

      -

      -or-

      -

      -

      /ue:<ComputerName>\<LocalUserName>

      (User exclude)

      -

      Excludes the specified users from the migration. You can specify multiple /ue options. You cannot use this option with the /all option. <DomainName> and <UserName> can contain the asterisk () wildcard character. When you specify a user name that contains spaces, you need to surround it with quotation marks.

      -

      For example:

      -

      scanstate /i:migdocs.xml /i:migapp.xml \\server\share\migration\mystore /ue:contoso\user1

      - - - -## How to Use /ui and /ue - - -The following examples apply to both the /**ui** and /**ue** options. You can replace the /**ue** option with the /**ui** option to include, rather than exclude, the specified users. - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      BehaviorCommand

      Exclude the user named User One in the Fabrikam domain.

      /ue:"fabrikam\user one"

      Exclude the user named User1 in the Fabrikam domain.

      /ue:fabrikam\user1

      Exclude the local user named User1.

      /ue:%computername%\user1

      Exclude all domain users.

      /ue:Domain\*

      Exclude all local users.

      /ue:%computername%\*

      Exclude users in all domains named User1, User2, and so on.

      /ue:*\user*

      - - - -## Using the Options Together - - -You can use the /**uel**, /**ue** and /**ui** options together to migrate only the users that you want migrated. - -The /**ui** option has precedence over the /**ue** and /**uel** options. If a user is specified to be included using the /**ui** option, and also specified to be excluded using either the /**ue** or /**uel** options, the user will be included in the migration. For example, if you specify `/ui:contoso\* /ue:contoso\user1`, then User1 will be migrated, because the /**ui** option takes precedence over the /**ue** option. - -The /**uel** option takes precedence over the /**ue** option. If a user has logged on within the specified time period set by the /**uel** option, that user’s profile will be migrated even if they are excluded by using the /**ue** option. For example, if you specify `/ue:fixed\user1 /uel:14`, the User1 will be migrated if they have logged on to the computer within the last 14 days. - - ---- - - - - - - - - - - - - - - - - - - - - - - - - -
      BehaviorCommand

      Include only User2 from the Fabrikam domain and exclude all other users.

      /ue:*\* /ui:fabrikam\user2

      Include only the local user named User1 and exclude all other users.

      /ue:*\* /ui:user1

      Include only the domain users from Contoso, except Contoso\User1.

      This behavior cannot be completed using a single command. Instead, to migrate this set of users, you will need to specify the following:

      -
        -
      • On the ScanState command line, type: /ue:*\* /ui:contoso\*

      • -
      • On the LoadState command line, type: /ue:contoso\user1

      • -

      Include only local (non-domain) users.

      /ue:*\* /ui:%computername%\*

      - - - -## Encrypted File Options - - -You can use the following options to migrate encrypted files. In all cases, by default, USMT fails if an encrypted file is found unless you specify an /**efs** option. To migrate encrypted files, you must change the default behavior. - -For more information, see [Migrate EFS Files and Certificates](usmt-migrate-efs-files-and-certificates.md). - -**Note** -EFS certificates will be migrated automatically when migrating to Windows 7, Windows 8 or Windows 10. Therefore, you should specify the /**efs:copyraw** option with the **ScanState** command to migrate the encrypted files - - - -**Caution** -Take caution when migrating encrypted files. If you migrate an encrypted file without also migrating the certificate, end users will not be able to access the file after the migration. - - - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Command-Line OptionExplanation

      /efs:hardlink

      Creates a hard link to the EFS file instead of copying it. Use only with the /hardlink and the /nocompress options.

      /efs:abort

      Causes the ScanState command to fail with an error code, if an Encrypting File System (EFS) file is found on the source computer. Enabled by default.

      /efs:skip

      Causes the ScanState command to ignore EFS files.

      /efs:decryptcopy

      Causes the ScanState command to decrypt the file, if possible, before saving it to the migration store, and to fail if the file cannot be decrypted. If the ScanState command succeeds, the file will be unencrypted in the migration store, and once you run the LoadState command, the file will be copied to the destination computer.

      /efs:copyraw

      Causes the ScanState command to copy the files in the encrypted format. The files will be inaccessible on the destination computer until the EFS certificates are migrated. EFS certificates will be automatically migrated; however, by default USMT fails if an encrypted file is found, unless you specify an /efs option. Therefore you should specify the /efs:copyraw option with the ScanState command to migrate the encrypted file. Then, when you run the LoadState command, the encrypted file and the EFS certificate will be automatically migrated.

      -

      For example:

      -

      ScanState /i:migdocs.xml /i:migapp.xml \server\share\migration\mystore /efs:copyraw

      -
      -Important

      All files must be encrypted if the parent folder is encrypted. If the encryption attribute on a file inside an encrypted folder has been removed, the file will be encrypted during the migration using the credentials of the account used to run the LoadState tool. For more information, see Migrate EFS Files and Certificates.

      -
      -
      - -
      - - - -## Incompatible Command-Line Options - - -The following table indicates which command-line options are not compatible with the **ScanState** command. If the table entry for a particular combination is blank, the options are compatible and you can use them together. The X symbol means that the options are not compatible. For example, you cannot use the **/nocompress** option with the **/encrypt** option. - - ------- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Command-Line Option/keyfile/nocompress/genconfig/all

      /i

      /o

      /v

      /nocompress

      X

      N/A

      /localonly

      X

      /key

      X

      X

      /encrypt

      Required*

      X

      X

      /keyfile

      N/A

      X

      /l

      /progress

      X

      /r

      X

      /w

      X

      /c

      X

      /p

      X

      N/A

      /all

      X

      /ui

      X

      X

      /ue

      X

      X

      /uel

      X

      X

      /efs:<option>

      X

      /genconfig

      N/A

      /config

      X

      <StorePath>

      X

      -
-
-
-**Note**
-You must specify either the /**key** or /**keyfile** option with the /**encrypt** option.
-
-
-
-## Related topics
-
-
-[XML Elements Library](usmt-xml-elements-library.md)
-
-
-
-
-
-
-
-
-
+---
+title: ScanState Syntax (Windows 10)
+description: The ScanState command is used with the User State Migration Tool (USMT) 10.0 to scan the source computer, collect the files and settings, and create a store.
+ms.assetid: 004c755f-33db-49e4-8a3b-37beec1480ea
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.date: 04/19/2017
+ms.topic: article
+---
+
+# ScanState Syntax
+
+
+The ScanState command is used with the User State Migration Tool (USMT) 10.0 to scan the source computer, collect the files and settings, and create a store.
+
+## In This Topic
+
+
+[Before You Begin](#bkmk-beforeyoubegin)
+
+[Syntax](#bkmk-syntax)
+
+[Storage Options](#bkmk-storageoptions)
+
+[Migration Rule Options](#bkmk-migrationruleoptions)
+
+[Monitoring Options](#bkmk-monitoringoptions)
+
+[User Options](#bkmk-useroptions)
+
+[Encrypted File Options](#bkmk-efs)
+
+[Incompatible Command-Line Options](#bkmk-iclo)
+
+## Before You Begin
+
+
+Before you run the **ScanState** command, note the following:
+
+- To ensure that all operating system settings migrate, in most cases you must run the **ScanState** commands in administrator mode from an account with administrative credentials.
+
+- If you encrypt the migration store, you will be required to enter an encryption key or a path to a file containing the encryption key. Be sure to make note of the key or the key file location, because this information is not kept anywhere in the migration store. You will need this information when you run the LoadState command to decrypt the migration store, or if you need to run the recovery utility. An incorrect or missing key or key file results in an error message.
+
+- For information about software requirements for running the **ScanState** command, see [USMT Requirements](usmt-requirements.md).
+
+- Unless otherwise noted, you can use each option only once when running a tool on the command line.
+
+- You can gather domain accounts without the source computer having domain controller access. This functionality is available without any additional configuration.
+
+- The [Incompatible Command-Line Options](#bkmk-iclo) table lists which options you can use together and which command-line options are incompatible.
+
+- The directory location where you save the migration store will be excluded from the scan. For example, if you save the migration store to the root of the D drive, the D drive and all of its subdirectories will be excluded from the scan.
+
+## Syntax
+
+
+This section explains the syntax and usage of the **ScanState** command-line options. The options can be specified in any order. If the option contains a parameter, you can use either a colon or a space separator.
+ +The **ScanState** command's syntax is: + +> scanstate \[*StorePath*\] \[/apps\] \[/ppkg:*FileName*\] \[/i:\[*Path*\\\]*FileName*\] \[/o\] \[/v:*VerbosityLevel*\] \[/nocompress\] \[/localonly\] \[/encrypt /key:*KeyString*|/keyfile:\[Path\\\]*FileName*\] \[/l:\[*Path*\\\]*FileName*\] \[/progress:\[*Path*\\\]*FileName*\] \[/r:*TimesToRetry*\] \[/w:*SecondsBeforeRetry*\] \[/c\] \[/p\] \[/all\] \[/ui:\[*DomainName*|*ComputerName*\\\]*UserName*\] \[/ue:\[*DomainName*|*ComputerName*\\\]*UserName*\] \[/uel:*NumberOfDays*|*YYYY/MM/DD*|0\] \[/efs:abort|skip|decryptcopy|copyraw\] \[/genconfig:\[*Path*\\\]*FileName*\[/config:\[*Path*\\\]*FileName*\] \[/?|help\] + +For example, to create a Config.xml file in the current directory, use: + +`scanstate /i:migapp.xml /i:migdocs.xml /genconfig:config.xml /v:13` + +To create an encrypted store using the Config.xml file and the default migration .xml files, use: + +`scanstate \\server\share\migration\mystore /i:migapp.xml /i:migdocs.xml /o /config:config.xml /v:13 /encrypt /key:"mykey"` + +## Storage Options + + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Command-Line OptionDescription

      StorePath

      Indicates a folder where files and settings will be saved. Note that StorePath cannot be C:\. You must specify the StorePath option in the ScanState command, except when using the /genconfig option. You cannot specify more than one StorePath location.

      /apps

      Scans the image for apps and includes them and their associated registry settings.

      /ppkg [<FileName>]

      Exports to a specific file location.

      /o

      Required to overwrite any existing data in the migration store or Config.xml file. If not specified, the ScanState command will fail if the migration store already contains data. You cannot use this option more than once on a command line.

      /vsc

      This option enables the volume shadow-copy service to migrate files that are locked or in use. This command-line option eliminates most file-locking errors that are typically encountered by the <ErrorControl> section.

      +

      This option can be used only with the ScanState executable file and cannot be combined with the /hardlink option.

      /hardlink

      Enables the creation of a hard-link migration store at the specified location. The /nocompress option must be specified with the /hardlink option.

      /encrypt [{/key:<KeyString> | /keyfile:<file>]}

      Encrypts the store with the specified key. Encryption is disabled by default. With this option, you will need to specify the encryption key in one of the following ways:

      +
        +
      • /key:KeyString specifies the encryption key. If there is a space in KeyString, you will need to surround KeyString with quotation marks.

      • +
      • /keyfile:FilePathAndName specifies a text (.txt) file that contains the encryption key.

      • +
      +

      We recommend that KeyString be at least eight characters long, but it cannot exceed 256 characters. The /key and /keyfile options cannot be used on the same command line. The /encrypt and /nocompress options cannot be used on the same command line.

      +
      +Important

      You should use caution with this option, because anyone who has access to the ScanState command-line script will also have access to the encryption key.

      +
      +
      + +
      +

      The following example shows the ScanState command and the /key option:

      +

      scanstate /i:migdocs.xml /i:migapp.xml \server\share\migration\mystore /encrypt /key:mykey

      /encrypt:<EncryptionStrength>

      The /encrypt option accepts a command-line parameter to define the encryption strength to be used for encryption of the migration store. For more information about supported encryption algorithms, see Migration Store Encryption.

      /nocompress

      Disables compression of data and saves the files to a hidden folder named "File" at StorePath\USMT. Compression is enabled by default. Combining the /nocompress option with the /hardlink option generates a hard-link migration store. You can use the uncompressed store to view what USMT stored, troubleshoot a problem, or run an antivirus utility against the files. You should use this option only in testing environments, because we recommend that you use a compressed store during your actual migration, unless you are combining the /nocompress option with the /hardlink option.

      +

      The /nocompress and /encrypt options cannot be used together in one statement on the command line. However, if you do choose to migrate an uncompressed store, the LoadState command will migrate each file directly from the store to the correct location on the destination computer without a temporary location.

      +

      For example:

      +

      scanstate /i:migdocs.xml /i:migapp.xml \server\share\migration\mystore /nocompress

      + + + +## Run the ScanState Command on an Offline Windows System + + +You can run the **ScanState** command in Windows Preinstallation Environment (WinPE). In addition, USMT supports migrations from previous installations of Windows contained in Windows.old directories. The offline directory can be a Windows directory when you run the **ScanState** command in WinPE or a Windows.old directory when you run the **ScanState** command in Windows. + +There are several benefits to running the **ScanState** command on an offline Windows image, including: + +- **Improved Performance.** + + Because WinPE is a thin operating system, there are fewer running services. In this environment, the **ScanState** command has more access to the local hardware resources, enabling **ScanState** to perform migration operations more quickly. + +- **Simplified end to end deployment process.** + + Migrating data from Windows.old simplifies the end-to-end deployment process by enabling the migration process to occur after the new operating system is installed. + +- **Improved success of migration.** + + The migration success rate is increased because files will not be locked for editing while offline, and because WinPE provides administrator access to files in the offline Windows file system, eliminating the need for administrator-level access to the online system. + +- **Ability to recover an unbootable computer.** + + It might be possible to recover and migrate data from an unbootable computer. + +## Offline Migration Options + + + ++++ + + + + + + + + + + + + + + + + + + + + +
      Command-Line OptionDefinition

      /offline:"path to an offline.xml file"

      This option is used to define a path to an offline .xml file that might specify other offline migration options, for example, an offline Windows directory or any domain or folder redirection required in your migration.

      /offlinewindir:"path to a Windows directory"

      This option specifies the offline Windows directory that the ScanState command gathers user state from. The offline directory can be Windows.old when you run the ScanState command in Windows or a Windows directory when you run the ScanState command in WinPE.

      /offlinewinold:"Windows.old directory"

      This command-line option enables the offline migration mode and starts the migration from the location specified. It is only intended to be used in Windows.old migration scenarios, where the migration is occurring from a Windows.old directory.

      + + + +## Migration Rule Options + + +USMT provides the following options to specify what files you want to migrate. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Command-Line OptionDescription

      /i:[Path]FileName

      (include)

      +

      Specifies an .xml file that contains rules that define what user, application or system state to migrate. You can specify this option multiple times to include all of your .xml files (MigApp.xml, MigDocs.xml, and any custom .xml files that you create). Path can be either a relative or full path. If you do not specify the Path variable, then FileName must be located in the current directory. For more information about which files to specify, see the "XML Files" section of the Frequently Asked Questions topic.

      /genconfig:[Path]FileName

      (Generate Config.xml)

      +

      Generates the optional Config.xml file, but does not create a migration store. To ensure that this file contains every component, application and setting that can be migrated, you should create this file on a source computer that contains all the components, applications and settings that will be present on the destination computers. In addition, you should specify the other migration .xml files, using the /i option, when you specify this option.

      +

      After you create this file, you will need to make use of it with the ScanState command using the /config option.

      +

      The only options that you can specify with this option are the /i, /v, and /l options. You cannot specify StorePath, because the /genconfig option does not create a store. Path can be either a relative or full path. If you do not specify the Path variable, then FileName will be created in the current directory.

      +

      Examples:

      +
        +
      • The following example creates a Config.xml file in the current directory:

        +

        scanstate /i:migapp.xml /i:migdocs.xml /genconfig:config.xml /v:13

      • +

      /config:[Path</em>]FileName

      Specifies the Config.xml file that the ScanState command should use to create the store. You cannot use this option more than once on the command line. Path can be either a relative or full path. If you do not specify the Path variable, then FileName must be located in the current directory.

      +

      The following example creates a store using the Config.xml file, MigDocs.xml, and MigApp.xml files:

      +

      scanstate \server\share\migration\mystore /config:config.xml /i:migdocs.xml /i:migapp.xml /v:13 /l:scan.log

      +

      The following example migrates the files and settings to the destination computer using the Config.xml, MigDocs.xml, and MigApp.xml files:

      +

      loadstate \server\share\migration\mystore /config:config.xml /i:migdocs.xml /i:migapp.xml /v:13 /l:load.log

      /auto:path to script files

      This option enables you to specify the location of the default .xml files and then begin the migration. If no path is specified, USMT will reference the directory where the USMT binaries are located. The /auto option has the same effect as using the following options: /i:MigDocs.xml /i:MigApp.xml /v:5.

      /genmigxml:path to a file

      This option specifies that the ScanState command should use the document finder to create and export an .xml file that defines how to migrate all of the files on the computer on which the ScanState command is running.

      /targetwindows8

      Optimizes Scanstate.exe when using USMT 10.0 to migrate a user state to Windows 8 or Windows 8.1 instead of Windows 10. You should use this command line option in the following scenarios:

      +
        +
      • To create a Config.xml file by using the /genconfig option. Using the /targetwindows8 option optimizes the Config.xml file so that it only contains components that relate to Windows 8 or Windows 8.1.

      • +
      • To create a migration store. Using the /targetwindows8 option ensures that the ScanState tool gathers the correct set of operating system settings. Without the /targetwindows8 command-line option, some settings can be lost during the migration.

      • +

      /targetwindows7

      Optimizes Scanstate.exe when using USMT 10.0 to migrate a user state to Windows 7 instead of Windows 10. You should use this command line option in the following scenarios:

      +
        +
      • To create a Config.xml file by using the /genconfig option. Using the /targetwindows7 option optimizes the Config.xml file so that it only contains components that relate to Windows 7.

      • +
      • To create a migration store. Using the /targetwindows7 option ensures that the ScanState tool gathers the correct set of operating system settings. Without the /targetwindows7 command-line option, some settings can be lost during the migration.

      • +

      /localonly

      Migrates only files that are stored on the local computer, regardless of the rules in the .xml files that you specify on the command line. You should use this option when you want to exclude the data from removable drives on the source computer, such as USB flash drives (UFDs), some external hard drives, and so on, and when there are network drives mapped on the source computer. If the /localonly option is not specified, then the ScanState command will copy files from these removable or network drives into the store.

      +

      Anything that is not considered a fixed drive by the OS will be excluded by /localonly. In some cases large external hard drives are considered fixed drives. These drives can be explicitly excluded from migration by using a custom.xml file. For more information about how to exclude all files on a specific drive, see Exclude Files and Settings.

      +

      The /localonly command-line option includes or excludes data in the migration as identified in the following table:

      + ++++ + + + + + + + + + + + + + + + + + + + + +
      Drive typeBehavior with /localonly

      Removable drives such as a USB flash drive

      Excluded

      Network drives

      Excluded

      Fixed drives

      Included

      +

      + + + +## Monitoring Options + + +USMT provides several options that you can use to analyze problems that occur during migration. + +> [!NOTE] +> The ScanState log is created by default, but you can specify the name and location of the log with the **/l** option. + + + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Command-Line OptionDescription

      /listfiles:<FileName>

      You can use the /listfiles command-line option with the ScanState command to generate a text file that lists all of the files included in the migration.

      /l:[Path]FileName

      Specifies the location and name of the ScanState log.

      +

      You cannot store any of the log files in StorePath. Path can be either a relative or full path. If you do not specify the Path variable, then the log will be created in the current directory. You can use the /v option to adjust the amount of output.

      +

      If you run the ScanState or LoadState commands from a shared network resource, you must specify this option or USMT will fail with the following error: "USMT was unable to create the log file(s)". To fix this issue, use the /l:scan.log command.

      /v:<VerbosityLevel>

      (Verbosity)

      +

      Enables verbose output in the ScanState log file. The default value is 0.

      +

      You can set the VerbosityLevel to one of the following levels:

      + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      LevelExplanation

      0

      Only the default errors and warnings are enabled.

      1

      Enables verbose output.

      4

      Enables error and status output.

      5

      Enables verbose and status output.

      8

      Enables error output to a debugger.

      9

      Enables verbose output to a debugger.

      12

      Enables error and status output to a debugger.

      13

      Enables verbose, status, and debugger output.

      +

      +

      For example:

      +

      scanstate \server\share\migration\mystore /v:13 /i:migdocs.xml /i:migapp.xml

      +

      /progress:[Path</em>]FileName

      Creates the optional progress log. You cannot store any of the log files in StorePath. Path can be either a relative or full path. If you do not specify the Path variable, then FileName will be created in the current directory.

      +

      For example:

      +

      scanstate /i:migapp.xml /i:migdocs.xml \server\share\migration\mystore /progress:prog.log /l:scanlog.log

      /c

      When this option is specified, the ScanState command will continue to run, even if non-fatal errors occur. Any files or settings that cause an error are logged in the progress log. For example, if there is a large file that will not fit in the store, the ScanState command will log an error and continue with the migration. In addition, if a file is open or in use by an application, USMT may not be able to migrate the file and will log an error. Without the /c option, the ScanState command will exit on the first error.

      +

      You can use the new <ErrorControl> section in the Config.xml file to specify which file or registry read/write errors can be safely ignored and which might cause the migration to fail. This enables the /c command-line option to safely skip all input/output (I/O) errors in your environment. In addition, the /genconfig option now generates a sample <ErrorControl> section that is enabled by specifying error messages and desired behaviors in the Config.xml file.

      /r:<TimesToRetry>

      (Retry)

      +

      Specifies the number of times to retry when an error occurs while saving the user state to a server. The default is three times. This option is useful in environments where network connectivity is not reliable.

      +

      While storing the user state, the /r option will not be able to recover data that is lost due to a network-hardware failure, such as a faulty or disconnected network cable, or when a virtual private network (VPN) connection fails. The retry option is intended for large, busy networks where connectivity is satisfactory, but communication latency is a problem.

      /w:<SecondsBeforeRetry>

      (Wait)

      +

      Specifies the time to wait, in seconds, before retrying a network file operation. The default is 1 second.

      /p:<pathToFile>

      When the ScanState command runs, it will create an .xml file in the path specified. This .xml file includes improved space estimations for the migration store. The following example shows how to create this .xml file:

      +

      Scanstate.exe C:\MigrationLocation [additional parameters]

      +

      /p:"C:\MigrationStoreSize.xml"

      +

      For more information, see Estimate Migration Store Size.

      +

      To preserve the functionality of existing applications or scripts that require the previous behavior of USMT, you can use the /p option, without specifying "pathtoafile", in USMT. If you specify only the /p option, the storage space estimations are created in the same manner as with USMT3.x releases.

      /? or /help

      Displays Help at the command line.

      + + + +## User Options + + +By default, all users are migrated. The only way to specify which users to include and exclude is by using the following options. You cannot exclude users in the migration .xml files or using the Config.xml file. For more information, see [Identify Users](usmt-identify-users.md) and [Migrate User Accounts](usmt-migrate-user-accounts.md). + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + +
      Command-Line OptionDescription

      /all

      Migrates all of the users on the computer.

      +

      USMT migrates all user accounts on the computer, unless you specifically exclude an account with either the /ue or /uel options. For this reason, you do not need to specify this option on the command line. However, if you choose to specify the /all option, you cannot also use the /ui, /ue or /uel options.

      /ui:<DomainName>\<UserName>

      +

      or

      +

      /ui:<ComputerName>\<LocalUserName>

      (User include)

      +

      Migrates the specified users. By default, all users are included in the migration. Therefore, this option is helpful only when used with the /ue or /uel options. You can specify multiple /ui options, but you cannot use the /ui option with the /all option. DomainName and UserName can contain the asterisk () wildcard character. When you specify a user name that contains spaces, you will need to surround it with quotation marks.

      +
      +Note

      If a user is specified for inclusion with the /ui option, and also is specified to be excluded with either the /ue or /uel options, the user will be included in the migration.

      +
      +
      + +
      +

      For example:

      +
        +

        To include only User2 from the Fabrikam domain, type:

        +

        /ue:*\* /ui:fabrikam\user2

        +

        To migrate all users from the Fabrikam domain, and only the user accounts from other domains that have been active or otherwise modified in the last 30 days, type:

        +

        /uel:30 /ui:fabrikam\*

        +

        In this example, a user account from the Contoso domain that was last modified 2 months ago will not be migrated.

        +
      +

      For more examples, see the descriptions of the /ue and /ui options in this table.

      /uel:<NumberOfDays>

      +

      or

      +

      /uel:<YYYY/MM/DD>

      +

      or

      +

      /uel:0

      (User exclude based on last logon)

      +

      Migrates the users that logged onto the source computer within the specified time period, based on the Last Modified date of the Ntuser.dat file on the source computer. The /uel option acts as an include rule. For example, the /uel:30 option migrates users who logged on, or whose account was modified, within the last 30 days from the date when the ScanState command is run.

      +

      You can specify a number of days or you can specify a date. You cannot use this option with the /all option. USMT retrieves the last logon information from the local computer, so the computer does not need to be connected to the network when you run this option. In addition, if a domain user has logged onto another computer, that logon instance is not considered by USMT.

      +
      +Note

      The /uel option is not valid in offline migrations.

      +
      +
      + +
      +
        +
      • /uel:0 migrates any users who are currently logged on.

      • +
      • /uel:90 migrates users who have logged on, or whose accounts have been otherwise modified, within the last 90 days.

      • +
      • /uel:1 migrates users whose account has been modified within the last 24 hours.

      • +
      • /uel:2002/1/15 migrates users who have logged on or been modified January 15, 2002 or afterwards.

      • +
      +

      For example:

      +

      scanstate /i:migapp.xml /i:migdocs.xml \\server\share\migration\mystore /uel:0

      /ue:<DomainName>\<UserName>

      +

      -or-

      +

      +

      /ue:<ComputerName>\<LocalUserName>

      (User exclude)

      +

      Excludes the specified users from the migration. You can specify multiple /ue options. You cannot use this option with the /all option. <DomainName> and <UserName> can contain the asterisk () wildcard character. When you specify a user name that contains spaces, you need to surround it with quotation marks.

      +

      For example:

      +

      scanstate /i:migdocs.xml /i:migapp.xml \\server\share\migration\mystore /ue:contoso\user1

      + + + +## How to Use /ui and /ue + + +The following examples apply to both the /**ui** and /**ue** options. You can replace the /**ue** option with the /**ui** option to include, rather than exclude, the specified users. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      BehaviorCommand

      Exclude the user named User One in the Fabrikam domain.

      /ue:"fabrikam\user one"

      Exclude the user named User1 in the Fabrikam domain.

      /ue:fabrikam\user1

      Exclude the local user named User1.

      /ue:%computername%\user1

      Exclude all domain users.

      /ue:Domain\*

      Exclude all local users.

      /ue:%computername%\*

      Exclude users in all domains named User1, User2, and so on.

      /ue:*\user*

      + + + +## Using the Options Together + + +You can use the /**uel**, /**ue** and /**ui** options together to migrate only the users that you want migrated. + +The /**ui** option has precedence over the /**ue** and /**uel** options. If a user is specified to be included using the /**ui** option, and also specified to be excluded using either the /**ue** or /**uel** options, the user will be included in the migration. For example, if you specify `/ui:contoso\* /ue:contoso\user1`, then User1 will be migrated, because the /**ui** option takes precedence over the /**ue** option. + +The /**uel** option takes precedence over the /**ue** option. If a user has logged on within the specified time period set by the /**uel** option, that user’s profile will be migrated even if they are excluded by using the /**ue** option. For example, if you specify `/ue:fixed\user1 /uel:14`, the User1 will be migrated if they have logged on to the computer within the last 14 days. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + +
      BehaviorCommand

      Include only User2 from the Fabrikam domain and exclude all other users.

      /ue:*\* /ui:fabrikam\user2

      Include only the local user named User1 and exclude all other users.

      /ue:*\* /ui:user1

      Include only the domain users from Contoso, except Contoso\User1.

      This behavior cannot be completed using a single command. Instead, to migrate this set of users, you will need to specify the following:

      +
        +
      • On the ScanState command line, type: /ue:*\* /ui:contoso\*

      • +
      • On the LoadState command line, type: /ue:contoso\user1

      • +

      Include only local (non-domain) users.

      /ue:*\* /ui:%computername%\*

      + + + +## Encrypted File Options + + +You can use the following options to migrate encrypted files. In all cases, by default, USMT fails if an encrypted file is found unless you specify an /**efs** option. To migrate encrypted files, you must change the default behavior. + +For more information, see [Migrate EFS Files and Certificates](usmt-migrate-efs-files-and-certificates.md). + +> [!NOTE] +> EFS certificates will be migrated automatically when migrating to Windows 7, Windows 8 or Windows 10. Therefore, you should specify the /**efs:copyraw** option with the **ScanState** command to migrate the encrypted files + + +> [!CAUTION] +> Take caution when migrating encrypted files. If you migrate an encrypted file without also migrating the certificate, end users will not be able to access the file after the migration. + + + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Command-Line OptionExplanation

      /efs:hardlink

      Creates a hard link to the EFS file instead of copying it. Use only with the /hardlink and the /nocompress options.

      /efs:abort

      Causes the ScanState command to fail with an error code, if an Encrypting File System (EFS) file is found on the source computer. Enabled by default.

      /efs:skip

      Causes the ScanState command to ignore EFS files.

      /efs:decryptcopy

      Causes the ScanState command to decrypt the file, if possible, before saving it to the migration store, and to fail if the file cannot be decrypted. If the ScanState command succeeds, the file will be unencrypted in the migration store, and once you run the LoadState command, the file will be copied to the destination computer.

      /efs:copyraw

      Causes the ScanState command to copy the files in the encrypted format. The files will be inaccessible on the destination computer until the EFS certificates are migrated. EFS certificates will be automatically migrated; however, by default USMT fails if an encrypted file is found, unless you specify an /efs option. Therefore you should specify the /efs:copyraw option with the ScanState command to migrate the encrypted file. Then, when you run the LoadState command, the encrypted file and the EFS certificate will be automatically migrated.

      +

      For example:

      +

      ScanState /i:migdocs.xml /i:migapp.xml \server\share\migration\mystore /efs:copyraw

      +
      +Important

      All files must be encrypted if the parent folder is encrypted. If the encryption attribute on a file inside an encrypted folder has been removed, the file will be encrypted during the migration using the credentials of the account used to run the LoadState tool. For more information, see Migrate EFS Files and Certificates.

      +
      +
      + +
      + + + +## Incompatible Command-Line Options + + +The following table indicates which command-line options are not compatible with the **ScanState** command. If the table entry for a particular combination is blank, the options are compatible and you can use them together. The X symbol means that the options are not compatible. For example, you cannot use the **/nocompress** option with the **/encrypt** option. + + +++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Command-Line Option/keyfile/nocompress/genconfig/all

      /i

      /o

      /v

      /nocompress

      N/A

      /localonly

      X

      /key

      X

      X

      /encrypt

      Required*

      X

      X

      /keyfile

      N/A

      X

      /l

      /progress

      X

      /r

      X

      /w

      X

      /c

      X

      /p

      X

      N/A

      /all

      X

      /ui

      X

      X

      /ue

      X

      X

      /uel

      X

      X

      /efs:<option>

      X

      /genconfig

      N/A

      /config

      X

      <StorePath>

      X

      + + +> [!NOTE] +> You must specify either the /**key** or /**keyfile** option with the /**encrypt** option. + + + +## Related topics + + +[XML Elements Library](usmt-xml-elements-library.md) + diff --git a/windows/deployment/usmt/usmt-test-your-migration.md b/windows/deployment/usmt/usmt-test-your-migration.md index 183f7bc16e..564ab2c53c 100644 --- a/windows/deployment/usmt/usmt-test-your-migration.md +++ b/windows/deployment/usmt/usmt-test-your-migration.md @@ -1,6 +1,6 @@ --- title: Test Your Migration (Windows 10) -description: Test Your Migration +description: Learn about testing your migration plan in a controlled laboratory setting before you deploy it to your entire organization. ms.assetid: 754af276-8386-4eac-8079-3d1e45964a0d ms.reviewer: manager: laurawi diff --git a/windows/deployment/usmt/usmt-topics.md b/windows/deployment/usmt/usmt-topics.md index 69321a476c..2e73d33887 100644 --- a/windows/deployment/usmt/usmt-topics.md +++ b/windows/deployment/usmt/usmt-topics.md 
@@ -1,30 +1,31 @@
----
-title: User State Migration Tool (USMT) Overview Topics (Windows 10)
-description: User State Migration Tool (USMT) Overview Topics
-ms.assetid: 23170271-130b-416f-a7a7-c2f6adc32eee
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro author: greg-lindsay
-ms.date: 04/19/2017
-ms.topic: article
----
-
-# User State Migration Tool (USMT) Overview Topics
-The User State Migration Tool (USMT) 10.0 provides a highly customizable user-profile migration experience for IT professionals. USMT includes three command-line tools: ScanState.exe, LoadState.exe, and UsmtUtils.exe. USMT also includes a set of three modifiable .xml files: MigApp.xml, MigDocs.xml, and MigUser.xml. Additionally, you can create custom .xml files to support your migration needs. You can also create a Config.xml file to specify files or settings to exclude from the migration.
-
-## In This Section
-
-|Topic |Description|
-|------|-----------|
-|[User State Migration Tool (USMT) Overview](usmt-overview.md)|Describes the benefits and limitations of using USMT.|
-|[Getting Started with the User State Migration Tool (USMT)](getting-started-with-the-user-state-migration-tool.md)|Describes the general process to follow to migrate files and settings, and provides links to more information.|
-|[Windows Upgrade and Migration Considerations](../upgrade/windows-upgrade-and-migration-considerations.md)|Discusses the Microsoft® tools you can use to move files and settings between installations, as well as special considerations for performing an upgrade or migration.|
-
-## Related topics
-- [User State Migration Tool (USMT) How-to topics](usmt-how-to.md)
-- [User State Migration Tool (USMT) Troubleshooting](usmt-troubleshooting.md)
-- [User State Migration Toolkit (USMT) Reference](usmt-reference.md)
+---
+title: User State Migration Tool (USMT) Overview Topics (Windows 10)
+description: Learn about User State Migration Tool (USMT) overview topics that describe USMT as a highly customizable user-profile migration experience for IT professionals.
+ms.assetid: 23170271-130b-416f-a7a7-c2f6adc32eee
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.date: 04/19/2017
+ms.topic: article
+---
+
+# User State Migration Tool (USMT) Overview Topics
+The User State Migration Tool (USMT) 10.0 provides a highly customizable user-profile migration experience for IT professionals. USMT includes three command-line tools: ScanState.exe, LoadState.exe, and UsmtUtils.exe. USMT also includes a set of three modifiable .xml files: MigApp.xml, MigDocs.xml, and MigUser.xml. Additionally, you can create custom .xml files to support your migration needs. You can also create a Config.xml file to specify files or settings to exclude from the migration.
+
+## In This Section
+
+|Topic |Description|
+|------|-----------|
+|[User State Migration Tool (USMT) Overview](usmt-overview.md)|Describes the benefits and limitations of using USMT.|
+|[Getting Started with the User State Migration Tool (USMT)](getting-started-with-the-user-state-migration-tool.md)|Describes the general process to follow to migrate files and settings, and provides links to more information.|
+|[Windows Upgrade and Migration Considerations](../upgrade/windows-upgrade-and-migration-considerations.md)|Discusses the Microsoft® tools you can use to move files and settings between installations, as well as special considerations for performing an upgrade or migration.|
+
+## Related topics
+- [User State Migration Tool (USMT) How-to topics](usmt-how-to.md)
+- [User State Migration Tool (USMT) Troubleshooting](usmt-troubleshooting.md)
+- [User State Migration Toolkit (USMT) Reference](usmt-reference.md)
diff --git a/windows/deployment/usmt/usmt-troubleshooting.md b/windows/deployment/usmt/usmt-troubleshooting.md index 085f3892d2..1c629df5ec 100644 --- a/windows/deployment/usmt/usmt-troubleshooting.md +++ b/windows/deployment/usmt/usmt-troubleshooting.md @@ -1,73 +1,74 @@ ---- -title: User State Migration Tool (USMT) Troubleshooting (Windows 10) -description: User State Migration Tool (USMT) Troubleshooting -ms.assetid: 770f45bb-2284-463f-a29c-69c04f437533 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# User State Migration Tool (USMT) Troubleshooting - - -The following table describes topics that address common User State Migration Tool (USMT) 10.0 issues and questions. These topics describe tools that you can use to troubleshoot issues that arise during your migration. - -## In This Section - - - ---- - - - - - - - - - - - - - - - - - - - - - - -

      Common Issues

      Find troubleshooting solutions for common problems in USMT.

      Frequently Asked Questions

      Find answers to questions about how to use USMT.

      Log Files

      Learn how to enable logging to help you troubleshoot issues in USMT.

      Return Codes

      Learn how to use return codes to identify problems in USMT.

      USMT Resources

      Find more information and support for using USMT.

      - - - -## Related topics - - -[USMT Best Practices](usmt-best-practices.md) - -[User State Migration Tool (USMT) Overview Topics](usmt-topics.md) - -[User State Migration Tool (USMT) How-to topics](usmt-how-to.md) - -[User State Migration Toolkit (USMT) Reference](usmt-reference.md) - - - - - - - - - +--- +title: User State Migration Tool (USMT) Troubleshooting (Windows 10) +description: Learn about topics that address common User State Migration Tool (USMT) 10.0 issues and questions to assist in troubleshooting. +ms.assetid: 770f45bb-2284-463f-a29c-69c04f437533 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro +author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# User State Migration Tool (USMT) Troubleshooting + + +The following table describes topics that address common User State Migration Tool (USMT) 10.0 issues and questions. These topics describe tools that you can use to troubleshoot issues that arise during your migration. + +## In This Section + + + ++++ + + + + + + + + + + + + + + + + + + + + + + +

      Common Issues

      Find troubleshooting solutions for common problems in USMT.

      Frequently Asked Questions

      Find answers to questions about how to use USMT.

      Log Files

      Learn how to enable logging to help you troubleshoot issues in USMT.

      Return Codes

      Learn how to use return codes to identify problems in USMT.

      USMT Resources

      Find more information and support for using USMT.

      + + + +## Related topics + + +[USMT Best Practices](usmt-best-practices.md) + +[User State Migration Tool (USMT) Overview Topics](usmt-topics.md) + +[User State Migration Tool (USMT) How-to topics](usmt-how-to.md) + +[User State Migration Toolkit (USMT) Reference](usmt-reference.md) + + + + + + + + + diff --git a/windows/deployment/usmt/usmt-utilities.md b/windows/deployment/usmt/usmt-utilities.md index 4e9269a29d..d87666c8b6 100644 --- a/windows/deployment/usmt/usmt-utilities.md +++ b/windows/deployment/usmt/usmt-utilities.md 
@@ -1,351 +1,352 @@ ---- -title: UsmtUtils Syntax (Windows 10) -description: UsmtUtils Syntax -ms.assetid: cdab7f2d-dd68-4016-b9ed-41ffa743b65c -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# UsmtUtils Syntax - - -This topic describes the syntax for the utilities available in User State Migration Tool (USMT) 10.0 through the command-line interface. These utilities: - -- Improve your ability to determine cryptographic options for your migration. - -- Assist in removing hard-link stores that cannot otherwise be deleted due to a sharing lock. - -- Verify whether the catalog file or any of the other files in the compressed migration store have become corrupted. - -- Extract files from the compressed migration store when you migrate files and settings to the destination computer. - -## In This Topic - - -[Usmtutils.exe](#bkmk-usmtutils-exe) - -[Verify Options](#bkmk-verifyoptions) - -[Extract Options](#bkmk-extractoptions) - -## Usmtutils.exe - - -The following table lists command-line options for USMTutils.exe. The sections that follow provide further command-line options for the **/verify** and the **/extract** options. - -The syntax for UsmtUtils.exe is: - -usmtutils \[/ec | /rd *<storeDir>* | /verify *<filepath>* \[options\] | /extract *<filepath>* *<destinationPath>* \[options\]\] - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Command-line OptionDescription

      /ec

      Returns a list of supported cryptographic algorithms (AlgIDs) on the current system. You can use this on a destination computer to determine which algorithm to use with the /encrypt command before you run the ScanState tool on the source computer.

      /rd<storeDir>

      Removes the directory path specified by the <storeDir> argument on the computer. You can use this command to delete hard-link migration stores that cannot otherwise be deleted at a command prompt due to a sharing lock. If the migration store spans multiple volumes on a given drive, it will be deleted from all of these volumes.

      -

      For example:

      -

      usmtutils /rd D:\MyHardLinkStore

      /y

      Overrides the accept deletions prompt when used with the /rd option. When you use the /y option with the /rd option, you will not be prompted to accept the deletions before USMT deletes the directories.

      /verify

      Returns information on whether the compressed migration store is intact or whether it contains corrupted files or a corrupted catalog.

      -

      See Verify Options for syntax and options to use with /verify.

      /extract

      Recovers files from a compressed USMT migration store.

      -

      See Extract Options for syntax and options to use with /extract.

      - - - -## Verify Options - - -Use the **/verify** option when you want to determine whether a compressed migration store is intact or whether it contains corrupted files or a corrupted catalog. For more information on how to use the **/verify** option, see [Verify the Condition of a Compressed Migration Store](verify-the-condition-of-a-compressed-migration-store.md). - -The syntax for **/verify** is: - -usmtutils /verify\[:*<reportType>*\] *<filePath>* \[/l:*<logfile>*\] \[/v:*VerbosityLevel*\] \[/decrypt \[:*<AlgID>*\] {/key:*<keystring>* | /keyfile:*<filename>*}\] - - ---- - - - - - - - - - - - - - - - - - - - - - - - - -
      Command-line OptionDescription

      <reportType>

      Specifies whether to report on all files, corrupted files only, or the status of the catalog.

      -
        -
      • Summary. Returns both the number of files that are intact and the number of files that are corrupted in the migration store. If no algorithm is specified, the summary report is displayed as a default.

      • -
      • all. Returns a tab-delimited list of all of the files in the compressed migration store and the status for each file. Each line contains the file name followed by a tab spacing, and either “CORRUPTED” or “OK” depending on the status of the file. The last entry reports the corruption status of the "CATALOG" of the store. A catalog file contains metadata for all files in a migration store. The LoadState tool requires a valid catalog file in order to open the migration store. Returns "OK" if the catalog file is intact and LoadState can open the migration store and "CORRUPTED" if the migration store is corrupted.

      • -
      • failureonly. Returns a tab-delimited list of only the files that are corrupted in the compressed migration store.

      • -
      • Catalog. Returns only the status of the catalog file.

      • -
      /l: -

      <logfilePath>

      Specifies the location and name of the log file.

      /v:<VerbosityLevel>

      (Verbosity)

      -

      Enables verbose output in the UsmtUtils log file. The default value is 0.

      -

      You can set the VerbosityLevel to one of the following levels:

      - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      LevelExplanation

      0

      Only the default errors and warnings are enabled.

      1

      Enables verbose output.

      4

      Enables error and status output.

      5

      Enables verbose and status output.

      8

      Enables error output to a debugger.

      9

      Enables verbose output to a debugger.

      12

      Enables error and status output to a debugger.

      13

      Enables verbose, status, and debugger output.

      -

       

      /decrypt<AlgID>/:<KeyString>

      -

      or

      -

      /decrypt<AlgID>/:<“Key String”>

      -

      or

      -

      /decrypt:<AlgID>/keyfile:<FileName>

      Specifies that the /encrypt option was used to create the migration store with the ScanState tool. To decrypt the migration store, specify a /key or /keyfile option as follows:

      -
        -
      • <AlgID> specifies the cryptographic algorithm that was used to create the migration store on the ScanState command line. If no algorithm is specified, ScanState and UsmtUtils use the 3DES algorithm as a default.

        -

        <AlgID> valid values include: AES_128, AES_192, AES_256, 3DES, or 3DES_112.

      • -
      • /key:<KeyString> specifies the encryption key. If there is a space in <KeyString>, you must surround the argument with quotation marks.

      • -
      • /keyfile: <FileName> specifies the location and name of a text (.txt) file that contains the encryption key.

      • -
      -

      For more information about supported encryption algorithms, see Migration Store Encryption

      - - - -Some examples of **/verify** commands: - -- `usmtutils /verify D:\MyMigrationStore\store.mig` - -- `usmtutils /verify:catalog D:\MyMigrationStore\store.mig` - -- `usmtutils /verify:all D:\MyMigrationStore\store.mig /decrypt /l:D:\UsmtUtilsLog.txt` - -- `usmtutils /verify:failureonly D:\MyMigrationStore\store.mig /decrypt:AES_192 /keyfile:D:\encryptionKey.txt` - -## Extract Options - - -Use the **/extract** option to recover files from a compressed USMT migration store if it will not restore normally with loadstate. For more information on how to use the **/extract** option, see [Extract Files from a Compressed USMT Migration Store](usmt-extract-files-from-a-compressed-migration-store.md). - -The syntax for **/extract** is: - -/extract *<filePath>* *<destinationPath>* \[/i:*<includePattern>*\] \[/e: *<excludePattern>*\] \[/l: *<logfile>*\] \[/v: *VerbosityLevel>*\] \[/decrypt\[:*<AlgID>*\] {key: *<keystring>* | /keyfile: *<filename>*}\] \[/o\] - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Command-line OptionDescription

      <filePath>

      Path to the USMT migration store.

      -

      For example:

      -

      D:\MyMigrationStore\USMT\store.mig

      <destinationPath>

      Path to the folder where the tool puts the individual files.

      /i:<includePattern>

      Specifies a pattern for files to include in the extraction. You can specify more than one pattern. Separate patterns with a comma or a semicolon. You can use /i: <includePattern> and /e: <excludePattern> options in the same command. When both include and exclude patterns are used on the command line, include patterns take precedence over exclude patterns.

      /e:<excludePattern>

      Specifies a pattern for files to omit from the extraction. You can specify more than one pattern. Separate patterns with a comma or a semicolon. You can use /i: <includePattern> and /e: <excludePattern> options in the same command. When both include and exclude patterns are used on the command line, include patterns take precedence over exclude patterns.

      /l:<logfilePath>

      Specifies the location and name of the log file.

      /v:<VerbosityLevel>

      (Verbosity)

      -

      Enables verbose output in the UsmtUtils log file. The default value is 0.

      -

      You can set the VerbosityLevel to one of the following levels:

      - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      LevelExplanation

      0

      Only the default errors and warnings are enabled.

      1

      Enables verbose output.

      4

      Enables error and status output.

      5

      Enables verbose and status output.

      8

      Enables error output to a debugger.

      9

      Enables verbose output to a debugger.

      12

      Enables error and status output to a debugger.

      13

      Enables verbose, status, and debugger output.

      -

       

      /decrypt<AlgID>/key:<KeyString>

      -

      or

      -

      /decrypt<AlgID>/:<“Key String”>

      -

      or

      -

      /decrypt:<AlgID>/keyfile:<FileName>

      Specifies that the /encrypt option was used to create the migration store with the ScanState tool. To decrypt the migration store, you must also specify a /key or /keyfile option as follows:

      -
        -
      • <AlgID> specifies the cryptographic algorithm that was used to create the migration store on the ScanState command line. If no algorithm is specified, ScanState and UsmtUtils use the 3DES algorithm as a default.

        -

        <AlgID> valid values include: AES_128, AES_192, AES_256, 3DES, or 3DES_112.

      • -
      • /key: <KeyString> specifies the encryption key. If there is a space in <KeyString>, you must surround the argument with quotation marks.

      • -
      • /keyfile:<FileName> specifies a text (.txt) file that contains the encryption key

      • -
      -

      For more information about supported encryption algorithms, see Migration Store Encryption.

      /o

      Overwrites existing output files.

      - - - -Some examples of **/extract** commands: - -- `usmtutils /extract D:\MyMigrationStore\USMT\store.mig C:\ExtractedStore` - -- `usmtutils /extract D:\MyMigrationStore\USMT\store.mig /i:"*.txt, *.pdf" C:\ExtractedStore /decrypt /keyfile:D:\encryptionKey.txt` - -- `usmtutils /extract D:\MyMigrationStore\USMT\store.mig /e:*.exe C:\ExtractedStore /decrypt:AES_128 /key:password /l:C:\usmtlog.txt` - -- `usmtutils /extract D:\MyMigrationStore\USMT\store.mig /i:myProject.* /e:*.exe C:\ExtractedStore /o` - -## Related topics - - -[User State Migration Tool (USMT) Command-line Syntax](usmt-command-line-syntax.md) - -[Return Codes](usmt-return-codes.md) - - - - - - - - - +--- +title: UsmtUtils Syntax (Windows 10) +description: Learn about the syntax for the utilities available in User State Migration Tool (USMT) 10.0 through the command-line interface. +ms.assetid: cdab7f2d-dd68-4016-b9ed-41ffa743b65c +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro +author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# UsmtUtils Syntax + + +This topic describes the syntax for the utilities available in User State Migration Tool (USMT) 10.0 through the command-line interface. These utilities: + +- Improve your ability to determine cryptographic options for your migration. + +- Assist in removing hard-link stores that cannot otherwise be deleted due to a sharing lock. + +- Verify whether the catalog file or any of the other files in the compressed migration store have become corrupted. + +- Extract files from the compressed migration store when you migrate files and settings to the destination computer. + +## In This Topic + + +[Usmtutils.exe](#bkmk-usmtutils-exe) + +[Verify Options](#bkmk-verifyoptions) + +[Extract Options](#bkmk-extractoptions) + +## Usmtutils.exe + + +The following table lists command-line options for USMTutils.exe. 
The sections that follow provide further command-line options for the **/verify** and the **/extract** options. + +The syntax for UsmtUtils.exe is: + +usmtutils \[/ec | /rd *<storeDir>* | /verify *<filepath>* \[options\] | /extract *<filepath>* *<destinationPath>* \[options\]\] + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Command-line OptionDescription

      /ec

      Returns a list of supported cryptographic algorithms (AlgIDs) on the current system. You can use this on a destination computer to determine which algorithm to use with the /encrypt command before you run the ScanState tool on the source computer.

      /rd<storeDir>

      Removes the directory path specified by the <storeDir> argument on the computer. You can use this command to delete hard-link migration stores that cannot otherwise be deleted at a command prompt due to a sharing lock. If the migration store spans multiple volumes on a given drive, it will be deleted from all of these volumes.

      +

      For example:

      +

      usmtutils /rd D:\MyHardLinkStore

      /y

      Overrides the accept deletions prompt when used with the /rd option. When you use the /y option with the /rd option, you will not be prompted to accept the deletions before USMT deletes the directories.

      /verify

      Returns information on whether the compressed migration store is intact or whether it contains corrupted files or a corrupted catalog.

      +

      See Verify Options for syntax and options to use with /verify.

      /extract

      Recovers files from a compressed USMT migration store.

      +

      See Extract Options for syntax and options to use with /extract.

      + + + +## Verify Options + + +Use the **/verify** option when you want to determine whether a compressed migration store is intact or whether it contains corrupted files or a corrupted catalog. For more information on how to use the **/verify** option, see [Verify the Condition of a Compressed Migration Store](verify-the-condition-of-a-compressed-migration-store.md). + +The syntax for **/verify** is: + +usmtutils /verify\[:*<reportType>*\] *<filePath>* \[/l:*<logfile>*\] \[/v:*VerbosityLevel*\] \[/decrypt \[:*<AlgID>*\] {/key:*<keystring>* | /keyfile:*<filename>*}\] + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + +
      Command-line OptionDescription

      <reportType>

      Specifies whether to report on all files, corrupted files only, or the status of the catalog.

      +
        +
      • Summary. Returns both the number of files that are intact and the number of files that are corrupted in the migration store. If no algorithm is specified, the summary report is displayed as a default.

      • +
      • all. Returns a tab-delimited list of all of the files in the compressed migration store and the status for each file. Each line contains the file name followed by a tab spacing, and either “CORRUPTED” or “OK” depending on the status of the file. The last entry reports the corruption status of the "CATALOG" of the store. A catalog file contains metadata for all files in a migration store. The LoadState tool requires a valid catalog file in order to open the migration store. Returns "OK" if the catalog file is intact and LoadState can open the migration store and "CORRUPTED" if the migration store is corrupted.

      • +
      • failureonly. Returns a tab-delimited list of only the files that are corrupted in the compressed migration store.

      • +
      • Catalog. Returns only the status of the catalog file.

      • +
      /l: +

      <logfilePath>

      Specifies the location and name of the log file.

      /v:<VerbosityLevel>

      (Verbosity)

      +

      Enables verbose output in the UsmtUtils log file. The default value is 0.

      +

      You can set the VerbosityLevel to one of the following levels:

      + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      LevelExplanation

      0

      Only the default errors and warnings are enabled.

      1

      Enables verbose output.

      4

      Enables error and status output.

      5

      Enables verbose and status output.

      8

      Enables error output to a debugger.

      9

      Enables verbose output to a debugger.

      12

      Enables error and status output to a debugger.

      13

      Enables verbose, status, and debugger output.

      +

       

      /decrypt<AlgID>/:<KeyString>

      +

      or

      +

      /decrypt<AlgID>/:<“Key String”>

      +

      or

      +

      /decrypt:<AlgID>/keyfile:<FileName>

      Specifies that the /encrypt option was used to create the migration store with the ScanState tool. To decrypt the migration store, specify a /key or /keyfile option as follows:

      +
        +
      • <AlgID> specifies the cryptographic algorithm that was used to create the migration store on the ScanState command line. If no algorithm is specified, ScanState and UsmtUtils use the 3DES algorithm as a default.

        +

        <AlgID> valid values include: AES_128, AES_192, AES_256, 3DES, or 3DES_112.

      • +
      • /key:<KeyString> specifies the encryption key. If there is a space in <KeyString>, you must surround the argument with quotation marks.

      • +
      • /keyfile: <FileName> specifies the location and name of a text (.txt) file that contains the encryption key.

      • +
      +

      For more information about supported encryption algorithms, see Migration Store Encryption

      + + + +Some examples of **/verify** commands: + +- `usmtutils /verify D:\MyMigrationStore\store.mig` + +- `usmtutils /verify:catalog D:\MyMigrationStore\store.mig` + +- `usmtutils /verify:all D:\MyMigrationStore\store.mig /decrypt /l:D:\UsmtUtilsLog.txt` + +- `usmtutils /verify:failureonly D:\MyMigrationStore\store.mig /decrypt:AES_192 /keyfile:D:\encryptionKey.txt` + +## Extract Options + + +Use the **/extract** option to recover files from a compressed USMT migration store if it will not restore normally with loadstate. For more information on how to use the **/extract** option, see [Extract Files from a Compressed USMT Migration Store](usmt-extract-files-from-a-compressed-migration-store.md). + +The syntax for **/extract** is: + +/extract *<filePath>* *<destinationPath>* \[/i:*<includePattern>*\] \[/e: *<excludePattern>*\] \[/l: *<logfile>*\] \[/v: *VerbosityLevel>*\] \[/decrypt\[:*<AlgID>*\] {key: *<keystring>* | /keyfile: *<filename>*}\] \[/o\] + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Command-line OptionDescription

      <filePath>

      Path to the USMT migration store.

      +

      For example:

      +

      D:\MyMigrationStore\USMT\store.mig

      <destinationPath>

      Path to the folder where the tool puts the individual files.

      /i:<includePattern>

      Specifies a pattern for files to include in the extraction. You can specify more than one pattern. Separate patterns with a comma or a semicolon. You can use /i: <includePattern> and /e: <excludePattern> options in the same command. When both include and exclude patterns are used on the command line, include patterns take precedence over exclude patterns.

      /e:<excludePattern>

      Specifies a pattern for files to omit from the extraction. You can specify more than one pattern. Separate patterns with a comma or a semicolon. You can use /i: <includePattern> and /e: <excludePattern> options in the same command. When both include and exclude patterns are used on the command line, include patterns take precedence over exclude patterns.

      /l:<logfilePath>

      Specifies the location and name of the log file.

      /v:<VerbosityLevel>

      (Verbosity)

      +

      Enables verbose output in the UsmtUtils log file. The default value is 0.

      +

      You can set the VerbosityLevel to one of the following levels:

      + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      LevelExplanation

      0

      Only the default errors and warnings are enabled.

      1

      Enables verbose output.

      4

      Enables error and status output.

      5

      Enables verbose and status output.

      8

      Enables error output to a debugger.

      9

      Enables verbose output to a debugger.

      12

      Enables error and status output to a debugger.

      13

      Enables verbose, status, and debugger output.

      +

       

      /decrypt<AlgID>/key:<KeyString>

      +

      or

      +

      /decrypt<AlgID>/:<“Key String”>

      +

      or

      +

      /decrypt:<AlgID>/keyfile:<FileName>

      Specifies that the /encrypt option was used to create the migration store with the ScanState tool. To decrypt the migration store, you must also specify a /key or /keyfile option as follows:

      +
        +
      • <AlgID> specifies the cryptographic algorithm that was used to create the migration store on the ScanState command line. If no algorithm is specified, ScanState and UsmtUtils use the 3DES algorithm as a default.

        +

        <AlgID> valid values include: AES_128, AES_192, AES_256, 3DES, or 3DES_112.

      • +
      • /key: <KeyString> specifies the encryption key. If there is a space in <KeyString>, you must surround the argument with quotation marks.

      • +
      • /keyfile:<FileName> specifies a text (.txt) file that contains the encryption key

      • +
      +

      For more information about supported encryption algorithms, see Migration Store Encryption.

      /o

      Overwrites existing output files.

      + + + +Some examples of **/extract** commands: + +- `usmtutils /extract D:\MyMigrationStore\USMT\store.mig C:\ExtractedStore` + +- `usmtutils /extract D:\MyMigrationStore\USMT\store.mig /i:"*.txt, *.pdf" C:\ExtractedStore /decrypt /keyfile:D:\encryptionKey.txt` + +- `usmtutils /extract D:\MyMigrationStore\USMT\store.mig /e:*.exe C:\ExtractedStore /decrypt:AES_128 /key:password /l:C:\usmtlog.txt` + +- `usmtutils /extract D:\MyMigrationStore\USMT\store.mig /i:myProject.* /e:*.exe C:\ExtractedStore /o` + +## Related topics + + +[User State Migration Tool (USMT) Command-line Syntax](usmt-command-line-syntax.md) + +[Return Codes](usmt-return-codes.md) + + + + + + + + + diff --git a/windows/deployment/usmt/usmt-what-does-usmt-migrate.md b/windows/deployment/usmt/usmt-what-does-usmt-migrate.md index 4fc36c33bc..2152530861 100644 --- a/windows/deployment/usmt/usmt-what-does-usmt-migrate.md +++ b/windows/deployment/usmt/usmt-what-does-usmt-migrate.md 
@@ -1,429 +1,430 @@ ---- -title: What does USMT migrate (Windows 10) -description: What does USMT migrate -ms.assetid: f613987d-0f17-43fe-9717-6465865ceda7 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.date: 09/12/2017 -ms.topic: article ---- - -# What does USMT migrate? - - -## In this topic - - -- [Default migration scripts](#bkmk-defaultmigscripts) - -- [User Data](#bkmk-3) - -- [Operating-system components](#bkmk-4) - -- [Supported applications](#bkmk-2) - -- [What USMT does not migrate](#no) - -## Default migration scripts - - -The User State Migration Tool (USMT) 10.0 is designed so that an IT engineer can precisely define migrations using the USMT .xml scripting language. USMT provides the following sample scripts: - -- **MigApp.XML.** Rules to migrate application settings. - -- **MigDocs.XML.** Rules that use the **MigXmlHelper.GenerateDocPatterns** helper function, which can be used to automatically find user documents on a computer without the need to author extensive custom migration .xml files. - -- **MigUser.XML.** Rules to migrate user profiles and user data. - - MigUser.xml gathers everything in a user’s profile and then does a file extension- based search of most of the system for other user data. If data doesn’t match either of these criteria, the data won’t be migrated. For the most part, this file describes a "core" migration. - - The following data does not migrate with MigUser.xml: - - - Files outside the user profile that don’t match one of the file extensions in MigUser.xml. - - - Access control lists (ACLs) for folders outside the user profile. - -## User data - - -This section describes the user data that USMT migrates by default, using the MigUser.xml file. It also defines how to migrate ACLs. 
- -- **Folders from each user profile.** When you specify the MigUser.xml file, USMT migrates everything in a user’s profiles including the following: - - My Documents, My Video, My Music, My Pictures, desktop files, Start menu, Quick Launch settings, and Favorites. - - >[!IMPORTANT] - >Starting in Windows 10, version 1607 the USMT does not migrate the Start menu layout. To migrate a user's Start menu, you must export and then import settings using the Windows PowerShell cmdlets **Export-StartLayout** and **Import-StartLayout**. For more information, see [USMT common issues](https://docs.microsoft.com/windows/deployment/usmt/usmt-common-issues#usmt-does-not-migrate-the-start-layout). - -- **Folders from the All Users and Public profiles.** When you specify the MigUser.xml file, USMT also migrates the following from the **All Users** profile in Windows® XP, or the **Public** profile in Windows Vista, Windows 7, or Windows 8: - - - Shared Documents - - - Shared Video - - - Shared Music - - - Shared desktop files - - - Shared Pictures - - - Shared Start menu - - - Shared Favorites - -- **File types.** When you specify the MigUser.xml file, the ScanState tool searches the fixed drives, collects and then migrates files with any of the following file extensions: - - **.accdb, .ch3, .csv, .dif, .doc\*, .dot\*, .dqy, .iqy, .mcw, .mdb\*, .mpp, .one\*, .oqy, .or6, .pot\*, .ppa, .pps\*, .ppt\*, .pre, .pst, .pub, .qdf, .qel, .qph, .qsd, .rqy, .rtf, .scd, .sh3, .slk, .txt, .vl\*, .vsd, .wk\*, .wpd, .wps, .wq1, .wri, .xl\*, .xla, .xlb, .xls\*.** - - **Note**   - The asterisk (\*) stands for zero or more characters. - - - -- **Access control lists.** USMT migrates ACLs for specified files and folders from computers running both Windows® XP and Windows Vista. For example, if you migrate a file named File1.txt that is read-only for User1 and read/write for User2, these settings will still apply on the destination computer after the migration. 
- -**Important**   -To migrate ACLs, you must specify the directory to migrate in the MigUser.xml file. Using file patterns like \*.doc will not migrate a directory. The source ACL information is migrated only when you explicitly specify the directory. For example, `c:\test docs`. - - - -## Operating-system components - - -USMT migrates operating-system components to a destination computer from computers running Windows 7 and Windows 8 - -The following components are migrated by default using the manifest files: - -- Accessibility settings - -- Address book - -- Command-prompt settings - -- \*Desktop wallpaper - -- EFS files - -- Favorites - -- Folder options - -- Fonts - -- Group membership. USMT migrates users’ group settings. The groups to which a user belongs can be found by right-clicking **My Computer** on the Start menu and then clicking **Manage**. When running an offline migration, the use of a **<ProfileControl>** section in the Config.xml file is required. - -- \*Windows Internet Explorer® settings - -- Microsoft® Open Database Connectivity (ODBC) settings - -- Mouse and keyboard settings - -- Network drive mapping - -- \*Network printer mapping - -- \*Offline files - -- \*Phone and modem options - -- RAS connection and phone book (.pbk) files - -- \*Regional settings - -- Remote Access - -- \*Taskbar settings - -- User personal certificates (all) - -- Windows Mail. - -- \*Windows Media Player - -- Windows Rights Management - -\* These settings are not available for an offline migration. For more information, see [Offline Migration Reference](offline-migration-reference.md). - -**Important**   -This list may not be complete. There may be additional components that are migrated. - - - -**Note**   -Some settings, such as fonts, are not applied by the LoadState tool until after the destination computer has been restarted. For this reason, restart the destination computer after you run the LoadState tool. 
- - - -## Supported applications - - -Although it is not required for all applications, it is good practice to install all applications on the destination computer before restoring the user state. Installing applications before migrating settings helps to ensure that the migrated settings are not overwritten by the application installers. - -**Note**   -The versions of installed applications must match on the source and destination computers. USMT does not support migrating the settings of an earlier version of an application to a later version, except for Microsoft Office. - - - -**Note**   -USMT migrates only the settings that have been used or modified by the user. If there is an application setting on the source computer that was not touched by the user, the setting may not migrate. - - - -When you specify the MigApp.xml file, USMT migrates the settings for the following applications: - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      ProductVersion

      Adobe Acrobat Reader

      9

      AOL Instant Messenger

      6.8

      Adobe Creative Suite

      2

      Adobe Photoshop CS

      8, 9

      Adobe ImageReady CS

      Apple iTunes

      6, 7, 8

      Apple QuickTime Player

      5, 6, 7

      Apple Safari

      3.1.2

      Google Chrome

      beta

      Google Picasa

      3

      Google Talk

      beta

      IBM Lotus 1-2-3

      9

      IBM Lotus Notes

      6,7, 8

      IBM Lotus Organizer

      5

      IBM Lotus WordPro

      9.9

      Intuit Quicken Deluxe

      2009

      Money Plus Business

      2008

      Money Plus Home

      2008

      Mozilla Firefox

      3

      Microsoft Office

      2003, 2007, 2010

      Microsoft Office Access®

      2003, 2007, 2010

      Microsoft Office Excel®

      2003, 2007, 2010

      Microsoft Office FrontPage®

      2003, 2007, 2010

      Microsoft Office OneNote®

      2003, 2007, 2010

      Microsoft Office Outlook®

      2003, 2007, 2010

      Microsoft Office PowerPoint®

      2003, 2007, 2010

      Microsoft Office Publisher

      2003, 2007, 2010

      Microsoft Office Word

      2003, 2007, 2010

      Opera Software Opera

      9.5

      Microsoft Outlook Express

      (only mailbox file)

      Microsoft Project

      2003, 2007

      Microsoft Office Visio®

      2003, 2007

      RealPlayer Basic

      11

      Sage Peachtree

      2009

      Skype

      3.8

      Windows Live Mail

      12, 14

      Windows Live Messenger

      8.5, 14

      Windows Live MovieMaker

      14

      Windows Live Photo Gallery

      12, 14

      Windows Live Writer

      12, 14

      Windows Mail

      (Windows 7 and 8)

      Microsoft Works

      9

      Yahoo Messenger

      9

      Microsoft Zune™ Software

      3

      - - - -## What USMT does not migrate - - -The following is a list of the settings that USMT does not migrate. If you are having a problem that is not listed here, see [Common Issues](usmt-common-issues.md). - -### Application settings - -USMT does not migrate the following application settings: - -- Settings from earlier versions of an application. The versions of each application must match on the source and destination computers. USMT does not support migrating the settings of an earlier version of an application to a later version, except for Microsoft Office. USMT can migrate from an earlier version of Microsoft Office to a later version. - -- Application settings and some operating-system settings when a local account is created. For example, if you run /lac to create a local account on the destination computer, USMT will migrate the user data, but only some of the operating-system settings, such as wallpaper and screensaver settings, and no application settings will migrate. - -- Microsoft Project settings, when migrating from Office 2003 to Office 2007 system. - -- ICQ Pro settings, if ICQ Pro is installed in a different location on the destination computer. To successfully migrate the settings of ICQ Pro, you must install ICQ Pro in the same location on the destination computer as it was on the source computer. Otherwise, after you run the LoadState tool, the application will not start. You may encounter problems when: - - - You change the default installation location on 32-bit destination computers. - - - You attempt to migrate from a 32-bit computer to a 64-bit computer. This is because the ICQ Pro default installation directory is different on the two types of computers. When you install ICQ Pro on a 32-bit computer, the default location is "C:\\Program Files\\...". The ICQ Pro default installation directory on an x64-based computer, however, is “C:\\Program Files (x86)\\...”. 
- -### Operating-System settings - -USMT does not migrate the following operating-system settings. - -- Local printers, hardware-related settings, drivers, passwords, application binary files, synchronization files, DLL files, or other executable files. - -- Permissions for shared folders. After migration, you must manually re-share any folders that were shared on the source computer. - -- Files and settings migrating between operating systems with different languages. The operating system of the source computer must match the language of the operating system on the destination computer. - -- Customized icons for shortcuts may not migrate. - -- Taskbar settings, when the source computer is running Windows XP. - -You should also note the following: - -- You should run USMT from an account with administrative credentials. Otherwise, some data will not migrate. When running the ScanState and LoadState tools you must run the tools in Administrator mode from an account with administrative credentials. If you do not run USMT in Administrator mode, only the user profile that is logged on will be included in the migration. In addition, you must run the ScanState tool on Windows XP from an account with administrative credentials. Otherwise, some operating-system settings will not migrate. To run in Administrator mode, click **Start**, click **All Programs**, click **Accessories**, right-click **Command Prompt**, and then click **Run as administrator**. - -- You can use the /**localonly** option to exclude the data from removable drives and network drives mapped on the source computer. For more information about what is excluded when you specify /**localonly**, see [ScanState Syntax](usmt-scanstate-syntax.md). - -### Start menu layout - -Starting in Windows 10, version 1607 the USMT does not migrate the Start menu layout. 
To migrate a user's Start menu, you must export and then import settings using the Windows PowerShell cmdlets **Export-StartLayout** and **Import-StartLayout**. For more information, see [USMT common issues](https://docs.microsoft.com/windows/deployment/usmt/usmt-common-issues#usmt-does-not-migrate-the-start-layout). - -## Related topics - - -[Plan your migration](usmt-plan-your-migration.md) - - - - - - - - - +--- +title: What does USMT migrate (Windows 10) +description: Learn how User State Migration Tool (USMT) 10.0 is designed so that an IT engineer can precisely define migrations using the USMT .xml scripting language. +ms.assetid: f613987d-0f17-43fe-9717-6465865ceda7 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro +author: greg-lindsay +ms.date: 09/12/2017 +ms.topic: article +--- + +# What does USMT migrate? + + +## In this topic + + +- [Default migration scripts](#bkmk-defaultmigscripts) + +- [User Data](#bkmk-3) + +- [Operating-system components](#bkmk-4) + +- [Supported applications](#bkmk-2) + +- [What USMT does not migrate](#no) + +## Default migration scripts + + +The User State Migration Tool (USMT) 10.0 is designed so that an IT engineer can precisely define migrations using the USMT .xml scripting language. USMT provides the following sample scripts: + +- **MigApp.XML.** Rules to migrate application settings. + +- **MigDocs.XML.** Rules that use the **MigXmlHelper.GenerateDocPatterns** helper function, which can be used to automatically find user documents on a computer without the need to author extensive custom migration .xml files. + +- **MigUser.XML.** Rules to migrate user profiles and user data. + + MigUser.xml gathers everything in a user’s profile and then does a file extension- based search of most of the system for other user data. If data doesn’t match either of these criteria, the data won’t be migrated. 
For the most part, this file describes a "core" migration. + + The following data does not migrate with MigUser.xml: + + - Files outside the user profile that don’t match one of the file extensions in MigUser.xml. + + - Access control lists (ACLs) for folders outside the user profile. + +## User data + + +This section describes the user data that USMT migrates by default, using the MigUser.xml file. It also defines how to migrate ACLs. + +- **Folders from each user profile.** When you specify the MigUser.xml file, USMT migrates everything in a user’s profiles including the following: + + My Documents, My Video, My Music, My Pictures, desktop files, Start menu, Quick Launch settings, and Favorites. + + >[!IMPORTANT] + >Starting in Windows 10, version 1607 the USMT does not migrate the Start menu layout. To migrate a user's Start menu, you must export and then import settings using the Windows PowerShell cmdlets **Export-StartLayout** and **Import-StartLayout**. For more information, see [USMT common issues](https://docs.microsoft.com/windows/deployment/usmt/usmt-common-issues#usmt-does-not-migrate-the-start-layout). 
+ +- **Folders from the All Users and Public profiles.** When you specify the MigUser.xml file, USMT also migrates the following from the **All Users** profile in Windows® XP, or the **Public** profile in Windows Vista, Windows 7, or Windows 8: + + - Shared Documents + + - Shared Video + + - Shared Music + + - Shared desktop files + + - Shared Pictures + + - Shared Start menu + + - Shared Favorites + +- **File types.** When you specify the MigUser.xml file, the ScanState tool searches the fixed drives, collects and then migrates files with any of the following file extensions: + + **.accdb, .ch3, .csv, .dif, .doc\*, .dot\*, .dqy, .iqy, .mcw, .mdb\*, .mpp, .one\*, .oqy, .or6, .pot\*, .ppa, .pps\*, .ppt\*, .pre, .pst, .pub, .qdf, .qel, .qph, .qsd, .rqy, .rtf, .scd, .sh3, .slk, .txt, .vl\*, .vsd, .wk\*, .wpd, .wps, .wq1, .wri, .xl\*, .xla, .xlb, .xls\*.** + + **Note**   + The asterisk (\*) stands for zero or more characters. + + + +- **Access control lists.** USMT migrates ACLs for specified files and folders from computers running both Windows® XP and Windows Vista. For example, if you migrate a file named File1.txt that is read-only for User1 and read/write for User2, these settings will still apply on the destination computer after the migration. + +**Important**   +To migrate ACLs, you must specify the directory to migrate in the MigUser.xml file. Using file patterns like \*.doc will not migrate a directory. The source ACL information is migrated only when you explicitly specify the directory. For example, `c:\test docs`. + + + +## Operating-system components + + +USMT migrates operating-system components to a destination computer from computers running Windows 7 and Windows 8 + +The following components are migrated by default using the manifest files: + +- Accessibility settings + +- Address book + +- Command-prompt settings + +- \*Desktop wallpaper + +- EFS files + +- Favorites + +- Folder options + +- Fonts + +- Group membership. 
USMT migrates users’ group settings. The groups to which a user belongs can be found by right-clicking **My Computer** on the Start menu and then clicking **Manage**. When running an offline migration, the use of a **<ProfileControl>** section in the Config.xml file is required. + +- \*Windows Internet Explorer® settings + +- Microsoft® Open Database Connectivity (ODBC) settings + +- Mouse and keyboard settings + +- Network drive mapping + +- \*Network printer mapping + +- \*Offline files + +- \*Phone and modem options + +- RAS connection and phone book (.pbk) files + +- \*Regional settings + +- Remote Access + +- \*Taskbar settings + +- User personal certificates (all) + +- Windows Mail. + +- \*Windows Media Player + +- Windows Rights Management + +\* These settings are not available for an offline migration. For more information, see [Offline Migration Reference](offline-migration-reference.md). + +**Important**   +This list may not be complete. There may be additional components that are migrated. + + + +**Note**   +Some settings, such as fonts, are not applied by the LoadState tool until after the destination computer has been restarted. For this reason, restart the destination computer after you run the LoadState tool. + + + +## Supported applications + + +Although it is not required for all applications, it is good practice to install all applications on the destination computer before restoring the user state. Installing applications before migrating settings helps to ensure that the migrated settings are not overwritten by the application installers. + +**Note**   +The versions of installed applications must match on the source and destination computers. USMT does not support migrating the settings of an earlier version of an application to a later version, except for Microsoft Office. + + + +**Note**   +USMT migrates only the settings that have been used or modified by the user. 
If there is an application setting on the source computer that was not touched by the user, the setting may not migrate. + + + +When you specify the MigApp.xml file, USMT migrates the settings for the following applications: + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      ProductVersion

      Adobe Acrobat Reader

      9

      AOL Instant Messenger

      6.8

      Adobe Creative Suite

      2

      Adobe Photoshop CS

      8, 9

      Adobe ImageReady CS

      Apple iTunes

      6, 7, 8

      Apple QuickTime Player

      5, 6, 7

      Apple Safari

      3.1.2

      Google Chrome

      beta

      Google Picasa

      3

      Google Talk

      beta

      IBM Lotus 1-2-3

      9

      IBM Lotus Notes

      6,7, 8

      IBM Lotus Organizer

      5

      IBM Lotus WordPro

      9.9

      Intuit Quicken Deluxe

      2009

      Money Plus Business

      2008

      Money Plus Home

      2008

      Mozilla Firefox

      3

      Microsoft Office

      2003, 2007, 2010

      Microsoft Office Access®

      2003, 2007, 2010

      Microsoft Office Excel®

      2003, 2007, 2010

      Microsoft Office FrontPage®

      2003, 2007, 2010

      Microsoft Office OneNote®

      2003, 2007, 2010

      Microsoft Office Outlook®

      2003, 2007, 2010

      Microsoft Office PowerPoint®

      2003, 2007, 2010

      Microsoft Office Publisher

      2003, 2007, 2010

      Microsoft Office Word

      2003, 2007, 2010

      Opera Software Opera

      9.5

      Microsoft Outlook Express

      (only mailbox file)

      Microsoft Project

      2003, 2007

      Microsoft Office Visio®

      2003, 2007

      RealPlayer Basic

      11

      Sage Peachtree

      2009

      Skype

      3.8

      Windows Live Mail

      12, 14

      Windows Live Messenger

      8.5, 14

      Windows Live MovieMaker

      14

      Windows Live Photo Gallery

      12, 14

      Windows Live Writer

      12, 14

      Windows Mail

      (Windows 7 and 8)

      Microsoft Works

      9

      Yahoo Messenger

      9

      Microsoft Zune™ Software

      3

      + + + +## What USMT does not migrate + + +The following is a list of the settings that USMT does not migrate. If you are having a problem that is not listed here, see [Common Issues](usmt-common-issues.md). + +### Application settings + +USMT does not migrate the following application settings: + +- Settings from earlier versions of an application. The versions of each application must match on the source and destination computers. USMT does not support migrating the settings of an earlier version of an application to a later version, except for Microsoft Office. USMT can migrate from an earlier version of Microsoft Office to a later version. + +- Application settings and some operating-system settings when a local account is created. For example, if you run /lac to create a local account on the destination computer, USMT will migrate the user data, but only some of the operating-system settings, such as wallpaper and screensaver settings, and no application settings will migrate. + +- Microsoft Project settings, when migrating from Office 2003 to Office 2007 system. + +- ICQ Pro settings, if ICQ Pro is installed in a different location on the destination computer. To successfully migrate the settings of ICQ Pro, you must install ICQ Pro in the same location on the destination computer as it was on the source computer. Otherwise, after you run the LoadState tool, the application will not start. You may encounter problems when: + + - You change the default installation location on 32-bit destination computers. + + - You attempt to migrate from a 32-bit computer to a 64-bit computer. This is because the ICQ Pro default installation directory is different on the two types of computers. When you install ICQ Pro on a 32-bit computer, the default location is "C:\\Program Files\\...". The ICQ Pro default installation directory on an x64-based computer, however, is “C:\\Program Files (x86)\\...”. 
+ +### Operating-System settings + +USMT does not migrate the following operating-system settings. + +- Local printers, hardware-related settings, drivers, passwords, application binary files, synchronization files, DLL files, or other executable files. + +- Permissions for shared folders. After migration, you must manually re-share any folders that were shared on the source computer. + +- Files and settings migrating between operating systems with different languages. The operating system of the source computer must match the language of the operating system on the destination computer. + +- Customized icons for shortcuts may not migrate. + +- Taskbar settings, when the source computer is running Windows XP. + +You should also note the following: + +- You should run USMT from an account with administrative credentials. Otherwise, some data will not migrate. When running the ScanState and LoadState tools you must run the tools in Administrator mode from an account with administrative credentials. If you do not run USMT in Administrator mode, only the user profile that is logged on will be included in the migration. In addition, you must run the ScanState tool on Windows XP from an account with administrative credentials. Otherwise, some operating-system settings will not migrate. To run in Administrator mode, click **Start**, click **All Programs**, click **Accessories**, right-click **Command Prompt**, and then click **Run as administrator**. + +- You can use the /**localonly** option to exclude the data from removable drives and network drives mapped on the source computer. For more information about what is excluded when you specify /**localonly**, see [ScanState Syntax](usmt-scanstate-syntax.md). + +### Start menu layout + +Starting in Windows 10, version 1607 the USMT does not migrate the Start menu layout. 
To migrate a user's Start menu, you must export and then import settings using the Windows PowerShell cmdlets **Export-StartLayout** and **Import-StartLayout**. For more information, see [USMT common issues](https://docs.microsoft.com/windows/deployment/usmt/usmt-common-issues#usmt-does-not-migrate-the-start-layout).
+
+## Related topics
+
+
+[Plan your migration](usmt-plan-your-migration.md)
+
+
+
+
+
+
+
+
+
diff --git a/windows/deployment/usmt/usmt-xml-elements-library.md b/windows/deployment/usmt/usmt-xml-elements-library.md
index bfbd4e2c61..c05b8c1535 100644
--- a/windows/deployment/usmt/usmt-xml-elements-library.md
+++ b/windows/deployment/usmt/usmt-xml-elements-library.md
@@ -1,6 +1,6 @@
 ---
 title: XML Elements Library (Windows 10)
-description: XML Elements Library
+description: Learn about the XML elements and helper functions that you can employ to author migration .xml files to use with User State Migration Tool (USMT).
 ms.assetid: f5af0f6d-c3bf-4a4c-a0ca-9db7985f954f
 ms.reviewer:
 manager: laurawi
diff --git a/windows/deployment/usmt/usmt-xml-reference.md b/windows/deployment/usmt/usmt-xml-reference.md
index ba0467192f..ec943180e6 100644
--- a/windows/deployment/usmt/usmt-xml-reference.md
+++ b/windows/deployment/usmt/usmt-xml-reference.md
@@ -1,6 +1,6 @@
 ---
 title: USMT XML Reference (Windows 10)
-description: Work with and customize the migration XML files using USMT XML Reference for Windows 10.
+description: Learn about working with and customizing the migration XML files using User State Migration Tool (USMT) XML Reference for Windows 10.
 ms.assetid: fb946975-0fee-4ec0-b3ef-7c34945ee96f
 ms.reviewer:
 manager: laurawi
diff --git a/windows/deployment/usmt/xml-file-requirements.md b/windows/deployment/usmt/xml-file-requirements.md
index aeae8b54ae..f5afeaa069 100644
--- a/windows/deployment/usmt/xml-file-requirements.md
+++ b/windows/deployment/usmt/xml-file-requirements.md
@@ -1,6 +1,6 @@
 ---
 title: XML File Requirements (Windows 10)
-description: XML File Requirements
+description: Learn about the XML file requirements for creating custom .xml files, like the file must be in UTF-8 and have a unique migration urlid.
 ms.assetid: 4b567b50-c50a-4a4f-8684-151fe3f8275f
 ms.reviewer:
 manager: laurawi
diff --git a/windows/deployment/vda-subscription-activation.md b/windows/deployment/vda-subscription-activation.md
index 62a9dc2999..5b4f53e98a 100644
--- a/windows/deployment/vda-subscription-activation.md
+++ b/windows/deployment/vda-subscription-activation.md
@@ -3,8 +3,9 @@ title: Configure VDA for Windows 10 Subscription Activation
 ms.reviewer:
 manager: laurawi
 ms.audience: itpro
+ms.author: greglin
 author: greg-lindsay
-description: How to enable Windows 10 Enterprise E3 and E5 subscriptions for VDA
+description: Learn how to configure virtual machines (VMs) to enable Windows 10 Subscription Activation in a Windows Virtual Desktop Access (VDA) scenario.
 keywords: upgrade, update, task sequence, deploy
 ms.prod: w10
 ms.mktglfcycl: deploy
@@ -12,7 +13,6 @@ ms.localizationpriority: medium
 ms.sitesec: library
 ms.pagetype: mdt
 audience: itpro
-author: greg-lindsay
 ms.topic: article
 ms.collection: M365-modern-desktop
 ---
diff --git a/windows/deployment/volume-activation/activate-forest-by-proxy-vamt.md b/windows/deployment/volume-activation/activate-forest-by-proxy-vamt.md
index cd12f07346..5e20b62132 100644
--- a/windows/deployment/volume-activation/activate-forest-by-proxy-vamt.md
+++ b/windows/deployment/volume-activation/activate-forest-by-proxy-vamt.md
@@ -1,6 +1,6 @@
 ---
 title: Activate by Proxy an Active Directory Forest (Windows 10)
-description: Activate by Proxy an Active Directory Forest
+description: Learn how to use the Volume Activation Management Tool (VAMT) Active Directory-Based Activation (ADBA) function to activate by proxy an Active Directory (AD) forest.
 ms.assetid: 6475fc87-a6f7-4fa8-b0aa-de19f2dea7e5
 ms.reviewer:
 manager: laurawi
diff --git a/windows/deployment/volume-activation/activate-forest-vamt.md b/windows/deployment/volume-activation/activate-forest-vamt.md
index 06362064ff..007c3a0ae3 100644
--- a/windows/deployment/volume-activation/activate-forest-vamt.md
+++ b/windows/deployment/volume-activation/activate-forest-vamt.md
@@ -1,50 +1,51 @@ ---- -title: Activate an Active Directory Forest Online (Windows 10) -description: Activate an Active Directory Forest Online -ms.assetid: 9b5bc193-799b-4aa5-9d3e-0e495f7195d3 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: activation -audience: itpro author: greg-lindsay -ms.date: 04/25/2017 -ms.topic: article ---- - -# Activate an Active Directory Forest Online - -You can use the Volume Activation Management Tool (VAMT) Active Directory-Based Activation (ADBA) function to activate an Active Directory (AD) forest over the Internet. ADBA enables certain products to inherit activation from the domain. - -**Important**   -ADBA is only applicable to Generic Volume License Keys (GVLKs) and KMS Host keys (CSVLKs). To use ADBA, one or more KMS Host keys (CSVLKs) must be installed on the AD forest, and client keys (GVLKs) must be installed on the client products. - -## Requirements - -Before performing online activation, ensure that the network and the VAMT installation meet the following requirements: -- VAMT is installed on a host computer that has Internet access. -- VAMT has administrative permissions to the Active Directory domain. -- The KMS Host key (CSVLK) you intend to use is added to VAMT in the **Product Keys** node. - -**To perform an online Active Directory forest activation** - -1. Open VAMT. -2. In the left-side pane, click the **Active Directory-Based Activation** node. -3. In the right-side **Actions** pane, click **Online activate forest** to open the **Install Product Key** dialog box. -4. In the **Install Product Key** dialog box, select the KMS Host key (CSVLK) that you want to apply to the AD forest. -5. If required, enter a new Active Directory-Based Activation Object name - - **Important**   - If you want to rename the ADBA object, you must do it now. After you click **Install Key**, the name cannot be changed. - -6. Click **Install Key**. -7. 
VAMT displays the **Activating Active Directory** dialog box until it completes the requested action. - -The activated object and the date that is was created appear in the **Active Directory-Based Activation** node in the center pane. - -## Related topics - -- [Scenario 1: Online Activation](scenario-online-activation-vamt.md) -- [Add and Remove Computers](add-remove-computers-vamt.md) +--- +title: Activate an Active Directory Forest Online (Windows 10) +description: Use the Volume Activation Management Tool (VAMT) Active Directory-Based Activation (ADBA) function to activate an Active Directory (AD) forest online. +ms.assetid: 9b5bc193-799b-4aa5-9d3e-0e495f7195d3 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: activation +audience: itpro +author: greg-lindsay +ms.date: 04/25/2017 +ms.topic: article +--- + +# Activate an Active Directory Forest Online + +You can use the Volume Activation Management Tool (VAMT) Active Directory-Based Activation (ADBA) function to activate an Active Directory (AD) forest over the Internet. ADBA enables certain products to inherit activation from the domain. + +**Important**   +ADBA is only applicable to Generic Volume License Keys (GVLKs) and KMS Host keys (CSVLKs). To use ADBA, one or more KMS Host keys (CSVLKs) must be installed on the AD forest, and client keys (GVLKs) must be installed on the client products. + +## Requirements + +Before performing online activation, ensure that the network and the VAMT installation meet the following requirements: +- VAMT is installed on a host computer that has Internet access. +- VAMT has administrative permissions to the Active Directory domain. +- The KMS Host key (CSVLK) you intend to use is added to VAMT in the **Product Keys** node. + +**To perform an online Active Directory forest activation** + +1. Open VAMT. +2. In the left-side pane, click the **Active Directory-Based Activation** node. +3. 
In the right-side **Actions** pane, click **Online activate forest** to open the **Install Product Key** dialog box. +4. In the **Install Product Key** dialog box, select the KMS Host key (CSVLK) that you want to apply to the AD forest. +5. If required, enter a new Active Directory-Based Activation Object name + + **Important**   + If you want to rename the ADBA object, you must do it now. After you click **Install Key**, the name cannot be changed. + +6. Click **Install Key**. +7. VAMT displays the **Activating Active Directory** dialog box until it completes the requested action. + +The activated object and the date that is was created appear in the **Active Directory-Based Activation** node in the center pane. + +## Related topics + +- [Scenario 1: Online Activation](scenario-online-activation-vamt.md) +- [Add and Remove Computers](add-remove-computers-vamt.md) diff --git a/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md b/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md index f2d59868c4..68924c83f3 100644 --- a/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md +++ b/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md @@ -4,7 +4,7 @@ ms.assetid: f2417bfe-7d25-4e82-bc07-de316caa8dac ms.reviewer: manager: laurawi ms.author: greglin -description: +description: How to activate using Key Management Service in Windows 10. keywords: vamt, volume activation, activation, windows activation ms.prod: w10 ms.mktglfcycl: deploy 
@@ -45,14 +45,16 @@ Installing a KMS host key on a computer running Windows 10 allows you to activa Clients locate the KMS server by using resource records in DNS, so some configuration of DNS may be required. This scenario can be beneficial if your organization uses volume activation for clients and MAK-based activation for a smaller number of servers. To enable KMS functionality, a KMS key is installed on a KMS host; then, the host is activated over the Internet or by phone using Microsoft’s activation services. -**Configure KMS in Windows 10** +**Configure KMS in Windows 10** -To activate by using the telephone, use the slmgr.vbs script. - -1. Run **slmgr.vbs /dti** and confirm the installation ID. -2. Call [Microsoft Licensing Activation Centers worldwide telephone numbers](https://www.microsoft.com/licensing/existing-customer/activation-centers) and follow the voice prompts to enter the installation ID that you obtained in step 1 on your telephone. -3. Follow the voice prompts and write down the responded 48-digit confirmation ID for OS activation. -4. Run **slmgr.vbs /atp \**. +To activate , use the slmgr.vbs command. Open an elevated command prompt and run one of the following commands: +- To install the KMS key, type `slmgr.vbs /ipk `. +- To activate online, type `slmgr.vbs /ato`. +- To activate by telephone , follow these steps: + 1. Run `slmgr.vbs /dti` and confirm the installation ID. + 2. Call [Microsoft Licensing Activation Centers worldwide telephone numbers](https://www.microsoft.com/licensing/existing-customer/activation-centers) and follow the voice prompts to enter the installation ID that you obtained in step 1 on your telephone. + 3. Follow the voice prompts and write down the responded 48-digit confirmation ID for OS activation. + 4. Run `slmgr.vbs /atp \`. For more information, see the information for Windows 7 in [Deploy KMS Activation](https://go.microsoft.com/fwlink/p/?LinkId=717032). 
diff --git a/windows/deployment/volume-activation/activate-windows-10-clients-vamt.md b/windows/deployment/volume-activation/activate-windows-10-clients-vamt.md index 0664a272c5..b88d65def4 100644 --- a/windows/deployment/volume-activation/activate-windows-10-clients-vamt.md +++ b/windows/deployment/volume-activation/activate-windows-10-clients-vamt.md 
@@ -1,127 +1,128 @@ ---- -title: Activate clients running Windows 10 (Windows 10) -description: After you have configured Key Management Service (KMS) or Active Directory-based activation on your network, activating a client running Windows 10 is easy. -ms.assetid: 39446e49-ad7c-48dc-9f18-f85a11ded643 -ms.reviewer: -manager: laurawi -ms.author: greglin -keywords: vamt, volume activation, activation, windows activation -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: activation -audience: itpro author: greg-lindsay -ms.localizationpriority: medium -ms.date: 07/27/2017 -ms.topic: article ---- - -# Activate clients running Windows 10 - -**Applies to** -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 R2 -- Windows Server 2012 -- Windows Server 2008 R2 - -**Looking for retail activation?** - -- [Get Help Activating Microsoft Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644) - -After you have configured Key Management Service (KMS) or Active Directory-based activation on your network, activating a client running Windows 10 is easy. If the computer has been configured with a Generic Volume License Key (GVLK), neither IT nor the user need take any action. It just works. -Enterprise edition images and installation media should already be configured with the GVLK. When the client computer starts, the Licensing service examines the current licensing condition of the computer. -If activation or reactivation is required, the following sequence occurs: -1. If the computer is a member of a domain, it asks a domain controller for a volume activation object. If Active Directory-based activation is configured, the domain controller returns the object. 
If the object matches the edition of the software that is installed and the computer has a matching GVLK, the computer is activated (or reactivated), and it will not need to be activated again for 180 days, although the operating system will attempt reactivation at much shorter, regular intervals. -2. If the computer is not a member of a domain or if the volume activation object is not available, the computer will issue a DNS query to attempt to locate a KMS server. If a KMS server can be contacted, activation occurs if the KMS has a key that matches the computer’s GVLK. -3. The computer tries to activate against Microsoft servers if it is configured with a MAK. - -If the client is not able to activate itself successfully, it will periodically try again. The frequency of the retry attempts depends on the current licensing state and whether the client computer has been successfully activated in the past. For example, if the client computer had been previously activated by Active Directory-based activation, it will periodically try to contact the domain controller at each restart. - -## How Key Management Service works - -KMS uses a client–server topology. KMS client computers can locate KMS host computers by using DNS or a static configuration. KMS clients contact the KMS host by using RPCs carried over TCP/IP. - -### Key Management Service activation thresholds - -You can activate physical computers and virtual machines by contacting a KMS host. To qualify for KMS activation, there must be a minimum number of qualifying computers (called the activation threshold). KMS clients will be activated only after this threshold has been met. Each KMS host counts the number of computers that have requested activation until the threshold is met. - -A KMS host responds to each valid activation request from a KMS client with the count of how many computers have already contacted the KMS host for activation. 
Client computers that receive a count below the activation threshold are not activated. For example, if the first two computers that contact the KMS host are running Windows 10, the first receives an activation count of 1, and the second receives an activation count of 2. If the next computer is a virtual machine on a computer running Windows 10, it receives an activation count of 3, and so on. None of these computers will be activated, because computers running Windows 10, like other client operating system versions, must receive an activation count of 25 or more. -When KMS clients are waiting for the KMS to reach the activation threshold, they will connect to the KMS host every two hours to get the current activation count. They will be activated when the threshold is met. - -In our example, if the next computer that contacts the KMS host is running Windows Server 2012 R2, it receives an activation count of 4, because activation counts are cumulative. If a computer running Windows Server 2012 R2 receives an activation count that is 5 or more, it is activated. If a computer running Windows 10 receives an activation count of 25 or more, it is activated. - -### Activation count cache - -To track the activation threshold, the KMS host keeps a record of the KMS clients that request activation. The KMS host gives each KMS client a client ID designation, and the KMS host saves each client ID in a table. By default, each activation request remains in the table for up to 30 days. When a client renews its activation, the cached client ID is removed from the table, a new record is created, and the 30day period begins again. If a KMS client computer does not renew its activation within 30 days, the KMS host removes the corresponding client ID from the table and reduces the activation count by one. -However, the KMS host only caches twice the number of client IDs that are required to meet the activation threshold. 
Therefore, only the 50 most recent client IDs are kept in the table, and a client ID could be removed much sooner than 30 days. -The total size of the cache is set by the type of client computer that is attempting to activate. If a KMS host receives activation requests only from servers, the cache will hold only 10 client IDs (twice the required 5). If a client computer running Windows 10 contacts that KMS host, KMS increases the cache size to 50 to accommodate the higher threshold. KMS never reduces the cache size. - -### Key Management Service connectivity - -KMS activation requires TCP/IP connectivity. By default, KMS hosts and clients use DNS to publish and find the KMS. The default settings can be used, which require little or no administrative action, or KMS hosts and client computers can be manually configured based on network configuration and security requirements. - -### Key Management Service activation renewal - -KMS activations are valid for 180 days (the *activation validity interval*). To remain activated, KMS client computers must renew their activation by connecting to the KMS host at least once every 180 days. By default, KMS client computers attempt to renew their activation every 7 days. If KMS activation fails, the client computer retries every two hours. After a client computer’s activation is renewed, the activation validity interval begins again. - -### Publication of the Key Management Service - -The KMS uses service (SRV) resource records in DNS to store and communicate the locations of KMS hosts. KMS hosts use the DNS dynamic update protocol, if available, to publish the KMS service (SRV) resource records. If dynamic update is not available or the KMS host does not have rights to publish the resource records, the DNS records must be published manually, or you must configure client computers to connect to specific KMS hosts. 
- -### Client discovery of the Key Management Service - -By default, KMS client computers query DNS for KMS information. The first time a KMS client computer queries DNS for KMS information, it randomly chooses a KMS host from the list of service (SRV) resource records that DNS returns. The address of a DNS server that contains the service (SRV) resource records can be listed as a suffixed entry on KMS client computers, which allows one DNS server to advertise the service (SRV) resource records for KMS, and KMS client computers with other primary DNS servers to find it. -Priority and weight parameters can be added to the DnsDomainPublishList registry value for KMS. Establishing KMS host priority groupings and weighting within each group allows you to specify which KMS host the client computers should try first and balances traffic among multiple KMS hosts. Only Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Server 2012 R2, Windows Server 2012, and Windows Server 2008 R2 provide these priority and weight parameters. -If the KMS host that a client computer selects does not respond, the KMS client computer removes that KMS host from its list of service (SRV) resource records and randomly selects another KMS host from the list. When a KMS host responds, the KMS client computer caches the name of the KMS host and uses it for subsequent activation and renewal attempts. If the cached KMS host does not respond on a subsequent renewal, the KMS client computer discovers a new KMS host by querying DNS for KMS service (SRV) resource records. -By default, client computers connect to the KMS host for activation by using anonymous RPCs through TCP port 1688. (You can change the default port.) After establishing a TCP session with the KMS host, the client computer sends a single request packet. The KMS host responds with the activation count. 
If the count meets or exceeds the activation threshold for that operating system, the client computer is activated and the session is closed. The KMS client computer uses this same process for renewal requests. 250 bytes are used for communication each way. - -### Domain Name System server configuration - -The default KMS automatic publishing feature requires the service (SRV) resource record and support for DNS dynamic update protocol. KMS client computer default behavior and the KMS service (SRV) resource record publishing are supported on a DNS server that is running Microsoft software or any other DNS server that supports service (SRV) resource records (per Internet Engineering Task Force \[IETF\] Request for Comments \[RFC\] 2782) and dynamic updates (per IETF RFC 2136). For example, Berkeley Internet Domain Name versions 8.x and 9.x support service (SRV) resource records and dynamic update. -The KMS host must be configured so that it has the credentials needed to create and update the following resource records on the DNS servers: service (SRV), IPv4 host (A), and IPv6 host (AAAA), or the records need to be created manually. The recommended solution for giving the KMS host the needed credentials is to create a security group in AD DS, then add all KMS hosts to that group. On a DNS server that is running Microsoft software, ensure that this security group is given full control over the \_VLMCS.\_TCP record in each DNS domain that will contain the KMS service (SRV) resource records. - -### Activating the first Key Management Service host - -KMS hosts on the network need to install a KMS key, and then be activated with Microsoft. Installation of a KMS key enables the KMS on the KMS host. After installing the KMS key, complete the activation of the KMS host by telephone or online. Beyond this initial activation, a KMS host does not communicate any information to Microsoft. KMS keys are only installed on KMS hosts, never on individual KMS client computers. 
- -### Activating subsequent Key Management Service hosts - -Each KMS key can be installed on up to six KMS hosts. These hosts can be physical computers or virtual machines. After activating a KMS host, the same host can be reactivated up to nine times with the same key. If the organization needs more than six KMS hosts, you can request additional activations for your organization’s KMS key by calling a Microsoft Volume [Licensing Activation Center](https://go.microsoft.com/fwlink/p/?LinkID=618264) to request an exception. - -## How Multiple Activation Key works - -A MAK is used for one-time activation with Microsoft’s hosted activation services. Each MAK has a predetermined number of allowed activations. This number is based on volume licensing agreements, and it might not match the organization’s exact license count. Each activation that uses a MAK with the Microsoft hosted activation service counts toward the activation limit. - -You can activate computers by using a MAK in two ways: -- **MAK independent activation**. Each computer independently connects and is activated with Microsoft over the Internet or by telephone. MAK independent activation is best suited to computers within an organization that do not maintain a connection to the corporate network. MAK independent activation is shown in Figure 16. - - ![MAK independent activation](../images/volumeactivationforwindows81-16.jpg) - - **Figure 16**. MAK independent activation -- **MAK proxy activation**. MAK proxy activation enables a centralized activation request on behalf of multiple computers with one connection to Microsoft. You configure MAK proxy activation by using the VAMT. MAK proxy activation is appropriate for environments in which security concerns restrict direct access to the Internet or the corporate network. It is also suited for development and test labs that lack this connectivity. MAK proxy activation with the VAMT is shown in Figure 17. 
- - ![MAK proxy activation with the VAMT](../images/volumeactivationforwindows81-17.jpg) - - **Figure 17**. MAK proxy activation with the VAMT - -A MAK is recommended for computers that rarely or never connect to the corporate network and for environments in which the number of computers that require activation does not meet the KMS activation threshold. - -You can use a MAK for individual computers or with an image that can be duplicated or installed by using Microsoft deployment solutions. You can also use a MAK on a computer that was originally configured to use KMS activation. This is useful for moving a computer off the core network to a disconnected environment. - -### Multiple Activation Key architecture and activation - -MAK independent activation installs a MAK product key on a client computer. The key instructs that computer to activate itself with Microsoft servers over the Internet. -In MAK proxy activation, the VAMT installs a MAK product key on a client computer, obtains the installation ID from the target computer, sends the installation ID to Microsoft on behalf of the client, and obtains a confirmation ID. The tool then activates the client computer by installing the confirmation ID. - -## Activating as a standard user - -Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Server 2012 R2, Windows Server 2012, and Windows Server 2008 R2 do not require administrator privileges for activation, but this change does not allow standard user accounts to remove computers running Windows 7 or Windows Server 2008 R2 from the activated state. 
An administrator account is still required for other activation- or license-related tasks, such as “rearm.” - -## See also - -- [Volume Activation for Windows 10](volume-activation-windows-10.md) -  -  +--- +title: Activate clients running Windows 10 (Windows 10) +description: After you have configured Key Management Service (KMS) or Active Directory-based activation on your network, activating a client running Windows 10 is easy. +ms.assetid: 39446e49-ad7c-48dc-9f18-f85a11ded643 +ms.reviewer: +manager: laurawi +ms.author: greglin +keywords: vamt, volume activation, activation, windows activation +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: activation +audience: itpro +author: greg-lindsay +ms.localizationpriority: medium +ms.date: 07/27/2017 +ms.topic: article +--- + +# Activate clients running Windows 10 + +**Applies to** +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2012 +- Windows Server 2008 R2 + +**Looking for retail activation?** + +- [Get Help Activating Microsoft Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644) + +After you have configured Key Management Service (KMS) or Active Directory-based activation on your network, activating a client running Windows 10 is easy. If the computer has been configured with a Generic Volume License Key (GVLK), neither IT nor the user need take any action. It just works. +Enterprise edition images and installation media should already be configured with the GVLK. When the client computer starts, the Licensing service examines the current licensing condition of the computer. +If activation or reactivation is required, the following sequence occurs: +1. If the computer is a member of a domain, it asks a domain controller for a volume activation object. If Active Directory-based activation is configured, the domain controller returns the object. 
If the object matches the edition of the software that is installed and the computer has a matching GVLK, the computer is activated (or reactivated), and it will not need to be activated again for 180 days, although the operating system will attempt reactivation at much shorter, regular intervals. +2. If the computer is not a member of a domain or if the volume activation object is not available, the computer will issue a DNS query to attempt to locate a KMS server. If a KMS server can be contacted, activation occurs if the KMS has a key that matches the computer’s GVLK. +3. The computer tries to activate against Microsoft servers if it is configured with a MAK. + +If the client is not able to activate itself successfully, it will periodically try again. The frequency of the retry attempts depends on the current licensing state and whether the client computer has been successfully activated in the past. For example, if the client computer had been previously activated by Active Directory-based activation, it will periodically try to contact the domain controller at each restart. + +## How Key Management Service works + +KMS uses a client–server topology. KMS client computers can locate KMS host computers by using DNS or a static configuration. KMS clients contact the KMS host by using RPCs carried over TCP/IP. + +### Key Management Service activation thresholds + +You can activate physical computers and virtual machines by contacting a KMS host. To qualify for KMS activation, there must be a minimum number of qualifying computers (called the activation threshold). KMS clients will be activated only after this threshold has been met. Each KMS host counts the number of computers that have requested activation until the threshold is met. + +A KMS host responds to each valid activation request from a KMS client with the count of how many computers have already contacted the KMS host for activation. 
Client computers that receive a count below the activation threshold are not activated. For example, if the first two computers that contact the KMS host are running Windows 10, the first receives an activation count of 1, and the second receives an activation count of 2. If the next computer is a virtual machine on a computer running Windows 10, it receives an activation count of 3, and so on. None of these computers will be activated, because computers running Windows 10, like other client operating system versions, must receive an activation count of 25 or more. +When KMS clients are waiting for the KMS to reach the activation threshold, they will connect to the KMS host every two hours to get the current activation count. They will be activated when the threshold is met. + +In our example, if the next computer that contacts the KMS host is running Windows Server 2012 R2, it receives an activation count of 4, because activation counts are cumulative. If a computer running Windows Server 2012 R2 receives an activation count that is 5 or more, it is activated. If a computer running Windows 10 receives an activation count of 25 or more, it is activated. + +### Activation count cache + +To track the activation threshold, the KMS host keeps a record of the KMS clients that request activation. The KMS host gives each KMS client a client ID designation, and the KMS host saves each client ID in a table. By default, each activation request remains in the table for up to 30 days. When a client renews its activation, the cached client ID is removed from the table, a new record is created, and the 30day period begins again. If a KMS client computer does not renew its activation within 30 days, the KMS host removes the corresponding client ID from the table and reduces the activation count by one. +However, the KMS host only caches twice the number of client IDs that are required to meet the activation threshold. 
Therefore, only the 50 most recent client IDs are kept in the table, and a client ID could be removed much sooner than 30 days. +The total size of the cache is set by the type of client computer that is attempting to activate. If a KMS host receives activation requests only from servers, the cache will hold only 10 client IDs (twice the required 5). If a client computer running Windows 10 contacts that KMS host, KMS increases the cache size to 50 to accommodate the higher threshold. KMS never reduces the cache size. + +### Key Management Service connectivity + +KMS activation requires TCP/IP connectivity. By default, KMS hosts and clients use DNS to publish and find the KMS. The default settings can be used, which require little or no administrative action, or KMS hosts and client computers can be manually configured based on network configuration and security requirements. + +### Key Management Service activation renewal + +KMS activations are valid for 180 days (the *activation validity interval*). To remain activated, KMS client computers must renew their activation by connecting to the KMS host at least once every 180 days. By default, KMS client computers attempt to renew their activation every 7 days. If KMS activation fails, the client computer retries every two hours. After a client computer’s activation is renewed, the activation validity interval begins again. + +### Publication of the Key Management Service + +The KMS uses service (SRV) resource records in DNS to store and communicate the locations of KMS hosts. KMS hosts use the DNS dynamic update protocol, if available, to publish the KMS service (SRV) resource records. If dynamic update is not available or the KMS host does not have rights to publish the resource records, the DNS records must be published manually, or you must configure client computers to connect to specific KMS hosts. 
+ +### Client discovery of the Key Management Service + +By default, KMS client computers query DNS for KMS information. The first time a KMS client computer queries DNS for KMS information, it randomly chooses a KMS host from the list of service (SRV) resource records that DNS returns. The address of a DNS server that contains the service (SRV) resource records can be listed as a suffixed entry on KMS client computers, which allows one DNS server to advertise the service (SRV) resource records for KMS, and KMS client computers with other primary DNS servers to find it. +Priority and weight parameters can be added to the DnsDomainPublishList registry value for KMS. Establishing KMS host priority groupings and weighting within each group allows you to specify which KMS host the client computers should try first and balances traffic among multiple KMS hosts. Only Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Server 2012 R2, Windows Server 2012, and Windows Server 2008 R2 provide these priority and weight parameters. +If the KMS host that a client computer selects does not respond, the KMS client computer removes that KMS host from its list of service (SRV) resource records and randomly selects another KMS host from the list. When a KMS host responds, the KMS client computer caches the name of the KMS host and uses it for subsequent activation and renewal attempts. If the cached KMS host does not respond on a subsequent renewal, the KMS client computer discovers a new KMS host by querying DNS for KMS service (SRV) resource records. +By default, client computers connect to the KMS host for activation by using anonymous RPCs through TCP port 1688. (You can change the default port.) After establishing a TCP session with the KMS host, the client computer sends a single request packet. The KMS host responds with the activation count. 
If the count meets or exceeds the activation threshold for that operating system, the client computer is activated and the session is closed. The KMS client computer uses this same process for renewal requests. 250 bytes are used for communication each way. + +### Domain Name System server configuration + +The default KMS automatic publishing feature requires the service (SRV) resource record and support for DNS dynamic update protocol. KMS client computer default behavior and the KMS service (SRV) resource record publishing are supported on a DNS server that is running Microsoft software or any other DNS server that supports service (SRV) resource records (per Internet Engineering Task Force \[IETF\] Request for Comments \[RFC\] 2782) and dynamic updates (per IETF RFC 2136). For example, Berkeley Internet Domain Name versions 8.x and 9.x support service (SRV) resource records and dynamic update. +The KMS host must be configured so that it has the credentials needed to create and update the following resource records on the DNS servers: service (SRV), IPv4 host (A), and IPv6 host (AAAA), or the records need to be created manually. The recommended solution for giving the KMS host the needed credentials is to create a security group in AD DS, then add all KMS hosts to that group. On a DNS server that is running Microsoft software, ensure that this security group is given full control over the \_VLMCS.\_TCP record in each DNS domain that will contain the KMS service (SRV) resource records. + +### Activating the first Key Management Service host + +KMS hosts on the network need to install a KMS key, and then be activated with Microsoft. Installation of a KMS key enables the KMS on the KMS host. After installing the KMS key, complete the activation of the KMS host by telephone or online. Beyond this initial activation, a KMS host does not communicate any information to Microsoft. KMS keys are only installed on KMS hosts, never on individual KMS client computers. 
+ +### Activating subsequent Key Management Service hosts + +Each KMS key can be installed on up to six KMS hosts. These hosts can be physical computers or virtual machines. After activating a KMS host, the same host can be reactivated up to nine times with the same key. If the organization needs more than six KMS hosts, you can request additional activations for your organization’s KMS key by calling a Microsoft Volume [Licensing Activation Center](https://go.microsoft.com/fwlink/p/?LinkID=618264) to request an exception. + +## How Multiple Activation Key works + +A MAK is used for one-time activation with Microsoft’s hosted activation services. Each MAK has a predetermined number of allowed activations. This number is based on volume licensing agreements, and it might not match the organization’s exact license count. Each activation that uses a MAK with the Microsoft hosted activation service counts toward the activation limit. + +You can activate computers by using a MAK in two ways: +- **MAK independent activation**. Each computer independently connects and is activated with Microsoft over the Internet or by telephone. MAK independent activation is best suited to computers within an organization that do not maintain a connection to the corporate network. MAK independent activation is shown in Figure 16. + + ![MAK independent activation](../images/volumeactivationforwindows81-16.jpg) + + **Figure 16**. MAK independent activation +- **MAK proxy activation**. MAK proxy activation enables a centralized activation request on behalf of multiple computers with one connection to Microsoft. You configure MAK proxy activation by using the VAMT. MAK proxy activation is appropriate for environments in which security concerns restrict direct access to the Internet or the corporate network. It is also suited for development and test labs that lack this connectivity. MAK proxy activation with the VAMT is shown in Figure 17. 
+ + ![MAK proxy activation with the VAMT](../images/volumeactivationforwindows81-17.jpg) + + **Figure 17**. MAK proxy activation with the VAMT + +A MAK is recommended for computers that rarely or never connect to the corporate network and for environments in which the number of computers that require activation does not meet the KMS activation threshold. + +You can use a MAK for individual computers or with an image that can be duplicated or installed by using Microsoft deployment solutions. You can also use a MAK on a computer that was originally configured to use KMS activation. This is useful for moving a computer off the core network to a disconnected environment. + +### Multiple Activation Key architecture and activation + +MAK independent activation installs a MAK product key on a client computer. The key instructs that computer to activate itself with Microsoft servers over the Internet. +In MAK proxy activation, the VAMT installs a MAK product key on a client computer, obtains the installation ID from the target computer, sends the installation ID to Microsoft on behalf of the client, and obtains a confirmation ID. The tool then activates the client computer by installing the confirmation ID. + +## Activating as a standard user + +Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Server 2012 R2, Windows Server 2012, and Windows Server 2008 R2 do not require administrator privileges for activation, but this change does not allow standard user accounts to remove computers running Windows 7 or Windows Server 2008 R2 from the activated state. An administrator account is still required for other activation- or license-related tasks, such as “rearm.” + +## See also + +- [Volume Activation for Windows 10](volume-activation-windows-10.md) +  +  diff --git a/windows/deployment/volume-activation/add-manage-products-vamt.md b/windows/deployment/volume-activation/add-manage-products-vamt.md index bc02aaba30..fe607d6482 100644 
--- a/windows/deployment/volume-activation/add-manage-products-vamt.md
+++ b/windows/deployment/volume-activation/add-manage-products-vamt.md
@@ -1,6 +1,6 @@
 ---
 title: Add and Manage Products (Windows 10)
-description: Add and manage computers with the Volume Activation Management Tool (VAMT).
+description: Add client computers into the Volume Activation Management Tool (VAMT). After you add the computers, you can manage the products that are installed on your network.
 ms.assetid: a48fbc23-917d-40f7-985c-e49702c05e51
 ms.reviewer:
 manager: laurawi
diff --git a/windows/deployment/volume-activation/add-remove-product-key-vamt.md b/windows/deployment/volume-activation/add-remove-product-key-vamt.md
index fc7b9b051d..dc8aedf5f2 100644
--- a/windows/deployment/volume-activation/add-remove-product-key-vamt.md
+++ b/windows/deployment/volume-activation/add-remove-product-key-vamt.md
@@ -1,39 +1,40 @@ ---- -title: Add and Remove a Product Key (Windows 10) -description: Add and Remove a Product Key -ms.assetid: feac32bb-fb96-4802-81b8-c69220dcfcce -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: activation -audience: itpro author: greg-lindsay -ms.date: 04/25/2017 -ms.topic: article ---- - -# Add and Remove a Product Key - -Before you can use a Multiple Activation Key (MAK), retail, or KMS Host key (CSVLK) product key, you must first add it to the Volume Activation Management Tool (VAMT) database. - -## To Add a Product Key - -1. Open VAMT. -2. In the left-side pane, right-click the **Product Keys** node to open the **Actions** menu. -3. Click **Add product keys** to open the **Add Product Keys** dialog box. -4. In the **Add Product Keys** dialog box, select from one of the following methods to add product keys: - - To add product keys manually, click **Enter product key(s) separated by line breaks**, enter one or more product keys separated by line breaks, and click **Add Key(s)**. - - To import a Comma Separated Values (CSV) file containing a list of product keys, click **Select a product key file to import**, browse to the file location, click **Open** to import the file, and then click **Add Key(s)**. - - **Note**   - If you are activating a large number of products with a MAK, you should refresh the activation count of the MAK, to ensure that the MAK can support the required number of activations. In the product key list in the center pane, select the MAK and click **Refresh product key data online** in the right-side pane to contact Microsoft and retrieve the number of remaining activations for the MAK. This step requires Internet access. You can only retrieve the remaining activation count for MAKs. 
- -## Remove a Product Key - -- To remove a product key from the list, simply select the key in the list and click **Delete** on the **Selected Items** menu in the right-side pane. Click **Yes** to confirm deletion of the product key. Removing a product key from the VAMT database will not affect the activation state of any products or computers on the network. - -## Related topics - -- [Manage Product Keys](manage-product-keys-vamt.md) +--- +title: Add and Remove a Product Key (Windows 10) +description: Add a product key to the Volume Activation Management Tool (VAMT) database. Also, learn how to remove the key from the database. +ms.assetid: feac32bb-fb96-4802-81b8-c69220dcfcce +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: activation +audience: itpro +author: greg-lindsay +ms.date: 04/25/2017 +ms.topic: article +--- + +# Add and Remove a Product Key + +Before you can use a Multiple Activation Key (MAK), retail, or KMS Host key (CSVLK) product key, you must first add it to the Volume Activation Management Tool (VAMT) database. + +## To Add a Product Key + +1. Open VAMT. +2. In the left-side pane, right-click the **Product Keys** node to open the **Actions** menu. +3. Click **Add product keys** to open the **Add Product Keys** dialog box. +4. In the **Add Product Keys** dialog box, select from one of the following methods to add product keys: + - To add product keys manually, click **Enter product key(s) separated by line breaks**, enter one or more product keys separated by line breaks, and click **Add Key(s)**. + - To import a Comma Separated Values (CSV) file containing a list of product keys, click **Select a product key file to import**, browse to the file location, click **Open** to import the file, and then click **Add Key(s)**. 
+ + **Note**   + If you are activating a large number of products with a MAK, you should refresh the activation count of the MAK, to ensure that the MAK can support the required number of activations. In the product key list in the center pane, select the MAK and click **Refresh product key data online** in the right-side pane to contact Microsoft and retrieve the number of remaining activations for the MAK. This step requires Internet access. You can only retrieve the remaining activation count for MAKs. + +## Remove a Product Key + +- To remove a product key from the list, simply select the key in the list and click **Delete** on the **Selected Items** menu in the right-side pane. Click **Yes** to confirm deletion of the product key. Removing a product key from the VAMT database will not affect the activation state of any products or computers on the network. + +## Related topics + +- [Manage Product Keys](manage-product-keys-vamt.md) diff --git a/windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md b/windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md index d56ff58a30..19d405b786 100644 --- a/windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md +++ b/windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md 
@@ -1,71 +1,72 @@ ---- -title: Appendix Information sent to Microsoft during activation (Windows 10) -ms.assetid: 4bfff495-07d0-4385-86e3-7a077cbd64b8 -ms.reviewer: -manager: laurawi -ms.author: greglin -description: -keywords: vamt, volume activation, activation, windows activation -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: activation -audience: itpro author: greg-lindsay -ms.localizationpriority: medium -ms.date: 07/27/2017 -ms.topic: article ---- - -# Appendix: Information sent to Microsoft during activation -**Applies to** -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 R2 -- Windows Server 2012 -- Windows Server 2008 R2 - -**Looking for retail activation?** - -- [Get Help Activating Microsoft Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644) - -When you activate a computer running Windows 10, the following information is sent to Microsoft: - -- The Microsoft product code (a five-digit code that identifies the Windows product you are activating) -- A channel ID or site code that identifies how the Windows product was originally obtained - - For example, a channel ID or site code identifies whether the product was originally purchased from a retail store, obtained as an evaluation copy, obtained through a volume licensing program, or preinstalled by a computer manufacturer. 
- -- The date of installation and whether the installation was successful -- Information that helps confirm that your Windows product key has not been altered -- Computer make and model -- Version information for the operating system and software -- Region and language settings -- A unique number called a *globally unique identifier*, which is assigned to your computer -- Product key (hashed) and product ID -- BIOS name, revision number, and revision date -- Volume serial number (hashed) of the hard disk drive -- The result of the activation check - - This includes error codes and the following information about any activation exploits and related malicious or unauthorized software that was found or disabled: - - - The activation exploit’s identifier - - The activation exploit’s current state, such as cleaned or quarantined - - Computer manufacturer’s identification - - The activation exploit’s file name and hash in addition to a hash of related software components that may indicate the presence of an activation exploit -- The name and a hash of the contents of your computer’s startup instructions file -- If your Windows license is on a subscription basis, information about how your subscription works - -Standard computer information is also sent, but your computer’s IP address is only retained temporarily. - -## Use of information - -Microsoft uses the information to confirm that you have a licensed copy of the software. Microsoft does not use the information to contact individual consumers. -For additional details, see [Windows 10 Privacy Statement](https://go.microsoft.com/fwlink/p/?LinkId=619879). 
- -## See also - -- [Volume Activation for Windows 10](volume-activation-windows-10.md) -  -  +--- +title: Appendix Information sent to Microsoft during activation (Windows 10) +ms.assetid: 4bfff495-07d0-4385-86e3-7a077cbd64b8 +ms.reviewer: +manager: laurawi +ms.author: greglin +description: +keywords: vamt, volume activation, activation, windows activation +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: activation +audience: itpro +author: greg-lindsay +ms.localizationpriority: medium +ms.date: 07/27/2017 +ms.topic: article +--- + +# Appendix: Information sent to Microsoft during activation +**Applies to** +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2012 +- Windows Server 2008 R2 + +**Looking for retail activation?** + +- [Get Help Activating Microsoft Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644) + +When you activate a computer running Windows 10, the following information is sent to Microsoft: + +- The Microsoft product code (a five-digit code that identifies the Windows product you are activating) +- A channel ID or site code that identifies how the Windows product was originally obtained + + For example, a channel ID or site code identifies whether the product was originally purchased from a retail store, obtained as an evaluation copy, obtained through a volume licensing program, or preinstalled by a computer manufacturer. 
+ +- The date of installation and whether the installation was successful +- Information that helps confirm that your Windows product key has not been altered +- Computer make and model +- Version information for the operating system and software +- Region and language settings +- A unique number called a *globally unique identifier*, which is assigned to your computer +- Product key (hashed) and product ID +- BIOS name, revision number, and revision date +- Volume serial number (hashed) of the hard disk drive +- The result of the activation check + + This includes error codes and the following information about any activation exploits and related malicious or unauthorized software that was found or disabled: + + - The activation exploit’s identifier + - The activation exploit’s current state, such as cleaned or quarantined + - Computer manufacturer’s identification + - The activation exploit’s file name and hash in addition to a hash of related software components that may indicate the presence of an activation exploit +- The name and a hash of the contents of your computer’s startup instructions file +- If your Windows license is on a subscription basis, information about how your subscription works + +Standard computer information is also sent, but your computer’s IP address is only retained temporarily. + +## Use of information + +Microsoft uses the information to confirm that you have a licensed copy of the software. Microsoft does not use the information to contact individual consumers. +For additional details, see [Windows 10 Privacy Statement](https://go.microsoft.com/fwlink/p/?LinkId=619879). + +## See also + +- [Volume Activation for Windows 10](volume-activation-windows-10.md) +  +  diff --git a/windows/deployment/volume-activation/configure-client-computers-vamt.md b/windows/deployment/volume-activation/configure-client-computers-vamt.md index 08cca37792..f4e102124a 100644 --- a/windows/deployment/volume-activation/configure-client-computers-vamt.md 
+++ b/windows/deployment/volume-activation/configure-client-computers-vamt.md
@@ -1,6 +1,6 @@
 ---
 title: Configure Client Computers (Windows 10)
-description: Configure Client Computers
+description: Learn how to configure client computers to enable the Volume Activation Management Tool (VAMT) to function correctly.
 ms.assetid: a48176c9-b05c-4dd5-a9ef-83073e2370fc
 ms.reviewer:
 manager: laurawi
diff --git a/windows/deployment/volume-activation/import-export-vamt-data.md b/windows/deployment/volume-activation/import-export-vamt-data.md
index 5b77d96564..502813e80e 100644
--- a/windows/deployment/volume-activation/import-export-vamt-data.md
+++ b/windows/deployment/volume-activation/import-export-vamt-data.md
@@ -1,51 +1,52 @@ ---- -title: Import and Export VAMT Data (Windows 10) -description: Import and Export VAMT Data -ms.assetid: 09a2c595-1a61-4da6-bd46-4ba8763cfd4f -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: activation -audience: itpro author: greg-lindsay -ms.date: 04/25/2017 -ms.topic: article ---- - -# Import and Export VAMT Data - -You can use the Volume Activation Management Tool (VAMT) to import product-activation data from a Computer Information List (.cilx or .cil) file into SQL Server, and to export product-activation data into a .cilx file. A .cilx file is an XML file that stores computer and product-activation data. -You can import data or export data during the following scenarios: -- Import and merge data from previous versions of VAMT. -- Export data to use to perform proxy activations. - -**Warning**   -Editing a .cilx file using an application other than VAMT can corrupt the .cilx file and is not supported. - -## Import VAMT Data - -**To import data into VAMT** -1. Open VAMT. -2. In the right-side **Actions** pane, click **Import list** to open the **Import List** dialog box. -3. In the **Import List** dialog box, navigate to the .cilx file location, select the file, and click **Open**. -4. In the **Volume Activation Management Tool** dialog box, click **OK** to begin the import. VAMT displays a progress message while the file is being imported. Click **OK** when a message appears and confirms that the import has completed successfully. - -## Export VAMT Data - -Exporting VAMT data from a non-Internet-connected VAMT host computer is the first step of proxy activation using multiple VAMT hosts. To export product-activation data to a .cilx file: -1. In the left-side pane, you can click a product you want to export data for, or click **Products** if the list contains data for all products. -2. 
If you want to export only part of the data in a product list, in the product list view in the center pane select the products you want to export. -3. In the right-side **Actions** pane on, click **Export list** to open the **Export List** dialog box. -4. In the **Export List** dialog box, click **Browse** to navigate to the .cilx file. -5. Under **Export options**, select one of the following data-type options: - - Export products and product keys - - Export products only - - Export proxy activation data only. Selecting this option ensures that the export contains only the licensing information required for the proxy web service to obtain CIDs from Microsoft. No Personally Identifiable Information (PII) is contained in the exported .cilx file when this selection is checked. -6. If you have selected products to export, select the **Export selected product rows only** check box. -7. Click **Save**. VAMT displays a progress message while the data is being exported. Click **OK** when a message appears and confirms that the export has completed successfully. - -## Related topics - -- [Perform Proxy Activation](proxy-activation-vamt.md) +--- +title: Import and Export VAMT Data (Windows 10) +description: Learn how to use the Volume Activation Management Tool (VAMT) to import product-activation data from a .cilx or .cil file into SQL Server. +ms.assetid: 09a2c595-1a61-4da6-bd46-4ba8763cfd4f +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: activation +audience: itpro +author: greg-lindsay +ms.date: 04/25/2017 +ms.topic: article +--- + +# Import and Export VAMT Data + +You can use the Volume Activation Management Tool (VAMT) to import product-activation data from a Computer Information List (.cilx or .cil) file into SQL Server, and to export product-activation data into a .cilx file. A .cilx file is an XML file that stores computer and product-activation data. 
+You can import data or export data during the following scenarios: +- Import and merge data from previous versions of VAMT. +- Export data to use to perform proxy activations. + +**Warning**   +Editing a .cilx file using an application other than VAMT can corrupt the .cilx file and is not supported. + +## Import VAMT Data + +**To import data into VAMT** +1. Open VAMT. +2. In the right-side **Actions** pane, click **Import list** to open the **Import List** dialog box. +3. In the **Import List** dialog box, navigate to the .cilx file location, select the file, and click **Open**. +4. In the **Volume Activation Management Tool** dialog box, click **OK** to begin the import. VAMT displays a progress message while the file is being imported. Click **OK** when a message appears and confirms that the import has completed successfully. + +## Export VAMT Data + +Exporting VAMT data from a non-Internet-connected VAMT host computer is the first step of proxy activation using multiple VAMT hosts. To export product-activation data to a .cilx file: +1. In the left-side pane, you can click a product you want to export data for, or click **Products** if the list contains data for all products. +2. If you want to export only part of the data in a product list, in the product list view in the center pane select the products you want to export. +3. In the right-side **Actions** pane on, click **Export list** to open the **Export List** dialog box. +4. In the **Export List** dialog box, click **Browse** to navigate to the .cilx file. +5. Under **Export options**, select one of the following data-type options: + - Export products and product keys + - Export products only + - Export proxy activation data only. Selecting this option ensures that the export contains only the licensing information required for the proxy web service to obtain CIDs from Microsoft. No Personally Identifiable Information (PII) is contained in the exported .cilx file when this selection is checked. +6. 
If you have selected products to export, select the **Export selected product rows only** check box.
+7. Click **Save**. VAMT displays a progress message while the data is being exported. Click **OK** when a message appears and confirms that the export has completed successfully.
+
+## Related topics
+
+- [Perform Proxy Activation](proxy-activation-vamt.md)
diff --git a/windows/deployment/volume-activation/install-configure-vamt.md b/windows/deployment/volume-activation/install-configure-vamt.md
index dc1c9eaa35..f4cff8a4da 100644
--- a/windows/deployment/volume-activation/install-configure-vamt.md
+++ b/windows/deployment/volume-activation/install-configure-vamt.md
@@ -1,34 +1,35 @@ ---- -title: Install and Configure VAMT (Windows 10) -description: Install and Configure VAMT -ms.assetid: 5c7ae9b9-0dbc-4277-bc4f-8b3e4ab0bf50 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: activation -audience: itpro author: greg-lindsay -ms.localizationpriority: medium -ms.date: 07/27/2017 -ms.topic: article ---- - -# Install and Configure VAMT - -This section describes how to install and configure the Volume Activation Management Tool (VAMT). - -## In this Section - -|Topic |Description | -|------|------------| -|[VAMT Requirements](vamt-requirements.md) |Provides system requirements for installing VAMT on a host computer. | -|[Install VAMT](install-vamt.md) |Describes how to get and install VAMT. | -|[Configure Client Computers](configure-client-computers-vamt.md) |Describes how to configure client computers on your network to work with VAMT. | - -## Related topics - -- [Introduction to VAMT](introduction-vamt.md) -  -  +--- +title: Install and Configure VAMT (Windows 10) +description: Learn how to install and configure the Volume Activation Management Tool (VAMT), and learn where to find information about the process. +ms.assetid: 5c7ae9b9-0dbc-4277-bc4f-8b3e4ab0bf50 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: activation +audience: itpro +author: greg-lindsay +ms.localizationpriority: medium +ms.date: 07/27/2017 +ms.topic: article +--- + +# Install and Configure VAMT + +This section describes how to install and configure the Volume Activation Management Tool (VAMT). + +## In this Section + +|Topic |Description | +|------|------------| +|[VAMT Requirements](vamt-requirements.md) |Provides system requirements for installing VAMT on a host computer. | +|[Install VAMT](install-vamt.md) |Describes how to get and install VAMT. 
| +|[Configure Client Computers](configure-client-computers-vamt.md) |Describes how to configure client computers on your network to work with VAMT. | + +## Related topics + +- [Introduction to VAMT](introduction-vamt.md) +  +  diff --git a/windows/deployment/volume-activation/install-kms-client-key-vamt.md b/windows/deployment/volume-activation/install-kms-client-key-vamt.md index 3fe43074c1..c0458d4963 100644 --- a/windows/deployment/volume-activation/install-kms-client-key-vamt.md +++ b/windows/deployment/volume-activation/install-kms-client-key-vamt.md 
@@ -1,43 +1,44 @@ ---- -title: Install a KMS Client Key (Windows 10) -description: Install a KMS Client Key -ms.assetid: d234468e-7917-4cf5-b0a8-4968454f7759 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: activation -audience: itpro author: greg-lindsay -ms.localizationpriority: medium -ms.date: 07/27/2017 -ms.topic: article ---- - -# Install a KMS Client Key - -You can use the Volume Activation Management Tool (VAMT) to install Generic Volume License Key (GVLK), or KMS client, product keys. For example, if you are converting a MAK-activated product to KMS activation. - -**Note**   -By default, volume license editions of Windows Vista, Windows® 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, Windows Server® 2012, and Microsoft® Office 2010 use KMS for activation. GVLKs are already installed in volume license editions of these products. - -**To install a KMS Client key** -1. Open VAMT. -2. In the left-side pane click **Products** to open the product list view in the center pane. -3. In the products list view in the center pane, select the products that need to have GVLKs installed. You can use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box. -4. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options. - - To filter the list by computer name, enter a name in the **Computer Name** box. - - To filter the list by Product Name, Product Key Type, or License Status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter. -5. Click **Filter**. VAMT displays the filtered list in the center pane. -6. 
Click **Install product key** in the **Selected Items** menu in the right-side pane to display the **Install Product Key** dialog box. -7. The **Install Product Key** dialog box displays the keys that are available to be installed. -8. Select the **Automatically select an AD or KMS client key** option and then click **Install Key**. - - VAMT displays the **Installing product key** dialog box while it attempts to install the product key for the selected products. When the process is finished, the status appears in the **Action Status** column of the dialog box. Click **Close** to close the dialog box. You can also click the **Automatically close when done** check box when the dialog box appears. - - The same status is shown under the **Status of Last Action** column in the product list view in the center pane. - -## Related topics - -- [Perform KMS Activation](kms-activation-vamt.md) +--- +title: Install a KMS Client Key (Windows 10) +description: Learn to use the Volume Activation Management Tool (VAMT) to install Generic Volume License Key (GVLK), or KMS client, product keys. +ms.assetid: d234468e-7917-4cf5-b0a8-4968454f7759 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: activation +audience: itpro +author: greg-lindsay +ms.localizationpriority: medium +ms.date: 07/27/2017 +ms.topic: article +--- + +# Install a KMS Client Key + +You can use the Volume Activation Management Tool (VAMT) to install Generic Volume License Key (GVLK), or KMS client, product keys. For example, if you are converting a MAK-activated product to KMS activation. + +**Note**   +By default, volume license editions of Windows Vista, Windows® 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, Windows Server® 2012, and Microsoft® Office 2010 use KMS for activation. GVLKs are already installed in volume license editions of these products. + +**To install a KMS Client key** +1. Open VAMT. +2. 
In the left-side pane click **Products** to open the product list view in the center pane.
+3. In the products list view in the center pane, select the products that need to have GVLKs installed. You can use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box.
+4. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options.
+ - To filter the list by computer name, enter a name in the **Computer Name** box.
+ - To filter the list by Product Name, Product Key Type, or License Status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter.
+5. Click **Filter**. VAMT displays the filtered list in the center pane.
+6. Click **Install product key** in the **Selected Items** menu in the right-side pane to display the **Install Product Key** dialog box.
+7. The **Install Product Key** dialog box displays the keys that are available to be installed.
+8. Select the **Automatically select an AD or KMS client key** option and then click **Install Key**.
+
+ VAMT displays the **Installing product key** dialog box while it attempts to install the product key for the selected products. When the process is finished, the status appears in the **Action Status** column of the dialog box. Click **Close** to close the dialog box. You can also click the **Automatically close when done** check box when the dialog box appears.
+
+ The same status is shown under the **Status of Last Action** column in the product list view in the center pane.
+
+## Related topics
+
+- [Perform KMS Activation](kms-activation-vamt.md)
diff --git a/windows/deployment/volume-activation/install-product-key-vamt.md b/windows/deployment/volume-activation/install-product-key-vamt.md
index 96908f97d1..d83feb6226 100644
--- a/windows/deployment/volume-activation/install-product-key-vamt.md
+++ b/windows/deployment/volume-activation/install-product-key-vamt.md
@@ -1,45 +1,46 @@ ---- -title: Install a Product Key (Windows 10) -description: Install a Product Key -ms.assetid: 78812c87-2208-4f8b-9c2c-5a8a18b2d648 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: activation -audience: itpro author: greg-lindsay -ms.localizationpriority: medium -ms.date: 07/27/2017 -ms.topic: article ---- - -# Install a Product Key - -You can use the Volume Activation Management Tool (VAMT) to install retail, Multiple Activation Key (MAK), and KMS Host key (CSVLK). - -**To install a Product key** -1. Open VAMT. -2. In the left-side pane, click the product that you want to install keys onto. -3. You can use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box. -4. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options. - - To filter the list by computer name, enter a name in the **Computer Name** box. - - To filter the list by Product Name, Product Key Type, or License Status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter. -5. Click **Filter**. -6. In the products list view in the center pane, sort the list if needed and then select the products that need to have keys installed. You can use the **CTRL** key or the **SHIFT** key to select more than one product. -7. Click **Install product key** in the **Selected Items** menu in the right-side pane to display the **Install Product Key** dialog box. -8. The **Select Product Key** dialog box displays the keys that are available to be installed. Under **Recommended MAKs**, VAMT might display one or more recommended MAK based on the selected products. 
You can select a recommended product key or a product key from the **All Product Keys** list. Use the scroll bar if you need to view the **Description** for each key. When you have selected the product key you want to install, click **Install Key**. Note that only one key can be installed at a time. -9. VAMT displays the **Installing product key** dialog box while it attempts to install the product key for the selected products. When the process is finished, the status appears in the **Action Status** column of the dialog box. Click **Close** to close the dialog box. You can also click the **Automatically close when done** check box when the dialog box appears. - - The same status is shown under the **Status of Last Action** column in the product list view in the center pane. - - **Note**   - Product key installation will fail if VAMT finds mismatched key types or editions. VAMT will display the failure status and will continue the installation for the next product in the list. For more information on choosing the correct MAK or KMS Host key (CSVLK), see [How to Choose the Right - Volume License Key for Windows](https://go.microsoft.com/fwlink/p/?linkid=238382). - -## Related topics - -- [Manage Product Keys](manage-product-keys-vamt.md) - - +--- +title: Install a Product Key (Windows 10) +description: Learn to use the Volume Activation Management Tool (VAMT) to install retail, Multiple Activation Key (MAK), and KMS Host key (CSVLK). +ms.assetid: 78812c87-2208-4f8b-9c2c-5a8a18b2d648 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: activation +audience: itpro +author: greg-lindsay +ms.localizationpriority: medium +ms.date: 07/27/2017 +ms.topic: article +--- + +# Install a Product Key + +You can use the Volume Activation Management Tool (VAMT) to install retail, Multiple Activation Key (MAK), and KMS Host key (CSVLK). + +**To install a Product key** +1. Open VAMT. +2. 
In the left-side pane, click the product that you want to install keys onto. +3. You can use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box. +4. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options. + - To filter the list by computer name, enter a name in the **Computer Name** box. + - To filter the list by Product Name, Product Key Type, or License Status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter. +5. Click **Filter**. +6. In the products list view in the center pane, sort the list if needed and then select the products that need to have keys installed. You can use the **CTRL** key or the **SHIFT** key to select more than one product. +7. Click **Install product key** in the **Selected Items** menu in the right-side pane to display the **Install Product Key** dialog box. +8. The **Select Product Key** dialog box displays the keys that are available to be installed. Under **Recommended MAKs**, VAMT might display one or more recommended MAK based on the selected products. You can select a recommended product key or a product key from the **All Product Keys** list. Use the scroll bar if you need to view the **Description** for each key. When you have selected the product key you want to install, click **Install Key**. Note that only one key can be installed at a time. +9. VAMT displays the **Installing product key** dialog box while it attempts to install the product key for the selected products. When the process is finished, the status appears in the **Action Status** column of the dialog box. Click **Close** to close the dialog box. You can also click the **Automatically close when done** check box when the dialog box appears. 
+ + The same status is shown under the **Status of Last Action** column in the product list view in the center pane. + + **Note**   + Product key installation will fail if VAMT finds mismatched key types or editions. VAMT will display the failure status and will continue the installation for the next product in the list. For more information on choosing the correct MAK or KMS Host key (CSVLK), see [How to Choose the Right + Volume License Key for Windows](https://go.microsoft.com/fwlink/p/?linkid=238382). + +## Related topics + +- [Manage Product Keys](manage-product-keys-vamt.md) + + diff --git a/windows/deployment/volume-activation/install-vamt.md b/windows/deployment/volume-activation/install-vamt.md index 27951497ec..6b18acd8ae 100644 --- a/windows/deployment/volume-activation/install-vamt.md +++ b/windows/deployment/volume-activation/install-vamt.md @@ -1,6 +1,6 @@ --- title: Install VAMT (Windows 10) -description: Install VAMT +description: Learn how to install Volume Activation Management Tool (VAMT) as part of the Windows Assessment and Deployment Kit (ADK) for Windows 10. ms.assetid: 2eabd3e2-0a68-43a5-8189-2947e46482fc ms.reviewer: manager: laurawi diff --git a/windows/deployment/volume-activation/introduction-vamt.md b/windows/deployment/volume-activation/introduction-vamt.md index 791d49e497..5152af65fe 100644 --- a/windows/deployment/volume-activation/introduction-vamt.md +++ b/windows/deployment/volume-activation/introduction-vamt.md 
@@ -1,66 +1,67 @@ ---- -title: Introduction to VAMT (Windows 10) -description: Introduction to VAMT -ms.assetid: 0439685e-0bae-4967-b0d4-dd84ca6d7fa7 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: activation -audience: itpro author: greg-lindsay -ms.date: 04/25/2017 -ms.topic: article ---- - -# Introduction to VAMT - -The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows®, Microsoft® Office®, and select other Microsoft products volume and retail activation process. VAMT can manage volume activation using Multiple Activation Keys (MAKs) or the Windows Key Management Service (KMS). VAMT is a standard Microsoft Management Console (MMC) snap-in and can be installed on any computer that has one of the following Windows operating systems: Windows® 7, Windows 8, Windows 8.1, Windows 10,Windows Server 2008 R2, or Windows Server 2012. - -**Note**   -VAMT can be installed on, and can manage, physical or virtual instances. VAMT cannot detect whether or not the remote products are virtual. As long as the products can respond to Windows Management Instrumentation (WMI) calls, they will be discovered and activated. - -## In this Topic -- [Managing Multiple Activation Key (MAK) and Retail Activation](#bkmk-managingmak) -- [Managing Key Management Service (KMS) Activation](#bkmk-managingkms) -- [Enterprise Environment](#bkmk-enterpriseenvironment) -- [VAMT User Interface](#bkmk-userinterface) - -## Managing Multiple Activation Key (MAK) and Retail Activation - -You can use a MAK or a retail product key to activate Windows, Windows Server, or Office on an individual computer or a group of computers. VAMT enables two different activation scenarios: -- **Online activation.** Many enterprises maintain a single Windows system image or Office installation package for deployment across the enterprise. 
Occasionally there is also a need to use retail product keys in special situations. Online activation enables you to activate over the Internet any products installed with MAK, KMS host, or retail product keys on one or more connected computers within a network. This process requires that each product communicate activation information directly to Microsoft. -- **Proxy activation.** This activation method enables you to perform volume activation for products installed on client computers that do not have Internet access. The VAMT host computer distributes a MAK, KMS Host key (CSVLK), or retail product key to one or more client products and collects the installation ID (IID) from each client product. The VAMT host sends the IIDs to Microsoft on behalf of the client products and obtains the corresponding Confirmation IDs (CIDs). The VAMT host then installs the CIDs on the client products to complete the activation. Using this method, only the VAMT host computer needs Internet access. You can also activate products installed on computers in a workgroup that is completely isolated from any larger network, by installing a second instance of VAMT on a computer within the workgroup. Then, use removable media to transfer activation data between this new instance of VAMT and the Internet-connected VAMT host. - -## Managing Key Management Service (KMS) Activation - -In addition to MAK or retail activation, you can use VAMT to perform volume activation using the Key Management Service (KMS). VAMT can install and activate GVLK (KMS client) keys on client products. GVLKs are the default product keys used by Volume License editions of Windows Vista, Windows 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012 as well as Microsoft Office 2010. 
-VAMT treats a KMS Host key (CSVLK) product key identically to a retail-type product key; therefore, the experience for product key entry and activation management are identical for both these product key types. - -## Enterprise Environment - -VAMT is commonly implemented in enterprise environments. The following illustrates three common environments—Core Network, Secure Zone, and Isolated Lab. - -![VAMT in the enterprise](images/dep-win8-l-vamt-image001-enterprise.jpg) - -In the Core Network environment, all computers are within a common network managed by Active Directory® Domain Services (AD DS). The Secure Zone represents higher-security Core Network computers that have additional firewall protection. -The Isolated Lab environment is a workgroup that is physically separate from the Core Network, and its computers do not have Internet access. The network security policy states that no information that could identify a specific computer or user may be transferred out of the Isolated Lab. - -## VAMT User Interface - -The following screenshot shows the VAMT graphical user interface. - -![VAMT user interface](images/vamtuserinterfaceupdated.jpg) - -VAMT provides a single, graphical user interface for managing activations, and for performing other activation-related tasks such as: -- **Adding and removing computers.** You can use VAMT to discover computers in the local environment. VAMT can discover computers by querying AD DS, workgroups, by individual computer name or IP address, or via a general LDAP query. -- **Discovering products.** You can use VAMT to discover Windows, Windows Server, Office, and select other products installed on the client computers. -- **Monitoring activation status.** You can collect activation information about each product, including the last 5 characters of the product key being used, the current license state (such as Licensed, Grace, Unlicensed), and the product edition information. 
-- **Managing product keys.** You can store multiple product keys and use VAMT to install these keys to remote client products. You can also determine the number of activations remaining for MAKs. -- **Managing activation data.** VAMT stores activation data in a SQL database. VAMT can export this data to other VAMT hosts or to an archive in XML format. - -## Related topics -- [VAMT Step-by-Step Scenarios](vamt-step-by-step.md) - - +--- +title: Introduction to VAMT (Windows 10) +description: VAMT enables administrators to automate and centrally manage the Windows, Microsoft Office, and select other Microsoft products volume and retail activation process. +ms.assetid: 0439685e-0bae-4967-b0d4-dd84ca6d7fa7 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: activation +audience: itpro +author: greg-lindsay +ms.date: 04/25/2017 +ms.topic: article +--- + +# Introduction to VAMT + +The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows®, Microsoft® Office®, and select other Microsoft products volume and retail activation process. VAMT can manage volume activation using Multiple Activation Keys (MAKs) or the Windows Key Management Service (KMS). VAMT is a standard Microsoft Management Console (MMC) snap-in and can be installed on any computer that has one of the following Windows operating systems: Windows® 7, Windows 8, Windows 8.1, Windows 10,Windows Server 2008 R2, or Windows Server 2012. + +**Note**   +VAMT can be installed on, and can manage, physical or virtual instances. VAMT cannot detect whether or not the remote products are virtual. As long as the products can respond to Windows Management Instrumentation (WMI) calls, they will be discovered and activated. 
+ +## In this Topic +- [Managing Multiple Activation Key (MAK) and Retail Activation](#bkmk-managingmak) +- [Managing Key Management Service (KMS) Activation](#bkmk-managingkms) +- [Enterprise Environment](#bkmk-enterpriseenvironment) +- [VAMT User Interface](#bkmk-userinterface) + +## Managing Multiple Activation Key (MAK) and Retail Activation + +You can use a MAK or a retail product key to activate Windows, Windows Server, or Office on an individual computer or a group of computers. VAMT enables two different activation scenarios: +- **Online activation.** Many enterprises maintain a single Windows system image or Office installation package for deployment across the enterprise. Occasionally there is also a need to use retail product keys in special situations. Online activation enables you to activate over the Internet any products installed with MAK, KMS host, or retail product keys on one or more connected computers within a network. This process requires that each product communicate activation information directly to Microsoft. +- **Proxy activation.** This activation method enables you to perform volume activation for products installed on client computers that do not have Internet access. The VAMT host computer distributes a MAK, KMS Host key (CSVLK), or retail product key to one or more client products and collects the installation ID (IID) from each client product. The VAMT host sends the IIDs to Microsoft on behalf of the client products and obtains the corresponding Confirmation IDs (CIDs). The VAMT host then installs the CIDs on the client products to complete the activation. Using this method, only the VAMT host computer needs Internet access. You can also activate products installed on computers in a workgroup that is completely isolated from any larger network, by installing a second instance of VAMT on a computer within the workgroup. 
Then, use removable media to transfer activation data between this new instance of VAMT and the Internet-connected VAMT host. + +## Managing Key Management Service (KMS) Activation + +In addition to MAK or retail activation, you can use VAMT to perform volume activation using the Key Management Service (KMS). VAMT can install and activate GVLK (KMS client) keys on client products. GVLKs are the default product keys used by Volume License editions of Windows Vista, Windows 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012 as well as Microsoft Office 2010. +VAMT treats a KMS Host key (CSVLK) product key identically to a retail-type product key; therefore, the experience for product key entry and activation management are identical for both these product key types. + +## Enterprise Environment + +VAMT is commonly implemented in enterprise environments. The following illustrates three common environments—Core Network, Secure Zone, and Isolated Lab. + +![VAMT in the enterprise](images/dep-win8-l-vamt-image001-enterprise.jpg) + +In the Core Network environment, all computers are within a common network managed by Active Directory® Domain Services (AD DS). The Secure Zone represents higher-security Core Network computers that have additional firewall protection. +The Isolated Lab environment is a workgroup that is physically separate from the Core Network, and its computers do not have Internet access. The network security policy states that no information that could identify a specific computer or user may be transferred out of the Isolated Lab. + +## VAMT User Interface + +The following screenshot shows the VAMT graphical user interface. 
+ +![VAMT user interface](images/vamtuserinterfaceupdated.jpg) + +VAMT provides a single, graphical user interface for managing activations, and for performing other activation-related tasks such as: +- **Adding and removing computers.** You can use VAMT to discover computers in the local environment. VAMT can discover computers by querying AD DS, workgroups, by individual computer name or IP address, or via a general LDAP query. +- **Discovering products.** You can use VAMT to discover Windows, Windows Server, Office, and select other products installed on the client computers. +- **Monitoring activation status.** You can collect activation information about each product, including the last 5 characters of the product key being used, the current license state (such as Licensed, Grace, Unlicensed), and the product edition information. +- **Managing product keys.** You can store multiple product keys and use VAMT to install these keys to remote client products. You can also determine the number of activations remaining for MAKs. +- **Managing activation data.** VAMT stores activation data in a SQL database. VAMT can export this data to other VAMT hosts or to an archive in XML format. + +## Related topics +- [VAMT Step-by-Step Scenarios](vamt-step-by-step.md) + + diff --git a/windows/deployment/volume-activation/manage-activations-vamt.md b/windows/deployment/volume-activation/manage-activations-vamt.md index 318cd0cb65..e1e2f2151e 100644 --- a/windows/deployment/volume-activation/manage-activations-vamt.md +++ b/windows/deployment/volume-activation/manage-activations-vamt.md 
@@ -1,33 +1,34 @@ ---- -title: Manage Activations (Windows 10) -description: Manage Activations -ms.assetid: 53bad9ed-9430-4f64-a8de-80613870862c -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: activation -audience: itpro author: greg-lindsay -ms.date: 04/25/2017 -ms.topic: article ---- - -# Manage Activations - -This section describes how to activate a client computer, by using a variety of activation methods. - -## In this Section - -|Topic |Description | -|------|------------| -|[Perform Online Activation](online-activation-vamt.md) |Describes how to activate a client computer over the Internet. | -|[Perform Proxy Activation](proxy-activation-vamt.md) |Describes how to perform volume activation for client products that do not have Internet access. | -|[Perform KMS Activation](kms-activation-vamt.md) |Describes how perform volume activation using the Key Management Service (KMS). | -|[Perform Local Reactivation](local-reactivation-vamt.md) |Describes how to reactivate an operating system or Office program that was reinstalled. | -|[Activate an Active Directory Forest Online](activate-forest-vamt.md) |Describes how to use Active Directory-Based Activation to online activate an Active Directory forest. | -|[Activate by Proxy an Active Directory Forest](activate-forest-by-proxy-vamt.md) |Describes how to use Active Directory-Based Activation to proxy activate an Active Directory forest that is not connected to the Internet. | - - - +--- +title: Manage Activations (Windows 10) +description: Learn how to manage activations and how to activate a client computer by using a variety of activation methods. 
+ms.assetid: 53bad9ed-9430-4f64-a8de-80613870862c +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: activation +audience: itpro +author: greg-lindsay +ms.date: 04/25/2017 +ms.topic: article +--- + +# Manage Activations + +This section describes how to activate a client computer, by using a variety of activation methods. + +## In this Section + +|Topic |Description | +|------|------------| +|[Perform Online Activation](online-activation-vamt.md) |Describes how to activate a client computer over the Internet. | +|[Perform Proxy Activation](proxy-activation-vamt.md) |Describes how to perform volume activation for client products that do not have Internet access. | +|[Perform KMS Activation](kms-activation-vamt.md) |Describes how perform volume activation using the Key Management Service (KMS). | +|[Perform Local Reactivation](local-reactivation-vamt.md) |Describes how to reactivate an operating system or Office program that was reinstalled. | +|[Activate an Active Directory Forest Online](activate-forest-vamt.md) |Describes how to use Active Directory-Based Activation to online activate an Active Directory forest. | +|[Activate by Proxy an Active Directory Forest](activate-forest-by-proxy-vamt.md) |Describes how to use Active Directory-Based Activation to proxy activate an Active Directory forest that is not connected to the Internet. | + + + diff --git a/windows/deployment/volume-activation/manage-product-keys-vamt.md b/windows/deployment/volume-activation/manage-product-keys-vamt.md index bedd50af8f..1eb0380671 100644 --- a/windows/deployment/volume-activation/manage-product-keys-vamt.md +++ b/windows/deployment/volume-activation/manage-product-keys-vamt.md 
@@ -1,29 +1,30 @@ ---- -title: Manage Product Keys (Windows 10) -description: Manage Product Keys -ms.assetid: 4c6c4216-b4b7-437c-904e-4cb257f913cd -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: activation -audience: itpro author: greg-lindsay -ms.date: 04/25/2017 -ms.topic: article ---- - -# Manage Product Keys - -This section describes how to add and remove a product key from the Volume Activation Management Tool (VAMT). After you add a product key to VAMT, you can install that product key on a product or products you select in the VAMT database. -## In this Section - -|Topic |Description | -|------|------------| -|[Add and Remove a Product Key](add-remove-product-key-vamt.md) |Describes how to add a product key to the VAMT database. | -|[Install a Product Key](install-product-key-vamt.md) |Describes how to install a product key for specific product. | -|[Install a KMS Client Key](install-kms-client-key-vamt.md) |Describes how to install a GVLK (KMS client) key. | - - - +--- +title: Manage Product Keys (Windows 10) +description: In this article, learn how to add and remove a product key from the Volume Activation Management Tool (VAMT). +ms.assetid: 4c6c4216-b4b7-437c-904e-4cb257f913cd +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: activation +audience: itpro +author: greg-lindsay +ms.date: 04/25/2017 +ms.topic: article +--- + +# Manage Product Keys + +This section describes how to add and remove a product key from the Volume Activation Management Tool (VAMT). After you add a product key to VAMT, you can install that product key on a product or products you select in the VAMT database. +## In this Section + +|Topic |Description | +|------|------------| +|[Add and Remove a Product Key](add-remove-product-key-vamt.md) |Describes how to add a product key to the VAMT database. 
| +|[Install a Product Key](install-product-key-vamt.md) |Describes how to install a product key for specific product. | +|[Install a KMS Client Key](install-kms-client-key-vamt.md) |Describes how to install a GVLK (KMS client) key. | + + + diff --git a/windows/deployment/volume-activation/manage-vamt-data.md b/windows/deployment/volume-activation/manage-vamt-data.md index 7d068975cd..6f2f8b2dd0 100644 --- a/windows/deployment/volume-activation/manage-vamt-data.md +++ b/windows/deployment/volume-activation/manage-vamt-data.md 
@@ -1,25 +1,26 @@ ---- -title: Manage VAMT Data (Windows 10) -description: Manage VAMT Data -ms.assetid: 233eefa4-3125-4965-a12d-297a67079dc4 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: activation -audience: itpro author: greg-lindsay -ms.date: 04/25/2017 -ms.topic: article ---- - -# Manage VAMT Data - -This section describes how to save, import, export, and merge a Computer Information List (CILX) file using the Volume Activation Management Tool (VAMT). - -## In this Section -|Topic |Description | -|------|------------| -|[Import and Export VAMT Data](import-export-vamt-data.md) |Describes how to import and export VAMT data. | -|[Use VAMT in Windows PowerShell](use-vamt-in-windows-powershell.md) |Describes how to access Windows PowerShell and how to import the VAMT PowerShell module. | +--- +title: Manage VAMT Data (Windows 10) +description: Learn how to save, import, export, and merge a Computer Information List (CILX) file using the Volume Activation Management Tool (VAMT). +ms.assetid: 233eefa4-3125-4965-a12d-297a67079dc4 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: activation +audience: itpro +author: greg-lindsay +ms.date: 04/25/2017 +ms.topic: article +--- + +# Manage VAMT Data + +This section describes how to save, import, export, and merge a Computer Information List (CILX) file using the Volume Activation Management Tool (VAMT). + +## In this Section +|Topic |Description | +|------|------------| +|[Import and Export VAMT Data](import-export-vamt-data.md) |Describes how to import and export VAMT data. | +|[Use VAMT in Windows PowerShell](use-vamt-in-windows-powershell.md) |Describes how to access Windows PowerShell and how to import the VAMT PowerShell module. | 
diff --git a/windows/deployment/volume-activation/monitor-activation-client.md b/windows/deployment/volume-activation/monitor-activation-client.md
index ea131b996d..143855e843 100644
--- a/windows/deployment/volume-activation/monitor-activation-client.md
+++ b/windows/deployment/volume-activation/monitor-activation-client.md
@@ -1,44 +1,45 @@ ---- -title: Monitor activation (Windows 10) -ms.assetid: 264a3e86-c880-4be4-8828-bf4c839dfa26 -ms.reviewer: -manager: laurawi -ms.author: greglin -description: -keywords: vamt, volume activation, activation, windows activation -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: activation -audience: itpro author: greg-lindsay -ms.localizationpriority: medium -ms.topic: article ---- - -# Monitor activation - -**Applies to** -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 R2 -- Windows Server 2012 -- Windows Server 2008 R2 - -**Looking for retail activation?** - -- [Get Help Activating Microsoft Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644) - -You can monitor the success of the activation process for a computer running Windows in several ways. The most popular methods include: -- Using the Volume Licensing Service Center website to track use of MAK keys. -- Using the **Slmgr /dlv** command on a client computer or on the KMS host. (For a full list of options, see [Slmgr.vbs Options](https://technet.microsoft.com/library/ff793433.aspx).) -- Viewing the licensing status, which is exposed through Windows Management Instrumentation (WMI); therefore, it is available to non-Microsoft or custom tools that can access WMI. (Windows PowerShell can also access WMI information.) -- Most licensing actions and events are recorded in the Event log (ex: Application Log events 12288-12290). -- Microsoft System Center Operations Manager and the KMS Management Pack can provide insight and information to users of System Center Operations Manager. -- See [Troubleshooting activation error codes](https://docs.microsoft.com/windows-server/get-started/activation-error-codes) for information about troubleshooting procedures for Multiple Activation Key (MAK) or the Key Management Service (KMS). -- The VAMT provides a single site from which to manage and monitor volume activations. 
This is explained in the next section. - -## See also - -[Volume Activation for Windows 10](volume-activation-windows-10.md) +--- +title: Monitor activation (Windows 10) +ms.assetid: 264a3e86-c880-4be4-8828-bf4c839dfa26 +ms.reviewer: +manager: laurawi +ms.author: greglin +description: +keywords: vamt, volume activation, activation, windows activation +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: activation +audience: itpro +author: greg-lindsay +ms.localizationpriority: medium +ms.topic: article +--- + +# Monitor activation + +**Applies to** +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2012 +- Windows Server 2008 R2 + +**Looking for retail activation?** + +- [Get Help Activating Microsoft Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644) + +You can monitor the success of the activation process for a computer running Windows in several ways. The most popular methods include: +- Using the Volume Licensing Service Center website to track use of MAK keys. +- Using the **Slmgr /dlv** command on a client computer or on the KMS host. (For a full list of options, see [Slmgr.vbs Options](https://technet.microsoft.com/library/ff793433.aspx).) +- Viewing the licensing status, which is exposed through Windows Management Instrumentation (WMI); therefore, it is available to non-Microsoft or custom tools that can access WMI. (Windows PowerShell can also access WMI information.) +- Most licensing actions and events are recorded in the Event log (ex: Application Log events 12288-12290). +- Microsoft System Center Operations Manager and the KMS Management Pack can provide insight and information to users of System Center Operations Manager. +- See [Troubleshooting activation error codes](https://docs.microsoft.com/windows-server/get-started/activation-error-codes) for information about troubleshooting procedures for Multiple Activation Key (MAK) or the Key Management Service (KMS). 
+- The VAMT provides a single site from which to manage and monitor volume activations. This is explained in the next section. + +## See also + +[Volume Activation for Windows 10](volume-activation-windows-10.md) diff --git a/windows/deployment/volume-activation/online-activation-vamt.md b/windows/deployment/volume-activation/online-activation-vamt.md index 45f237024f..96d0e8abdd 100644 --- a/windows/deployment/volume-activation/online-activation-vamt.md +++ b/windows/deployment/volume-activation/online-activation-vamt.md 
@@ -1,55 +1,56 @@ ---- -title: Perform Online Activation (Windows 10) -description: Perform Online Activation -ms.assetid: 8381792b-a454-4e66-9b4c-e6e4c9303823 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: activation -audience: itpro author: greg-lindsay -ms.date: 04/25/2017 -ms.topic: article ---- - -# Perform Online Activation - -You can use the Volume Activation Management Tool (VAMT) to enable client products to be activated over the Internet. You can install the client products with any kind of product key that is eligible for online activation—Multiple Activation Key (MAK), retail, and Windows Key Management Services (KMS) host key. - -## Requirements - -Before performing online activation, ensure that the network and the VAMT installation meet the following requirements: -- VAMT is installed on a central computer that has network access to all client computers. -- Both the VAMT host and client computers have Internet access. -- The products that you want to activate are added to VAMT. -- VAMT has administrative permissions on all computers that you intend to activate, and that Windows Management Instrumentation (WMI) can be accessed through the Windows firewall. For more information, see [Configure Client Computers](configure-client-computers-vamt.md). - -The product keys that are installed on the client products must have a sufficient number of remaining activations. If you are activating a MAK key, you can retrieve the remaining number of activations for that key by selecting the MAK in the product key list in the center pane and then clicking -**Refresh product key data online** in the right-side pane. This retrieves the number of remaining activations for the MAK from Microsoft. Note that this step requires Internet access and that the remaining activation count can only be retrieved for MAKs. - -## To Perform an Online Activation - -**To perform an online activation** -1. 
Open VAMT. -2. In the products list view in the center pane, sort the list if necessary. You can use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box. -3. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options. - - To filter the list by computer name, enter a name in the **Computer Name** box. - - To filter the list by Product Name, Product Key Type, or License Status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter. -4. Click **Filter**. VAMT displays the filtered list in the center pane. -5. Select the products that you want to activate. You can use the **CTRL** key or the **SHIFT** key to select more than one product. -6. Click **Activate** in the **Selected Items** menu in the right-side **Actions** pane and then point to **Activate**. If the **Actions** pane is not displayed, click the Show/Hide Action Pane button, which is located on the toolbar to the right of the Help button. -7. Point to **Online activate**, and then select the appropriate credential option. If you click the **Alternate Credentials** option, you will be prompted to enter an alternate user name and password. -8. VAMT displays the **Activating products** dialog box until it completes the requested action. When activation is complete, the status appears in the **Action Status** column of the dialog box. Click **Close** to close the dialog box. You can also click the **Automatically close when done** check box when the dialog box appears. - - The same status is shown under the **Status of Last Action** column in the products list view in the center pane. - - **Note**   - Online activation does not enable you to save the Confirmation IDs (CIDs). As a result, you cannot perform local reactivation. 
- - **Note** - You can use online activation to select products that have different key types and activate the products at the same time. - -## Related topics -- [Manage Activations](manage-activations-vamt.md) +--- +title: Perform Online Activation (Windows 10) +description: Learn how to use the Volume Activation Management Tool (VAMT) to enable client products to be activated online. +ms.assetid: 8381792b-a454-4e66-9b4c-e6e4c9303823 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: activation +audience: itpro +author: greg-lindsay +ms.date: 04/25/2017 +ms.topic: article +--- + +# Perform Online Activation + +You can use the Volume Activation Management Tool (VAMT) to enable client products to be activated over the Internet. You can install the client products with any kind of product key that is eligible for online activation—Multiple Activation Key (MAK), retail, and Windows Key Management Services (KMS) host key. + +## Requirements + +Before performing online activation, ensure that the network and the VAMT installation meet the following requirements: +- VAMT is installed on a central computer that has network access to all client computers. +- Both the VAMT host and client computers have Internet access. +- The products that you want to activate are added to VAMT. +- VAMT has administrative permissions on all computers that you intend to activate, and that Windows Management Instrumentation (WMI) can be accessed through the Windows firewall. For more information, see [Configure Client Computers](configure-client-computers-vamt.md). + +The product keys that are installed on the client products must have a sufficient number of remaining activations. If you are activating a MAK key, you can retrieve the remaining number of activations for that key by selecting the MAK in the product key list in the center pane and then clicking +**Refresh product key data online** in the right-side pane. 
This retrieves the number of remaining activations for the MAK from Microsoft. Note that this step requires Internet access and that the remaining activation count can only be retrieved for MAKs. + +## To Perform an Online Activation + +**To perform an online activation** +1. Open VAMT. +2. In the products list view in the center pane, sort the list if necessary. You can use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box. +3. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options. + - To filter the list by computer name, enter a name in the **Computer Name** box. + - To filter the list by Product Name, Product Key Type, or License Status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter. +4. Click **Filter**. VAMT displays the filtered list in the center pane. +5. Select the products that you want to activate. You can use the **CTRL** key or the **SHIFT** key to select more than one product. +6. Click **Activate** in the **Selected Items** menu in the right-side **Actions** pane and then point to **Activate**. If the **Actions** pane is not displayed, click the Show/Hide Action Pane button, which is located on the toolbar to the right of the Help button. +7. Point to **Online activate**, and then select the appropriate credential option. If you click the **Alternate Credentials** option, you will be prompted to enter an alternate user name and password. +8. VAMT displays the **Activating products** dialog box until it completes the requested action. When activation is complete, the status appears in the **Action Status** column of the dialog box. Click **Close** to close the dialog box. 
You can also click the **Automatically close when done** check box when the dialog box appears. + + The same status is shown under the **Status of Last Action** column in the products list view in the center pane. + + **Note**   + Online activation does not enable you to save the Confirmation IDs (CIDs). As a result, you cannot perform local reactivation. + + **Note** + You can use online activation to select products that have different key types and activate the products at the same time. + +## Related topics +- [Manage Activations](manage-activations-vamt.md) diff --git a/windows/deployment/volume-activation/remove-products-vamt.md b/windows/deployment/volume-activation/remove-products-vamt.md index 65dd923d7e..ce8b8c1e39 100644 --- a/windows/deployment/volume-activation/remove-products-vamt.md +++ b/windows/deployment/volume-activation/remove-products-vamt.md 
@@ -1,35 +1,36 @@ ---- -title: Remove Products (Windows 10) -description: Remove Products -ms.assetid: 4d44379e-dda1-4a8f-8ebf-395b6c0dad8e -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: activation -audience: itpro author: greg-lindsay -ms.date: 04/25/2017 -ms.topic: article ---- - -# Remove Products - -To remove one or more products from the Volume Activation Management Tool (VAMT), you can delete them from the product list view in the center pane. - -**To delete one or more products** -1. Click a product node in the left-side pane. -2. You can use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box. -3. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options. - - To filter the list by computer name, enter a name in the **Computer Name** box. - - To filter the list by Product Name, Product Key Type, or License Status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter. -4. Click **Filter**. VAMT displays the filtered list in the center pane. -5. Select the products you want to delete. -6. Click **Delete** in the **Selected Items** menu in the right-side pane. -7. On the **Confirm Delete Selected Products** dialog box, click **OK**. - -## Related topics -- [Add and Manage Products](add-manage-products-vamt.md) -  -  +--- +title: Remove Products (Windows 10) +description: Learn how you must delete products from the product list view so you can remove products from the Volume Activation Management Tool (VAMT). 
+ms.assetid: 4d44379e-dda1-4a8f-8ebf-395b6c0dad8e +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: activation +audience: itpro +author: greg-lindsay +ms.date: 04/25/2017 +ms.topic: article +--- + +# Remove Products + +To remove one or more products from the Volume Activation Management Tool (VAMT), you can delete them from the product list view in the center pane. + +**To delete one or more products** +1. Click a product node in the left-side pane. +2. You can use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box. +3. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options. + - To filter the list by computer name, enter a name in the **Computer Name** box. + - To filter the list by Product Name, Product Key Type, or License Status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter. +4. Click **Filter**. VAMT displays the filtered list in the center pane. +5. Select the products you want to delete. +6. Click **Delete** in the **Selected Items** menu in the right-side pane. +7. On the **Confirm Delete Selected Products** dialog box, click **OK**. + +## Related topics +- [Add and Manage Products](add-manage-products-vamt.md) +  +  diff --git a/windows/deployment/volume-activation/scenario-kms-activation-vamt.md b/windows/deployment/volume-activation/scenario-kms-activation-vamt.md index 34263037b3..400b2ad2e1 100644 --- a/windows/deployment/volume-activation/scenario-kms-activation-vamt.md +++ b/windows/deployment/volume-activation/scenario-kms-activation-vamt.md 
@@ -1,48 +1,49 @@ ---- -title: Scenario 3 KMS Client Activation (Windows 10) -description: Scenario 3 KMS Client Activation -ms.assetid: 72b04e8f-cd35-490c-91ab-27ea799b05d0 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: activation -audience: itpro author: greg-lindsay -ms.date: 04/25/2017 -ms.topic: article ---- - -# Scenario 3: KMS Client Activation - -In this scenario, you use the Volume Activation Management Tool (VAMT) to activate Key Management Service (KMS) client keys or Generic Volume License Keys (GVLKs). This can be performed on either Core Network or Isolated Lab computers. By default, volume license editions of Windows Vista, Windows® 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, Windows Server® 2012, and Microsoft® Office 2010 use KMS for activation. GVLKs are already installed in volume license editions of these products. You do not have to enter a key to activate a product as a GVLK, unless you are converting a MAK-activated product to a KMS activation. For more information, see [Install a KMS Client Key](install-kms-client-key-vamt.md). - -The procedure that is described below assumes the following: -- The KMS Service is enabled and available to all KMS clients. -- VAMT has been installed and computers have been added to the VAMT database. See Parts 1 through 4 in either [Scenario 1: Online Activation](scenario-online-activation-vamt.md) or [Scenario 2: Proxy Activation](scenario-proxy-activation-vamt.md) for more information. - -## Activate KMS Clients - -1. Open VAMT. -2. To set the KMS activation options, on the menu bar click **View**. Then click **Preferences** to open the **Volume Activation Management Tool Preferences** dialog box. -3. In the **Volume Activation Management Tool Preferences** dialog box, under **KMS Management Services host selection** select from the following options: - - **Find a KMS host automatically using DNS**. 
This is the default setting. VAMT will instruct the computer to query the Domain Name Service (DNS) to locate a KMS host and perform activation. If the client contains a registry key with a valid KMS host, that value will be used instead. - - **Find a KMS host using DNS in this domain for supported products**. Select this option if you use a specific domain, and enter the name of the domain. - - **Use specific KMS host**. Select this option for environments which do not use DNS for KMS host identification, and manually enter the KMS host name and select the KMS host port. VAMT will set the specified KMS host name and KMS host port on the target computer, and then instruct the computer to perform activation with the specific KMS host. -4. In the left-side pane, in the **Products** node, click the product that you want to activate. -5. In the products list view in the center pane, sort the list if necessary. You can use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box. -6. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options. - - To filter the list by computer name, enter a name in the **Computer Name** box. - - To filter the list by Product Name, Product Key Type, or License Status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter. -7. Click **Filter**. VAMT displays the filtered list in the center pane. -8. Select the products that you want to activate. -9. Click **Activate** in the **Selected Items** menu in the right-side **Actions** pane, click **Activate**, point to **Volume activate**, and then click the appropriate credential option. If you click the **Alternate Credentials** option, you will be prompted to enter an alternate user name and password. -10. 
VAMT displays the **Activating products** dialog box until it completes the requested action. When activation is complete, the status appears in the **Action Status** column of the dialog box. Click **Close** to close the dialog box. You can also click the **Automatically close when done** check box when the dialog box appears. - -The same status is shown under the **Status of Last Action** column in the products list view in the center pane. - -## Related topics -- [VAMT Step-by-Step Scenarios](vamt-step-by-step.md) -  -  +--- +title: Scenario 3 KMS Client Activation (Windows 10) +description: Learn how to use the Volume Activation Management Tool (VAMT) to activate Key Management Service (KMS) client keys or Generic Volume License Keys (GVLKs). +ms.assetid: 72b04e8f-cd35-490c-91ab-27ea799b05d0 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: activation +audience: itpro +author: greg-lindsay +ms.date: 04/25/2017 +ms.topic: article +--- + +# Scenario 3: KMS Client Activation + +In this scenario, you use the Volume Activation Management Tool (VAMT) to activate Key Management Service (KMS) client keys or Generic Volume License Keys (GVLKs). This can be performed on either Core Network or Isolated Lab computers. By default, volume license editions of Windows Vista, Windows® 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, Windows Server® 2012, and Microsoft® Office 2010 use KMS for activation. GVLKs are already installed in volume license editions of these products. You do not have to enter a key to activate a product as a GVLK, unless you are converting a MAK-activated product to a KMS activation. For more information, see [Install a KMS Client Key](install-kms-client-key-vamt.md). + +The procedure that is described below assumes the following: +- The KMS Service is enabled and available to all KMS clients. 
+- VAMT has been installed and computers have been added to the VAMT database. See Parts 1 through 4 in either [Scenario 1: Online Activation](scenario-online-activation-vamt.md) or [Scenario 2: Proxy Activation](scenario-proxy-activation-vamt.md) for more information. + +## Activate KMS Clients + +1. Open VAMT. +2. To set the KMS activation options, on the menu bar click **View**. Then click **Preferences** to open the **Volume Activation Management Tool Preferences** dialog box. +3. In the **Volume Activation Management Tool Preferences** dialog box, under **KMS Management Services host selection** select from the following options: + - **Find a KMS host automatically using DNS**. This is the default setting. VAMT will instruct the computer to query the Domain Name Service (DNS) to locate a KMS host and perform activation. If the client contains a registry key with a valid KMS host, that value will be used instead. + - **Find a KMS host using DNS in this domain for supported products**. Select this option if you use a specific domain, and enter the name of the domain. + - **Use specific KMS host**. Select this option for environments which do not use DNS for KMS host identification, and manually enter the KMS host name and select the KMS host port. VAMT will set the specified KMS host name and KMS host port on the target computer, and then instruct the computer to perform activation with the specific KMS host. +4. In the left-side pane, in the **Products** node, click the product that you want to activate. +5. In the products list view in the center pane, sort the list if necessary. You can use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box. +6. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options. 
+ - To filter the list by computer name, enter a name in the **Computer Name** box. + - To filter the list by Product Name, Product Key Type, or License Status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter. +7. Click **Filter**. VAMT displays the filtered list in the center pane. +8. Select the products that you want to activate. +9. Click **Activate** in the **Selected Items** menu in the right-side **Actions** pane, click **Activate**, point to **Volume activate**, and then click the appropriate credential option. If you click the **Alternate Credentials** option, you will be prompted to enter an alternate user name and password. +10. VAMT displays the **Activating products** dialog box until it completes the requested action. When activation is complete, the status appears in the **Action Status** column of the dialog box. Click **Close** to close the dialog box. You can also click the **Automatically close when done** check box when the dialog box appears. + +The same status is shown under the **Status of Last Action** column in the products list view in the center pane. + +## Related topics +- [VAMT Step-by-Step Scenarios](vamt-step-by-step.md) +  +  diff --git a/windows/deployment/volume-activation/scenario-proxy-activation-vamt.md b/windows/deployment/volume-activation/scenario-proxy-activation-vamt.md index 3c52c27790..f46556cdae 100644 --- a/windows/deployment/volume-activation/scenario-proxy-activation-vamt.md +++ b/windows/deployment/volume-activation/scenario-proxy-activation-vamt.md @@ -1,6 +1,6 @@ --- title: Scenario 2 Proxy Activation (Windows 10) -description: Scenario 2 Proxy Activation +description: Use the Volume Activation Management Tool (VAMT) to activate products that are installed on workgroup computers in an isolated lab environment. ms.assetid: ed5a8a56-d9aa-4895-918f-dd1898cb2c1a ms.reviewer: manager: laurawi 
diff --git a/windows/deployment/volume-activation/update-product-status-vamt.md b/windows/deployment/volume-activation/update-product-status-vamt.md
index 038839adb4..1e3cd0e815 100644
--- a/windows/deployment/volume-activation/update-product-status-vamt.md
+++ b/windows/deployment/volume-activation/update-product-status-vamt.md
@@ -1,38 +1,39 @@ ---- -title: Update Product Status (Windows 10) -description: Update Product Status -ms.assetid: 39d4abd4-801a-4e8f-9b8c-425a24a96764 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: activation -audience: itpro author: greg-lindsay -ms.date: 04/25/2017 -ms.topic: article ---- - -# Update Product Status - -After you add computers to the VAMT database, you need to use the **Update license status** function to add the products that are installed on the computers. You can also use the **Update license status** at any time to retrieve the most current license status for any products in the VAMT database. -To retrieve license status, VAMT must have administrative permissions on all selected computers and Windows Management Instrumentation (WMI) must be accessible through the Windows Firewall. In addition, for workgroup computers, a registry key must be created to enable remote administrative actions under User Account Control (UAC). For more information, see [Configure Client Computers](configure-client-computers-vamt.md). - -**Note**   -The license-status query requires a valid computer name for each system queried. If the VAMT database contains computers that were added without Personally Identifiable Information, computer names will not be available for those computers, and the status for these computers will not be updated. - -## Update the license status of a product - -1. Open VAMT. -2. In the **Products** list, select one or more products that need to have their status updated. -3. In the right-side **Actions** pane, click **Update license status** and then click a credential option. Choose **Alternate Credentials** only if you are updating products that require administrator credentials different from the ones you used to log into the computer. -4. 
If you are supplying alternate credentials, in the **Windows Security** dialog box type the appropriate user name and password and click **OK**. - - VAMT displays the **Collecting product information** dialog box while it collects the status of all selected products. When the process is finished, the updated licensing status of each product will appear in the product list view in the center pane. - - **Note**   - If a previously discovered Microsoft Office 2010 product has been uninstalled from the remote computer, updating its licensing status will cause the entry to be deleted from the **Office** product list view, and, consequently, the total number of discovered products will be smaller. However, the Windows installation of the same computer will not be deleted and will always be shown in the **Windows** products list view. - -## Related topics -- [Add and Manage Products](add-manage-products-vamt.md) +--- +title: Update Product Status (Windows 10) +description: Learn how to use the Update license status function to add the products that are installed on the computers. +ms.assetid: 39d4abd4-801a-4e8f-9b8c-425a24a96764 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: activation +audience: itpro +author: greg-lindsay +ms.date: 04/25/2017 +ms.topic: article +--- + +# Update Product Status + +After you add computers to the VAMT database, you need to use the **Update license status** function to add the products that are installed on the computers. You can also use the **Update license status** at any time to retrieve the most current license status for any products in the VAMT database. +To retrieve license status, VAMT must have administrative permissions on all selected computers and Windows Management Instrumentation (WMI) must be accessible through the Windows Firewall. 
In addition, for workgroup computers, a registry key must be created to enable remote administrative actions under User Account Control (UAC). For more information, see [Configure Client Computers](configure-client-computers-vamt.md). + +**Note**   +The license-status query requires a valid computer name for each system queried. If the VAMT database contains computers that were added without Personally Identifiable Information, computer names will not be available for those computers, and the status for these computers will not be updated. + +## Update the license status of a product + +1. Open VAMT. +2. In the **Products** list, select one or more products that need to have their status updated. +3. In the right-side **Actions** pane, click **Update license status** and then click a credential option. Choose **Alternate Credentials** only if you are updating products that require administrator credentials different from the ones you used to log into the computer. +4. If you are supplying alternate credentials, in the **Windows Security** dialog box type the appropriate user name and password and click **OK**. + + VAMT displays the **Collecting product information** dialog box while it collects the status of all selected products. When the process is finished, the updated licensing status of each product will appear in the product list view in the center pane. + + **Note**   + If a previously discovered Microsoft Office 2010 product has been uninstalled from the remote computer, updating its licensing status will cause the entry to be deleted from the **Office** product list view, and, consequently, the total number of discovered products will be smaller. However, the Windows installation of the same computer will not be deleted and will always be shown in the **Windows** products list view. + +## Related topics +- [Add and Manage Products](add-manage-products-vamt.md) 
diff --git a/windows/deployment/volume-activation/use-vamt-in-windows-powershell.md b/windows/deployment/volume-activation/use-vamt-in-windows-powershell.md
index 092f297bb9..7389bcd273 100644
--- a/windows/deployment/volume-activation/use-vamt-in-windows-powershell.md
+++ b/windows/deployment/volume-activation/use-vamt-in-windows-powershell.md
@@ -1,6 +1,6 @@
 ---
 title: Use VAMT in Windows PowerShell (Windows 10)
-description: Use VAMT in Windows PowerShell
+description: Learn how to use Volume Activation Management Tool (VAMT) PowerShell cmdlets to perform the same functions as the Vamt.exe command-line tool.
 ms.assetid: 13e0ceec-d827-4681-a5c3-8704349e3ba9
 ms.reviewer:
 manager: laurawi
diff --git a/windows/deployment/volume-activation/vamt-requirements.md b/windows/deployment/volume-activation/vamt-requirements.md
index e9c0da934f..2ee3dbbb3d 100644
--- a/windows/deployment/volume-activation/vamt-requirements.md
+++ b/windows/deployment/volume-activation/vamt-requirements.md
@@ -1,46 +1,47 @@
----
-title: VAMT Requirements (Windows 10)
-description: VAMT Requirements
-ms.assetid: d14d152b-ab8a-43cb-a8fd-2279364007b9
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: activation
-audience: itpro author: greg-lindsay
-ms.date: 04/25/2017
-ms.topic: article
----
-
-# VAMT Requirements
-
-This topic includes info about the product key and system requirements for VAMT.
-
-## Product Key Requirements
-
-The Volume Activation Management Tool (VAMT) can be used to perform activations using any of the following types of product keys.
-
-|Product key type |Where to obtain |
-|-----------------|----------------|
-|
      • Multiple Activation Key (MAK)
      • Key Management Service (KMS) host key (CSVLK)
      • KMS client setup keys (GVLK)
      |Volume licensing keys can only be obtained with a signed contract from Microsoft. For more info, see the [Microsoft Volume Licensing portal](https://go.microsoft.com/fwlink/p/?LinkId=227282). | -|Retail product keys |Obtained at time of product purchase. | - -## System Requirements - -The following table lists the system requirements for the VAMT host computer. - -| Item | Minimum system requirement | -| ---- | ---------------------------| -| Computer and Processor | 1 GHz x86 or x64 processor | -| Memory | 1 GB RAM for x86 or 2 GB RAM for x64 | -| Hard Disk | 16 GB available hard disk space for x86 or 20 GB for x64 | -| External Drive | Removable media (Optional) | -| Display | 1024x768 or higher resolution monitor | -| Network | Connectivity to remote computers via Windows Management Instrumentation (TCP/IP) and Microsoft Activation Web Service on the Internet via HTTPS | -| Operating System | Windows 7, Windows 8, Windows 8.1, Windows 10, Windows Server 2008 R2, Windows Server 2012, or later. | -| Additional Requirements |
      • Connection to a SQL Server database. For more info, see [Install VAMT](install-vamt.md).
      • PowerShell 3.0: For Windows 8, Windows 8.1, Windows 10, and Windows Server 2012, PowerShell is included in the installation. For previous versions of Windows and Windows Server, you must download PowerShell 3.0. To download PowerShell, go to [Download Windows PowerShell 3.0](https://go.microsoft.com/fwlink/p/?LinkId=218356).
      • If installing on Windows Server 2008 R2, you must also install .NET Framework 3.51.
      | - -## Related topics -- [Install and Configure VAMT](install-configure-vamt.md) +--- +title: VAMT Requirements (Windows 10) +description: In this article, learn about the product key and system requierements for Volume Activation Management Tool (VAMT). +ms.assetid: d14d152b-ab8a-43cb-a8fd-2279364007b9 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: activation +audience: itpro +author: greg-lindsay +ms.date: 04/25/2017 +ms.topic: article +--- + +# VAMT Requirements + +This topic includes info about the product key and system requirements for VAMT. + +## Product Key Requirements + +The Volume Activation Management Tool (VAMT) can be used to perform activations using any of the following types of product keys. + +|Product key type |Where to obtain | +|-----------------|----------------| +|
      • Multiple Activation Key (MAK)
      • Key Management Service (KMS) host key (CSVLK)
      • KMS client setup keys (GVLK)
      |Volume licensing keys can only be obtained with a signed contract from Microsoft. For more info, see the [Microsoft Volume Licensing portal](https://go.microsoft.com/fwlink/p/?LinkId=227282). | +|Retail product keys |Obtained at time of product purchase. | + +## System Requirements + +The following table lists the system requirements for the VAMT host computer. + +| Item | Minimum system requirement | +| ---- | ---------------------------| +| Computer and Processor | 1 GHz x86 or x64 processor | +| Memory | 1 GB RAM for x86 or 2 GB RAM for x64 | +| Hard Disk | 16 GB available hard disk space for x86 or 20 GB for x64 | +| External Drive | Removable media (Optional) | +| Display | 1024x768 or higher resolution monitor | +| Network | Connectivity to remote computers via Windows Management Instrumentation (TCP/IP) and Microsoft Activation Web Service on the Internet via HTTPS | +| Operating System | Windows 7, Windows 8, Windows 8.1, Windows 10, Windows Server 2008 R2, Windows Server 2012, or later. | +| Additional Requirements |
      • Connection to a SQL Server database. For more info, see [Install VAMT](install-vamt.md).
      • PowerShell 3.0: For Windows 8, Windows 8.1, Windows 10, and Windows Server 2012, PowerShell is included in the installation. For previous versions of Windows and Windows Server, you must download PowerShell 3.0. To download PowerShell, go to [Download Windows PowerShell 3.0](https://go.microsoft.com/fwlink/p/?LinkId=218356).
      • If installing on Windows Server 2008 R2, you must also install .NET Framework 3.51.
      | + +## Related topics +- [Install and Configure VAMT](install-configure-vamt.md) diff --git a/windows/deployment/volume-activation/vamt-step-by-step.md b/windows/deployment/volume-activation/vamt-step-by-step.md index ae1576bb5f..ef45dc1c96 100644 --- a/windows/deployment/volume-activation/vamt-step-by-step.md +++ b/windows/deployment/volume-activation/vamt-step-by-step.md 
@@ -1,32 +1,33 @@ ---- -title: VAMT Step-by-Step Scenarios (Windows 10) -description: VAMT Step-by-Step Scenarios -ms.assetid: 455c542c-4860-4b57-a1f0-7e2d28e11a10 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: activation -audience: itpro author: greg-lindsay -ms.date: 04/25/2017 -ms.topic: article ---- - -# VAMT Step-by-Step Scenarios - -This section provides step-by-step instructions on implementing the Volume Activation Management Tool (VAMT) in typical environments. VAMT supports many common scenarios; the scenarios in this section describe some of the most common to get you started. - -## In this Section - -|Topic |Description | -|------|------------| -|[Scenario 1: Online Activation](scenario-online-activation-vamt.md) |Describes how to distribute Multiple Activation Keys (MAKs) to products installed on one or more connected computers within a network, and how to instruct these products to contact Microsoft over the Internet for activation. | -|[Scenario 2: Proxy Activation](scenario-proxy-activation-vamt.md) |Describes how to use two VAMT host computers — the first one with Internet access and a second computer within an isolated workgroup — as proxies to perform MAK volume activation for workgroup computers that do not have Internet access. | -|[Scenario 3: KMS Client Activation](scenario-kms-activation-vamt.md) |Describes how to use VAMT to configure client products for Key Management Service (KMS) activation. By default, volume license editions of Windows 10, Windows Vista, Windows® 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, or Windows Server® 2012, and Microsoft® Office 2010 use KMS for activation. | - -## Related topics -- [Introduction to VAMT](introduction-vamt.md) -  -  +--- +title: VAMT Step-by-Step Scenarios (Windows 10) +description: Learn step-by-step instructions on implementing the Volume Activation Management Tool (VAMT) in typical environments. 
+ms.assetid: 455c542c-4860-4b57-a1f0-7e2d28e11a10 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: activation +audience: itpro +author: greg-lindsay +ms.date: 04/25/2017 +ms.topic: article +--- + +# VAMT Step-by-Step Scenarios + +This section provides step-by-step instructions on implementing the Volume Activation Management Tool (VAMT) in typical environments. VAMT supports many common scenarios; the scenarios in this section describe some of the most common to get you started. + +## In this Section + +|Topic |Description | +|------|------------| +|[Scenario 1: Online Activation](scenario-online-activation-vamt.md) |Describes how to distribute Multiple Activation Keys (MAKs) to products installed on one or more connected computers within a network, and how to instruct these products to contact Microsoft over the Internet for activation. | +|[Scenario 2: Proxy Activation](scenario-proxy-activation-vamt.md) |Describes how to use two VAMT host computers — the first one with Internet access and a second computer within an isolated workgroup — as proxies to perform MAK volume activation for workgroup computers that do not have Internet access. | +|[Scenario 3: KMS Client Activation](scenario-kms-activation-vamt.md) |Describes how to use VAMT to configure client products for Key Management Service (KMS) activation. By default, volume license editions of Windows 10, Windows Vista, Windows® 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, or Windows Server® 2012, and Microsoft® Office 2010 use KMS for activation. | + +## Related topics +- [Introduction to VAMT](introduction-vamt.md) +  +  diff --git a/windows/deployment/windows-10-deployment-posters.md b/windows/deployment/windows-10-deployment-posters.md index 3ae808a4af..99b5479318 100644 --- a/windows/deployment/windows-10-deployment-posters.md +++ b/windows/deployment/windows-10-deployment-posters.md 
@@ -12,7 +12,6 @@ ms.mktglfcycl: deploy ms.localizationpriority: medium ms.sitesec: library audience: itpro -author: greg-lindsay ms.topic: article --- diff --git a/windows/deployment/windows-10-deployment-scenarios.md b/windows/deployment/windows-10-deployment-scenarios.md index 80dc7ea0eb..61d5af710d 100644 --- a/windows/deployment/windows-10-deployment-scenarios.md +++ b/windows/deployment/windows-10-deployment-scenarios.md @@ -5,6 +5,7 @@ ms.assetid: 7A29D546-52CC-482C-8870-8123C7DC04B5 ms.reviewer: manager: laurawi ms.audience: itpro +ms.author: greglin author: greg-lindsay keywords: upgrade, in-place, configuration, deploy ms.prod: w10 @@ -12,7 +13,6 @@ ms.mktglfcycl: deploy ms.localizationpriority: medium ms.sitesec: library audience: itpro -author: greg-lindsay ms.topic: article --- diff --git a/windows/deployment/windows-10-deployment-tools-reference.md b/windows/deployment/windows-10-deployment-tools-reference.md index 31c2c53103..2321163bd1 100644 --- a/windows/deployment/windows-10-deployment-tools-reference.md +++ b/windows/deployment/windows-10-deployment-tools-reference.md @@ -1,21 +1,21 @@ --- title: Windows 10 deployment tools reference -description: Learn about the tools available to deploy Windows 10. +description: Learn about the tools available to deploy Windows 10, like Volume Activation Management Tool (VAMT) and User State Migration Tool (USMT). ms.assetid: 5C4B0AE3-B2D0-4628-9E73-606F3FAA17BB ms.reviewer: manager: laurawi ms.audience: itpro +ms.author: greglin author: greg-lindsay ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library audience: itpro -author: greg-lindsay ms.date: 07/12/2017 ms.topic: article --- -# Windows 10 deployment tools +# Windows 10 deployment tools reference Learn about the tools available to deploy Windows 10. diff --git a/windows/deployment/windows-10-deployment-tools.md b/windows/deployment/windows-10-deployment-tools.md index a71caf0006..33f7b49f5e 100644 --- a/windows/deployment/windows-10-deployment-tools.md 
+++ b/windows/deployment/windows-10-deployment-tools.md @@ -5,12 +5,12 @@ ms.assetid: 5C4B0AE3-B2D0-4628-9E73-606F3FAA17BB ms.reviewer: manager: laurawi ms.audience: itpro +ms.author: greglin author: greg-lindsay ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library audience: itpro -author: greg-lindsay ms.date: 10/16/2017 ms.topic: article --- diff --git a/windows/deployment/windows-10-enterprise-e3-overview.md b/windows/deployment/windows-10-enterprise-e3-overview.md index c36f0c2cdc..d362478ccc 100644 --- a/windows/deployment/windows-10-enterprise-e3-overview.md +++ b/windows/deployment/windows-10-enterprise-e3-overview.md @@ -13,7 +13,6 @@ manager: laurawi ms.audience: itpro author: greg-lindsay audience: itpro -author: greg-lindsay ms.collection: M365-modern-desktop ms.topic: article --- diff --git a/windows/deployment/windows-10-media.md b/windows/deployment/windows-10-media.md index 24743735e8..38a56db227 100644 --- a/windows/deployment/windows-10-media.md +++ b/windows/deployment/windows-10-media.md @@ -9,10 +9,10 @@ ms.date: 10/20/2017 ms.reviewer: manager: laurawi ms.audience: itpro +ms.author: greglin author: greg-lindsay ms.sitesec: library audience: itpro -author: greg-lindsay ms.topic: article --- diff --git a/windows/deployment/windows-10-missing-fonts.md b/windows/deployment/windows-10-missing-fonts.md index dfa95cf6e1..7f9f5e72ad 100644 --- a/windows/deployment/windows-10-missing-fonts.md +++ b/windows/deployment/windows-10-missing-fonts.md 
@@ -1,103 +1,104 @@ ---- -title: How to install fonts missing after upgrading to Windows 10 -description: Some of the fonts are missing from the system after you upgrade to Windows 10. -keywords: deploy, upgrade, FoD, optional feature -ms.prod: w10 -ms.mktglfcycl: plan -ms.sitesec: library -ms.localizationpriority: medium -audience: itpro author: greg-lindsay -ms.audience: itpro author: greg-lindsay -ms.date: 10/31/2017 -ms.reviewer: -manager: laurawi -ms.topic: article ---- -# How to install fonts that are missing after upgrading to Windows 10 - -> Applies to: Windows 10 - -When you upgrade from the Windows 7, Windows 8, or Windows 8.1 operating system to Windows 10, certain fonts are no longer available by default post-upgrade. To reduce the operating system footprint, improve performance, and optimize disk space usage, we moved many of the fonts that were previously shipped with prior versions of Windows to the optional features of Windows 10. If you install a fresh instance of Windows 10, or upgrade an older version of Windows to Windows 10, these optional features are not enabled by default. As a result, these fonts appear to be missing from the system. - -If you have documents created using the missing fonts, these documents might display differently on Windows 10. - -For example, if you have an English (or French, German, or Spanish) version of Windows 10 installed, you might notice that fonts such as the following are appear to be missing: - -- Gautami -- Meiryo -- Narkism/Batang -- BatangChe -- Dotum -- DotumChe -- Gulim -- GulimChe -- Gungsuh -- GungsuhChe - -If you want to use these fonts, you can enable the optional feature to add these back to your system. Be aware that this is a permanent change in behavior for Windows 10, and it will remain this way in future releases. 
- -## Installing language-associated features via language settings: - -If you want to use the fonts from the optional feature and you know that you will want to view Web pages, edit documents, or use apps in the language associated with that feature, add that language into your user profile. You do this the Settings app. - -For example, here are the steps to install the fonts associated with the Hebrew language: - -1. Click **Start > Settings**. -2. In Settings, click **Time & language**, and then click **Region & language**. -3. If Hebrew is not included in the list of languages, click the plus sign (**+**) to add a language. -4. Find Hebrew, and then click it to add it to your language list. - -Once you have added Hebrew to your language list, then the optional Hebrew font feature and other optional features for Hebrew language support are installed. This should only take a few minutes. - -> Note: The optional features are installed by Windows Update. This means you need to be online for the Windows Update service to work. - -## Install optional fonts manually without changing language settings: - -If you want to use fonts in an optional feature but don't need to search web pages, edit documents, or use apps in the associated language, you can install the optional font features manually without changing your language settings. - -For example, here are the steps to install the fonts associated with the Hebrew language without adding the Hebrew language itself to your language preferences: - -1. Click **Start > Settings**. -2. In Settings, click **Apps**, click **Apps & features**, and then click **Manage optional features**. - -3. If you don't see **Hebrew Supplemental Fonts** in the list of installed features, click the plus sign (**+**) to add a feature. -4. Select **Hebrew Supplemental Fonts** in the list, and then click **Install**. - -> Note: The optional features are installed by Windows Update. You need to be online for the Windows Update service to work. 
- -## Fonts included in optional font features - -Here is a comprehensive list of the font families in each of the optional features. Some font families might include multiple fonts for different weights and styles. - -- Arabic Script Supplemental Fonts: Aldhabi, Andalus, Arabic Typesetting, Microsoft Uighur, Sakkal Majalla, Simplified Arabic, Traditional Arabic, Urdu Typesetting -- Bangla Script Supplemental Fonts: Shonar Bangla, Vrinda -- Canadian Aboriginal Syllabics Supplemental Fonts: Euphemia -- Cherokee Supplemental Fonts: Plantagenet Cherokee -- Chinese (Simplified) Supplemental Fonts: DengXian, FangSong, KaiTi, SimHei -- Chinese (Traditional) Supplemental Fonts: DFKai-SB, MingLiU, MingLiU_HKSCS, PMingLiU -- Devanagari Supplemental Fonts: Aparajita, Kokila, Mangal, Sanskrit Text, Utsaah -- Ethiopic Supplemental Fonts: Nyala -- Gujarati Supplemental Fonts: Shruti -- Gurmukhi Supplemental Fonts: Raavi -- Hebrew Supplemental Fonts: Aharoni Bold, David, FrankRuehl, Gisha, Levanim MT, Miriam, Miriam Fixed, Narkism, Rod -- Japanese Supplemental Fonts: Meiryo, Meiryo UI, MS Gothic, MS PGothic, MS UI Gothic, MS Mincho, MS PMincho, Yu Mincho -- Kannada Supplemental Fonts: Tunga -- Khmer Supplemental Fonts: DaunPenh, Khmer UI, MoolBoran -- Korean Supplemental Fonts: Batang, BatangChe, Dotum, DotumChe, Gulim, GulimChe, Gungsuh, GungsuhChe -- Lao Supplemental Fonts: DokChampa, Lao UI -- Malayalam Supplemental Fonts: Karthika -- Odia Supplemental Fonts: Kalinga -- Pan-European Supplemental Fonts: Arial Nova, Georgia Pro, Gill Sans Nova, Neue Haas Grotesk, Rockwell Nova, Verdana Pro -- Sinhala Supplemental Fonts: Iskoola Pota -- Syriac Supplemental Fonts: Estrangelo Edessa -- Tamil Supplemental Fonts: Latha, Vijaya -- Telugu Supplemental Fonts: Gautami, Vani -- Thai Supplemental Fonts: Angsana New, AngsanaUPC, Browallia New, BrowalliaUPC, Cordia New, CordiaUPC, DilleniaUPC, EucrosiaUPC, FreesiaUPC, IrisUPC, JasmineUPC, KodchiangUPC, Leelawadee, LilyUPC - -## Related 
Topics - -[Download the list of all available language FODs](https://download.microsoft.com/download/0/A/A/0AA4342D-3933-4216-A90D-3BA8392FB1D1/Windows%2010%201703%20FOD%20to%20LP%20Mapping%20Table.xlsx) - -[Features On Demand V2 (Capabilities)](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities#span-idrelatedtopicsspanrelated-topics) - -[Add Language Packs to Windows](/windows-hardware/manufacture/desktop/add-language-packs-to-windows) +--- +title: How to install fonts missing after upgrading to Windows 10 +description: Some of the fonts are missing from the system after you upgrade to Windows 10. +keywords: deploy, upgrade, FoD, optional feature +ms.prod: w10 +ms.mktglfcycl: plan +ms.sitesec: library +ms.localizationpriority: medium +audience: itpro +author: greg-lindsay +ms.audience: itpro +ms.date: 10/31/2017 +ms.reviewer: +manager: laurawi +ms.topic: article +--- +# How to install fonts that are missing after upgrading to Windows 10 + +> Applies to: Windows 10 + +When you upgrade from the Windows 7, Windows 8, or Windows 8.1 operating system to Windows 10, certain fonts are no longer available by default post-upgrade. To reduce the operating system footprint, improve performance, and optimize disk space usage, we moved many of the fonts that were previously shipped with prior versions of Windows to the optional features of Windows 10. If you install a fresh instance of Windows 10, or upgrade an older version of Windows to Windows 10, these optional features are not enabled by default. As a result, these fonts appear to be missing from the system. + +If you have documents created using the missing fonts, these documents might display differently on Windows 10. 
+ +For example, if you have an English (or French, German, or Spanish) version of Windows 10 installed, you might notice that fonts such as the following are appear to be missing: + +- Gautami +- Meiryo +- Narkism/Batang +- BatangChe +- Dotum +- DotumChe +- Gulim +- GulimChe +- Gungsuh +- GungsuhChe + +If you want to use these fonts, you can enable the optional feature to add these back to your system. Be aware that this is a permanent change in behavior for Windows 10, and it will remain this way in future releases. + +## Installing language-associated features via language settings: + +If you want to use the fonts from the optional feature and you know that you will want to view Web pages, edit documents, or use apps in the language associated with that feature, add that language into your user profile. You do this the Settings app. + +For example, here are the steps to install the fonts associated with the Hebrew language: + +1. Click **Start > Settings**. +2. In Settings, click **Time & language**, and then click **Region & language**. +3. If Hebrew is not included in the list of languages, click the plus sign (**+**) to add a language. +4. Find Hebrew, and then click it to add it to your language list. + +Once you have added Hebrew to your language list, then the optional Hebrew font feature and other optional features for Hebrew language support are installed. This should only take a few minutes. + +> Note: The optional features are installed by Windows Update. This means you need to be online for the Windows Update service to work. + +## Install optional fonts manually without changing language settings: + +If you want to use fonts in an optional feature but don't need to search web pages, edit documents, or use apps in the associated language, you can install the optional font features manually without changing your language settings. 
+ +For example, here are the steps to install the fonts associated with the Hebrew language without adding the Hebrew language itself to your language preferences: + +1. Click **Start > Settings**. +2. In Settings, click **Apps**, click **Apps & features**, and then click **Manage optional features**. + +3. If you don't see **Hebrew Supplemental Fonts** in the list of installed features, click the plus sign (**+**) to add a feature. +4. Select **Hebrew Supplemental Fonts** in the list, and then click **Install**. + +> Note: The optional features are installed by Windows Update. You need to be online for the Windows Update service to work. + +## Fonts included in optional font features + +Here is a comprehensive list of the font families in each of the optional features. Some font families might include multiple fonts for different weights and styles. + +- Arabic Script Supplemental Fonts: Aldhabi, Andalus, Arabic Typesetting, Microsoft Uighur, Sakkal Majalla, Simplified Arabic, Traditional Arabic, Urdu Typesetting +- Bangla Script Supplemental Fonts: Shonar Bangla, Vrinda +- Canadian Aboriginal Syllabics Supplemental Fonts: Euphemia +- Cherokee Supplemental Fonts: Plantagenet Cherokee +- Chinese (Simplified) Supplemental Fonts: DengXian, FangSong, KaiTi, SimHei +- Chinese (Traditional) Supplemental Fonts: DFKai-SB, MingLiU, MingLiU_HKSCS, PMingLiU +- Devanagari Supplemental Fonts: Aparajita, Kokila, Mangal, Sanskrit Text, Utsaah +- Ethiopic Supplemental Fonts: Nyala +- Gujarati Supplemental Fonts: Shruti +- Gurmukhi Supplemental Fonts: Raavi +- Hebrew Supplemental Fonts: Aharoni Bold, David, FrankRuehl, Gisha, Levanim MT, Miriam, Miriam Fixed, Narkism, Rod +- Japanese Supplemental Fonts: Meiryo, Meiryo UI, MS Gothic, MS PGothic, MS UI Gothic, MS Mincho, MS PMincho, Yu Mincho +- Kannada Supplemental Fonts: Tunga +- Khmer Supplemental Fonts: DaunPenh, Khmer UI, MoolBoran +- Korean Supplemental Fonts: Batang, BatangChe, Dotum, DotumChe, Gulim, GulimChe, Gungsuh, 
GungsuhChe +- Lao Supplemental Fonts: DokChampa, Lao UI +- Malayalam Supplemental Fonts: Karthika +- Odia Supplemental Fonts: Kalinga +- Pan-European Supplemental Fonts: Arial Nova, Georgia Pro, Gill Sans Nova, Neue Haas Grotesk, Rockwell Nova, Verdana Pro +- Sinhala Supplemental Fonts: Iskoola Pota +- Syriac Supplemental Fonts: Estrangelo Edessa +- Tamil Supplemental Fonts: Latha, Vijaya +- Telugu Supplemental Fonts: Gautami, Vani +- Thai Supplemental Fonts: Angsana New, AngsanaUPC, Browallia New, BrowalliaUPC, Cordia New, CordiaUPC, DilleniaUPC, EucrosiaUPC, FreesiaUPC, IrisUPC, JasmineUPC, KodchiangUPC, Leelawadee, LilyUPC + +## Related Topics + +[Download the list of all available language FODs](https://download.microsoft.com/download/0/A/A/0AA4342D-3933-4216-A90D-3BA8392FB1D1/Windows%2010%201703%20FOD%20to%20LP%20Mapping%20Table.xlsx) + +[Features On Demand V2 (Capabilities)](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities#span-idrelatedtopicsspanrelated-topics) + +[Add Language Packs to Windows](/windows-hardware/manufacture/desktop/add-language-packs-to-windows) diff --git a/windows/deployment/windows-10-poc-mdt.md b/windows/deployment/windows-10-poc-mdt.md index a9ffbb1c73..c10e477cff 100644 --- a/windows/deployment/windows-10-poc-mdt.md +++ b/windows/deployment/windows-10-poc-mdt.md @@ -11,9 +11,9 @@ ms.date: 10/11/2017 ms.reviewer: manager: laurawi ms.audience: itpro +ms.author: greglin author: greg-lindsay audience: itpro -author: greg-lindsay ms.topic: article --- diff --git a/windows/deployment/windows-10-poc-sc-config-mgr.md b/windows/deployment/windows-10-poc-sc-config-mgr.md index ba8078e40c..1db27c1143 100644 --- a/windows/deployment/windows-10-poc-sc-config-mgr.md +++ b/windows/deployment/windows-10-poc-sc-config-mgr.md @@ -10,9 +10,9 @@ ms.localizationpriority: medium ms.reviewer: manager: laurawi ms.audience: itpro +ms.author: greglin author: greg-lindsay audience: itpro -author: greg-lindsay ms.topic: article --- 
@@ -20,19 +20,22 @@ ms.topic: article **Applies to** -- Windows 10 +- Windows 10 **Important**: This guide leverages the proof of concept (PoC) environment, and some settings that are configured in the following guides: + - [Step by step guide: Deploy Windows 10 in a test lab](windows-10-poc.md) - [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md) Please complete all steps in these guides before attempting the procedures in this guide. If you wish to skip the Windows 10 deployment procedures in the MDT guide and move directly to this guide, you must at least install MDT and the Windows ADK before performing procedures in this guide. All steps in the first guide are required before attempting the procedures in this guide. The PoC environment is a virtual network running on Hyper-V with three virtual machines (VMs): + - **DC1**: A contoso.com domain controller, DNS server, and DHCP server. - **SRV1**: A dual-homed contoso.com domain member server, DNS server, and default gateway providing NAT service for the PoC network. - **PC1**: A contoso.com member computer running Windows 7, Windows 8, or Windows 8.1 that has been cloned from a physical computer on your corporate network for testing purposes. -This guide leverages the Hyper-V server role to perform procedures. If you do not complete all steps in a single session, consider using [checkpoints](https://technet.microsoft.com/library/dn818483.aspx) and [saved states](https://technet.microsoft.com/library/ee247418.aspx) to pause, resume, or restart your work. + +>This guide leverages the Hyper-V server role to perform procedures. If you do not complete all steps in a single session, consider using [checkpoints](https://technet.microsoft.com/library/dn818483.aspx) and [saved states](https://technet.microsoft.com/library/ee247418.aspx) to pause, resume, or restart your work. >Multiple features and services are installed on SRV1 in this guide. 
This is not a typical installation, and is only done to set up a lab environment with a bare minimum of resources. However, if less than 4 GB of RAM is allocated to SRV1 in the Hyper-V console, some procedures will be extremely slow to complete. If resources are limited on the Hyper-V host, consider reducing RAM allocation on DC1 and PC1, and then increasing the RAM allocation on SRV1. You can adjust RAM allocation for a VM by right-clicking the VM in the Hyper-V Manager console, clicking **Settings**, clicking **Memory**, and modifying the value next to **Maximum RAM**. @@ -42,41 +45,36 @@ This guide provides end-to-end instructions to install and configure Microsoft E Topics and procedures in this guide are summarized in the following table. An estimate of the time required to complete each procedure is also provided. Time required to complete procedures will vary depending on the resources available to the Hyper-V host and assigned to VMs, such as processor speed, memory allocation, disk speed, and network speed. -
      - -
      - -
      TopicDescriptionTime - -
      Install prerequisitesInstall prerequisite Windows Server roles and features, download, install and configure SQL Server, configure firewall rules, and install the Windows ADK.60 minutes -
      Install Microsoft Endpoint Configuration ManagerDownload Microsoft Endpoint Configuration Manager, configure prerequisites, and install the package.45 minutes -
      Download MDOP and install DaRTDownload the Microsoft Desktop Optimization Pack 2015 and install DaRT 10.15 minutes -
      Prepare for Zero Touch installationPrerequisite procedures to support Zero Touch installation.60 minutes -
      Create a boot image for Configuration ManagerUse the MDT wizard to create the boot image in Configuration Manager.20 minutes -
      Create a Windows 10 reference imageThis procedure can be skipped if it was done previously, otherwise instructions are provided to create a reference image.0-60 minutes -
      Add a Windows 10 operating system imageAdd a Windows 10 operating system image and distribute it.10 minutes
      Create a task sequenceCreate a Configuration Manager task sequence with MDT integration using the MDT wizard15 minutes -
      Finalize the operating system configurationEnable monitoring, configure rules, and distribute content.30 minutes -
      Deploy Windows 10 using PXE and Configuration ManagerDeploy Windows 10 using Configuration Manager deployment packages and task sequences.60 minutes -
      Replace a client with Windows 10 using Configuration ManagerReplace a client computer with Windows 10 using Configuration Manager.90 minutes -
      Refresh a client with Windows 10 using Configuration ManagerUse a task sequence to refresh a client with Windows 10 using Configuration Manager and MDT90 minutes - -
      - -
      +|||| +|--- |--- |--- | +|Topic|Description|Time| +|[Install prerequisites](#install-prerequisites)|Install prerequisite Windows Server roles and features, download, install and configure SQL Server, configure firewall rules, and install the Windows ADK.|60 minutes| +|[Install Microsoft Endpoint Configuration Manager](#install-microsoft-endpoint-configuration-manager)|Download Microsoft Endpoint Configuration Manager, configure prerequisites, and install the package.|45 minutes| +|[Download MDOP and install DaRT](#download-mdop-and-install-dart)|Download the Microsoft Desktop Optimization Pack 2015 and install DaRT 10.|15 minutes| +|[Prepare for Zero Touch installation](#prepare-for-zero-touch-installation)|Prerequisite procedures to support Zero Touch installation.|60 minutes| +|[Create a boot image for Configuration Manager](#create-a-boot-image-for-configuration-manager)|Use the MDT wizard to create the boot image in Configuration Manager.|20 minutes| +|[Create a Windows 10 reference image](#create-a-windows-10-reference-image)|This procedure can be skipped if it was done previously, otherwise instructions are provided to create a reference image.|0-60 minutes| +|[Add a Windows 10 operating system image](#add-a-windows-10-operating-system-image)|Add a Windows 10 operating system image and distribute it.|10 minutes| +|[Create a task sequence](#create-a-task-sequence)|Create a Configuration Manager task sequence with MDT integration using the MDT wizard|15 minutes| +|[Finalize the operating system configuration](#finalize-the-operating-system-configuration)|Enable monitoring, configure rules, and distribute content.|30 minutes| +|[Deploy Windows 10 using PXE and Configuration Manager](#deploy-windows-10-using-pxe-and-configuration-manager)|Deploy Windows 10 using Configuration Manager deployment packages and task sequences.|60 minutes| +|[Replace a client with Windows 10 using Configuration 
Manager](#replace-a-client-with-windows-10-using-configuration-manager)|Replace a client computer with Windows 10 using Configuration Manager.|90 minutes| +|[Refresh a client with Windows 10 using Configuration Manager](#refresh-a-client-with-windows-10-using-configuration-manager)|Use a task sequence to refresh a client with Windows 10 using Configuration Manager and MDT|90 minutes| ## Install prerequisites -1. Before installing Microsoft Endpoint Configuration Manager, we must install prerequisite services and features. Type the following command at an elevated Windows PowerShell prompt on SRV1: - ``` +1. Before installing Microsoft Endpoint Configuration Manager, we must install prerequisite services and features. Type the following command at an elevated Windows PowerShell prompt on SRV1: + + ```powershell Install-WindowsFeature Web-Windows-Auth,Web-ISAPI-Ext,Web-Metabase,Web-WMI,BITS,RDC,NET-Framework-Features,Web-Asp-Net,Web-Asp-Net45,NET-HTTP-Activation,NET-Non-HTTP-Activ ``` >If the request to add features fails, retry the installation by typing the command again. 2. Download [SQL Server 2014 SP2](https://www.microsoft.com/evalcenter/evaluate-sql-server-2014-sp2) from the Microsoft Evaluation Center as an .ISO file on the Hyper-V host computer. Save the file to the **C:\VHD** directory. -3. When you have downloaded the file **SQLServer2014SP2-FullSlipstream-x64-ENU.iso** and placed it in the C:\VHD directory, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host: +3. When you have downloaded the file **SQLServer2014SP2-FullSlipstream-x64-ENU.iso** and placed it in the C:\VHD directory, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host: - ``` + ```powershell Set-VMDvdDrive -VMName SRV1 -Path c:\VHD\SQLServer2014SP2-FullSlipstream-x64-ENU.iso ``` 
@@ -84,30 +82,32 @@ Topics and procedures in this guide are summarized in the following table. An es 4. Type the following command at an elevated Windows PowerShell prompt on SRV1 to install SQL Server: - ``` + ```powershell D:\setup.exe /q /ACTION=Install /ERRORREPORTING="False" /FEATURES=SQLENGINE,RS,IS,SSMS,TOOLS,ADV_SSMS,CONN /INSTANCENAME=MSSQLSERVER /INSTANCEDIR="C:\Program Files\Microsoft SQL Server" /SQLSVCACCOUNT="NT AUTHORITY\System" /SQLSYSADMINACCOUNTS="BUILTIN\ADMINISTRATORS" /SQLSVCSTARTUPTYPE=Automatic /AGTSVCACCOUNT="NT AUTHORITY\SYSTEM" /AGTSVCSTARTUPTYPE=Automatic /RSSVCACCOUNT="NT AUTHORITY\System" /RSSVCSTARTUPTYPE=Automatic /ISSVCACCOUNT="NT AUTHORITY\System" /ISSVCSTARTUPTYPE=Disabled /ASCOLLATION="Latin1_General_CI_AS" /SQLCOLLATION="SQL_Latin1_General_CP1_CI_AS" /TCPENABLED="1" /NPENABLED="1" /IAcceptSQLServerLicenseTerms ``` + Installation will take several minutes. When installation is complete, the following output will be displayed: - ``` + ```dos Microsoft (R) SQL Server 2014 12.00.5000.00 Copyright (c) Microsoft Corporation. All rights reserved. - + Microsoft (R) .NET Framework CasPol 2.0.50727.7905 Copyright (c) Microsoft Corporation. All rights reserved. - + Success Microsoft (R) .NET Framework CasPol 2.0.50727.7905 Copyright (c) Microsoft Corporation. All rights reserved. - + Success One or more affected files have operations pending. You should restart your computer to complete this process. PS C:\> ``` + 5. Type the following commands at an elevated Windows PowerShell prompt on SRV1: - ``` + ```powershell New-NetFirewallRule -DisplayName "SQL Server" -Direction Inbound –Protocol TCP –LocalPort 1433 -Action allow New-NetFirewallRule -DisplayName "SQL Admin Connection" -Direction Inbound –Protocol TCP –LocalPort 1434 -Action allow New-NetFirewallRule -DisplayName "SQL Database Management" -Direction Inbound –Protocol UDP –LocalPort 1434 -Action allow 
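Review bot: The `New-NetFirewallRule` commands in step 5 open the SQL Server ports inbound with no interface, profile or remote-address scope, and the guide describes SRV1 as dual-homed, so the rules presumably also apply to the adapter facing the external network. Since this hunk already edits the block, consider scoping each rule to the internal adapter, for example `New-NetFirewallRule -DisplayName "SQL Server" -Direction Inbound -Protocol TCP -LocalPort 1433 -InterfaceAlias "Ethernet" -Action allow`, using the adapter name that the PXE section identifies. The rule list continues past the end of this hunk, so the same scoping applies to the rules shown in the next one.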
@@ -115,13 +115,13 @@ Topics and procedures in this guide are summarized in the following table. An es New-NetFirewallRule -DisplayName "SQL Debugger/RPC" -Direction Inbound –Protocol TCP –LocalPort 135 -Action allow ``` -7. Download and install the latest [Windows Assessment and Deployment Kit (ADK)](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit) on SRV1 using the default installation settings. The current version is the ADK for Windows 10, version 1703. Installation might require several minutes to acquire all components. +6. Download and install the latest [Windows Assessment and Deployment Kit (ADK)](https://docs.microsoft.com/windows-hardware/get-started/adk-install) on SRV1 using the default installation settings. The current version is the ADK for Windows 10, version 2004. Installation might require several minutes to acquire all components. ## Install Microsoft Endpoint Configuration Manager 1. On SRV1, temporarily disable IE Enhanced Security Configuration for Administrators by typing the following commands at an elevated Windows PowerShell prompt: - ``` + ```powershell $AdminKey = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}" Set-ItemProperty -Path $AdminKey -Name "IsInstalled" -Value 0 Stop-Process -Name Explorer @@ -131,7 +131,7 @@ Topics and procedures in this guide are summarized in the following table. An es 3. Before starting the installation, verify that WMI is working on SRV1. See the following examples. Verify that **Running** is displayed under **Status** and **True** is displayed next to **TcpTestSucceeded**: - ``` + ```dos Get-Service Winmgmt Status Name DisplayName 
@@ -153,19 +153,20 @@ Topics and procedures in this guide are summarized in the following table. An es PingReplyDetails (RTT) : 0 ms TcpTestSucceeded : True ``` + You can also verify WMI using the WMI console by typing **wmimgmt.msc**, right-clicking **WMI Control (Local)** in the console tree, and then clicking **Properties**. If the WMI service is not started, attempt to start it or reboot the computer. If WMI is running but errors are present, see [WMIDiag](https://blogs.technet.microsoft.com/askperf/2015/05/12/wmidiag-2-2-is-here/) for troubleshooting information. 4. To extend the Active Directory schema, type the following command at an elevated Windows PowerShell prompt: - ``` + ```powershell cmd /c C:\configmgr\SMSSETUP\BIN\X64\extadsch.exe ``` 5. Temporarily switch to the DC1 VM, and type the following command at an elevated command prompt on DC1: - ``` + ```dos adsiedit.msc ``` @@ -182,9 +183,10 @@ Topics and procedures in this guide are summarized in the following table. An es 16. Close the ADSI Edit console and switch back to SRV1. 17. To start Configuration Manager installation, type the following command at an elevated Windows PowerShell prompt on SRV1: - ``` + ```powershell cmd /c C:\configmgr\SMSSETUP\BIN\X64\Setup.exe ``` + 18. Provide the following in the Microsoft Endpoint Configuration Manager Setup Wizard: - **Before You Begin**: Read the text and click *Next*. - **Getting Started**: Choose **Install a Configuration Manager primary site** and select the **Use typical installation options for a stand-alone primary site** checkbox. 
@@ -192,7 +194,7 @@ Topics and procedures in this guide are summarized in the following table. An es - **Product Key**: Choose **Install the evaluation edition of this Product**. - **Microsoft Software License Terms**: Read the terms and then select the **I accept these license terms** checkbox. - **Prerequisite Licenses**: Review license terms and select all three checkboxes on the page. - - **Prerequisite Downloads**: Choose **Download required files** and enter **c:\windows\temp** next to **Path**. + - **Prerequisite Downloads**: Choose **Download required files** and enter **c:\windows\temp** next to **Path**. - **Site and Installation Settings**: Site code: **PS1**, Site name: **Contoso**. - use default settings for all other options - **Usage Data**: Read the text and click **Next**. 
@@ -202,37 +204,39 @@ Topics and procedures in this guide are summarized in the following table. An es >There should be at most three warnings present: WSUS on site server, configuration for SQL Server memory usage, and SQL Server process memory allocation. These warnings can safely be ignored in this test environment. - Depending on the speed of the Hyper-V host and resources allocated to SRV1, installation can require approximately one hour. Click **Close** when installation is complete. + Depending on the speed of the Hyper-V host and resources allocated to SRV1, installation can require approximately one hour. Click **Close** when installation is complete. 19. If desired, re-enable IE Enhanced Security Configuration at this time on SRV1: - ``` + ```powershell Set-ItemProperty -Path $AdminKey -Name "IsInstalled" -Value 1 Stop-Process -Name Explorer ``` ## Download MDOP and install DaRT ->[!IMPORTANT] ->This step requires an MSDN subscription or volume licence agreement. For more information, see [Ready for Windows 10: MDOP 2015 and more tools are now available](https://blogs.technet.microsoft.com/windowsitpro/2015/08/17/ready-for-windows-10-mdop-2015-and-more-tools-are-now-available/). ->If your organization qualifies and does not already have an MSDN subscription, you can obtain a [free MSDN subscription with BizSpark](https://blogs.msdn.microsoft.com/zainnab/2011/03/14/bizspark-free-msdn-subscription-for-start-up-companies/). +> [!IMPORTANT] +> This step requires an MSDN subscription or volume licence agreement. For more information, see [Ready for Windows 10: MDOP 2015 and more tools are now available](https://blogs.technet.microsoft.com/windowsitpro/2015/08/17/ready-for-windows-10-mdop-2015-and-more-tools-are-now-available/). 
+> If your organization qualifies and does not already have an MSDN subscription, you can obtain a [free MSDN subscription with BizSpark](https://docs.microsoft.com/archive/blogs/zainnab/bizspark-free-msdn-subscription-for-start-up-companies/). 1. Download the [Microsoft Desktop Optimization Pack 2015](https://msdn.microsoft.com/subscriptions/downloads/#ProductFamilyId=597) to the Hyper-V host using an MSDN subscription. Download the .ISO file (mu_microsoft_desktop_optimization_pack_2015_x86_x64_dvd_5975282.iso, 2.79 GB) to the C:\VHD directory on the Hyper-V host. 2. Type the following command at an elevated Windows PowerShell prompt on the Hyper-V host to mount the MDOP file on SRV1: - ``` + ```powershell Set-VMDvdDrive -VMName SRV1 -Path c:\VHD\mu_microsoft_desktop_optimization_pack_2015_x86_x64_dvd_5975282.iso ``` + 3. Type the following command at an elevated Windows PowerShell prompt on SRV1: - ``` + ```powershell cmd /c "D:\DaRT\DaRT 10\Installers\en-us\x64\MSDaRT100.msi" ``` + 4. Install DaRT 10 using default settings. 5. Type the following commands at an elevated Windows PowerShell prompt on SRV1: - ``` + ```powershell Copy-Item "C:\Program Files\Microsoft DaRT\v10\Toolsx64.cab" -Destination "C:\Program Files\Microsoft Deployment Toolkit\Templates\Distribution\Tools\x64" Copy-Item "C:\Program Files\Microsoft DaRT\v10\Toolsx86.cab" -Destination "C:\Program Files\Microsoft Deployment Toolkit\Templates\Distribution\Tools\x86" ``` @@ -245,7 +249,7 @@ This section contains several procedures to support Zero Touch installation with 1. Type the following commands at a Windows PowerShell prompt on SRV1: - ``` + ```powershell New-Item -ItemType Directory -Path "C:\Sources\OSD\Boot" New-Item -ItemType Directory -Path "C:\Sources\OSD\OS" New-Item -ItemType Directory -Path "C:\Sources\OSD\Settings" 
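Review bot: Step 19 re-enables IE Enhanced Security Configuration only "if desired", and it relies on `$AdminKey` still holding the value assigned in step 1, before an installation the text says can take about an hour. If the PowerShell prompt was closed in between, `Set-ItemProperty -Path $AdminKey` has no path to act on and the setting stays disabled. Repeat the assignment at the top of this block, `$AdminKey = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}"`, and drop "If desired" so the step reliably returns SRV1 to its default configuration.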
@@ -278,7 +282,7 @@ This section contains several procedures to support Zero Touch installation with 3. On the **Network Access Account** tab, choose **Specify the account that accesses network locations**. 4. Click the yellow starburst and then click **New Account**. 5. Click **Browse** and then under **Enter the object name to select**, type **CM_NAA** and click **OK**. -6. Next to **Password** and **Confirm Password**, type pass@word1, and then click **OK** twice. +6. Next to **Password** and **Confirm Password**, type **pass@word1**, and then click **OK** twice. ### Configure a boundary group 
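Review bot: Step 6 now bolds a literal password, `pass@word1`, for the CM_NAA network access account, which makes a published credential the most prominent and most easily copied text in the procedure. Add a line directly after the step, such as `> This password is for the isolated PoC lab only. Use a unique password for any account outside the lab.` The procedure starts before this hunk, so the step that creates CM_NAA is not visible here and may need the same note.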
@@ -300,19 +304,20 @@ This section contains several procedures to support Zero Touch installation with
 ### Enable PXE on the distribution point
->[!IMPORTANT]
->Before enabling PXE in Configuration Manager, ensure that any previous installation of WDS does not cause conflicts. Configuration Manager will automatically configure the WDS service to manage PXE requests. To disable a previous installation, if it exists, type the following commands at an elevated Windows PowerShell prompt on SRV1:
+> [!IMPORTANT]
+> Before enabling PXE in Configuration Manager, ensure that any previous installation of WDS does not cause conflicts. Configuration Manager will automatically configure the WDS service to manage PXE requests. To disable a previous installation, if it exists, type the following commands at an elevated Windows PowerShell prompt on SRV1:
-```
+```powershell
 WDSUTIL /Set-Server /AnswerClients:None
 ```
 1. Determine the MAC address of the internal network adapter on SRV1. To determine this, type the following command at an elevated Windows PowerShell prompt on SRV1:
- ```
+ ```powershell
 (Get-NetAdapter "Ethernet").MacAddress
 ```
- >If the internal network adapter, assigned an IP address of 192.168.0.2, is not named "Ethernet" then replace the name "Ethernet" in the previous command with the name of this network adapter. You can review the names of network adapters and the IP addresses assigned to them by typing **ipconfig**.
+
+ > If the internal network adapter, assigned an IP address of 192.168.0.2, is not named "Ethernet" then replace the name "Ethernet" in the previous command with the name of this network adapter. You can review the names of network adapters and the IP addresses assigned to them by typing **ipconfig**.
 2. In the Microsoft Endpoint Configuration Manager console, in the **Administration** workspace, click **Distribution Points**.
 3. In the display pane, right-click **SRV1.CONTOSO.COM** and then click **Properties**.
@@ -325,13 +330,12 @@ WDSUTIL /Set-Server /AnswerClients:None - **Respond to PXE requests on specific network interfaces**: Click the yellow starburst and then enter the MAC address determined in the first step of this procedure. See the following example: - - Config Mgr PXE + ![Config Mgr PXE](images/configmgr-pxe.png) 5. Click **OK**. 6. Wait for a minute, then type the following command at an elevated Windows PowerShell prompt on SRV1, and verify that the files displayed are present: - ``` + ```powershell cmd /c dir /b C:\RemoteInstall\SMSBoot\x64 abortpxe.com 
@@ -342,31 +346,32 @@ WDSUTIL /Set-Server /AnswerClients:None wdsmgfw.efi wdsnbp.com ``` + >If these files are not present in the C:\RemoteInstall directory, verify that the REMINST share is configured as C:\RemoteInstall. You can view the properties of this share by typing "net share REMINST" at a command prompt. If the share path is set to a different value, then replace C:\RemoteInstall with your REMINST share path. >You can also type the following command at an elevated Windows PowerShell prompt to open the Configuration Manager Trace Log Tool. In the tool, click **File**, click **Open**, and then open the **distmgr.log** file. If errors are present, they will be highlighted in red: - ``` + ```powershell Invoke-Item 'C:\Program Files\Microsoft Configuration Manager\tools\cmtrace.exe' ``` The log file will updated continuously while Configuration Manager is running. Wait for Configuration Manager to repair any issues that are present, and periodically re-check that the files are present in the REMINST share location. Close the Configuration Manager Trace Log Tool when done. You will see the following line in distmgr.log that indicates the REMINST share is being populated with necessary files: - Running: WDSUTIL.exe /Initialize-Server /REMINST:"C:\RemoteInstall" + `Running: WDSUTIL.exe /Initialize-Server /REMINST:"C:\RemoteInstall"` Once the files are present in the REMINST share location, you can close the cmtrace tool. -### Create a branding image file +### Create a branding image file 1. If you have a bitmap (.BMP) image for suitable use as a branding image, copy it to the C:\Sources\OSD\Branding folder on SRV1. Otherwise, use the following step to copy a simple branding image. 2. 
Type the following command at an elevated Windows PowerShell prompt: + ```powershell + Copy-Item -Path "C:\ProgramData\Microsoft\User Account Pictures\user.bmp" -Destination "C:\Sources\OSD\Branding\contoso.bmp" ``` - copy "C:\ProgramData\Microsoft\User Account Pictures\user.bmp" "C:\Sources\OSD\Branding\contoso.bmp" - ``` + >You can open C:\Sources\OSD\Branding\contoso.bmp in MSPaint.exe if desired to customize this image. - -### Create a boot image for Configuration Manager +### Create a boot image for Configuration Manager 1. In the Configuration Manager console, in the **Software Library** workspace, expand **Operating Systems**, right-click **Boot Images**, and then click **Create Boot Image using MDT**. 2. On the Package Source page, under **Package source folder to be created (UNC Path):**, type **\\\SRV1\Sources$\OSD\Boot\Zero Touch WinPE x64**, and then click **Next**. 
@@ -380,13 +385,13 @@ WDSUTIL /Set-Server /AnswerClients:None 9. In the Distribute Content Wizard, click **Next**, click **Add** and select **Distribution Point**, select the **SRV1.CONTOSO.COM** checkbox, click **OK**, click **Next** twice, and then click **Close**. 10. Use the CMTrace application to view the **distmgr.log** file again and verify that the boot image has been distributed. To open CMTrace, type the following command at an elevated Windows PowerShell prompt on SRV1: - ``` + ```powershell Invoke-Item 'C:\Program Files\Microsoft Configuration Manager\tools\cmtrace.exe' ``` - + In the trace tool, click **Tools** on the menu and choose **Find**. Search for "**STATMSG: ID=2301**". For example: - ``` + ```console STATMSG: ID=2301 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_DISTRIBUTION_MANAGER" SYS=SRV1.CONTOSO.COM SITE=PS1 PID=924 TID=1424 GMTDATE=Tue Oct 09 22:36:30.986 2018 ISTR0="Zero Touch WinPE x64" ISTR1="PS10000A" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=1 AID0=400 AVAL0="PS10000A" SMS_DISTRIBUTION_MANAGER 10/9/2018 3:36:30 PM 1424 (0x0590) ``` @@ -395,7 +400,7 @@ WDSUTIL /Set-Server /AnswerClients:None 13. Select the **Deploy this boot image from the PXE-enabled distribution point** checkbox, and click **OK**. 14. Review the distmgr.log file again for "**STATMSG: ID=2301**" and verify that there are three folders under **C:\RemoteInstall\SMSImages** with boot images. See the following example: - ``` + ```console cmd /c dir /s /b C:\RemoteInstall\SMSImages C:\RemoteInstall\SMSImages\PS100004 
@@ -414,9 +419,10 @@ If you have already completed steps in [Deploy Windows 10 in a test lab using Mi 1. In [Step by step guide: Deploy Windows 10 in a test lab](windows-10-poc.md) the Windows 10 Enterprise .iso file was saved to the c:\VHD directory as **c:\VHD\w10-enterprise.iso**. The first step in creating a deployment share is to mount this file on SRV1. To mount the Windows 10 Enterprise DVD on SRV1, open an elevated Windows PowerShell prompt on the Hyper-V host computer and type the following command: - ``` + ```powershell Set-VMDvdDrive -VMName SRV1 -Path c:\VHD\w10-enterprise.iso ``` + 2. Verify that the Windows Enterprise installation DVD is mounted on SRV1 as drive letter D. 3. The Windows 10 Enterprise installation files will be used to create a deployment share on SRV1 using the MDT deployment workbench. To open the deployment workbench, click **Start**, type **deployment**, and then click **Deployment Workbench**. @@ -424,12 +430,12 @@ If you have already completed steps in [Deploy Windows 10 in a test lab using Mi 4. In the Deployment Workbench console, right-click **Deployment Shares** and select **New Deployment Share**. 5. Use the following settings for the New Deployment Share Wizard: - - Deployment share path: **C:\MDTBuildLab**
      - - Share name: **MDTBuildLab$**
      - - Deployment share description: **MDT build lab**
      - - Options: click **Next** to accept the default
      - - Summary: click **Next**
      - - Progress: settings will be applied
      + - Deployment share path: **C:\MDTBuildLab** + - Share name: **MDTBuildLab$** + - Deployment share description: **MDT build lab** + - Options: click **Next** to accept the default + - Summary: click **Next** + - Progress: settings will be applied - Confirmation: click **Finish** 6. Expand the **Deployment Shares** node, and then expand **MDT build lab**. @@ -438,19 +444,19 @@ If you have already completed steps in [Deploy Windows 10 in a test lab using Mi 7. Right-click the **Windows 10** folder created in the previous step, and then click **Import Operating System**. -8. Use the following settings for the Import Operating System Wizard: - - OS Type: **Full set of source files**
      - - Source: **D:\\**
      - - Destination: **W10Ent_x64**
      +8. Use the following settings for the Import Operating System Wizard: + - OS Type: **Full set of source files** + - Source: **D:\\** + - Destination: **W10Ent_x64** - Summary: click **Next** - Confirmation: click **Finish** 9. For purposes of this test lab, we will not add applications, such as Microsoft Office, to the deployment share. For information about adding applications, see the [Add applications](deploy-windows-mdt/create-a-windows-10-reference-image.md#add-applications) section of the [Create a Windows 10 reference image](deploy-windows-mdt/create-a-windows-10-reference-image.md) topic in the TechNet library. 10. The next step is to create a task sequence to reference the operating system that was imported. To create a task sequence, right-click the **Task Sequences** node under **MDT Build Lab** and then click **New Task Sequence**. Use the following settings for the New Task Sequence Wizard: - - Task sequence ID: **REFW10X64-001**
      - - Task sequence name: **Windows 10 Enterprise x64 Default Image**
      - - Task sequence comments: **Reference Build**
      + - Task sequence ID: **REFW10X64-001** + - Task sequence name: **Windows 10 Enterprise x64 Default Image** + - Task sequence comments: **Reference Build** - Template: **Standard Client Task Sequence** - Select OS: click **Windows 10 Enterprise Evaluation in W10Ent_x64 install.wim** - Specify Product Key: **Do not specify a product key at this time** @@ -467,7 +473,7 @@ If you have already completed steps in [Deploy Windows 10 in a test lab using Mi 13. On the Properties tab of the group that was created in the previous step, change the Name from New Group to **Custom Tasks (Pre-Windows Update)** and then click **Apply**. To see the name change, click **Tattoo**, then click the new group again. -14. Click the **Custom Tasks (Pre-Windows Update)** group again, click **Add**, point to **Roles**, and then click **Install Roles and Features**. +14. Click the **Custom Tasks (Pre-Windows Update)** group again, click **Add**, point to **Roles**, and then click **Install Roles and Features**. 15. Under **Select the roles and features that should be installed**, select **.NET Framework 3.5 (includes .NET 2.0 and 3.0)** and then click **Apply**. @@ -480,7 +486,7 @@ If you have already completed steps in [Deploy Windows 10 in a test lab using Mi 19. Replace the default rules with the following text: - ``` + ```ini [Settings] Priority=Default @@ -515,7 +521,7 @@ If you have already completed steps in [Deploy Windows 10 in a test lab using Mi 20. Click **Apply** and then click **Edit Bootstrap.ini**. Replace the contents of the Bootstrap.ini file with the following text, and save the file: - ``` + ```ini [Settings] Priority=Default 
@@ -535,17 +541,18 @@ If you have already completed steps in [Deploy Windows 10 in a test lab using Mi
 24. Copy **c:\MDTBuildLab\Boot\LiteTouchPE_x86.iso** on SRV1 to the **c:\VHD** directory on the Hyper-V host computer. Note that in MDT, the x86 boot image can deploy both x86 and x64 operating systems, except on computers based on Unified Extensible Firmware Interface (UEFI).
- >Hint: Top copy the file, right-click the **LiteTouchPE_x86.iso** file and click **Copy** on SRV1, then open the **c:\VHD** folder on the Hyper-V host, right-click inside the folder and click **Paste**.
+ >Hint: Top copy the file, right-click the **LiteTouchPE_x86.iso** file and click **Copy** on SRV1, then open the **c:\VHD** folder on the Hyper-V host, right-click inside the folder and click **Paste**.
 25. Open a Windows PowerShell prompt on the Hyper-V host computer and type the following commands:
- ```
- New-VM –Name REFW10X64-001 -SwitchName poc-internal -NewVHDPath "c:\VHD\REFW10X64-001.vhdx" -NewVHDSizeBytes 60GB
+ ```powershell
+ New-VM –Name REFW10X64-001 -SwitchName poc-internal -NewVHDPath "c:\VHD\REFW10X64-001.vhdx" -NewVHDSizeBytes 60GB
 Set-VMMemory -VMName REFW10X64-001 -DynamicMemoryEnabled $true -MinimumBytes 1024MB -MaximumBytes 1024MB -Buffer 20
 Set-VMDvdDrive -VMName REFW10X64-001 -Path c:\VHD\LiteTouchPE_x86.iso
 Start-VM REFW10X64-001
 vmconnect localhost REFW10X64-001
 ```
+
 26. In the Windows Deployment Wizard, select **Windows 10 Enterprise x64 Default Image**, and then click **Next**.
 27. Accept the default values on the Capture Image page, and click **Next**. Operating system installation will complete after 5 to 10 minutes and then the VM will reboot automatically. Allow the system to boot normally (do not press a key). The process is fully automated.
@@ -560,13 +567,13 @@ If you have already completed steps in [Deploy Windows 10 in a test lab using Mi
 - Capture the installation to a Windows Imaging (WIM) file.
 - Turn off the virtual machine.
- This step requires from 30 minutes to 2 hours, depending on the speed of the Hyper-V host and your network's download speed. After some time, you will have a Windows 10 Enterprise x64 image that is fully patched and has run through Sysprep. The image is located in the C:\MDTBuildLab\Captures folder on SRV1. The file name is **REFW10X64-001.wim**.
+ This step requires from 30 minutes to 2 hours, depending on the speed of the Hyper-V host and your network's download speed. After some time, you will have a Windows 10 Enterprise x64 image that is fully patched and has run through Sysprep. The image is located in the C:\MDTBuildLab\Captures folder on SRV1. The file name is **REFW10X64-001.wim**.
 ### Add a Windows 10 operating system image
 1. Type the following commands at an elevated Windows PowerShell prompt on SRV1:
- ```
+ ```powershell
 New-Item -ItemType Directory -Path "C:\Sources\OSD\OS\Windows 10 Enterprise x64"
 cmd /c copy /z "C:\MDTBuildLab\Captures\REFW10X64-001.wim" "C:\Sources\OSD\OS\Windows 10 Enterprise x64"
 ```
@@ -599,18 +606,18 @@ If you have already completed steps in [Deploy Windows 10 in a test lab using Mi - Join a domain: **contoso.com** - Account: click **Set** - User name: **contoso\CM_JD** - - Password: pass@word1 - - Confirm password: pass@word1 + - Password: **pass@word1** + - Confirm password: **pass@word1** - Click **OK** - Windows Settings - User name: **Contoso** - Organization name: **Contoso** - Product key: \ - Administrator Account: **Enable the account and specify the local administrator password** - - Password: pass@word1 - - Confirm password: pass@word1 + - Password: **pass@word1** + - Confirm password: **pass@word1** - Click **Next** - + 5. On the Capture Settings page, accept the default settings and click **Next**. 6. On the Boot Image page, browse and select the **Zero Touch WinPE x64** boot image package, click **OK**, and then click **Next**. @@ -645,28 +652,27 @@ If you have already completed steps in [Deploy Windows 10 in a test lab using Mi 4. In the **State Restore** group, click the **Set Status 5** action, click **Add** in the upper left corner, point to **User State**, and click **Request State Store**. This adds a new action immediately after **Set Status 5**. -5. Configure the **Request State Store** action that was just added with the following settings:
      - - Request state storage location to: **Restore state from another computer**
      - - Select the **If computer account fails to connect to state store, use the Network Access account** checkbox.
      - - Options tab: Select the **Continue on error** checkbox.
      - - Add Condition: **Task Sequence Variable**:
      - - Variable: **USMTLOCAL**
      - - Condition: **not equals**
      - - Value: **True**
      - - Click **OK**.
      - - Click **Apply**
      . +5. Configure the **Request State Store** action that was just added with the following settings: + - Request state storage location to: **Restore state from another computer** + - Select the **If computer account fails to connect to state store, use the Network Access account** checkbox. + - Options tab: Select the **Continue on error** checkbox. + - Add Condition: **Task Sequence Variable**: + - Variable: **USMTLOCAL** + - Condition: **not equals** + - Value: **True** + - Click **OK** + - Click **Apply** 6. In the **State Restore** group, click **Restore User State**, click **Add**, point to **User State**, and click **Release State Store**. -7. Configure the **Release State Store** action that was just added with the following settings:
      - - Options tab: Select the **Continue on error** checkbox.
      - - Add Condition: **Task Sequence Variable**:
      - - Variable: **USMTLOCAL**
      - - Condition: **not equals**
      - - Value: **True**
      - - Click **OK**.
      - - Click **OK**
      . - +7. Configure the **Release State Store** action that was just added with the following settings: + - Options tab: Select the **Continue on error** checkbox. + - Add Condition: **Task Sequence Variable**: + - Variable: **USMTLOCAL** + - Condition: **not equals** + - Value: **True** + - Click **OK** + - Click **OK** ### Finalize the operating system configuration @@ -675,26 +681,27 @@ If you have already completed steps in [Deploy Windows 10 in a test lab using Mi 1. In the MDT deployment workbench on SRV1, right-click **Deployment Shares** and then click **New Deployment Share**. 2. Use the following settings for the New Deployment Share Wizard: - - Deployment share path: **C:\MDTProduction**
      - - Share name: **MDTProduction$**
      - - Deployment share description: **MDT Production**
      - - Options: click **Next** to accept the default
      - - Summary: click **Next**
      - - Progress: settings will be applied
      + - Deployment share path: **C:\MDTProduction** + - Share name: **MDTProduction$** + - Deployment share description: **MDT Production** + - Options: click **Next** to accept the default + - Summary: click **Next** + - Progress: settings will be applied - Confirmation: click **Finish** -3. Right-click the **MDT Production** deployment share, and click **Properties**. +3. Right-click the **MDT Production** deployment share, and click **Properties**. 4. Click the **Monitoring** tab, select the **Enable monitoring for this deployment share** checkbox, and then click **OK**. 5. Type the following command at an elevated Windows PowerShell prompt on SRV1: - ``` + ```powershell notepad "C:\Sources\OSD\Settings\Windows 10 x64 Settings\CustomSettings.ini" ``` + 6. Replace the contents of the file with the following text, and then save the file: - ``` + ```ini [Settings] Priority=Default Properties=OSDMigrateConfigFiles,OSDMigrateMode @@ -712,11 +719,10 @@ If you have already completed steps in [Deploy Windows 10 in a test lab using Mi >As noted previously, if you wish to migrate accounts other than those in the Contoso domain, then change the OSDMigrateAdditionalCaptureOptions option. For example, the following option will capture settings from all user accounts: - ``` + ```ini OSDMigrateAdditionalCaptureOptions=/all ``` - 7. Return to the Configuration Manager console, and in the Software Library workspace, expand **Application Management**, click **Packages**, right-click **Windows 10 x64 Settings**, and then click **Update Distribution Points**. Click **OK** in the popup that appears. 8. In the Software Library workspace, expand **Operating Systems**, click **Task Sequences**, right-click **Windows 10 Enterprise x64**, and then click **Distribute Content**. 
@@ -727,14 +733,14 @@ If you have already completed steps in [Deploy Windows 10 in a test lab using Mi ### Create a deployment for the task sequence -1. In the Software Library workspace, expand **Operating Systems**, click **Task Sequences**, right-click **Windows 10 Enterprise x64**, and then click **Deploy**. +1. In the Software Library workspace, expand **Operating Systems**, click **Task Sequences**, right-click **Windows 10 Enterprise x64**, and then click **Deploy**. 2. On the General page, next to **Collection**, click **Browse**, select the **All Unknown Computers** collection, click **OK**, and then click **Next**. -3. On the Deployment Settings page, use the following settings:
      - - Purpose: **Available**
      - - Make available to the following: **Only media and PXE**
      - - Click **Next**.
      +3. On the Deployment Settings page, use the following settings: + - Purpose: **Available** + - Make available to the following: **Only media and PXE** + - Click **Next**. 4. Click **Next** five times to accept defaults on the Scheduling, User Experience, Alerts, and Distribution Points pages. 5. Click **Close**. @@ -745,7 +751,7 @@ In this first deployment scenario, we will deploy Windows 10 using PXE. This sce 1. Type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: - ``` + ```powershell New-VM –Name "PC4" –NewVHDPath "c:\vhd\pc4.vhdx" -NewVHDSizeBytes 40GB -SwitchName poc-internal -BootDevice NetworkAdapter -Generation 2 Set-VMMemory -VMName "PC4" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes 2048MB -Buffer 20 Start-VM PC4 
@@ -754,18 +760,18 @@ In this first deployment scenario, we will deploy Windows 10 using PXE. This sce
 2. Press ENTER when prompted to start the network boot service.
-3. In the Task Sequence Wizard, provide the password: pass@word1, and then click **Next**.
+3. In the Task Sequence Wizard, provide the password: **pass@word1**, and then click **Next**.
 4. Before you click **Next** in the Task Sequence Wizard, press the **F8** key. A command prompt will open.
-5. At the command prompt, type **explorer.exe** and review the Windows PE file structure.
+5. At the command prompt, type **explorer.exe** and review the Windows PE file structure.
 6. The smsts.log file is critical for troubleshooting any installation problems that might be encountered. Depending on the deployment phase, the smsts.log file is created in different locations:
- X:\windows\temp\SMSTSLog\smsts.log before disks are formatted.
- x:\smstslog\smsts.log after disks are formatted.
- c:\_SMSTaskSequence\Logs\Smstslog\smsts.log before the Microsoft Endpoint Configuration Manager client is installed.
- c:\windows\ccm\logs\Smstslog\smsts.log after the Microsoft Endpoint Configuration Manager client is installed.
- c:\windows\ccm\logs\smsts.log when the task sequence is complete.
+ X:\Windows\temp\SMSTSLog\smsts.log before disks are formatted.
+ X:\smstslog\smsts.log after disks are formatted.
+ C:\\_SMSTaskSequence\Logs\Smstslog\smsts.log before the Microsoft Endpoint Configuration Manager client is installed.
+ C:\Windows\ccm\logs\Smstslog\smsts.log after the Microsoft Endpoint Configuration Manager client is installed.
+ C:\Windows\ccm\logs\smsts.log when the task sequence is complete.
 Note: If a reboot is pending on the client, the reboot will be blocked as long as the command window is open.
@@ -783,14 +789,14 @@ In this first deployment scenario, we will deploy Windows 10 using PXE. This sce
 - Join the computer to the contoso.com domain
 - Install any applications that were specified in the reference image
-
 12. When Windows 10 installation has completed, sign in to PC4 using the **contoso\administrator** account.
 13. Right-click **Start**, click **Run**, type **control appwiz.cpl**, press ENTER, click **Turn Windows features on or off**, and verify that **.NET Framework 3.5 (includes .NET 2.0 and 3.0)** is installed. This is a feature included in the reference image.
 14. Shut down the PC4 VM.
->Note: The following two procedures 1) Replace a client with Windows 10 and 2) Refresh a client with Windows 10 have been exchanged in their order in this guide compared to the previous version. This is to avoid having to restore Hyper-V checkpoints to have access to PC1 before the OS is upgraded. If this is your first time going through this guide, you won't notice any change, but if you have tried the guide previously then this change should make it simpler to complete.
+> [!NOTE]
+> The following two procedures 1) Replace a client with Windows 10 and 2) Refresh a client with Windows 10 have been exchanged in their order in this guide compared to the previous version. This is to avoid having to restore Hyper-V checkpoints to have access to PC1 before the OS is upgraded. If this is your first time going through this guide, you won't notice any change, but if you have tried the guide previously then this change should make it simpler to complete.
 ## Replace a client with Windows 10 using Configuration Manager
@@ -823,7 +829,7 @@ In the replace procedure, PC1 will not be migrated to a new operating system. It
 Create a VM named PC4 to receive the applications and settings from PC1. This VM represents a new computer that will replace PC1. To create this VM, type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host:
-```
+```powershell
 New-VM –Name "PC4" –NewVHDPath "c:\vhd\pc4.vhdx" -NewVHDSizeBytes 60GB -SwitchName poc-internal -BootDevice NetworkAdapter -Generation 2
 Set-VMMemory -VMName "PC4" -DynamicMemoryEnabled $true -MinimumBytes 1024MB -MaximumBytes 2048MB -Buffer 20
 Set-VMNetworkAdapter -VMName PC4 -StaticMacAddress 00-15-5D-83-26-FF
@@ -837,64 +843,66 @@ Set-VMNetworkAdapter -VMName PC4 -StaticMacAddress 00-15-5D-83-26-FF 2. If a PC1 checkpoint has not already been saved, then save a checkpoint by typing the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: - ``` + ```powershell Checkpoint-VM -Name PC1 -SnapshotName BeginState ``` 3. On SRV1, in the Configuration Manager console, in the Administration workspace, expand **Hierarchy Configuration** and click on **Discovery Methods**. 4. Double-click **Active Directory System Discovery** and on the **General** tab select the **Enable Active Directory System Discovery** checkbox. 5. Click the yellow starburst, click **Browse**, select **contoso\Computers**, and then click **OK** three times. -6. When a popup dialog box asks if you want to run full discovery, click **Yes**. +6. When a popup dialog box asks if you want to run full discovery, click **Yes**. 7. In the Assets and Compliance workspace, click **Devices** and verify that the computer account names for SRV1 and PC1 are displayed. See the following example (GREGLIN-PC1 is the computer account name of PC1 in this example): ![assets](images/configmgr-assets.png) >If you do not see the computer account for PC1, try clicking the **Refresh** button in the upper right corner of the console. - + The **Client** column indicates that the Configuration Manager client is not currently installed. This procedure will be carried out next. 8. Sign in to PC1 using the contoso\administrator account and type the following at an elevated command prompt to remove any pre-existing client configuration, if it exists. 
Note: this command requires an elevated command prompt not an elevated Windows PowerShell prompt: - ``` + ```dos sc stop ccmsetup "\\SRV1\c$\Program Files\Microsoft Configuration Manager\Client\CCMSetup.exe" /Uninstall ``` + >If PC1 still has Configuration Manager registry settings that were applied by Group Policy, startup scripts, or other policies in its previous domain, these might not all be removed by CCMSetup /Uninstall and can cause problems with installation or registration of the client in its new environment. It might be necessary to manually remove these settings if they are present. For more information, see [Manual removal of the Configuration Manager client](https://blogs.technet.microsoft.com/michaelgriswold/2013/01/02/manual-removal-of-the-sccm-client/). -9. On PC1, temporarily stop Windows Update from queuing items for download and clear all BITS jobs from the queue: +9. On PC1, temporarily stop Windows Update from queuing items for download and clear all BITS jobs from the queue. From an elevated command prompt, type: - ``` + ```dos net stop wuauserv net stop BITS ``` Verify that both services were stopped successfully, then type the following at an elevated command prompt: - ``` + ```dos del "%ALLUSERSPROFILE%\Application Data\Microsoft\Network\Downloader\qmgr*.dat" net start BITS bitsadmin /list /allusers ``` - Verify that BITSAdmin displays 0 jobs. + Verify that BITSAdmin displays 0 jobs. 10. To install the Configuration Manager client as a standalone process, type the following at an elevated command prompt: - ``` + ```dos "\\SRV1\c$\Program Files\Microsoft Configuration Manager\Client\CCMSetup.exe" /mp:SRV1.contoso.com /logon SMSSITECODE=PS1 ``` -11. On PC1, using file explorer, open the **C:\Windows\ccmsetup** directory. During client installation, files will be downloaded here. + +11. On PC1, using file explorer, open the **C:\Windows\ccmsetup** directory. During client installation, files will be downloaded here. 12. 
Installation progress will be captured in the file: **c:\windows\ccmsetup\logs\ccmsetup.log**. You can periodically open this file in notepad, or you can type the following command at an elevated Windows PowerShell prompt to monitor installation progress: - ``` + ```powershell Get-Content -Path c:\windows\ccmsetup\logs\ccmsetup.log -Wait ``` - + Installation might require several minutes, and display of the log file will appear to hang while some applications are installed. This is normal. When setup is complete, verify that **CcmSetup is existing with return code 0** is displayed on the last line of the ccmsetup.log file and then press **CTRL-C** to break out of the Get-Content operation (if you are viewing the log in Windows PowerShell the last line will be wrapped). A return code of 0 indicates that installation was successful and you should now see a directory created at **C:\Windows\CCM** that contains files used in registration of the client with its site. -13. On PC1, open the Configuration Manager control panel applet by typing the following command: +13. On PC1, open the Configuration Manager control panel applet by typing the following command from a command prompt: - ``` + ```dos control smscfgrc ``` @@ -917,14 +925,14 @@ Set-VMNetworkAdapter -VMName PC4 -StaticMacAddress 00-15-5D-83-26-FF 1. On SRV1, in the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections** and then click **Create Device Collection**. 2. Use the following settings in the **Create Device Collection Wizard**: - - General > Name: **Install Windows 10 Enterprise x64**
      - - General > Limiting collection: **All Systems**
      - - Membership Rules > Add Rule: **Direct Rule**
      - - The **Create Direct Membership Rule Wizard** opens, click **Next**
      - - Search for Resources > Resource class: **System Resource**
      - - Search for Resources > Attribute name: **Name**
      - - Search for Resources > Value: **%**
      - - Select Resources > Value: Select the computername associated with the PC1 VM
      + - General > Name: **Install Windows 10 Enterprise x64** + - General > Limiting collection: **All Systems** + - Membership Rules > Add Rule: **Direct Rule** + - The **Create Direct Membership Rule Wizard** opens, click **Next** + - Search for Resources > Resource class: **System Resource** + - Search for Resources > Attribute name: **Name** + - Search for Resources > Value: **%** + - Select Resources > Value: Select the computername associated with the PC1 VM - Click **Next** twice and then click **Close** in both windows (Next, Next, Close, then Next, Next, Close) 3. Double-click the Install Windows 10 Enterprise x64 device collection and verify that the PC1 computer account is displayed. @@ -932,17 +940,16 @@ Set-VMNetworkAdapter -VMName PC4 -StaticMacAddress 00-15-5D-83-26-FF 4. In the Software Library workspace, expand **Operating Systems**, click **Task Sequences**, right-click **Windows 10 Enterprise x64** and then click **Deploy**. 5. Use the following settings in the Deploy Software wizard: - - General > Collection: Click Browse and select **Install Windows 10 Enterprise x64**
      - - Deployment Settings > Purpose: **Available**
      - - Deployment Settings > Make available to the following: **Configuration Manager clients, media and PXE**
      - - Scheduling > Click **Next**
      - - User Experience > Click **Next**
      - - Alerts > Click **Next**
      - - Distribution Points > Click **Next**
      - - Summary > Click **Next**
      + - General > Collection: Click Browse and select **Install Windows 10 Enterprise x64** + - Deployment Settings > Purpose: **Available** + - Deployment Settings > Make available to the following: **Configuration Manager clients, media and PXE** + - Scheduling > Click **Next** + - User Experience > Click **Next** + - Alerts > Click **Next** + - Distribution Points > Click **Next** + - Summary > Click **Next** - Verify that the wizard completed successfully and then click **Close** - ### Associate PC4 with PC1 1. On SRV1 in the Configuration Manager console, in the Assets and Compliance workspace, right-click **Devices** and then click **Import Computer Information**. @@ -977,14 +984,14 @@ Set-VMNetworkAdapter -VMName PC4 -StaticMacAddress 00-15-5D-83-26-FF 1. On SRV1, in the Configuration Manager console, in the Assets and Compliance workspace, right-click **Device Collections** and then click **Create Device Collection**. 2. Use the following settings in the **Create Device Collection Wizard**: - - General > Name: **USMT Backup (Replace)**
      - - General > Limiting collection: **All Systems**
      - - Membership Rules > Add Rule: **Direct Rule**
      - - The **Create Direct Membership Rule Wizard** opens, click **Next**
      - - Search for Resources > Resource class: **System Resource**
      - - Search for Resources > Attribute name: **Name**
      - - Search for Resources > Value: **%**
      - - Select Resources > Value: Select the computername associated with the PC1 VM (GREGLIN-PC1 in this example).
      + - General > Name: **USMT Backup (Replace)** + - General > Limiting collection: **All Systems** + - Membership Rules > Add Rule: **Direct Rule** + - The **Create Direct Membership Rule Wizard** opens, click **Next** + - Search for Resources > Resource class: **System Resource** + - Search for Resources > Attribute name: **Name** + - Search for Resources > Value: **%** + - Select Resources > Value: Select the computername associated with the PC1 VM (GREGLIN-PC1 in this example). - Click **Next** twice and then click **Close** in both windows. 3. Click **Device Collections** and then double-click **USMT Backup (Replace)**. Verify that the computer name/hostname associated with PC1 is displayed in the collection. Do not proceed until this name is displayed. @@ -992,27 +999,29 @@ Set-VMNetworkAdapter -VMName PC4 -StaticMacAddress 00-15-5D-83-26-FF ### Create a new deployment In the Configuration Manager console, in the Software Library workspace under Operating Systems, click **Task Sequences**, right-click **Replace Task Sequence**, click **Deploy**, and use the following settings: -- General > Collection: **USMT Backup (Replace)**
      -- Deployment Settings > Purpose: **Available**
      -- Deployment Settings > Make available to the following: **Only Configuration Manager Clients**
      -- Scheduling: Click **Next**
      -- User Experience: Click **Next**
      -- Alerts: Click **Next**
      -- Distribution Points: Click **Next**
      + +- General > Collection: **USMT Backup (Replace)** +- Deployment Settings > Purpose: **Available** +- Deployment Settings > Make available to the following: **Only Configuration Manager Clients** +- Scheduling: Click **Next** +- User Experience: Click **Next** +- Alerts: Click **Next** +- Distribution Points: Click **Next** - Click **Next** and then click **Close**. ### Verify the backup -1. On PC1, open the Configuration Manager control panel applet by typing the following command: +1. On PC1, open the Configuration Manager control panel applet by typing the following command in a command prompt: - ``` + ```dos control smscfgrc ``` + 2. On the **Actions** tab, click **Machine Policy Retrieval & Evaluation Cycle**, click **Run Now**, click **OK**, and then click **OK** again. This is one method that can be used to run a task sequence in addition to the Client Notification method that will be demonstrated in the computer refresh procedure. 3. Type the following at an elevated command prompt to open the Software Center: - ``` + ```dos C:\Windows\CCM\SCClient.exe ``` 
@@ -1029,18 +1038,19 @@ In the Configuration Manager console, in the Software Library workspace under Op 1. Start PC4 and press ENTER for a network boot when prompted. To start PC4, type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: - ``` + ```powershell Start-VM PC4 vmconnect localhost PC4 ``` -2. In the **Welcome to the Task Sequence Wizard**, enter pass@word1 and click **Next**. -3. Choose the **Windows 10 Enterprise X64** image. -4. Setup will install the operating system using the Windows 10 Enterprise x64 reference image, install the configuration manager client, join PC4 to the domain, and restore users and settings from PC1. -5. Save checkpoints for all VMs if you wish to review their status at a later date. This is not required (checkpoints do take up space on the Hyper-V host). Note: the next procedure will install a new OS on PC1 update its status in Configuration Manager and in Active Directory as a Windows 10 device, so you cannot return to a previous checkpoint only on the PC1 VM without a conflict. Therefore, if you do create a checkpoint, you should do this for all VMs. + +1. In the **Welcome to the Task Sequence Wizard**, enter **pass@word1** and click **Next**. +1. Choose the **Windows 10 Enterprise X64** image. +1. Setup will install the operating system using the Windows 10 Enterprise x64 reference image, install the configuration manager client, join PC4 to the domain, and restore users and settings from PC1. +1. Save checkpoints for all VMs if you wish to review their status at a later date. This is not required (checkpoints do take up space on the Hyper-V host). Note: the next procedure will install a new OS on PC1 update its status in Configuration Manager and in Active Directory as a Windows 10 device, so you cannot return to a previous checkpoint only on the PC1 VM without a conflict. Therefore, if you do create a checkpoint, you should do this for all VMs. 
To save a checkpoint for all VMs, type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: - ``` + ```powershell Checkpoint-VM -Name DC1 -SnapshotName cm-refresh Checkpoint-VM -Name SRV1 -SnapshotName cm-refresh Checkpoint-VM -Name PC1 -SnapshotName cm-refresh @@ -1048,7 +1058,6 @@ In the Configuration Manager console, in the Software Library workspace under Op ## Refresh a client with Windows 10 using Configuration Manager - ### Initiate the computer refresh 1. On SRV1, in the Assets and Compliance workspace, click **Device Collections** and then double-click **Install Windows 10 Enterprise x64**. 
@@ -1060,16 +1069,14 @@ In the Configuration Manager console, in the Software Library workspace under Op The computer will restart several times during the installation process. Installation includes downloading updates, reinstalling the Configuration Manager Client Agent, and restoring the user state. You can view status of the installation in the Configuration Manager console by accessing the Monitoring workspace, clicking **Deployments**, and then double-clicking the deployment associated with the **Install Windows 10 Enterprise x64** collection. Under **Asset Details**, right-click the device and then click **More Details**. Click the **Status** tab to see a list of tasks that have been performed. See the following example: - ![asset](images/configmgr-asset.png) - - You can also monitor progress of the installation by using the MDT deployment workbench and viewing the **Monitoring** node under **Deployment Shares\MDT Production**. - + ![asset](images/configmgr-asset.png) + + You can also monitor progress of the installation by using the MDT deployment workbench and viewing the **Monitoring** node under **Deployment Shares\MDT Production**. + When installation has completed, sign in using the contoso\administrator account or the contoso\user1 account and verify that applications and settings have been successfully backed up and restored to your new Windows 10 Enterprise operating system. ![post-refresh](images/configmgr-post-refresh.png) - - ## Related Topics [System Center 2012 Configuration Manager Survival Guide](https://social.technet.microsoft.com/wiki/contents/articles/7075.system-center-2012-configuration-manager-survival-guide.aspx#Step-by-Step_Guides) diff --git a/windows/deployment/windows-10-poc.md b/windows/deployment/windows-10-poc.md index e86a065bf5..6b3110a329 100644 --- a/windows/deployment/windows-10-poc.md +++ b/windows/deployment/windows-10-poc.md 
@@ -3,6 +3,7 @@ title: Configure a test lab to deploy Windows 10 ms.reviewer: manager: laurawi ms.audience: itpro +ms.author: greglin author: greg-lindsay description: Concepts and procedures for deploying Windows 10 in a proof of concept lab environment. ms.prod: w10 @@ -12,7 +13,6 @@ ms.pagetype: deploy keywords: deployment, automate, tools, configure, mdt, sccm ms.localizationpriority: medium audience: itpro -author: greg-lindsay ms.topic: article --- @@ -22,7 +22,12 @@ ms.topic: article - Windows 10 -This guide contains instructions to configure a proof of concept (PoC) environment requiring a minimum amount of resources. The guide makes extensive use of Windows PowerShell and Hyper-V. Subsequent companion guides contain steps to deploy Windows 10 using the PoC environment. After completing this guide, see the following Windows 10 PoC deployment guides: +This guide contains instructions to configure a proof of concept (PoC) environment requiring a minimum amount of resources. + +> [!NOTE] +> Microsoft also offers a pre-configured lab using an evaluation version of Configuration Manager. For more information, see [Windows and Office deployment and management lab kit](/microsoft-365/enterprise/modern-desktop-deployment-and-management-lab). + +This lab guide makes extensive use of Windows PowerShell and Hyper-V. Subsequent companion guides contain steps to deploy Windows 10 using the PoC environment. After completing this guide, see the following Windows 10 PoC deployment guides: - [Step by step: Deploy Windows 10 in a test lab using MDT](windows-10-poc-mdt.md)
      - [Step by step: Deploy Windows 10 in a test lab using Microsoft Endpoint Configuration Manager](windows-10-poc-sc-config-mgr.md)
      @@ -144,7 +149,7 @@ Hardware requirements are displayed below: The lab architecture is summarized in the following diagram: -![PoC](images/poc.png) +![PoC diagram](images/poc.png) - Computer 1 is configured to host four VMs on a private, PoC network. - Two VMs are running Windows Server 2012 R2 with required network services and tools installed. @@ -218,7 +223,7 @@ Starting with Windows 8, the host computer’s microprocessor must support secon >Alternatively, you can install Hyper-V using the Control Panel in Windows under **Turn Windows features on or off** for a client operating system, or using Server Manager's **Add Roles and Features Wizard** on a server operating system, as shown below: - ![hyper-v feature](images/hyper-v-feature.png) + ![hyper-v features](images/hyper-v-feature.png) ![hyper-v](images/svr_mgr2.png) @@ -443,7 +448,7 @@ Notes:
      3. Select the checkboxes next to the **C:\\** and the **system reserved** (BIOS/MBR) volumes. The system volume is not assigned a drive letter, but will be displayed in the Disk2VHD tool with a volume label similar to **\\?\Volume{**. See the following example. **Important**: You must include the system volume in order to create a bootable VHD. If this volume is not displayed in the disk2vhd tool, then the computer is likely to be using the GPT partition style. For more information, see [Determine VM generation](#determine-vm-generation). 4. Specify a location to save the resulting VHD or VHDX file (F:\VHD\w7.vhdx in the following example) and click **Create**. See the following example: - ![disk2vhd](images/disk2vhd.png) + ![disk2vhd 1](images/disk2vhd.png) >Disk2vhd can save VHDs to local hard drives, even if they are the same as the volumes being converted. Performance is better however when the VHD is saved on a disk different than those being converted, such as a flash drive. @@ -476,7 +481,7 @@ Notes:
      5. Specify a location to save the resulting VHD or VHDX file (F:\VHD\PC1.vhdx in the following example) and click **Create**. See the following example: - ![disk2vhd](images/disk2vhd-gen2.png) + ![disk2vhd 2](images/disk2vhd-gen2.png) >Disk2vhd can save VHDs to local hard drives, even if they are the same as the volumes being converted. Performance is better however when the VHD is saved on a disk different than those being converted, such as a flash drive. @@ -500,7 +505,7 @@ Notes:
      3. Select the checkbox next to the **C:\\** volume and clear the checkbox next to **Use Vhdx**. Note: the system volume is not copied in this scenario, it will be added later. 4. Specify a location to save the resulting VHD file (F:\VHD\w7.vhd in the following example) and click **Create**. See the following example: - ![disk2vhd](images/disk2vhd4.png) + ![disk2vhd 3](images/disk2vhd4.png) >Disk2vhd can save VHDs to local hard drives, even if they are the same as the volumes being converted. Performance is better however when the VHD is saved on a disk different than those being converted, such as a flash drive. @@ -815,7 +820,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to 15. After signing in, the operating system detects that it is running in a new environment. New drivers will be automatically installed, including the network adapter driver. The network adapter driver must be updated before you can proceed, so that you will be able to join the contoso.com domain. Depending on the resources allocated to PC1, installing the network adapter driver might take a few minutes. You can monitor device driver installation by clicking **Show hidden icons** in the notification area. - ![PoC](images/installing-drivers.png) + ![PoC 1](images/installing-drivers.png) >If the client was configured with a static address, you must change this to a dynamic one so that it can obtain a DHCP lease. @@ -873,7 +878,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to See the following example: - ![ISE](images/ISE.png) + ![ISE 1](images/ISE.png) 19. Click **File**, click **Save As**, and save the commands as **c:\VHD\pc1.ps1** on the Hyper-V host. 20. In the (lower) terminal input window, type the following commands to enable Guest Service Interface on PC1 and then use this service to copy the script to PC1: 
diff --git a/windows/deployment/windows-10-pro-in-s-mode.md b/windows/deployment/windows-10-pro-in-s-mode.md
index 412dceea4f..bd8b4b1db5 100644
--- a/windows/deployment/windows-10-pro-in-s-mode.md
+++ b/windows/deployment/windows-10-pro-in-s-mode.md
@@ -1,90 +1,91 @@
----
-title: Switch to Windows 10 Pro/Enterprise from S mode
-ms.reviewer:
-manager: laurawi
-ms.audience: itpro author: greg-lindsay
-description: Overview of Windows 10 Pro/Enterprise in S mode. S mode switch options are also outlined in this document. Switching out of S mode is optional.
-keywords: Windows 10 S switch, S mode Switch, Switch in S mode, s mode switch, Windows 10 S, S-mode, system requirements, Overview, Windows 10 Pro in S mode, Windows 10 Pro in S mode
-ms.mktglfcycl: deploy
-ms.localizationpriority: medium
-ms.prod: w10
-ms.sitesec: library
-ms.pagetype: deploy
-audience: itpro author: greg-lindsay
-ms.collection: M365-modern-desktop
-ms.topic: article
----
-
-# Switch to Windows 10 Pro or Enterprise from S mode
-
-We recommend staying in S mode. However, in some limited scenarios, you might need to switch to Windows 10 Pro, Home, or Enterprise (not in S mode). You can switch devices running Windows 10, version 1709 or later.
-
-
-A number of other transformations are possible depending on which version and edition of Windows 10 you are starting with. Depending on the details, you might *switch* between S mode and the ordinary version or *convert* between different editions while staying in or out of S mode. The following quick reference table summarizes all of the switches or conversions that are supported by various means:
-
-
-
-
-| If a device is running this version of Windows 10 | and this edition of Windows 10 | then you can switch or convert it to this edition of Windows 10 by these methods: | | |
-|-------------|---------------------|-----------------------------------|-------------------------------|--------------------------------------------|
-| | | **Store for Education** (switch/convert all devices in your tenant) | **Microsoft Store** (switch/convert one device at a time) | **Intune** (switch/convert any number of devices selected by admin) |
-| **Windows 10, version 1709** | Pro in S mode | Pro EDU | Pro | Not by this method |
-| | Pro | Pro EDU | Not by any method | Not by any method |
-| | Home | Not by any method | Not by any method | Not by any method |
-| | | | | |
-| **Windows 10, version 1803** | Pro in S mode | Pro EDU in S mode | Pro | Not by this method |
-| | Pro | Pro EDU | Not by any method | Not by any method |
-| | Home in S mode | Not by any method | Home | Not by this method |
-| | Home | Not by any method | Not by any method | Not by any method |
-| | | | | |
-| **Windows 10, version 1809** | Pro in S mode | Pro EDU in S mode | Pro | Pro |
-| | Pro | Pro EDU | Not by any method | Not by any method |
-| | Home in S mode | Not by any method | Home | Home |
-| | Home | Not by any method | Not by any method | Not by any method |
-
-
-Use the following information to switch to Windows 10 Pro through the Microsoft Store.
-> [!IMPORTANT]
-> While it’s free to switch to Windows 10 Pro, it’s not reversible. The only way to rollback this kind of switch is through a [bare-metal recovery (BMR)](https://docs.microsoft.com/windows-hardware/manufacture/desktop/create-media-to-run-push-button-reset-features-s14) reset. This restores a Windows device to the factory state, even if the user needs to replace the hard drive or completely wipe the drive clean. If a device is switched out of S mode via the Microsoft Store, it will remain out of S mode even after the device is reset.
-
-## Switch one device through the Microsoft Store
-Use the following information to switch to Windows 10 Pro through the Microsoft Store or by navigating to **Settings** and then **Activation** on the device.
-
-Note these differences affecting switching modes in various releases of Windows 10:
-
-- In Windows 10, version 1709, you can switch devices one at a time from Windows 10 Pro in S mode to Windows 10 Pro by using the Microsoft Store or **Settings**. No other switches are possible.
-- In Windows 10, version 1803, you can switch devices running any S mode edition to the equivalent non-S mode edition one at a time by using the Microsoft Store or **Settings**.
-- Windows 10, version 1809, you can switch devices running any S mode edition to the equivalent non-S mode edition one at a time by using the Microsoft Store, **Settings**, or you can switch multiple devices in bulk by using Intune. You can also block users from switching devices themselves.
-
-
-1. Sign into the Microsoft Store using your Microsoft account.
-2. Search for "S mode".
-3. In the offer, select **Buy**, **Get**, or **Learn more.**
-
-You'll be prompted to save your files before the switch starts. Follow the prompts to switch to Windows 10 Pro.
-
-## Switch one or more devices by using Microsoft Intune
-
-Starting with Windows 10, version 1809, if you need to switch multiple devices in your environment from Windows 10 Pro in S mode to Windows 10 Pro, you can use Microsoft Intune or any other supported mobile device management software. You can configure devices to switch out of S mode during OOBE or post-OOBE - this gives you flexibility to manage Windows 10 in S mode devices at any point during the device lifecycle.
-
-1. Start Microsoft Intune.
-2. Navigate to **Device configuration > Profiles > Windows 10 and later > Edition upgrade and mode switch**.
-3. Follow the instructions to complete the switch.
-
-
-## Block users from switching
-
-You can control which devices or users can use the Microsoft Store to switch out of S mode in Windows 10.
-To set this, go to **Device configuration > Profiles > Windows 10 and later > Edition upgrade and mode switch in Microsoft Intune**, and then choose **Keep in S mode**.
-
-## S mode management with CSPs
-
-In addition to using Microsoft Intune or another modern device management tool to manage S mode, you can also use the [WindowsLicensing](https://docs.microsoft.com/windows/client-management/mdm/windowslicensing-csp) configuration service provider (CSP). In Windows 10, version 1809, we added S mode functionality that lets you switch devices, block devices from switching, and check the status (whether a device is in S mode).
-
-
-## Related topics
-
-[FAQs](https://support.microsoft.com/help/4020089/windows-10-in-s-mode-faq)
-[Compare Windows 10 editions](https://www.microsoft.com/WindowsForBusiness/Compare)
-[Windows 10 Pro Education](https://docs.microsoft.com/education/windows/test-windows10s-for-edu)
-[Introduction to Microsoft Intune in the Azure portal](https://docs.microsoft.com/intune/what-is-intune)
+---
+title: Switch to Windows 10 Pro/Enterprise from S mode
+ms.reviewer:
+manager: laurawi
+ms.audience: itpro
+author: greg-lindsay
+description: Overview of Windows 10 Pro/Enterprise in S mode. S mode switch options are also outlined in this document. Switching out of S mode is optional.
+keywords: Windows 10 S switch, S mode Switch, Switch in S mode, s mode switch, Windows 10 S, S-mode, system requirements, Overview, Windows 10 Pro in S mode, Windows 10 Pro in S mode
+ms.mktglfcycl: deploy
+ms.localizationpriority: medium
+ms.prod: w10
+ms.sitesec: library
+ms.pagetype: deploy
+audience: itpro
+ms.collection: M365-modern-desktop
+ms.topic: article
+---
+
+# Switch to Windows 10 Pro or Enterprise from S mode
+
+We recommend staying in S mode. However, in some limited scenarios, you might need to switch to Windows 10 Pro, Home, or Enterprise (not in S mode). You can switch devices running Windows 10, version 1709 or later.
+
+
+A number of other transformations are possible depending on which version and edition of Windows 10 you are starting with. Depending on the details, you might *switch* between S mode and the ordinary version or *convert* between different editions while staying in or out of S mode. The following quick reference table summarizes all of the switches or conversions that are supported by various means:
+
+
+
+
+| If a device is running this version of Windows 10 | and this edition of Windows 10 | then you can switch or convert it to this edition of Windows 10 by these methods: | | |
+|-------------|---------------------|-----------------------------------|-------------------------------|--------------------------------------------|
+| | | **Store for Education** (switch/convert all devices in your tenant) | **Microsoft Store** (switch/convert one device at a time) | **Intune** (switch/convert any number of devices selected by admin) |
+| **Windows 10, version 1709** | Pro in S mode | Pro EDU | Pro | Not by this method |
+| | Pro | Pro EDU | Not by any method | Not by any method |
+| | Home | Not by any method | Not by any method | Not by any method |
+| | | | | |
+| **Windows 10, version 1803** | Pro in S mode | Pro EDU in S mode | Pro | Not by this method |
+| | Pro | Pro EDU | Not by any method | Not by any method |
+| | Home in S mode | Not by any method | Home | Not by this method |
+| | Home | Not by any method | Not by any method | Not by any method |
+| | | | | |
+| **Windows 10, version 1809** | Pro in S mode | Pro EDU in S mode | Pro | Pro |
+| | Pro | Pro EDU | Not by any method | Not by any method |
+| | Home in S mode | Not by any method | Home | Home |
+| | Home | Not by any method | Not by any method | Not by any method |
+
+
+Use the following information to switch to Windows 10 Pro through the Microsoft Store.
+> [!IMPORTANT]
+> While it’s free to switch to Windows 10 Pro, it’s not reversible. The only way to rollback this kind of switch is through a [bare-metal recovery (BMR)](https://docs.microsoft.com/windows-hardware/manufacture/desktop/create-media-to-run-push-button-reset-features-s14) reset. This restores a Windows device to the factory state, even if the user needs to replace the hard drive or completely wipe the drive clean. If a device is switched out of S mode via the Microsoft Store, it will remain out of S mode even after the device is reset.
+
+## Switch one device through the Microsoft Store
+Use the following information to switch to Windows 10 Pro through the Microsoft Store or by navigating to **Settings** and then **Activation** on the device.
+
+Note these differences affecting switching modes in various releases of Windows 10:
+
+- In Windows 10, version 1709, you can switch devices one at a time from Windows 10 Pro in S mode to Windows 10 Pro by using the Microsoft Store or **Settings**. No other switches are possible.
+- In Windows 10, version 1803, you can switch devices running any S mode edition to the equivalent non-S mode edition one at a time by using the Microsoft Store or **Settings**.
+- Windows 10, version 1809, you can switch devices running any S mode edition to the equivalent non-S mode edition one at a time by using the Microsoft Store, **Settings**, or you can switch multiple devices in bulk by using Intune. You can also block users from switching devices themselves.
+
+
+1. Sign into the Microsoft Store using your Microsoft account.
+2. Search for "S mode".
+3. In the offer, select **Buy**, **Get**, or **Learn more.**
+
+You'll be prompted to save your files before the switch starts. Follow the prompts to switch to Windows 10 Pro.
+
+## Switch one or more devices by using Microsoft Intune
+
+Starting with Windows 10, version 1809, if you need to switch multiple devices in your environment from Windows 10 Pro in S mode to Windows 10 Pro, you can use Microsoft Intune or any other supported mobile device management software. You can configure devices to switch out of S mode during OOBE or post-OOBE - this gives you flexibility to manage Windows 10 in S mode devices at any point during the device lifecycle.
+
+1. Start Microsoft Intune.
+2. Navigate to **Device configuration > Profiles > Windows 10 and later > Edition upgrade and mode switch**.
+3. Follow the instructions to complete the switch.
+
+
+## Block users from switching
+
+You can control which devices or users can use the Microsoft Store to switch out of S mode in Windows 10.
+To set this, go to **Device configuration > Profiles > Windows 10 and later > Edition upgrade and mode switch in Microsoft Intune**, and then choose **Keep in S mode**.
+
+## S mode management with CSPs
+
+In addition to using Microsoft Intune or another modern device management tool to manage S mode, you can also use the [WindowsLicensing](https://docs.microsoft.com/windows/client-management/mdm/windowslicensing-csp) configuration service provider (CSP). In Windows 10, version 1809, we added S mode functionality that lets you switch devices, block devices from switching, and check the status (whether a device is in S mode).
+
+
+## Related topics
+
+[FAQs](https://support.microsoft.com/help/4020089/windows-10-in-s-mode-faq)
+[Compare Windows 10 editions](https://www.microsoft.com/WindowsForBusiness/Compare)
+[Windows 10 Pro Education](https://docs.microsoft.com/education/windows/test-windows10s-for-edu)
+[Introduction to Microsoft Intune in the Azure portal](https://docs.microsoft.com/intune/what-is-intune)
diff --git a/windows/deployment/windows-adk-scenarios-for-it-pros.md b/windows/deployment/windows-adk-scenarios-for-it-pros.md
index 861ef1b1ad..d8d6f47273 100644
--- a/windows/deployment/windows-adk-scenarios-for-it-pros.md
+++ b/windows/deployment/windows-adk-scenarios-for-it-pros.md
@@ -1,97 +1,98 @@ ---- -title: Windows ADK for Windows 10 scenarios for IT Pros (Windows 10) -description: The Windows Assessment and Deployment Kit (Windows ADK) contains tools that can be used by IT Pros to deploy Windows. -ms.assetid: FC4EB39B-29BA-4920-87C2-A00D711AE48B -ms.reviewer: -manager: laurawi -ms.audience: itpro author: greg-lindsay -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: medium -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.date: 07/27/2017 -ms.topic: article ---- - -# Windows ADK for Windows 10 scenarios for IT Pros - - -The [Windows Assessment and Deployment Kit](https://go.microsoft.com/fwlink/p/?LinkId=526803) (Windows ADK) contains tools that can be used by IT Pros to deploy Windows. For an overview of what's new in the Windows ADK for Windows 10, see [What's new in kits and tools](https://msdn.microsoft.com/library/windows/hardware/dn927348.aspx). - -In previous releases of Windows, the Windows ADK docs were published on both TechNet and the MSDN Hardware Dev Center. Starting with the Windows 10 release, Windows ADK documentation is available on the MSDN Hardware Dev Center. For the Windows 10 ADK reference content, see [Desktop manufacturing](https://msdn.microsoft.com/library/windows/hardware/dn938361.aspx). - -Here are some key scenarios that will help you find the content on the MSDN Hardware Dev Center. - -### Create a Windows image using command-line tools - -[DISM](https://msdn.microsoft.com/library/windows/hardware/dn898558.aspx) is used to mount and service Windows images. 
- -Here are some things you can do with DISM: - -- [Mount an offline image](https://msdn.microsoft.com/library/windows/hardware/dn938321.aspx) -- [Add drivers to an offline image](https://msdn.microsoft.com/library/windows/hardware/dn898469.aspx) -- [Enable or disable Windows features](https://msdn.microsoft.com/library/windows/hardware/dn898567.aspx) -- [Add or remove packages](https://msdn.microsoft.com/library/windows/hardware/dn898481.aspx) -- [Add language packs](https://msdn.microsoft.com/library/windows/hardware/dn898470.aspx) -- [Add Universal Windows apps](https://msdn.microsoft.com/library/windows/hardware/dn898600.aspx) -- [Upgrade the Windows edition](https://msdn.microsoft.com/library/windows/hardware/dn898500.aspx) - -[Sysprep](https://msdn.microsoft.com/library/windows/hardware/dn938335.aspx) prepares a Windows installation for imaging and allows you to capture a customized installation. - -Here are some things you can do with Sysprep: - -- [Generalize a Windows installation](https://msdn.microsoft.com/library/windows/hardware/dn938334.aspx) -- [Customize the default user profile](https://msdn.microsoft.com/library/windows/hardware/dn898521.aspx) -- [Use answer files](https://msdn.microsoft.com/library/windows/hardware/dn938346.aspx) - -[Windows PE (WinPE)](https://msdn.microsoft.com/library/windows/hardware/dn938389.aspx) is a small operating system used to boot a computer that does not have an operating system. You can boot to Windows PE and then install a new operating system, recover data, or repair an existing operating system. 
- -Here are ways you can create a WinPE image: - -- [Create a bootable USB drive](https://msdn.microsoft.com/library/windows/hardware/dn938386.aspx) -- [Create a Boot CD, DVD, ISO, or VHD](https://msdn.microsoft.com/library/windows/hardware/dn938385.aspx) - -[Windows Recovery Environment (Windows RE)](https://msdn.microsoft.com/library/windows/hardware/dn938364.aspx) is a recovery environment that can repair common operating system problems. - -Here are some things you can do with Windows RE: - -- [Customize Windows RE](https://msdn.microsoft.com/library/windows/hardware/dn898523.aspx) -- [Push-button reset](https://msdn.microsoft.com/library/windows/hardware/dn938307.aspx) - -[Windows System Image Manager (Windows SIM)](https://msdn.microsoft.com/library/windows/hardware/dn922445.aspx) helps you create answer files that change Windows settings and run scripts during installation. - -Here are some things you can do with Windows SIM: - -- [Create answer file](https://msdn.microsoft.com/library/windows/hardware/dn915085.aspx) -- [Add a driver path to an answer file](https://msdn.microsoft.com/library/windows/hardware/dn915062.aspx) -- [Add a package to an answer file](https://msdn.microsoft.com/library/windows/hardware/dn915066.aspx) -- [Add a custom command to an answer file](https://msdn.microsoft.com/library/windows/hardware/dn915058.aspx) - -For a list of settings you can change, see [Unattended Windows Setup Reference](https://msdn.microsoft.com/library/windows/hardware/dn923277.aspx) on the MSDN Hardware Dev Center. - -### Create a Windows image using Windows ICD - -Introduced in Windows 10, [Windows Imaging and Configuration Designer (ICD)](https://msdn.microsoft.com/library/windows/hardware/dn916113.aspx) streamlines the customizing and provisioning of a Windows 10 for desktop editions (Home, Pro, Enterprise, and Education), Windows 10 Mobile, or Windows 10 IoT Core (IoT Core) image. 
- -Here are some things you can do with Windows ICD: - -- [Build and apply a provisioning package](https://msdn.microsoft.com/library/windows/hardware/dn916107.aspx) -- [Export a provisioning package](https://msdn.microsoft.com/library/windows/hardware/dn916110.aspx) -- [Build and deploy an image for Windows 10 for desktop editions](https://msdn.microsoft.com/library/windows/hardware/dn916105.aspx) - -### IT Pro Windows deployment tools - -There are also a few tools included in the Windows ADK that are specific to IT Pros and this documentation is available on TechNet: - -- [Volume Activation Management Tool (VAMT) Technical Reference](volume-activation/volume-activation-management-tool.md) -- [User State Migration Tool (USMT) Technical Reference](usmt/usmt-technical-reference.md) - -  - -  - - - - - +--- +title: Windows ADK for Windows 10 scenarios for IT Pros (Windows 10) +description: The Windows Assessment and Deployment Kit (Windows ADK) contains tools that can be used by IT Pros to deploy Windows. +ms.assetid: FC4EB39B-29BA-4920-87C2-A00D711AE48B +ms.reviewer: +manager: laurawi +ms.audience: itpro +author: greg-lindsay +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.sitesec: library +audience: itpro +ms.date: 07/27/2017 +ms.topic: article +--- + +# Windows ADK for Windows 10 scenarios for IT Pros + + +The [Windows Assessment and Deployment Kit](https://go.microsoft.com/fwlink/p/?LinkId=526803) (Windows ADK) contains tools that can be used by IT Pros to deploy Windows. For an overview of what's new in the Windows ADK for Windows 10, see [What's new in kits and tools](https://msdn.microsoft.com/library/windows/hardware/dn927348.aspx). + +In previous releases of Windows, the Windows ADK docs were published on both TechNet and the MSDN Hardware Dev Center. Starting with the Windows 10 release, Windows ADK documentation is available on the MSDN Hardware Dev Center. 
For the Windows 10 ADK reference content, see [Desktop manufacturing](https://msdn.microsoft.com/library/windows/hardware/dn938361.aspx). + +Here are some key scenarios that will help you find the content on the MSDN Hardware Dev Center. + +### Create a Windows image using command-line tools + +[DISM](https://msdn.microsoft.com/library/windows/hardware/dn898558.aspx) is used to mount and service Windows images. + +Here are some things you can do with DISM: + +- [Mount an offline image](https://msdn.microsoft.com/library/windows/hardware/dn938321.aspx) +- [Add drivers to an offline image](https://msdn.microsoft.com/library/windows/hardware/dn898469.aspx) +- [Enable or disable Windows features](https://msdn.microsoft.com/library/windows/hardware/dn898567.aspx) +- [Add or remove packages](https://msdn.microsoft.com/library/windows/hardware/dn898481.aspx) +- [Add language packs](https://msdn.microsoft.com/library/windows/hardware/dn898470.aspx) +- [Add Universal Windows apps](https://msdn.microsoft.com/library/windows/hardware/dn898600.aspx) +- [Upgrade the Windows edition](https://msdn.microsoft.com/library/windows/hardware/dn898500.aspx) + +[Sysprep](https://msdn.microsoft.com/library/windows/hardware/dn938335.aspx) prepares a Windows installation for imaging and allows you to capture a customized installation. + +Here are some things you can do with Sysprep: + +- [Generalize a Windows installation](https://msdn.microsoft.com/library/windows/hardware/dn938334.aspx) +- [Customize the default user profile](https://msdn.microsoft.com/library/windows/hardware/dn898521.aspx) +- [Use answer files](https://msdn.microsoft.com/library/windows/hardware/dn938346.aspx) + +[Windows PE (WinPE)](https://msdn.microsoft.com/library/windows/hardware/dn938389.aspx) is a small operating system used to boot a computer that does not have an operating system. You can boot to Windows PE and then install a new operating system, recover data, or repair an existing operating system. 
+ +Here are ways you can create a WinPE image: + +- [Create a bootable USB drive](https://msdn.microsoft.com/library/windows/hardware/dn938386.aspx) +- [Create a Boot CD, DVD, ISO, or VHD](https://msdn.microsoft.com/library/windows/hardware/dn938385.aspx) + +[Windows Recovery Environment (Windows RE)](https://msdn.microsoft.com/library/windows/hardware/dn938364.aspx) is a recovery environment that can repair common operating system problems. + +Here are some things you can do with Windows RE: + +- [Customize Windows RE](https://msdn.microsoft.com/library/windows/hardware/dn898523.aspx) +- [Push-button reset](https://msdn.microsoft.com/library/windows/hardware/dn938307.aspx) + +[Windows System Image Manager (Windows SIM)](https://msdn.microsoft.com/library/windows/hardware/dn922445.aspx) helps you create answer files that change Windows settings and run scripts during installation. + +Here are some things you can do with Windows SIM: + +- [Create answer file](https://msdn.microsoft.com/library/windows/hardware/dn915085.aspx) +- [Add a driver path to an answer file](https://msdn.microsoft.com/library/windows/hardware/dn915062.aspx) +- [Add a package to an answer file](https://msdn.microsoft.com/library/windows/hardware/dn915066.aspx) +- [Add a custom command to an answer file](https://msdn.microsoft.com/library/windows/hardware/dn915058.aspx) + +For a list of settings you can change, see [Unattended Windows Setup Reference](https://msdn.microsoft.com/library/windows/hardware/dn923277.aspx) on the MSDN Hardware Dev Center. + +### Create a Windows image using Windows ICD + +Introduced in Windows 10, [Windows Imaging and Configuration Designer (ICD)](https://msdn.microsoft.com/library/windows/hardware/dn916113.aspx) streamlines the customizing and provisioning of a Windows 10 for desktop editions (Home, Pro, Enterprise, and Education), Windows 10 Mobile, or Windows 10 IoT Core (IoT Core) image. 
+ +Here are some things you can do with Windows ICD: + +- [Build and apply a provisioning package](https://msdn.microsoft.com/library/windows/hardware/dn916107.aspx) +- [Export a provisioning package](https://msdn.microsoft.com/library/windows/hardware/dn916110.aspx) +- [Build and deploy an image for Windows 10 for desktop editions](https://msdn.microsoft.com/library/windows/hardware/dn916105.aspx) + +### IT Pro Windows deployment tools + +There are also a few tools included in the Windows ADK that are specific to IT Pros and this documentation is available on TechNet: + +- [Volume Activation Management Tool (VAMT) Technical Reference](volume-activation/volume-activation-management-tool.md) +- [User State Migration Tool (USMT) Technical Reference](usmt/usmt-technical-reference.md) + +  + +  + + + + + diff --git a/windows/deployment/windows-deployment-scenarios-and-tools.md b/windows/deployment/windows-deployment-scenarios-and-tools.md index a9089d86bc..91aaa460e8 100644 --- a/windows/deployment/windows-deployment-scenarios-and-tools.md +++ b/windows/deployment/windows-deployment-scenarios-and-tools.md @@ -5,13 +5,13 @@ ms.assetid: 0d6cee1f-14c4-4b69-b29a-43b0b327b877 ms.reviewer: manager: laurawi ms.audience: itpro +ms.author: greglin author: greg-lindsay keywords: deploy, volume activation, BitLocker, recovery, install, installation, VAMT, MDT, USMT, WDS ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library audience: itpro -author: greg-lindsay ms.topic: article --- diff --git a/windows/privacy/changes-to-windows-diagnostic-data-collection.md b/windows/privacy/changes-to-windows-diagnostic-data-collection.md index 61f9a5cf61..fe1e8ae442 100644 --- a/windows/privacy/changes-to-windows-diagnostic-data-collection.md +++ b/windows/privacy/changes-to-windows-diagnostic-data-collection.md 
@@ -64,10 +64,10 @@ A final set of changes includes two new policies that can help you fine-tune dia - The **Limit dump collection** policy is a new policy that can be used to limit the types of [crash dumps](https://docs.microsoft.com/windows/win32/dxtecharts/crash-dump-analysis) that can be sent back to Microsoft. If this policy is enabled, Windows Error Reporting will send only kernel mini dumps and user mode triage dumps. - Group Policy: Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > **Limit Dump Collection** - - MDM policy: System/ LimitDiagnosticLogCollection + - MDM policy: System/LimitDumpCollection - The **Limit diagnostic log collection** policy is another new policy that limits the number of diagnostic logs that are sent back to Microsoft. If this policy is enabled, diagnostic logs are not sent back to Microsoft. - Group Policy: Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > **Limit Diagnostic Log Collection** - - MDM policy: System/LimitDumpCollection + - MDM policy: System/LimitDiagnosticLogCollection >[!Important] >All of the changes mentioned in this section will not be released on versions of Windows, version 1809 and earlier as well as Windows Server 2019 and earlier. diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md index ba4a8aff28..d53f7dc795 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md 
@@ -152,7 +152,7 @@ For Windows 10, the following MDM policies are available in the [Policy CSP](htt 1. [ApplicationManagement/AllowAppStoreAutoUpdate](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-applicationmanagement#applicationmanagement-allowappstoreautoupdate). Specifies whether automatic update of apps from Microsoft Store are allowed. **Set to 0 (zero)** 1. **Apps for websites** - [ApplicationDefaults/EnableAppUriHandlers](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-applicationdefaults#applicationdefaults-enableappurihandlers). This policy setting determines whether Windows supports web-to-app linking with app URI handlers. **Set to 0 (zero)** 1. **Windows Update Delivery Optimization** - The following Delivery Optimization MDM policies are available in the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). - 1. [DeliveryOptimization/DODownloadMode](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deliveryoptimization#deliveryoptimization-dodownloadmode). Let’s you choose where Delivery Optimization gets or sends updates and apps. **Set to 100 (one hundred)** + 1. [DeliveryOptimization/DODownloadMode](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deliveryoptimization#deliveryoptimization-dodownloadmode). Let’s you choose where Delivery Optimization gets or sends updates and apps. **Set to 99 (ninety-nine)** 1. **Windows Update** 1. [Update/AllowAutoUpdate](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-allowautoupdate). Control automatic updates. **Set to 5 (five)** 1. Windows Update Allow Update Service - [Update/AllowUpdateService](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-allowupdateservice). Specifies whether the device could use Microsoft Update, Windows Server Update Services (WSUS), or Microsoft Store. **Set to 0 (zero)** 
diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
index 9969fd5ca2..956ca7dc78 100644
--- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
+++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
@@ -107,7 +107,7 @@ The following table lists management options for each setting, beginning with Wi
 | [25. Windows Spotlight](#bkmk-spotlight) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
 | [26. Microsoft Store](#bkmk-windowsstore) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
 | [27. Apps for websites](#bkmk-apps-for-websites) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| [28. Windows Update Delivery Optimization](#bkmk-updates) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| [28. Delivery Optimization](#bkmk-updates) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
 | [29. Windows Update](#bkmk-wu) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
@@ -217,7 +217,7 @@ See the following table for a summary of the management settings for Windows Ser
 | [25. Windows Spotlight](#bkmk-spotlight) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
 | [26. Microsoft Store](#bkmk-windowsstore) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
 | [27. Apps for websites](#bkmk-apps-for-websites) | | ![Check mark](images/checkmark.png) |![Check mark](images/checkmark.png) |
-| [28. Windows Update Delivery Optimization](#bkmk-updates) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| [28. Delivery Optimization](#bkmk-updates) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
 | [29. Windows Update](#bkmk-wu) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
 ## How to configure each setting
@@ -415,7 +415,7 @@ To turn off Insider Preview builds for Windows 10: ### 8. Internet Explorer > [!NOTE] ->When attempting to use Internet Explorer on any edition of Windows Server be aware there are restrictions enforced by [Enhanced Security Configuration (ESC)](https://support.microsoft.com/en-us/help/815141/ie-enhanced-security-configuration-changes-browsing-experience). The following Group Policies and Registry Keys are for user interactive scenarios rather than the typical idle traffic scenario. Find the Internet Explorer Group Policy objects under **Computer Configuration > Administrative Templates > Windows Components > Internet Explorer** and make these settings: +>When attempting to use Internet Explorer on any edition of Windows Server be aware there are restrictions enforced by [Enhanced Security Configuration (ESC)](https://support.microsoft.com/help/815141/ie-enhanced-security-configuration-changes-browsing-experience). The following Group Policies and Registry Keys are for user interactive scenarios rather than the typical idle traffic scenario. Find the Internet Explorer Group Policy objects under **Computer Configuration > Administrative Templates > Windows Components > Internet Explorer** and make these settings: | Policy | Description | |------------------------------------------------------|-----------------------------------------------------------------------------------------------------| 
@@ -1458,15 +1458,15 @@ To turn this Off in the UI: -OR- -- Create a REG_DWORD registry setting named **EnableActivityFeed** in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\System** with a **value of 2 (two)** +- Create a REG_DWORD registry setting named **EnableActivityFeed** in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\System** with a **value of 0 (zero)** -and- -- Create a REG_DWORD registry setting named **PublishUserActivities** in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\System** with a **value of 2 (two)** +- Create a REG_DWORD registry setting named **PublishUserActivities** in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\System** with a **value of 0 (zero)** -and- -- Create a REG_DWORD registry setting named **UploadUserActivities** in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\System** with a **value of 2 (two)** +- Create a REG_DWORD registry setting named **UploadUserActivities** in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\System** with a **value of 0 (zero)** ### 18.23 Voice Activation @@ -1560,7 +1560,7 @@ To turn off Messaging cloud sync: You can disable Teredo by using Group Policy or by using the netsh.exe command. For more info on Teredo, see [Internet Protocol Version 6, Teredo, and Related Technologies](https://technet.microsoft.com/library/cc722030.aspx). >[!NOTE] ->If you disable Teredo, some XBOX gaming features and Windows Update Delivery Optimization will not work. +>If you disable Teredo, some XBOX gaming features and Delivery Optimization (with Group or Internet peering) will not work. - **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Network** > **TCPIP Settings** > **IPv6 Transition Technologies** > **Set Teredo State** and set it to **Disabled State**. 
@@ -1664,7 +1664,7 @@ You can turn off **Enhanced Notifications** as follows: ### 24.1 Windows Defender SmartScreen -To disable Windows Defender Smartscreen: +To disable Windows Defender SmartScreen: In Group Policy, configure: 
@@ -1809,19 +1809,19 @@ You can turn off apps for websites, preventing customers who visit websites that - Create a new REG_DWORD registry setting named **EnableAppUriHandlers** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\System** with a **value of 0 (zero)**. -### 28. Windows Update Delivery Optimization +### 28. Delivery Optimization -Windows Update Delivery Optimization lets you get Windows updates and Microsoft Store apps from sources in addition to Microsoft, which not only helps when you have a limited or unreliable Internet connection, but can also help you reduce the amount of bandwidth needed to keep all of your organization's PCs up-to-date. If you have Delivery Optimization turned on, PCs on your network may send and receive updates and apps to other PCs on your local network, if you choose, or to PCs on the Internet. +Delivery Optimization is the downloader of Windows updates, Microsoft Store apps, Office and other content from Microsoft. Delivery Optimization can also download from sources in addition to Microsoft, which not only helps when you have a limited or unreliable Internet connection, but can also help you reduce the amount of bandwidth needed to keep all of your organization's PCs up-to-date. If you have Delivery Optimization Peer-to-Peer option turned on, PCs on your network may send and receive updates and apps to other PCs on your local network, if you choose, or to PCs on the Internet. -By default, PCs running Windows 10 Enterprise and Windows 10 Education will only use Delivery Optimization to get and receive updates for PCs and apps on your local network. +By default, PCs running Windows 10 will only use Delivery Optimization to get and receive updates for PCs and apps on your local network. Use the UI, Group Policy, or Registry Keys to set up Delivery Optimization. 
-In Windows 10 version 1607 and above you can stop network traffic related to Windows Update Delivery Optimization by setting **Download Mode** to **Bypass** (99), as described below. +In Windows 10 version 1607 and above you can stop network traffic related to Delivery Optimization Cloud Service by setting **Download Mode** to **Simple Mode** (99), as described below. ### 28.1 Settings > Update & security -You can set up Delivery Optimization from the **Settings** UI. +You can set up Delivery Optimization Peer-to-Peer from the **Settings** UI. - Go to **Settings** > **Update & security** > **Windows Update** > **Advanced options** > **Choose how updates are delivered**. @@ -1837,9 +1837,12 @@ You can find the Delivery Optimization Group Policy objects under **Computer Con | Max Cache Size | Lets you specify the maximum cache size as a percentage of disk size.
      The default value is 20, which represents 20% of the disk.| | Max Upload Bandwidth | Lets you specify the maximum upload bandwidth (in KB/second) that a device uses across all concurrent upload activity.
      The default value is 0, which means unlimited possible bandwidth.| + +For a comprehensive list of Delivery Optimization Policies, see [Delivery Optimization Reference](https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization-reference). + ### 28.3 Delivery Optimization -- **Enable** the **Download Mode** Group Policy under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Delivery Optimization** and set the **Download Mode** to **"Bypass"** to prevent traffic. +- **Enable** the **Download Mode** Group Policy under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Delivery Optimization** and set the **Download Mode** to **"Simple Mode (99)"** to prevent traffic between peers as well as traffic back to the Delivery Optimization Cloud Service. -or- @@ -1848,6 +1851,9 @@ You can find the Delivery Optimization Group Policy objects under **Computer Con For more info about Delivery Optimization in general, see [Windows Update Delivery Optimization: FAQ](https://go.microsoft.com/fwlink/p/?LinkId=730684). +For IT Professionals, information about Delivery Optimization is available here: [Delivery Optimization for Windows 10 updates] +(https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization). + ### 29. Windows Update You can turn off Windows Update by setting the following registry entries: diff --git a/windows/privacy/manage-windows-1903-endpoints.md b/windows/privacy/manage-windows-1903-endpoints.md index af34673c47..a2fffa2486 100644 --- a/windows/privacy/manage-windows-1903-endpoints.md +++ b/windows/privacy/manage-windows-1903-endpoints.md 
@@ -138,6 +138,7 @@ The following methodology was used to derive these network endpoints:
 |||HTTP \ HTTPS|g.live.com/1rewlive5skydrive/*|
 |||HTTP|msagfx.live.com|
 |||HTTPS|oneclient.sfx.ms|
+|||HTTP| windows.policies.live.net|
 |Settings|The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it. If you turn off traffic for this endpoint, an app that uses this endpoint may stop working.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)|
 |||HTTPS|cy2.settings.data.microsoft.com.akadns.net|
 |||HTTPS|settings.data.microsoft.com|
@@ -167,6 +168,7 @@ The following methodology was used to derive these network endpoints:
 |||HTTP|*.windowsupdate.com|
 ||The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store. If you turn off traffic for these endpoints, the device will not be able to connect to Windows Update and Microsoft Update to help keep the device secure. Also, the device will not be able to acquire and update apps from the Store. These are dependent on also enabling "Device authentication" and "Microsoft Account" endpoints.|HTTPS|*.delivery.mp.microsoft.com|
 |||HTTPS|*.update.microsoft.com|
+||The following endpoint is used for compatibility database updates for Windows.|HTTP|adl.windows.com|
 ||The following endpoint is used for content regulation. If you turn off traffic for this endpoint, the Windows Update Agent will be unable to contact the endpoint and fallback behavior will be used. This may result in content being either incorrectly downloaded or not downloaded at all.|HTTPS|tsfe.trafficshaping.dsp.mp.microsoft.com|
 ## Other Windows 10 editions
diff --git a/windows/privacy/manage-windows-1909-endpoints.md b/windows/privacy/manage-windows-1909-endpoints.md
index 92f03d2111..ba34b2d47b 100644
--- a/windows/privacy/manage-windows-1909-endpoints.md
+++ b/windows/privacy/manage-windows-1909-endpoints.md
@@ -96,6 +96,7 @@ The following methodology was used to derive these network endpoints:
 |||TLS v1.2|*g.live.com|
 |||HTTPS|oneclient.sfx.ms|
 |||HTTPS| logincdn.msauth.net|
+|||HTTP| windows.policies.live.net|
 |Settings|The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it. If you turn off traffic for this endpoint, an app that uses this endpoint may stop working.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)|
 |||TLS v1.2|settings-win.data.microsoft.com|
 |Skype|The following endpoint is used to retrieve Skype configuration values. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore)|
@@ -117,6 +118,7 @@ The following methodology was used to derive these network endpoints:
 |||HTTP|*.windowsupdate.com|
 ||The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store. If you turn off traffic for these endpoints, the device will not be able to connect to Windows Update and Microsoft Update to help keep the device secure. Also, the device will not be able to acquire and update apps from the Store. These are dependent on also enabling "Device authentication" and "Microsoft Account" endpoints.|HTTP|*.delivery.mp.microsoft.com|
 |||HTTPS/TLS v1.2|*.update.microsoft.com|
+||The following endpoint is used for compatibility database updates for Windows.|HTTP|adl.windows.com|
 ||The following endpoint is used for content regulation. If you turn off traffic for this endpoint, the Windows Update Agent will be unable to contact the endpoint and fallback behavior will be used. This may result in content being either incorrectly.|HTTPS/TLS v1.2|tsfe.trafficshaping.dsp.mp.microsoft.com|
 ## Other Windows 10 editions
diff --git a/windows/privacy/manage-windows-2004-endpoints.md b/windows/privacy/manage-windows-2004-endpoints.md
index 01990ccba5..5c4ad7c28d 100644
--- a/windows/privacy/manage-windows-2004-endpoints.md
+++ b/windows/privacy/manage-windows-2004-endpoints.md
@@ -71,7 +71,6 @@ The following methodology was used to derive these network endpoints:
 |||HTTPS|*licensing.mp.microsoft.com|
 |Maps|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-offlinemaps)|
 ||The following endpoints are used to check for updates to maps that have been downloaded for offline use. If you turn off traffic for this endpoint, offline maps will not be updated.|TLSv1.2|*maps.windows.com|
-|| The following endpoints are used to check for updates to maps that have been downloaded for offline use.|HTTP|fs.microsoft.com*|
 |Microsoft Account|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-microsoft-account)|
 ||The following endpoints are used for Microsoft accounts to sign in. If you turn off traffic for these endpoints, users cannot sign in with Microsoft accounts. |TLSv1.2|*login.live.com|
 |Microsoft forward link redirection service (FWLink)|The following endpoint is used by the Microsoft forward link redirection service (FWLink) to redirect permanent web links to their actual, sometimes transitory, URL. FWlinks are similar to URL shorteners, just longer. If you disable this endpoint, Windows Defender won't be able to update its malware definitions; links from Windows and other Microsoft products to the Web won't work; and PowerShell updateable Help won't update. To disable the traffic, instead disable the traffic that's getting forwarded.|HTTPS|go.microsoft.com|
diff --git a/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md b/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md
index 42ac740880..da656fd6ef 100644
--- a/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md
+++ b/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md
@@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 03/27/2020 +ms.date: 08/31/2020 --- @@ -38,6 +38,7 @@ Use this article to learn about diagnostic events, grouped by event area, and th You can learn more about Windows functional and diagnostic data through these articles: +- [Windows 10, version 1903 and Windows 10, version 1909 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1903.md) - [Windows 10, version 1809 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md) - [Windows 10, version 1803 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1803.md) - [Windows 10, version 1709 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1709.md) 
@@ -52,28 +53,290 @@ You can learn more about Windows functional and diagnostic data through these ar ### Microsoft.Windows.Appraiser.General.ChecksumTotalPictureCount -This event lists the types of objects and how many of each exist on the client device. This allows for a quick way to ensure that the records present on the server match what is present on the client. +This event lists the types of objects and how many of each exist on the client device. This allows for a quick way to ensure that the records present on the server match what is present on the client. The data collected with this event is used to help keep Windows up to date. The following fields are available: +- **DatasourceApplicationFile_19H1** The count of the number of this particular object type present on this device. +- **DatasourceApplicationFile_19H1Setup** The count of the number of this particular object type present on this device. +- **DatasourceApplicationFile_20H1** The count of the number of this particular object type present on this device. +- **DatasourceApplicationFile_20H1Setup** The count of the number of this particular object type present on this device. +- **DatasourceApplicationFile_21H1** The count of the number of this particular object type present on this device. - **DatasourceApplicationFile_21H1Setup** The count of the number of this particular object type present on this device. +- **DatasourceApplicationFile_RS1** An ID for the system, calculated by hashing hardware identifiers. +- **DatasourceApplicationFile_RS2** An ID for the system, calculated by hashing hardware identifiers. +- **DatasourceApplicationFile_RS3** The count of the number of this particular object type present on this device. +- **DatasourceApplicationFile_RS4** The count of the number of this particular object type present on this device. +- **DatasourceApplicationFile_RS5** The count of the number of this particular object type present on this device. 
+- **DatasourceApplicationFile_TH1** The count of the number of this particular object type present on this device. +- **DatasourceApplicationFile_TH2** The count of the number of this particular object type present on this device. +- **DatasourceDevicePnp_19H1** The count of the number of this particular object type present on this device. +- **DatasourceDevicePnp_19H1Setup** The count of the number of this particular object type present on this device. +- **DatasourceDevicePnp_20H1** The count of the number of this particular object type present on this device. +- **DatasourceDevicePnp_20H1Setup** The count of the number of this particular object type present on this device. +- **DatasourceDevicePnp_21H1** The count of the number of this particular object type present on this device. - **DatasourceDevicePnp_21H1Setup** The count of the number of this particular object type present on this device. +- **DatasourceDevicePnp_RS1** The total DataSourceDevicePnp objects targeting Windows 10 version 1607 on this device. +- **DatasourceDevicePnp_RS2** The count of the number of this particular object type present on this device. +- **DatasourceDevicePnp_RS3** The count of the number of this particular object type present on this device. +- **DatasourceDevicePnp_RS4** The count of the number of this particular object type present on this device. +- **DatasourceDevicePnp_RS4Setup** The count of the number of this particular object type present on this device. +- **DatasourceDevicePnp_RS5** The count of the number of this particular object type present on this device. +- **DatasourceDevicePnp_RS5Setup** The count of the number of this particular object type present on this device. +- **DatasourceDevicePnp_TH1** The count of the number of this particular object type present on this device. +- **DatasourceDevicePnp_TH2** The count of the number of this particular object type present on this device. 
+- **DatasourceDriverPackage_19H1** The count of the number of this particular object type present on this device. +- **DatasourceDriverPackage_19H1Setup** The count of the number of this particular object type present on this device. +- **DatasourceDriverPackage_20H1** The count of the number of this particular object type present on this device. +- **DatasourceDriverPackage_20H1Setup** The count of the number of this particular object type present on this device. +- **DatasourceDriverPackage_21H1** The count of the number of this particular object type present on this device. - **DatasourceDriverPackage_21H1Setup** The count of the number of this particular object type present on this device. +- **DatasourceDriverPackage_RS1** The total DataSourceDriverPackage objects targeting Windows 10 version 1607 on this device. +- **DatasourceDriverPackage_RS2** The total DataSourceDriverPackage objects targeting Windows 10, version 1703 on this device. +- **DatasourceDriverPackage_RS3** The count of the number of this particular object type present on this device. +- **DatasourceDriverPackage_RS4** The count of the number of this particular object type present on this device. +- **DatasourceDriverPackage_RS4Setup** The count of the number of this particular object type present on this device. +- **DatasourceDriverPackage_RS5** The count of the number of this particular object type present on this device. +- **DatasourceDriverPackage_RS5Setup** The count of the number of this particular object type present on this device. +- **DatasourceDriverPackage_TH1** The count of the number of this particular object type present on this device. +- **DatasourceDriverPackage_TH2** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoBlock_19H1** The count of the number of this particular object type present on this device. 
+- **DataSourceMatchingInfoBlock_19H1Setup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoBlock_20H1** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoBlock_20H1Setup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoBlock_21H1** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoBlock_21H1Setup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoBlock_RS1** The total DataSourceMatchingInfoBlock objects targeting Windows 10 version 1607 on this device. +- **DataSourceMatchingInfoBlock_RS2** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoBlock_RS3** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoBlock_RS4** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoBlock_RS5** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoBlock_TH1** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoBlock_TH2** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPassive_19H1** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPassive_19H1Setup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPassive_20H1** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPassive_20H1Setup** The count of the number of this particular object type present on this device. 
+- **DataSourceMatchingInfoPassive_21H1** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoPassive_21H1Setup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPassive_RS1** The total DataSourceMatchingInfoPassive objects targeting Windows 10 version 1607 on this device. +- **DataSourceMatchingInfoPassive_RS2** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPassive_RS3** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPassive_RS4** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPassive_RS5** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPassive_TH1** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPassive_TH2** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPostUpgrade_19H1** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPostUpgrade_19H1Setup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPostUpgrade_20H1** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPostUpgrade_20H1Setup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPostUpgrade_21H1** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoPostUpgrade_21H1Setup** The count of the number of this particular object type present on this device. 
+- **DataSourceMatchingInfoPostUpgrade_RS1** The total DataSourceMatchingInfoPostUpgrade objects targeting Windows 10 version 1607 on this device. +- **DataSourceMatchingInfoPostUpgrade_RS2** The total DataSourceMatchingInfoPostUpgrade objects targeting Windows 10 version 1703 on this device. +- **DataSourceMatchingInfoPostUpgrade_RS3** The total DataSourceMatchingInfoPostUpgrade objects targeting Windows 10 version 1709 on this device. +- **DataSourceMatchingInfoPostUpgrade_RS4** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPostUpgrade_RS5** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPostUpgrade_TH1** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPostUpgrade_TH2** The count of the number of this particular object type present on this device. +- **DatasourceSystemBios_19H1** The count of the number of this particular object type present on this device. +- **DatasourceSystemBios_19H1Setup** The count of the number of this particular object type present on this device. +- **DatasourceSystemBios_20H1** The count of the number of this particular object type present on this device. +- **DatasourceSystemBios_20H1Setup** The count of the number of this particular object type present on this device. +- **DatasourceSystemBios_21H1** The count of the number of this particular object type present on this device. - **DatasourceSystemBios_21H1Setup** The count of the number of this particular object type present on this device. +- **DatasourceSystemBios_RS1** The total DatasourceSystemBios objects targeting Windows 10 version 1607 present on this device. +- **DatasourceSystemBios_RS2** The total DatasourceSystemBios objects targeting Windows 10 version 1703 present on this device. 
+- **DatasourceSystemBios_RS3** The total DatasourceSystemBios objects targeting Windows 10 version 1709 present on this device. +- **DatasourceSystemBios_RS4** The count of the number of this particular object type present on this device. +- **DatasourceSystemBios_RS4Setup** The count of the number of this particular object type present on this device. +- **DatasourceSystemBios_RS5** The count of the number of this particular object type present on this device. +- **DatasourceSystemBios_RS5Setup** The count of the number of this particular object type present on this device. +- **DatasourceSystemBios_TH1** The count of the number of this particular object type present on this device. +- **DatasourceSystemBios_TH2** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_19H1** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_19H1Setup** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_20H1** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_20H1Setup** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_21H1** The count of the number of this particular object type present on this device. - **DecisionApplicationFile_21H1Setup** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_RS1** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_RS2** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_RS3** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_RS4** The count of the number of this particular object type present on this device. 
+- **DecisionApplicationFile_RS5** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_TH1** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_TH2** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_19H1** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_19H1Setup** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_20H1** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_20H1Setup** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_21H1** The count of the number of this particular object type present on this device. - **DecisionDevicePnp_21H1Setup** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_RS1** The total DecisionDevicePnp objects targeting Windows 10 version 1607 on this device. +- **DecisionDevicePnp_RS2** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_RS3** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_RS4** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_RS4Setup** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_RS5** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_RS5Setup** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_TH1** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_TH2** The count of the number of this particular object type present on this device. 
+- **DecisionDriverPackage_19H1** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_19H1Setup** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_20H1** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_20H1Setup** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_21H1** The count of the number of this particular object type present on this device. - **DecisionDriverPackage_21H1Setup** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_RS1** The total DecisionDriverPackage objects targeting Windows 10 version 1607 on this device. +- **DecisionDriverPackage_RS2** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_RS3** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_RS4** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_RS4Setup** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_RS5** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_RS5Setup** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_TH1** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_TH2** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoBlock_19H1** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoBlock_19H1Setup** The count of the number of this particular object type present on this device. 
+- **DecisionMatchingInfoBlock_20H1** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoBlock_20H1Setup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoBlock_21H1** The count of the number of this particular object type present on this device. - **DecisionMatchingInfoBlock_21H1Setup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoBlock_RS1** The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1607 present on this device. +- **DecisionMatchingInfoBlock_RS2** The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1703 present on this device. +- **DecisionMatchingInfoBlock_RS3** The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1709 present on this device. +- **DecisionMatchingInfoBlock_RS4** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoBlock_RS5** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoBlock_TH1** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoBlock_TH2** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPassive_19H1** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPassive_19H1Setup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPassive_20H1** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPassive_20H1Setup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPassive_21H1** The count of the number of this particular object type present on this device. 
- **DecisionMatchingInfoPassive_21H1Setup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPassive_RS1** The total DecisionMatchingInfoPassive objects targeting Windows 10 version 1607 on this device. +- **DecisionMatchingInfoPassive_RS2** The total DecisionMatchingInfoPassive objects targeting Windows 10 version 1703 on this device. +- **DecisionMatchingInfoPassive_RS3** The total DecisionMatchingInfoPassive objects targeting Windows 10 version 1803 on this device. +- **DecisionMatchingInfoPassive_RS4** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPassive_RS5** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPassive_TH1** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPassive_TH2** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPostUpgrade_19H1** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPostUpgrade_19H1Setup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPostUpgrade_20H1** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPostUpgrade_20H1Setup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPostUpgrade_21H1** The count of the number of this particular object type present on this device. - **DecisionMatchingInfoPostUpgrade_21H1Setup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPostUpgrade_RS1** The total DecisionMatchingInfoPostUpgrade objects targeting Windows 10 version 1607 on this device. 
+- **DecisionMatchingInfoPostUpgrade_RS2** The total DecisionMatchingInfoPostUpgrade objects targeting Windows 10 version 1703 on this device. +- **DecisionMatchingInfoPostUpgrade_RS3** The total DecisionMatchingInfoPostUpgrade objects targeting Windows 10 version 1709 on this device. +- **DecisionMatchingInfoPostUpgrade_RS4** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPostUpgrade_RS5** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPostUpgrade_TH1** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPostUpgrade_TH2** The count of the number of this particular object type present on this device. +- **DecisionMediaCenter_19H1** The count of the number of this particular object type present on this device. +- **DecisionMediaCenter_19H1Setup** The total DecisionMediaCenter objects targeting the next release of Windows on this device. +- **DecisionMediaCenter_20H1** The count of the number of this particular object type present on this device. +- **DecisionMediaCenter_20H1Setup** The count of the number of this particular object type present on this device. +- **DecisionMediaCenter_21H1** The count of the number of this particular object type present on this device. - **DecisionMediaCenter_21H1Setup** The count of the number of this particular object type present on this device. +- **DecisionMediaCenter_RS1** The total DecisionMediaCenter objects targeting Windows 10 version 1607 present on this device. +- **DecisionMediaCenter_RS2** The total DecisionMediaCenter objects targeting Windows 10 version 1703 present on this device. +- **DecisionMediaCenter_RS3** The total DecisionMediaCenter objects targeting Windows 10 version 1709 present on this device. +- **DecisionMediaCenter_RS4** The count of the number of this particular object type present on this device. 
+- **DecisionMediaCenter_RS5** The count of the number of this particular object type present on this device. +- **DecisionMediaCenter_TH1** The count of the number of this particular object type present on this device. +- **DecisionMediaCenter_TH2** The count of the number of this particular object type present on this device. +- **DecisionSystemBios_19H1** The count of the number of this particular object type present on this device. +- **DecisionSystemBios_19H1Setup** The total DecisionSystemBios objects targeting the next release of Windows on this device. +- **DecisionSystemBios_20H1** The count of the number of this particular object type present on this device. +- **DecisionSystemBios_20H1Setup** The count of the number of this particular object type present on this device. +- **DecisionSystemBios_21H1** The count of the number of this particular object type present on this device. - **DecisionSystemBios_21H1Setup** The count of the number of this particular object type present on this device. +- **DecisionSystemBios_RS1** The total DecisionSystemBios objects targeting Windows 10 version 1607 on this device. +- **DecisionSystemBios_RS2** The total DecisionSystemBios objects targeting Windows 10 version 1703 on this device. +- **DecisionSystemBios_RS3** The total DecisionSystemBios objects targeting Windows 10 version 1709 on this device. +- **DecisionSystemBios_RS4** The total DecisionSystemBios objects targeting Windows 10 version, 1803 present on this device. +- **DecisionSystemBios_RS4Setup** The total DecisionSystemBios objects targeting the next release of Windows on this device. +- **DecisionSystemBios_RS5** The total DecisionSystemBios objects targeting the next release of Windows on this device. +- **DecisionSystemBios_RS5Setup** The count of the number of this particular object type present on this device. +- **DecisionSystemBios_TH1** The count of the number of this particular object type present on this device. 
+- **DecisionSystemBios_TH2** The count of the number of this particular object type present on this device. +- **DecisionTest_20H1Setup** The count of the number of this particular object type present on this device. +- **DecisionTest_21H1** The count of the number of this particular object type present on this device. - **DecisionTest_21H1Setup** The count of the number of this particular object type present on this device. +- **InventoryApplicationFile** The count of the number of this particular object type present on this device. +- **InventoryLanguagePack** The count of the number of this particular object type present on this device. +- **InventoryMediaCenter** The count of the number of this particular object type present on this device. +- **InventorySystemBios** The count of the number of this particular object type present on this device. +- **InventoryTest** The count of the number of this particular object type present on this device. +- **InventoryUplevelDriverPackage** The count of the number of this particular object type present on this device. - **PCFP** The count of the number of this particular object type present on this device. +- **SystemMemory** The count of the number of this particular object type present on this device. +- **SystemProcessorCompareExchange** The count of the number of this particular object type present on this device. +- **SystemProcessorLahfSahf** The count of the number of this particular object type present on this device. +- **SystemProcessorNx** The total number of objects of this type present on this device. +- **SystemProcessorPrefetchW** The total number of objects of this type present on this device. +- **SystemProcessorSse2** The total number of objects of this type present on this device. +- **SystemTouch** The count of the number of this particular object type present on this device. +- **SystemWim** The total number of objects of this type present on this device. 
+- **SystemWindowsActivationStatus** The count of the number of this particular object type present on this device. +- **SystemWlan** The total number of objects of this type present on this device. +- **Wmdrm_19H1** The count of the number of this particular object type present on this device. +- **Wmdrm_19H1Setup** The total Wmdrm objects targeting the next release of Windows on this device. +- **Wmdrm_20H1** The count of the number of this particular object type present on this device. +- **Wmdrm_20H1Setup** The total Wmdrm objects targeting the next release of Windows on this device. +- **Wmdrm_21H1** The count of the number of this particular object type present on this device. - **Wmdrm_21H1Setup** The count of the number of this particular object type present on this device. +- **Wmdrm_RS1** An ID for the system, calculated by hashing hardware identifiers. +- **Wmdrm_RS2** An ID for the system, calculated by hashing hardware identifiers. +- **Wmdrm_RS3** An ID for the system, calculated by hashing hardware identifiers. +- **Wmdrm_RS4** The total Wmdrm objects targeting Windows 10, version 1803 present on this device. +- **Wmdrm_RS5** The count of the number of this particular object type present on this device. +- **Wmdrm_TH1** The count of the number of this particular object type present on this device. +- **Wmdrm_TH2** The count of the number of this particular object type present on this device. + + +### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileAdd + +This event represents the basic metadata about specific application files installed on the system. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file that is generating the events. +- **AvDisplayName** If the app is an anti-virus app, this is its display name. 
+- **CompatModelIndex** The compatibility prediction for this file. +- **HasCitData** Indicates whether the file is present in CIT data. +- **HasUpgradeExe** Indicates whether the anti-virus app has an upgrade.exe file. +- **IsAv** Is the file an anti-virus reporting EXE? +- **ResolveAttempted** This will always be an empty string when sending diagnostic data. +- **SdbEntries** An array of fields that indicates the SDB entries that apply to this file. + + +### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileRemove + +This event indicates that the DatasourceApplicationFile object is no longer present. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileStartSync + +This event indicates that a new set of DatasourceApplicationFileAdd events will be sent. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. ### Microsoft.Windows.Appraiser.General.DatasourceDevicePnpAdd 
@@ -85,27 +348,16 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic The following fields are available: - **ActiveNetworkConnection** Indicates whether the device is an active network device. -- **CosDeviceRating** An enumeration that indicates if there is a driver on the target operating system. -- **CosDeviceSolution** An enumeration that indicates how a driver on the target operating system is available. -- **CosDeviceSolutionUrl** Microsoft.Windows.Appraiser.General.DatasourceDevicePnpAdd . Empty string -- **CosPopulatedFromId** The expected uplevel driver matching ID based on driver coverage data. +- **AppraiserVersion** The version of the appraiser file generating the events. - **IsBootCritical** Indicates whether the device boot is critical. -- **UplevelInboxDriver** Indicates whether there is a driver uplevel for this device. - **WuDriverCoverage** Indicates whether there is a driver uplevel for this device, according to Windows Update. - **WuDriverUpdateId** The Windows Update ID of the applicable uplevel driver. - **WuPopulatedFromId** The expected uplevel driver matching ID based on driver coverage from Windows Update. -### Microsoft.Windows.Appraiser.General.DatasourceDriverPackageAdd +### Microsoft.Windows.Appraiser.General.DatasourceDevicePnpRemove -This event sends compatibility database data about driver packages to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - - -### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveRemove - -This event indicates that the DataSourceMatchingInfoPassive object is no longer present. +This event indicates that the DatasourceDevicePnp object is no longer present. The data collected with this event is used to help keep Windows up to date. This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). 
@@ -114,11 +366,1316 @@ The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. +### Microsoft.Windows.Appraiser.General.DatasourceDevicePnpStartSync + +This event indicates that a new set of DatasourceDevicePnpAdd events will be sent. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DatasourceDriverPackageAdd + +This event sends compatibility database data about driver packages to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. + + +### Microsoft.Windows.Appraiser.General.DatasourceDriverPackageRemove + +This event indicates that the DatasourceDriverPackage object is no longer present. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DatasourceDriverPackageStartSync + +This event indicates that a new set of DatasourceDriverPackageAdd events will be sent. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. 
+
+
+### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockAdd
+
+This event sends blocking data about any compatibility blocking entries on the system that are not directly related to specific applications or devices, to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the appraiser file generating the events.
+- **ResolveAttempted** This will always be an empty string when sending diagnostic data.
+
+
+### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockRemove
+
+This event indicates that the DataSourceMatchingInfoBlock object is no longer present. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockStartSync
+
+This event indicates that a full set of DataSourceMatchingInfoBlockStAdd events has completed being sent. This event is used to make compatibility decisions about files to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveAdd
+
+This event sends compatibility database information about non-blocking compatibility entries on the system that are not keyed by either applications or devices, to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the appraiser file generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveRemove
+
+This event indicates that the DataSourceMatchingInfoPassive object is no longer present. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveStartSync
+
+This event indicates that a new set of DataSourceMatchingInfoPassiveAdd events will be sent. This event is used to make compatibility decisions about files to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeAdd
+
+This event sends compatibility database information about entries requiring reinstallation after an upgrade on the system that are not keyed by either applications or devices, to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the appraiser file generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeStartSync
+
+This event indicates that a new set of DataSourceMatchingInfoPostUpgradeAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosAdd
+
+This event sends compatibility database information about the BIOS to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosStartSync
+
+This event indicates that a new set of DatasourceSystemBiosAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionApplicationFileAdd
+
+This event sends compatibility decision data about a file to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the appraiser file that is generating the events.
+- **BlockAlreadyInbox** The uplevel runtime block on the file already existed on the current OS.
+- **BlockingApplication** Indicates whether there are any application issues that interfere with the upgrade due to the file in question.
+- **DisplayGenericMessage** Will be a generic message be shown for this file?
+- **DisplayGenericMessageGated** Indicates whether a generic message be shown for this file.
+- **HardBlock** This file is blocked in the SDB.
+- **HasUxBlockOverride** Does the file have a block that is overridden by a tag in the SDB?
+- **MigApplication** Does the file have a MigXML from the SDB associated with it that applies to the current upgrade mode?
+- **MigRemoval** Does the file have a MigXML from the SDB that will cause the app to be removed on upgrade?
+- **NeedsDismissAction** Will the file cause an action that can be dismissed?
+- **NeedsInstallPostUpgradeData** After upgrade, the file will have a post-upgrade notification to install a replacement for the app.
+- **NeedsNotifyPostUpgradeData** Does the file have a notification that should be shown after upgrade?
+- **NeedsReinstallPostUpgradeData** After upgrade, this file will have a post-upgrade notification to reinstall the app.
+- **NeedsUninstallAction** The file must be uninstalled to complete the upgrade.
+- **SdbBlockUpgrade** The file is tagged as blocking upgrade in the SDB,
+- **SdbBlockUpgradeCanReinstall** The file is tagged as blocking upgrade in the SDB. It can be reinstalled after upgrade.
+- **SdbBlockUpgradeUntilUpdate** The file is tagged as blocking upgrade in the SDB. If the app is updated, the upgrade can proceed.
+- **SdbReinstallUpgrade** The file is tagged as needing to be reinstalled after upgrade in the SDB. It does not block upgrade.
+- **SdbReinstallUpgradeWarn** The file is tagged as needing to be reinstalled after upgrade with a warning in the SDB. It does not block upgrade.
+- **SoftBlock** The file is softblocked in the SDB and has a warning.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionApplicationFileRemove
+
+This event indicates that the DecisionApplicationFile object is no longer present. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionApplicationFileStartSync
+
+This event indicates that a new set of DecisionApplicationFileAdd events will be sent. This event is used to make compatibility decisions about a file to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionDevicePnpAdd
+
+This event sends compatibility decision data about a Plug and Play (PNP) device to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the appraiser file generating the events.
+- **AssociatedDriverIsBlocked** Is the driver associated with this PNP device blocked?
+- **AssociatedDriverWillNotMigrate** Will the driver associated with this plug-and-play device migrate?
+- **BlockAssociatedDriver** Should the driver associated with this PNP device be blocked?
+- **BlockingDevice** Is this PNP device blocking upgrade?
+- **BlockUpgradeIfDriverBlocked** Is the PNP device both boot critical and does not have a driver included with the OS?
+- **BlockUpgradeIfDriverBlockedAndOnlyActiveNetwork** Is this PNP device the only active network device?
+- **DisplayGenericMessage** Will a generic message be shown during Setup for this PNP device?
+- **DisplayGenericMessageGated** Indicates whether a generic message will be shown during Setup for this PNP device.
+- **DriverAvailableInbox** Is a driver included with the operating system for this PNP device?
+- **DriverAvailableOnline** Is there a driver for this PNP device on Windows Update?
+- **DriverAvailableUplevel** Is there a driver on Windows Update or included with the operating system for this PNP device?
+- **DriverBlockOverridden** Is there is a driver block on the device that has been overridden?
+- **NeedsDismissAction** Will the user would need to dismiss a warning during Setup for this device?
+- **NotRegressed** Does the device have a problem code on the source OS that is no better than the one it would have on the target OS?
+- **SdbDeviceBlockUpgrade** Is there an SDB block on the PNP device that blocks upgrade?
+- **SdbDriverBlockOverridden** Is there an SDB block on the PNP device that blocks upgrade, but that block was overridden?
+
+
+### Microsoft.Windows.Appraiser.General.DecisionDevicePnpRemove
+
+This event Indicates that the DecisionDevicePnp object represented by the objectInstanceId is no longer present. This event is used to make compatibility decisions about PNP devices to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionDevicePnpStartSync
+
+This event indicates that a new set of DecisionDevicePnpAdd events will be sent. This event is used to make compatibility decisions about PNP devices to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionDriverPackageAdd
+
+This event sends decision data about driver package compatibility to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the appraiser file generating the events.
+- **DisplayGenericMessageGated** Indicates whether a generic offer block message will be shown for this driver package.
+- **DriverBlockOverridden** Does the driver package have an SDB block that blocks it from migrating, but that block has been overridden?
+- **DriverIsDeviceBlocked** Was the driver package was blocked because of a device block?
+- **DriverIsDriverBlocked** Is the driver package blocked because of a driver block?
+- **DriverIsTroubleshooterBlocked** Indicates whether the driver package is blocked because of a troubleshooter block.
+- **DriverShouldNotMigrate** Should the driver package be migrated during upgrade?
+- **SdbDriverBlockOverridden** Does the driver package have an SDB block that blocks it from migrating, but that block has been overridden?
+
+
+### Microsoft.Windows.Appraiser.General.DecisionDriverPackageRemove
+
+This event indicates that the DecisionDriverPackage object represented by the objectInstanceId is no longer present. This event is used to make compatibility decisions about driver packages to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionDriverPackageStartSync
+
+The DecisionDriverPackageStartSync event indicates that a new set of DecisionDriverPackageAdd events will be sent. This event is used to make compatibility decisions about driver packages to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockAdd
+
+This event sends compatibility decision data about blocking entries on the system that are not keyed by either applications or devices, to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the appraiser file generating the events.
+- **BlockingApplication** Are there are any application issues that interfere with upgrade due to matching info blocks?
+- **DisplayGenericMessage** Will a generic message be shown for this block?
+- **NeedsDismissAction** Will the file cause an action that can be dismissed?
+- **NeedsUninstallAction** Does the user need to take an action in setup due to a matching info block?
+- **SdbBlockUpgrade** Is a matching info block blocking upgrade?
+- **SdbBlockUpgradeCanReinstall** Is a matching info block blocking upgrade, but has the can reinstall tag?
+- **SdbBlockUpgradeUntilUpdate** Is a matching info block blocking upgrade but has the until update tag?
+- **SdbReinstallUpgradeWarn** The file is tagged as needing to be reinstalled after upgrade with a warning in the SDB. It does not block upgrade.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockRemove
+
+This event indicates that the DecisionMatchingInfoBlock object is no longer present. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockStartSync
+
+This event indicates that a new set of DecisionMatchingInfoBlockAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveAdd
+
+This event sends compatibility decision data about non-blocking entries on the system that are not keyed by either applications or devices, to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+- **BlockingApplication** Are there any application issues that interfere with upgrade due to matching info blocks?
+- **DisplayGenericMessageGated** Indicates whether a generic offer block message will be shown due to matching info blocks.
+- **MigApplication** Is there a matching info block with a mig for the current mode of upgrade?
+
+
+### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveRemove
+
+This event Indicates that the DecisionMatchingInfoPassive object is no longer present. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveStartSync
+
+This event indicates that a new set of DecisionMatchingInfoPassiveAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeAdd
+
+This event sends compatibility decision data about entries that require reinstall after upgrade. It's used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+- **NeedsInstallPostUpgradeData** Will the file have a notification after upgrade to install a replacement for the app?
+- **NeedsNotifyPostUpgradeData** Should a notification be shown for this file after upgrade?
+- **NeedsReinstallPostUpgradeData** Will the file have a notification after upgrade to reinstall the app?
+- **SdbReinstallUpgrade** The file is tagged as needing to be reinstalled after upgrade in the compatibility database (but is not blocking upgrade).
+
+
+### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeStartSync
+
+This event indicates that a new set of DecisionMatchingInfoPostUpgradeAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionMediaCenterAdd
+
+This event sends decision data about the presence of Windows Media Center, to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file generating the events.
+- **BlockingApplication** Is there any application issues that interfere with upgrade due to Windows Media Center?
+- **MediaCenterActivelyUsed** If Windows Media Center is supported on the edition, has it been run at least once and are the MediaCenterIndicators are true?
+- **MediaCenterIndicators** Do any indicators imply that Windows Media Center is in active use?
+- **MediaCenterInUse** Is Windows Media Center actively being used?
+- **MediaCenterPaidOrActivelyUsed** Is Windows Media Center actively being used or is it running on a supported edition?
+- **NeedsDismissAction** Are there any actions that can be dismissed coming from Windows Media Center?
+
+
+### Microsoft.Windows.Appraiser.General.DecisionMediaCenterStartSync
+
+This event indicates that a new set of DecisionMediaCenterAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionSystemBiosAdd
+
+This event sends compatibility decision data about the BIOS to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file generating the events.
+- **Blocking** Is the device blocked from upgrade due to a BIOS block?
+- **DisplayGenericMessageGated** Indicates whether a generic offer block message will be shown for the bios.
+- **HasBiosBlock** Does the device have a BIOS block?
+
+
+### Microsoft.Windows.Appraiser.General.DecisionSystemBiosStartSync
+
+This event indicates that a new set of DecisionSystemBiosAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.GatedRegChange
+
+This event sends data about the results of running a set of quick-blocking instructions, to help keep Windows up to date.
+
+The following fields are available:
+
+- **NewData** The data in the registry value after the scan completed.
+- **OldData** The previous data in the registry value before the scan ran.
+- **PCFP** An ID for the system calculated by hashing hardware identifiers.
+- **RegKey** The registry key name for which a result is being sent.
+- **RegValue** The registry value for which a result is being sent.
+- **Time** The client time of the event.
+
+
+### Microsoft.Windows.Appraiser.General.InventoryApplicationFileAdd
+
+This event represents the basic metadata about a file on the system. The file must be part of an app and either have a block in the compatibility database or be part of an antivirus program. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file generating the events.
+- **AvDisplayName** If the app is an antivirus app, this is its display name.
+- **AvProductState** Indicates whether the antivirus program is turned on and the signatures are up to date.
+- **BinaryType** A binary type. Example: UNINITIALIZED, ZERO_BYTE, DATA_ONLY, DOS_MODULE, NE16_MODULE, PE32_UNKNOWN, PE32_I386, PE32_ARM, PE64_UNKNOWN, PE64_AMD64, PE64_ARM64, PE64_IA64, PE32_CLR_32, PE32_CLR_IL, PE32_CLR_IL_PREFER32, PE64_CLR_64.
+- **BinFileVersion** An attempt to clean up FileVersion at the client that tries to place the version into 4 octets.
+- **BinProductVersion** An attempt to clean up ProductVersion at the client that tries to place the version into 4 octets.
+- **BoeProgramId** If there is no entry in Add/Remove Programs, this is the ProgramID that is generated from the file metadata.
+- **CompanyName** The company name of the vendor who developed this file.
+- **FileId** A hash that uniquely identifies a file.
+- **FileVersion** The File version field from the file metadata under Properties -> Details.
+- **HasUpgradeExe** Indicates whether the antivirus app has an upgrade.exe file.
+- **IsAv** Indicates whether the file an antivirus reporting EXE.
+- **LinkDate** The date and time that this file was linked on.
+- **LowerCaseLongPath** The full file path to the file that was inventoried on the device.
+- **Name** The name of the file that was inventoried.
+- **ProductName** The Product name field from the file metadata under Properties -> Details.
+- **ProductVersion** The Product version field from the file metadata under Properties -> Details.
+- **ProgramId** A hash of the Name, Version, Publisher, and Language of an application used to identify it.
+- **Size** The size of the file (in hexadecimal bytes).
+
+
+### Microsoft.Windows.Appraiser.General.InventoryApplicationFileRemove
+
+This event indicates that the InventoryApplicationFile object is no longer present. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.InventoryApplicationFileStartSync
+
+This event indicates that a new set of InventoryApplicationFileAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.InventoryLanguagePackAdd
+
+This event sends data about the number of language packs installed on the system, to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+- **HasLanguagePack** Indicates whether this device has 2 or more language packs.
+- **LanguagePackCount** The number of language packs are installed.
+
+
+### Microsoft.Windows.Appraiser.General.InventoryLanguagePackRemove
+
+This event indicates that the InventoryLanguagePack object is no longer present. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.InventoryLanguagePackStartSync
+
+This event indicates that a new set of InventoryLanguagePackAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.InventoryMediaCenterAdd
+
+This event sends true/false data about decision points used to understand whether Windows Media Center is used on the system, to help keep Windows up to date.
+ +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file generating the events. +- **EverLaunched** Has Windows Media Center ever been launched? +- **HasConfiguredTv** Has the user configured a TV tuner through Windows Media Center? +- **HasExtendedUserAccounts** Are any Windows Media Center Extender user accounts configured? +- **HasWatchedFolders** Are any folders configured for Windows Media Center to watch? +- **IsDefaultLauncher** Is Windows Media Center the default app for opening music or video files? +- **IsPaid** Is the user running a Windows Media Center edition that implies they paid for Windows Media Center? +- **IsSupported** Does the running OS support Windows Media Center? + + +### Microsoft.Windows.Appraiser.General.InventoryMediaCenterRemove + +This event indicates that the InventoryMediaCenter object is no longer present. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.InventoryMediaCenterStartSync + +This event indicates that a new set of InventoryMediaCenterAdd events will be sent. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.InventorySystemBiosAdd + +This event sends basic metadata about the BIOS to determine whether it has a compatibility block. 
The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **biosDate** The release date of the BIOS in UTC format. +- **BiosDate** The release date of the BIOS in UTC format. +- **biosName** The name field from Win32_BIOS. +- **BiosName** The name field from Win32_BIOS. +- **manufacturer** The manufacturer field from Win32_ComputerSystem. +- **Manufacturer** The manufacturer field from Win32_ComputerSystem. +- **model** The model field from Win32_ComputerSystem. +- **Model** The model field from Win32_ComputerSystem. + + +### Microsoft.Windows.Appraiser.General.InventorySystemBiosStartSync + +This event indicates that a new set of InventorySystemBiosAdd events will be sent. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser binary (executable) generating the events. + + +### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageAdd + +This event runs only during setup. It provides a listing of the uplevel driver packages that were downloaded before the upgrade. It is critical in understanding if failures in setup can be traced to not having sufficient uplevel drivers before the upgrade. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **BootCritical** Is the driver package marked as boot critical? 
+- **Build** The build value from the driver package.
+- **CatalogFile** The name of the catalog file within the driver package.
+- **Class** The device class from the driver package.
+- **ClassGuid** The device class unique ID from the driver package.
+- **Date** The date from the driver package.
+- **Inbox** Is the driver package of a driver that is included with Windows?
+- **OriginalName** The original name of the INF file before it was renamed. Generally a path under $WINDOWS.~BT\Drivers\DU.
+- **Provider** The provider of the driver package.
+- **PublishedName** The name of the INF file after it was renamed.
+- **Revision** The revision of the driver package.
+- **SignatureStatus** Indicates if the driver package is signed. Unknown = 0, Unsigned = 1, Signed = 2.
+- **VersionMajor** The major version of the driver package.
+- **VersionMinor** The minor version of the driver package.
+
+
+### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageRemove
+
+This event indicates that the InventoryUplevelDriverPackage object is no longer present. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageStartSync
+
+This event indicates that a new set of InventoryUplevelDriverPackageAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.RunContext
+
+This event is sent at the beginning of an appraiser run, the RunContext indicates what should be expected in the following data payload. This event is used with the other Appraiser events to make compatibility decisions to keep Windows up to date.
+
+The following fields are available:
+
+- **AppraiserBranch** The source branch in which the currently running version of Appraiser was built.
+- **AppraiserProcess** The name of the process that launched Appraiser.
+- **AppraiserVersion** The version of the Appraiser file generating the events.
+- **CensusId** A unique hardware identifier.
+- **Context** Indicates what mode Appraiser is running in. Example: Setup or Telemetry.
+- **PCFP** An ID for the system calculated by hashing hardware identifiers.
+- **Subcontext** Indicates what categories of incompatibilities appraiser is scanning for. Can be N/A, Resolve, or a semicolon-delimited list that can include App, Dev, Sys, Gat, or Rescan.
+- **Time** The client time of the event.
+
+
+### Microsoft.Windows.Appraiser.General.SystemMemoryAdd
+
+This event sends data on the amount of memory on the system and whether it meets requirements, to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file generating the events.
+- **Blocking** Is the device from upgrade due to memory restrictions?
+- **MemoryRequirementViolated** Was a memory requirement violated?
+- **pageFile** The current committed memory limit for the system or the current process, whichever is smaller (in bytes).
+- **ram** The amount of memory on the device.
+- **ramKB** The amount of memory (in KB).
+- **virtual** The size of the user-mode portion of the virtual address space of the calling process (in bytes).
+- **virtualKB** The amount of virtual memory (in KB).
+
+
+### Microsoft.Windows.Appraiser.General.SystemMemoryStartSync
+
+This event indicates that a new set of SystemMemoryAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeAdd
+
+This event sends data indicating whether the system supports the CompareExchange128 CPU requirement, to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file generating the events.
+- **Blocking** Is the upgrade blocked due to the processor?
+- **CompareExchange128Support** Does the CPU support CompareExchange128?
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeStartSync
+
+This event indicates that a new set of SystemProcessorCompareExchangeAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfAdd
+
+This event sends data indicating whether the system supports the LAHF & SAHF CPU requirement, to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file generating the events.
+- **Blocking** Is the upgrade blocked due to the processor?
+- **LahfSahfSupport** Does the CPU support LAHF/SAHF?
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfStartSync
+
+This event indicates that a new set of SystemProcessorLahfSahfAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorNxAdd
+
+This event sends data indicating whether the system supports the NX CPU requirement, to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+- **Blocking** Is the upgrade blocked due to the processor?
+- **NXDriverResult** The result of the driver used to do a non-deterministic check for NX support.
+- **NXProcessorSupport** Does the processor support NX?
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorNxStartSync
+
+This event indicates that a new set of SystemProcessorNxAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWAdd
+
+This event sends data indicating whether the system supports the PrefetchW CPU requirement, to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+- **Blocking** Is the upgrade blocked due to the processor?
+- **PrefetchWSupport** Does the processor support PrefetchW?
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWEndSync
+
+Deprecated in RS3. This event indicates that a full set of SystemProcessorPrefetchWAdd events has been sent. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWStartSync
+
+This event indicates that a new set of SystemProcessorPrefetchWAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorSse2Add
+
+This event sends data indicating whether the system supports the SSE2 CPU requirement, to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+- **Blocking** Is the upgrade blocked due to the processor?
+- **SSE2ProcessorSupport** Does the processor support SSE2?
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorSse2StartSync
+
+This event indicates that a new set of SystemProcessorSse2Add events will be sent. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemTouchAdd
+
+This event sends data indicating whether the system supports touch, to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+- **IntegratedTouchDigitizerPresent** Is there an integrated touch digitizer?
+- **MaximumTouches** The maximum number of touch points supported by the device hardware.
+
+
+### Microsoft.Windows.Appraiser.General.SystemTouchRemove
+
+This event indicates that the SystemTouch object is no longer present. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemTouchStartSync
+
+This event indicates that a new set of SystemTouchAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemWimAdd
+
+This event sends data indicating whether the operating system is running from a compressed Windows Imaging Format (WIM) file, to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+- **IsWimBoot** Is the current operating system running from a compressed WIM file?
+- **RegistryWimBootValue** The raw value from the registry that is used to indicate if the device is running from a WIM.
+
+
+### Microsoft.Windows.Appraiser.General.SystemWimEndSync
+
+Deprecated in RS3. This event indicates that a full set of SystemWimAdd events has been sent. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+
+
+### Microsoft.Windows.Appraiser.General.SystemWimStartSync
+
+This event indicates that a new set of SystemWimAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusAdd
+
+This event sends data indicating whether the current operating system is activated, to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+- **WindowsIsLicensedApiValue** The result from the API that's used to indicate if operating system is activated.
+- **WindowsNotActivatedDecision** Is the current operating system activated?
+
+
+### Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusRemove
+
+This event indicates that the SystemWindowsActivationStatus object is no longer present. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusStartSync
+
+This event indicates that a new set of SystemWindowsActivationStatusAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemWlanAdd
+
+This event sends data indicating whether the system has WLAN, and if so, whether it uses an emulated driver that could block an upgrade, to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+- **Blocking** Is the upgrade blocked because of an emulated WLAN driver?
+- **HasWlanBlock** Does the emulated WLAN driver have an upgrade block?
+- **WlanEmulatedDriver** Does the device have an emulated WLAN driver?
+- **WlanExists** Does the device support WLAN at all?
+- **WlanModulePresent** Are any WLAN modules present?
+- **WlanNativeDriver** Does the device have a non-emulated WLAN driver?
+
+
+### Microsoft.Windows.Appraiser.General.SystemWlanStartSync
+
+This event indicates that a new set of SystemWlanAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.TelemetryRunHealth
+
+This event indicates the parameters and result of a diagnostic data run. This allows the rest of the data sent over the course of the run to be properly contextualized and understood, which is then used to keep Windows up to date.
+
+The following fields are available:
+
+- **AppraiserBranch** The source branch in which the version of Appraiser that is running was built.
+- **AppraiserDataVersion** The version of the data files being used by the Appraiser diagnostic data run.
+- **AppraiserProcess** The name of the process that launched Appraiser.
+- **AppraiserVersion** The file version (major, minor and build) of the Appraiser DLL, concatenated without dots.
+- **AuxFinal** Obsolete, always set to false.
+- **AuxInitial** Obsolete, indicates if Appraiser is writing data files to be read by the Get Windows 10 app.
+- **CountCustomSdbs** The number of custom Sdbs used by Appraiser.
+- **CustomSdbGuids** Guids of the custom Sdbs used by Appraiser; Semicolon delimited list.
+- **DeadlineDate** A timestamp representing the deadline date, which is the time until which appraiser will wait to do a full scan.
+- **EnterpriseRun** Indicates whether the diagnostic data run is an enterprise run, which means appraiser was run from the command line with an extra enterprise parameter.
+- **FullSync** Indicates if Appraiser is performing a full sync, which means that full set of events representing the state of the machine are sent. Otherwise, only the changes from the previous run are sent.
+- **InboxDataVersion** The original version of the data files before retrieving any newer version.
+- **IndicatorsWritten** Indicates if all relevant UEX indicators were successfully written or updated.
+- **InventoryFullSync** Indicates if inventory is performing a full sync, which means that the full set of events representing the inventory of machine are sent.
+- **PCFP** An ID for the system calculated by hashing hardware identifiers.
+- **PerfBackoff** Indicates if the run was invoked with logic to stop running when a user is present. Helps to understand why a run may have a longer elapsed time than normal.
+- **PerfBackoffInsurance** Indicates if appraiser is running without performance backoff because it has run with perf backoff and failed to complete several times in a row.
+- **RunAppraiser** Indicates if Appraiser was set to run at all. If this if false, it is understood that data events will not be received from this device.
+- **RunDate** The date that the diagnostic data run was stated, expressed as a filetime.
+- **RunGeneralTel** Indicates if the generaltel.dll component was run. Generaltel collects additional diagnostic data on an infrequent schedule and only from machines at diagnostic data levels higher than Basic.
+- **RunOnline** Indicates if appraiser was able to connect to Windows Update and theefore is making decisions using up-to-date driver coverage information.
+- **RunResult** The hresult of the Appraiser diagnostic data run.
+- **ScheduledUploadDay** The day scheduled for the upload.
+- **SendingUtc** Indicates whether the Appraiser client is sending events during the current diagnostic data run.
+- **StoreHandleIsNotNull** Obsolete, always set to false
+- **TelementrySent** Indicates whether diagnostic data was successfully sent.
+- **ThrottlingUtc** Indicates whether the Appraiser client is throttling its output of CUET events to avoid being disabled. This increases runtime but also diagnostic data reliability.
+- **Time** The client time of the event.
+- **VerboseMode** Indicates if appraiser ran in Verbose mode, which is a test-only mode with extra logging.
+- **WhyFullSyncWithoutTablePrefix** Indicates the reason or reasons that a full sync was generated.
+
+
+### Microsoft.Windows.Appraiser.General.WmdrmAdd
+
+This event sends data about the usage of older digital rights management on the system, to help keep Windows up to date. This data does not indicate the details of the media using the digital rights management, only whether any such files exist. Collecting this data was critical to ensuring the correct mitigation for customers, and should be able to be removed once all mitigations are in place.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+- **BlockingApplication** Same as NeedsDismissAction.
+- **NeedsDismissAction** Indicates if a dismissible message is needed to warn the user about a potential loss of data due to DRM deprecation.
+- **WmdrmApiResult** Raw value of the API used to gather DRM state.
+- **WmdrmCdRipped** Indicates if the system has any files encrypted with personal DRM, which was used for ripped CDs.
+- **WmdrmIndicators** WmdrmCdRipped OR WmdrmPurchased.
+- **WmdrmInUse** WmdrmIndicators AND dismissible block in setup was not dismissed.
+- **WmdrmNonPermanent** Indicates if the system has any files with non-permanent licenses.
+- **WmdrmPurchased** Indicates if the system has any files with permanent licenses.
+
+
+### Microsoft.Windows.Appraiser.General.WmdrmStartSync
+
+The WmdrmStartSync event indicates that a new set of WmdrmAdd events will be sent. This event is used to understand the usage of older digital rights management on the system, to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+## Audio endpoint events
+
+### MicArrayGeometry
+
+This event provides information about the layout of the individual microphone elements in the microphone array.
+
+The following fields are available:
+
+- **MicCoords** The location and orientation of the microphone element.
+- **usFrequencyBandHi** The high end of the frequency range for the microphone.
+- **usFrequencyBandLo** The low end of the frequency range for the microphone.
+- **usMicArrayType** The type of the microphone array.
+- **usNumberOfMicrophones** The number of microphones in the array.
+- **usVersion** The version of the microphone array specification.
+- **wHorizontalAngleBegin** The horizontal angle of the start of the working volume (reported as radians times 10,000).
+- **wHorizontalAngleEnd** The horizontal angle of the end of the working volume (reported as radians times 10,000).
+- **wVerticalAngleBegin** The vertical angle of the start of the working volume (reported as radians times 10,000).
+- **wVerticalAngleEnd** The vertical angle of the end of the working volume (reported as radians times 10,000).
+
+### Microsoft.Windows.Audio.EndpointBuilder.DeviceInfo
+
+This event logs the successful enumeration of an audio endpoint (such as a microphone or speaker) and provides information about the audio endpoint. The data collected with this event is used to keep Windows performing properly.
+
+The following fields are available:
+
+- **BusEnumeratorName** The name of the bus enumerator (for example, HDAUDIO or USB).
+- **ContainerId** An identifier that uniquely groups the functional devices associated with a single-function or multifunction device.
+- **DeviceInstanceId** The unique identifier for this instance of the device.
+- **EndpointDevnodeId** The IMMDevice identifier of the associated devnode.
+- **endpointEffectClsid** The COM Class Identifier (CLSID) for the endpoint effect audio processing object.
+- **endpointEffectModule** Module name for the endpoint effect audio processing object.
+- **EndpointFormFactor** The enumeration value for the form factor of the endpoint device (for example speaker, microphone, remote network device).
+- **endpointID** The unique identifier for the audio endpoint.
+- **endpointInstanceId** The unique identifier for the software audio endpoint. Used for joining to other audio event.
+- **Flow** Indicates whether the endpoint is capture (1) or render (0).
+- **globalEffectClsid** COM Class Identifier (CLSID) for the legacy global effect audio processing object.
+- **globalEffectModule** Module name for the legacy global effect audio processing object.
+- **HWID** The hardware identifier for the endpoint.
+- **isAudioPostureSupported** Represents whether the device supports AudioPosture.
+- **IsBluetooth** Indicates whether the device is a Bluetooth device.
+- **isFarField** A flag indicating whether the microphone endpoint is capable of hearing far field audio.
+- **IsSideband** Indicates whether the device is a sideband device.
+- **IsUSB** Indicates whether the device is a USB device.
+- **JackSubType** A unique ID representing the KS node type of the endpoint.
+- **localEffectClsid** The COM Class Identifier (CLSID) for the legacy local effect audio processing object.
+- **localEffectModule** Module name for the legacy local effect audio processing object.
+- **MicArrayGeometry** Describes the microphone array, including the microphone position, coordinates, type, and frequency range. See [MicArrayGeometry](#micarraygeometry).
+- **modeEffectClsid** The COM Class Identifier (CLSID) for the mode effect audio processing object.
+- **modeEffectModule** Module name for the mode effect audio processing object.
+- **persistentId** A unique ID for this endpoint which is retained across migrations.
+- **streamEffectClsid** The COM Class Identifier (CLSID) for the stream effect audio processing object.
+- **streamEffectModule** Module name for the stream effect audio processing object. + + ## Census events +### Census.App + +This event sends version data about the Apps running on this device. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **AppraiserEnterpriseErrorCode** The error code of the last Appraiser enterprise run. +- **AppraiserErrorCode** The error code of the last Appraiser run. +- **AppraiserRunEndTimeStamp** The end time of the last Appraiser run. +- **AppraiserRunIsInProgressOrCrashed** Flag that indicates if the Appraiser run is in progress or has crashed. +- **AppraiserRunStartTimeStamp** The start time of the last Appraiser run. +- **AppraiserTaskEnabled** Whether the Appraiser task is enabled. +- **AppraiserTaskExitCode** The Appraiser task exist code. +- **AppraiserTaskLastRun** The last runtime for the Appraiser task. +- **CensusVersion** The version of Census that generated the current data for this device. + + +### Census.Azure + +This event returns data from Microsoft-internal Azure server machines (only from Microsoft-internal machines with Server SKUs). All other machines (those outside Microsoft and/or machines that are not part of the “Azure fleet”) return empty data sets. The data collected with this event is used to help keep Windows secure. + +The following fields are available: + +- **CloudCoreBuildEx** The Azure CloudCore build number. +- **CloudCoreSupportBuildEx** The Azure CloudCore support build number. +- **NodeID** The node identifier on the device that indicates whether the device is part of the Azure fleet. + + +### Census.Battery + +This event sends type and capacity data about the battery on the device, as well as the number of connected standby devices in use. The data collected with this event is used to help keep Windows secure and up to date. 
+ +The following fields are available: + +- **InternalBatteryCapablities** Represents information about what the battery is capable of doing. +- **InternalBatteryCapacityCurrent** Represents the battery's current fully charged capacity in mWh (or relative). Compare this value to DesignedCapacity  to estimate the battery's wear. +- **InternalBatteryCapacityDesign** Represents the theoretical capacity of the battery when new, in mWh. +- **InternalBatteryNumberOfCharges** Provides the number of battery charges. This is used when creating new products and validating that existing products meets targeted functionality performance. +- **IsAlwaysOnAlwaysConnectedCapable** Represents whether the battery enables the device to be AlwaysOnAlwaysConnected . Boolean value. + + +### Census.Enterprise + +This event sends data about Azure presence, type, and cloud domain use in order to provide an understanding of the use and integration of devices in an enterprise, cloud, and server environment. The data collected with this event is used to help keep Windows secure. + +The following fields are available: + +- **AADDeviceId** Azure Active Directory device ID. +- **AzureOSIDPresent** Represents the field used to identify an Azure machine. +- **AzureVMType** Represents whether the instance is Azure VM PAAS, Azure VM IAAS or any other VMs. +- **CDJType** Represents the type of cloud domain joined for the machine. +- **CommercialId** Represents the GUID for the commercial entity which the device is a member of.  Will be used to reflect insights back to customers. +- **ContainerType** The type of container, such as process or virtual machine hosted. +- **EnrollmentType** Defines the type of MDM enrollment on the device. +- **HashedDomain** The hashed representation of the user domain used for login. +- **IsCloudDomainJoined** Is this device joined to an Azure Active Directory (AAD) tenant? true/false +- **IsDERequirementMet** Represents if the device can do device encryption. 
+- **IsDeviceProtected** Represents if Device protected by BitLocker/Device Encryption +- **IsEDPEnabled** Represents if Enterprise data protected on the device. +- **IsMDMEnrolled** Whether the device has been MDM Enrolled or not. +- **MDMServiceProvider** A hash of the specific MDM authority, such as Microsoft Intune, that is managing the device. +- **MPNId** Returns the Partner ID/MPN ID from Regkey. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\DeployID +- **SCCMClientId** This ID correlate systems that send data to Compat Analytics (OMS) and other OMS based systems with systems in an Enterprise SCCM environment. +- **ServerFeatures** Represents the features installed on a Windows   Server. This can be used by developers and administrators who need to automate the process of determining the features installed on a set of server computers. +- **SystemCenterID** The SCCM ID is an anonymized one-way hash of the Active Directory Organization identifier + + +### Census.Firmware + +This event sends data about the BIOS and startup embedded in the device. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **FirmwareManufacturer** Represents the manufacturer of the device's firmware (BIOS). +- **FirmwareReleaseDate** Represents the date the current firmware was released. +- **FirmwareType** Represents the firmware type. The various types can be unknown, BIOS, UEFI. +- **FirmwareVersion** Represents the version of the current firmware. + + +### Census.Flighting + +This event sends Windows Insider data from customers participating in improvement testing and feedback programs. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **DeviceSampleRate** The telemetry sample rate assigned to the device. +- **DriverTargetRing** Indicates if the device is participating in receiving pre-release drivers and firmware contrent. 
+- **EnablePreviewBuilds** Used to enable Windows Insider builds on a device.
+- **FlightIds** A list of the different Windows Insider builds on this device.
+- **FlightingBranchName** The name of the Windows Insider branch currently used by the device.
+- **IsFlightsDisabled** Represents if the device is participating in the Windows Insider program.
+- **MSA_Accounts** Represents a list of hashed IDs of the Microsoft Accounts that are flighting (pre-release builds) on this device.
+- **SSRK** Retrieves the mobile targeting settings.
+
+
+### Census.Hardware
+
+This event sends data about the device, including hardware type, OEM brand, model line, model, telemetry level setting, and TPM support. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **ActiveMicCount** The number of active microphones attached to the device.
+- **ChassisType** Represents the type of device chassis, such as desktop or low profile desktop. The possible values can range between 1 - 36.
+- **ComputerHardwareID** Identifies a device class that is represented by a hash of different SMBIOS fields.
+- **D3DMaxFeatureLevel** Supported Direct3D version.
+- **DeviceForm** Indicates the form as per the device classification.
+- **DeviceName** The device name that is set by the user.
+- **DigitizerSupport** Is a digitizer supported?
+- **EnclosureKind** Windows.Devices.Enclosure.EnclosureKind enum values representing each unique enclosure posture kind.
+- **Gyroscope** Indicates whether the device has a gyroscope (a mechanical component that measures and maintains orientation).
+- **InventoryId** The device ID used for compatibility testing.
+- **Magnetometer** Indicates whether the device has a magnetometer (a mechanical component that works like a compass).
+- **NFCProximity** Indicates whether the device supports NFC (a set of communication protocols that helps establish communication when applicable devices are brought close together.)
+- **OEMDigitalMarkerFileName** The name of the file placed in the \Windows\system32\drivers directory that specifies the OEM and model name of the device.
+- **OEMManufacturerName** The device manufacturer name. The OEMName for an inactive device is not reprocessed even if the clean OEM name is changed at a later date.
+- **OEMModelBaseBoard** The baseboard model used by the OEM.
+- **OEMModelBaseBoardVersion** Differentiates between developer and retail devices.
+- **OEMModelName** The device model name.
+- **OEMModelNumber** The device model number.
+- **OEMModelSKU** The device edition that is defined by the manufacturer.
+- **OEMModelSystemFamily** The system family set on the device by an OEM.
+- **OEMModelSystemVersion** The system model version set on the device by the OEM.
+- **OEMOptionalIdentifier** A Microsoft assigned value that represents a specific OEM subsidiary.
+- **OEMSerialNumber** The serial number of the device that is set by the manufacturer.
+- **PhoneManufacturer** The friendly name of the phone manufacturer.
+- **PowerPlatformRole** The OEM preferred power management profile. It's used to help to identify the basic form factor of the device.
+- **SoCName** The firmware manufacturer of the device.
+- **StudyID** Used to identify retail and non-retail device.
+- **TelemetryLevel** The telemetry level the user has opted into, such as Basic or Enhanced.
+- **TelemetryLevelLimitEnhanced** The telemetry level for Windows Analytics-based solutions.
+- **TelemetrySettingAuthority** Determines who set the telemetry level, such as GP, MDM, or the user.
+- **TPMManufacturerId** The ID of the TPM manufacturer.
+- **TPMManufacturerVersion** The version of the TPM manufacturer.
+- **TPMVersion** The supported Trusted Platform Module (TPM) on the device. If no TPM is present, the value is 0.
+- **VoiceSupported** Does the device have a cellular radio capable of making voice calls?
+
+
+### Census.Memory
+
+This event sends data about the memory on the device, including ROM and RAM. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **TotalPhysicalRAM** Represents the physical memory (in MB).
+- **TotalVisibleMemory** Represents the memory that is not reserved by the system.
+
+
+### Census.Network
+
+This event sends data about the mobile and cellular network used by the device (mobile service provider, network, device ID, and service cost factors). The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **IMEI0** Represents the International Mobile Station Equipment Identity. This number is usually unique and used by the mobile operator to distinguish different phone hardware. Microsoft does not have access to mobile operator billing data so collecting this data does not expose or identify the user. The two fields represent phone with dual sim coverage.
+- **IMEI1** Represents the International Mobile Station Equipment Identity. This number is usually unique and used by the mobile operator to distinguish different phone hardware. Microsoft does not have access to mobile operator billing data so collecting this data does not expose or identify the user. The two fields represent phone with dual sim coverage.
+- **MCC0** Represents the Mobile Country Code (MCC). It used with the Mobile Network Code (MNC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage.
+- **MCC1** Represents the Mobile Country Code (MCC). It used with the Mobile Network Code (MNC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage.
+- **MEID** Represents the Mobile Equipment Identity (MEID). MEID is a worldwide unique phone ID assigned to CDMA phones. MEID replaces electronic serial number (ESN), and is equivalent to IMEI for GSM and WCDMA phones. Microsoft does not have access to mobile operator billing data so collecting this data does not expose or identify the user.
+- **MNC0** Retrieves the Mobile Network Code (MNC). It used with the Mobile Country Code (MCC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage.
+- **MNC1** Retrieves the Mobile Network Code (MNC). It used with the Mobile Country Code (MCC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage.
+- **MobileOperatorBilling** Represents the telephone company that provides services for mobile phone users.
+- **MobileOperatorCommercialized** Represents which reseller and geography the phone is commercialized for. This is the set of values on the phone for who and where it was intended to be used. For example, the commercialized mobile operator code AT&T in the US would be ATT-US.
+- **MobileOperatorNetwork0** Represents the operator of the current mobile network that the device is used on. (AT&T, T-Mobile, Vodafone). The two fields represent phone with dual sim coverage.
+- **MobileOperatorNetwork1** Represents the operator of the current mobile network that the device is used on. (AT&T, T-Mobile, Vodafone). The two fields represent phone with dual sim coverage.
+- **NetworkAdapterGUID** The GUID of the primary network adapter.
+- **SPN0** Retrieves the Service Provider Name (SPN). For example, these might be AT&T, Sprint, T-Mobile, or Verizon. The two fields represent phone with dual sim coverage.
+- **SPN1** Retrieves the Service Provider Name (SPN). For example, these might be AT&T, Sprint, T-Mobile, or Verizon. The two fields represent phone with dual sim coverage.
+ + +### Census.OS + +This event sends data about the operating system such as the version, locale, update service configuration, when and how it was originally installed, and whether it is a virtual device. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **ActivationChannel** Retrieves the retail license key or Volume license key for a machine. +- **AssignedAccessStatus** Kiosk configuration mode. +- **CompactOS** Indicates if the Compact OS feature from Win10 is enabled. +- **DeveloperUnlockStatus** Represents if a device has been developer unlocked by the user or Group Policy. +- **DeviceTimeZone** The time zone that is set on the device. Example: Pacific Standard Time +- **GenuineState** Retrieves the ID Value specifying the OS Genuine check. +- **InstallationType** Retrieves the type of OS installation. (Clean, Upgrade, Reset, Refresh, Update). +- **InstallLanguage** The first language installed on the user machine. +- **IsDeviceRetailDemo** Retrieves if the device is running in demo mode. +- **IsEduData** Returns Boolean if the education data policy is enabled. +- **IsPortableOperatingSystem** Retrieves whether OS is running Windows-To-Go +- **IsSecureBootEnabled** Retrieves whether Boot chain is signed under UEFI. +- **LanguagePacks** The list of language packages installed on the device. +- **LicenseStateReason** Retrieves why (or how) a system is licensed or unlicensed. The HRESULT may indicate an error code that indicates a key blocked error, or it may indicate that we are running an OS License granted by the MS store. +- **OA3xOriginalProductKey** Retrieves the License key stamped by the OEM to the machine. +- **OSEdition** Retrieves the version of the current OS. +- **OSInstallType** Retrieves a numeric description of what install was used on the device i.e. 
clean, upgrade, refresh, reset, etc +- **OSOOBEDateTime** Retrieves Out of Box Experience (OOBE) Date in Coordinated Universal Time (UTC). +- **OSSKU** Retrieves the Friendly Name of OS Edition. +- **OSSubscriptionStatus** Represents the existing status for enterprise subscription feature for PRO machines. +- **OSSubscriptionTypeId** Returns boolean for enterprise subscription feature for selected PRO machines. +- **OSUILocale** Retrieves the locale of the UI that is currently used by the OS. +- **ProductActivationResult** Returns Boolean if the OS Activation was successful. +- **ProductActivationTime** Returns the OS Activation time for tracking piracy issues. +- **ProductKeyID2** Retrieves the License key if the machine is updated with a new license key. +- **RACw7Id** Retrieves the Microsoft Reliability Analysis Component (RAC) Win7 Identifier. RAC is used to monitor and analyze system usage and reliability. +- **ServiceMachineIP** Retrieves the IP address of the KMS host used for anti-piracy. +- **ServiceMachinePort** Retrieves the port of the KMS host used for anti-piracy. +- **ServiceProductKeyID** Retrieves the License key of the KMS +- **SharedPCMode** Returns Boolean for education devices used as shared cart +- **Signature** Retrieves if it is a signature machine sold by Microsoft store. +- **SLICStatus** Whether a SLIC table exists on the device. +- **SLICVersion** Returns OS type/version from SLIC table. + + ### Census.PrivacySettings -This event provides information about the device level privacy settings and whether device-level access was granted to these capabilities. Not all settings are applicable to all devices. Each field records the consent state for the corresponding privacy setting. The consent state is encoded as a 16-bit signed integer, where the first 8 bits represents the effective consent value, and the last 8 bits represent the authority that set the value. 
The effective consent (first 8 bits) is one of the following values: -3 = unexpected consent value, -2 = value was not requested, -1 = an error occurred while attempting to retrieve the value, 0 = undefined, 1 = allow, 2 = deny, 3 = prompt. The consent authority (last 8 bits) is one of the following values: -3 = unexpected authority, -2 = value was not requested, -1 = an error occurred while attempting to retrieve the value, 0 = system, 1 = a higher authority (a gating setting, the system-wide setting, or a group policy), 2 = advertising ID group policy, 3 = advertising ID policy for child account, 4 = privacy setting provider doesn't know the actual consent authority, 5 = consent was not configured and a default set in code was used, 6 = system default, 7 = organization policy, 8 = OneSettings. +This event provides information about the device level privacy settings and whether device-level access was granted to these capabilities. Not all settings are applicable to all devices. Each field records the consent state for the corresponding privacy setting. The consent state is encoded as a 16-bit signed integer, where the first 8 bits represents the effective consent value, and the last 8 bits represent the authority that set the value. The effective consent (first 8 bits) is one of the following values: -3 = unexpected consent value, -2 = value was not requested, -1 = an error occurred while attempting to retrieve the value, 0 = undefined, 1 = allow, 2 = deny, 3 = prompt. 
The consent authority (last 8 bits) is one of the following values: -3 = unexpected authority, -2 = value was not requested, -1 = an error occurred while attempting to retrieve the value, 0 = system, 1 = a higher authority (a gating setting, the system-wide setting, or a group policy), 2 = advertising ID group policy, 3 = advertising ID policy for child account, 4 = privacy setting provider doesn't know the actual consent authority, 5 = consent was not configured and a default set in code was used, 6 = system default, 7 = organization policy, 8 = OneSettings. The data collected with this event is used to help keep Windows secure. The following fields are available: 
@@ -161,9 +1718,32 @@ The following fields are available: - **WiFiDirect** Current state of the Wi-Fi direct setting. +### Census.Processor + +This event sends data about the processor. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **KvaShadow** This is the micro code information of the processor. +- **MMSettingOverride** Microcode setting of the processor. +- **MMSettingOverrideMask** Microcode setting override of the processor. +- **PreviousUpdateRevision** Previous microcode revision +- **ProcessorArchitecture** Retrieves the processor architecture of the installed operating system. +- **ProcessorClockSpeed** Clock speed of the processor in MHz. +- **ProcessorCores** Number of logical cores in the processor. +- **ProcessorIdentifier** Processor Identifier of a manufacturer. +- **ProcessorManufacturer** Name of the processor manufacturer. +- **ProcessorModel** Name of the processor model. +- **ProcessorPhysicalCores** Number of physical cores in the processor. +- **ProcessorUpdateRevision** The microcode revision. +- **ProcessorUpdateStatus** Enum value that represents the processor microcode load status +- **SocketCount** Count of CPU sockets. +- **SpeculationControl** If the system has enabled protections needed to validate the speculation control vulnerability. + + ### Census.Security -This event provides information on about security settings used to help keep Windows up to date and secure. +This event provides information about security settings. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: 
@@ -176,6 +1756,7 @@ The following fields are available:
 - **IsWdagFeatureEnabled** Indicates whether Windows Defender Application Guard is enabled.
 - **RequiredSecurityProperties** Describes the required security properties to enable virtualization-based security.
 - **SecureBootCapable** Systems that support Secure Boot can have the feature turned off via BIOS. This field tells if the system is capable of running Secure Boot, regardless of the BIOS setting.
+- **ShadowStack** The bit fields of SYSTEM_SHADOW_STACK_INFORMATION representing the state of the Intel CET (Control Enforcement Technology) hardware security feature.
 - **SModeState** The Windows S mode trail state.
 - **SystemGuardState** Indicates the SystemGuard state. NotCapable (0), Capable (1), Enabled (2), Error (0xFF).
 - **TpmReadyState** Indicates the TPM ready state. NotReady (0), ReadyForStorage (1), ReadyForAttestation (2), Error (0xFF).
@@ -183,6 +1764,194 @@ The following fields are available: - **WdagPolicyValue** The Windows Defender Application Guard policy. +### Census.Speech + +This event is used to gather basic speech settings on the device. The data collected with this event is used to help keep Windows secure. + +The following fields are available: + +- **AboveLockEnabled** Cortana setting that represents if Cortana can be invoked when the device is locked. +- **GPAllowInputPersonalization** Indicates if a Group Policy setting has enabled speech functionalities. +- **HolographicSpeechInputDisabled** Holographic setting that represents if the attached HMD devices have speech functionality disabled by the user. +- **HolographicSpeechInputDisabledRemote** Indicates if a remote policy has disabled speech functionalities for the HMD devices. +- **KeyVer** Version information for the census speech event. +- **KWSEnabled** Cortana setting that represents if a user has enabled the "Hey Cortana" keyword spotter (KWS). +- **MDMAllowInputPersonalization** Indicates if an MDM policy has enabled speech functionalities. +- **RemotelyManaged** Indicates if the device is being controlled by a remote administrator (MDM or Group Policy) in the context of speech functionalities. +- **SpeakerIdEnabled** Cortana setting that represents if keyword detection has been trained to try to respond to a single user's voice. +- **SpeechServicesEnabled** Windows setting that represents whether a user is opted-in for speech services on the device. +- **SpeechServicesValueSource** Indicates the deciding factor for the effective online speech recognition privacy policy settings: remote admin, local admin, or user preference. + + +### Census.Storage + +This event sends data about the total capacity of the system volume and primary disk. The data collected with this event is used to help keep Windows secure and up to date. 
+
+The following fields are available:
+
+- **PrimaryDiskTotalCapacity** Retrieves the amount of disk space on the primary disk of the device in MB.
+- **PrimaryDiskType** Retrieves an enumerator value of type STORAGE_BUS_TYPE that indicates the type of bus to which the device is connected. This should be used to interpret the raw device properties at the end of this structure (if any).
+- **StorageReservePassedPolicy** Indicates whether the Storage Reserve policy, which ensures that updates have enough disk space and customers are on the latest OS, is enabled on this device.
+- **SystemVolumeTotalCapacity** Retrieves the size of the partition that the System volume is installed on in MB.
+
+
+### Census.Userdefault
+
+This event sends data about the current user's default preferences for browser and several of the most popular extensions and protocols. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **CalendarType** The calendar identifiers that are used to specify different calendars.
+- **DefaultApp** The current uer's default program selected for the following extension or protocol: .html, .htm, .jpg, .jpeg, .png, .mp3, .mp4, .mov, .pdf.
+- **DefaultBrowserProgId** The ProgramId of the current user's default browser.
+- **LocaleName** Name of the current user locale given by LOCALE_SNAME via the GetLocaleInfoEx() function.
+- **LongDateFormat** The long date format the user has selected.
+- **ShortDateFormat** The short date format the user has selected.
+
+
+### Census.UserDisplay
+
+This event sends data about the logical/physical display size, resolution and number of internal/external displays, and VRAM on the system. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **InternalPrimaryDisplayLogicalDPIX** Retrieves the logical DPI in the x-direction of the internal display.
+- **InternalPrimaryDisplayLogicalDPIY** Retrieves the logical DPI in the y-direction of the internal display.
+- **InternalPrimaryDisplayPhysicalDPIX** Retrieves the physical DPI in the x-direction of the internal display.
+- **InternalPrimaryDisplayPhysicalDPIY** Retrieves the physical DPI in the y-direction of the internal display.
+- **InternalPrimaryDisplayResolutionHorizontal** Retrieves the number of pixels in the horizontal direction of the internal display.
+- **InternalPrimaryDisplayResolutionVertical** Retrieves the number of pixels in the vertical direction of the internal display.
+- **InternalPrimaryDisplaySizePhysicalH** Retrieves the physical horizontal length of the display in mm. Used for calculating the diagonal length in inches .
+- **InternalPrimaryDisplaySizePhysicalY** Retrieves the physical vertical length of the display in mm. Used for calculating the diagonal length in inches
+- **NumberofExternalDisplays** Retrieves the number of external displays connected to the machine
+- **NumberofInternalDisplays** Retrieves the number of internal displays in a machine.
+- **VRAMDedicated** Retrieves the video RAM in MB.
+- **VRAMDedicatedSystem** Retrieves the amount of memory on the dedicated video card.
+- **VRAMSharedSystem** Retrieves the amount of RAM memory that the video card can use.
+
+
+### Census.UserNLS
+
+This event sends data about the default app language, input, and display language preferences set by the user. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **DefaultAppLanguage** The current user Default App Language.
+- **DisplayLanguage** The current user preferred Windows Display Language.
+- **HomeLocation** The current user location, which is populated using GetUserGeoId() function.
+- **KeyboardInputLanguages** The Keyboard input languages installed on the device.
+- **SpeechInputLanguages** The Speech Input languages installed on the device.
+
+
+### Census.UserPrivacySettings
+
+This event provides information about the current users privacy settings and whether device-level access was granted to these capabilities. Not all settings are applicable to all devices. Each field records the consent state for the corresponding privacy setting. The consent state is encoded as a 16-bit signed integer, where the first 8 bits represents the effective consent value, and the last 8 bits represents the authority that set the value. The effective consent is one of the following values: -3 = unexpected consent value, -2 = value was not requested, -1 = an error occurred while attempting to retrieve the value, 0 = undefined, 1 = allow, 2 = deny, 3 = prompt. The consent authority is one of the following values: -3 = unexpected authority, -2 = value was not requested, -1 = an error occurred while attempting to retrieve the value, 0 = user, 1 = a higher authority (a gating setting, the system-wide setting, or a group policy), 2 = advertising ID group policy, 3 = advertising ID policy for child account, 4 = privacy setting provider doesn't know the actual consent authority, 5 = consent was not configured and a default set in code was used, 6 = system default, 7 = organization policy, 8 = OneSettings. The data collected with this event is used to help keep Windows secure.
+
+The following fields are available:
+
+- **Activity** Current state of the activity history setting.
+- **ActivityHistoryCloudSync** Current state of the activity history cloud sync setting.
+- **ActivityHistoryCollection** Current state of the activity history collection setting.
+- **AdvertisingId** Current state of the advertising ID setting.
+- **AppDiagnostics** Current state of the app diagnostics setting.
+- **Appointments** Current state of the calendar setting.
+- **Bluetooth** Current state of the Bluetooth capability setting.
+- **BluetoothSync** Current state of the Bluetooth sync capability setting.
+- **BroadFileSystemAccess** Current state of the broad file system access setting.
+- **CellularData** Current state of the cellular data capability setting.
+- **Chat** Current state of the chat setting.
+- **Contacts** Current state of the contacts setting.
+- **DocumentsLibrary** Current state of the documents library setting.
+- **Email** Current state of the email setting.
+- **GazeInput** Current state of the gaze input setting.
+- **HumanInterfaceDevice** Current state of the human interface device setting.
+- **InkTypeImprovement** Current state of the improve inking and typing setting.
+- **InkTypePersonalization** Current state of the inking and typing personalization setting.
+- **Location** Current state of the location setting.
+- **LocationHistory** Current state of the location history setting.
+- **Microphone** Current state of the microphone setting.
+- **PhoneCall** Current state of the phone call setting.
+- **PhoneCallHistory** Current state of the call history setting.
+- **PicturesLibrary** Current state of the pictures library setting.
+- **Radios** Current state of the radios setting.
+- **SensorsCustom** Current state of the custom sensor setting.
+- **SerialCommunication** Current state of the serial communication setting.
+- **Sms** Current state of the text messaging setting.
+- **SpeechPersonalization** Current state of the speech services setting.
+- **USB** Current state of the USB setting.
+- **UserAccountInformation** Current state of the account information setting.
+- **UserDataTasks** Current state of the tasks setting.
+- **UserNotificationListener** Current state of the notifications setting.
+- **VideosLibrary** Current state of the videos library setting.
+- **Webcam** Current state of the camera setting.
+- **WifiData** Current state of the Wi-Fi data setting.
+- **WiFiDirect** Current state of the Wi-Fi direct setting.
+
+
+### Census.VM
+
+This event sends data indicating whether virtualization is enabled on the device, and its various characteristics. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **CloudService** Indicates which cloud service, if any, that this virtual machine is running within.
+- **HyperVisor** Retrieves whether the current OS is running on top of a Hypervisor.
+- **IOMMUPresent** Represents if an input/output memory management unit (IOMMU) is present.
+- **IsVDI** Is the device using Virtual Desktop Infrastructure?
+- **IsVirtualDevice** Retrieves that when the Hypervisor is Microsoft's Hyper-V Hypervisor or other Hv#1 Hypervisor, this field will be set to FALSE for the Hyper-V host OS and TRUE for any guest OS's. This field should not be relied upon for non-Hv#1 Hypervisors.
+- **IsWVDSessionHost** Indicates if this is a Windows Virtual Device session host.
+- **SLATSupported** Represents whether Second Level Address Translation (SLAT) is supported by the hardware.
+- **VirtualizationFirmwareEnabled** Represents whether virtualization is enabled in the firmware.
+- **VMId** A string that identifies a virtual machine.
+- **WVDEnvironment** Represents the WVD service environment to which this session host has been joined.
+
+
+### Census.WU
+
+This event sends data about the Windows update server and other App store policies. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **AppraiserGatedStatus** Indicates whether a device has been gated for upgrading.
+- **AppStoreAutoUpdate** Retrieves the Appstore settings for auto upgrade. (Enable/Disabled).
+- **AppStoreAutoUpdateMDM** Retrieves the App Auto Update value for MDM: 0 - Disallowed. 1 - Allowed. 2 - Not configured. Default: [2] Not configured
+- **AppStoreAutoUpdatePolicy** Retrieves the Microsoft Store App Auto Update group policy setting
+- **DelayUpgrade** Retrieves the Windows upgrade flag for delaying upgrades.
+- **IsHotPatchEnrolled** Represents the current state of the device in relation to enrollment in the hotpatch program.
+- **OSAssessmentFeatureOutOfDate** How many days has it been since a the last feature update was released but the device did not install it?
+- **OSAssessmentForFeatureUpdate** Is the device is on the latest feature update?
+- **OSAssessmentForQualityUpdate** Is the device on the latest quality update?
+- **OSAssessmentForSecurityUpdate** Is the device on the latest security update?
+- **OSAssessmentQualityOutOfDate** How many days has it been since a the last quality update was released but the device did not install it?
+- **OSAssessmentReleaseInfoTime** The freshness of release information used to perform an assessment.
+- **OSRollbackCount** The number of times feature updates have rolled back on the device.
+- **OSRolledBack** A flag that represents when a feature update has rolled back during setup.
+- **OSUninstalled** A flag that represents when a feature update is uninstalled on a device .
+- **OSWUAutoUpdateOptions** Retrieves the auto update settings on the device.
+- **OSWUAutoUpdateOptionsSource** The source of auto update setting that appears in the OSWUAutoUpdateOptions field. For example: Group Policy (GP), Mobile Device Management (MDM), and Default.
+- **UninstallActive** A flag that represents when a device has uninstalled a previous upgrade recently.
+- **UpdateServiceURLConfigured** Retrieves if the device is managed by Windows Server Update Services (WSUS).
+- **WUDeferUpdatePeriod** Retrieves if deferral is set for Updates.
+- **WUDeferUpgradePeriod** Retrieves if deferral is set for Upgrades.
+- **WUDODownloadMode** Retrieves whether DO is turned on and how to acquire/distribute updates Delivery Optimization (DO) allows users to deploy previously downloaded WU updates to other devices on the same network. +- **WULCUVersion** Version of the LCU Installed on the machine. +- **WUMachineId** Retrieves the Windows Update (WU) Machine Identifier. +- **WUPauseState** Retrieves WU setting to determine if updates are paused. +- **WUServer** Retrieves the HTTP(S) URL of the WSUS server that is used by Automatic Updates and API callers (by default). + + +### Census.Xbox + +This event sends data about the Xbox Console, such as Serial Number and DeviceId, to help keep Windows up to date. + +The following fields are available: + +- **XboxConsolePreferredLanguage** Retrieves the preferred language selected by the user on Xbox console. +- **XboxConsoleSerialNumber** Retrieves the serial number of the Xbox console. +- **XboxLiveDeviceId** Retrieves the unique device ID of the console. +- **XboxLiveSandboxId** Retrieves the developer sandbox ID if the device is internal to Microsoft. + + ## Common data extensions ### Common Data Extensions.app @@ -354,8 +2123,7 @@ The following fields are available: - **uts** A bit field, with 2 bits being assigned to each user ID listed in xid. This field is omitted if all users are retail accounts. - **xid** A list of base10-encoded XBOX User IDs. - -## Common data fields +## Common Data Fields ### Ms.Device.DeviceInventoryChange 
@@ -363,17 +2131,180 @@ Describes the installation state for all hardware and software components availa The following fields are available: -- **action** The change that was invoked on a device inventory object. -- **inventoryId** Device ID used for Compatibility testing -- **objectInstanceId** Object identity which is unique within the device scope. -- **objectType** Indicates the object type that the event applies to. -- **syncId** A string used to group StartSync, EndSync, Add, and Remove operations that belong together. This field is unique by Sync period and is used to disambiguate in situations where multiple agents perform overlapping inventories for the same object. +- **action** The change that was invoked on a device inventory object. +- **inventoryId** Device ID used for Compatibility testing +- **objectInstanceId** Object identity which is unique within the device scope. +- **objectType** Indicates the object type that the event applies to. +- **syncId** A string used to group StartSync, EndSync, Add, and Remove operations that belong together. This field is unique by Sync period and is used to disambiguate in situations where multiple agents perform overlapping inventories for the same object. + +## Component-based servicing events + +### CbsServicingProvider.CbsCapabilityEnumeration + +This event reports on the results of scanning for optional Windows content on Windows Update to keep Windows up to date. + +The following fields are available: + +- **architecture** Indicates the scan was limited to the specified architecture. +- **capabilityCount** The number of optional content packages found during the scan. +- **clientId** The name of the application requesting the optional content. +- **duration** The amount of time it took to complete the scan. +- **hrStatus** The HReturn code of the scan. +- **language** Indicates the scan was limited to the specified language. +- **majorVersion** Indicates the scan was limited to the specified major version. 
+- **minorVersion** Indicates the scan was limited to the specified minor version. +- **namespace** Indicates the scan was limited to packages in the specified namespace. +- **sourceFilter** A bitmask indicating the scan checked for locally available optional content. +- **stackBuild** The build number of the servicing stack. +- **stackMajorVersion** The major version number of the servicing stack. +- **stackMinorVersion** The minor version number of the servicing stack. +- **stackRevision** The revision number of the servicing stack. + + +### CbsServicingProvider.CbsCapabilitySessionFinalize + +This event provides information about the results of installing or uninstalling optional Windows content from Windows Update. The data collected with this event is used to help keep Windows up to date. + +The following fields are available: + +- **capabilities** The names of the optional content packages that were installed. +- **clientId** The name of the application requesting the optional content. +- **currentID** The ID of the current install session. +- **downloadSource** The source of the download. +- **highestState** The highest final install state of the optional content. +- **hrLCUReservicingStatus** Indicates whether the optional content was updated to the latest available version. +- **hrStatus** The HReturn code of the install operation. +- **rebootCount** The number of reboots required to complete the install. +- **retryID** The session ID that will be used to retry a failed operation. +- **retryStatus** Indicates whether the install will be retried in the event of failure. +- **stackBuild** The build number of the servicing stack. +- **stackMajorVersion** The major version number of the servicing stack. +- **stackMinorVersion** The minor version number of the servicing stack. +- **stackRevision** The revision number of the servicing stack. 
+ + +### CbsServicingProvider.CbsCapabilitySessionPended + +This event provides information about the results of installing optional Windows content that requires a reboot to keep Windows up to date. + +The following fields are available: + +- **clientId** The name of the application requesting the optional content. +- **pendingDecision** Indicates the cause of reboot, if applicable. + + +### CbsServicingProvider.CbsLateAcquisition + +This event sends data to indicate if some Operating System packages could not be updated as part of an upgrade, to help keep Windows up to date. + +The following fields are available: + +- **Features** The list of feature packages that could not be updated. +- **RetryID** The ID identifying the retry attempt to update the listed packages. + + +### CbsServicingProvider.CbsPackageRemoval + +This event provides information about the results of uninstalling a Windows Cumulative Security Update to help keep Windows up to date. + +The following fields are available: + +- **buildVersion** The build number of the security update being uninstalled. +- **clientId** The name of the application requesting the uninstall. +- **currentStateEnd** The final state of the update after the operation. +- **failureDetails** Information about the cause of a failure, if applicable. +- **failureSourceEnd** The stage during the uninstall where the failure occurred. +- **hrStatusEnd** The overall exit code of the operation. +- **initiatedOffline** Indicates if the uninstall was initiated for a mounted Windows image. +- **majorVersion** The major version number of the security update being uninstalled. +- **minorVersion** The minor version number of the security update being uninstalled. +- **originalState** The starting state of the update before the operation. +- **pendingDecision** Indicates the cause of reboot, if applicable. +- **primitiveExecutionContext** The state during system startup when the uninstall was completed. 
+- **revisionVersion** The revision number of the security update being uninstalled. +- **transactionCanceled** Indicates whether the uninstall was cancelled. + + +### CbsServicingProvider.CbsQualityUpdateInstall + +This event reports on the performance and reliability results of installing Servicing content from Windows Update to keep Windows up to date. + +The following fields are available: + +- **buildVersion** The build version number of the update package. +- **clientId** The name of the application requesting the optional content. +- **corruptionHistoryFlags** A bitmask of the types of component store corruption that have caused update failures on the device. +- **corruptionType** An enumeration listing the type of data corruption responsible for the current update failure. +- **currentStateEnd** The final state of the package after the operation has completed. +- **doqTimeSeconds** The time in seconds spent updating drivers. +- **executeTimeSeconds** The number of seconds required to execute the install. +- **failureDetails** The driver or installer that caused the update to fail. +- **failureSourceEnd** An enumeration indicating at what phase of the update a failure occurred. +- **hrStatusEnd** The return code of the install operation. +- **initiatedOffline** A true or false value indicating whether the package was installed into an offline Windows Imaging Format (WIM) file. +- **majorVersion** The major version number of the update package. +- **minorVersion** The minor version number of the update package. +- **originalState** The starting state of the package. +- **overallTimeSeconds** The time (in seconds) to perform the overall servicing operation. +- **planTimeSeconds** The time in seconds required to plan the update operations. +- **poqTimeSeconds** The time in seconds processing file and registry operations. +- **postRebootTimeSeconds** The time (in seconds) to do startup processing for the update. 
+- **preRebootTimeSeconds** The time (in seconds) between execution of the installation and the reboot. +- **primitiveExecutionContext** An enumeration indicating at what phase of shutdown or startup the update was installed. +- **rebootCount** The number of reboots required to install the update. +- **rebootTimeSeconds** The time (in seconds) before startup processing begins for the update. +- **resolveTimeSeconds** The time in seconds required to resolve the packages that are part of the update. +- **revisionVersion** The revision version number of the update package. +- **rptTimeSeconds** The time in seconds spent executing installer plugins. +- **shutdownTimeSeconds** The time (in seconds) required to do shutdown processing for the update. +- **stackRevision** The revision number of the servicing stack. +- **stageTimeSeconds** The time (in seconds) required to stage all files that are part of the update. + + +### CbsServicingProvider.CbsSelectableUpdateChangeV2 + +This event reports the results of enabling or disabling optional Windows Content to keep Windows up to date. + +The following fields are available: + +- **applicableUpdateState** Indicates the highest applicable state of the optional content. +- **buildVersion** The build version of the package being installed. +- **clientId** The name of the application requesting the optional content change. +- **downloadSource** Indicates if optional content was obtained from Windows Update or a locally accessible file. +- **downloadtimeInSeconds** Indicates if optional content was obtained from Windows Update or a locally accessible file. +- **executionID** A unique ID used to identify events associated with a single servicing operation and not reused for future operations. +- **executionSequence** A counter that tracks the number of servicing operations attempted on the device. 
+- **firstMergedExecutionSequence** The value of a pervious executionSequence counter that is being merged with the current operation, if applicable. +- **firstMergedID** A unique ID of a pervious servicing operation that is being merged with this operation, if applicable. +- **hrDownloadResult** The return code of the download operation. +- **hrStatusUpdate** The return code of the servicing operation. +- **identityHash** A pseudonymized (hashed) identifier for the Windows Package that is being installed or uninstalled. +- **initiatedOffline** Indicates whether the operation was performed against an offline Windows image file or a running instance of Windows. +- **majorVersion** The major version of the package being installed. +- **minorVersion** The minor version of the package being installed. +- **packageArchitecture** The architecture of the package being installed. +- **packageLanguage** The language of the package being installed. +- **packageName** The name of the package being installed. +- **rebootRequired** Indicates whether a reboot is required to complete the operation. +- **revisionVersion** The revision number of the package being installed. +- **stackBuild** The build number of the servicing stack binary performing the installation. +- **stackMajorVersion** The major version number of the servicing stack binary performing the installation. +- **stackMinorVersion** The minor version number of the servicing stack binary performing the installation. +- **stackRevision** The revision number of the servicing stack binary performing the installation. +- **updateName** The name of the optional Windows Operation System feature being enabled or disabled. +- **updateStartState** A value indicating the state of the optional content before the operation started. +- **updateTargetState** A value indicating the desired state of the optional content. 
+ + +### CbsServicingProvider.CbsUpdateDeferred + +This event reports the results of deferring Windows Content to keep Windows up to date. + -## Component-based Servicing events ### Microsoft.Windows.CbsLite.CbsLiteResetBegin -This event is fired from Update OS when re-install of the OS begins. +This event is fired from Update OS when re-install of the OS begins. The data collected with this event is used to keep Windows performing properly. The following fields are available: 
@@ -381,31 +2312,273 @@ The following fields are available: - **resetFlags** A flag containing the detail of which reset scenarios was executed. - **wipeDuration** The time taken to purge the system volume and format data volume. + +## Diagnostic data events + +### TelClientSynthetic.AbnormalShutdown_0 + +This event sends data about boot IDs for which a normal clean shutdown was not observed. The data collected with this event is used to help keep Windows up to date, secure, and performing properly. + +The following fields are available: + +- **AbnormalShutdownBootId** BootId of the abnormal shutdown being reported by this event. +- **AbsCausedbyAutoChk** This flag is set when AutoCheck forces a device restart to indicate that the shutdown was not an abnormal shutdown. +- **AcDcStateAtLastShutdown** Identifies if the device was on battery or plugged in. +- **BatteryLevelAtLastShutdown** The last recorded battery level. +- **BatteryPercentageAtLastShutdown** The battery percentage at the last shutdown. +- **CrashDumpEnabled** Are crash dumps enabled? +- **CumulativeCrashCount** Cumulative count of operating system crashes since the BootId reset. +- **CurrentBootId** BootId at the time the abnormal shutdown event was being reported. +- **Firmwaredata->ResetReasonEmbeddedController** The reset reason that was supplied by the firmware. +- **Firmwaredata->ResetReasonEmbeddedControllerAdditional** Additional data related to reset reason provided by the firmware. +- **Firmwaredata->ResetReasonPch** The reset reason that was supplied by the hardware. +- **Firmwaredata->ResetReasonPchAdditional** Additional data related to the reset reason supplied by the hardware. +- **Firmwaredata->ResetReasonSupplied** Indicates whether the firmware supplied any reset reason or not. +- **FirmwareType** ID of the FirmwareType as enumerated in DimFirmwareType. +- **HardwareWatchdogTimerGeneratedLastReset** Indicates whether the hardware watchdog timer caused the last reset. 
+- **HardwareWatchdogTimerPresent** Indicates whether hardware watchdog timer was present or not. +- **InvalidBootStat** This is a sanity check flag that ensures the validity of the bootstat file. +- **LastBugCheckBootId** bootId of the last captured crash. +- **LastBugCheckCode** Code that indicates the type of error. +- **LastBugCheckContextFlags** Additional crash dump settings. +- **LastBugCheckOriginalDumpType** The type of crash dump the system intended to save. +- **LastBugCheckOtherSettings** Other crash dump settings. +- **LastBugCheckParameter1** The first parameter with additional info on the type of the error. +- **LastBugCheckProgress** Progress towards writing out the last crash dump. +- **LastBugCheckVersion** The version of the information struct written during the crash. +- **LastSuccessfullyShutdownBootId** BootId of the last fully successful shutdown. +- **LongPowerButtonPressDetected** Identifies if the user was pressing and holding power button. +- **OOBEInProgress** Identifies if OOBE is running. +- **OSSetupInProgress** Identifies if the operating system setup is running. +- **PowerButtonCumulativePressCount** How many times has the power button been pressed? +- **PowerButtonCumulativeReleaseCount** How many times has the power button been released? +- **PowerButtonErrorCount** Indicates the number of times there was an error attempting to record power button metrics. +- **PowerButtonLastPressBootId** BootId of the last time the power button was pressed. +- **PowerButtonLastPressTime** Date and time of the last time the power button was pressed. +- **PowerButtonLastReleaseBootId** BootId of the last time the power button was released. +- **PowerButtonLastReleaseTime** Date and time of the last time the power button was released. +- **PowerButtonPressCurrentCsPhase** Represents the phase of Connected Standby exit when the power button was pressed. 
+- **PowerButtonPressIsShutdownInProgress** Indicates whether a system shutdown was in progress at the last time the power button was pressed. +- **PowerButtonPressLastPowerWatchdogStage** Progress while the monitor is being turned on. +- **PowerButtonPressPowerWatchdogArmed** Indicates whether or not the watchdog for the monitor was active at the time of the last power button press. +- **ShutdownDeviceType** Identifies who triggered a shutdown. Is it because of battery, thermal zones, or through a Kernel API. +- **SleepCheckpoint** Provides the last checkpoint when there is a failure during a sleep transition. +- **SleepCheckpointSource** Indicates whether the source is the EFI variable or bootstat file. +- **SleepCheckpointStatus** Indicates whether the checkpoint information is valid. +- **StaleBootStatData** Identifies if the data from bootstat is stale. +- **TransitionInfoBootId** BootId of the captured transition info. +- **TransitionInfoCSCount** l number of times the system transitioned from Connected Standby mode. +- **TransitionInfoCSEntryReason** Indicates the reason the device last entered Connected Standby mode. +- **TransitionInfoCSExitReason** Indicates the reason the device last exited Connected Standby mode. +- **TransitionInfoCSInProgress** At the time the last marker was saved, the system was in or entering Connected Standby mode. +- **TransitionInfoLastReferenceTimeChecksum** The checksum of TransitionInfoLastReferenceTimestamp, +- **TransitionInfoLastReferenceTimestamp** The date and time that the marker was last saved. +- **TransitionInfoLidState** Describes the state of the laptop lid. +- **TransitionInfoPowerButtonTimestamp** The date and time of the last time the power button was pressed. +- **TransitionInfoSleepInProgress** At the time the last marker was saved, the system was in or entering sleep mode. +- **TransitionInfoSleepTranstionsToOn** Total number of times the device transitioned from sleep mode. 
+- **TransitionInfoSystemRunning** At the time the last marker was saved, the device was running. +- **TransitionInfoSystemShutdownInProgress** Indicates whether a device shutdown was in progress when the power button was pressed. +- **TransitionInfoUserShutdownInProgress** Indicates whether a user shutdown was in progress when the power button was pressed. +- **TransitionLatestCheckpointId** Represents a unique identifier for a checkpoint during the device state transition. +- **TransitionLatestCheckpointSeqNumber** Represents the chronological sequence number of the checkpoint. +- **TransitionLatestCheckpointType** Represents the type of the checkpoint, which can be the start of a phase, end of a phase, or just informational. +- **VirtualMachineId** If the operating system is on a virtual Machine, it gives the virtual Machine ID (GUID) that can be used to correlate events on the host. + + +### TelClientSynthetic.AuthorizationInfo_RuntimeTransition + +This event is fired by UTC at state transitions to signal what data we are allowed to collect. The data collected with this event is used to help keep Windows up to date, secure, and performing properly. + +The following fields are available: + +- **CanAddMsaToMsTelemetry** True if we can add MSA PUID and CID to telemetry, false otherwise. +- **CanCollectAnyTelemetry** True if we are allowed to collect partner telemetry, false otherwise. +- **CanCollectCoreTelemetry** True if we can collect CORE/Basic telemetry, false otherwise. +- **CanCollectHeartbeats** True if we can collect heartbeat telemetry, false otherwise. +- **CanCollectOsTelemetry** True if we can collect diagnostic data telemetry, false otherwise. +- **CanCollectWindowsAnalyticsEvents** True if we can collect Windows Analytics data, false otherwise. +- **CanPerformDiagnosticEscalations** True if we can perform diagnostic escalation collection, false otherwise. +- **CanReportScenarios** True if we can report scenario completions, false otherwise. 
+- **PreviousPermissions** Bitmask of previous telemetry state. +- **TransitionFromEverythingOff** True if we are transitioning from all telemetry being disabled, false otherwise. + + +### TelClientSynthetic.AuthorizationInfo_Startup + +This event is fired by UTC at startup to signal what data we are allowed to collect. The data collected with this event is used to help keep Windows up to date, secure, and performing properly. + +The following fields are available: + +- **CanAddMsaToMsTelemetry** True if we can add MSA PUID and CID to telemetry, false otherwise. +- **CanCollectAnyTelemetry** True if we are allowed to collect partner telemetry, false otherwise. +- **CanCollectCoreTelemetry** True if we can collect CORE/Basic telemetry, false otherwise. +- **CanCollectHeartbeats** True if we can collect heartbeat telemetry, false otherwise. +- **CanCollectOsTelemetry** True if we can collect diagnostic data telemetry, false otherwise. +- **CanCollectWindowsAnalyticsEvents** True if we can collect Windows Analytics data, false otherwise. +- **CanPerformDiagnosticEscalations** True if we can perform diagnostic escalation collection, false otherwise. +- **CanReportScenarios** True if we can report scenario completions, false otherwise. +- **PreviousPermissions** Bitmask of previous telemetry state. +- **TransitionFromEverythingOff** True if we are transitioning from all telemetry being disabled, false otherwise. + + +### TelClientSynthetic.ConnectivityHeartBeat_0 + +This event sends data about the connectivity status of the Connected User Experience and Telemetry component that uploads telemetry events. If an unrestricted free network (such as Wi-Fi) is available, this event updates the last successful upload time. Otherwise, it checks whether a Connectivity Heartbeat event was fired in the past 24 hours, and if not, it sends an event. A Connectivity Heartbeat event is also sent when a device recovers from costed network to free network. 
This event is fired by UTC during periods of no network as a heartbeat signal, to keep Windows secure and up to date. + +The following fields are available: + +- **CensusExitCode** Last exit code of the Census task. +- **CensusStartTime** Time of last Census run. +- **CensusTaskEnabled** True if Census is enabled, false otherwise. +- **LastConnectivityLossTime** Retrieves the last time the device lost free network. +- **NetworkState** The network state of the device. +- **NoNetworkTime** Retrieves the time spent with no network (since the last time) in seconds. +- **RestrictedNetworkTime** Retrieves the time spent on a metered (cost restricted) network in seconds. + + +### TelClientSynthetic.HeartBeat_5 + +This event sends data about the health and quality of the diagnostic data from the given device, to help keep Windows up to date. It also enables data analysts to determine how 'trusted' the data is from a given device. + +The following fields are available: + +- **AgentConnectionErrorsCount** Number of non-timeout errors associated with the host/agent channel. +- **CensusExitCode** The last exit code of the Census task. +- **CensusStartTime** Time of last Census run. +- **CensusTaskEnabled** True if Census is enabled, false otherwise. +- **CompressedBytesUploaded** Number of compressed bytes uploaded. +- **ConsumerDroppedCount** Number of events dropped at consumer layer of telemetry client. +- **CriticalDataDbDroppedCount** Number of critical data sampled events dropped at the database layer. +- **CriticalDataThrottleDroppedCount** The number of critical data sampled events that were dropped because of throttling. +- **CriticalOverflowEntersCounter** Number of times critical overflow mode was entered in event DB. +- **DbCriticalDroppedCount** Total number of dropped critical events in event DB. +- **DbDroppedCount** Number of events dropped due to DB fullness. +- **DbDroppedFailureCount** Number of events dropped due to DB failures. 
+- **DbDroppedFullCount** Number of events dropped due to DB fullness. +- **DecodingDroppedCount** Number of events dropped due to decoding failures. +- **EnteringCriticalOverflowDroppedCounter** Number of events dropped due to critical overflow mode being initiated. +- **EtwDroppedBufferCount** Number of buffers dropped in the UTC ETW session. +- **EtwDroppedCount** Number of events dropped at ETW layer of telemetry client. +- **EventsPersistedCount** Number of events that reached the PersistEvent stage. +- **EventStoreLifetimeResetCounter** Number of times event DB was reset for the lifetime of UTC. +- **EventStoreResetCounter** Number of times event DB was reset. +- **EventStoreResetSizeSum** Total size of event DB across all resets reports in this instance. +- **EventsUploaded** Number of events uploaded. +- **Flags** Flags indicating device state such as network state, battery state, and opt-in state. +- **FullTriggerBufferDroppedCount** Number of events dropped due to trigger buffer being full. +- **HeartBeatSequenceNumber** The sequence number of this heartbeat. +- **InvalidHttpCodeCount** Number of invalid HTTP codes received from contacting Vortex. +- **LastAgentConnectionError** Last non-timeout error encountered in the host/agent channel. +- **LastEventSizeOffender** Event name of last event which exceeded max event size. +- **LastInvalidHttpCode** Last invalid HTTP code received from Vortex. +- **MaxActiveAgentConnectionCount** The maximum number of active agents during this heartbeat timeframe. +- **MaxInUseScenarioCounter** Soft maximum number of scenarios loaded by UTC. +- **PreviousHeartBeatTime** Time of last heartbeat event (allows chaining of events). +- **PrivacyBlockedCount** The number of events blocked due to privacy settings or tags. +- **RepeatedUploadFailureDropped** Number of events lost due to repeated upload failures for a single buffer. +- **SettingsHttpAttempts** Number of attempts to contact OneSettings service. 
+- **SettingsHttpFailures** The number of failures from contacting the OneSettings service. +- **ThrottledDroppedCount** Number of events dropped due to throttling of noisy providers. +- **TopUploaderErrors** List of top errors received from the upload endpoint. +- **UploaderDroppedCount** Number of events dropped at the uploader layer of telemetry client. +- **UploaderErrorCount** Number of errors received from the upload endpoint. +- **VortexFailuresTimeout** The number of timeout failures received from Vortex. +- **VortexHttpAttempts** Number of attempts to contact Vortex. +- **VortexHttpFailures4xx** Number of 400-499 error codes received from Vortex. +- **VortexHttpFailures5xx** Number of 500-599 error codes received from Vortex. +- **VortexHttpResponseFailures** Number of Vortex responses that are not 2XX or 400. +- **VortexHttpResponsesWithDroppedEvents** Number of Vortex responses containing at least 1 dropped event. + + ## DISM events ### Microsoft.Windows.StartRepairCore.DISMLatestInstalledLCU -The DISM Latest Installed LCU sends information to report result of search for latest installed LCU after last successful boot. +The DISM Latest Installed LCU sends information to report result of search for latest installed LCU after last successful boot. The data collected with this event is used to help keep Windows up to date, secure, and performing properly. The following fields are available: - **dismInstalledLCUPackageName** The name of the latest installed package. -### Microsoft.Windows.StartRepairCore.DISMUninstallLCU +### Microsoft.Windows.StartRepairCore.DISMPendingInstall -The DISM Uninstall LCU sends information to report result of uninstall attempt for found LCU. +The DISM Pending Install event sends information to report pending package installation found. The data collected with this event is used to help keep Windows up to date, secure, and performing properly. 
+ +The following fields are available: + +- **dismPendingInstallPackageName** The name of the pending package. + + +### Microsoft.Windows.StartRepairCore.DISMRevertPendingActions + +The DISM Pending Install event sends information to report pending package installation found. The data collected with this event is used to help keep Windows up to date, secure, and performing properly. The following fields are available: - **errorCode** The result code returned by the event. +### Microsoft.Windows.StartRepairCore.DISMUninstallLCU + +The DISM Uninstall LCU sends information to report result of uninstall attempt for found LCU. The data collected with this event is used to help keep Windows up to date, secure, and performing properly. + +The following fields are available: + +- **errorCode** The result code returned by the event. + + +### Microsoft.Windows.StartRepairCore.SRTRepairActionEnd + +The SRT Repair Action End event sends information to report repair operation ended for given plug-in. The data collected with this event is used to help keep Windows up to date, secure, and performing properly. + +The following fields are available: + +- **errorCode** The result code returned by the event. +- **failedUninstallCount** The number of driver updates that failed to uninstall. +- **failedUninstallFlightIds** The Flight IDs (identifiers of beta releases) of driver updates that failed to uninstall. +- **foundDriverUpdateCount** The number of found driver updates. +- **srtRepairAction** The scenario name for a repair. +- **successfulUninstallCount** The number of successfully uninstalled driver updates. +- **successfulUninstallFlightIds** The Flight IDs (identifiers of beta releases) of successfully uninstalled driver updates. + + +### Microsoft.Windows.StartRepairCore.SRTRepairActionStart + +The SRT Repair Action Start event sends information to report repair operation started for given plug-in. 
The data collected with this event is used to help keep Windows up to date, secure, and performing properly. + +The following fields are available: + +- **srtRepairAction** The scenario name for a repair. + + +### Microsoft.Windows.StartRepairCore.SRTRootCauseDiagEnd + +The SRT Root Cause Diagnosis End event sends information to report diagnosis operation completed for given plug-in. The data collected with this event is used to help keep Windows up to date, secure, and performing properly. + +The following fields are available: + +- **errorCode** The result code returned by the event. +- **flightIds** The Flight IDs (identifier of the beta release) of found driver updates. +- **foundDriverUpdateCount** The number of found driver updates. +- **srtRootCauseDiag** The scenario name for a diagnosis event. + + +### Microsoft.Windows.StartRepairCore.SRTRootCauseDiagStart + +The SRT Root Cause Diagnosis Start event sends information to report diagnosis operation started for given plug-in. The data collected with this event is used to help keep Windows up to date, secure, and performing properly. + +The following fields are available: + +- **srtRootCauseDiag** The scenario name for a diagnosis event. + + ## Driver installation events ### Microsoft.Windows.DriverInstall.DeviceInstall -This critical event sends information about the driver installation that took place. +This critical event sends information about the driver installation that took place. The data collected with this event is used to help keep Windows up to date and performing properly. The following fields are available: 
@@ -441,6 +2614,7 @@ The following fields are available:
 - **InstallDate** The date the driver was installed.
 - **LastCompatibleId** The ID in the hardware ID list that provides the least specific device description.
 - **LastInstallFunction** The last install function invoked in a co-installer if the install timeout was reached while a co-installer was executing.
+- **LegacyInstallReasonError** The error code for the legacy installation.
 - **LowerFilters** The list of lower filter drivers.
 - **MatchingDeviceId** The hardware ID or compatible ID that Windows used to install the device instance.
 - **NeedReboot** Indicates whether the driver requires a reboot.
@@ -459,6 +2633,95 @@ The following fields are available: - **UpperFilters** The list of upper filter drivers. +### Microsoft.Windows.DriverInstall.NewDevInstallDeviceEnd + +This event sends data about the driver installation once it is completed. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **DeviceInstanceId** The unique identifier of the device in the system. +- **DriverUpdated** Indicates whether the driver was updated. +- **Error** The Win32 error code of the installation. +- **FlightId** The ID of the Windows Insider build the device received. +- **InstallDate** The date the driver was installed. +- **InstallFlags** The driver installation flags. +- **OptionalData** Metadata specific to WU (Windows Update) associated with the driver (flight IDs, recovery IDs, etc.) +- **RebootRequired** Indicates whether a reboot is required after the installation. +- **RollbackPossible** Indicates whether this driver can be rolled back. +- **WuTargetedHardwareId** Indicates that the driver was installed because the device hardware ID was targeted by the Windows Update. +- **WuUntargetedHardwareId** Indicates that the driver was installed because Windows Update performed a generic driver update for all devices of that hardware class. + + +### Microsoft.Windows.DriverInstall.NewDevInstallDeviceStart + +This event sends data about the driver that the new driver installation is replacing. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **DeviceInstanceId** The unique identifier of the device in the system. +- **FirstInstallDate** The first time a driver was installed on this device. +- **LastDriverDate** Date of the driver that is being replaced. +- **LastDriverInbox** Indicates whether the previous driver was included with Windows. 
+- **LastDriverInfName** Name of the INF file (the setup information file) of the driver being replaced. +- **LastDriverVersion** The version of the driver that is being replaced. +- **LastFirmwareDate** The date of the last firmware reported from the EFI System Resource Table (ESRT). +- **LastFirmwareRevision** The last firmware revision number reported from EFI System Resource Table (ESRT). +- **LastFirmwareVersion** The last firmware version reported from the EFI System Resource Table (ESRT). +- **LastInstallDate** The date a driver was last installed on this device. +- **LastMatchingDeviceId** The hardware ID or compatible ID that Windows last used to install the device instance. +- **LastProblem** The previous problem code that was set on the device. +- **LastProblemStatus** The previous problem code that was set on the device. +- **LastSubmissionId** The driver submission identifier of the driver that is being replaced. + + +## DXDiag events + +### Microsoft.Windows.DxDiag.DxDiagExeStopEvent + +This event collects information when the DirectX diagnostics provider stops. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **hResult** Numeric value indicating the result of the operation. + + +### Microsoft.Windows.DxDiag.DxDiagProviderErrorStatistics + +This event provides statistics of major error(s) occurred during data collection, when data has not been properly collected in some queries. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **AudioFailed** Number of failed queries. +- **AudioHr** Error code for the last failed query. +- **AudioTotal** Total number of queries for audio devices. +- **GpuFailed** Number of failed queries. +- **GpuHr** Error code for the last failed query. +- **GpuTotal** Total number of queries for GPUs. +- **IsDesktop** Desktop vs WCOS SKU. 
+- **VideoCaptureFailed** Number of failed queries. +- **VideoCaptureHr** Error code for the last failed query. +- **VideoCaptureTotal** Total number of queries for video capture devices. + + +### Microsoft.Windows.DxDiag.DxDiagProviderMinorErrors + +This event collects information when recoverable errors were encountered. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **DisplayInfo** A mask with errors occurred during collection GPU information. +- **SystemInfo** A mask with errors occurred during system information collection. + + +### Microsoft.Windows.DxDiag.DxDiagProviderStart + +This event collects information when the DirectX diagnostics provider starts. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **IsISV** Boolean value indicating that the provider is being used by a non-Microsoft application. + + ## DxgKernelTelemetry events ### DxgKrnlTelemetry.GPUAdapterInventoryV2 
@@ -475,10 +2738,12 @@ The following fields are available:
 - **DDIInterfaceVersion** The device driver interface version.
 - **DedicatedSystemMemoryB** The amount of system memory dedicated for GPU use (in bytes).
 - **DedicatedVideoMemoryB** The amount of dedicated VRAM of the GPU (in bytes).
+- **Display1UMDFilePath** The file path to the location of the Display User Mode Driver in the Driver Store.
 - **DisplayAdapterLuid** The display adapter LUID.
 - **DriverDate** The date of the display driver.
 - **DriverRank** The rank of the display driver.
 - **DriverVersion** The display driver version.
+- **DriverWorkarounds** Numeric value indicating the driver workarounds that are enabled for this device.
 - **DX10UMDFilePath** The file path to the location of the DirectX 10 Display User Mode Driver in the Driver Store.
 - **DX11UMDFilePath** The file path to the location of the DirectX 11 Display User Mode Driver in the Driver Store.
 - **DX12UMDFilePath** The file path to the location of the DirectX 12 Display User Mode Driver in the Driver Store.
@@ -487,6 +2752,7 @@ The following fields are available:
 - **GPUPreemptionLevel** The maximum preemption level supported by GPU for graphics payload.
 - **GPURevisionID** The GPU revision ID.
 - **GPUVendorID** The GPU vendor ID.
+- **IddPairedRenderAdapterLuid** Identifier for the render adapter paired with this display adapter.
 - **InterfaceFuncPointersProvided1** Number of device driver interface function pointers provided.
 - **InterfaceFuncPointersProvided2** Number of device driver interface function pointers provided.
 - **InterfaceId** The GPU interface ID.
@@ -506,6 +2772,7 @@ The following fields are available:
 - **IsSoftwareDevice** Is this a software implementation of the GPU?
 - **KMDFilePath** The file path to the location of the Display Kernel Mode Driver in the Driver Store.
 - **MeasureEnabled** Is the device listening to MICROSOFT_KEYWORD_MEASURES?
+- **NumNonVidPnTargets** Number of display targets.
 - **NumVidPnSources** The number of supported display output sources.
 - **NumVidPnTargets** The number of supported display output targets.
 - **SharedSystemMemoryB** The amount of system memory shared by GPU and CPU (in bytes).
@@ -517,19 +2784,148 @@ The following fields are available: - **WDDMVersion** The Windows Display Driver Model version. +## Fault Reporting events + +### Microsoft.Windows.FaultReporting.AppCrashEvent + +This event sends data about crashes for both native and managed applications, to help keep Windows up to date. The data includes information about the crashing process and a summary of its exception record. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the crash to the Watson service, and the WER event will contain the same ReportID (see field 14 of crash event, field 19 of WER event) as the crash event for the crash being reported. AppCrash is emitted once for each crash handled by WER (e.g. from an unhandled exception or FailFast or ReportException). Note that Generic Watson event types (e.g. from PLM) that may be considered crashes\" by a user DO NOT emit this event. + +The following fields are available: + +- **AppName** The name of the app that has crashed. +- **AppSessionGuid** GUID made up of process ID and is used as a correlation vector for process instances in the telemetry backend. +- **AppTimeStamp** The date/time stamp of the app. +- **AppVersion** The version of the app that has crashed. +- **ExceptionCode** The exception code returned by the process that has crashed. +- **ExceptionOffset** The address where the exception had occurred. +- **Flags** Flags indicating how reporting is done. For example, queue the report, do not offer JIT debugging, or do not terminate the process after reporting. +- **FriendlyAppName** The description of the app that has crashed, if different from the AppName. Otherwise, the process name. +- **IsFatal** True/False to indicate whether the crash resulted in process termination. +- **ModName** Exception module name (e.g. bar.dll). +- **ModTimeStamp** The date/time stamp of the module. 
+- **ModVersion** The version of the module that has crashed. +- **PackageFullName** Store application identity. +- **PackageRelativeAppId** Store application identity. +- **ProcessArchitecture** Architecture of the crashing process, as one of the PROCESSOR_ARCHITECTURE_* constants: 0: PROCESSOR_ARCHITECTURE_INTEL. 5: PROCESSOR_ARCHITECTURE_ARM. 9: PROCESSOR_ARCHITECTURE_AMD64. 12: PROCESSOR_ARCHITECTURE_ARM64. +- **ProcessCreateTime** The time of creation of the process that has crashed. +- **ProcessId** The ID of the process that has crashed. +- **ReportId** A GUID used to identify the report. This can used to track the report across Watson. +- **TargetAppId** The kernel reported AppId of the application being reported. +- **TargetAppVer** The specific version of the application being reported +- **TargetAsId** The sequence number for the hanging process. + + ## Feature update events +### Microsoft.Windows.Upgrade.Uninstall.UninstallFailed + +This event sends diagnostic data about failures when uninstalling a feature update, to help resolve any issues preventing customers from reverting to a known state. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **failureReason** Provides data about the uninstall initialization operation failure. +- **hr** Provides the Win32 error code for the operation failure. + + ### Microsoft.Windows.Upgrade.Uninstall.UninstallFinalizedAndRebootTriggered -This event indicates that the uninstall was properly configured and that a system reboot was initiated. +This event indicates that the uninstall was properly configured and that a system reboot was initiated. The data collected with this event is used to help keep Windows up to date and performing properly. +## Feedback events + +### Microsoft.Windows.Fundamentals.UserInitiatedFeedback.SimilarFeedbackSelection + +This event measures the usage for Similar Feedback section in Feedback Hub. 
The data collected with this event is used to keep Windows performing properly. + +The following fields are available: + +- **ActivityDuration** Time it tool to make a selection. +- **HasDuplicateData** Indicates if duplicate data is available. +- **HasWorkItem** Indicates if a work item is associated. +- **IsCollection** Indicates if selection is collection. +- **IsNewFeedback** Indicates if selection is new feedback. +- **LetTeamTriage** Indicates if selection is for triage. +- **MakeBug** Indicates if selection is to create a bug. +- **MakeDuplicate** Indicates if selection is to create a duplicate bug. +- **ResultsFounds** Total results shown. +- **SearchExperiment** Experiment ID used. +- **SelectedPosition** Position of the selection. +- **SelectedScore** Search score of selection. +- **ServiceCallDuration** Time for service results. +- **Source** Method used to get results. + + +## Hang Reporting events + +### Microsoft.Windows.HangReporting.AppHangEvent + +This event sends data about hangs for both native and managed applications, to help keep Windows up to date. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the hang to the Watson service, and the WER event will contain the same ReportID (see field 13 of hang event, field 19 of WER event) as the hang event for the hang being reported. AppHang is reported only on PC devices. It handles classic Win32 hangs and is emitted only once per report. Some behaviors that may be perceived by a user as a hang are reported by app managers (e.g. PLM/RM/EM) as Watson Generics and will not produce AppHang events. + +The following fields are available: + +- **AppName** The name of the app that has hung. +- **AppSessionGuid** GUID made up of process id used as a correlation vector for process instances in the telemetry backend. +- **AppVersion** The version of the app that has hung. 
+- **IsFatal** True/False based on whether the hung application caused the creation of a Fatal Hang Report. +- **PackageFullName** Store application identity. +- **PackageRelativeAppId** Store application identity. +- **ProcessArchitecture** Architecture of the hung process, as one of the PROCESSOR_ARCHITECTURE_* constants: 0: PROCESSOR_ARCHITECTURE_INTEL. 5: PROCESSOR_ARCHITECTURE_ARM. 9: PROCESSOR_ARCHITECTURE_AMD64. 12: PROCESSOR_ARCHITECTURE_ARM64. +- **ProcessCreateTime** The time of creation of the process that has hung. +- **ProcessId** The ID of the process that has hung. +- **ReportId** A GUID used to identify the report. This can used to track the report across Watson. +- **TargetAppId** The kernel reported AppId of the application being reported. +- **TargetAppVer** The specific version of the application being reported. +- **TargetAsId** The sequence number for the hanging process. +- **TypeCode** Bitmap describing the hang type. +- **WaitingOnAppName** If this is a cross process hang waiting for an application, this has the name of the application. +- **WaitingOnAppVersion** If this is a cross process hang, this has the version of the application for which it is waiting. +- **WaitingOnPackageFullName** If this is a cross process hang waiting for a package, this has the full name of the package for which it is waiting. +- **WaitingOnPackageRelativeAppId** If this is a cross process hang waiting for a package, this has the relative application id of the package. + + ## Holographic events +### Microsoft.Windows.Analog.Spectrum.TelemetryHolographicDeviceAdded + +This event indicates Windows Mixed Reality device state. This event is also used to count WMR device. The data collected with this event is used to keep Windows performing properly. + +The following fields are available: + +- **ClassGuid** Windows Mixed Reality device class GUID. +- **DeviceInterfaceId** Windows Mixed Reality device interface ID. 
+- **DriverVersion** Windows Mixed Reality device driver version. +- **FirmwareVersion** Windows Mixed Reality firmware version. +- **Manufacturer** Windows Mixed Reality device manufacturer. +- **ModelName** Windows Mixed Reality device model name. +- **SerialNumber** Windows Mixed Reality device serial number. + + +### Microsoft.Windows.Analog.Spectrum.TelemetryHolographicDeviceRemoved + +This event indicates Windows Mixed Reality device state. The data collected with this event is used to keep Windows and Windows Mixed Reality performing properly. + +The following fields are available: + +- **DeviceInterfaceId** Device Interface ID. + + +### Microsoft.Windows.Holographic.Coordinator.HoloShellStateUpdated + +This event indicates Windows Mixed Reality HoloShell State. This event is also used to count WMR device. The data collected with this event is used to keep Windows performing properly. + +The following fields are available: + +- **HmdState** Windows Mixed Reality Headset HMD state. +- **NewHoloShellState** Windows Mixed Reality HoloShell state. +- **PriorHoloShellState** Windows Mixed Reality state prior to entering to HoloShell. +- **SimulationEnabled** Windows Mixed Reality Simulation state. + + ### Microsoft.Windows.Shell.HolographicFirstRun.AppActivated -This event indicates Windows Mixed Reality Portal app activation state. This event also used to count WMR device. +This event indicates Windows Mixed Reality Portal app activation state. This event also used to count WMR device. The data collected with this event is used to keep Windows performing properly. The following fields are available: 
@@ -539,49 +2935,92 @@ The following fields are available: - **PreviousExecutionState** Windows Mixed Reality Portal app prior execution state. - **wilActivity** Windows Mixed Reality Portal app wilActivity ID. See [wilActivity](#wilactivity). -### wilActivity - -This event provides a Windows Internal Library context used for Product and Service diagnostics. - -The following fields are available: - -- **callContext** The function where the failure occurred. -- **currentContextId** The ID of the current call context where the failure occurred. -- **currentContextMessage** The message of the current call context where the failure occurred. -- **currentContextName** The name of the current call context where the failure occurred. -- **failureCount** The number of failures for this failure ID. -- **failureId** The ID of the failure that occurred. -- **failureType** The type of the failure that occurred. -- **fileName** The file name where the failure occurred. -- **function** The function where the failure occurred. -- **hresult** The HResult of the overall activity. -- **lineNumber** The line number where the failure occurred. -- **message** The message of the failure that occurred. -- **module** The module where the failure occurred. -- **originatingContextId** The ID of the originating call context that resulted in the failure. -- **originatingContextMessage** The message of the originating call context that resulted in the failure. -- **originatingContextName** The name of the originating call context that resulted in the failure. -- **threadId** The ID of the thread on which the activity is executing. - ### Microsoft.Windows.Shell.HolographicFirstRun.AppLifecycleService_Resuming -This event indicates Windows Mixed Reality Portal app resuming. This event is also used to count WMR device. +This event indicates Windows Mixed Reality Portal app resuming. This event is also used to count WMR device. 
The data collected with this event is used to keep Windows performing properly. + + + +### Microsoft.Windows.Shell.HolographicFirstRun.SomethingWentWrong + +This event is emitted when something went wrong error occurs. The data collected with this event is used to keep Windows and Windows Mixed Reality performing properly. + +The following fields are available: + +- **ErrorSource** Source of error, obsoleted always 0. +- **StartupContext** Start up state. +- **StatusCode** Error status code. +- **SubstatusCode** Error sub status code. + + +### TraceLoggingHoloLensSensorsProvider.OnDeviceAdd + +This event provides Windows Mixed Reality device state with new process that hosts the driver. The data collected with this event is used to keep Windows and Windows Mixed Reality performing properly. + +The following fields are available: + +- **Process** Process ID. +- **Thread** Thread ID. + + +### TraceLoggingOasisUsbHostApiProvider.DeviceInformation + +This event provides Windows Mixed Reality device information. This event is also used to count WMR device and device type. The data collected with this event is used to keep Windows performing properly. + +The following fields are available: + +- **BootloaderMajorVer** Windows Mixed Reality device boot loader major version. +- **BootloaderMinorVer** Windows Mixed Reality device boot loader minor version. +- **BootloaderRevisionNumber** Windows Mixed Reality device boot loader revision number. +- **BTHFWMajorVer** Windows Mixed Reality device BTHFW major version. This event also used to count WMR device. +- **BTHFWMinorVer** Windows Mixed Reality device BTHFW minor version. This event also used to count WMR device. +- **BTHFWRevisionNumber** Windows Mixed Reality device BTHFW revision number. +- **CalibrationBlobSize** Windows Mixed Reality device calibration blob size. +- **CalibrationFwMajorVer** Windows Mixed Reality device calibration firmware major version. 
+- **CalibrationFwMinorVer** Windows Mixed Reality device calibration firmware minor version. +- **CalibrationFwRevNum** Windows Mixed Reality device calibration firmware revision number. +- **DeviceInfoFlags** Windows Mixed Reality device info flags. +- **DeviceName** Windows Mixed Reality device Name. This event is also used to count WMR device. +- **DeviceReleaseNumber** Windows Mixed Reality device release number. +- **FirmwareMajorVer** Windows Mixed Reality device firmware major version. +- **FirmwareMinorVer** Windows Mixed Reality device firmware minor version. +- **FirmwareRevisionNumber** Windows Mixed Reality device calibration firmware revision number. +- **FpgaFwMajorVer** Windows Mixed Reality device FPGA firmware major version. +- **FpgaFwMinorVer** Windows Mixed Reality device FPGA firmware minor version. +- **FpgaFwRevisionNumber** Windows Mixed Reality device FPGA firmware revision number. +- **FriendlyName** Windows Mixed Reality device friendly name. +- **HashedSerialNumber** Windows Mixed Reality device hashed serial number. +- **HeaderSize** Windows Mixed Reality device header size. +- **HeaderVersion** Windows Mixed Reality device header version. +- **LicenseKey** Windows Mixed Reality device header license key. +- **Make** Windows Mixed Reality device make. +- **ManufacturingDate** Windows Mixed Reality device manufacturing date. +- **Model** Windows Mixed Reality device model. +- **PresenceSensorHidVendorPage** Windows Mixed Reality device presence sensor HID vendor page. +- **PresenceSensorHidVendorUsage** Windows Mixed Reality device presence sensor HID vendor usage. +- **PresenceSensorUsbVid** Windows Mixed Reality device presence sensor USB VId. +- **ProductBoardRevision** Windows Mixed Reality device product board revision number. +- **SerialNumber** Windows Mixed Reality device serial number. 
## Inventory events ### Microsoft.Windows.Inventory.Core.AmiTelCacheChecksum -This event captures basic checksum data about the device inventory items stored in the cache for use in validating data completeness for Microsoft.Windows.Inventory.Core events. The fields in this event may change over time, but they will always represent a count of a given object. +This event captures basic checksum data about the device inventory items stored in the cache for use in validating data completeness for Microsoft.Windows.Inventory.Core events. The fields in this event may change over time, but they will always represent a count of a given object. The data collected with this event is used to keep Windows performing properly. The following fields are available: - **Device** A count of device objects in cache. +- **DeviceCensus** A count of device census objects in cache. - **DriverPackageExtended** A count of driverpackageextended objects in cache. - **File** A count of file objects in cache. +- **FileSigningInfo** A count of file signing objects in cache. - **Generic** A count of generic objects in cache. +- **HwItem** A count of hwitem objects in cache. - **InventoryApplication** A count of application objects in cache. +- **InventoryApplicationAppV** A count of application AppV objects in cache. - **InventoryApplicationDriver** A count of application driver objects in cache - **InventoryApplicationFile** A count of application file objects in cache. - **InventoryApplicationFramework** A count of application framework objects in cache 
@@ -604,12 +3043,76 @@ The following fields are available: - **InventoryMiscellaneousOfficeVBARuleViolations** A count of office vba rule violations objects in cache - **InventoryMiscellaneousUUPInfo** A count of uup info objects in cache - **Metadata** A count of metadata objects in cache. +- **Orphan** A count of orphan file objects in cache. - **Programs** A count of program objects in cache. +### Microsoft.Windows.Inventory.Core.AmiTelCacheVersions + +This event sends inventory component versions for the Device Inventory data. The data collected with this event is used to keep Windows performing properly. + +The following fields are available: + +- **aeinv** The version of the App inventory component. +- **devinv** The file version of the Device inventory component. + + +### Microsoft.Windows.Inventory.Core.InventoryApplicationAdd + +This event sends basic metadata about an application on the system. The data collected with this event is used to keep Windows performing properly and up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **HiddenArp** Indicates whether a program hides itself from showing up in ARP. +- **InstallDate** The date the application was installed (a best guess based on folder creation date heuristics). +- **InstallDateArpLastModified** The date of the registry ARP key for a given application. Hints at install date but not always accurate. Passed as an array. Example: 4/11/2015 00:00:00 +- **InstallDateFromLinkFile** The estimated date of install based on the links to the files. Passed as an array. +- **InstallDateMsi** The install date if the application was installed via Microsoft Installer (MSI). Passed as an array. +- **InventoryVersion** The version of the inventory file generating the events. +- **Language** The language code of the program. +- **MsiInstallDate** The install date recorded in the program's MSI package. 
+- **MsiPackageCode** A GUID that describes the MSI Package. Multiple 'Products' (apps) can make up an MsiPackage. +- **MsiProductCode** A GUID that describe the MSI Product. +- **Name** The name of the application. +- **OSVersionAtInstallTime** The four octets from the OS version at the time of the application's install. +- **PackageFullName** The package full name for a Store application. +- **ProgramInstanceId** A hash of the file IDs in an app. +- **Publisher** The Publisher of the application. Location pulled from depends on the 'Source' field. +- **RootDirPath** The path to the root directory where the program was installed. +- **Source** How the program was installed (for example, ARP, MSI, Appx). +- **StoreAppType** A sub-classification for the type of Microsoft Store app, such as UWP or Win8StoreApp. +- **Type** One of ("Application", "Hotfix", "BOE", "Service", "Unknown"). Application indicates Win32 or Appx app, Hotfix indicates app updates (KBs), BOE indicates it's an app with no ARP or MSI entry, Service indicates that it is a service. Application and BOE are the ones most likely seen. +- **Version** The version number of the program. + + +### Microsoft.Windows.Inventory.Core.InventoryApplicationDriverAdd + +This event represents what drivers an application installs. The data collected with this event is used to keep Windows performing properly. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory component +- **ProgramIds** The unique program identifier the driver is associated with + + +### Microsoft.Windows.Inventory.Core.InventoryApplicationDriverStartSync + +The InventoryApplicationDriverStartSync event indicates that a new set of InventoryApplicationDriverStartAdd events will be sent. The data collected with this event is used to keep Windows performing properly. 
+ +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory component. + + ### Microsoft.Windows.Inventory.Core.InventoryApplicationFrameworkAdd -This event provides the basic metadata about the frameworks an application may depend on. +This event provides the basic metadata about the frameworks an application may depend on. The data collected with this event is used to keep Windows performing properly. This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). 
@@ -620,9 +3123,42 @@ The following fields are available: - **InventoryVersion** The version of the inventory file generating the events. +### Microsoft.Windows.Inventory.Core.InventoryApplicationFrameworkStartSync + +This event indicates that a new set of InventoryApplicationFrameworkAdd events will be sent. The data collected with this event is used to keep Windows performing properly. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryApplicationRemove + +This event indicates that a new set of InventoryDevicePnpAdd events will be sent. The data collected with this event is used to keep Windows performing properly. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryApplicationStartSync + +This event indicates that a new set of InventoryApplicationAdd events will be sent. The data collected with this event is used to keep Windows performing properly. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + ### Microsoft.Windows.Inventory.Core.InventoryDeviceContainerAdd -This event sends basic metadata about a device container (such as a monitor or printer as opposed to a Plug and Play device) to help keep Windows up to date. +This event sends basic metadata about a device container (such as a monitor or printer as opposed to a Plug and Play device). 
The data collected with this event is used to help keep Windows up to date and to keep Windows performing properly. This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). @@ -631,6 +3167,7 @@ The following fields are available: - **Categories** A comma separated list of functional categories in which the container belongs. - **DiscoveryMethod** The discovery method for the device container. - **FriendlyName** The name of the device container. +- **InventoryVersion** The version of the inventory file generating the events. - **IsActive** Is the device connected, or has it been seen in the last 14 days? - **IsConnected** For a physically attached device, this value is the same as IsPresent. For wireless a device, this value represents a communication link. - **IsMachineContainer** Is the container the root device itself? 
@@ -643,9 +3180,249 @@ The following fields are available: - **PrimaryCategory** The primary category for the device container. +### Microsoft.Windows.Inventory.Core.InventoryDeviceContainerRemove + +This event indicates that the InventoryDeviceContainer object is no longer present. The data collected with this event is used to keep Windows performing properly. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDeviceContainerStartSync + +This event indicates that a new set of InventoryDeviceContainerAdd events will be sent. The data collected with this event is used to keep Windows performing properly. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDeviceInterfaceAdd + +This event retrieves information about what sensor interfaces are available on the device. The data collected with this event is used to keep Windows performing properly. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **Accelerometer3D** Indicates if an Accelerator3D sensor is found. +- **ActivityDetection** Indicates if an Activity Detection sensor is found. +- **AmbientLight** Indicates if an Ambient Light sensor is found. +- **Barometer** Indicates if a Barometer sensor is found. +- **Custom** Indicates if a Custom sensor is found. +- **EnergyMeter** Indicates if an Energy sensor is found. +- **FloorElevation** Indicates if a Floor Elevation sensor is found. +- **GeomagneticOrientation** Indicates if a Geo Magnetic Orientation sensor is found. 
+- **GravityVector** Indicates if a Gravity Detector sensor is found. +- **Gyrometer3D** Indicates if a Gyrometer3D sensor is found. +- **Humidity** Indicates if a Humidity sensor is found. +- **InventoryVersion** The version of the inventory file generating the events. +- **LinearAccelerometer** Indicates if a Linear Accelerometer sensor is found. +- **Magnetometer3D** Indicates if a Magnetometer3D sensor is found. +- **Orientation** Indicates if an Orientation sensor is found. +- **Pedometer** Indicates if a Pedometer sensor is found. +- **Proximity** Indicates if a Proximity sensor is found. +- **RelativeOrientation** Indicates if a Relative Orientation sensor is found. +- **SimpleDeviceOrientation** Indicates if a Simple Device Orientation sensor is found. +- **Temperature** Indicates if a Temperature sensor is found. + + +### Microsoft.Windows.Inventory.Core.InventoryDeviceInterfaceStartSync + +This event indicates that a new set of InventoryDeviceInterfaceAdd events will be sent. The data collected with this event is used to keep Windows performing properly. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassAdd + +This event sends additional metadata about a Plug and Play device that is specific to a particular class of devices. The data collected with this event is used to help keep Windows up to date and performing properly while reducing overall size of data payload. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **Audio.CaptureDriver** The capture driver endpoint for the audio device. +- **Audio.RenderDriver** The render driver for the audio device. +- **Audio_CaptureDriver** The Audio device capture driver endpoint. 
+- **Audio_RenderDriver** The Audio device render driver endpoint. +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassRemove + +This event indicates that the InventoryDeviceMediaClass object represented by the objectInstanceId is no longer present. This event is used to understand a PNP device that is specific to a particular class of devices. The data collected with this event is used to help keep Windows up to date and performing properly while reducing overall size of data payload. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassStartSync + +This event indicates that a new set of InventoryDeviceMediaClassSAdd events will be sent. The data collected with this event is used to keep Windows performing properly. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDevicePnpAdd + +This event sends basic metadata about a PNP device and its associated driver to help keep Windows up to date. This information is used to assess if the PNP device and driver will remain compatible when upgrading Windows. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **BusReportedDescription** The description of the device reported by the bux. +- **Class** The device setup class of the driver loaded for the device. 
+- **ClassGuid** The device class GUID from the driver package +- **COMPID** The device setup class guid of the driver loaded for the device. +- **ContainerId** The list of compat ids for the device. +- **Description** System-supplied GUID that uniquely groups the functional devices associated with a single-function or multifunction device installed in the computer. +- **DeviceDriverFlightId** The test build (Flight) identifier of the device driver. +- **DeviceExtDriversFlightIds** The test build (Flight) identifier for all extended device drivers. +- **DeviceInterfaceClasses** The device interfaces that this device implements. +- **DeviceState** The device description. +- **DriverId** DeviceState is a bitmask of the following: DEVICE_IS_CONNECTED 0x0001 (currently only for container). DEVICE_IS_NETWORK_DEVICE 0x0002 (currently only for container). DEVICE_IS_PAIRED 0x0004 (currently only for container). DEVICE_IS_ACTIVE 0x0008 (currently never set). DEVICE_IS_MACHINE 0x0010 (currently only for container). DEVICE_IS_PRESENT 0x0020 (currently always set). DEVICE_IS_HIDDEN 0x0040. DEVICE_IS_PRINTER 0x0080 (currently only for container). DEVICE_IS_WIRELESS 0x0100. DEVICE_IS_WIRELESS_FAT 0x0200. The most common values are therefore: 32 (0x20)= device is present. 96 (0x60)= device is present but hidden. 288 (0x120)= device is a wireless device that is present +- **DriverName** A unique identifier for the driver installed. +- **DriverPackageStrongName** The immediate parent directory name in the Directory field of InventoryDriverPackage +- **DriverVerDate** Name of the .sys image file (or wudfrd.sys if using user mode driver framework). +- **DriverVerVersion** The immediate parent directory name in the Directory field of InventoryDriverPackage. +- **Enumerator** The date of the driver loaded for the device. +- **ExtendedInfs** The extended INF file names. +- **FirstInstallDate** The first time this device was installed on the machine. 
+- **HWID** The version of the driver loaded for the device. +- **Inf** The bus that enumerated the device. +- **InstallDate** The date of the most recent installation of the device on the machine. +- **InstallState** The device installation state. One of these values: https://msdn.microsoft.com/library/windows/hardware/ff543130.aspx +- **InventoryVersion** List of hardware ids for the device. +- **LowerClassFilters** Lower filter class drivers IDs installed for the device +- **LowerFilters** Lower filter drivers IDs installed for the device +- **Manufacturer** INF file name (the name could be renamed by OS, such as oemXX.inf) +- **MatchingID** Device installation state. +- **Model** The version of the inventory binary generating the events. +- **ParentId** Lower filter class drivers IDs installed for the device. +- **ProblemCode** Lower filter drivers IDs installed for the device. +- **Provider** The device manufacturer. +- **Service** The device service name +- **STACKID** Represents the hardware ID or compatible ID that Windows uses to install a device instance. +- **UpperClassFilters** Upper filter drivers IDs installed for the device +- **UpperFilters** The device model. + + +### Microsoft.Windows.Inventory.Core.InventoryDevicePnpRemove + +This event indicates that the InventoryDevicePnpRemove object is no longer present. The data collected with this event is used to keep Windows performing properly. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDevicePnpStartSync + +This event indicates that a new set of InventoryDevicePnpAdd events will be sent. The data collected with this event is used to keep Windows performing properly. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). 
+ +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDeviceUsbHubClassAdd + +This event sends basic metadata about the USB hubs on the device. The data collected with this event is used to keep Windows performing properly. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. +- **TotalUserConnectablePorts** Total number of connectable USB ports. +- **TotalUserConnectableTypeCPorts** Total number of connectable USB Type C ports. + + +### Microsoft.Windows.Inventory.Core.InventoryDeviceUsbHubClassStartSync + +This event indicates that a new set of InventoryDeviceUsbHubClassAdd events will be sent. The data collected with this event is used to keep Windows performing properly. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDriverBinaryAdd + +This event sends basic metadata about driver binaries running on the system. The data collected with this event is used to help keep Windows up to date and performing properly. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **DriverCheckSum** The checksum of the driver file. +- **DriverCompany** The company name that developed the driver. +- **DriverInBox** Is the driver included with the operating system? +- **DriverIsKernelMode** Is it a kernel mode driver? +- **DriverName** The file name of the driver. 
+- **DriverPackageStrongName** The strong name of the driver package +- **DriverSigned** The strong name of the driver package +- **DriverTimeStamp** The low 32 bits of the time stamp of the driver file. +- **DriverType** A bitfield of driver attributes: 1. define DRIVER_MAP_DRIVER_TYPE_PRINTER 0x0001. 2. define DRIVER_MAP_DRIVER_TYPE_KERNEL 0x0002. 3. define DRIVER_MAP_DRIVER_TYPE_USER 0x0004. 4. define DRIVER_MAP_DRIVER_IS_SIGNED 0x0008. 5. define DRIVER_MAP_DRIVER_IS_INBOX 0x0010. 6. define DRIVER_MAP_DRIVER_IS_WINQUAL 0x0040. 7. define DRIVER_MAP_DRIVER_IS_SELF_SIGNED 0x0020. 8. define DRIVER_MAP_DRIVER_IS_CI_SIGNED 0x0080. 9. define DRIVER_MAP_DRIVER_HAS_BOOT_SERVICE 0x0100. 10. define DRIVER_MAP_DRIVER_TYPE_I386 0x10000. 11. define DRIVER_MAP_DRIVER_TYPE_IA64 0x20000. 12. define DRIVER_MAP_DRIVER_TYPE_AMD64 0x40000. 13. define DRIVER_MAP_DRIVER_TYPE_ARM 0x100000. 14. define DRIVER_MAP_DRIVER_TYPE_THUMB 0x200000. 15. define DRIVER_MAP_DRIVER_TYPE_ARMNT 0x400000. 16. define DRIVER_MAP_DRIVER_IS_TIME_STAMPED 0x800000. +- **DriverVersion** The version of the driver file. +- **ImageSize** The size of the driver file. +- **Inf** The name of the INF file. +- **InventoryVersion** The version of the inventory file generating the events. +- **Product** The product name that is included in the driver file. +- **ProductVersion** The product version that is included in the driver file. +- **Service** The name of the service that is installed for the device. +- **WdfVersion** The Windows Driver Framework version. + + +### Microsoft.Windows.Inventory.Core.InventoryDriverBinaryRemove + +This event indicates that the InventoryDriverBinary object is no longer present. The data collected with this event is used to keep Windows performing properly. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. 
+ + +### Microsoft.Windows.Inventory.Core.InventoryDriverBinaryStartSync + +This event indicates that a new set of InventoryDriverBinaryAdd events will be sent. The data collected with this event is used to keep Windows performing properly. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + ### Microsoft.Windows.Inventory.Core.InventoryDriverPackageAdd -This event sends basic metadata about drive packages installed on the system to help keep Windows up to date. +This event sends basic metadata about drive packages installed on the system. The data collected with this event is used to help keep Windows up to date and performing properly. This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). 
@@ -665,6 +3442,40 @@ The following fields are available: - **Version** The version of the driver package. +### Microsoft.Windows.Inventory.Core.InventoryDriverPackageRemove + +This event indicates that the InventoryDriverPackageRemove object is no longer present. The data collected with this event is used to keep Windows performing properly. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDriverPackageStartSync + +This event indicates that a new set of InventoryDriverPackageAdd events will be sent. The data collected with this event is used to keep Windows performing properly. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.General.AppHealthStaticAdd + +This event sends details collected for a specific application on the source device. The data collected with this event is used to keep Windows performing properly. + + + +### Microsoft.Windows.Inventory.General.AppHealthStaticStartSync + +This event indicates the beginning of a series of AppHealthStaticAdd events. The data collected with this event is used to keep Windows performing properly. + + + ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousMemorySlotArrayInfoAdd This event provides basic information about active memory slots on the device. 
@@ -682,14 +3493,78 @@ The following fields are available: - **TypeDetails** Reports Non-volatile, etc. as a bit flag enumeration per DMTF SMBIOS standard version 3.3.0, section 7.18.3. -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIdentifiersAdd +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousMemorySlotArrayInfoStartSync -Provides data on the Office identifiers. +This diagnostic event indicates a new sync is being generated for this object type. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInAdd + +This event provides data on the installed Office add-ins. The data collected with this event is used to keep Windows performing properly. This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: +- **AddinCLSID** The class identifier key for the Microsoft Office add-in. +- **AddInCLSID** The class identifier key for the Microsoft Office add-in. +- **AddInId** The identifier for the Microsoft Office add-in. +- **AddinType** The type of the Microsoft Office add-in. +- **BinFileTimestamp** The timestamp of the Office add-in. +- **BinFileVersion** The version of the Microsoft Office add-in. +- **Description** Description of the Microsoft Office add-in. +- **FileId** The file identifier of the Microsoft Office add-in. +- **FileSize** The file size of the Microsoft Office add-in. +- **FriendlyName** The friendly name for the Microsoft Office add-in. +- **FullPath** The full path to the Microsoft Office add-in. +- **InventoryVersion** The version of the inventory binary generating the events. +- **LoadBehavior** Integer that describes the load behavior. +- **LoadTime** Load time for the Office add-in. +- **OfficeApplication** The Microsoft Office application associated with the add-in. 
+- **OfficeArchitecture** The architecture of the add-in. +- **OfficeVersion** The Microsoft Office version for this add-in. +- **OutlookCrashingAddin** Indicates whether crashes have been found for this add-in. +- **ProductCompany** The name of the company associated with the Office add-in. +- **ProductName** The product name associated with the Microsoft Office add-in. +- **ProductVersion** The version associated with the Office add-in. +- **ProgramId** The unique program identifier of the Microsoft Office add-in. +- **Provider** Name of the provider for this add-in. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInRemove + +This event indicates that the particular data object represented by the objectInstanceId is no longer present. The data collected with this event is used to keep Windows performing properly. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInStartSync + +This event indicates that a new sync is being generated for this object type. The data collected with this event is used to keep Windows performing properly. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIdentifiersAdd + +This event provides data on the Office identifiers. The data collected with this event is used to keep Windows performing properly. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). 
+ +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. - **OAudienceData** Sub-identifier for Microsoft Office release management, identifying the pilot group for a device - **OAudienceId** Microsoft Office identifier for Microsoft Office release management, identifying the pilot group for a device - **OMID** Identifier for the Office SQM Machine 
@@ -699,28 +3574,368 @@ The following fields are available: - **OWowMID** Legacy Microsoft Office telemetry identifier (SQM Machine ID) for WoW systems (32-bit Microsoft Office on 64-bit Windows) -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeProductsAdd +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIdentifiersStartSync -Describes Office Products installed. +This is a diagnostic event that indicates a new sync is being generated for this object type. The data collected with this event is used to keep Windows performing properly. This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIESettingsAdd + +This event provides data on Office-related Internet Explorer features. The data collected with this event is used to keep Windows performing properly. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. +- **OIeFeatureAddon** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_ADDON_MANAGEMENT feature lets applications hosting the WebBrowser Control to respect add-on management selections made using the Add-on Manager feature of Internet Explorer. Add-ons disabled by the user or by administrative group policy will also be disabled in applications that enable this feature. +- **OIeMachineLockdown** Flag indicating which Microsoft Office products have this setting enabled. When the FEATURE_LOCALMACHINE_LOCKDOWN feature is enabled, Internet Explorer applies security restrictions on content loaded from the user's local machine, which helps prevent malicious behavior involving local files. 
+- **OIeMimeHandling** Flag indicating which Microsoft Office products have this setting enabled. When the FEATURE_MIME_HANDLING feature control is enabled, Internet Explorer handles MIME types more securely. Only applies to Windows Internet Explorer 6 for Windows XP Service Pack 2 (SP2)
+- **OIeMimeSniffing** Flag indicating which Microsoft Office products have this setting enabled. Determines a file's type by examining its bit signature. Windows Internet Explorer uses this information to determine how to render the file. The FEATURE_MIME_SNIFFING feature, when enabled, allows to be set differently for each security zone by using the URLACTION_FEATURE_MIME_SNIFFING URL action flag
+- **OIeNoAxInstall** Flag indicating which Microsoft Office products have this setting enabled. When a webpage attempts to load or install an ActiveX control that isn't already installed, the FEATURE_RESTRICT_ACTIVEXINSTALL feature blocks the request. When a webpage tries to load or install an ActiveX control that isn't already installed, the FEATURE_RESTRICT_ACTIVEXINSTALL feature blocks the request
+- **OIeNoDownload** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_RESTRICT_FILEDOWNLOAD feature blocks file download requests that navigate to a resource, that display a file download dialog box, or that are not initiated explicitly by a user action (for example, a mouse click or key press). Only applies to Windows Internet Explorer 6 for Windows XP Service Pack 2 (SP2)
+- **OIeObjectCaching** Flag indicating which Microsoft Office products have this setting enabled. When enabled, the FEATURE_OBJECT_CACHING feature prevents webpages from accessing or instantiating ActiveX controls cached from different domains or security contexts
+- **OIePasswordDisable** Flag indicating which Microsoft Office products have this setting enabled.
After Windows Internet Explorer 6 for Windows XP Service Pack 2 (SP2), Internet Explorer no longer allows usernames and passwords to be specified in URLs that use the HTTP or HTTPS protocols. URLs using other protocols, such as FTP, still allow usernames and passwords
+- **OIeSafeBind** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_SAFE_BINDTOOBJECT feature performs additional safety checks when calling MonikerBindToObject to create and initialize Microsoft ActiveX controls. Specifically, prevent the control from being created if COMPAT_EVIL_DONT_LOAD is in the registry for the control
+- **OIeSecurityBand** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_SECURITYBAND feature controls the display of the Internet Explorer Information bar. When enabled, the Information bar appears when file download or code installation is restricted
+- **OIeUncSaveCheck** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_UNC_SAVEDFILECHECK feature enables the Mark of the Web (MOTW) for local files loaded from network locations that have been shared by using the Universal Naming Convention (UNC)
+- **OIeValidateUrl** Flag indicating which Microsoft Office products have this setting enabled. When enabled, the FEATURE_VALIDATE_NAVIGATE_URL feature control prevents Windows Internet Explorer from navigating to a badly formed URL
+- **OIeWebOcPopup** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_WEBOC_POPUPMANAGEMENT feature allows applications hosting the WebBrowser Control to receive the default Internet Explorer pop-up window management behavior
+- **OIeWinRestrict** Flag indicating which Microsoft Office products have this setting enabled.
When enabled, the FEATURE_WINDOW_RESTRICTIONS feature adds several restrictions to the size and behavior of popup windows
+- **OIeZoneElevate** Flag indicating which Microsoft Office products have this setting enabled. When enabled, the FEATURE_ZONE_ELEVATION feature prevents pages in one zone from navigating to pages in a higher security zone unless the navigation is generated by the user
+
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIESettingsStartSync
+
+This is a diagnostic event that indicates a new sync is being generated for this object type. The data collected with this event is used to keep Windows performing properly.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory binary generating the events.
+
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsAdd
+
+This event provides insight data on the installed Office products. The data collected with this event is used to keep Windows performing properly.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory binary generating the events.
+- **OfficeApplication** The name of the Office application.
+- **OfficeArchitecture** The bitness of the Office application.
+- **OfficeVersion** The version of the Office application.
+- **Value** The insights collected about this entity.
+
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsRemove
+
+This event indicates that the particular data object represented by the objectInstanceId is no longer present. The data collected with this event is used to keep Windows performing properly.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+ +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsStartSync + +This diagnostic event indicates that a new sync is being generated for this object type. The data collected with this event is used to keep Windows performing properly. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeProductsAdd + +This event describes all installed Office products. The data collected with this event is used to keep Windows performing properly. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. - **OC2rApps** A GUID the describes the Office Click-To-Run apps - **OC2rSkus** Comma-delimited list (CSV) of Office Click-To-Run products installed on the device. For example, Office 2016 ProPlus - **OMsiApps** Comma-delimited list (CSV) of Office MSI products installed on the device. For example, Microsoft Word - **OProductCodes** A GUID that describes the Office MSI products +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeProductsStartSync + +This is a diagnostic event that indicates a new sync is being generated for this object type. The data collected with this event is used to keep Windows performing properly. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. 
+
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeSettingsAdd
+
+This event describes various Office settings. The data collected with this event is used to keep Windows performing properly.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **BrowserFlags** Browser flags for Office-related products.
+- **ExchangeProviderFlags** Provider policies for Office Exchange.
+- **InventoryVersion** The version of the inventory binary generating the events.
+- **SharedComputerLicensing** Office shared computer licensing policies.
+
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeSettingsStartSync
+
+This is a diagnostic event that indicates a new sync is being generated for this object type. The data collected with this event is used to keep Windows performing properly.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory binary generating the events.
+
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBAAdd
+
+This event provides a summary rollup count of conditions encountered while performing a local scan of Office files, analyzing for known VBA programmability compatibility issues between legacy office version and ProPlus, and between 32 and 64-bit versions. The data collected with this event is used to keep Windows performing properly.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **Design** Count of files with design issues found.
+- **Design_x64** Count of files with 64 bit design issues found.
+- **DuplicateVBA** Count of files with duplicate VBA code.
+- **HasVBA** Count of files with VBA code.
+- **Inaccessible** Count of files that were inaccessible for scanning.
+- **InventoryVersion** The version of the inventory binary generating the events.
+- **Issues** Count of files with issues detected.
+- **Issues_x64** Count of files with 64-bit issues detected.
+- **IssuesNone** Count of files with no issues detected.
+- **IssuesNone_x64** Count of files with no 64-bit issues detected.
+- **Locked** Count of files that were locked, preventing scanning.
+- **NoVBA** Count of files with no VBA inside.
+- **Protected** Count of files that were password protected, preventing scanning.
+- **RemLimited** Count of files that require limited remediation changes.
+- **RemLimited_x64** Count of files that require limited remediation changes for 64-bit issues.
+- **RemSignificant** Count of files that require significant remediation changes.
+- **RemSignificant_x64** Count of files that require significant remediation changes for 64-bit issues.
+- **Score** Overall compatibility score calculated for scanned content.
+- **Score_x64** Overall 64-bit compatibility score calculated for scanned content.
+- **Total** Total number of files scanned.
+- **Validation** Count of files that require additional manual validation.
+- **Validation_x64** Count of files that require additional manual validation for 64-bit issues.
+
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARemove
+
+This event indicates that the particular data object represented by the objectInstanceId is no longer present. The data collected with this event is used to keep Windows performing properly.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory binary generating the events.
+
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsAdd
+
+This event provides data on Microsoft Office VBA rule violations, including a rollup count per violation type, giving an indication of remediation requirements for an organization. The event identifier is a unique GUID, associated with the validation rule. The data collected with this event is used to keep Windows performing properly.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **Count** Count of total Microsoft Office VBA rule violations
+- **InventoryVersion** The version of the inventory binary generating the events.
+
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsRemove
+
+This event indicates that the particular data object represented by the objectInstanceId is no longer present. The data collected with this event is used to keep Windows performing properly.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory binary generating the events.
+
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsStartSync
+
+This event indicates that a new sync is being generated for this object type. The data collected with this event is used to keep Windows performing properly.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory binary generating the events.
+
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBAStartSync
+
+This diagnostic event indicates that a new sync is being generated for this object type. The data collected with this event is used to keep Windows performing properly.
+ +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoAdd + +This event provides data on Unified Update Platform (UUP) products and what version they are at. The data collected with this event is used to keep Windows performing properly. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **Identifier** UUP identifier +- **LastActivatedVersion** Last activated version +- **PreviousVersion** Previous version +- **Source** UUP source +- **Version** UUP version + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoRemove + +This event indicates that this particular data object represented by the objectInstanceId is no longer present. The data collected with this event is used to keep Windows performing properly. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoStartSync + +This is a diagnostic event that indicates a new sync is being generated for this object type. The data collected with this event is used to keep Windows performing properly. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + + + ### Microsoft.Windows.Inventory.Indicators.Checksum -This event summarizes the counts for the InventoryMiscellaneousUexIndicatorAdd events. +This event summarizes the counts for the InventoryMiscellaneousUexIndicatorAdd events. The data collected with this event is used to keep Windows performing properly. The following fields are available: - **CensusId** A unique hardware identifier. 
- **ChecksumDictionary** A count of each operating system indicator. +- **PCFP** Equivalent to the InventoryId field that is found in other core events. + + +### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorAdd + +This event represents the basic metadata about the OS indicators installed on the system. The data collected with this event helps ensure the device is up to date and keeps Windows performing properly. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **IndicatorValue** The indicator value. + + +### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorStartSync + +This event indicates that this particular data object represented by the objectInstanceId is no longer present. This event is used to understand the OS indicators installed on the system. The data collected with this event helps ensure the device is current and Windows is up to date and performing properly. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + + + +## Kernel events + +### Microsoft.Windows.Kernel.DeviceConfig.DeviceConfig + +This critical device configuration event provides information about drivers for a driver installation that took place within the kernel. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **ClassGuid** The unique ID for the device class. +- **DeviceInstanceId** The unique ID for the device on the system. +- **DriverDate** The date of the driver. +- **DriverFlightIds** The IDs for the driver flights. +- **DriverInfName** Driver INF file name. +- **DriverProvider** The driver manufacturer or provider. +- **DriverSubmissionId** The driver submission ID assigned by the hardware developer center. +- **DriverVersion** The driver version number. 
+- **ExtensionDrivers** The list of extension driver INF files, extension IDs, and associated flight IDs.
+- **FirstHardwareId** The ID in the hardware ID list that provides the most specific device description.
+- **InboxDriver** Indicates whether the driver package is included with Windows.
+- **InstallDate** Date the driver was installed.
+- **LastCompatibleId** The ID in the hardware ID list that provides the least specific device description.
+- **Legacy** Indicates whether the driver is a legacy driver.
+- **NeedReboot** Indicates whether the driver requires a reboot.
+- **RebootRequiredReason** Provides the reason why a reboot is required.
+- **SetupMode** Indicates whether the device configuration occurred during the Out Of Box Experience (OOBE).
+- **StatusCode** The NTSTATUS of device configuration operation.
+
+
+### Microsoft.Windows.Kernel.PnP.AggregateClearDevNodeProblem
+
+This event is sent when a problem code is cleared from a device. The data collected with this event is used to help keep Windows up to date and performing properly.
+
+The following fields are available:
+
+- **Count** The total number of events.
+- **DeviceInstanceId** The unique identifier of the device on the system.
+- **LastProblem** The previous problem that was cleared.
+- **LastProblemStatus** The previous NTSTATUS value that was cleared.
+- **ServiceName** The name of the driver or service attached to the device.
+
+
+### Microsoft.Windows.Kernel.PnP.AggregateSetDevNodeProblem
+
+This event is sent when a new problem code is assigned to a device. The data collected with this event is used to help keep Windows up to date and performing properly.
+
+The following fields are available:
+
+- **Count** The total number of events.
+- **DeviceInstanceId** The unique identifier of the device in the system.
+- **LastProblem** The previous problem code that was set on the device.
+- **LastProblemStatus** The previous NTSTATUS value that was set on the device.
+- **Problem** The new problem code that was set on the device. +- **ProblemStatus** The new NTSTATUS value that was set on the device. +- **ServiceName** The driver or service name that is attached to the device. + + +### Microsoft.Windows.Kernel.Power.PreviousShutdownWasThermalShutdown + +This event sends Product and Service Performance data on which area of the device exceeded safe temperature limits and caused the device to shutdown. This information is used to ensure devices are behaving as they are expected to. The data collected with this event is used to keep Windows performing properly. + +The following fields are available: + +- **temperature** Contains the actual temperature measurement, in tenths of degrees Kelvin, for the area that exceeded the limit. +- **thermalZone** Contains an identifier that specifies which area it was that exceeded temperature limits. + + +### Microsoft.Windows.Kernel.Power.WinloadFatalError + +This event provides Winload fatal error information. The data collected with this event is used to keep Windows performing properly. + +The following fields are available: + +- **errorBootId** The first boot sequence this error code was encountered since the last successful boot. +- **errorCode** The code from OslFatalErrorEx. +- **errorStatus** The status from OslFatalErrorEx. +- **otherErrorCount** The number of times other error codes have been encountered on subsequent boot attempts. +- **repeatCount** The number of times this error code has been repeated on subsequent boot attempts. ## Microsoft Edge events 
@@ -758,6 +3973,7 @@ This config event sends basic device connectivity and configuration information The following fields are available: +- **app_sample_rate** A number representing how often the client sends telemetry, expressed as a percentage. Low values indicate that said client sends more events and high values indicate that said client sends fewer events. - **app_version** The internal Edge build version string, taken from the UMA metrics field system_profile.app_version. - **appConsentState** Bit flags describing consent for data collection on the machine or zero if the state was not retrieved. The following are true when the associated bit is set: consent was granted (0x1), consent was communicated at install (0x2), diagnostic data consent granted (0x20000), browsing data consent granted (0x40000). - **Channel** An integer indicating the channel of the installation (Canary or Dev). @@ -783,6 +3999,7 @@ This config event sends basic device connectivity and configuration information The following fields are available: +- **app_env** The environment from which the event was logged when testing; otherwise, the field is omitted or left blank. - **app_sample_rate** A number representing how often the client sends telemetry, expressed as a percentage. Low values indicate that said client sends more events and high values indicate that said client sends fewer events. - **app_version** The internal Edge build version string, taken from the UMA metrics field system_profile.app_version. - **appConsentState** Bit flags describing consent for data collection on the machine or zero if the state was not retrieved. The following are true when the associated bit is set: consent was granted (0x1), consent was communicated at install (0x2), diagnostic data consent granted (0x20000), browsing data consent granted (0x40000). 
@@ -832,7 +4049,7 @@ The following fields are available: ### Aria.af397ef28e484961ba48646a5d38cf54.Microsoft.WebBrowser.Installer.EdgeUpdate.Ping -The Ping event sends a detailed inventory of software and hardware information about the EdgeUpdate user's version, app usage, update usage, and hardware capabilities. This event contains Device Connectivity and Configuration, Product and Service Performance, Product and Service Usage, and Software Setup and Inventory data. One roll-up event is sent each time any installation, update, or uninstallation process, including an error, occurs in the EdgeUpdate service. Each Ping event can contain an arbitrary number of apps which have been modified, and each of these apps in turn can fire multiple event types. This event is used to measure the reliability, performance, and usage of the EdgeUpdate service. +This Ping event sends a detailed inventory of software and hardware information about the EdgeUpdate service, Edge applications, and the current system environment including app configuration, update configuration, and hardware capabilities. This event contains Device Connectivity and Configuration, Product and Service Performance, and Software Setup and Inventory data. One or more events is sent each time any installation, update, or uninstallation occurs with the EdgeUpdate service or with Edge applications. This event is used to measure the reliability and performance of the EdgeUpdate service and if Edge applications are up to date. This is an indication that the event is designed to keep Windows secure and up to date. The following fields are available: 
@@ -851,11 +4068,15 @@ The following fields are available: - **appLang** The language of the product install, in IETF BCP 47 representation. Default: ''. - **appNextVersion** The version of the app that the update flow to which this event belongs attempted to reach, regardless of the success or failure of the update operation. Please see the wiki for additional information. Default: '0.0.0.0'. - **appPingEventAppSize** The total number of bytes of all downloaded packages. Default: '0'. +- **appPingEventDownloadMetricsCdnCCC** ISO 2 character country code that matches to the country updated binaries are delivered from. E.g.: US. +- **appPingEventDownloadMetricsCdnCID** Numeric value used to internally track the origins of the updated binaries. For example, 2. - **appPingEventDownloadMetricsDownloadedBytes** For events representing a download, the number of bytes expected to be downloaded. For events representing an entire update flow, the sum of all such expected bytes over the course of the update flow. Default: '0'. - **appPingEventDownloadMetricsDownloader** A string identifying the download algorithm and/or stack. Example values include: 'bits', 'direct', 'winhttp', 'p2p'. Sent in events that have an event type of '14' only. Default: ''. - **appPingEventDownloadMetricsDownloadTimeMs** For events representing a download, the time elapsed between the start of the download and the end of the download, in milliseconds. For events representing an entire update flow, the sum of all such download times over the course of the update flow. Sent in events that have an event type of '1', '2', '3', and '14' only. Default: '0'. - **appPingEventDownloadMetricsError** The error code (if any) of the operation, encoded as a signed base-10 integer. Default: '0'. +- **appPingEventDownloadMetricsServerIpHint** For events representing a download, the CDN Host IP address that corresponds to the update file server. 
The CDN host is controlled by Microsoft servers and always maps to IP addresses hosting *.delivery.mp.microsoft.com or msedgesetup.azureedge.net. Default: ''. - **appPingEventDownloadMetricsTotalBytes** For events representing a download, the number of bytes expected to be downloaded. For events representing an entire update flow, the sum of all such expected bytes over the course of the update flow. Default: '0'. +- **appPingEventDownloadMetricsUrl** For events representing a download, the CDN URL provided by the update server for the client to download the update, the URL is controlled by Microsoft servers and always maps back to either *.delivery.mp.microsoft.com or msedgesetup.azureedge.net. Default: ''. - **appPingEventDownloadTimeMs** For events representing a download, the time elapsed between the start of the download and the end of the download, in milliseconds. For events representing an entire update flow, the sum of all such download times over the course of the update flow. Sent in events that have an event type of '1', '2', '3', and '14' only. Default: '0'. - **appPingEventErrorCode** The error code (if any) of the operation, encoded as a signed, base-10 integer. Default: '0'. - **appPingEventEventResult** An enum indicating the result of the event. Please see the wiki for additional information. Default: '0'. 
@@ -870,6 +4091,7 @@ The following fields are available: - **appUpdateCheckTargetVersionPrefix** A component-wise prefix of a version number, or a complete version number suffixed with the $ character. The server should not return an update instruction to a version number that does not match the prefix or complete version number. The prefix is interpreted a dotted-tuple that specifies the exactly-matching elements; it is not a lexical prefix (for example, '1.2.3' must match '1.2.3.4' but must not match '1.2.34'). Default: ''. - **appUpdateCheckTtToken** An opaque access token that can be used to identify the requesting client as a member of a trusted-tester group. If non-empty, the request should be sent over SSL or another secure protocol. Default: ''. - **appVersion** The version of the product install. Please see the wiki for additional information. Default: '0.0.0.0'. +- **EventInfo.Level** The minimum Windows diagnostic data level required for the event where 1 is basic, 2 is enhanced, and 3 is full. - **eventType** A string indicating the type of the event. Please see the wiki for additional information. - **hwHasAvx** '1' if the client's hardware supports the AVX instruction set. '0' if the client's hardware does not support the AVX instruction set. '-1' if unknown. Default: '-1'. - **hwHasSse** '1' if the client's hardware supports the SSE instruction set. '0' if the client's hardware does not support the SSE instruction set. '-1' if unknown. Default: '-1'. 
@@ -893,6 +4115,7 @@ The following fields are available: - **requestOmahaVersion** The version of the Omaha updater itself (the entity sending this request). Default: '0.0.0.0'. - **requestProtocolVersion** The version of the Omaha protocol. Compatible clients MUST provide a value of '3.0'. Compatible clients must always transmit this attribute. Default: undefined. - **requestRequestId** A randomly-generated (uniformly distributed) GUID, corresponding to the Omaha request. Each request attempt should have (with high probability) a unique request id. Default: ''. +- **requestSessionCorrelationVectorBase** A client generated random MS Correlation Vector base code used to correlate the update session with update and CDN servers. Default: ''. - **requestSessionId** A randomly-generated (uniformly distributed) GUID. Each single update flow (e.g. update check, update application, event ping sequence) should have (with high probability) a single unique session ID. Default: ''. - **requestTestSource** Either '', 'dev', 'qa', 'prober', 'auto', or 'ossdev'. Any value except '' indicates that the request is a test and should not be counted toward normal metrics. Default: ''. - **requestUid** A randomly-generated (uniformly distributed) GUID, corresponding to the Omaha user. Each request attempt SHOULD have (with high probability) a unique request id. Default: ''. 
@@ -927,7 +4150,7 @@ The following fields are available: ### Microsoft.WebBrowser.Installer.EdgeUpdate.Ping -This event sends hardware and software inventory information about the Microsoft Edge Update service, Microsoft Edge applications, and the current system environment, including app configuration, update configuration, and hardware capabilities. It's used to measure the reliability and performance of the EdgeUpdate service and if Microsoft Edge applications are up to date +This event sends hardware and software inventory information about the Microsoft Edge Update service, Microsoft Edge applications, and the current system environment, including app configuration, update configuration, and hardware capabilities. It's used to measure the reliability and performance of the EdgeUpdate service and if Microsoft Edge applications are up to date. This is an indication that the event is designed to keep Windows secure and up to date. The following fields are available: 
@@ -997,6 +4220,43 @@ The following fields are available: - **requestUid** A randomly-generated (uniformly distributed) GUID, corresponding to the Omaha user. Each request attempt SHOULD have (with high probability) a unique request id. Default: ''. +## Migration events + +### Microsoft.Windows.MigrationCore.MigObjectCountDLUsr + +This event returns data to track the count of the migration objects across various phases during feature update. The data collected with this event is used to help keep Windows secure and to track data loss scenarios. + +The following fields are available: + +- **currentSid** Indicates the user SID for which the migration is being performed. +- **knownFoldersUsr[i]** Predefined folder path locations. +- **migDiagSession->CString** The phase of the upgrade where migration occurs. (E.g.: Validate tracked content) +- **objectCount** The count for the number of objects that are being transferred. + + +### Microsoft.Windows.MigrationCore.MigObjectCountKFSys + +This event returns data about the count of the migration objects across various phases during feature update. The data collected with this event is used to help keep Windows secure and to track data loss scenarios. + +The following fields are available: + +- **knownFoldersSys[i]** The predefined folder path locations. +- **migDiagSession->CString** Identifies the phase of the upgrade where migration happens. +- **objectCount** The count of the number of objects that are being transferred. + + +### Microsoft.Windows.MigrationCore.MigObjectCountKFUsr + +This event returns data to track the count of the migration objects across various phases during feature update. The data collected with this event is used to help keep Windows secure and to track data loss scenarios. + +The following fields are available: + +- **currentSid** Indicates the user SID for which the migration is being performed. +- **knownFoldersUsr[i]** Predefined folder path locations. 
+- **migDiagSession->CString** The phase of the upgrade where the migration occurs. (For example, Validate tracked content.) +- **objectCount** The number of objects that are being transferred. + + ## MUI events ### MuiResourceLoaderTraceLogging.MapAndVerifyResourceFileFailure 
@@ -1023,16 +4283,153 @@ The following fields are available: - **ResourceFileName** DLL path and name which has a failing service checksum. -### NetworkTelemetry.AccessPointData +## OneDrive events -This event describes the wireless access point to which the Xbox is connected. Collected when a wireless network is joined. +### Microsoft.OneDrive.Sync.Setup.APIOperation + +This event includes basic data about install and uninstall OneDrive API operations. The data collected with this event is used to help keep Windows up to date, secure, and performing properly. + +The following fields are available: + +- **APIName** The name of the API. +- **Duration** How long the operation took. +- **IsSuccess** Was the operation successful? +- **ResultCode** The result code. +- **ScenarioName** The name of the scenario. +### Microsoft.OneDrive.Sync.Setup.EndExperience -### NetworkTelemetry.FlightControllerInitialize +This event includes a success or failure summary of the installation. The data collected with this event is used to help keep Windows up to date, secure, and performing properly. -This event is logged when the flight controller attempts to write the hosts file. +The following fields are available: +- **APIName** The name of the API. +- **HResult** HResult of the operation +- **IsSuccess** Whether the operation is successful or not +- **ScenarioName** The name of the scenario. + + +### Microsoft.OneDrive.Sync.Updater.ComponentInstallState + +This event includes basic data about the installation state of dependent OneDrive components. The data collected with this event is used to help keep Windows up to date, secure, and performing properly. + +The following fields are available: + +- **ComponentName** The name of the dependent component. +- **isInstalled** Is the dependent component installed? + + +### Microsoft.OneDrive.Sync.Updater.OverlayIconStatus + +This event indicates if the OneDrive overlay icon is working correctly. 0 = healthy; 1 = can be fixed; 2 = broken. 
The data collected with this event is used to help keep Windows up to date, secure, and performing properly. + +The following fields are available: + +- **32bit** The status of the OneDrive overlay icon on a 32-bit operating system. +- **64bit** The status of the OneDrive overlay icon on a 64-bit operating system. + + +### Microsoft.OneDrive.Sync.Updater.UpdateOverallResult + +This event sends information describing the result of the update. The data collected with this event is used to help keep Windows up to date, secure, and performing properly. + +The following fields are available: + +- **hr** The HResult of the operation. +- **IsLoggingEnabled** Indicates whether logging is enabled for the updater. +- **UpdaterVersion** The version of the updater. + + +### Microsoft.OneDrive.Sync.Updater.WebConnectionStatus + +This event determines the error code that was returned when verifying Internet connectivity. The data collected with this event is used to help keep Windows up to date, secure, and performing properly. + +The following fields are available: + +- **failedCheck** The error code returned by the operation. +- **winInetError** The HResult of the operation. + + +## ONNX runtime events + +### Microsoft.ML.ONNXRuntime.ProcessInfo + +This event collects information when an application loads ONNXRuntime.dll. The data collected with this event is used to keep Windows product and service performing properly. + +The following fields are available: + +- **AppSessionGuid** An identifier of a particular application session starting at process creation time and persisting until process end. +- **isRedist** Indicates if the ONNXRuntime usage is from redistributable package or inbox. +- **runtimeVersion** The version number of ONNXRuntime. +- **schemaVersion** Blueprint version of how the database is constructed. + + +### Microsoft.ML.ONNXRuntime.RuntimePerf + +This event collects information about ONNXRuntime performance. 
The data collected with this event is used to keep Windows performing properly. + +The following fields are available: + +- **AppSessionGuid** An identifier of a particular application session starting at process creation time and persisting until process end. +- **schemaVersion** Blueprint version of how the database is constructed. +- **sessionId** Identifier for each created session. +- **totalRunDuration** Total running/evaluation time from last time. +- **totalRuns** Total number of running/evaluation from last time. + + +## Windows Admin Center events + +### Microsoft.ServerManagementExperience.Gateway.Service.GatewayStatus + +A periodic event that describes Windows Admin Center gateway app's version and other inventory and configuration parameters. + +The following fields are available: + +- **activeNodesByNodeId** A count of how many active nodes are on this gateway, deduplicated by Node ID. +- **activeNodesByUuid** A count of how many active nodes are on this gateway, deduplicated by UUID. +- **AvailableMemoryMByte** A snapshot of the available physical memory on the OS. +- **azureADAppRegistered** If the gateway is registered with an Azure Active Directory. +- **azureADAuthEnabled** If the gateway has enabled authentication using Azure Active Directory. +- **friendlyOsName** A user-friendly name describing the OS version. +- **gatewayCpuUtilizationPercent** A snapshot of CPU usage on the OS. +- **gatewayVersion** The version string for this currently running Gateway application. +- **gatewayWorkingSetMByte** A snapshot of the working set size of the gateway process. +- **installationType** Identifies if the gateway was installed as a VM extension. +- **installedDate** The date on which this gateway was installed. +- **logicalProcessorCount** A snapshot of the how many logical processors the machine running this gateway has. +- **otherProperties** This is an empty string, but may be used for another purpose in the future. 
+- **registeredNodesByNodeId** A count of how many nodes are registered with this gateway, deduplicated by Node ID. +- **registeredNodesByUuid** A count of how many nodes are registered with this gateway, deduplicated by UUID.. +- **totalCpuUtilizationPercent** A snapshot of the total CPU utilization of the machine running this gateway. + + +## Privacy consent logging events + +### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentCompleted + +This event is used to determine whether the user successfully completed the privacy consent experience. The data collected with this event is used to help keep Windows up to date. + +The following fields are available: + +- **presentationVersion** Which display version of the privacy consent experience the user completed +- **privacyConsentState** The current state of the privacy consent experience +- **settingsVersion** Which setting version of the privacy consent experience the user completed +- **userOobeExitReason** The exit reason of the privacy consent experience + + +### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentStatus + +This event provides the effectiveness of new privacy experience. The data collected with this event is used to help keep Windows up to date. + +The following fields are available: + +- **isAdmin** whether the person who is logging in is an admin +- **isExistingUser** whether the account existed in a downlevel OS +- **isLaunching** Whether or not the privacy consent experience will be launched +- **isSilentElevation** whether the user has most restrictive UAC controls +- **privacyConsentState** whether the user has completed privacy experience +- **userRegionCode** The current user's region setting ## Sediment events 
@@ -1051,8 +4448,47 @@ The following fields are available: - **Time** The system time at which the event occurred. +### Microsoft.Windows.Sediment.OSRSS.Error + +This event indicates an error occurred in the Operating System Remediation System Service (OSRSS). The information provided helps ensure future upgrade/update attempts are more successful. The data collected with this event is used to help keep Windows up to date. + +The following fields are available: + +- **FailureType** The type of error encountered. +- **FileName** The code file in which the error occurred. +- **HResult** The failure error code. +- **LineNumber** The line number in the code file at which the error occurred. +- **ServiceVersionMajor** The Major version information of the component. +- **ServiceVersionMinor** The Minor version information of the component. +- **Time** The system time at which the event occurred. + + ## Setup events +### Microsoft.Windows.Setup.WinSetupBoot.BootBlockStart + +This event emits the start of the windows setup boot routine during upgrade. This routine determines the state of the upgrade and handles properly moving the upgrade forward or rolling back the device. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **Action** It indicates phase/stage of operation. +- **Detail** It indicates details about the phase/stage of the operation. +- **Rollback** It is blank as this event triggers in success scenario only. +- **Status** It indicates details about the status for getting the disk device object during boot. + + +### Microsoft.Windows.Setup.WinSetupBoot.BootBlockStop + +This event emits the stop of the windows setup boot routine during upgrade. This routine determines the state of the upgrade and handles properly moving the upgrade forward or rolling back the device. The data collected with this event is used to help keep Windows up to date and performing properly. 
+ +The following fields are available: + +- **Action** It indicates phase/stage of operation. +- **Detail** It indicates details about the phase/stage of the operation. +- **Rollback** It is blank as this event triggers in success scenario only. +- **Status** It indicates details about the status for getting the disk device object during boot. + + ### SetupPlatformTel.SetupPlatformTelActivityEvent This event sends basic metadata about the SetupPlatform update installation process, to help keep Windows up to date. 
@@ -1061,14 +4497,370 @@ The following fields are available: - **FieldName** Retrieves the event name/data point. Examples: InstallStartTime, InstallEndtime, OverallResult etc. - **GroupName** Retrieves the groupname the event belongs to. Example: Install Information, DU Information, Disk Space Information etc. +- **InstanceID** This is a unique GUID to track individual instances of SetupPlatform that will help us tie events from a single instance together. - **Value** Value associated with the corresponding event name. For example, time-related events will include the system time +### SetupPlatformTel.SetupPlatformTelActivityStarted + +This event sends basic metadata about the update installation process generated by SetupPlatform to help keep Windows up to date. + +The following fields are available: + +- **Name** The name of the dynamic update type. Example: GDR driver + + +### SetupPlatformTel.SetupPlatformTelActivityStopped + +This event sends basic metadata about the update installation process generated by SetupPlatform to help keep Windows up to date. + + + +### SetupPlatformTel.SetupPlatformTelEvent + +This service retrieves events generated by SetupPlatform, the engine that drives the various deployment scenarios, to help keep Windows up to date. + +The following fields are available: + +- **FieldName** Retrieves the event name/data point. Examples: InstallStartTime, InstallEndtime, OverallResult etc. +- **GroupName** Retrieves the groupname the event belongs to. Example: Install Information, DU Information, Disk Space Information etc. +- **InstanceID** This is a unique GUID to track individual instances of SetupPlatform that will help us tie events from a single instance together. +- **Value** Retrieves the value associated with the corresponding event name (Field Name). For example: For time related events this will include the system time. 
+ + ## Software update events +### SoftwareUpdateClientTelemetry.CheckForUpdates + +This event sends tracking data about the software distribution client check for content that is applicable to a device, to help keep Windows up to date. + +The following fields are available: + +- **ActivityMatchingId** Contains a unique ID identifying a single CheckForUpdates session from initialization to completion. +- **AllowCachedResults** Indicates if the scan allowed using cached results. +- **ApplicableUpdateInfo** Metadata for the updates which were detected as applicable +- **BranchReadinessLevel** The servicing branch configured on the device. +- **CachedEngineVersion** For self-initiated healing, the version of the SIH engine that is cached on the device. If the SIH engine does not exist, the value is null. +- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client. +- **CapabilityDetectoidGuid** The GUID for a hardware applicability detectoid that could not be evaluated. +- **CDNCountryCode** Two letter country abbreviation for the Content Distribution Network (CDN) location. +- **CDNId** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. +- **ClientVersion** The version number of the software distribution client. +- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. No data is currently reported in this field. Expected value for this field is 0. +- **Context** Gives context on where the error has occurred. Example: AutoEnable, GetSLSData, AddService, Misc, or Unknown +- **DeferralPolicySources** Sources for any update deferral policies defined (GPO = 0x10, MDM = 0x100, Flight = 0x1000, UX = 0x10000). +- **DeferredUpdates** Update IDs which are currently being deferred until a later time +- **DriverError** The error code hit during a driver scan. This is 0 if no error was encountered. 
+- **DriverExclusionPolicy** Indicates if the policy for not including drivers with Windows Update is enabled. +- **DriverSyncPassPerformed** Were drivers scanned this time? +- **EventInstanceID** A globally unique identifier for event instance. +- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed. +- **ExtendedMetadataCabUrl** Hostname that is used to download an update. +- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough. +- **FailedUpdateGuids** The GUIDs for the updates that failed to be evaluated during the scan. +- **FailedUpdatesCount** The number of updates that failed to be evaluated during the scan. +- **FeatureUpdateDeferral** The deferral period configured for feature OS updates on the device (in days). +- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. +- **FeatureUpdatePausePeriod** The pause duration configured for feature OS updates on the device (in days). +- **IntentPFNs** Intended application-set metadata for atomic update scenarios. +- **IPVersion** Indicates whether the download took place over IPv4 or IPv6 +- **IsWUfBDualScanEnabled** Indicates if Windows Update for Business dual scan is enabled on the device. +- **IsWUfBEnabled** Indicates if Windows Update for Business is enabled on the device. +- **IsWUfBFederatedScanDisabled** Indicates if Windows Update for Business federated scan is disabled on the device. +- **IsWUfBTargetVersionEnabled** Flag that indicates if the WU-for-Business target version policy is enabled on the device. +- **MetadataIntegrityMode** The mode of the update transport metadata integrity check. 0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce +- **MSIError** The last error that was encountered during a scan for updates. 
+- **NetworkConnectivityDetected** Indicates the type of network connectivity that was detected. 0 - IPv4, 1 - IPv6 +- **NumberOfApplicableUpdates** The number of updates which were ultimately deemed applicable to the system after the detection process is complete +- **NumberOfApplicationsCategoryScanEvaluated** The number of categories (apps) for which an app update scan checked +- **NumberOfLoop** The number of round trips the scan required +- **NumberOfNewUpdatesFromServiceSync** The number of updates which were seen for the first time in this scan +- **NumberOfUpdatesEvaluated** The total number of updates which were evaluated as a part of the scan +- **NumFailedMetadataSignatures** The number of metadata signatures checks which failed for new metadata synced down. +- **Online** Indicates if this was an online scan. +- **PausedUpdates** A list of UpdateIds which that currently being paused. +- **PauseFeatureUpdatesEndTime** If feature OS updates are paused on the device, this is the date and time for the end of the pause time window. +- **PauseFeatureUpdatesStartTime** If feature OS updates are paused on the device, this is the date and time for the beginning of the pause time window. +- **PauseQualityUpdatesEndTime** If quality OS updates are paused on the device, this is the date and time for the end of the pause time window. +- **PauseQualityUpdatesStartTime** If quality OS updates are paused on the device, this is the date and time for the beginning of the pause time window. +- **ProcessName** The process name of the caller who initiated API calls, in the event where CallerApplicationName was not provided. +- **QualityUpdateDeferral** The deferral period configured for quality OS updates on the device (in days). +- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. +- **QualityUpdatePausePeriod** The pause duration configured for quality OS updates on the device (in days). 
+- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one +- **ScanDurationInSeconds** The number of seconds a scan took +- **ScanEnqueueTime** The number of seconds it took to initialize a scan +- **ScanProps** This is a 32-bit integer containing Boolean properties for a given Windows Update scan. The following bits are used; all remaining bits are reserved and set to zero. Bit 0 (0x1): IsInteractive - is set to 1 if the scan is requested by a user, or 0 if the scan is requested by Automatic Updates. Bit 1 (0x2): IsSeeker - is set to 1 if the Windows Update client's Seeker functionality is enabled. Seeker functionality is enabled on certain interactive scans, and results in the scans returning certain updates that are in the initial stages of release (not yet released for full adoption via Automatic Updates). +- **ServiceGuid** An ID which represents which service the software distribution client is checking for content (Windows Update, Microsoft Store, etc.). +- **ServiceUrl** The environment URL a device is configured to scan with +- **StatusCode** Indicates the result of a CheckForUpdates event (success, cancellation, failure code HResult). +- **SyncType** Describes the type of scan the event was +- **TargetMetadataVersion** For self-initiated healing, this is the target version of the SIH engine to download (if needed). If not, the value is null. +- **TargetReleaseVersion** The value selected for the target release version policy. +- **TotalNumMetadataSignatures** The total number of metadata signatures checks done for new metadata that was synced down. +- **WebServiceRetryMethods** Web service method requests that needed to be retried to complete operation. +- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. 
+ + +### SoftwareUpdateClientTelemetry.Commit + +This event sends data on whether the Update Service has been called to execute an upgrade, to help keep Windows up to date. + +The following fields are available: + +- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found. +- **BundleRevisionNumber** Identifies the revision number of the content bundle +- **CallerApplicationName** Name provided by the caller who initiated API calls into the software distribution client +- **ClassificationId** Classification identifier of the update content. +- **DeploymentMutexId** Mutex identifier of the deployment operation. +- **DeploymentProviderHostModule** Name of the module which is hosting the Update Deployment Provider for deployment operation. +- **DeploymentProviderMode** The mode of operation of the update deployment provider. +- **EventScenario** Indicates the purpose of the event - whether because scan started, succeded, failed, etc. +- **EventType** Possible values are "Child", "Bundle", "Relase" or "Driver". +- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode was not specific enough. +- **FlightId** The specific id of the flight the device is getting +- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.) +- **RevisionNumber** Identifies the revision number of this specific piece of content +- **ServiceGuid** A unique identifier for the service that the software distribution client is installing content for (Windows Update, Microsoft Store, etc). +- **StatusCode** Result code of the event (success, cancellation, failure code HResult). +- **UpdateId** Identifier associated with the specific piece of content + + +### SoftwareUpdateClientTelemetry.Download + +This event sends tracking data about the software distribution client download of the content for that update, to help keep Windows up to date. 
+ +The following fields are available: + +- **ActiveDownloadTime** Number of seconds the update was actively being downloaded. +- **AppXBlockHashFailures** Indicates the number of blocks that failed hash validation during download. +- **AppXScope** Indicates the scope of the app download. +- **BundleBytesDownloaded** Number of bytes downloaded for the specific content bundle. +- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found. +- **BundleRepeatFailCount** Indicates whether this particular update bundle previously failed. +- **BundleRevisionNumber** Identifies the revision number of the content bundle. +- **BytesDownloaded** Number of bytes that were downloaded for an individual piece of content (not the entire bundle). +- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client. +- **CbsMethod** The method used for downloading the update content related to the Component Based Servicing (CBS) technology. +- **CDNCountryCode** Two letter country abbreviation for the Content Distribution Network (CDN) location. +- **CDNId** ID which defines which CDN the software distribution client downloaded the content from. +- **ClientVersion** The version number of the software distribution client. +- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. +- **ConnectTime** Indicates the cumulative amount of time (in seconds) it took to establish the connection for all updates in an update bundle. +- **DownloadPriority** Indicates whether a download happened at background, normal, or foreground priority. +- **DownloadProps** Information about the download operation properties in the form of a bitmask. +- **EventInstanceID** A globally unique identifier for event instance. 
+- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started downloading content, or whether it was cancelled, succeeded, or failed. +- **EventType** Possible values are Child, Bundle, or Driver. +- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough. +- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. +- **FlightBuildNumber** If this download was for a flight (pre-release build), this indicates the build number of that flight. +- **FlightId** The specific ID of the flight (pre-release build) the device is getting. +- **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device. +- **HostName** The hostname URL the content is downloading from. +- **IPVersion** Indicates whether the download took place over IPv4 or IPv6. +- **IsWUfBDualScanEnabled** Indicates if Windows Update for Business dual scan is enabled on the device. +- **IsWUfBEnabled** Indicates if Windows Update for Business is enabled on the device. +- **IsWUfBTargetVersionEnabled** Flag that indicates if the WU-for-Business target version policy is enabled on the device. +- **NetworkCost** A flag indicating the cost of the network (congested, fixed, variable, over data limit, roaming, etc.) used for downloading the update content. +- **NetworkRestrictionStatus** More general version of NetworkCostBitMask, specifying whether Windows considered the current network to be "metered." +- **PackageFullName** The package name of the content. +- **PostDnldTime** Time taken (in seconds) to signal download completion after the last job has completed downloading payload. +- **ProcessName** The process name of the caller who initiated API calls, in the event where CallerApplicationName was not provided. +- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. 
+- **Reason** A 32-bit integer representing the reason the update is blocked from being downloaded in the background. +- **RegulationResult** The result code (HResult) of the last attempt to contact the regulation web service for download regulation of update content. +- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one. +- **RepeatFailCount** Indicates whether this specific content has previously failed. +- **RevisionNumber** The revision number of the specified piece of content. +- **ServiceGuid** A unique identifier for the service that the software distribution client is installing content for (Windows Update, Microsoft Store, etc). +- **SizeCalcTime** Time taken (in seconds) to calculate the total download size of the payload. +- **StatusCode** Indicates the result of a Download event (success, cancellation, failure code HResult). +- **TotalExpectedBytes** The total count of bytes that the download is expected to be. +- **UpdateId** An identifier associated with the specific piece of content. +- **UpdateImportance** Indicates whether a piece of content was marked as Important, Recommended, or Optional. +- **UsedDO** Whether the download used the delivery optimization service. +- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. + + +### SoftwareUpdateClientTelemetry.DownloadCheckpoint + +This event provides a checkpoint between each of the Windows Update download phases for UUP content. The data collected with this event is used to help keep Windows up to date, secure, and performing properly. 
+ +The following fields are available: + +- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client +- **ClientVersion** The version number of the software distribution client +- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed +- **EventType** Possible values are "Child", "Bundle", "Relase" or "Driver" +- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough +- **FileId** A hash that uniquely identifies a file +- **FileName** Name of the downloaded file +- **FlightId** The unique identifier for each flight +- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one +- **RevisionNumber** Unique revision number of Update +- **ServiceGuid** An ID which represents which service the software distribution client is checking for content (Windows Update, Microsoft Store, etc.) +- **StatusCode** Indicates the result of a CheckForUpdates event (success, cancellation, failure code HResult) +- **UpdateId** Unique Update ID +- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue + + +### SoftwareUpdateClientTelemetry.DownloadHeartbeat + +This event allows tracking of ongoing downloads and contains data to explain the current state of the download. The data collected with this event is used to help keep Windows up to date, secure, and performing properly. 
+
+The following fields are available:
+
+- **BytesTotal** Total bytes to transfer for this content
+- **BytesTransferred** Total bytes transferred for this content at the time of heartbeat
+- **CallerApplicationName** Name provided by the caller who initiated API calls into the software distribution client
+- **ClientVersion** The version number of the software distribution client
+- **ConnectionStatus** Indicates the connectivity state of the device at the time of heartbeat
+- **CurrentError** Last (transient) error encountered by the active download
+- **DownloadFlags** Flags indicating if power state is ignored
+- **DownloadState** Current state of the active download for this content (queued, suspended, or progressing)
+- **EventType** Possible values are "Child", "Bundle", or "Driver"
+- **FlightId** The unique identifier for each flight
+- **IsNetworkMetered** Indicates whether Windows considered the current network to be ?metered"
+- **MOAppDownloadLimit** Mobile operator cap on size of application downloads, if any
+- **MOUpdateDownloadLimit** Mobile operator cap on size of operating system update downloads, if any
+- **PowerState** Indicates the power state of the device at the time of heartbeart (DC, AC, Battery Saver, or Connected Standby)
+- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one
+- **ResumeCount** Number of times this active download has resumed from a suspended state
+- **RevisionNumber** Identifies the revision number of this specific piece of content
+- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc)
+- **SuspendCount** Number of times this active download has entered a suspended state
+- **SuspendReason** Last reason for why this active download entered a suspended state
+- **UpdateId** Identifier associated with the specific piece of content
+- **WUDeviceID** Unique device id controlled by
the software distribution client
+
+
+### SoftwareUpdateClientTelemetry.Install
+
+This event sends tracking data about the software distribution client installation of the content for that update, to help keep Windows up to date.
+
+The following fields are available:
+
+- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found.
+- **BundleRepeatFailCount** Indicates whether this particular update bundle has previously failed.
+- **BundleRevisionNumber** Identifies the revision number of the content bundle.
+- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client.
+- **ClassificationId** Classification identifier of the update content.
+- **ClientVersion** The version number of the software distribution client.
+- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. No value is currently reported in this field. Expected value for this field is 0.
+- **CSIErrorType** The stage of CBS installation where it failed.
+- **DeploymentMutexId** Mutex identifier of the deployment operation.
+- **DeploymentProviderHostModule** Name of the module which is hosting the Update Deployment Provider for deployment operation.
+- **DeploymentProviderMode** The mode of operation of the update deployment provider.
+- **DriverPingBack** Contains information about the previous driver and system state.
+- **DriverRecoveryIds** The list of identifiers that could be used for uninstalling the drivers if a recovery is required.
+- **EventInstanceID** A globally unique identifier for event instance.
+- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was cancelled, succeeded, or failed.
+- **EventType** Possible values are Child, Bundle, or Driver.
+- **ExtendedErrorCode** The extended error code.
+- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode is not specific enough.
+- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device.
+- **FlightBuildNumber** If this installation was for a Windows Insider build, this is the build number of that build.
+- **FlightId** The specific ID of the Windows Insider build the device is getting.
+- **HandlerType** Indicates what kind of content is being installed (for example, app, driver, Windows update).
+- **HardwareId** If this install was for a driver targeted to a particular device model, this ID indicates the model of the device.
+- **InstallProps** A bitmask for future flags associated with the install operation. No value is currently reported in this field. Expected value for this field is 0.
+- **IntentPFNs** Intended application-set metadata for atomic update scenarios.
+- **IsFinalOutcomeEvent** Indicates whether this event signals the end of the update/upgrade process.
+- **IsFirmware** Indicates whether this update is a firmware update.
+- **IsSuccessFailurePostReboot** Indicates whether the update succeeded and then failed after a restart.
+- **IsWUfBDualScanEnabled** Indicates whether Windows Update for Business dual scan is enabled on the device.
+- **IsWUfBEnabled** Indicates whether Windows Update for Business is enabled on the device.
+- **IsWUfBTargetVersionEnabled** Flag that indicates if the WU-for-Business target version policy is enabled on the device.
+- **MergedUpdate** Indicates whether the OS update and a BSP update merged for installation.
+- **MsiAction** The stage of MSI installation where it failed.
+- **MsiProductCode** The unique identifier of the MSI installer.
+- **PackageFullName** The package name of the content being installed.
+- **ProcessName** The process name of the caller who initiated API calls, in the event that CallerApplicationName was not provided.
+- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device.
+- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one
+- **RepeatFailCount** Indicates whether this specific piece of content has previously failed.
+- **RevisionNumber** The revision number of this specific piece of content.
+- **ServiceGuid** An ID which represents which service the software distribution client is installing content for (Windows Update, Microsoft Store, etc.).
+- **StatusCode** Indicates the result of an installation event (success, cancellation, failure code HResult).
+- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver.
+- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device.
+- **TransactionCode** The ID that represents a given MSI installation.
+- **UpdateId** Unique update ID.
+- **UpdateImportance** Indicates whether a piece of content was marked as Important, Recommended, or Optional.
+- **UsedSystemVolume** Indicates whether the content was downloaded and then installed from the device's main system storage drive, or an alternate storage drive.
+- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue.
+
+
+### SoftwareUpdateClientTelemetry.Revert
+
+This is a revert event for target update on Windows Update Client. See EventScenario field for specifics (for example, Started/Failed/Succeeded). The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
+
+The following fields are available:
+
+- **BundleId** Identifier associated with the specific content bundle. Should not be all zeros if the BundleId was found.
+- **BundleRepeatFailCount** Indicates whether this particular update bundle has previously failed.
+- **BundleRevisionNumber** Identifies the revision number of the content bundle.
+- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request.
+- **ClassificationId** Classification identifier of the update content.
+- **ClientVersion** Version number of the software distribution client.
+- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. There is no value being reported in this field right now. Expected value for this field is 0.
+- **CSIErrorType** Stage of CBS installation that failed.
+- **DeploymentMutexId** Mutex identifier of the deployment operation.
+- **DeploymentProviderHostModule** Name of the module which is hosting the Update Deployment Provider for deployment operation.
+- **DeploymentProviderMode** The mode of operation of the update deployment provider.
+- **DriverPingBack** Contains information about the previous driver and system state.
+- **DriverRecoveryIds** The list of identifiers that could be used for uninstalling the drivers if a recovery is required.
+- **EventInstanceID** A globally unique identifier for event instance.
+- **EventScenario** Indicates the purpose of the event (scan started, succeeded, failed, etc.).
+- **EventType** Event type (Child, Bundle, Release, or Driver).
+- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode is not specific enough.
+- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device.
+- **FlightBuildNumber** Indicates the build number of the flight.
+- **FlightId** The specific ID of the flight the device is getting.
+- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.).
+- **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device.
+- **IsFinalOutcomeEvent** Indicates whether this event signals the end of the update/upgrade process.
+- **IsFirmware** Indicates whether an update was a firmware update.
+- **IsSuccessFailurePostReboot** Indicates whether an initial success was a failure after a reboot.
+- **IsWUfBDualScanEnabled** Flag indicating whether WU-for-Business dual scan is enabled on the device.
+- **IsWUfBEnabled** Flag indicating whether WU-for-Business is enabled on the device.
+- **IsWUfBTargetVersionEnabled** Flag that indicates if the WU-for-Business target version policy is enabled on the device.
+- **MergedUpdate** Indicates whether an OS update and a BSP update were merged for install.
+- **ProcessName** Process name of the caller who initiated API calls into the software distribution client.
+- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device.
+- **RelatedCV** The previous correlation vector that was used by the client before swapping with a new one.
+- **RepeatFailCount** Indicates whether this specific piece of content has previously failed.
+- **RevisionNumber** Identifies the revision number of this specific piece of content.
+- **ServiceGuid** A unique identifier for the service that the software distribution client is installing content for (Windows Update, Microsoft Store, etc).
+- **StatusCode** Result code of the event (success, cancellation, failure code HResult).
+- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver.
+- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device.
+- **UpdateId** The identifier associated with the specific piece of content.
+- **UpdateImportance** Indicates the importance of a driver, and why it received that importance level (0-Unknown, 1-Optional, 2-Important-DNF, 3-Important-Generic, 4-Important-Other, 5-Recommended).
+- **UsedSystemVolume** Indicates whether the device's main system storage drive or an alternate storage drive was used. +- **WUDeviceID** Unique device ID controlled by the software distribution client. + + +### SoftwareUpdateClientTelemetry.TaskRun + +This is a start event for Server Initiated Healing client. See EventScenario field for specifics (for example, started/completed). The data collected with this event is used to help keep Windows up to date, secure, and performing properly. + +The following fields are available: + +- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. +- **ClientVersion** Version number of the software distribution client. +- **CmdLineArgs** Command line arguments passed in by the caller. +- **EventInstanceID** A globally unique identifier for the event instance. +- **EventScenario** Indicates the purpose of the event (scan started, succeeded, failed, etc.). +- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc.). +- **StatusCode** Result code of the event (success, cancellation, failure code HResult). +- **WUDeviceID** Unique device ID controlled by the software distribution client. + + ### SoftwareUpdateClientTelemetry.Uninstall -Uninstall event for target update on Windows Update Client. See EventScenario field for specifics (for example, Started/Failed/Succeeded). +This is an uninstall event for target update on Windows Update Client. See EventScenario field for specifics (for example, Started/Failed/Succeeded). The data collected with this event is used to help keep Windows up to date, secure, and performing properly. The following fields are available: 
@@ -1115,11 +4907,667 @@ The following fields are available: - **WUDeviceID** Unique device ID controlled by the software distribution client. +### SoftwareUpdateClientTelemetry.UpdateDetected + +This event sends data about an AppX app that has been updated from the Microsoft Store, including what app needs an update and what version/architecture is required, in order to understand and address problems with apps getting required updates. The data collected with this event is used to help keep Windows up to date, secure, and performing properly. + +The following fields are available: + +- **ApplicableUpdateInfo** Metadata for the updates which were detected as applicable. +- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client. +- **IntentPFNs** Intended application-set metadata for atomic update scenarios. +- **NumberOfApplicableUpdates** The number of updates ultimately deemed applicable to the system after the detection process is complete. +- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one. +- **ServiceGuid** An ID that represents which service the software distribution client is connecting to (Windows Update, Microsoft Store, etc.). +- **WUDeviceID** The unique device ID controlled by the software distribution client. + + +### SoftwareUpdateClientTelemetry.UpdateMetadataIntegrity + +This event helps to identify whether update content has been tampered with and protects against man-in-the-middle attack. The data collected with this event is used to help keep Windows up to date, secure, and performing properly. + +The following fields are available: + +- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. +- **EndpointUrl** The endpoint URL where the device obtains update metadata. This is used to distinguish between test, staging, and production environments. 
+- **EventScenario** The purpose of this event, such as scan started, scan succeeded, or scan failed.
+- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode was not specific enough.
+- **LeafCertId** The integral ID from the FragmentSigning data for the certificate that failed.
+- **ListOfSHA256OfIntermediateCerData** A semicolon delimited list of base64 encoding of hashes for the Base64CerData in the FragmentSigning data of an intermediate certificate.
+- **MetadataIntegrityMode** The mode of the transport metadata integrity check. 0 = unknown; 1 = ignore; 2 = audit; 3 = enforce
+- **MetadataSignature** A base64-encoded string of the signature associated with the update metadata (specified by revision ID).
+- **RawMode** The raw unparsed mode string from the SLS response. This field is null if not applicable.
+- **RawValidityWindowInDays** The raw unparsed validity window string in days of the timestamp token. This field is null if not applicable.
+- **RevisionId** The revision ID for a specific piece of content.
+- **RevisionNumber** The revision number for a specific piece of content.
+- **ServiceGuid** Identifies the service to which the software distribution client is connected. Example: Windows Update or Microsoft Store
+- **SHA256OfLeafCerData** A base64 encoding of the hash for the Base64CerData in the FragmentSigning data of the leaf certificate.
+- **SHA256OfLeafCertPublicKey** A base64 encoding of the hash of the Base64CertData in the FragmentSigning data of the leaf certificate.
+- **SHA256OfTimestampToken** An encoded string of the timestamp token.
+- **SignatureAlgorithm** The hash algorithm for the metadata signature.
+- **SLSPrograms** A test program to which a device may have opted in. Example: Insider Fast
+- **StatusCode** Result code of the event (success, cancellation, failure code HResult).
+- **TimestampTokenId** The time this was created. It is encoded in a timestamp blob and will be zero if the token is malformed.
+- **UpdateId** The update ID for a specific piece of content.
+- **ValidityWindowInDays** The validity window that's in effect when verifying the timestamp.
+
+
+## Surface events
+
+### Microsoft.Surface.Health.Binary.Prod.McuHealthLog
+
+This event collects information to keep track of health indicator of the built-in micro controller. For example, the number of abnormal shutdowns due to power issues during boot sequence, type of display panel attached to base, thermal indicator, throttling data in hardware etc. The data collected with this event is used to help keep Windows secure and performing properly.
+
+The following fields are available:
+
+- **CUtility::GetTargetNameA(Target)** Sub component name.
+- **HealthLog** Health indicator log.
+- **healthLogSize** 4KB.
+- **productId** Identifier for product model.
+
+
+## Update Assistant events
+
+### Microsoft.Windows.QUALauncher.Applicable
+
+This event sends basic information when AQUA launches and checks for any self update. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **CV** Correlation vector.
+- **DetectedCondition** Checks if device condition was met for running remediation.
+- **FileVersion** Current file version.
+- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this device.
+- **IsHashMismatch** Checks if the hash of the payload matches the one specified in OneSettings.
+- **IsSelfUpdateEnabledInOneSettings** Checks if self update is enabled.
+- **IsSelfUpdateNeeded** Checks if self update is needed. All the conditions are satisfied.
+- **PackageVersion** Current package version.
+- **PluginName** Plugin name.
+- **Result** Result.
+- **SelfUpdatePackageVersion** Version of the updated package installed.
+- **SelUpdatePackageVersion** Version of the new package.
+
+
+### Microsoft.Windows.QualityUpdateAssistant.Applicability
+
+This event sends basic info on whether the device should be updated to the latest cumulative update. The data collected with this event is used to help keep Windows up to date and secure.
+
+The following fields are available:
+
+- **CV** Correlation vector.
+- **dayspendingrebootafterfu** Number of days that have elapsed since the device reached ready to reboot for a Feature Update that is still actively pending reboot.
+- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this device.
+- **KBNumber** KBNumber of the update being installed.
+- **PackageVersion** Current package version of quality update assistant.
+- **Reason** Provides information on reasons why the update is not applicable to the device.
+- **Result** Applicability check for quality update assistant.
+
+
+### Microsoft.Windows.RecommendedTroubleshootingService.MitigationFailed
+
+This event is raised after an executable delivered by Mitigation Service has run and failed. Data from this event is used to measure the health of mitigations used by engineers to solve in-market problems on internal, insider, and retail devices. Failure data will also be used for root-cause investigation by feature teams, as signal to halt mitigation rollout and, possible follow-up action on specific devices still impacted by the problem because the mitigation failed (i.e. reoffer it to impacted devices). The data collected with this event is used to help keep Windows up to date and performing properly.
+
+The following fields are available:
+
+- **activeProcesses** Number of active processes.
+- **atleastOneMitigationSucceeded** Bool flag indicating if at least one mitigation succeeded.
+- **contactTSServiceAttempts** Number of attempts made by TroubleshootingSvc in a single Scanner session to get Troubleshooter metadata from the Troubleshooting cloud service.
+- **countDownloadedPayload** Count instances of payload downloaded.
+- **description** Description of failure.
+- **devicePreference** Recommended Troubleshooting Setting on the device.
+- **downloadBinaryAttempts** Number of attempts made by TroubleshootingSvc in a single Scanner session to download Troubleshooter Exe.
+- **downloadCabAttempts** Number of attempts made by TroubleshootingSvc in a single Scanner session to download PrivilegedActions Cab.
+- **executionHR** HR code of the execution of the mitigation.
+- **executionPreference** Current Execution level Preference. This may not be same as devicePreference, eg when executing Critical troubleshooters, the executionPreference is set to the Silent option.
+- **exitCode** Exit code of the execution of the mitigation.
+- **experimentFeatureId** Experiment feature ID.
+- **experimentFeatureState** Config state of the experiment.
+- **hr** HRESULT for error code.
+- **isActiveSessionPresent** If an active user session is present on the device.
+- **isCriticalMitigationAvailable** If a critical mitigation is available to this device.
+- **isFilteringSuccessful** If the filtering operation was successful.
+- **isReApply** reApply status for the mitigation.
+- **mitigationId** ID value of the mitigation.
+- **mitigationProcessCycleTime** Process cycle time used by the mitigation.
+- **mitigationRequestWithCompressionFailed** Boolean flag indicating if HTTP request with compression failed for this device.
+- **mitigationServiceResultFetched** Boolean flag indicating if mitigation details were fetched from the admin service.
+- **mitigationVersion** String indicating version of the mitigation.
+- **oneSettingsMetadataParsed** If OneSettings metadata was parsed successfully.
+- **oneSettingsSchemaVersion** Schema version used by the OneSettings parser.
+- **onlyNoOptMitigationsPresent** Checks if all mitigations were no opt.
+- **parsedOneSettingsFile** Indicates if OneSettings parsing was successful.
+- **sessionAttempts** Number of Scanner sessions attempted so far by TroubleshootingSvc for this troubleshooter.
+- **SessionId** Random GUID used for grouping events in a session.
+- **subType** Error type.
+- **totalKernelTime** Total kernel time used by the mitigation.
+- **totalNumberOfApplicableMitigations** Total number of applicable mitigations.
+- **totalProcesses** Total number of processes assigned to the job object.
+- **totalTerminatedProcesses** Total number of processes in terminated state assigned to the job object.
+- **totalUserTime** Total user mode time used by the job object.
+
+
+### Microsoft.Windows.RecommendedTroubleshootingService.MitigationRejected
+
+This event is raised when a targeted mitigation is rejected by the device based on the device's preference, or if it has already been applied. This enables us to find out why an applicable mitigation was not executed by the device. Data from this event is used to measure the health of mitigations service stack used by engineers to solve in-market problems on internal, insider, and retail devices. The data collected with this event is used to keep Windows performing properly.
+
+The following fields are available:
+
+- **description** String describing why a mitigation was rejected.
+- **mitigationId** GUID identifier for a mitigation.
+- **mitigationVersion** Version of the mitigation.
+- **SessionId** GUID identifier to link events to a single session/execution of the mitigation service.
+- **subType** Integer value describing the reason type of why a mitigation was rejected.
+
+
+### Microsoft.Windows.RecommendedTroubleshootingService.MitigationSucceeded
+
+This event is raised after an executable delivered by Mitigation Service has successfully run. Data from this event is used to measure the health of mitigations used by engineers to solve in-market problems on internal, insider, and retail devices. The data collected with this event is used to keep Windows performing properly.
+
+The following fields are available:
+
+- **activeProcesses** Number of active processes.
+- **contactTSServiceAttempts** Number of attempts made by TroubleshootingSvc in a single Scanner session to get Troubleshooter metadata from the Troubleshooting cloud service.
+- **devicePreference** Recommended troubleshooting setting on the device.
+- **downloadBinaryAttempts** Number of attempts made by TroubleshootingSvc in a single Scanner session to download Troubleshooter Exe.
+- **downloadCabAttempts** Number of attempts made by TroubleshootingSvc in a single Scanner session to download PrivilegedActions Cab.
+- **executionPreference** Current Execution level Preference. This may not be same as devicePreference, for example, when executing Critical troubleshooters, the executionPreference is set to the Silent option.
+- **experimentFeatureId** Experiment feature ID.
+- **experimentFeatureState** Feature state for the experiment.
+- **mitigationId** ID value of the mitigation.
+- **mitigationProcessCycleTime** Process cycle time used by the mitigation.
+- **mitigationVersion** String indicating version of the mitigation.
+- **sessionAttempts** Number of Scanner sessions attempted so far by TroubleshootingSvc for this troubleshooter.
+- **SessionId** Random GUID used for grouping events in a session.
+- **totalKernelTime** Total kernel time used by the mitigation.
+- **totalProcesses** Total number of processes assigned to the job object.
+- **totalTerminatedProcesses** Total number of processes in terminated state assigned to the job object.
+- **totalUserTime** Total user mode time used by the job object.
+
+
+### Microsoft.Windows.UpdateHealthTools.ExpediteDetectionStarted
+
+This event indicates that the detection phase of USO has started. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **CV** Correlation vector.
+- **ExpeditePolicyId** The policy ID of the expedite request.
+- **ExpediteUpdaterOfferedUpdateId** UpdateId of the LCU expected to be expedited.
+- **ExpediteUpdatesInProgress** List of update IDs in progress.
+- **ExpediteUsoLastError** The last error returned by USO.
+- **GlobalEventCounter** Counts the number of events for this provider.
+- **PackageVersion** The package version label.
+
+
+### Microsoft.Windows.UpdateHealthTools.ExpediteInstallStarted
+
+This event indicates that the install phase of USO has started. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **CV** Correlation vector.
+- **ExpeditePolicyId** The policy ID of the expedite request.
+- **ExpediteUpdaterOfferedUpdateId** UpdateId of the LCU expected to be expedited.
+- **ExpediteUpdatesInProgress** List of update IDs in progress.
+- **ExpediteUsoLastError** The last error returned by USO.
+- **GlobalEventCounter** Counts the number of events for this provider.
+- **PackageVersion** The package version label.
+
+
+### Microsoft.Windows.UpdateHealthTools.ExpediteUpdaterFailedToUpdateToExpectedUbr
+
+This event indicates the expected UBR of the device. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **CV** Correlation vector.
+- **ExpediteErrorBitMap** Bit map value for any error code.
+- **ExpeditePolicyId** The policy ID of the expedite request.
+- **ExpediteResult** Boolean value for success or failure.
+- **ExpediteUpdaterOfferedUpdateId** UpdateId of the LCU expected to be expedited.
+- **ExpediteUpdaterPolicyRestoreResult** HRESULT of the policy restore.
+- **GlobalEventCounter** Counts the number of events for this provider.
+- **PackageVersion** The package version label.
+
+
+### Microsoft.Windows.UpdateHealthTools.ExpediteUpdaterRebootRequired
+
+This event indicates that the device has finished servicing and a reboot is required. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **CV** Correlation vector.
+- **ExpeditePolicyId** The policy ID of the expedite request.
+- **ExpediteUpdaterOfferedUpdateId** UpdateId of the LCU expected to be expedited.
+- **ExpediteUpdatesInProgress** Comma delimited list of update IDs currently being offered.
+- **ExpediteUsoLastError** Last HResult from the current USO session.
+- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user.
+- **PackageVersion** Current package version of UpdateHealthTools.
+
+
+### Microsoft.Windows.UpdateHealthTools.ExpediteUpdaterScanCompleted
+
+This event sends results of the expedite USO scan. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **CV** Correlation vector.
+- **ExpediteErrorBitMap** Bit map value for any error code.
+- **ExpeditePolicyId** The policy ID of the expedite request.
+- **ExpediteResult** Boolean value for success or failure.
+- **ExpediteScheduledTaskCreated** Indicates whether the scheduled task was created (true/false).
+- **ExpediteScheduledTaskHresult** HRESULT for scheduled task creation.
+- **ExpediteUpdaterCurrentUbr** The UBR of the device.
+- **ExpediteUpdaterExpectedUbr** The expected UBR of the device.
+- **ExpediteUpdaterMonitorResult** HRESULT of the USO monitoring.
+- **ExpediteUpdaterOfferedUpdateId** UpdateId of the LCU expected to be expedited.
+- **ExpediteUpdaterScanResult** HRESULT of the expedite USO scan.
+- **ExpediteUpdaterUsoResult** HRESULT of the USO initialization and resume API calls.
+- **ExpediteUsoCorrelationVector** The correlation vector for the current USO session.
+- **GlobalEventCounter** Counts the number of events for this provider.
+- **PackageVersion** The package version label.
+- **UsoFrequencyKey** Indicates whether the USO frequency key was found on the device (true/false).
+
+
+### Microsoft.Windows.UpdateHealthTools.ExpediteUpdaterScanStarted
+
+This event sends telemetry that USO scan has been started. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **CV** Correlation vector.
+- **ExpediteErrorBitMap** Bit map value for any error code.
+- **ExpeditePolicyId** The policy Id of the expedite request.
+- **ExpediteResult** Boolean value for success or failure.
+- **ExpediteUpdaterCurrentUbr** The UBR of the device.
+- **ExpediteUpdaterExpectedUbr** The expected UBR of the device.
+- **ExpediteUpdaterOfferedUpdateId** UpdateId of the LCU expected to be expedited.
+- **ExpediteUpdaterUsoIntiatedScan** True when USO scan has been called.
+- **ExpediteUsoCorrelationVector** The correlation vector for the current USO session.
+- **ExpediteUsoLastError** The last error returned by USO.
+- **GlobalEventCounter** Counts the number of events for this provider.
+- **PackageVersion** The package version label.
+- **UsoFrequencyKey** Indicates whether the USO frequency key was found on the device (true/false).
+
+
+### Microsoft.Windows.UpdateHealthTools.UnifiedInstallerEnd
+
+This event indicates that the unified installer has completed. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **CV** Correlation vector.
+- **GlobalEventCounter** The event counter for telemetry events on the device for currency tools.
+- **PackageVersion** The package version label for currency tools.
+- **UnifiedInstallerInstallResult** The final result code for the unified installer.
+- **UnifiedInstallerPlatformResult** The result code from determination of the platform type.
+- **UnifiedInstallerPlatformType** The enum indicating the platform type.
+
+
+### Microsoft.Windows.UpdateHealthTools.UnifiedInstallerStart
+
+This event indicates that the installation has started for the unified installer. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **CV** The correlation vector.
+- **GlobalEventCounter** Counts the events at the global level for telemetry.
+- **PackageVersion** The package version for currency tools.
+- **UnifiedInstallerDeviceAADJoinedHresult** The result code after checking if device is AAD joined.
+- **UnifiedInstallerDeviceInDssPolicy** Boolean indicating whether the device is found to be in a DSS policy.
+- **UnifiedInstallerDeviceInDssPolicyHresult** The result code for checking whether the device is found to be in a DSS policy.
+- **UnifiedInstallerDeviceIsAADJoined** Boolean indicating whether a device is AADJ.
+- **UnifiedInstallerDeviceIsAdJoined** Boolean indicating whether a device is AD joined.
+- **UnifiedInstallerDeviceIsAdJoinedHresult** The result code for checking whether a device is AD joined.
+- **UnifiedInstallerDeviceIsEducationSku** Boolean indicating whether a device is Education SKU.
+- **UnifiedInstallerDeviceIsEducationSkuHresult** The result code from checking whether a device is Education SKU.
+- **UnifiedInstallerDeviceIsEnterpriseSku** Boolean indicating whether a device is Enterprise SKU.
+- **UnifiedInstallerDeviceIsEnterpriseSkuHresult** The result code from checking whether a device is Enterprise SKU.
+- **UnifiedInstallerDeviceIsHomeSku** Boolean indicating whether a device is Home SKU.
+- **UnifiedInstallerDeviceIsHomeSkuHresult** The result code from checking whether device is Home SKU.
+- **UnifiedInstallerDeviceIsMdmManaged** Boolean indicating whether a device is MDM managed.
+- **UnifiedInstallerDeviceIsMdmManagedHresult** The result code from checking whether a device is MDM managed.
+- **UnifiedInstallerDeviceIsProSku** Boolean indicating whether a device is Pro SKU.
+- **UnifiedInstallerDeviceIsProSkuHresult** The result code from checking whether a device is Pro SKU.
+- **UnifiedInstallerDeviceIsSccmManaged** Boolean indicating whether a device is SCCM managed.
+- **UnifiedInstallerDeviceIsSccmManagedHresult** The result code from checking whether a device is SCCM managed.
+- **UnifiedInstallerDeviceWufbManaged** Boolean indicating whether a device is Wufb managed.
+- **UnifiedInstallerDeviceWufbManagedHresult** The result code from checking whether a device is Wufb managed.
+- **UnifiedInstallerPlatformResult** The result code from checking what platform type the device is.
+- **UnifiedInstallerPlatformType** The enum indicating the type of platform detected.
+- **UnifiedInstUnifiedInstallerDeviceIsHomeSkuHresultllerDeviceIsHomeSku** The result code from checking whether a device is Home SKU.
+
+
+### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsDeviceInformationUploaded
+
+This event is received when the UpdateHealthTools service uploads device information. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **CV** Correlation vector.
+- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user.
+- **PackageVersion** Current package version of remediation.
+- **UpdateHealthToolsDeviceSccmManaged** Device is managed by SCCM.
+- **UpdateHealthToolsDeviceUbrChanged** 1 if the Ubr just changed, 0 otherwise.
+- **UpdateHealthToolsDeviceUri** The URI to be used for push notifications on this device.
+
+
+### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsDeviceInformationUploadFailed
+
+This event provides information for device which failed to upload the details. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **CV** Correlation vector.
+- **GlobalEventCounter** Telemetry event counter.
+- **PackageVersion** Version label of the package sending telemetry. +- **UpdateHealthToolsEnterpriseActionResult** Result of running the tool expressed as an HRESULT. + + +### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsPushNotificationCompleted + +This event is received when a push notification has been completed by the UpdateHealthTools service. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CV** Correlation vector. +- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. +- **PackageVersion** Current package version of UpdateHealthTools. +- **UpdateHealthToolsEnterpriseActionResult** The HRESULT return by the enterprise action. +- **UpdateHealthToolsEnterpriseActionType** Enum describing the type of action requested by the push. + + +### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsPushNotificationReceived + +This event is received when the UpdateHealthTools service receives a push notification. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CV** Correlation vector. +- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. +- **PackageVersion** Current package version of UpdateHealthTools. +- **UpdateHealthToolsDeviceUri** The URI to be used for push notifications on this device. +- **UpdateHealthToolsEnterpriseActionType** Enum describing the type of action requested by the push. +- **UpdateHealthToolsPushCurrentChannel** The channel used to receive notification. +- **UpdateHealthToolsPushCurrentRequestId** The request ID for the push. +- **UpdateHealthToolsPushCurrentStep** The current step for the push notification. + + +### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsPushNotificationStatus + +This event is received when there is status on a push notification. 
The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CV** Correlation vector. +- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. +- **PackageVersion** Current package version of UpdateHealthTools. +- **UpdateHealthToolsDeviceUri** The URI to be used for push notifications on this device. +- **UpdateHealthToolsEnterpriseActionType** Enum describing the type of action requested by the push. +- **UpdateHealthToolsPushCurrentRequestId** The request ID for the push. +- **UpdateHealthToolsPushCurrentStep** The current step for the push notification + + +### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsServiceBlockedByNoAADJoin + +This event indicates that the device is not AAD joined so service stops. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CV** Correlation vector. +- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. +- **PackageVersion** Current package version of UpdateHealthTools. + + +### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsServiceStarted + +This event is sent when the service first starts. It is a heartbeat indicating that the service is available on the device. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CV** Correlation vector. +- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. +- **PackageVersion** Current package version of remediation. + + ## Update events +### Update360Telemetry.Revert + +This event sends data relating to the Revert phase of updating Windows. The data collected with this event is used to help keep Windows secure and up to date. 
+
+The following fields are available:
+
+- **ErrorCode** The error code returned for the Revert phase.
+- **FlightId** Unique ID for the flight (test instance version).
+- **ObjectId** The unique value for each Update Agent mode.
+- **RebootRequired** Indicates reboot is required.
+- **RelatedCV** The correlation vector value generated from the latest USO (Update Service Orchestrator) scan.
+- **RevertResult** The result code returned for the Revert operation.
+- **ScenarioId** The ID of the update scenario.
+- **SessionId** The ID of the update attempt.
+- **UpdateId** The ID of the update.
+
+
+### Update360Telemetry.UpdateAgentCommit
+
+This event collects information regarding the commit phase of the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **CancelRequested** Boolean that indicates whether cancel was requested.
+- **ErrorCode** The error code returned for the current install phase.
+- **FlightId** Unique ID for each flight.
+- **ObjectId** Unique value for each Update Agent mode.
+- **RelatedCV** Correlation vector value generated from the latest USO scan.
+- **Result** Outcome of the install phase of the update.
+- **ScenarioId** Indicates the update scenario.
+- **SessionId** Unique value for each update attempt.
+- **UpdateId** Unique ID for each update.
+
+
+### Update360Telemetry.UpdateAgentDownloadRequest
+
+This event sends data for the download request phase of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to PC and Mobile. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **CancelRequested** Boolean indicating whether a cancel was requested.
+- **ContainsSafeOSDUPackage** Boolean indicating whether Safe DU packages are part of the payload.
+- **DeletedCorruptFiles** Boolean indicating whether corrupt payload was deleted.
+- **DownloadComplete** Indicates if the download is complete.
+- **DownloadedSizeCanonical** Cumulative size (in bytes) of downloaded canonical content.
+- **DownloadedSizeDiff** Cumulative size (in bytes) of downloaded diff content.
+- **DownloadedSizeExpress** Cumulative size (in bytes) of downloaded express content.
+- **DownloadedSizePSFX** Cumulative size (in bytes) of downloaded PSFX content.
+- **DownloadRequests** Number of times a download was retried.
+- **ErrorCode** The error code returned for the current download request phase.
+- **ExtensionName** Indicates whether the payload is related to Operating System content or a plugin.
+- **FlightId** Unique ID for each flight.
+- **InternalFailureResult** Indicates a non-fatal error from a plugin.
+- **ObjectId** Unique value for each Update Agent mode (same concept as InstanceId for Setup360).
+- **PackageCategoriesSkipped** Indicates package categories that were skipped, if applicable.
+- **PackageCountOptional** Number of optional packages requested.
+- **PackageCountRequired** Number of required packages requested.
+- **PackageCountTotal** Total number of packages needed.
+- **PackageCountTotalCanonical** Total number of canonical packages.
+- **PackageCountTotalDiff** Total number of diff packages.
+- **PackageCountTotalExpress** Total number of express packages.
+- **PackageCountTotalPSFX** The total number of PSFX packages.
+- **PackageExpressType** Type of express package.
+- **PackageSizeCanonical** Size of canonical packages in bytes.
+- **PackageSizeDiff** Size of diff packages in bytes.
+- **PackageSizeExpress** Size of express packages in bytes.
+- **PackageSizePSFX** The size of PSFX packages, in bytes.
+- **RangeRequestState** Indicates the range request type used.
+- **RelatedCV** Correlation vector value generated from the latest USO scan.
+- **Result** Outcome of the download request phase of update.
+- **SandboxTaggedForReserves** The sandbox for reserves.
+- **ScenarioId** Indicates the update scenario.
+- **SessionId** Unique value for each attempt (same value for initialize, download, install commit phases).
+- **UpdateId** Unique ID for each update.
+
+
+### Update360Telemetry.UpdateAgentExpand
+
+This event collects information regarding the expansion phase of the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **CancelRequested** Boolean that indicates whether a cancel was requested.
+- **CanonicalRequestedOnError** Indicates if an error caused a reversion to a different type of compressed update (TRUE or FALSE).
+- **ElapsedTickCount** Time taken for expand phase.
+- **EndFreeSpace** Free space after expand phase.
+- **EndSandboxSize** Sandbox size after expand phase.
+- **ErrorCode** The error code returned for the current install phase.
+- **FlightId** Unique ID for each flight.
+- **ObjectId** Unique value for each Update Agent mode.
+- **RelatedCV** Correlation vector value generated from the latest USO scan.
+- **ScenarioId** Indicates the update scenario.
+- **SessionId** Unique value for each update attempt.
+- **StartFreeSpace** Free space before expand phase.
+- **StartSandboxSize** Sandbox size after expand phase.
+- **UpdateId** Unique ID for each update.
+
+
+### Update360Telemetry.UpdateAgentInitialize
+
+This event sends data for the initialize phase of updating Windows via the new Unified Update Platform (UUP) scenario, which is applicable to both PCs and Mobile. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **ErrorCode** The error code returned for the current install phase.
+- **FlightId** Unique ID for each flight.
+- **FlightMetadata** Contains the FlightId and the build being flighted.
+- **ObjectId** Unique value for each Update Agent mode.
+- **RelatedCV** Correlation vector value generated from the latest USO scan.
+- **Result** Outcome of the install phase of the update.
+- **ScenarioId** Indicates the update scenario.
+- **SessionData** String containing instructions to update agent for processing FODs and DUICs (Null for other scenarios).
+- **SessionId** Unique value for each update attempt.
+- **UpdateId** Unique ID for each update.
+
+
+### Update360Telemetry.UpdateAgentInstall
+
+This event sends data for the install phase of updating Windows. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **CancelRequested** Boolean to indicate whether a cancel was requested.
+- **ErrorCode** The error code returned for the current install phase.
+- **ExtensionName** Indicates whether the payload is related to Operating System content or a plugin.
+- **FlightId** Unique value for each Update Agent mode (same concept as InstanceId for Setup360).
+- **InternalFailureResult** Indicates a non-fatal error from a plugin.
+- **ObjectId** Correlation vector value generated from the latest USO scan.
+- **RelatedCV** Correlation vector value generated from the latest USO scan.
+- **Result** The result for the current install phase.
+- **ScenarioId** Indicates the update scenario.
+- **SessionId** Unique value for each update attempt.
+- **UpdateId** Unique ID for each update.
+
+
+### Update360Telemetry.UpdateAgentMitigationResult
+
+This event sends data indicating the result of each update agent mitigation. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **Applicable** Indicates whether the mitigation is applicable for the current update.
+- **CommandCount** The number of command operations in the mitigation entry.
+- **CustomCount** The number of custom operations in the mitigation entry.
+- **FileCount** The number of file operations in the mitigation entry.
+- **FlightId** Unique identifier for each flight.
+- **Index** The mitigation index of this particular mitigation.
+- **MitigationScenario** The update scenario in which the mitigation was executed.
+- **Name** The friendly name of the mitigation.
+- **ObjectId** Unique value for each Update Agent mode.
+- **OperationIndex** The mitigation operation index (in the event of a failure).
+- **OperationName** The friendly name of the mitigation operation (in the event of failure).
+- **RegistryCount** The number of registry operations in the mitigation entry.
+- **RelatedCV** The correlation vector value generated from the latest USO scan.
+- **Result** The HResult of this operation.
+- **ScenarioId** The update agent scenario ID.
+- **SessionId** Unique value for each update attempt.
+- **TimeDiff** The amount of time spent performing the mitigation (in 100-nanosecond increments).
+- **UpdateId** Unique ID for each Update.
+
+
+### Update360Telemetry.UpdateAgentMitigationSummary
+
+This event sends a summary of all the update agent mitigations available for an this update. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **Applicable** The count of mitigations that were applicable to the system and scenario.
+- **Failed** The count of mitigations that failed.
+- **FlightId** Unique identifier for each flight.
+- **MitigationScenario** The update scenario in which the mitigations were attempted.
+- **ObjectId** The unique value for each Update Agent mode.
+- **RelatedCV** The correlation vector value generated from the latest USO scan.
+- **Result** The HResult of this operation.
+- **ScenarioId** The update agent scenario ID.
+- **SessionId** Unique value for each update attempt.
+- **TimeDiff** The amount of time spent performing all mitigations (in 100-nanosecond increments).
+- **Total** Total number of mitigations that were available.
+- **UpdateId** Unique ID for each update.
+
+
+### Update360Telemetry.UpdateAgentModeStart
+
+This event sends data for the start of each mode during the process of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to both PCs and Mobile. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **FlightId** Unique ID for each flight.
+- **Mode** Indicates the mode that has started.
+- **ObjectId** Unique value for each Update Agent mode.
+- **RelatedCV** Correlation vector value generated from the latest USO scan.
+- **ScenarioId** Indicates the update scenario.
+- **SessionId** Unique value for each update attempt.
+- **UpdateId** Unique ID for each update.
+- **Version** Version of update
+
+
+### Update360Telemetry.UpdateAgentOneSettings
+
+This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **Count** The count of applicable OneSettings for the device.
+- **FlightId** Unique ID for the flight (test instance version).
+- **ObjectId** The unique value for each Update Agent mode.
+- **Parameters** The set of name value pair parameters sent to OneSettings to determine if there are any applicable OneSettings.
+- **RelatedCV** The correlation vector value generated from the latest USO (Update Service Orchestrator) scan.
+- **Result** The HResult of the event.
+- **ScenarioId** The ID of the update scenario.
+- **SessionId** The ID of the update attempt.
+- **UpdateId** The ID of the update.
+- **Values** The values sent back to the device, if applicable.
+ + +### Update360Telemetry.UpdateAgentPostRebootResult + +This event collects information for both Mobile and Desktop regarding the post reboot phase of the new Unified Update Platform (UUP) update scenario. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **ErrorCode** The error code returned for the current post reboot phase. +- **FlightId** The specific ID of the Windows Insider build the device is getting. +- **ObjectId** Unique value for each Update Agent mode. +- **PostRebootResult** Indicates the Hresult. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **RollbackFailureReason** Indicates the cause of the rollback. +- **ScenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate. +- **SessionId** Unique value for each update attempt. +- **UpdateId** Unique ID for each update. +- **UpdateOutputState** A numeric value indicating the state of the update at the time of reboot. + + ### Update360Telemetry.UpdateAgentReboot -This event sends information indicating that a request has been sent to suspend an update. +This event sends information indicating that a request has been sent to suspend an update. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: 
@@ -1129,20 +5577,276 @@ The following fields are available: - **ObjectId** The unique value for each Update Agent mode. - **Reason** Indicates the HResult why the machine could not be suspended. If it is successfully suspended, the result is 0. - **RelatedCV** The correlation vector value generated from the latest USO (Update Service Orchestrator) scan. +- **Result** The HResult of the event. - **ScenarioId** The ID of the update scenario. - **SessionId** The ID of the update attempt. - **UpdateId** The ID of the update. - **UpdateState** Indicates the state of the machine when Suspend is called. For example, Install, Download, Commit. +### Update360Telemetry.UpdateAgentSetupBoxLaunch + +The UpdateAgent_SetupBoxLaunch event sends data for the launching of the setup box when updating Windows via the new Unified Update Platform (UUP) scenario. This event is only applicable to PCs. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **ContainsExpressPackage** Indicates whether the download package is express. +- **FlightId** Unique ID for each flight. +- **FreeSpace** Free space on OS partition. +- **InstallCount** Number of install attempts using the same sandbox. +- **ObjectId** Unique value for each Update Agent mode. +- **Quiet** Indicates whether setup is running in quiet mode. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **SandboxSize** Size of the sandbox. +- **ScenarioId** Indicates the update scenario. +- **SessionId** Unique value for each update attempt. +- **SetupLaunchAttemptCount** Indicates the count of attempts to launch setup for the current Update Agent instance. +- **SetupMode** Mode of setup to be launched. +- **UpdateId** Unique ID for each Update. +- **UserSession** Indicates whether install was invoked by user actions. 
+ + +## Update notification events + +### Microsoft.Windows.UpdateNotificationPipeline.UNPCampaignManagerHeartbeat + +This event is sent at the start of the CampaignManager event and is intended to be used as a heartbeat. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CampaignConfigVersion** Configuration version for the current campaign. +- **CampaignID** Currently campaign that is running on Update Notification Pipeline (UNP). +- **ConfigCatalogVersion** Current catalog version of UNP. +- **ContentVersion** Content version for the current campaign on UNP. +- **CV** Correlation vector. +- **DetectorVersion** Most recently run detector version for the current campaign on UNP. +- **GlobalEventCounter** Client-side counter that indicates the event ordering sent by the user. +- **PackageVersion** Current UNP package version. + + ## Upgrade events +### FacilitatorTelemetry.DCATDownload + +This event indicates whether devices received additional or critical supplemental content during an OS Upgrade, to help keep Windows up to date and secure. + +The following fields are available: + +- **DownloadSize** Download size of payload. +- **ElapsedTime** Time taken to download payload. +- **MediaFallbackUsed** Used to determine if we used Media CompDBs to figure out package requirements for the upgrade. +- **ResultCode** Result returned by the Facilitator DCAT call. +- **Scenario** Dynamic update scenario (Image DU, or Setup DU). +- **Type** Type of package that was downloaded. +- **UpdateId** The ID of the update that was downloaded. + + +### FacilitatorTelemetry.DUDownload + +This event returns data about the download of supplemental packages critical to upgrading a device to the next version of Windows. The data collected with this event is used to help keep Windows secure and up to date. 
+
+The following fields are available:
+
+- **PackageCategoriesFailed** Lists the categories of packages that failed to download.
+- **PackageCategoriesSkipped** Lists the categories of package downloads that were skipped.
+
+
+### FacilitatorTelemetry.InitializeDU
+
+This event determines whether devices received additional or critical supplemental content during an OS upgrade. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **DownloadRequestAttributes** The attributes we send to DCAT.
+- **ResultCode** The result returned from the initiation of Facilitator with the URL/attributes.
+- **Scenario** Dynamic Update scenario (Image DU, or Setup DU).
+- **Url** The Delivery Catalog (DCAT) URL we send the request to.
+- **Version** Version of Facilitator.
+
+
+### Setup360Telemetry.Downlevel
+
+This event sends data indicating that the device has started the downlevel phase of the upgrade, to help keep Windows up to date and secure.
+
+The following fields are available:
+
+- **ClientId** If using Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, the default value is Media360, but it can be overwritten by the caller to a unique value.
+- **FlightData** Unique value that identifies the flight.
+- **HostOSBuildNumber** The build number of the downlevel OS.
+- **HostOsSkuName** The operating system edition which is running Setup360 instance (downlevel OS).
+- **InstanceId** A unique GUID that identifies each instance of setuphost.exe.
+- **ReportId** In the Windows Update scenario, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim.
+- **Setup360Extended** More detailed information about phase/action when the potential failure occurred.
+- **Setup360Mode** The phase of Setup360 (for example, Predownload, Install, Finalize, Rollback).
+- **Setup360Result** The result of Setup360 (HRESULT used to diagnose errors).
+- **Setup360Scenario** The Setup360 flow type (for example, Boot, Media, Update, MCT).
+- **SetupVersionBuildNumber** The build number of Setup360 (build number of the target OS).
+- **State** Exit state of given Setup360 run. Example: succeeded, failed, blocked, cancelled.
+- **TestId** An ID that uniquely identifies a group of events.
+- **WuId** This is the Windows Update Client ID. In the Windows Update scenario, this is the same as the clientId.
+
+
+### Setup360Telemetry.Finalize
+
+This event sends data indicating that the device has started the phase of finalizing the upgrade, to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **ClientId** With Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
+- **FlightData** Unique value that identifies the flight.
+- **HostOSBuildNumber** The build number of the previous OS.
+- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS).
+- **InstanceId** A unique GUID that identifies each instance of setuphost.exe
+- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim.
+- **Setup360Extended** More detailed information about the phase/action when the potential failure occurred.
+- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback.
+- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors.
+- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT.
+- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
+- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled.
+- **TestId** ID that uniquely identifies a group of events.
+- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId.
+
+
+### Setup360Telemetry.OsUninstall
+
+This event sends data regarding OS updates and upgrades from Windows 7, Windows 8, and Windows 10. Specifically, it indicates the outcome of an OS uninstall. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **ClientId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
+- **FlightData** Unique value that identifies the flight.
+- **HostOSBuildNumber** The build number of the previous OS.
+- **HostOsSkuName** The OS edition which is running the Setup360 instance (previous OS).
+- **InstanceId** A unique GUID that identifies each instance of setuphost.exe.
+- **ReportId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, this is the GUID for the install.wim.
+- **Setup360Extended** Detailed information about the phase or action when the potential failure occurred.
+- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback.
+- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors.
+- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT
+- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
+- **State** Exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled.
+- **TestId** ID that uniquely identifies a group of events.
+- **WuId** Windows Update client ID.
+
+
+### Setup360Telemetry.PostRebootInstall
+
+This event sends data indicating that the device has invoked the post reboot install phase of the upgrade, to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **ClientId** With Windows Update, this is the Windows Update client ID that is passed to Setup. In Media setup, the default value is Media360, but can be overwritten by the caller to a unique value.
+- **FlightData** Unique value that identifies the flight.
+- **HostOSBuildNumber** The build number of the previous OS.
+- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS).
+- **InstanceId** A unique GUID that identifies each instance of setuphost.exe.
+- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim.
+- **Setup360Extended** Extension of result - more granular information about phase/action when the potential failure happened
+- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback
+- **Setup360Result** The result of Setup360. This is an HRESULT error code that's used to diagnose errors.
+- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT
+- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
+- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled
+- **TestId** A string to uniquely identify a group of events.
+- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as ClientId.
+
+
+### Setup360Telemetry.PreDownloadQuiet
+
+This event sends data indicating that the device has invoked the predownload quiet phase of the upgrade, to help keep Windows up to date.
+
+The following fields are available:
+
+- **ClientId** Using Windows Update, this will be the Windows Update client ID that is passed to Setup.
 In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
+- **FlightData** Unique value that identifies the flight.
+- **HostOSBuildNumber** The build number of the previous OS.
+- **HostOsSkuName** The OS edition which is running Setup360 instance (previous operating system).
+- **InstanceId** A unique GUID that identifies each instance of setuphost.exe.
+- **ReportId** Using Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim.
+- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred.
+- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback.
+- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors.
+- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT.
+- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
+- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, canceled.
+- **TestId** ID that uniquely identifies a group of events.
+- **WuId** This is the Windows Update Client ID. Using Windows Update, this is the same as the clientId.
+
+
+### Setup360Telemetry.PreDownloadUX
+
+This event sends data regarding OS Updates and Upgrades from Windows 7.X, Windows 8.X, Windows 10 and RS, to help keep Windows up-to-date and secure. Specifically, it indicates the outcome of the PredownloadUX portion of the update process.
+
+The following fields are available:
+
+- **ClientId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
+- **FlightData** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
+- **HostOSBuildNumber** The build number of the previous operating system.
+- **HostOsSkuName** The OS edition which is running the Setup360 instance (previous operating system).
+- **InstanceId** Unique GUID that identifies each instance of setuphost.exe.
+- **ReportId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, this is the GUID for the install.wim.
+- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred.
+- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback.
+- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors.
+- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT.
+- **SetupVersionBuildNumber** The build number of Setup360 (build number of the target OS).
+- **State** The exit state of the Setup360 run. Example: succeeded, failed, blocked, cancelled.
+- **TestId** ID that uniquely identifies a group of events.
+- **WuId** Windows Update client ID.
+
+
+### Setup360Telemetry.PreInstallQuiet
+
+This event sends data indicating that the device has invoked the preinstall quiet phase of the upgrade, to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **ClientId** With Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
+- **FlightData** Unique value that identifies the flight.
+- **HostOSBuildNumber** The build number of the previous OS.
+- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS).
+- **InstanceId** A unique GUID that identifies each instance of setuphost.exe
+- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim.
+- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred.
+- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback.
+- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors.
+- **Setup360Scenario** Setup360 flow type (Boot, Media, Update, MCT).
+- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
+- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled.
+- **TestId** A string to uniquely identify a group of events.
+- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId.
+
+
+### Setup360Telemetry.PreInstallUX
+
+This event sends data regarding OS updates and upgrades from Windows 7, Windows 8, and Windows 10, to help keep Windows up-to-date. Specifically, it indicates the outcome of the PreinstallUX portion of the update process.
+
+The following fields are available:
+
+- **ClientId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
+- **FlightData** Unique value that identifies the flight.
+- **HostOSBuildNumber** The build number of the previous OS.
+- **HostOsSkuName** The OS edition which is running the Setup360 instance (previous OS).
+- **InstanceId** A unique GUID that identifies each instance of setuphost.exe.
+- **ReportId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, this is the GUID for the install.wim.
+- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred.
+- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback.
+- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors.
+- **Setup360Scenario** The Setup360 flow type, Example: Boot, Media, Update, MCT. +- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). +- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. +- **TestId** A string to uniquely identify a group of events. +- **WuId** Windows Update client ID. + + ### Setup360Telemetry.Setup360 This event sends data about OS deployment scenarios, to help keep Windows up-to-date. The following fields are available: +- **ClientId** Retrieves the upgrade ID. In the Windows Update scenario, this will be the Windows Update client ID. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. - **FieldName** Retrieves the data point. - **FlightData** Specifies a unique identifier for each group of Windows Insider builds. - **InstanceId** Retrieves a unique identifier for each instance of a setup session. 
@@ -1151,6 +5855,84 @@ The following fields are available: - **Value** Retrieves the value associated with the corresponding FieldName. +### Setup360Telemetry.Setup360DynamicUpdate + +This event helps determine whether the device received supplemental content during an operating system upgrade, to help keep Windows up-to-date. + +The following fields are available: + +- **FlightData** Specifies a unique identifier for each group of Windows Insider builds. +- **InstanceId** Retrieves a unique identifier for each instance of a setup session. +- **Operation** Facilitator's last known operation (scan, download, etc.). +- **ReportId** ID for tying together events stream side. +- **ResultCode** Result returned for the entire setup operation. +- **Scenario** Dynamic Update scenario (Image DU, or Setup DU). +- **ScenarioId** Identifies the update scenario. +- **TargetBranch** Branch of the target OS. +- **TargetBuild** Build of the target OS. + + +### Setup360Telemetry.Setup360MitigationResult + +This event sends data indicating the result of each setup mitigation. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **Applicable** TRUE if the mitigation is applicable for the current update. +- **ClientId** In the Windows Update scenario, this is the client ID passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **CommandCount** The number of command operations in the mitigation entry. +- **CustomCount** The number of custom operations in the mitigation entry. +- **FileCount** The number of file operations in the mitigation entry. +- **FlightData** The unique identifier for each flight (test release). +- **Index** The mitigation index of this particular mitigation. +- **InstanceId** The GUID (Globally Unique ID) that identifies each instance of SetupHost.EXE. 
+- **MitigationScenario** The update scenario in which the mitigation was executed.
+- **Name** The friendly (descriptive) name of the mitigation.
+- **OperationIndex** The mitigation operation index (in the event of a failure).
+- **OperationName** The friendly (descriptive) name of the mitigation operation (in the event of failure).
+- **RegistryCount** The number of registry operations in the mitigation entry.
+- **ReportId** In the Windows Update scenario, the Update ID that is passed to Setup. In media setup, this is the GUID for the INSTALL.WIM.
+- **Result** HResult of this operation.
+- **ScenarioId** Setup360 flow type.
+- **TimeDiff** The amount of time spent performing the mitigation (in 100-nanosecond increments).
+
+
+### Setup360Telemetry.Setup360MitigationSummary
+
+This event sends a summary of all the setup mitigations available for this update. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **Applicable** The count of mitigations that were applicable to the system and scenario.
+- **ClientId** The Windows Update client ID passed to Setup.
+- **Failed** The count of mitigations that failed.
+- **FlightData** The unique identifier for each flight (test release).
+- **InstanceId** The GUID (Globally Unique ID) that identifies each instance of SetupHost.EXE.
+- **MitigationScenario** The update scenario in which the mitigations were attempted.
+- **ReportId** In the Windows Update scenario, the Update ID that is passed to Setup. In media setup, this is the GUID for the INSTALL.WIM.
+- **Result** HResult of this operation.
+- **ScenarioId** Setup360 flow type.
+- **TimeDiff** The amount of time spent performing the mitigation (in 100-nanosecond increments).
+- **Total** The total number of mitigations that were available.
+ + +### Setup360Telemetry.Setup360OneSettings + +This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **ClientId** The Windows Update client ID passed to Setup. +- **Count** The count of applicable OneSettings for the device. +- **FlightData** The ID for the flight (test instance version). +- **InstanceId** The GUID (Globally-Unique ID) that identifies each instance of setuphost.exe. +- **Parameters** The set of name value pair parameters sent to OneSettings to determine if there are any applicable OneSettings. +- **ReportId** The Update ID passed to Setup. +- **Result** The HResult of the event error. +- **ScenarioId** The update scenario ID. +- **Values** Values sent back to the device, if applicable. + + ### Setup360Telemetry.UnexpectedEvent This event sends data indicating that the device has invoked the unexpected event phase of the upgrade, to help keep Windows up to date. @@ -1158,6 +5940,7 @@ This event sends data indicating that the device has invoked the unexpected even The following fields are available: - **ClientId** With Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightData** Unique value that identifies the flight. - **HostOSBuildNumber** The build number of the previous OS. - **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS). - **InstanceId** A unique GUID that identifies each instance of setuphost.exe 
@@ -1172,11 +5955,506 @@ The following fields are available: - **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId. +## Windows as a Service diagnostic events + +### Microsoft.Windows.WaaSMedic.DetectionFailed + +This event is sent when WaaSMedic fails to apply the named diagnostic. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **diagnostic** Parameter where the diagnostic failed. +- **hResult** Error code from attempting the diagnostic. +- **isDetected** Flag indicating whether the condition was detected. +- **pluginName** Name of the attempted diagnostic. +- **versionString** The version number of the remediation engine. + + +### Microsoft.Windows.WaaSMedic.EngineFailed + +This event indicates failure during medic engine execution. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **hResult** Error code from the execution. +- **versionString** Version of Medic engine. + + +### Microsoft.Windows.WaaSMedic.RemediationFailed + +This event is sent when the WaaS Medic update stack remediation tool fails to apply a described resolution to a problem that is blocking Windows Update from operating correctly on a target device. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **diagnostic** Parameter where the resolution failed. +- **hResult** Error code that resulted from attempting the resolution. +- **isRemediated** Indicates whether the condition was remediated. +- **pluginName** Name of the attempted resolution. +- **versionString** Version of the engine. + + +### Microsoft.Windows.WaaSMedic.SummaryEvent + +This event provides the result of the WaaSMedic operation. The data collected with this event is used to help keep Windows secure and up to date. 
+
+The following fields are available:
+
+- **callerApplication** The name of the calling application.
+- **capsuleCount** The number of Sediment Pack capsules.
+- **capsuleFailureCount** The number of capsule failures.
+- **detectionSummary** Result of each applicable detection that was run.
+- **featureAssessmentImpact** WaaS Assessment impact for feature updates.
+- **hrEngineBlockReason** Indicates the reason for stopping WaaSMedic.
+- **hrEngineResult** Error code from the engine operation.
+- **hrLastSandboxError** The last error sent by the WaaSMedic sandbox.
+- **initSummary** Summary data of the initialization method.
+- **isInteractiveMode** The user started a run of WaaSMedic.
+- **isManaged** Device is managed for updates.
+- **isWUConnected** Device is connected to Windows Update.
+- **noMoreActions** No more applicable diagnostics.
+- **pluginFailureCount** The number of plugins that have failed.
+- **pluginsCount** The number of plugins.
+- **qualityAssessmentImpact** WaaS Assessment impact for quality updates.
+- **remediationSummary** Result of each operation performed on a device to fix an invalid state or configuration that's preventing the device from getting updates. For example, if Windows Update service is turned off, the fix is to turn the it back on.
+- **usingBackupFeatureAssessment** Relying on backup feature assessment.
+- **usingBackupQualityAssessment** Relying on backup quality assessment.
+- **usingCachedFeatureAssessment** WaaS Medic run did not get OS build age from the network on the previous run.
+- **usingCachedQualityAssessment** WaaS Medic run did not get OS revision age from the network on the previous run.
+- **versionString** Version of the WaaSMedic engine.
+- **waasMedicRunMode** Indicates whether this was a background regular run of the medic or whether it was triggered by a user launching Windows Update Troubleshooter.
+
+
+## Windows Defender events
+
+### Microsoft.Windows.Sense.Client.PerformanceScript.OnboardingScript
+
+This event is triggered whenever WDATP onboarding script is run. The data collected with this event is used to keep Windows performing properly.
+
+The following fields are available:
+
+- **Message** Error message.
+
+
+## Windows Error Reporting events
+
+### Microsoft.Windows.WERVertical.OSCrash
+
+This event sends binary data from the collected dump file wheneveer a bug check occurs, to help keep Windows up to date. The is the OneCore version of this event.
+
+The following fields are available:
+
+- **BootId** Uint32 identifying the boot number for this device.
+- **BugCheckCode** Uint64 "bugcheck code" that identifies a proximate cause of the bug check.
+- **BugCheckParameter1** Uint64 parameter providing additional information.
+- **BugCheckParameter2** Uint64 parameter providing additional information.
+- **BugCheckParameter3** Uint64 parameter providing additional information.
+- **BugCheckParameter4** Uint64 parameter providing additional information.
+- **DumpFileAttributes** Codes that identify the type of data contained in the dump file
+- **DumpFileSize** Size of the dump file
+- **IsValidDumpFile** True if the dump file is valid for the debugger, false otherwise
+- **ReportId** WER Report Id associated with this bug check (used for finding the corresponding report archive in Watson).
+
+
+## Windows Hardware Error Architecture events
+
+### WheaProvider.WheaDriverErrorExternal
+
+This event is sent when a common platform hardware error is recorded by an external WHEA error source driver. The data collected with this event is used to help keep Windows up to date and performing properly.
+
+The following fields are available:
+
+- **creatorId** A GUID that identifies the entity that created the error record.
+- **errorFlags** Flags set on the error record.
+- **notifyType** A GUID that identifies the notification mechanism by which an error condition is reported to the operating system. +- **partitionId** A GUID that identifies the partition on which the hardware error occurred. +- **platformId** A GUID that identifies the platform on which the hardware error occurred. +- **record** A binary blob containing the full error record. Due to the nature of common platform error records we have no way of fully parsing this blob for any given record. +- **recordId** The identifier of the error record. This identifier is unique only on the system that created the error record. +- **sectionFlags** The flags for each section recorded in the error record. +- **sectionTypes** A GUID that represents the type of sections contained in the error record. +- **severityCount** The severity of each individual section. +- **timeStamp** Error time stamp as recorded in the error record. + + +### WheaProvider.WheaDriverErrorExternalNonCritical + +This event is sent when a common platform hardware error is recorded by an external WHEA error source driver. These records are for events that can happen at high rates. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **creatorId** A GUID that identifies the entity that created the error record. +- **errorFlags** Flags set on the error record. +- **notifyType** A GUID that identifies the notification mechanism by which an error condition is reported to the operating system. +- **partitionId** A GUID that identifies the partition on which the hardware error occurred. +- **platformId** A GUID that identifies the platform on which the hardware error occurred. +- **record** A binary blob containing the full error record. Due to the nature of common platform error records we have no way of fully parsing this blob for any given record. +- **recordId** The identifier of the error record. 
This identifier is unique only on the system that created the error record. +- **sectionFlags** The flags for each section recorded in the error record. +- **sectionTypes** A GUID that represents the type of sections contained in the error record. +- **severityCount** The severity of each individual section. +- **timeStamp** Error time stamp as recorded in the error record. + + +### WheaProvider.WheaDriverExternalLogginLimitReached + +This event indicates that WHEA has reached the logging limit for critical events from external drivers. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **timeStamp** Time at which the logging limit was reached. + + +### WheaProvider.WheaErrorRecord + +This event collects data about common platform hardware error recorded by the Windows Hardware Error Architecture (WHEA) mechanism. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **creatorId** The unique identifier for the entity that created the error record. +- **errorFlags** Any flags set on the error record. +- **notifyType** The unique identifier for the notification mechanism which reported the error to the operating system. +- **partitionId** The unique identifier for the partition on which the hardware error occurred. +- **platformId** The unique identifier for the platform on which the hardware error occurred. +- **record** A collection of binary data containing the full error record. +- **recordId** The identifier of the error record. +- **sectionFlags** The flags for each section recorded in the error record. +- **sectionTypes** The unique identifier that represents the type of sections contained in the error record. +- **severityCount** The severity of each individual section. +- **timeStamp** The error time stamp as recorded in the error record. 
+
+
+## Windows Store events
+
+### Microsoft.Windows.StoreAgent.Telemetry.AbortedInstallation
+
+This event is sent when an installation or update is canceled by a user or the system and is used to help keep Windows Apps up to date and secure.
+
+The following fields are available:
+
+- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed.
+- **AttemptNumber** Number of retry attempts before it was canceled.
+- **BundleId** The Item Bundle ID.
+- **CategoryId** The Item Category ID.
+- **ClientAppId** The identity of the app that initiated this operation.
+- **HResult** The result code of the last action performed before this operation.
+- **IsBundle** Is this a bundle?
+- **IsInteractive** Was this requested by a user?
+- **IsMandatory** Was this a mandatory update?
+- **IsRemediation** Was this a remediation install?
+- **IsRestore** Is this automatically restoring a previously acquired product?
+- **IsUpdate** Flag indicating if this is an update.
+- **ParentBundleId** The product ID of the parent (if this product is part of a bundle).
+- **PFN** The product family name of the product being installed.
+- **ProductId** The identity of the package or packages being installed.
+- **SystemAttemptNumber** The total number of automatic attempts at installation before it was canceled.
+- **UserAttemptNumber** The total number of user attempts at installation before it was canceled.
+- **WUContentId** The Windows Update content ID.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.EndAcquireLicense
+
+This event is sent after the license is acquired when a product is being installed. It's used to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **AggregatedPackageFullNames** Includes a set of package full names for each app that is part of an atomic set.
+- **AttemptNumber** The total number of attempts to acquire this product.
+- **BundleId** The bundle ID
+- **CategoryId** The identity of the package or packages being installed.
+- **ClientAppId** The identity of the app that initiated this operation.
+- **HResult** HResult code to show the result of the operation (success/failure).
+- **IsBundle** Is this a bundle?
+- **IsInteractive** Did the user initiate the installation?
+- **IsMandatory** Is this a mandatory update?
+- **IsRemediation** Is this repairing a previous installation?
+- **IsRestore** Is this happening after a device restore?
+- **IsUpdate** Is this an update?
+- **ParentBundleId** The parent bundle ID (if it's part of a bundle).
+- **PFN** Product Family Name of the product being installed.
+- **ProductId** The Store Product ID for the product being installed.
+- **SystemAttemptNumber** The number of attempts by the system to acquire this product.
+- **UserAttemptNumber** The number of attempts by the user to acquire this product
+- **WUContentId** The Windows Update content ID.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.EndDownload
+
+This event is sent after an app is downloaded to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **AggregatedPackageFullNames** The name of all packages to be downloaded and installed.
+- **AttemptNumber** Number of retry attempts before it was canceled.
+- **BundleId** The identity of the Windows Insider build associated with this product.
+- **CategoryId** The identity of the package or packages being installed.
+- **ClientAppId** The identity of the app that initiated this operation.
+- **DownloadSize** The total size of the download.
+- **ExtendedHResult** Any extended HResult error codes.
+- **HResult** The result code of the last action performed.
+- **IsBundle** Is this a bundle?
+- **IsInteractive** Is this initiated by the user?
+- **IsMandatory** Is this a mandatory installation?
+- **IsRemediation** Is this repairing a previous installation?
+- **IsRestore** Is this a restore of a previously acquired product?
+- **IsUpdate** Is this an update?
+- **ParentBundleId** The parent bundle ID (if it's part of a bundle).
+- **PFN** The Product Family Name of the app being download.
+- **ProductId** The Store Product ID for the product being installed.
+- **SystemAttemptNumber** The number of attempts by the system to download.
+- **UserAttemptNumber** The number of attempts by the user to download.
+- **WUContentId** The Windows Update content ID.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.EndFrameworkUpdate
+
+This event is sent when an app update requires an updated Framework package and the process starts to download it. It is used to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **HResult** The result code of the last action performed before this operation.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.EndInstall
+
+This event is sent after a product has been installed to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed.
+- **AttemptNumber** The number of retry attempts before it was canceled.
+- **BundleId** The identity of the build associated with this product.
+- **CategoryId** The identity of the package or packages being installed.
+- **ClientAppId** The identity of the app that initiated this operation.
+- **ExtendedHResult** The extended HResult error code.
+- **HResult** The result code of the last action performed.
+- **IsBundle** Is this a bundle?
+- **IsInteractive** Is this an interactive installation?
+- **IsMandatory** Is this a mandatory installation?
+- **IsRemediation** Is this repairing a previous installation?
+- **IsRestore** Is this automatically restoring a previously acquired product?
+- **IsUpdate** Is this an update?
+- **ParentBundleId** The product ID of the parent (if this product is part of a bundle).
+- **PFN** Product Family Name of the product being installed.
+- **ProductId** The Store Product ID for the product being installed.
+- **SystemAttemptNumber** The total number of system attempts.
+- **UserAttemptNumber** The total number of user attempts.
+- **WUContentId** The Windows Update content ID.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.EndScanForUpdates
+
+This event is sent after a scan for product updates to determine if there are packages to install. It's used to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **ClientAppId** The identity of the app that initiated this operation.
+- **HResult** The result code of the last action performed.
+- **IsApplicability** Is this request to only check if there are any applicable packages to install?
+- **IsInteractive** Is this user requested?
+- **IsOnline** Is the request doing an online check?
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.EndSearchUpdatePackages
+
+This event is sent after searching for update packages to install. It is used to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed.
+- **AttemptNumber** The total number of retry attempts before it was canceled.
+- **BundleId** The identity of the build associated with this product.
+- **CategoryId** The identity of the package or packages being installed.
+- **ClientAppId** The identity of the app that initiated this operation.
+- **HResult** The result code of the last action performed.
+- **IsBundle** Is this a bundle?
+- **IsInteractive** Is this user requested?
+- **IsMandatory** Is this a mandatory update?
+- **IsRemediation** Is this repairing a previous installation?
+- **IsRestore** Is this restoring previously acquired content?
+- **IsUpdate** Is this an update?
+- **ParentBundleId** The product ID of the parent (if this product is part of a bundle).
+- **PFN** The name of the package or packages requested for install.
+- **ProductId** The Store Product ID for the product being installed.
+- **SystemAttemptNumber** The total number of system attempts.
+- **UserAttemptNumber** The total number of user attempts.
+- **WUContentId** The Windows Update content ID.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.EndStageUserData
+
+This event is sent after restoring user data (if any) that needs to be restored following a product install. It is used to keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **AggregatedPackageFullNames** The name of all packages to be downloaded and installed.
+- **AttemptNumber** The total number of retry attempts before it was canceled.
+- **BundleId** The identity of the build associated with this product.
+- **CategoryId** The identity of the package or packages being installed.
+- **ClientAppId** The identity of the app that initiated this operation.
+- **HResult** The result code of the last action performed.
+- **IsBundle** Is this a bundle?
+- **IsInteractive** Is this user requested?
+- **IsMandatory** Is this a mandatory update?
+- **IsRemediation** Is this repairing a previous installation?
+- **IsRestore** Is this restoring previously acquired content?
+- **IsUpdate** Is this an update?
+- **ParentBundleId** The product ID of the parent (if this product is part of a bundle).
+- **PFN** The name of the package or packages requested for install.
+- **ProductId** The Store Product ID for the product being installed.
+- **SystemAttemptNumber** The total number of system attempts.
+- **UserAttemptNumber** The total number of system attempts.
+- **WUContentId** The Windows Update content ID.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.FulfillmentComplete
+
+This event is sent at the end of an app install or update to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **CatalogId** The name of the product catalog from which this app was chosen.
+- **FailedRetry** Indicates whether the installation or update retry was successful.
+- **HResult** The HResult code of the operation.
+- **PFN** The Package Family Name of the app that is being installed or updated.
+- **ProductId** The product ID of the app that is being updated or installed.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.FulfillmentInitiate
+
+This event is sent at the beginning of an app install or update to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **CatalogId** The name of the product catalog from which this app was chosen.
+- **FulfillmentPluginId** The ID of the plugin needed to install the package type of the product.
+- **PFN** The Package Family Name of the app that is being installed or updated.
+- **PluginTelemetryData** Diagnostic information specific to the package-type plug-in.
+- **ProductId** The product ID of the app that is being updated or installed.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.InstallOperationRequest
+
+This event is sent when a product install or update is initiated, to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **BundleId** The identity of the build associated with this product.
+- **CatalogId** If this product is from a private catalog, the Store Product ID for the product being installed.
+- **ProductId** The Store Product ID for the product being installed.
+- **SkuId** Specific edition ID being installed.
+- **VolumePath** The disk path of the installation.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.PauseInstallation
+
+This event is sent when a product install or update is paused (either by a user or the system), to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed.
+- **AttemptNumber** The total number of retry attempts before it was canceled.
+- **BundleId** The identity of the build associated with this product.
+- **CategoryId** The identity of the package or packages being installed.
+- **ClientAppId** The identity of the app that initiated this operation.
+- **IsBundle** Is this a bundle?
+- **IsInteractive** Is this user requested?
+- **IsMandatory** Is this a mandatory update?
+- **IsRemediation** Is this repairing a previous installation?
+- **IsRestore** Is this restoring previously acquired content?
+- **IsUpdate** Is this an update?
+- **ParentBundleId** The product ID of the parent (if this product is part of a bundle).
+- **PFN** The Product Full Name.
+- **PreviousHResult** The result code of the last action performed before this operation.
+- **PreviousInstallState** Previous state before the installation or update was paused.
+- **ProductId** The Store Product ID for the product being installed.
+- **RelatedCV** Correlation Vector of a previous performed action on this product.
+- **SystemAttemptNumber** The total number of system attempts.
+- **UserAttemptNumber** The total number of user attempts.
+- **WUContentId** The Windows Update content ID.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.ResumeInstallation
+
+This event is sent when a product install or update is resumed (either by a user or the system), to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed.
+- **AttemptNumber** The number of retry attempts before it was canceled.
+- **BundleId** The identity of the build associated with this product.
+- **CategoryId** The identity of the package or packages being installed.
+- **ClientAppId** The identity of the app that initiated this operation.
+- **HResult** The result code of the last action performed before this operation.
+- **IsBundle** Is this a bundle?
+- **IsInteractive** Is this user requested? +- **IsMandatory** Is this a mandatory update? +- **IsRemediation** Is this repairing a previous installation? +- **IsRestore** Is this restoring previously acquired content? +- **IsUpdate** Is this an update? +- **IsUserRetry** Did the user initiate the retry? +- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). +- **PFN** The name of the package or packages requested for install. +- **PreviousHResult** The previous HResult error code. +- **PreviousInstallState** Previous state before the installation was paused. +- **ProductId** The Store Product ID for the product being installed. +- **RelatedCV** Correlation Vector for the original install before it was resumed. +- **ResumeClientId** The ID of the app that initiated the resume operation. +- **SystemAttemptNumber** The total number of system attempts. +- **UserAttemptNumber** The total number of user attempts. +- **WUContentId** The Windows Update content ID. + + +### Microsoft.Windows.StoreAgent.Telemetry.ResumeOperationRequest + +This event is sent when a product install or update is resumed by a user or on installation retries, to help keep Windows up-to-date and secure. + +The following fields are available: + +- **ProductId** The Store Product ID for the product being installed. + + +### Microsoft.Windows.StoreAgent.Telemetry.SearchForUpdateOperationRequest + +This event is sent when searching for update packages to install, to help keep Windows up-to-date and secure. + +The following fields are available: + +- **CatalogId** The Store Catalog ID for the product being installed. +- **ProductId** The Store Product ID for the product being installed. +- **SkuId** Specfic edition of the app being updated. + + +### Microsoft.Windows.StoreAgent.Telemetry.StateTransition + +Products in the process of being fulfilled (installed or updated) are maintained in a list. 
This event is sent any time there is a change in a product's fulfillment status (pending, working, paused, cancelled, or complete), to help keep Windows up to date and secure. + +The following fields are available: + +- **CatalogId** The ID for the product being installed if the product is from a private catalog, such as the Enterprise catalog. +- **FulfillmentPluginId** The ID of the plugin needed to install the package type of the product. +- **HResult** The resulting HResult error/success code of this operation. +- **NewState** The current fulfillment state of this product. +- **PFN** The Package Family Name of the app that is being installed or updated. +- **PluginLastStage** The most recent product fulfillment step that the plug-in has reported (different than its state). +- **PluginTelemetryData** Diagnostic information specific to the package-type plug-in. +- **Prevstate** The previous fulfillment state of this product. +- **ProductId** Product ID of the app that is being updated or installed. + + +### Microsoft.Windows.StoreAgent.Telemetry.UpdateAppOperationRequest + +This event occurs when an update is requested for an app, to help keep Windows up-to-date and secure. + +The following fields are available: + +- **PFamN** The name of the app that is requested for update. + + ## Windows Update CSP events ### Microsoft.Windows.UpdateCsp.ExecuteRollBackFeatureFailed -This event sends basic telemetry on the failure of the Feature Rollback. +This event sends basic telemetry on the failure of the Feature Rollback. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: 
@@ -1190,6 +6468,240 @@ The following fields are available: - **wUfBConnected** Result of WUfB connection check. +### Microsoft.Windows.UpdateCsp.ExecuteRollBackFeatureNotApplicable + +This event sends basic telemetry on whether Feature Rollback (rolling back features updates) is applicable to a device. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **current** Result of currency check. +- **dismOperationSucceeded** Dism uninstall operation status. +- **oSVersion** Build number of the device. +- **paused** Indicates whether the device is paused. +- **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status. +- **sacDevice** Represents the device info. +- **wUfBConnected** Result of WUfB connection check. + + +### Microsoft.Windows.UpdateCsp.ExecuteRollBackFeatureStarted + +This event sends basic information indicating that Feature Rollback has started. The data collected with this event is used to help keep Windows secure and up to date. + + + +### Microsoft.Windows.UpdateCsp.ExecuteRollBackQualityNotApplicable + +This event informs you whether a rollback of Quality updates is applicable to the devices that you are attempting to rollback. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **current** Result of currency check. +- **dismOperationSucceeded** Dism uninstall operation status. +- **oSVersion** Build number of the device. +- **paused** Indicates whether the device is paused. +- **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status. +- **sacDevice** Device in the semi-annual channel. +- **wUfBConnected** Result of WUfB connection check. + + +## Windows Update Delivery Optimization events + +### Microsoft.OSG.DU.DeliveryOptClient.DownloadCanceled + +This event describes when a download was canceled with Delivery Optimization. 
It's used to understand and address problems regarding downloads. The data collected with this event is used to help keep Windows up to date.
+
+The following fields are available:
+
+- **background** Is the download being done in the background?
+- **bytesFromCacheServer** Bytes received from a cache host.
+- **bytesFromCDN** The number of bytes received from a CDN source.
+- **bytesFromGroupPeers** The number of bytes received from a peer in the same group.
+- **bytesFromIntPeers** The number of bytes received from peers not in the same LAN or in the same group.
+- **bytesFromLinkLocalPeers** The number of bytes received from local peers.
+- **bytesFromLocalCache** Bytes copied over from local (on disk) cache.
+- **bytesFromPeers** The number of bytes received from a peer in the same LAN.
+- **cdnErrorCodes** A list of CDN connection errors since the last FailureCDNCommunication event.
+- **cdnErrorCounts** The number of times each error in cdnErrorCodes was encountered.
+- **cdnIp** The IP Address of the source CDN (Content Delivery Network).
+- **cdnUrl** The URL of the source CDN (Content Delivery Network).
+- **dataSourcesTotal** Bytes received per source type, accumulated for the whole session.
+- **errorCode** The error code that was returned.
+- **experimentId** When running a test, this is used to correlate events that are part of the same test.
+- **fileID** The ID of the file being downloaded.
+- **isVpn** Is the device connected to a Virtual Private Network?
+- **jobID** Identifier for the Windows Update job.
+- **predefinedCallerName** The name of the API Caller.
+- **reasonCode** Reason the action or event occurred.
+- **routeToCacheServer** The cache server setting, source, and value.
+- **sessionID** The ID of the file download session.
+- **updateID** The ID of the update being downloaded.
+
+
+### Microsoft.OSG.DU.DeliveryOptClient.DownloadCompleted
+
+This event describes when a download has completed with Delivery Optimization.
It's used to understand and address problems regarding downloads. The data collected with this event is used to help keep Windows up to date.
+
+The following fields are available:
+
+- **background** Is the download a background download?
+- **bytesFromCacheServer** Bytes received from a cache host.
+- **bytesFromCDN** The number of bytes received from a CDN source.
+- **bytesFromGroupPeers** The number of bytes received from a peer in the same domain group.
+- **bytesFromIntPeers** The number of bytes received from peers not in the same LAN or in the same domain group.
+- **bytesFromLinkLocalPeers** The number of bytes received from local peers.
+- **bytesFromLocalCache** Bytes copied over from local (on disk) cache.
+- **bytesFromPeers** The number of bytes received from a peer in the same LAN.
+- **bytesRequested** The total number of bytes requested for download.
+- **cacheServerConnectionCount** Number of connections made to cache hosts.
+- **cdnConnectionCount** The total number of connections made to the CDN.
+- **cdnErrorCodes** A list of CDN connection errors since the last FailureCDNCommunication event.
+- **cdnErrorCounts** The number of times each error in cdnErrorCodes was encountered.
+- **cdnIp** The IP address of the source CDN.
+- **cdnUrl** Url of the source Content Distribution Network (CDN).
+- **congestionPrevention** Indicates a download may have been suspended to prevent network congestion.
+- **dataSourcesTotal** Bytes received per source type, accumulated for the whole session.
+- **downlinkBps** The maximum measured available download bandwidth (in bytes per second).
+- **downlinkUsageBps** The download speed (in bytes per second).
+- **downloadMode** The download mode used for this file download session.
+- **downloadModeReason** Reason for the download.
+- **downloadModeSrc** Source of the DownloadMode setting.
+- **experimentId** When running a test, this is used to correlate with other events that are part of the same test.
+- **expiresAt** The time when the content will expire from the Delivery Optimization Cache.
+- **fileID** The ID of the file being downloaded.
+- **fileSize** The size of the file being downloaded.
+- **groupConnectionCount** The total number of connections made to peers in the same group.
+- **groupID** A GUID representing a custom group of devices.
+- **internetConnectionCount** The total number of connections made to peers not in the same LAN or the same group.
+- **isEncrypted** TRUE if the file is encrypted and will be decrypted after download.
+- **isThrottled** Event Rate throttled (event represents aggregated data).
+- **isVpn** Is the device connected to a Virtual Private Network?
+- **jobID** Identifier for the Windows Update job.
+- **lanConnectionCount** The total number of connections made to peers in the same LAN.
+- **linkLocalConnectionCount** The number of connections made to peers in the same Link-local network.
+- **numPeers** The total number of peers used for this download.
+- **numPeersLocal** The total number of local peers used for this download.
+- **predefinedCallerName** The name of the API Caller.
+- **restrictedUpload** Is the upload restricted?
+- **routeToCacheServer** The cache server setting, source, and value.
+- **sessionID** The ID of the download session.
+- **totalTimeMs** Duration of the download (in seconds).
+- **updateID** The ID of the update being downloaded.
+- **uplinkBps** The maximum measured available upload bandwidth (in bytes per second).
+- **uplinkUsageBps** The upload speed (in bytes per second).
+
+
+### Microsoft.OSG.DU.DeliveryOptClient.DownloadHungItself
+
+This event sends data describing a download that has become unexpectedly stuck to enable Delivery Optimization to understand and address problems regarding downloads.
+
+The following fields are available:
+
+- **background** Indicates if the download is happening in the background.
+- **cdnIp** Indicates the IP Address of the source CDN.
+- **cdnUrl** Represents the URL of the source CDN.
+- **errorCode** Indicates the error code returned.
+- **experimentId** Used to correlate client/services calls that are part of the same test during A/B testing.
+- **fileID** Represents the ID of the file being downloaded.
+- **isVpn** Indicates if the machine is connected to a Virtual Private Network.
+- **jobID** Identifier for the Windows Update Job.
+- **predefinedCallerName** Represents the name of the API Caller.
+- **progressPercent** Indicates the percent of download completed.
+- **sessionID** Indicates the ID for the file download session.
+- **updateID** Represents the ID of the update being downloaded.
+
+
+### Microsoft.OSG.DU.DeliveryOptClient.DownloadPaused
+
+This event represents a temporary suspension of a download with Delivery Optimization. It's used to understand and address problems regarding downloads. The data collected with this event is used to help keep Windows up to date.
+
+The following fields are available:
+
+- **background** Is the download a background download?
+- **cdnUrl** The URL of the source CDN (Content Delivery Network).
+- **errorCode** The error code that was returned.
+- **experimentId** When running a test, this is used to correlate with other events that are part of the same test.
+- **fileID** The ID of the file being paused.
+- **isVpn** Is the device connected to a Virtual Private Network?
+- **jobID** Identifier for the Windows Update job.
+- **predefinedCallerName** The name of the API Caller object.
+- **reasonCode** The reason for pausing the download.
+- **routeToCacheServer** The cache server setting, source, and value.
+- **sessionID** The ID of the download session.
+- **updateID** The ID of the update being paused.
+
+
+### Microsoft.OSG.DU.DeliveryOptClient.DownloadStarted
+
+This event sends data describing the start of a new download to enable Delivery Optimization. It's used to understand and address problems regarding downloads.
The data collected with this event is used to help keep Windows up to date.
+
+The following fields are available:
+
+- **background** Indicates whether the download is happening in the background.
+- **bytesRequested** Number of bytes requested for the download.
+- **cdnUrl** The URL of the source Content Distribution Network (CDN).
+- **costFlags** A set of flags representing network cost.
+- **deviceProfile** Identifies the usage or form factor (such as Desktop, Xbox, or VM).
+- **diceRoll** Random number used for determining if a client will use peering.
+- **doClientVersion** The version of the Delivery Optimization client.
+- **downloadMode** The download mode used for this file download session (CdnOnly = 0, Lan = 1, Group = 2, Internet = 3, Simple = 99, Bypass = 100).
+- **downloadModeReason** Reason for the download.
+- **downloadModeSrc** Source of the DownloadMode setting (KvsProvider = 0, GeoProvider = 1, GeoVerProvider = 2, CpProvider = 3, DiscoveryProvider = 4, RegistryProvider = 5, GroupPolicyProvider = 6, MdmProvider = 7, SettingsProvider = 8, InvalidProviderType = 9).
+- **errorCode** The error code that was returned.
+- **experimentId** ID used to correlate client/services calls that are part of the same test during A/B testing.
+- **fileID** The ID of the file being downloaded.
+- **filePath** The path to where the downloaded file will be written.
+- **fileSize** Total file size of the file that was downloaded.
+- **fileSizeCaller** Value for total file size provided by our caller.
+- **groupID** ID for the group.
+- **isEncrypted** Indicates whether the download is encrypted.
+- **isThrottled** Indicates the Event Rate was throttled (event represent aggregated data).
+- **isVpn** Indicates whether the device is connected to a Virtual Private Network.
+- **jobID** The ID of the Windows Update job.
+- **peerID** The ID for this delivery optimization client.
+- **predefinedCallerName** Name of the API caller.
+- **routeToCacheServer** Cache server setting, source, and value.
+- **sessionID** The ID for the file download session.
+- **setConfigs** A JSON representation of the configurations that have been set, and their sources.
+- **updateID** The ID of the update being downloaded.
+
+
+### Microsoft.OSG.DU.DeliveryOptClient.FailureCdnCommunication
+
+This event represents a failure to download from a CDN with Delivery Optimization. It's used to understand and address problems regarding downloads. The data collected with this event is used to help keep Windows up to date.
+
+The following fields are available:
+
+- **cdnHeaders** The HTTP headers returned by the CDN.
+- **cdnIp** The IP address of the CDN.
+- **cdnUrl** The URL of the CDN.
+- **errorCode** The error code that was returned.
+- **errorCount** The total number of times this error code was seen since the last FailureCdnCommunication event was encountered.
+- **experimentId** When running a test, this is used to correlate with other events that are part of the same test.
+- **fileID** The ID of the file being downloaded.
+- **httpStatusCode** The HTTP status code returned by the CDN.
+- **isHeadRequest** The type of HTTP request that was sent to the CDN. Example: HEAD or GET
+- **peerType** The type of peer (LAN, Group, Internet, CDN, Cache Host, etc.).
+- **requestOffset** The byte offset within the file in the sent request.
+- **requestSize** The size of the range requested from the CDN.
+- **responseSize** The size of the range response received from the CDN.
+- **sessionID** The ID of the download session.
+
+
+### Microsoft.OSG.DU.DeliveryOptClient.JobError
+
+This event represents a Windows Update job error. It allows for investigation of top errors. The data collected with this event is used to help keep Windows up to date.
+
+The following fields are available:
+
+- **cdnIp** The IP Address of the source CDN (Content Delivery Network).
+- **doErrorCode** Error code returned for delivery optimization.
+- **errorCode** The error code returned. +- **experimentId** When running a test, this is used to correlate with other events that are part of the same test. +- **fileID** The ID of the file being downloaded. +- **jobID** The Windows Update job ID. +- **predefinedCallerName** Name of the API Caller. + + ## Windows Update events ### Microsoft.Windows.Update.DataMigrationFramework.DmfMigrationStarted 
@@ -1204,59 +6716,839 @@ The following fields are available: - **WuClientId** The GUID of the Windows Update client invoking DMF -## XBOX events +### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentAnalysisSummary -### Microsoft.Gaming.Install.ResurrectedInstall - -This event is logged when app installation resumes on Xbox console. +This event collects information regarding the state of devices and drivers on the system following a reboot after the install phase of the new device manifest UUP (Unified Update Platform) update scenario which is used to install a device manifest describing a set of driver packages. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: -- **InstanceId** App install instance ID. -- **Result** App install resume result. +- **activated** Whether the entire device manifest update is considered activated and in use. +- **analysisErrorCount** The number of driver packages that could not be analyzed because errors occurred during analysis. +- **flightId** Unique ID for each flight. +- **missingDriverCount** The number of driver packages delivered by the device manifest that are missing from the system. +- **missingUpdateCount** The number of updates in the device manifest that are missing from the system. +- **objectId** Unique value for each diagnostics session. +- **publishedCount** The number of drivers packages delivered by the device manifest that are published and available to be used on devices. +- **relatedCV** Correlation vector value generated from the latest USO scan. +- **scenarioId** Indicates the update scenario. +- **sessionId** Unique value for each update session. +- **summary** A summary string that contains basic information about driver packages that are part of the device manifest and any devices on the system that those driver packages match. 
+- **summaryAppendError** A Boolean indicating if there was an error appending more information to the summary string. +- **truncatedDeviceCount** The number of devices missing from the summary string because there is not enough room in the string. +- **truncatedDriverCount** The number of driver packages missing from the summary string because there is not enough room in the string. +- **unpublishedCount** How many drivers packages that were delivered by the device manifest that are still unpublished and unavailable to be used on devices. +- **updateId** The unique ID for each update. -### Microsoft.Xbox.XceBridge.CS.1.0.0.9.0.2.SFR.ConnectedStandbyEnterEnd +### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentDownloadRequest -This event is triggered when connected standby is finished activating. +This event collects information regarding the download request phase of the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **deletedCorruptFiles** Indicates if UpdateAgent found any corrupt payload files and whether the payload was deleted. +- **errorCode** The error code returned for the current session initialization. +- **flightId** The unique identifier for each flight. +- **objectId** Unique value for each Update Agent mode. +- **packageCountOptional** Number of optional packages requested. +- **packageCountRequired** Number of required packages requested. +- **packageCountTotal** Total number of packages needed. +- **packageCountTotalCanonical** Total number of canonical packages. +- **packageCountTotalDiff** Total number of diff packages. +- **packageCountTotalExpress** Total number of express packages. +- **packageSizeCanonical** Size of canonical packages in bytes. +- **packageSizeDiff** Size of diff packages in bytes. 
+- **packageSizeExpress** Size of express packages in bytes.
+- **rangeRequestState** Represents the state of the download range request.
+- **relatedCV** Correlation vector value generated from the latest USO scan.
+- **result** Result of the download request phase of update.
+- **scenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate.
+- **sessionId** Unique value for each Update Agent mode attempt.
+- **updateId** Unique ID for each update.
+
+
+### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentInitialize
+
+This event sends data for initializing a new update session for the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **errorCode** The error code returned for the current session initialization.
+- **flightId** The unique identifier for each flight.
+- **flightMetadata** Contains the FlightId and the build being flighted.
+- **objectId** Unique value for each Update Agent mode.
+- **relatedCV** Correlation vector value generated from the latest USO scan.
+- **result** Result of the initialize phase of the update. 0 = Succeeded, 1 = Failed, 2 = Cancelled, 3 = Blocked, 4 = BlockCancelled.
+- **scenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate.
+- **sessionData** Contains instructions to update agent for processing FODs and DUICs (Null for other scenarios).
+- **sessionId** Unique value for each Update Agent mode attempt.
+- **updateId** Unique ID for each update.
+
+
+### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentInstall
+
+This event collects information regarding the install phase of the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **errorCode** The error code returned for the current install phase.
+- **flightId** The unique identifier for each flight.
+- **objectId** The unique identifier for each diagnostics session.
+- **relatedCV** Correlation vector value generated from the latest USO scan.
+- **result** Outcome of the install phase of the update.
+- **scenarioId** The unique identifier for the update scenario.
+- **sessionId** The unique identifier for each update session.
+- **updateId** The unique identifier for each update.
+
+
+### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentModeStart
+
+This event sends data for the start of each mode during the process of updating device manifest assets via the UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **flightId** The unique identifier for each flight.
+- **mode** The mode that is starting.
+- **objectId** The unique value for each diagnostics session.
+- **relatedCV** Correlation vector value generated from the latest USO scan.
+- **scenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate.
+- **sessionId** Unique value for each Update Agent mode attempt.
+- **updateId** Unique identifier for each update.
+
+
+### Microsoft.Windows.Update.NotificationUx.DialogNotificationToBeDisplayed
+
+This event indicates that a notification dialog box is about to be displayed to user. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **AcceptAutoModeLimit** The maximum number of days for a device to automatically enter Auto Reboot mode.
+- **AutoToAutoFailedLimit** The maximum number of days for Auto Reboot mode to fail before the RebootFailed dialog box is shown.
+- **DaysSinceRebootRequired** Number of days since restart was required.
+- **DeviceLocalTime** The local time on the device sending the event.
+- **EngagedModeLimit** The number of days to switch between DTE dialog boxes.
+- **EnterAutoModeLimit** The maximum number of days for a device to enter Auto Reboot mode.
+- **ETag** OneSettings versioning value.
+- **IsForcedEnabled** Indicates whether Forced Reboot mode is enabled for this device.
+- **IsUltimateForcedEnabled** Indicates whether Ultimate Forced Reboot mode is enabled for this device.
+- **NotificationUxState** Indicates which dialog box is shown.
+- **NotificationUxStateString** Indicates which dialog box is shown.
+- **RebootUxState** Indicates the state of the restart (Engaged, Auto, Forced, or UltimateForced).
+- **RebootUxStateString** Indicates the state of the restart (Engaged, Auto, Forced, or UltimateForced).
+- **RebootVersion** Version of DTE.
+- **SkipToAutoModeLimit** The minimum length of time to pass in restart pending before a device can be put into auto mode.
+- **UpdateId** The ID of the update that is pending restart to finish installation.
+- **UpdateRevision** The revision of the update that is pending restart to finish installation.
+- **UtcTime** The time the dialog box notification will be displayed, in Coordinated Universal Time.
+
+
+### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootAcceptAutoDialog
+
+This event indicates that the Enhanced Engaged restart "accept automatically" dialog box was displayed. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **DeviceLocalTime** The local time on the device sending the event.
+- **EnterpriseAttributionValue** Indicates whether the Enterprise attribution is on in this dialog box.
+- **ETag** OneSettings versioning value.
+- **ExitCode** Indicates how users exited the dialog box.
+- **RebootVersion** Version of DTE.
+- **UpdateId** The ID of the update that is pending restart to finish installation.
+- **UpdateRevision** The revision of the update that is pending restart to finish installation.
+- **UserResponseString** The option that user chose on this dialog box.
+- **UtcTime** The time that the dialog box was displayed, in Coordinated Universal Time.
+
+
+### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootRebootFailedDialog
+
+This event indicates that the Enhanced Engaged restart "restart failed" dialog box was displayed. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **DeviceLocalTime** The local time of the device sending the event.
+- **EnterpriseAttributionValue** Indicates whether the Enterprise attribution is on in this dialog box.
+- **ETag** OneSettings versioning value.
+- **ExitCode** Indicates how users exited the dialog box.
+- **RebootVersion** Version of DTE.
+- **UpdateId** The ID of the update that is pending restart to finish installation.
+- **UpdateRevision** The revision of the update that is pending restart to finish installation.
+- **UserResponseString** The option that the user chose in this dialog box.
+- **UtcTime** The time that the dialog box was displayed, in Coordinated Universal Time.
+
+
+### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootRebootImminentDialog
+
+This event indicates that the Enhanced Engaged restart "restart imminent" dialog box was displayed. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **DeviceLocalTime** Time the dialog box was shown on the local device.
+- **EnterpriseAttributionValue** Indicates whether the Enterprise attribution is on in this dialog box.
+- **ETag** OneSettings versioning value.
+- **ExitCode** Indicates how users exited the dialog box.
+- **RebootVersion** Version of DTE.
+- **UpdateId** The ID of the update that is pending restart to finish installation.
+- **UpdateRevision** The revision of the update that is pending restart to finish installation.
+- **UserResponseString** The option that user chose in this dialog box.
+- **UtcTime** The time that dialog box was displayed, in Coordinated Universal Time.
+
+
+### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootReminderDialog
+
+This event returns information relating to the Enhanced Engaged reboot reminder dialog that was displayed. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **DeviceLocalTime** The time at which the reboot reminder dialog was shown (based on the local device time settings).
+- **EnterpriseAttributionValue** Indicates whether Enterprise attribution is on for this dialog.
+- **ETag** The OneSettings versioning value.
+- **ExitCode** Indicates how users exited the reboot reminder dialog box.
+- **RebootVersion** The version of the DTE (Direct-to-Engaged).
+- **UpdateId** The ID of the update that is waiting for reboot to finish installation.
+- **UpdateRevision** The revision of the update that is waiting for reboot to finish installation.
+- **UserResponseString** The option chosen by the user on the reboot dialog box.
+- **UtcTime** The time at which the reboot reminder dialog was shown (in UTC).
+
+
+### Microsoft.Windows.Update.NotificationUx.RebootScheduled
+
+This event sends basic information for scheduling a device restart to install security updates. It's used to help keep Windows secure and up-to-date by indicating when a reboot is scheduled by the system or a user for a security, quality, or feature update.
+
+The following fields are available:
+
+- **activeHoursApplicable** Indicates whether an Active Hours policy is present on the device.
+- **IsEnhancedEngagedReboot** Indicates whether this is an Enhanced Engaged reboot.
+- **rebootArgument** Argument for the reboot task. It also represents specific reboot related action.
+- **rebootOutsideOfActiveHours** Indicates whether a restart is scheduled outside of active hours.
+- **rebootScheduledByUser** Indicates whether the restart was scheduled by user (if not, it was scheduled automatically).
+- **rebootState** The current state of the restart.
+- **rebootUsingSmartScheduler** Indicates whether the reboot is scheduled by smart scheduler.
+- **revisionNumber** Revision number of the update that is getting installed with this restart.
+- **scheduledRebootTime** Time of the scheduled restart.
+- **scheduledRebootTimeInUTC** Time of the scheduled restart in Coordinated Universal Time.
+- **updateId** ID of the update that is getting installed with this restart.
+- **wuDeviceid** Unique device ID used by Windows Update.
+
+### wilActivity
+
+This event provides a Windows Internal Library context used for Product and Service diagnostics.
+
+The following fields are available:
+
+- **callContext** The function where the failure occurred.
+- **currentContextId** The ID of the current call context where the failure occurred.
+- **currentContextMessage** The message of the current call context where the failure occurred.
+- **currentContextName** The name of the current call context where the failure occurred.
+- **failureCount** The number of failures for this failure ID.
+- **failureId** The ID of the failure that occurred.
+- **failureType** The type of the failure that occurred.
+- **fileName** The file name where the failure occurred.
+- **function** The function where the failure occurred.
+- **hresult** The HResult of the overall activity.
+- **lineNumber** The line number where the failure occurred.
+- **message** The message of the failure that occurred.
+- **module** The module where the failure occurred.
+- **originatingContextId** The ID of the originating call context that resulted in the failure.
+- **originatingContextMessage** The message of the originating call context that resulted in the failure.
+- **originatingContextName** The name of the originating call context that resulted in the failure.
+- **threadId** The ID of the thread on which the activity is executing.
+
+### Microsoft.Windows.Update.Orchestrator.ActivityError
+
+This event measures overall health of UpdateOrchestrator. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **wilActivity** This struct provides a Windows Internal Library context used for Product and Service diagnostics. See [wilActivity](#wilactivity).
+
+
+### Microsoft.Windows.Update.Orchestrator.DeferRestart
+
+This event indicates that a restart required for installing updates was postponed. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **displayNeededReason** List of reasons for needing display.
+- **eventScenario** Indicates the purpose of the event (scan started, succeeded, failed, etc.).
+- **filteredDeferReason** Applicable filtered reasons why reboot was postponed (such as user active, or low battery).
+- **gameModeReason** Name of the executable that caused the game mode state check to start.
+- **ignoredReason** List of reasons that were intentionally ignored.
+- **IgnoreReasonsForRestart** List of reasons why restart was deferred.
+- **revisionNumber** Update ID revision number.
+- **systemNeededReason** List of reasons why system is needed.
+- **updateId** Update ID.
+- **updateScenarioType** Update session type.
+- **wuDeviceid** Unique device ID used by Windows Update.
+
+
+### Microsoft.Windows.Update.Orchestrator.DetectionActivity
+
+This event returns data about detected updates, as well as the types of update (optional or recommended). This data helps keep Windows up to date.
+
+The following fields are available:
+
+- **applicableUpdateIdList** The list of update identifiers.
+- **applicableUpdateList** The list of available updates.
+- **durationInSeconds** The amount of time (in seconds) it took for the event to run.
+- **expeditedMode** Indicates whether Expedited Mode is on.
+- **scanTriggerSource** Indicates whether the scan is Interactive or Background.
+- **scenario** The result code of the event.
+- **scenarioReason** The reason for the result code (scenario).
+- **seekerUpdateIdList** The list of “seeker” update identifiers.
+- **seekerUpdateList** The list of “seeker” updates.
+- **services** The list of services that were called during update.
+- **wilActivity** The activity results. See [wilActivity](#wilactivity).
+
+
+### Microsoft.Windows.Update.Orchestrator.DisplayNeeded
+
+This event indicates the reboot was postponed due to needing a display. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **displayNeededReason** Reason the display is needed.
+- **eventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed.
+- **rebootOutsideOfActiveHours** Indicates whether the reboot was to occur outside of active hours.
+- **revisionNumber** Revision number of the update.
+- **updateId** Update ID.
+- **updateScenarioType** The update session type.
+- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated.
+- **wuDeviceid** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue
+
+
+### Microsoft.Windows.Update.Orchestrator.Download
+
+This event sends launch data for a Windows Update download to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **deferReason** Reason for download not completing.
+- **errorCode** An error code represented as a hexadecimal value.
+- **eventScenario** End-to-end update session ID.
+- **flightID** The specific ID of the Windows Insider build the device is getting.
+- **interactive** Indicates whether the session is user initiated.
+- **revisionNumber** Update revision number.
+- **updateId** Update ID.
+- **updateScenarioType** The update session type.
+- **wuDeviceid** Unique device ID used by Windows Update.
+
+
+### Microsoft.Windows.Update.Orchestrator.FailedToAddTimeTriggerToScanTask
+
+This event indicated that USO failed to add a trigger time to a task. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **errorCode** The Windows Update error code.
+- **wuDeviceid** The Windows Update device ID.
+
+
+### Microsoft.Windows.Update.Orchestrator.FlightInapplicable
+
+This event sends data on whether the update was applicable to the device. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **EventPublishedTime** Time when this event was generated.
+- **flightID** The specific ID of the Windows Insider build.
+- **inapplicableReason** The reason why the update is inapplicable.
+- **revisionNumber** Update revision number.
+- **updateId** Unique Windows Update ID.
+- **updateScenarioType** Update session type.
+- **UpdateStatus** Last status of update.
+- **UUPFallBackConfigured** Indicates whether UUP fallback is configured.
+- **wuDeviceid** Unique Device ID.
+
+
+### Microsoft.Windows.Update.Orchestrator.InitiatingReboot
+
+This event sends data about an Orchestrator requesting a reboot from power management to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **EventPublishedTime** Time of the event.
+- **flightID** Unique update ID
+- **interactive** Indicates whether the reboot initiation stage of the update process was entered as a result of user action.
+- **rebootOutsideOfActiveHours** Indicates whether the reboot was to occur outside of active hours.
+- **revisionNumber** Revision number of the update.
+- **updateId** Update ID.
+- **updateScenarioType** The update session type.
+- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated.
+- **wuDeviceid** Unique device ID used by Windows Update.
+
+
+### Microsoft.Windows.Update.Orchestrator.Install
+
+This event sends launch data for a Windows Update install to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **batteryLevel** Current battery capacity in mWh or percentage left.
+- **deferReason** Reason for install not completing.
+- **errorCode** The error code reppresented by a hexadecimal value.
+- **eventScenario** End-to-end update session ID.
+- **flightID** The ID of the Windows Insider build the device is getting.
+- **IgnoreReasonsForRestart** The reason(s) a Postpone Restart command was ignored.
+- **interactive** Identifies if session is user initiated.
+- **rebootOutsideOfActiveHours** Indicates whether a reboot is scheduled outside of active hours.
+- **revisionNumber** Update revision number.
+- **updateId** Update ID.
+- **updateScenarioType** The update session type.
+- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.RebootFailed + +This event sends information about whether an update required a reboot and reasons for failure, to help keep Windows secure and up to date. + +The following fields are available: + +- **batteryLevel** Current battery capacity in mWh or percentage left. +- **deferReason** Reason for install not completing. +- **EventPublishedTime** The time that the reboot failure occurred. +- **flightID** Unique update ID. +- **rebootOutsideOfActiveHours** Indicates whether a reboot was scheduled outside of active hours. +- **RebootResults** Hex code indicating failure reason. Typically, we expect this to be a specific USO generated hex code. +- **revisionNumber** Update revision number. +- **updateId** Update ID. +- **updateScenarioType** The update session type. +- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.RefreshSettings + +This event sends basic data about the version of upgrade settings applied to the system to help keep Windows secure and up to date. -### NuiServiceTelemetryProvider.DriverSensorFirmwareVersion +### Microsoft.Windows.Update.Orchestrator.RestoreRebootTask -This event reports the version of the currently installed firmware. +This event sends data indicating that a reboot task is missing unexpectedly on a device and the task is restored because a reboot is still required, to help keep Windows secure and up to date. 
+
+The following fields are available:
+
+- **RebootTaskNextTimeUTC** The time when the reboot task was rescheduled for.
+- **RebootTaskRestoredTime** Time at which this reboot task was restored.
+- **wuDeviceid** Device ID for the device on which the reboot is restored.
+
+
+### Microsoft.Windows.Update.Orchestrator.ScanTriggered
+
+This event indicates that Update Orchestrator has started a scan operation. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **interactive** Indicates whether the scan is interactive.
+- **isDTUEnabled** Indicates whether DTU (internal abbreviation for Direct Feature Update) channel is enabled on the client system.
+- **isScanPastSla** Indicates whether the SLA has elapsed for scanning.
+- **isScanPastTriggerSla** Indicates whether the SLA has elapsed for triggering a scan.
+- **minutesOverScanSla** Indicates how many minutes the scan exceeded the scan SLA.
+- **minutesOverScanTriggerSla** Indicates how many minutes the scan exceeded the scan trigger SLA.
+- **scanTriggerSource** Indicates what caused the scan.
+- **updateScenarioType** The update session type.
+- **wuDeviceid** Unique device ID used by Windows Update.
+
+
+### Microsoft.Windows.Update.Orchestrator.StickUpdate
+
+This event is sent when the update service orchestrator (USO) indicates the update cannot be superseded by a newer update. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **updateId** Identifier associated with the specific piece of content.
+- **wuDeviceid** Unique device ID controlled by the software distribution client.
+
+
+### Microsoft.Windows.Update.Orchestrator.SystemNeeded
+
+This event sends data about why a device is unable to reboot, to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **eventScenario** End-to-end update session ID.
+- **rebootOutsideOfActiveHours** Indicates whether a reboot is scheduled outside of active hours.
+- **revisionNumber** Update revision number.
+- **systemNeededReason** List of apps or tasks that are preventing the system from restarting.
+- **updateId** Update ID.
+- **updateScenarioType** The update session type.
+- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date.
+- **wuDeviceid** Unique device ID used by Windows Update.
+
+
+### Microsoft.Windows.Update.Orchestrator.UniversalOrchestratorInvalidSignature
+
+This event is sent when an updater has attempted to register a binary that is not signed by Microsoft. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **updaterCmdLine** The callback executable for the updater.
+- **updaterId** The ID of the updater.
+- **wuDeviceid** Unique device ID used by Windows Update.
+
+
+### Microsoft.Windows.Update.Orchestrator.UniversalOrchestratorScheduleWorkInvalidCmd
+
+This event indicates a critical error with the callback binary requested by the updater. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **updaterCmdLine** The command line requested by the updater.
+- **updaterId** The ID of the updater that requested the work.
+- **wuDeviceid** WU device ID.
+
+
+### Microsoft.Windows.Update.Orchestrator.UniversalOrchestratorScheduleWorkNonSystem
+
+This event ensures that only callers with system or admin privileges are allowed to schedule work through Windows Update Universal Orchestrator. The data collected with this event is used to help keep Windows product and service secure.
+
+The following fields are available:
+
+- **updaterCmdLine** Updater Command Line.
+- **updaterId** Updater ID.
+- **wuDeviceid** Device ID.
+
+
+### Microsoft.Windows.Update.Orchestrator.UnstickUpdate
+
+This event is sent when the update service orchestrator (USO) indicates that the update can be superseded by a newer update. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **updateId** Identifier associated with the specific piece of content.
+- **wuDeviceid** Unique device ID controlled by the software distribution client.
+
+
+### Microsoft.Windows.Update.Ux.MusNotification.EnhancedEngagedRebootUxState
+
+This event sends information about the configuration of Enhanced Direct-to-Engaged (eDTE), which includes values for the timing of how eDTE will progress through each phase of the reboot. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **AcceptAutoModeLimit** The maximum number of days for a device to automatically enter Auto Reboot mode.
+- **AutoToAutoFailedLimit** The maximum number of days for Auto Reboot mode to fail before a Reboot Failed dialog will be shown.
+- **DeviceLocalTime** The date and time (based on the device date/time settings) the reboot mode changed.
+- **EngagedModeLimit** The number of days to switch between DTE (Direct-to-Engaged) dialogs.
+- **EnterAutoModeLimit** The maximum number of days a device can enter Auto Reboot mode.
+- **ETag** The Entity Tag that represents the OneSettings version.
+- **IsForcedEnabled** Identifies whether Forced Reboot mode is enabled for the device.
+- **IsUltimateForcedEnabled** Identifies whether Ultimate Forced Reboot mode is enabled for the device.
+- **OldestUpdateLocalTime** The date and time (based on the device date/time settings) this update’s reboot began pending.
+- **RebootUxState** Identifies the reboot state: Engaged, Auto, Forced, UltimateForced.
+- **RebootVersion** The version of the DTE (Direct-to-Engaged).
+- **SkipToAutoModeLimit** The maximum number of days to switch to start while in Auto Reboot mode.
+- **UpdateId** The ID of the update that is waiting for reboot to finish installation.
+- **UpdateRevision** The revision of the update that is waiting for reboot to finish installation.
+
+
+### Microsoft.Windows.Update.Ux.MusNotification.RebootNoLongerNeeded
+
+This event is sent when a security update has successfully completed. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **UtcTime** The Coordinated Universal Time that the restart was no longer needed.
+
+
+### Microsoft.Windows.Update.Ux.MusNotification.RebootScheduled
+
+This event sends basic information about scheduling an update-related reboot, to get security updates and to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **activeHoursApplicable** Indicates whether Active Hours applies on this device.
+- **IsEnhancedEngagedReboot** Indicates whether Enhanced reboot was enabled.
+- **rebootArgument** Argument for the reboot task. It also represents specific reboot related action.
+- **rebootOutsideOfActiveHours** True, if a reboot is scheduled outside of active hours. False, otherwise.
+- **rebootScheduledByUser** True, if a reboot is scheduled by user. False, if a reboot is scheduled automatically.
+- **rebootState** Current state of the reboot.
+- **rebootUsingSmartScheduler** Indicates that the reboot is scheduled by SmartScheduler.
+- **revisionNumber** Revision number of the OS.
+- **scheduledRebootTime** Time scheduled for the reboot.
+- **scheduledRebootTimeInUTC** Time scheduled for the reboot, in UTC.
+- **updateId** Identifies which update is being scheduled.
+- **wuDeviceid** The unique device ID used by Windows Update.
+ + +### Microsoft.Windows.Update.Ux.MusUpdateSettings.RebootScheduled + +This event sends basic information for scheduling a device restart to install security updates. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **activeHoursApplicable** Is the restart respecting Active Hours? +- **IsEnhancedEngagedReboot** TRUE if the reboot path is Enhanced Engaged. Otherwise, FALSE. +- **rebootArgument** The arguments that are passed to the OS for the restarted. +- **rebootOutsideOfActiveHours** Was the restart scheduled outside of Active Hours? +- **rebootScheduledByUser** Was the restart scheduled by the user? If the value is false, the restart was scheduled by the device. +- **rebootState** The state of the restart. +- **rebootUsingSmartScheduler** TRUE if the reboot should be performed by the Smart Scheduler. Otherwise, FALSE. +- **revisionNumber** The revision number of the OS being updated. +- **scheduledRebootTime** Time of the scheduled reboot +- **scheduledRebootTimeInUTC** Time of the scheduled restart, in Coordinated Universal Time. +- **updateId** The Windows Update device GUID. +- **wuDeviceid** The Windows Update device GUID. + + +### Microsoft.Windows.Update.Ux.NotifyIcon.RebootScheduled + +This event is reported when user schedules restart. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **activeHoursApplicable** Indicates if active hours are applicable. +- **IsEnhancedEngagedReboot** Indicates if enhanced engaged restarts applies. +- **rebootArgument** Represents reboot argument. +- **rebootOutsideOfActiveHours** Reboot outside of active hours. +- **rebootScheduledByUser** Restart scheduled by the user. +- **rebootState** Indicates reboot state. +- **rebootUsingSmartScheduler** Reboot using Smart Scheduler. +- **revisionNumber** Represents the revision number. 
+- **scheduledRebootTime** Indicates scheduled reboot time. +- **scheduledRebootTimeInUTC** Indicates scheduled reboot time in UTC. +- **updateId** Represents update ID. +- **wuDeviceid** Represents device ID. + + +## Windows Update mitigation events + +### Mitigation360Telemetry.MitigationCustom.CleanupSafeOsImages + +This event sends data specific to the CleanupSafeOsImages mitigation used for OS Updates. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **ClientId** The client ID used by Windows Update. +- **FlightId** The ID of each Windows Insider build the device received. +- **InstanceId** A unique device ID that identifies each update instance. +- **MitigationScenario** The update scenario in which the mitigation was executed. +- **MountedImageCount** The number of mounted images. +- **MountedImageMatches** The number of mounted image matches. +- **MountedImagesFailed** The number of mounted images that could not be removed. +- **MountedImagesRemoved** The number of mounted images that were successfully removed. +- **MountedImagesSkipped** The number of mounted images that were not found. +- **RelatedCV** The correlation vector value generated from the latest USO scan. +- **Result** HResult of this operation. +- **ScenarioId** ID indicating the mitigation scenario. +- **ScenarioSupported** Indicates whether the scenario was supported. +- **SessionId** Unique value for each update attempt. +- **UpdateId** Unique ID for each Windows Update. +- **WuId** Unique ID for the Windows Update client. + + +### Mitigation360Telemetry.MitigationCustom.FixAppXReparsePoints + +This event sends data specific to the FixAppXReparsePoints mitigation used for OS updates. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **ClientId** In the WU scenario, this will be the WU client ID that is passed to Setup. 
In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightId** Unique identifier for each flight. +- **InstanceId** Unique GUID that identifies each instances of setuphost.exe. +- **MitigationScenario** The update scenario in which the mitigation was executed. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **ReparsePointsFailed** Number of reparse points that are corrupted but we failed to fix them. +- **ReparsePointsFixed** Number of reparse points that were corrupted and were fixed by this mitigation. +- **ReparsePointsSkipped** Number of reparse points that are not corrupted and no action is required. +- **Result** HResult of this operation. +- **ScenarioId** ID indicating the mitigation scenario. +- **ScenarioSupported** Indicates whether the scenario was supported. +- **SessionId** Unique value for each update attempt. +- **UpdateId** Unique ID for each Update. +- **WuId** Unique ID for the Windows Update client. + + +## Windows Update Reserve Manager events + +### Microsoft.Windows.UpdateReserveManager.BeginScenario + +This event is sent when the Update Reserve Manager is called to begin a scenario. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **Flags** The flags that are passed to the begin scenario function. +- **HardReserveSize** The size of the hard reserve. +- **HardReserveUsedSpace** The used space in the hard reserve. +- **OwningScenarioId** The scenario ID the client that called the begin scenario function. +- **ReturnCode** The return code for the begin scenario operation. +- **ScenarioId** The scenario ID that is internal to the reserve manager. +- **SoftReserveSize** The size of the soft reserve. +- **SoftReserveUsedSpace** The amount of soft reserve space that was used. 
+
+
+### Microsoft.Windows.UpdateReserveManager.ClearReserve
+
+This event is sent when the Update Reserve Manager clears one of the reserves. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **FinalReserveUsedSpace** The amount of used space for the reserve after it was cleared.
+- **InitialReserveUsedSpace** The amount of used space for the reserve before it was cleared.
+- **ReserveId** The ID of the reserve that needs to be cleared.
+
+
+### Microsoft.Windows.UpdateReserveManager.CommitPendingHardReserveAdjustment
+
+This event is sent when the Update Reserve Manager commits a hard reserve adjustment that was pending. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **FinalAdjustment** Final adjustment for the hard reserve following the addition or removal of optional content.
+- **InitialAdjustment** Initial intended adjustment for the hard reserve following the addition or removal of optional content.
+
+
+### Microsoft.Windows.UpdateReserveManager.EndScenario
+
+This event is sent when the Update Reserve Manager ends an active scenario. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **ActiveScenario** The current active scenario.
+- **Flags** The flags passed to the end scenario call.
+- **HardReserveSize** The size of the hard reserve when the end scenario is called.
+- **HardReserveUsedSpace** The used space in the hard reserve when the end scenario is called.
+- **ReturnCode** The return code of this operation.
+- **ScenarioId** The ID of the internal reserve manager scenario.
+- **SoftReserveSize** The size of the soft reserve when end scenario is called.
+- **SoftReserveUsedSpace** The amount of the soft reserve used when end scenario is called.
+
+
+### Microsoft.Windows.UpdateReserveManager.FunctionReturnedError
+
+This event is sent when the Update Reserve Manager returns an error from one of its internal functions. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **FailedExpression** The failed expression that was returned.
+- **FailedFile** The binary file that contained the failed function.
+- **FailedFunction** The name of the function that originated the failure.
+- **FailedLine** The line number of the failure.
+- **ReturnCode** The return code of the function.
+
+
+### Microsoft.Windows.UpdateReserveManager.InitializeReserves
+
+This event is sent when reserves are initialized on the device. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **FallbackInitUsed** Indicates whether fallback initialization is used.
+- **FinalUserFreeSpace** The amount of user free space after initialization.
+- **Flags** The flags used in the initialization of Update Reserve Manager.
+- **FreeSpaceToLeaveInUpdateScratch** The amount of space that should be left free after using the reserves.
+- **HardReserveFinalSize** The final size of the hard reserve.
+- **HardReserveFinalUsedSpace** The used space in the hard reserve.
+- **HardReserveInitialSize** The size of the hard reserve after initialization.
+- **HardReserveInitialUsedSpace** The utilization of the hard reserve after initialization.
+- **HardReserveTargetSize** The target size that was set for the hard reserve.
+- **InitialUserFreeSpace** The user free space during initialization.
+- **PostUpgradeFreeSpace** The free space value passed into the Update Reserve Manager to determine reserve sizing post upgrade.
+- **SoftReserveFinalSize** The final size of the soft reserve.
+- **SoftReserveFinalUsedSpace** The used space in the soft reserve.
+- **SoftReserveInitialSize** The soft reserve size after initialization.
+- **SoftReserveInitialUsedSpace** The utilization of the soft reserve after initialization.
+- **SoftReserveTargetSize** The target size that was set for the soft reserve.
+- **TargetUserFreeSpace** The target user free space that was passed into the reserve manager to determine reserve sizing post upgrade.
+- **UpdateScratchFinalUsedSpace** The used space in the scratch reserve.
+- **UpdateScratchInitialUsedSpace** The utilization of the scratch reserve after initialization.
+- **UpdateScratchReserveFinalSize** The utilization of the scratch reserve after initialization.
+- **UpdateScratchReserveInitialSize** The size of the scratch reserve after initialization.
+
+
+### Microsoft.Windows.UpdateReserveManager.InitializeUpdateReserveManager
+
+This event returns data about the Update Reserve Manager, including whether it’s been initialized. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **ClientId** The ID of the caller application.
+- **Flags** The enumerated flags used to initialize the manager.
+- **FlightId** The flight ID of the content the calling client is currently operating with.
+- **Offline** Indicates whether or the reserve manager is called during offline operations.
+- **PolicyPassed** Indicates whether the machine is able to use reserves.
+- **ReturnCode** Return code of the operation.
+- **Version** The version of the Update Reserve Manager.
+
+
+### Microsoft.Windows.UpdateReserveManager.PrepareTIForReserveInitialization
+
+This event is sent when the Update Reserve Manager prepares the Trusted Installer to initialize reserves on the next boot. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **FallbackLogicUsed** Indicates whether fallback logic was used for initialization.
+- **Flags** The flags that are passed to the function to prepare the Trusted Installer for reserve initialization. + + +### Microsoft.Windows.UpdateReserveManager.ReevaluatePolicy + +This event is sent when the Update Reserve Manager reevaluates policy to determine reserve usage. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **PolicyChanged** Indicates whether the policy has changed. +- **PolicyFailedEnum** The reason why the policy failed. +- **PolicyPassed** Indicates whether the policy passed. + + +### Microsoft.Windows.UpdateReserveManager.RemovePendingHardReserveAdjustment + +This event is sent when the Update Reserve Manager removes a pending hard reserve adjustment. The data collected with this event is used to help keep Windows secure and up to date. -### NuiServiceTelemetryProvider.DriverSensorHardwareVersion +### Microsoft.Windows.UpdateReserveManager.TurnOffReserves -This event reports basic and raw hardware version of the NUI sensor. Also reports serial number. +This event is sent when the Update Reserve Manager turns off reserve functionality for certain operations. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **Flags** Flags used in the turn off reserves function. +- **HardReserveSize** The size of the hard reserve when Turn Off is called. +- **HardReserveUsedSpace** The amount of space used by the hard reserve when Turn Off is called +- **ScratchReserveSize** The size of the scratch reserve when Turn Off is called. +- **ScratchReserveUsedSpace** The amount of space used by the scratch reserve when Turn Off is called. +- **SoftReserveSize** The size of the soft reserve when Turn Off is called. +- **SoftReserveUsedSpace** The amount of the soft reserve used when Turn Off is called. 
+### Microsoft.Windows.UpdateReserveManager.UpdatePendingHardReserveAdjustment -### NuiServiceTelemetryProvider.SensorFirmwareDeviceError +This event is sent when the Update Reserve Manager needs to adjust the size of the hard reserve after the option content is installed. The data collected with this event is used to help keep Windows secure and up to date. -This event reports sensor firmware device error. +The following fields are available: + +- **ChangeSize** The change in the hard reserve size based on the addition or removal of optional content. +- **Disposition** The parameter for the hard reserve adjustment function. +- **Flags** The flags passed to the hard reserve adjustment function. +- **PendingHardReserveAdjustment** The final change to the hard reserve size. +- **UpdateType** Indicates whether the change is an increase or decrease in the size of the hard reserve. +## Winlogon events -### SignInArbiter.AutoPairingGeneralInfo +### Microsoft.Windows.Security.Winlogon.SetupCompleteLogon -This event is reported at various times to note system state. - - - -### XceDiagnosticUploadable.UploaderPerfHeartbeat - -This event reports a digest of a number of different counters that are tracked locally by the uploader. +This event signals the completion of the setup process. It happens only once during the first logon. ## XDE events +### Microsoft.Emulator.Xde.RunTime.SystemReady + +This event sends basic information on the XDE application to understand and address performance issues relating to the emulator startup. The data collected with this event is used to keep Windows performing properly. + +The following fields are available: + +- **timeTakenMilliseconds** Time in milliseconds it took to be ready for user interaction. +- **usingSnapshot** True if using a snapshot. + + ### Microsoft.Emulator.Xde.RunTime.XdeStarted -This event sends basic information regarding the XDE process to address problems with emulator start. 
+This event sends basic information regarding the XDE process to address problems with emulator start. The data collected with this event is used to keep Windows performing properly. The following fields are available: @@ -1270,6 +7562,7 @@ The following fields are available: - **diffDiskVhd** Diff disk name. - **displayName** Display name. - **fastShutdown** True if should try to shutdown quickly. +- **gpuDisabled** True if GPU is disabled. - **language** Language to use for UI. - **memSize** Memory size. - **natDisabled** True if NAT is to be disabled. @@ -1291,6 +7584,3 @@ The following fields are available: - **virtualMachineName** VM name. - **waitForClientConnection** True if we should wait for client connection. - **wp81NetworkStackDisabled** WP 8.1 networking stack disabled. - - - diff --git a/windows/privacy/windows-10-and-privacy-compliance.md b/windows/privacy/windows-10-and-privacy-compliance.md index 2ac7d9dc79..e1011307d6 100644 --- a/windows/privacy/windows-10-and-privacy-compliance.md +++ b/windows/privacy/windows-10-and-privacy-compliance.md 
@@ -40,7 +40,7 @@ Transparency is an important part of the data collection process in Windows 10. ### 1.1 Device set up experience and support for layered transparency -When setting up a device, a user can configure their privacy settings. Those privacy settings are key in determining the amount of personal data collected. For each privacy setting, the user is provided information about the setting along with the links to supporting information. This information explains what data is collected, how the data is used, and how to manage the setting after the device setup is complete. When connected to the network during this portion of setup, the user can also review the privacy statement. A brief overview of the set up experience for privacy settings is described in [this blog](https://blogs.windows.com/windowsexperience/2018/03/06/windows-insiders-get-first-look-new-privacy-screen-settings-layout-coming-windows-10/#uCC2bKYP8M5BqrDP.97). +When setting up a device, a user can configure their privacy settings. Those privacy settings are key in determining the amount of personal data collected. For each privacy setting, the user is provided information about the setting along with the links to supporting information. This information explains what data is collected, how the data is used, and how to manage the setting after the device setup is complete. When connected to the network during this portion of setup, the user can also review the privacy statement. A brief overview of the set up experience for privacy settings is described in [Windows Insiders get first look at new privacy screen settings layout coming to Windows 10](https://blogs.windows.com/windowsexperience/2018/03/06/windows-insiders-get-first-look-new-privacy-screen-settings-layout-coming-windows-10/#uCC2bKYP8M5BqrDP.97), a blog entry on Windows Blogs. 
The following table provides an overview of the Windows 10 privacy settings presented during the device setup experience that involve processing personal data and where to find additional information. @@ -168,7 +168,7 @@ If a user signs in to a Windows experience or app on their device with their Mic ## 4. Cross-border data transfers -Microsoft complies with the EU-U.S. Privacy Shield Framework and Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union, the United Kingdom, and Switzerland to the United States. +Microsoft complies with applicable law regarding the collection, use, and retention of personal information, including its transfer across borders Microsoft’s [Privacy Statement](https://privacy.microsoft.com/privacystatement#mainwherewestoreandprocessdatamodule) provides details on how we store and process personal data. diff --git a/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md b/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md index c4bb922fb2..da43880ca5 100644 --- a/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md +++ b/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md @@ -121,6 +121,8 @@ The following methodology was used to derive the network endpoints: | `www.bing.com`* | HTTP | Used for updates for Cortana, apps, and Live Tiles | `www.msftconnecttest.com` | HTTP | Network Connection (NCSI) | `www.office.com` | HTTPS | Microsoft Office +| adl.windows.com | HTTP | Used for compatibility database updates for Windows +| windows.policies.live.net | HTTP | OneDrive ## Windows 10 Pro diff --git a/windows/privacy/windows-endpoints-1909-non-enterprise-editions.md b/windows/privacy/windows-endpoints-1909-non-enterprise-editions.md index 357c78dd10..d0d7ff467f 100644 --- a/windows/privacy/windows-endpoints-1909-non-enterprise-editions.md 
+++ b/windows/privacy/windows-endpoints-1909-non-enterprise-editions.md @@ -12,7 +12,7 @@ ms.author: v-hakima manager: obezeajo ms.collection: M365-security-compliance ms.topic: article -ms.date: 7/22/2020 +ms.date: 08/18/2020 --- # Windows 10, version 1909, connection endpoints for non-Enterprise editions @@ -83,6 +83,7 @@ The following methodology was used to derive the network endpoints: |*.blob.core.windows.net|HTTP/TLS v1.2|Windows Telemetry |storage.live.com|HTTP/TLS v1.2|OneDrive |skydrivesync.policies.live.net|TLS v1.2|OneDrive +|dm2302.settings.live.net|HTTP|OneDrive |slscr.update.microsoft.com|HTTPS/TLS V1.2|Windows Update |tile-service.weather.microsoft.com|HTTP|Used for the Weather app |tsfe.trafficshaping.dsp.mp.microsoft.com|HTTP|This endpoint is used for content regulation @@ -92,13 +93,15 @@ The following methodology was used to derive the network endpoints: |www.bing.com|HTTPS/TLS v1.2|Cortana and Live Tiles |www.msftconnecttest.com|HTTP|Network Connection Status Indicator (NCSI) |wdcp.microsoft.com|HTTPS|Used for Windows Defender when Cloud-based Protection is enabled +|activity.windows.com|TLSV1.2|Used by Activity Feed Service which enables multiple cross-device data roaming scenarios on Windows +|adl.windows.com|HTTP|Used for compatibility database updates for Windows ## Windows 10 Pro | **Destination** | **Protocol** | **Description** | | --- | --- | --- | |*.prod.do.dsp.mp.microsoft.com|HTTP/TLS v1.2|Windows Update -|api.onedrive.com|HTTP|One Drive +|api.onedrive.com|HTTP|OneDrive |smartscreen-prod.microsoft.com|HTTP|Used for Windows Defender SmartScreen reporting and notifications |nav.smartscreen.microsoft.com|HTTPS/TLS v1.2|Windows Defender |*.update.microsoft.com|HTTP|Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store 
@@ -151,8 +154,11 @@ The following methodology was used to derive the network endpoints: |www.bing.com|HTTPS/TLS v1.2|Cortana and Live Tiles |www.msftconnecttest.com|HTTP|Network Connection Status Indicator (NCSI) |outlook.office365.com|HTTP|Microsoft Office -|storage.live.com|HTTP/TLS v1.2|One Drive -|skydrivesync.policies.live.net|TLS v1.2|One Drive +|storage.live.com|HTTP/TLS v1.2|OneDrive +|skydrivesync.policies.live.net|TLS v1.2|OneDrive +|windows.policies.live.net|HTTP|OneDrive +|activity.windows.com|TLSV1.2|Used by Activity Feed Service which enables multiple cross-device data roaming scenarios on Windows +|adl.windows.com|HTTP|Used for compatibility database updates for Windows ## Windows 10 Education @@ -166,7 +172,7 @@ The following methodology was used to derive the network endpoints: |dmd.metaservices.microsoft.com|HTTP|Device metadata |Inference.location.live.net|TLS v1.2|Location |oneclient.sfx.ms|HTTPS|OneDrive -|storage.live.com|HTTP/TLS v1.2|One Drive +|storage.live.com|HTTP/TLS v1.2|OneDrive |skydrivesync.policies.live.net|TLS v1.2|OneDrive |slscr.update.microsoft.com|HTTPS/TLS v1.2|Windows Update |fe2cr.update.microsoft.com|HTTPS/TLS v1.2|Windows Update @@ -201,3 +207,4 @@ The following methodology was used to derive the network endpoints: |outlook.office365.com|HTTP|Microsoft Office |www.bing.com|TLS v1.2|Used for updates for Cortana, apps, and Live Tiles |www.msftconnecttest.com|HTTP|Network Connection (NCSI) +|adl.windows.com|HTTP|Used for compatibility database updates for Windows diff --git a/windows/security/identity-protection/access-control/active-directory-accounts.md b/windows/security/identity-protection/access-control/active-directory-accounts.md index dabc7f749b..2ae163cea6 100644 --- a/windows/security/identity-protection/access-control/active-directory-accounts.md +++ b/windows/security/identity-protection/access-control/active-directory-accounts.md 
@@ -470,7 +470,7 @@ Each default local account in Active Directory has a number of account settings

      Account is trusted for delegation

      -

      Lets a service running under this account perform operations on behalf of other user accounts on the network. A service running under a user account (also known as a service account) that is trusted for delegation can impersonate a client to gain access to resources, either on the computer where the service is running or on other computers. For example, in a forest that is set to the Windows Server 2003 functional level, this setting is found on the Delegation tab. It is available only for accounts that have been assigned service principal names (SPNs), which are set by using the setspn command from Windows Support Tools. This setting is security-sensitive and should be assigned cautiously.

      +

      Lets a service running under this account perform operations on behalf of other user accounts on the network. A service running under a user account (also known as a service account) that is trusted for delegation can impersonate a client to gain access to resources, either on the computer where the service is running or on other computers. For example, in a forest that is set to the Windows Server 2003 functional level, this setting is found on the Delegation tab. It is available only for accounts that have been assigned service principal names (SPNs), which are set by using the setspn command from Windows Support Tools. This setting is security-sensitive and should be assigned cautiously.

      Account is sensitive and cannot be delegated

      @@ -480,7 +480,7 @@ Each default local account in Active Directory has a number of account settings

      Use DES encryption types for this account

      Provides support for the Data Encryption Standard (DES). DES supports multiple levels of encryption, including Microsoft Point-to-Point Encryption (MPPE) Standard (40-bit and 56-bit), MPPE standard (56-bit), MPPE Strong (128-bit), Internet Protocol security (IPSec) DES (40-bit), IPSec 56-bit DES, and IPSec Triple DES (3DES).

      -Note

      DES is not enabled by default in Windows Server operating systems starting with Windows Server 2008 R2, nor in Windows client operating systems starting with Windows 7. For these operating systems, computers will not use DES-CBC-MD5 or DES-CBC-CRC cipher suites by default. If your environment requires DES, then this setting might affect compatibility with client computers or services and applications in your environment. For more information, see Hunting down DES in order to securely deploy Kerberos.

      +Note

      DES is not enabled by default in Windows Server operating systems starting with Windows Server 2008 R2, nor in Windows client operating systems starting with Windows 7. For these operating systems, computers will not use DES-CBC-MD5 or DES-CBC-CRC cipher suites by default. If your environment requires DES, then this setting might affect compatibility with client computers or services and applications in your environment. For more information, see Hunting down DES in order to securely deploy Kerberos.

      @@ -656,8 +656,8 @@ In this procedure, the workstations are dedicated to domain administrators. By s -

      Windows Update Setting

      -

      Configuration

      +

      Windows Update Setting

      +

      Configuration

      Allow Automatic Updates immediate installation

      diff --git a/windows/security/identity-protection/access-control/active-directory-security-groups.md b/windows/security/identity-protection/access-control/active-directory-security-groups.md index 4e3f264246..61198672fc 100644 --- a/windows/security/identity-protection/access-control/active-directory-security-groups.md +++ b/windows/security/identity-protection/access-control/active-directory-security-groups.md @@ -2189,7 +2189,7 @@ This security group was introduced in Windows Server 2012, and it has not chang IIS\_IUSRS is a built-in group that is used by Internet Information Services beginning with IIS 7.0. A built-in account and group are guaranteed by the operating system to always have a unique SID. IIS 7.0 replaces the IUSR\_MachineName account and the IIS\_WPG group with the IIS\_IUSRS group to ensure that the actual names that are used by the new account and group will never be localized. For example, regardless of the language of the Windows operating system that you install, the IIS account name will always be IUSR, and the group name will be IIS\_IUSRS. -For more information, see [Understanding Built-In User and Group Accounts in IIS 7](http://www.iis.net/learn/get-started/planning-for-security/understanding-built-in-user-and-group-accounts-in-iis). +For more information, see [Understanding Built-In User and Group Accounts in IIS 7](https://docs.microsoft.com/iis/get-started/planning-for-security/understanding-built-in-user-and-group-accounts-in-iis). This security group has not changed since Windows Server 2008. diff --git a/windows/security/identity-protection/access-control/dynamic-access-control.md b/windows/security/identity-protection/access-control/dynamic-access-control.md index 1ef5a24b40..3ad985610a 100644 --- a/windows/security/identity-protection/access-control/dynamic-access-control.md +++ b/windows/security/identity-protection/access-control/dynamic-access-control.md 
@@ -1,6 +1,6 @@ --- title: Dynamic Access Control Overview (Windows 10) -description: Dynamic Access Control Overview +description: Learn about Dynamic Access Control and its associated elements, which were introduced in Windows Server 2012 and Windows 8. ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/security/identity-protection/access-control/local-accounts.md b/windows/security/identity-protection/access-control/local-accounts.md index 7e7c2236cd..56e4f2edf2 100644 --- a/windows/security/identity-protection/access-control/local-accounts.md +++ b/windows/security/identity-protection/access-control/local-accounts.md @@ -297,9 +297,9 @@ The following table shows the Group Policy and registry settings that are used t -

      No.

      -

      Setting

      -

      Detailed Description

      +

      No.

      +

      Setting

      +

      Detailed Description

      @@ -334,7 +334,7 @@ The following table shows the Group Policy and registry settings that are used t

      3

      Registry key

      -

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

      +

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

      @@ -444,9 +444,9 @@ The following table shows the Group Policy settings that are used to deny networ -

      No.

      -

      Setting

      -

      Detailed Description

      +

      No.

      +

      Setting

      +

      Detailed Description

      diff --git a/windows/security/identity-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md index b4bbe78a9d..32bf1aabaf 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-manage.md @@ -21,13 +21,14 @@ ms.custom: # Manage Windows Defender Credential Guard **Applies to** -- Windows 10 +- Windows 10 <=1903 Enterprise and Education SKUs +- Windows 10 >=1909 - Windows Server 2016 - Windows Server 2019 ## Enable Windows Defender Credential Guard -Windows Defender Credential Guard can be enabled either by using [Group Policy](#enable-windows-defender-credential-guard-by-using-group-policy), the [registry](#enable-windows-defender-credential-guard-by-using-the-registry), or the Hypervisor-Protected Code Integrity (HVCI) and Windows Defender Credential Guard [hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337). Windows Defender Credential Guard can also protect secrets in a Hyper-V virtual machine, just as it would on a physical machine. +Windows Defender Credential Guard can be enabled either by using [Group Policy](#enable-windows-defender-credential-guard-by-using-group-policy), the [registry](#enable-windows-defender-credential-guard-by-using-the-registry), or the Hypervisor-Protected Code Integrity (HVCI) and Windows Defender Credential Guard [hardware readiness tool](dg-readiness-tool.md). Windows Defender Credential Guard can also protect secrets in a Hyper-V virtual machine, just as it would on a physical machine. The same set of procedures used to enable Windows Defender Credential Guard on physical machines applies also to virtual machines. 
@@ -36,9 +37,13 @@ The same set of procedures used to enable Windows Defender Credential Guard on p You can use Group Policy to enable Windows Defender Credential Guard. This will add and enable the virtualization-based security features for you if needed. 1. From the Group Policy Management Console, go to **Computer Configuration** -> **Administrative Templates** -> **System** -> **Device Guard**. + 2. Double-click **Turn On Virtualization Based Security**, and then click the **Enabled** option. + 3. In the **Select Platform Security Level** box, choose **Secure Boot** or **Secure Boot and DMA Protection**. + 4. In the **Credential Guard Configuration** box, click **Enabled with UEFI lock**, and then click **OK**. If you want to be able to turn off Windows Defender Credential Guard remotely, choose **Enabled without lock**. + 5. In the **Secure Launch Configuration** box, choose **Not Configured**, **Enabled** or **Disabled**. Check [this article](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection) for more details. ![Windows Defender Credential Guard Group Policy setting](images/credguard-gp-2.png) @@ -49,8 +54,10 @@ To enforce processing of the group policy, you can run ```gpupdate /force```. ### Enable Windows Defender Credential Guard by using Intune -1. From **Home** click **Microsoft Intune** -2. Click **Device configuration** +1. From **Home**, click **Microsoft Intune**. + +2. Click **Device configuration**. + 3. Click **Profiles** > **Create Profile** > **Endpoint protection** > **Windows Defender Credential Guard**. > [!NOTE] 
@@ -66,6 +73,7 @@ Starting with Windows 10, version 1607 and Windows Server 2016, enabling Windows If you are using Windows 10, version 1507 (RTM) or Windows 10, version 1511, Windows features have to be enabled to use virtualization-based security. You can do this by using either the Control Panel or the Deployment Image Servicing and Management tool (DISM). + > [!NOTE] > If you enable Windows Defender Credential Guard by using Group Policy, the steps to enable Windows features through Control Panel or DISM are not required. Group Policy will install Windows features for you. @@ -73,22 +81,31 @@ You can do this by using either the Control Panel or the Deployment Image Servic **Add the virtualization-based security features by using Programs and Features** 1. Open the Programs and Features control panel. + 2. Click **Turn Windows feature on or off**. + 3. Go to **Hyper-V** -> **Hyper-V Platform**, and then select the **Hyper-V Hypervisor** check box. + 4. Select the **Isolated User Mode** check box at the top level of the feature selection. + 5. Click **OK**. **Add the virtualization-based security features to an offline image by using DISM** 1. Open an elevated command prompt. + 2. Add the Hyper-V Hypervisor by running the following command: - ``` + + ```console dism /image: /Enable-Feature /FeatureName:Microsoft-Hyper-V-Hypervisor /all ``` + 3. Add the Isolated User Mode feature by running the following command: - ``` + + ```console dism /image: /Enable-Feature /FeatureName:IsolatedUserMode ``` + > [!NOTE] > In Windows 10, version 1607 and later, the Isolated User Mode feature has been integrated into the core operating system. Running the command in step 3 above is therefore no longer required. 
@@ -100,11 +117,13 @@ You can do this by using either the Control Panel or the Deployment Image Servic 1. Open Registry Editor. 2. Enable virtualization-based security: + - Go to HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Control\\DeviceGuard. - Add a new DWORD value named **EnableVirtualizationBasedSecurity**. Set the value of this registry setting to 1 to enable virtualization-based security and set it to 0 to disable it. - Add a new DWORD value named **RequirePlatformSecurityFeatures**. Set the value of this registry setting to 1 to use **Secure Boot** only or set it to 3 to use **Secure Boot and DMA protection**. 3. Enable Windows Defender Credential Guard: + - Go to HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Control\\LSA. - Add a new DWORD value named **LsaCfgFlags**. Set the value of this registry setting to 1 to enable Windows Defender Credential Guard with UEFI lock, set it to 2 to enable Windows Defender Credential Guard without lock, and set it to 0 to disable it. @@ -120,9 +139,10 @@ You can do this by using either the Control Panel or the Deployment Image Servic You can also enable Windows Defender Credential Guard by using the [HVCI and Windows Defender Credential Guard hardware readiness tool](dg-readiness-tool.md). -``` +```console DG_Readiness_Tool.ps1 -Enable -AutoReboot ``` + > [!IMPORTANT] > When running the HVCI and Windows Defender Credential Guard hardware readiness tool on a non-English operating system, within the script, change `$OSArch = $(gwmi win32_operatingsystem).OSArchitecture` to be `$OSArch = $((gwmi win32_operatingsystem).OSArchitecture).tolower()` instead, in order for the tool to work. > This is a known issue. 
@@ -134,7 +154,9 @@ DG_Readiness_Tool.ps1 -Enable -AutoReboot You can view System Information to check that Windows Defender Credential Guard is running on a PC. 1. Click **Start**, type **msinfo32.exe**, and then click **System Information**. + 2. Click **System Summary**. + 3. Confirm that **Credential Guard** is shown next to **Virtualization-based security Services Configured**. Here's an example: @@ -143,9 +165,10 @@ You can view System Information to check that Windows Defender Credential Guard You can also check that Windows Defender Credential Guard is running by using the [HVCI and Windows Defender Credential Guard hardware readiness tool](dg-readiness-tool.md). -``` +```console DG_Readiness_Tool_v3.6.ps1 -Ready ``` + > [!IMPORTANT] > When running the HVCI and Windows Defender Credential Guard hardware readiness tool on a non-English operating system, within the script, change `*$OSArch = $(gwmi win32_operatingsystem).OSArchitecture` to be `$OSArch = $((gwmi win32_operatingsystem).OSArchitecture).tolower()` instead, in order for the tool to work. > This is a known issue. 
@@ -165,7 +188,7 @@ DG_Readiness_Tool_v3.6.ps1 -Ready - **Event ID 17** Error reading Windows Defender Credential Guard (LsaIso.exe) UEFI configuration: \[error code\] You can also verify that TPM is being used for key protection by checking Event ID 51 in the **Microsoft** -> **Windows** -> **Kernel-Boot** event source. If you are running with a TPM, the TPM PCR mask value will be something other than 0. - **Event ID 51** VSM Master Encryption Key Provisioning. Using cached copy status: **0x0**. Unsealing cached copy status: 0x1. New key generation status: 0x1. Sealing status: **0x1**. TPM PCR mask: **0x0**. - - You can use Windows Powershell to determine whether credential guard is running on a client computer. On the computer in question, open an elevated Powershell window and run the following command: + - You can use Windows PowerShell to determine whether credential guard is running on a client computer. On the computer in question, open an elevated PowerShell window and run the following command: ```powershell (Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard).SecurityServicesRunning @@ -195,7 +218,7 @@ To disable Windows Defender Credential Guard, you can use the following set of p 4. Delete the Windows Defender Credential Guard EFI variables by using bcdedit. From an elevated command prompt, type the following commands: - ``` syntax + ```console mountvol X: /s copy %WINDIR%\System32\SecConfig.efi X:\EFI\Microsoft\Boot\SecConfig.efi /Y bcdedit /create {0cb3b571-2f2e-4343-a879-d86a476d7215} /d "DebugTool" /application osloader 
@@ -232,9 +255,10 @@ For more info on virtualization-based security and HVCI, see [Enable virtualizat You can also disable Windows Defender Credential Guard by using the [HVCI and Windows Defender Credential Guard hardware readiness tool](dg-readiness-tool.md). -``` +```console DG_Readiness_Tool_v3.6.ps1 -Disable -AutoReboot ``` + > [!IMPORTANT] > When running the HVCI and Windows Defender Credential Guard hardware readiness tool on a non-English operating system, within the script, change `*$OSArch = $(gwmi win32_operatingsystem).OSArchitecture` to be `$OSArch = $((gwmi win32_operatingsystem).OSArchitecture).tolower()` instead, in order for the tool to work. > This is a known issue. @@ -243,7 +267,7 @@ DG_Readiness_Tool_v3.6.ps1 -Disable -AutoReboot From the host, you can disable Windows Defender Credential Guard for a virtual machine: -``` PowerShell +```powershell Set-VMSecurity -VMName -VirtualizationBasedSecurityOptOut $true ``` diff --git a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md index 7f5c4ffe62..cdf9c3ec9a 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md @@ -98,7 +98,7 @@ The following tables describe baseline protections, plus protections for improve | Hardware: **Trusted Platform Module (TPM)** |  **Requirement**: TPM 1.2 or TPM 2.0, either discrete or firmware.
      [TPM recommendations](https://technet.microsoft.com/itpro/windows/keep-secure/tpm-recommendations) | A TPM provides protection for VBS encryption keys that are stored in the firmware. This helps protect against attacks involving a physically present user with BIOS access. | | Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | **Requirements**: See the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](https://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot)| UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. | | Firmware: **Secure firmware update process** | **Requirements**: UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](https://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot).| UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. | -| Software: Qualified **Windows operating system** | **Requirement**: Windows 10 Enterprise, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise

      Important:
      Windows Server 2016 running as a domain controller does not support Windows Defender Credential Guard.

      |Support for VBS and for management features that simplify configuration of Windows Defender Credential Guard. | +| Software: Qualified **Windows operating system** | **Requirement**: Windows 10 or Windows Server 2016.

      Important:
      Windows Server 2016 running as a domain controller does not support Windows Defender Credential Guard.

      |Support for VBS and for management features that simplify configuration of Windows Defender Credential Guard. | > [!IMPORTANT] > The following tables list additional qualifications for improved security. We strongly recommend meeting the additional qualifications to significantly strengthen the level of security that Windows Defender Credential Guard can provide. @@ -133,5 +133,5 @@ The following table lists qualifications for Windows 10, version 1703, which are | Protections for Improved Security | Description | Security Benefits |---|---|---| -| Firmware: **VBS enablement of NX protection for UEFI runtime services** | **Requirements**:
      • VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be executable.
      • UEFI runtime service must meet these requirements:
          - Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table.
          - PE sections need to be page-aligned in memory (not required for in non-volatile storage).
          - The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:
              - All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both
              - No entries may be left with neither of the above attributes, indicating memory that is both executable and writable. Memory must be either readable and executable or writeable and non-executable.

      Notes:
      • This only applies to UEFI runtime service memory, and not UEFI boot service memory.
      • This protection is applied by VBS on OS page tables.


      Please also note the following:
      • Do not use sections that are both writeable and executable
      • Do not attempt to directly modify executable system memory
      • Do not use dynamic code | • Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
      • Reduces the attack surface to VBS from system firmware. | +| Firmware: **VBS enablement of NX protection for UEFI runtime services** | **Requirements**:
      • VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be executable.
      • UEFI runtime service must meet these requirements:
          - Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table.
          - PE sections need to be page-aligned in memory (not required for in non-volatile storage).
          - The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:
              - All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both
              - No entries may be left with neither of the above attributes, indicating memory that is both executable and writable. Memory must be either readable and executable or writeable and non-executable.

      Notes:
      • This only applies to UEFI runtime service memory, and not UEFI boot service memory.
      • This protection is applied by VBS on OS page tables.


      Please also note the following:
      • Do not use sections that are both writeable and executable
      • Do not attempt to directly modify executable system memory
      • Do not use dynamic code | • Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
      • Reduces the attack surface to VBS from system firmware. | | Firmware: **Firmware support for SMM protection** | **Requirements**: The [Windows SMM Security Mitigations Table (WSMT) specification](https://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features. | • Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
      • Reduces the attack surface to VBS from system firmware.
      • Blocks additional security attacks against SMM. |
diff --git a/windows/security/identity-protection/credential-guard/dg-readiness-tool.md b/windows/security/identity-protection/credential-guard/dg-readiness-tool.md
index ae96f09ed1..e609c9469d 100644
--- a/windows/security/identity-protection/credential-guard/dg-readiness-tool.md
+++ b/windows/security/identity-protection/credential-guard/dg-readiness-tool.md
@@ -657,7 +657,7 @@ function PrintHardwareReq
 {
 LogAndConsole "###########################################################################"
 LogAndConsole "OS and Hardware requirements for enabling Device Guard and Credential Guard"
- LogAndConsole " 1. OS SKUs: Available only on these OS Skus - Enterprise, Server, Education, Enterprise IoT, Pro, and Home"
+ LogAndConsole " 1. OS SKUs: Available only on these OS Skus - Enterprise, Server, Education and Enterprise IoT"
 LogAndConsole " 2. Hardware: Recent hardware that supports virtualization extension with SLAT"
 LogAndConsole "To learn more please visit: https://aka.ms/dgwhcr"
 LogAndConsole "########################################################################### `n"
@@ -735,7 +735,7 @@ function CheckOSSKU
 $osname = $((gwmi win32_operatingsystem).Name).ToLower()
 $_SKUSupported = 0
 Log "OSNAME:$osname"
- $SKUarray = @("Enterprise", "Education", "IoT", "Windows Server", "Pro", "Home")
+ $SKUarray = @("Enterprise", "Education", "IoT", "Windows Server")
 $HLKAllowed = @("microsoft windows 10 pro")
 foreach ($SKUent in $SKUarray)
 {
diff --git a/windows/security/identity-protection/enterprise-certificate-pinning.md b/windows/security/identity-protection/enterprise-certificate-pinning.md
index eff4754797..8a678b6ff4 100644
--- a/windows/security/identity-protection/enterprise-certificate-pinning.md
+++ b/windows/security/identity-protection/enterprise-certificate-pinning.md
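Review bot: In dg-readiness-tool.md, removing `"Pro"` and `"Home"` from `$SKUarray` in `CheckOSSKU` (and from the SKU message in `PrintHardwareReq`) appears to conflict with this same commit's documentation edits, which widen the supported OS to `Windows 10 >=1909` in credential-guard-manage.md and to `Windows 10 or Windows Server 2016` in credential-guard-requirements.md with no edition restriction. If the script is meant to follow the documentation, a Pro device on 1909 or later would presumably be reported as an unsupported SKU and an administrator could wrongly conclude Credential Guard cannot be enabled there, so the array and the "Applies to" text should be reconciled. The SKU list also lives in two places, so a comment above the array such as `# keep in sync with the SKU list printed by PrintHardwareReq` would help the next editor. Both function bodies continue outside the hunks, so how `$SKUarray` and `$HLKAllowed` are matched against the lower-cased `$osname` cannot be confirmed from here.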
@@ -11,7 +11,6 @@ ms.collection: M365-identity-device-management
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
 ms.date: 07/27/2017
diff --git a/windows/security/identity-protection/hello-for-business/WebAuthnAPIs.md b/windows/security/identity-protection/hello-for-business/WebAuthnAPIs.md
index 4579829e90..7cf7eeccbf 100644
--- a/windows/security/identity-protection/hello-for-business/WebAuthnAPIs.md
+++ b/windows/security/identity-protection/hello-for-business/WebAuthnAPIs.md
@@ -1,6 +1,6 @@
 ---
 title: WebAuthn APIs
-description: Enabling password-less authentication for your sites and apps
+description: Learn how to use WebAuthn APIs to enable password-less authentication for your sites and apps.
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
diff --git a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md
index 916d1cf629..215c86beea 100644
--- a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md
+++ b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md
@@ -1,6 +1,6 @@
 ---
 title: Multifactor Unlock
-description: Multifactor Unlock
+description: Learn how Windows 10 offers multifactor device unlock by extending Windows Hello with trusted signals.
 keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, cert-trust, device, registration, unlock, multi, factor, multifactor, multi-factor
 ms.prod: w10
 ms.mktglfcycl: deploy
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md
index d4c919784d..4486823bc5 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md @@ -145,6 +145,9 @@ Windows Server 2012 or later domain controllers support Group Managed Service Ac GMSA uses the Microsoft Key Distribution Service that is located on Windows Server 2012 or later domain controllers. Windows uses the Microsoft Key Distribution Service to protect secrets stored and used by the GMSA. Before you can create a GMSA, you must first create a root key for the service. You can skip this if your environment already uses GMSA. +>[!NOTE] +> If the [default object creation quota for security principles](https://docs.microsoft.com/openspecs/windows_protocols/ms-adts/d55ca655-109b-4175-902a-3e9d60833012) is set, you will need to change it for the Group Managed Service Account in order to be able to register new devices. + #### Create KDS Root Key Sign-in a domain controller with _Enterprise Admin_ equivalent credentials. diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md index 6e1445768e..0686de8a9a 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md 
@@ -44,11 +44,12 @@ Windows Hello for Business uses asymmetric keys as user credentials (rather than Sign-in to the domain controller hosting the schema master operational role using enterprise administrator equivalent credentials. -1. Open an elevated command prompt. -2. Type ```cd /d x:\support\adprep``` where *x* is the drive letter of the DVD or mounted ISO. -3. To update the schema, type ```adprep /forestprep```. -4. Read the Adprep Warning. Type the letter **C** and press **Enter** to update the schema. -5. Close the Command Prompt and sign-out. +1. Mount the ISO file (or insert the DVD) containing the Windows Server 2016 or later installation media. +2. Open an elevated command prompt. +3. Type ```cd /d x:\support\adprep``` where *x* is the drive letter of the DVD or mounted ISO. +4. To update the schema, type ```adprep /forestprep```. +5. Read the Adprep Warning. Type the letter **C** and press **Enter** to update the schema. +6. Close the Command Prompt and sign-out. ## Create the KeyCredential Admins Security Global Group diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md index 7189408b7b..f3f064b1d1 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md @@ -1,6 +1,6 @@ --- title: Windows Hello for Business Deployment Guide -description: A guide to Windows Hello for Business deployment +description: Use this deployment guide to successfully deploy Windows Hello for Business in an existing environment. keywords: identity, PIN, biometric, Hello, passport ms.prod: w10 ms.mktglfcycl: deploy 
@@ -52,7 +52,7 @@ The trust model determines how you want users to authenticate to the on-premises * The certificate trust model also supports enterprises which are not ready to deploy Windows Server 2016 Domain Controllers. > [!NOTE] -> Remote Desktop Protocol (RDP) does not support authentication with Windows Hello for Business key trust deployments. RDP is only supported with certificate trust deployments at this time. See [Remote Desktop](hello-feature-remote-desktop.md) to learn more. +> RDP does not support authentication with Windows Hello for Business key trust deployments as a supplied credential. RDP is only supported with certificate trust deployments as a supplied credential at this time. Windows Hello for Business key trust can be used with [Windows Defender Remote Credential Guard](https://docs.microsoft.com/windows/security/identity-protection/remote-credential-guard). Following are the various deployment guides and models included in this topic: - [Hybrid Azure AD Joined Key Trust Deployment](hello-hybrid-key-trust.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md index 300a074c68..01f18214de 100644 --- a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md +++ b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md @@ -98,6 +98,7 @@ For errors listed in this table, contact Microsoft Support for assistance. | 0x801C03F0 | ​There is no key registered for the user. | | 0x801C03F1 | ​There is no UPN in the token. | | ​0x801C044C | There is no core window for the current thread. | +| 0x801c004D | DSREG_NO_DEFAULT_ACCOUNT: NGC provisioning is unable to find the default WAM account to use to request AAD token for provisioning. Unable to enroll a device to use a PIN for login. | ## Related topics 
diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.md b/windows/security/identity-protection/hello-for-business/hello-faq.md index fca4b7eaa6..e6d36e6967 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.md +++ b/windows/security/identity-protection/hello-for-business/hello-faq.md @@ -1,6 +1,6 @@ --- title: Windows Hello for Business Frequently Asked Questions -description: Windows Hello for Business FAQ +description: Use these frequently asked questions (FAQ) to learn important details about Windows Hello for Business. keywords: identity, PIN, biometric, Hello, passport ms.prod: w10 ms.mktglfcycl: deploy 
@@ -28,7 +28,7 @@ Windows Hello for Business is the modern, two-factor credential for Windows 10. Microsoft is committed to its vision of a world without passwords. We recognize the *convenience* provided by convenience PIN, but it stills uses a password for authentication. Microsoft recommends customers using Windows 10 and convenience PINs should move to Windows Hello for Business. New Windows 10 deployments should deploy Windows Hello for Business and not convenience PINs. Microsoft will be deprecating convenience PINs in the future and will publish the date early to ensure customers have adequate lead time to deploy Windows Hello for Business. ## Can I use Windows Hello for Business key trust and RDP? -RDP currently does not support key based authentication and does not support self signed certificates. RDP with Windows Hello for Business is currently only supported with certificate based deployments. +RDP currently does not support using key based authentication and self signed certificates as supplied credentials. RDP with supplied credentials Windows Hello for Business is currently only supported with certificate based deployments. Windows Hello for Business key trust can be used with [Windows Defender Remote Credential Guard](https://docs.microsoft.com/windows/security/identity-protection/remote-credential-guard). ## Can I deploy Windows Hello for Business using Microsoft Endpoint Configuration Manager? Windows Hello for Business deployments using Configuration Manager should use the hybrid deployment model that uses Active Directory Federation Services. Starting in Configuration Manager version 1910, certificate-based authentication with Windows Hello for Business settings isn't supported. Key-based authentication is still valid with Configuration Manager. For more information, see [Windows Hello for Business settings in Configuration Manager](https://docs.microsoft.com/configmgr/protect/deploy-use/windows-hello-for-business-settings). 
@@ -77,9 +77,7 @@ Communicating with Azure Active Directory uses the following URLs: - login.windows.net If your environment uses Microsoft Intune, you need these additional URLs: -- enrollment.manage-beta.microsoft.com - enrollment.manage.microsoft.com -- portal.manage-beta.microsoft.com - portal.manage.microsoft.com ## What is the difference between non-destructive and destructive PIN reset? diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md b/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md index 015331499c..028fdd4868 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md @@ -1,6 +1,6 @@ --- title: Dual Enrollment -description: Dual Enrollment +description: Learn how to configure Windows Hello for Business dual enrollment. Also, learn how to configure Active Directory to support Domain Administrator enrollment. keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, cert-trust, device, registration, unlock, dual enrollment, ms.prod: w10 ms.mktglfcycl: deploy 
@@ -49,7 +49,7 @@ In this task you will ### Configure Active Directory to support Domain Administrator enrollment -The designed Windows for Business configuration has you give the **Key Admins** (or **KeyCredential Admins** when using domain controllers prior to Windows Server 2016) group read and write permissions to the msDS-KeyCredentialsLink attribute. You provided these permissions at root of the domain and use object inheritance to ensure the permissions apply to all users in the domain regardless of their location within the domain hierarchy. +The designed Windows Hello for Business configuration gives the **Key Admins** (or **KeyCredential Admins** when using domain controllers prior to Windows Server 2016) group read and write permissions to the msDS-KeyCredentialsLink attribute. You provided these permissions at root of the domain and use object inheritance to ensure the permissions apply to all users in the domain regardless of their location within the domain hierarchy. Active Directory Domain Services uses AdminSDHolder to secure privileged users and groups from unintentional modification by comparing and replacing the security on privileged users and groups to match those defined on the AdminSDHolder object on an hourly cycle. For Windows Hello for Business, your domain administrator account may receive the permissions but they will disappear from the user object unless you give the AdminSDHolder read and write permissions to the msDS-KeyCredential attribute. diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md index 33a9c450e1..f6a0ebc776 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md 
@@ -1,6 +1,6 @@ --- title: Pin Reset -description: Pin Reset +description: Learn how Microsoft PIN reset services enables you to help users recover who have forgotten their PIN. keywords: identity, PIN, Hello, passport, WHFB, hybrid, cert-trust, device, reset ms.prod: w10 ms.mktglfcycl: deploy @@ -84,7 +84,7 @@ To configure PIN reset on Windows devices you manage, use an [Intune Windows 10 1. In the **Custom OMA-URI Settings** blade, Click **Add**. 1. In the **Add Row** blade, type **PIN Reset Settings** in the **Name** field. In the **OMA-URI** field, type **./Device/Vendor/MSFT/PassportForWork/*tenant ID*/Policies/EnablePinRecovery** where *tenant ID* is your Azure Active Directory tenant ID from step 2. 1. Select **Boolean** from the **Data type** list and select **True** from the **Value** list. -1. Click **OK** to save the row configuration. Click **OK** to close the Custom OMA-URI Settings blade. Click **Create to save the profile. +1. Click **OK** to save the row configuration. Click **OK** to close the Custom OMA-URI Settings blade. Click **Create to save the profile. #### Assign the PIN Reset Device configuration profile using Microsoft Intune diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md b/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md index 981587e970..0ebcd33ec5 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md @@ -1,6 +1,6 @@ --- title: Remote Desktop -description: Remote Desktop +description: Learn how Windows Hello for Business supports using a certificate deployed to a WHFB container to a remote desktop to a server or another device. keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, cert-trust, device, registration, unlock, remote desktop, RDP ms.prod: w10 ms.mktglfcycl: deploy 
@@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium -ms.date: 09/09/2019 +ms.date: 09/16/2020 ms.reviewer: --- @@ -27,9 +27,9 @@ ms.reviewer: - Azure AD joined, Hybrid Azure AD joined, and Enterprise joined devices - Certificate trust deployments -Windows Hello for Business supports using a certificate deployed to a WHFB container to a remote desktop to a server or another device. This functionality is not supported for key trust deployments. This feature takes advantage of the redirected smart card capabilities of the remote desktop protocol. +Windows Hello for Business supports using a certificate deployed to a Windows Hello for Business container as a supplied credential to establish a remote desktop connection to a server or another device. This functionality is not supported for key trust deployments. This feature takes advantage of the redirected smart card capabilities of the remote desktop protocol. Windows Hello for Business key trust can be used with [Windows Defender Remote Credential Guard](https://docs.microsoft.com/windows/security/identity-protection/remote-credential-guard). -Microsoft continues to investigate supporting this feature for key trust deployments in a future release. +Microsoft continues to investigate supporting using keys trust for supplied credentials in a future release. ## Remote Desktop with Biometrics diff --git a/windows/security/identity-protection/hello-for-business/hello-features.md b/windows/security/identity-protection/hello-for-business/hello-features.md index d9832ef853..d35d4dea64 100644 --- a/windows/security/identity-protection/hello-for-business/hello-features.md +++ b/windows/security/identity-protection/hello-for-business/hello-features.md 
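Review bot: The last added sentence of the `-27,9` hunk, `Microsoft continues to investigate supporting using keys trust for supplied credentials in a future release.`, is hard to parse and says `keys trust` where the rest of the page says `key trust`. Suggested wording: `Microsoft continues to investigate supporting key trust for supplied credentials in a future release.` The new front-matter description in this file's first hunk still uses the phrasing this hunk replaces in the body (`to a WHFB container to a remote desktop to a server`), so it should be updated to match the corrected sentence.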
@@ -1,6 +1,6 @@ --- title: Windows Hello for Business Features -description: Windows Hello for Business Features +description: Consider additional features you can use after your organization deploys Windows Hello for Business. ms.assetid: 5BF09642-8CF5-4FBC-AC9A-5CA51E19387E ms.reviewer: keywords: identity, PIN, biometric, Hello, passport, WHFB, Windows Hello, PIN Reset, Dynamic Lock, Multifactor Unlock, Forgot PIN, Privileged credentials diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md index f220db21f6..0fb161ccb5 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md @@ -17,7 +17,7 @@ ms.reviewer: --- # Windows Hello for Business Provisioning -Applies to: +Applies to: - Windows 10 Windows Hello for Business provisioning enables a user to enroll a new, strong, two-factor credential that they can use for passwordless authentication. Provisioning experience vary based on: diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md index ae11903279..cd9f264b8a 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md 
@@ -76,10 +76,12 @@ Certificate authorities write CRL distribution points in certificates as they ar Windows Hello for Business enforces the strict KDC validation security feature, which imposes more restrictive criteria that must be met by the Key Distribution Center (KDC). When authenticating using Windows Hello for Business, the Windows 10 client validates the reply from the domain controller by ensuring all of the following are met: - The domain controller has the private key for the certificate provided. -- The root CA that issued the domain controller's certificate is in the device's **Trusted Root Certificate Authorities**. +- The root CA that issued the domain controller's certificate is in the device's **Trusted Root Certificate Authorities**. - Use the **Kerberos Authentication certificate template** instead of any other older template. - The domain controller's certificate has the **KDC Authentication** enhanced key usage. - The domain controller's certificate's subject alternate name has a DNS Name that matches the name of the domain. +- The domain controller's certificate's signature hash algorithm is **sha256**. +- The domain controller's certificate's public key is **RSA (2048 Bits)**. > [!Tip] 
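Review bot: The two added bullets give the hash algorithm and key as exact values (`sha256`, `RSA (2048 Bits)`) in a list the client is said to enforce in full, but the template procedure in hello-hybrid-cert-whfb-settings-pki.md in this same commit enters 2048 as the **Minimum key size**. If a larger key or stronger hash also passes strict KDC validation, word these as minimums, for example `The domain controller's certificate's public key is RSA with a key size of at least 2048 bits`, so administrators do not weaken domain controller certificates to match the list. If the values are exact, say so explicitly. The unchanged bullet `Use the **Kerberos Authentication certificate template** instead of any other older template.` is an instruction rather than a validation criterion and would read better outside the list.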
@@ -187,7 +189,7 @@ The web server is ready to host the CRL distribution point. Now, configure the 1. On the issuing certificate authority, sign-in as a local administrator. Start the **Certificate Authority** console from **Administrative Tools**. 2. In the navigation pane, right-click the name of the certificate authority and click **Properties** 3. Click **Extensions**. On the **Extensions** tab, select **CRL Distribution Point (CDP)** from the **Select extension** list. -4. On the **Extensions** tab, click **Add**. Type http://crl.[domainname]/cdp/ in **location**. For example, ** or ** (do not forget the trailing forward slash). +4. On the **Extensions** tab, click **Add**. Type http://crl.[domainname]/cdp/ in **location**. For example, ** or ** (do not forget the trailing forward slash). ![CDP New Location dialog box](images/aadj/cdp-extension-new-location.png) 5. Select **\** from the **Variable** list and click **Insert**. Select **\** from the **Variable** list and click **Insert**. Select **\** from the **Variable** list and click **Insert**. 6. Type **.crl** at the end of the text in **Location**. Click **OK**. @@ -225,7 +227,7 @@ The web server is ready to host the CRL distribution point. Now, configure the Validate your new CRL distribution point is working. -1. Open a web browser. Navigate to http://crl.[yourdomain].com/cdp. You should see two files created from publishing your new CRL. +1. Open a web browser. Navigate to http://crl.[yourdomain].com/cdp. You should see two files created from publishing your new CRL. ![Validate the new CRL](images/aadj/validate-cdp-using-browser.png) ### Reissue domain controller certificates 
@@ -301,35 +303,32 @@ A **Trusted Certificate** device configuration profile is how you deploy trusted Sign-in a workstation with access equivalent to a _domain user_. -1. Sign-in to the [Azure Portal](https://portal.azure.com/). -2. Select **All Services**. Type **Intune** to filter the list of services. Click **Microsoft Intune**. -3. Click **device enrollment**. -4. Click **Windows enrollment** -5. Under **Windows enrollment**, click **Windows Hello for Business**. - ![Create Intune Windows Hello for Business Policy](images/aadj/IntuneWHFBPolicy-00.png) -6. Under **Priority**, click **Default**. -7. Under **All users and all devices**, click **Settings**. -8. Select **Enabled** from the **Configure Windows Hello for Business** list. -9. Select **Required** next to **Use a Trusted Platform Module (TPM)**. By default, Windows Hello for Business prefers TPM 2.0 or falls backs to software. Choosing **Required** forces Windows Hello for Business to only use TPM 2.0 or TPM 1.2 and does not allow fall back to software based keys. -10. Type the desired **Minimum PIN length** and **Maximum PIN length**. +1. Sign in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/). +2. Select **Devices**. +3. Choose **Enroll devices**. +4. Select **Windows enrollment**. +5. Under **Windows enrollment**, select **Windows Hello for Business**. + ![Create Windows Hello for Business Policy](images/aadj/MEM.png) +6. Select **Enabled** from the **Configure Windows Hello for Business** list. +7. Select **Required** next to **Use a Trusted Platform Module (TPM)**. By default, Windows Hello for Business prefers TPM 2.0 or falls backs to software. Choosing **Required** forces Windows Hello for Business to only use TPM 2.0 or TPM 1.2 and does not allow fall back to software-based keys. +8. Enter the desired **Minimum PIN length** and **Maximum PIN length**. > [!IMPORTANT] - > The default minimum PIN length for Windows Hello for Business on Windows 10 is 6. 
Microsoft Intune defaults the minimum PIN length to 4, which reduces the security of the user's PIN. If you do not have a desired PIN length, set the minimum PIN length to 6. + > The default minimum PIN length for Windows Hello for Business on Windows 10 is six. Microsoft Intune defaults the minimum PIN length to four, which reduces the security of the user's PIN. If you do not have a desired PIN length, set the minimum PIN length to six. -![Intune Windows Hello for Business policy settings](images/aadj/IntuneWHFBPolicy-01.png) - -11. Select the appropriate configuration for the following settings. +9. Select the appropriate configuration for the following settings: * **Lowercase letters in PIN** * **Uppercase letters in PIN** * **Special characters in PIN** * **PIN expiration (days)** * **Remember PIN history** + > [!NOTE] > The Windows Hello for Business PIN is not a symmetric key (a password). A copy of the current PIN is not stored locally or on a server like in the case of passwords. Making the PIN as complex and changed frequently as a password increases the likelihood of forgotten PINs. Additionally, enabling PIN history is the only scenario that requires Windows 10 to store older PIN combinations (protected to the current PIN). Windows Hello for Business combined with a TPM provides anti-hammering functionality that prevents brute force attacks of the user's PIN. If you are concerned with user-to-user shoulder surfacing, rather that forcing complex PIN that change frequently, consider using the [Multifactor Unlock](feature-multifactor-unlock.md) feature. -12. Select **Yes** next to **Allow biometric authentication** if you want to allow users to use biometrics (fingerprint and/or facial recognition) to unlock the device. To further secure the use of biometrics, select **Yes** to **Use enhanced anti-spoofing, when available**. -13. Select **No** to **Allow phone sign-in**. This feature has been deprecated. -14. Click **Save** -15. 
Sign-out of the Azure portal. +10. Select **Yes** next to **Allow biometric authentication** if you want to allow users to use biometrics (fingerprint and/or facial recognition) to unlock the device. To further secure the use of biometrics, select **Yes** to **Use enhanced anti-spoofing, when available**. +11. Select **No** to **Allow phone sign-in**. This feature has been deprecated. +12. Choose **Save**. +13. Sign out of the Microsoft Endpoint Manager admin center. > [!IMPORTANT] > For more details about the actual experience after everything has been configured, please see [Windows Hello for Business and Authentication](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication). diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md index c2550cdfa7..e5664fdeb0 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md @@ -1,6 +1,6 @@ --- title: Windows Hello for Business Trust New Installation (Windows Hello for Business) -description: Windows Hello for Business Hybrid baseline deployment +description: Learn about new installations for Windows Hello for Business certificate trust and the various technologies hybrid certificate trust depoyments rely on. keywords: identity, PIN, biometric, Hello, passport, WHFB ms.prod: w10 ms.mktglfcycl: deploy diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md index ea04aadb72..2857501f75 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md 
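Review bot: The new `description` added in the hello-hybrid-cert-new-install.md hunk misspells a word: `hybrid certificate trust depoyments rely on` should be `hybrid certificate trust deployments rely on`. The rewritten description in hello-hybrid-cert-whfb-provision.md, later in this commit, keeps `Windows Hello for Businesss` with a third `s`. Both strings are front-matter metadata, so they are worth correcting while the lines are being touched.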
@@ -1,6 +1,6 @@
 ---
 title: Hybrid Certificate Trust Deployment (Windows Hello for Business)
-description: Hybrid Certificate Trust Deployment Overview
+description: Learn the information you need to successfully deploy Windows Hello for Business in a hybrid certificate trust scenario.
 keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, cert-trust
 ms.prod: w10
 ms.mktglfcycl: deploy
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md
index 9d05788513..c9ea9e18f9 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md
@@ -1,6 +1,6 @@
 ---
 title: Hybrid Windows Hello for Business Provisioning (Windows Hello for Business)
-description: Provisioning for hybrid certificate trust deployments of Windows Hello for Businesss.
+description: In this article, learn about provisioning for hybrid certificate trust deployments of Windows Hello for Businesss.
 keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, certificate-trust
 ms.prod: w10
 ms.mktglfcycl: deploy
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md
index 00c8e2e6f2..8a9763ebcd 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md
@@ -71,7 +71,7 @@ Sign-in a domain controller or management workstation with _Domain Admin_ equiva > 2. Right click "Scope Descriptions" and select "Add Scope Description". > 3. Under name type "ugs" and Click Apply > OK. > 4. Launch Powershell as Administrator. -> 5. Execute the command "Get-AdfsApplicationPermission". Look for the ScopeNames :{openid, aza} that has the ClientRoleIdentifier Make a note of the ObjectIdentifier. +> 5. Execute the command "Get-AdfsApplicationPermission". Look for the ScopeNames :{openid, aza} that has the ClientRoleIdentifier is equal to 38aa3b87-a06d-4817-b275-7a316988d93b and make a note of the ObjectIdentifier. > 6. Execute the command "Set-AdfsApplicationPermission -TargetIdentifier -AddScope 'ugs'. > 7. Restart the ADFS service. > 8. On the client: Restart the client. User should be prompted to provision WHFB. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md index 7576402a17..efeaaacd05 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md @@ -65,6 +65,9 @@ Sign-in a domain controller or management workstation with _Domain Admin_ equiva > [!NOTE] > If your AD forest has multiple domains, make sure you add the ADConnect sync service account (ie. MSOL_12121212) into "Enterprise Key Admins" group to gain permission across the domains in the forest. +> [!NOTE] +> Transfer the PDC emulator FSMO role to a domain controller running Windows Server 2016 (or later) to be able to search the Key Admins and Enterprise Key Admins groups (domain controllers running previous versions of Windows Server cannot translate the security identifier to a name for these groups). + ### Section Review > [!div class="checklist"] 
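Review bot: Rewritten step 5 in the `-71,7` hunk is ungrammatical (`that has the ClientRoleIdentifier is equal to ...`), and step 6, unchanged just below it, shows `Set-AdfsApplicationPermission -TargetIdentifier -AddScope 'ugs'` with no value after `-TargetIdentifier` and an unbalanced opening quote. Suggested step 5: `Look for the entry with ScopeNames {openid, aza} whose ClientRoleIdentifier equals 38aa3b87-a06d-4817-b275-7a316988d93b, and note its ObjectIdentifier.` Step 6 should state that the ObjectIdentifier from step 5 is the `-TargetIdentifier` value. The placeholder may have been lost in rendering, but as shown an administrator cannot tell which permission entry receives the new scope.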
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md
index 7c4e019e6d..8a785dcf5f 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md
@@ -46,13 +46,22 @@ By default, the Active Directory Certificate Authority provides and publishes th Sign-in a certificate authority or management workstations with _Domain Admin_ equivalent credentials. 1. Open the **Certificate Authority** management console. + 2. Right-click **Certificate Templates** and click **Manage**. + 3. In the **Certificate Template Console**, right-click the **Kerberos Authentication** template in the details pane and click **Duplicate Template**. + 4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2008 R2** from the **Certification Authority** list. Select **Windows 7.Server 2008 R2** from the **Certification Recipient** list. + 5. On the **General** tab, type **Domain Controller Authentication (Kerberos)** in Template display name. Adjust the validity and renewal period to meet your enterprise's needs. - **Note**If you use different template names, you'll need to remember and substitute these names in different portions of the lab. + + > [!NOTE] + > If you use different template names, you'll need to remember and substitute these names in different portions of the lab. + 6. On the **Subject** tab, select the **Build from this Active Directory information** button if it is not already selected. Select **None** from the **Subject name format** list. Select **DNS name** from the **Include this information in alternate subject** list. Clear all other items. + 7. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. Click **OK**. + 8. Close the console. #### Configure Certificate Superseding for the Domain Controller Authentication (Kerberos) Certificate Template 
@@ -66,13 +75,21 @@ The auto-enrollment feature in Windows enables you to effortlessly replace these Sign-in a certificate authority or management workstations with _Enterprise Admin_ equivalent credentials. 1. Open the **Certificate Authority** management console. + 2. Right-click **Certificate Templates** and click **Manage**. + 3. In the **Certificate Template Console**, right-click the **Domain Controller Authentication (Kerberos)** (or the name of the certificate template you created in the previous section) template in the details pane and click **Properties**. + 4. Click the **Superseded Templates** tab. Click **Add**. + 5. From the **Add Superseded Template** dialog, select the **Domain Controller** certificate template and click **OK**. Click **Add**. + 6. From the **Add Superseded Template** dialog, select the **Domain Controller Authentication** certificate template and click **OK**. + 7. From the **Add Superseded Template dialog**, select the **Kerberos Authentication** certificate template and click **OK**. + 8. Add any other enterprise certificate templates that were previously configured for domain controllers to the **Superseded Templates** tab. + 9. Click **OK** and close the **Certificate Templates** console. The certificate template is configured to supersede all the certificate templates provided in the certificate templates superseded templates list. However, the certificate template and the superseding of certificate templates is not active until you publish the certificate template to one or more certificate authorities. 
@@ -95,33 +112,54 @@ Approximately 60 days prior to enrollment agent certificate's expiration, the AD Sign-in a certificate authority or management workstations with _Domain Admin_ equivalent credentials. 1. Open the **Certificate Authority Management** console. + 2. Right-click **Certificate Templates** and click **Manage**. + 3. In the **Certificate Template Console**, right click on the **Exchange Enrollment Agent (Offline request)** template details pane and click **Duplicate Template**. + 4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list. + 5. On the **General** tab, type **WHFB Enrollment Agent** in **Template display name**. Adjust the validity and renewal period to meet your enterprise's needs. -6. On the **Subject** tab, select the **Supply in the request** button if it is not already selected. - **Note:** The preceding step is very important. Group Managed Service Accounts (GMSA) do not support the Build from this Active Directory information option and will result in the AD FS server failing to enroll the enrollment agent certificate. You must configure the certificate template with Supply in the request to ensure that AD FS servers can perform the automatic enrollment and renewal of the enrollment agent certificate. + +6. On the **Subject** tab, select the **Supply in the request** button if it is not already selected. + + > [!NOTE] + > The preceding step is very important. Group Managed Service Accounts (GMSA) do not support the Build from this Active Directory information option and will result in the AD FS server failing to enroll the enrollment agent certificate. 
You must configure the certificate template with Supply in the request to ensure that AD FS servers can perform the automatic enrollment and renewal of the enrollment agent certificate. 7. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. + 8. On the **Security** tab, click **Add**. + 9. Click **Object Types**. Select the **Service Accounts** check box and click **OK**. + 10. Type **adfssvc** in the **Enter the object names to select** text box and click **OK**. -11. Click the **adfssvc** from the **Group or users names** list. In the **Permissions for adfssvc** section, select the **Allow** check box for the **Enroll** permission. Excluding the **adfssvc** user, clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list if the check boxes are not already cleared. Click **OK**. + +11. Click the **adfssvc** from the **Group or users names** list. In the **Permissions for adfssvc** section, select the **Allow** check box for the **Enroll** permission. Excluding the **adfssvc** user, clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list if the check boxes are not already cleared. Click **OK**. + 12. Close the console. -#### Creating an Enrollment Agent certificate for typical Service Acconts +#### Creating an Enrollment Agent certificate for typical Service Accounts Sign-in a certificate authority or management workstations with *Domain Admin* equivalent credentials. 1. Open the **Certificate Authority** management console. + 2. Right-click **Certificate Templates** and click **Manage**. + 3. 
In the **Certificate Template** console, right-click the **Exchange Enrollment Agent (Offline request)** template in the details pane and click **Duplicate Template**. + 4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list. + 5. On the **General** tab, type **WHFB Enrollment Agent** in **Template display name**. Adjust the validity and renewal period to meet your enterprise's needs. + 6. On the **Subject** tab, select the **Build from this Active Directory information** button if it is not already selected. Select **Fully distinguished name** from the **Subject name format** list if **Fully distinguished name** is not already selected. Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name**. + 7. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. + 8. On the **Security** tab, click **Add**. Type **adfssvc** in the **Enter the object names to select text box** and click **OK**. + 9. Click the **adfssvc** from the **Group or users names** list. In the **Permissions for adfssvc** section, select the **Allow** check box for the **Enroll** permission. Excluding the **adfssvc** user, clear the **Allow** check boxes for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list if the check boxes are not already cleared. Click **OK**. + 10. Close the console. ### Creating Windows Hello for Business authentication certificate template 
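Review bot: The new `[!NOTE]` under step 6 of the GMSA procedure explains why the template must use **Supply in the request**, but not that this setting lets the requester choose the certificate subject, which is what makes the permission clean-up in step 11 a security control rather than housekeeping. Consider adding a sentence to the note such as `Because the subject is supplied by the requester, make sure that only the AD FS service account keeps the Enroll permission on this template (see step 11).` Both procedures in this hunk also create a template with the same display name, **WHFB Enrollment Agent**. If they are alternatives, as the headings suggest, the text should say to follow only the one that matches the service account type.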
@@ -131,28 +169,68 @@ During Windows Hello for Business provisioning, the Windows 10, version 1703 cli Sign-in a certificate authority or management workstations with _Domain Admin equivalent_ credentials. 1. Open the **Certificate Authority** management console. + 2. Right-click **Certificate Templates** and click **Manage**. + 3. Right-click the **Smartcard Logon** template and choose **Duplicate Template**. + 4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list. -5. On the **General** tab, type **WHFB Authentication** in **Template display name**. Adjust the validity and renewal period to meet your enterprise's needs. - **Note:** If you use different template names, you'll need to remember and substitute these names in different portions of the deployment. -6. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. + +5. On the **General** tab, type **WHFB Authentication** in **Template display name**. Adjust the validity and renewal period to meet your enterprise's needs. + + > [!NOTE] + > If you use different template names, you'll need to remember and substitute these names in different portions of the deployment. + +6. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. + 7. On the **Extensions** tab, verify the **Application Policies** extension includes **Smart Card Logon**. + 8. 
On the **Issuance Requirements** tab, select the **This number of authorized signatures** check box. Type **1** in the text box. - * Select **Application policy** from the **Policy type required in signature**. Select **Certificate Request Agent** from in the **Application policy** list. Select the **Valid existing certificate** option. + + Select **Application policy** from the **Policy type required in signature**. Select **Certificate Request Agent** from in the **Application policy** list. Select the **Valid existing certificate** option. + 9. On the **Subject** tab, select the **Build from this Active Directory information** button if it is not already selected. Select **Fully distinguished name** from the **Subject name format** list if **Fully distinguished name** is not already selected. Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name**. + 10. On the **Request Handling** tab, select the **Renew with same key** check box. + 11. On the **Security** tab, click **Add**. Type **Window Hello for Business Users** in the **Enter the object names to select** text box and click **OK**. + 12. Click the **Windows Hello for Business Users** from the **Group or users names** list. In the **Permissions for Windows Hello for Business Users** section, select the **Allow** check box for the **Read**, **Enroll**, and **AutoEnroll** permissions. Excluding the **Windows Hello for Business Users** group, clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other entries in the **Group or users names** section if the check boxes are not already cleared. Click **OK**. + 13. 
If you previously issued Windows Hello for Business sign-in certificates using Configuration Manger and are switching to an AD FS registration authority, then on the **Superseded Templates** tab, add the previously used **Windows Hello for Business Authentication** template(s), so they will be superseded by this template for the users that have Enroll permission for this template. + 14. Click on the **Apply** to save changes and close the console. #### Mark the template as the Windows Hello Sign-in template Sign-in to an **AD FS Windows Server 2016** computer with _Enterprise Admin_ equivalent credentials. + 1. Open an elevated command prompt. + 2. Run `certutil -dsTemplate WHFBAuthentication msPKI-Private-Key-Flag +CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY` +If the template was changed successfully, the output of the command will contain old and new values of the template parameters. The new value must contain the **CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY** parameter. Example: + +```console +CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=[yourdomain]:WHFBAuthentication + +Old Value: +msPKI-Private-Key-Flag REG_DWORD = 5050080 (84213888) +CTPRIVATEKEY_FLAG_REQUIRE_SAME_KEY_RENEWAL -- 80 (128) +CTPRIVATEKEY_FLAG_ATTEST_NONE -- 0 +TEMPLATE_SERVER_VER_WINBLUE< [!NOTE] > If you gave your Windows Hello for Business Authentication certificate template a different name, then replace **WHFBAuthentication** in the above command with the name of your certificate template. It's important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template using the Certificate Template management console (certtmpl.msc). Or, you can view the template name using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on our Windows Server 2012 or later certificate authority. 
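Review bot: Step 11, left unchanged by this hunk, tells the reader to type `Window Hello for Business Users`, while step 12 names the group `Windows Hello for Business Users`; the object lookup depends on the name, so step 11 should read `Type **Windows Hello for Business Users** in the **Enter the object names to select** text box`. Step 13 has `Configuration Manger` for `Configuration Manager`. In the added example output, the line beginning `TEMPLATE_SERVER_VER_WINBLUE<` appears to be cut off before the new value is listed, so the reader cannot see the `CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY` entry that the preceding paragraph says must be present. This may be a rendering artefact of `<<` in the fenced block and is worth checking on the built page.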
@@ -165,11 +243,17 @@ The certificate authority may only issue certificates for certificate templates #### Publish Certificate Templates to the Certificate Authority Sign-in to the certificate authority or management workstations with an _Enterprise Admin_ equivalent credentials. + 1. Open the **Certificate Authority** management console. + 2. Expand the parent node from the navigation pane. + 3. Click **Certificate Templates** in the navigation pane. + 4. Right-click the **Certificate Templates** node. Click **New**, and click **Certificate Template** to issue. -5. In the **Enable Certificates Templates** window, select the **Domain Controller Authentication (Kerberos)**, **WHFB Enrollment Agent** and **WHFB Authentication** templates you created in the previous steps. Click **OK** to publish the selected certificate templates to the certificate authority. + +5. In the **Enable Certificates Templates** window, select the **Domain Controller Authentication (Kerberos)**, **WHFB Enrollment Agent** and **WHFB Authentication** templates you created in the previous steps. Click **OK** to publish the selected certificate templates to the certificate authority. + 6. Close the console. @@ -182,9 +266,13 @@ The newly created domain controller authentication certificate template supersed Sign-in to the certificate authority or management workstation with _Enterprise Admin_ equivalent credentials. 1. Open the **Certificate Authority** management console. + 2. Expand the parent node from the navigation pane. + 3. Click **Certificate Templates** in the navigation pane. + 4. Right-click the **Domain Controller** certificate template in the content pane and select **Delete**. Click **Yes** on the **Disable certificate templates** window. + 5. Repeat step 4 for the **Domain Controller Authentication** and **Kerberos Authentication** certificate templates. 
@@ -214,4 +302,3 @@ Sign-in to the certificate authority or management workstation with _Enterprise
 4. [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md)
 5. Configure Windows Hello for Business settings: PKI (*You are here*)
 6. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md)
-
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md
index fba1fd76f8..2f6f72752a 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md
@@ -1,6 +1,6 @@
 ---
 title: Configure Hybrid Windows Hello for Business Settings (Windows Hello for Business)
-description: Configuring Windows Hello for Business settings in hybrid certificate trust deployment.
+description: Learn how to configure Windows Hello for Business settings in hybrid certificate trust deployment.
 keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, certificate-trust
 ms.prod: w10
 ms.mktglfcycl: deploy
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md
index 3cb290695f..51e6922080 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md
@@ -1,6 +1,6 @@
 ---
 title: Windows Hello for Business Key Trust New Installation
-description: Learn how to configure a hybrid key trust deployment of Windows Hello for Business, for systems with no previous installations.
+description: Learn how to configure a hybrid key trust deployment of Windows Hello for Business for systems with no previous installations.
 keywords: identity, PIN, biometric, Hello, passport, WHFB
 ms.prod: w10
 ms.mktglfcycl: deploy
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
index 5a7e9bb20a..fa3b1d7a97 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
@@ -1,6 +1,6 @@
 ---
 title: Hybrid Key trust Windows Hello for Business Prerequisites (Windows Hello for Business)
-description: Prerequisites for hybrid Windows Hello for Business deployments using key trust.
+description: Learn about the prerequisites for hybrid Windows Hello for Business deployments using key trust and what the next steps are in the deployment process.
 keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, key-trust
 ms.prod: w10
 ms.mktglfcycl: deploy
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md
index 1f4f6b976d..63743f3ea2 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md
@@ -1,6 +1,6 @@
 ---
 title: Hybrid Key Trust Deployment (Windows Hello for Business)
-description: Hybrid Key Trust Deployment Overview
+description: Review this deployment guide to successfully deploy Windows Hello for Business in a hybrid key trust scenario.
 keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, key-trust
 ms.prod: w10
 ms.mktglfcycl: deploy
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md
index 85992e20d5..73e002c7c2 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md
@@ -1,6 +1,6 @@
 ---
 title: Hybrid Windows Hello for Business key trust Provisioning (Windows Hello for Business)
-description: Provisioning for hybrid key trust deployments of Windows Hello for Business.
+description: Learn about provisioning for hybrid key trust deployments of Windows Hello for Business and learn where to find the hybrid key trust deployment guide.
 keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, certificate-trust
 ms.prod: w10
 ms.mktglfcycl: deploy
@@ -27,7 +27,7 @@ ms.reviewer: ## Provisioning The Windows Hello for Business provisioning begins immediately after the user has signed in, after the user profile is loaded, but before the user receives their desktop. Windows only launches the provisioning experience if all the prerequisite checks pass. You can determine the status of the prerequisite checks by viewing the **User Device Registration** in the **Event Viewer** under **Applications and Services Logs\Microsoft\Windows**. -![Event358](images/Event358.png) +![Event358](images/Event358-2.png) The first thing to validate is the computer has processed device registration. You can view this from the User device registration logs where the check **Device is AAD joined (AADJ or DJ++): Yes** appears. Additionally, you can validate this using the **dsregcmd /status** command from a console prompt where the value for **AzureADJoined** reads **Yes**. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md index 440ab1ea70..d7355b0c32 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md 
@@ -74,9 +74,12 @@ Sign-in a domain controller or management workstations with _Domain Admin_ equiv The Windows Hello for Business Group Policy object delivers the correct Group Policy settings to the user, which enables them to enroll and use Windows Hello for Business to authenticate to Azure and Active Directory +> [!NOTE] +> If you deployed Windows Hello for Business configuration using both Group Policy and Microsoft Intune, Group Policy settings will take precedence and Intune settings will be ignored. For more details about deploying Windows Hello for Business configuration using Microsoft Intune, see [Windows 10 device settings to enable Windows Hello for Business in Intune](https://docs.microsoft.com/mem/intune/protect/identity-protection-windows-settings) and [PassportForWork CSP](https://docs.microsoft.com/windows/client-management/mdm/passportforwork-csp). For more details about policy conflicts, see [Policy conflicts from multiple policy sources](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-manage-in-organization#policy-conflicts-from-multiple-policy-sources) + #### Enable Windows Hello for Business -The Enable Windows Hello for Business Group Policy setting is the configuration needed for Windows to determine if a user should be attempt to enroll for Windows Hello for Business. A user will only attempt enrollment if this policy setting is configured to enabled. +The Enable Windows Hello for Business Group Policy setting is the configuration needed for Windows to determine if a user should attempt to enroll for Windows Hello for Business. A user will only attempt enrollment if this policy setting is configured to enabled. You can configure the Enable Windows Hello for Business Group Policy setting for computer or users. Deploying this policy setting to computers results in ALL users that sign-in that computer to attempt a Windows Hello for Business enrollment. 
Deploying this policy setting to a user results in only that user attempting a Windows Hello for Business enrollment. Additionally, you can deploy the policy setting to a group of users so only those users attempt a Windows Hello for Business enrollment. If both user and computer policy settings are deployed, the user policy setting has precedence. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md index d8eb2ac3ed..9103431811 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md @@ -1,6 +1,6 @@ --- title: Configure Hybrid Windows Hello for Business key trust Settings -description: Configuring Windows Hello for Business settings in hybrid key trust deployment. +description: Begin the process of configuring your hybrid key trust environment for Windows Hello for Business. Start with your Active Directory configuration. keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, certificate-trust ms.prod: w10 ms.mktglfcycl: deploy diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md index cb6105c66b..51d246f3f4 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md @@ -8,7 +8,6 @@ ms.sitesec: library ms.pagetype: security, mobile author: DaniHalfin audience: ITPro -author: mikestephens-MS ms.author: dolmont manager: dansimp ms.collection: M365-identity-device-management 
diff --git a/windows/security/identity-protection/hello-for-business/hello-overview.md b/windows/security/identity-protection/hello-for-business/hello-overview.md
index 6a70672f7a..80d8f81611 100644
--- a/windows/security/identity-protection/hello-for-business/hello-overview.md
+++ b/windows/security/identity-protection/hello-for-business/hello-overview.md
@@ -1,7 +1,7 @@
 ---
 title: Windows Hello for Business Overview (Windows 10)
 ms.reviewer: An overview of Windows Hello for Business
-description: An overview of Windows Hello for Business
+description: Learn how Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices in Windows 10.
 keywords: identity, PIN, biometric, Hello, passport
 ms.prod: w10
 ms.mktglfcycl: deploy
@@ -94,8 +94,7 @@ For details, see [How Windows Hello for Business works](hello-how-it-works.md). Windows Hello for Business can use either keys (hardware or software) or certificates in hardware or software. Enterprises that have a public key infrastructure (PKI) for issuing and managing end user certificates can continue to use PKI in combination with Windows Hello. Enterprises that do not use PKI or want to reduce the effort associated with managing user certificates can rely on key-based credentials for Windows Hello but still use certificates on their domain controllers as a root of trust. -Windows Hello for Business with a key does not support RDP. RDP does not support authentication with a key or a self signed certificate. RDP with Windows Hello for Business is supported with certificate based deployments. - +Windows Hello for Business with a key does not support supplied credentials for RDP. RDP does not support authentication with a key or a self signed certificate. RDP with Windows Hello for Business is supported with certificate based deployments as a supplied credential. Windows Hello for Business key trust can be used with [Windows Defender Remote Credential Guard](https://docs.microsoft.com/windows/security/identity-protection/remote-credential-guard). ## Learn more diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md index c3acaa98e3..ea3430b5dd 100644 --- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md 
@@ -1,6 +1,6 @@ --- title: Planning a Windows Hello for Business Deployment -description: A guide to planning a Windows Hello for Business deployment +description: Learn about the role of each component within Windows Hello for Business and how certain deployment decisions affect other aspects of your infrastructure. keywords: identity, PIN, biometric, Hello, passport ms.prod: w10 ms.mktglfcycl: deploy @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article localizationpriority: conceptual -ms.date: 08/19/2018 +ms.date: 09/16/2020 ms.reviewer: --- # Planning a Windows Hello for Business Deployment @@ -25,6 +25,8 @@ Congratulations! You are taking the first step forward in helping move your orga This guide explains the role of each component within Windows Hello for Business and how certain deployment decisions affect other aspects of the infrastructure. Armed with your planning worksheet, you'll use that information to select the correct deployment guide for your needs. +If you have an Azure tenant, you can use our online, interactive Passwordless Wizard which walks through the same choices instead of using our manual guide below. The Passwordless Wizard is available in the [Microsoft 365 admin center](https://admin.microsoft.com/AdminPortal/Home#/modernonboarding/passwordlesssetup). + ## Using this guide There are many options from which you can choose when deploying Windows Hello for Business. Providing multiple options ensures nearly every organization can deploy Windows Hello for Business. Providing many options makes the deployment appear complex, however, most organization will realize they've already implemented most of the infrastructure on which the Windows Hello for Business deployment depends. It is important to understand that Windows Hello for Business is a distributed system and does take proper planning across multiple teams within an organization. 
@@ -91,7 +93,7 @@ The key trust type does not require issuing authentication certificates to end u The certificate trust type issues authentication certificates to end users. Users authenticate using a certificate requested using a hardware-bound key created during the built-in provisioning experience. Unlike key trust, certificate trust does not require Windows Server 2016 domain controllers (but still requires [Windows Server 2016 or later Active Directory schema](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs#directories)). Users can use their certificate to authenticate to any Windows Server 2008 R2, or later, domain controller. > [!NOTE] -> RDP does not support authentication with Windows Hello for Business key trust deployments. RDP is only supported with certificate trust deployments at this time. +> RDP does not support authentication with Windows Hello for Business key trust deployments as a supplied credential. RDP is only supported with certificate trust deployments as a supplied credential at this time. Windows Hello for Business key trust can be used with [Windows Defender Remote Credential Guard](https://docs.microsoft.com/windows/security/identity-protection/remote-credential-guard). #### Device registration 
@@ -166,16 +168,13 @@ Choose the deployment model based on the resources your users access. Use the f If your organization does not have on-premises resources, write **Cloud Only** in box **1a** on your planning worksheet. -If your organization is federated with Azure or uses any online service, such as Office365 or OneDrive, or your users' access cloud and on-premises resources, write **Hybrid** in box **1a** on your planning worksheet. +If your organization is federated with Azure or uses any service, such as AD Connect, Office365 or OneDrive, or your users access cloud and on-premises resources, write **Hybrid** in box **1a** on your planning worksheet. If your organization does not have cloud resources, write **On-Premises** in box **1a** on your planning worksheet. > [!NOTE] -> If you're unsure if your organization is federated, run the following Active Directory Windows PowerShell command from an elevated Windows PowerShell prompt and evaluate the results. -> ```Get-AdObject "CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=corp,DC=[forest_root_CN_name],DC=com" -Properties keywords``` -> * If the command returns an error stating it could not find the object, then you have yet to configured AAD Connect or on-premises Device Registration Services using AD FS. Ensure the name is accurate and validate the object does not exist with another Active Directory Management tool such as **ADSIEdit.msc**. If the object truly does not exist, then your environment does not bind you to a specific deployment or require changes to accommodate the desired deployment type. -> * If the command returns a value, compare that value with the values below. The value indicates the deployment model you should implement -> * If the value begins with **azureADName:** – write **Hybrid** in box **1a**on your planning worksheet. 
-> * If the value begins with **enterpriseDrsName:** – write **On-Premises** in box **1a** on your planning worksheet. +> * Main use case of On-Premises deployment is for "Enhanced Security Administrative Environments" also known as "Red Forests". +> * Migration from on-premise to hybrid deployment will require redeployment. + ### Trust type diff --git a/windows/security/identity-protection/hello-for-business/hello-videos.md b/windows/security/identity-protection/hello-for-business/hello-videos.md index 00eddf6eee..c53586ff18 100644 --- a/windows/security/identity-protection/hello-for-business/hello-videos.md +++ b/windows/security/identity-protection/hello-for-business/hello-videos.md @@ -1,6 +1,6 @@ --- title: Windows Hello for Business Videos -description: Windows Hello for Business Videos +description: View several informative videos describing features and experiences in Windows Hello for Business in Windows 10. keywords: identity, PIN, biometric, Hello, passport, video, watch, passwordless ms.prod: w10 ms.mktglfcycl: deploy diff --git a/windows/security/identity-protection/hello-for-business/images/aadj/MEM.png b/windows/security/identity-protection/hello-for-business/images/aadj/MEM.png new file mode 100644 index 0000000000..d98d871f21 Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadj/MEM.png differ diff --git a/windows/security/identity-protection/hello-for-business/images/event358-2.png b/windows/security/identity-protection/hello-for-business/images/event358-2.png new file mode 100644 index 0000000000..53fd554323 Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/event358-2.png differ diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 57238c3214..dd1b6b18e0 100644 
--- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -1,6 +1,6 @@ --- title: Passwordless Strategy -description: Reducing Password Usage Surface +description: Learn about the password-less strategy and how Windows Hello for Business implements this strategy in Windows 10. keywords: identity, PIN, biometric, Hello, passport, video, watch, passwordless ms.prod: w10 ms.mktglfcycl: deploy diff --git a/windows/security/identity-protection/hello-for-business/toc.md b/windows/security/identity-protection/hello-for-business/toc.md index 3fe33458fc..8ec19c126f 100644 --- a/windows/security/identity-protection/hello-for-business/toc.md +++ b/windows/security/identity-protection/hello-for-business/toc.md @@ -16,10 +16,10 @@ ## [How Windows Hello for Business works](hello-how-it-works.md) ### [Technical Deep Dive](hello-how-it-works.md#technical-deep-dive) -#### [Technology and Terminology](hello-how-it-works-technology.md) #### [Device Registration](hello-how-it-works-device-registration.md) #### [Provisioning](hello-how-it-works-provisioning.md) #### [Authentication](hello-how-it-works-authentication.md) +#### [Technology and Terminology](hello-how-it-works-technology.md) ## [Planning a Windows Hello for Business Deployment](hello-planning-guide.md) diff --git a/windows/security/identity-protection/remote-credential-guard.md b/windows/security/identity-protection/remote-credential-guard.md index 4e95da0531..373339ebcd 100644 --- a/windows/security/identity-protection/remote-credential-guard.md +++ b/windows/security/identity-protection/remote-credential-guard.md 
@@ -58,7 +58,7 @@ Use the following table to compare different Remote Desktop connection security | **Protection benefits** | Credentials on the server are not protected from Pass-the-Hash attacks. | User credentials remain on the client. An attacker can act on behalf of the user *only* when the session is ongoing | User logs on to the server as local administrator, so an attacker cannot act on behalf of the “domain user”. Any attack is local to the server | | **Version support** | The remote computer can run any Windows operating system | Both the client and the remote computer must be running **at least Windows 10, version 1607, or Windows Server 2016**. | The remote computer must be running **at least patched Windows 7 or patched Windows Server 2008 R2**.

      For more information about patches (software updates) related to Restricted Admin mode, see [Microsoft Security Advisory 2871997](https://technet.microsoft.com/library/security/2871997.aspx). | | **Helps prevent**                    |      N/A          |
      • Pass-the-Hash
      • Use of a credential after disconnection
      |
      • Pass-the-Hash
      • Use of domain identity during connection
      | -| **Credentials supported from the remote desktop client device** |
      • Signed on credentials
      • Supplied credentials
      • Saved credentials
      |
      • Signed on credentials only |
        • Signed on credentials
        • Supplied credentials
        • Saved credentials
        | +| **Credentials supported from the remote desktop client device** |
        • Signed on credentials
        • Supplied credentials
        • Saved credentials
        |
        • Signed on credentials only |
          • Signed on credentials
          • Supplied credentials
          • Saved credentials
          | | **Access** | **Users allowed**, that is, members of Remote Desktop Users group of remote host. | **Users allowed**, that is, members of Remote Desktop Users of remote host. | **Administrators only**, that is, only members of Administrators group of remote host. | | **Network identity** | Remote Desktop session **connects to other resources as signed-in user**. | Remote Desktop session **connects to other resources as signed-in user**. | Remote Desktop session **connects to other resources as remote host’s identity**. | | **Multi-hop** | From the remote desktop, **you can connect through Remote Desktop to another computer** | From the remote desktop, you **can connect through Remote Desktop to another computer**. | Not allowed for user as the session is running as a local host account | diff --git a/windows/security/identity-protection/user-account-control/how-user-account-control-works.md b/windows/security/identity-protection/user-account-control/how-user-account-control-works.md index 4a92507705..560f4b240c 100644 --- a/windows/security/identity-protection/user-account-control/how-user-account-control-works.md +++ b/windows/security/identity-protection/user-account-control/how-user-account-control-works.md @@ -270,7 +270,7 @@ To better understand each component, review the table below: -The slider will never turn UAC completely off. If you set it to Never notify, it will: +The slider will never turn UAC completely off. If you set it to Never notify, it will: - Keep the UAC service running. - Cause all elevation request initiated by administrators to be auto-approved without showing a UAC prompt. diff --git a/windows/security/identity-protection/user-account-control/user-account-control-overview.md b/windows/security/identity-protection/user-account-control/user-account-control-overview.md index 15ea04101f..9c9011d7ad 100644 --- a/windows/security/identity-protection/user-account-control/user-account-control-overview.md 
+++ b/windows/security/identity-protection/user-account-control/user-account-control-overview.md @@ -14,7 +14,6 @@ ms.author: dansimp manager: dansimp ms.collection: M365-identity-device-management ms.topic: article -ms.localizationpriority: medium ms.date: 07/27/2017 --- diff --git a/windows/security/identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md b/windows/security/identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md index 22355b9383..6b9868b0f0 100644 --- a/windows/security/identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md +++ b/windows/security/identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md @@ -1,6 +1,6 @@ --- title: How to configure Diffie Hellman protocol over IKEv2 VPN connections (Windows 10) -description: Explains how to secure VPN connections for Diffie Hellman Group 2 +description: Learn how to update the Diffie Hellman configuration of VPN servers and clients by running VPN cmdlets to secure connections. ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/security/identity-protection/vpn/vpn-authentication.md b/windows/security/identity-protection/vpn/vpn-authentication.md index 9f6f6fa2a5..3fe2c08d57 100644 --- a/windows/security/identity-protection/vpn/vpn-authentication.md +++ b/windows/security/identity-protection/vpn/vpn-authentication.md @@ -1,6 +1,6 @@ --- title: VPN authentication options (Windows 10) -description: tbd +description: Learn about the EAP authentication methods that Windows supports in VPNs to provide secure authentication using username/password and certificate-based methods. ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md b/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md index 09ca26d20e..29c8f5e474 100644 
--- a/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md
+++ b/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md
@@ -1,6 +1,6 @@
 ---
 title: VPN auto-triggered profile options (Windows 10)
-description: tbd
+description: Learn about the types of auto-trigger rules for VPNs in Windows 10, which start a VPN when it is needed to access a resource.
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
@@ -61,13 +61,15 @@ When the trigger occurs, VPN tries to connect. If an error occurs or any user in When a device has multiple profiles with Always On triggers, the user can specify the active profile in **Settings** > **Network & Internet** > **VPN** > *VPN profile* by selecting the **Let apps automatically use this VPN connection** checkbox. By default, the first MDM-configured profile is marked as **Active**. Devices with multiple users have the same restriction: only one profile and therefore only one user will be able to use the Always On triggers. -Preserving user Always On preference +## Preserving user Always On preference -Windows has a feature to preserve a user’s AlwaysOn preference. In the event that a user manually unchecks the “Connect automatically” checkbox, Windows will remember this user preference for this profile name by adding the profile name to the value AutoTriggerDisabledProfilesList. -Should a management tool remove/add the same profile name back and set AlwaysOn to true, Windows will not check the box if the profile name exists in the below registry value in order to preserve user preference. -Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Config -Value: AutoTriggerDisabledProfilesList -Type: REG_MULTI_SZ +Windows has a feature to preserve a user’s AlwaysOn preference. In the event that a user manually unchecks the “Connect automatically” checkbox, Windows will remember this user preference for this profile name by adding the profile name to the value **AutoTriggerDisabledProfilesList**. + +Should a management tool remove or add the same profile name back and set **AlwaysOn** to **true**, Windows will not check the box if the profile name exists in the following registry value in order to preserve user preference. + +**Key:** HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Config
          +**Value:** AutoTriggerDisabledProfilesList
          +**Type:** REG_MULTI_SZ ## Trusted network detection diff --git a/windows/security/identity-protection/vpn/vpn-guide.md b/windows/security/identity-protection/vpn/vpn-guide.md index c72139b6db..cb543ad1cd 100644 --- a/windows/security/identity-protection/vpn/vpn-guide.md +++ b/windows/security/identity-protection/vpn/vpn-guide.md @@ -1,6 +1,6 @@ --- title: Windows 10 VPN technical guide (Windows 10) -description: Use this guide to configure VPN deployment for Windows 10. +description: Learn about decisions to make for Windows 10 clients in your enterprise VPN solution and how to configure your deployment. ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/security/identity-protection/vpn/vpn-name-resolution.md b/windows/security/identity-protection/vpn/vpn-name-resolution.md index 5c277ef964..6ff26370e3 100644 --- a/windows/security/identity-protection/vpn/vpn-name-resolution.md +++ b/windows/security/identity-protection/vpn/vpn-name-resolution.md @@ -1,6 +1,6 @@ --- title: VPN name resolution (Windows 10) -description: tbd +description: Learn how the name resolution setting in the VPN profile configures how name resolution works when a VPN client connects to a VPN server. ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/security/identity-protection/vpn/vpn-profile-options.md b/windows/security/identity-protection/vpn/vpn-profile-options.md index 3d0fdc211e..19df534358 100644 --- a/windows/security/identity-protection/vpn/vpn-profile-options.md +++ b/windows/security/identity-protection/vpn/vpn-profile-options.md @@ -62,8 +62,7 @@ The following is a sample Native VPN profile. This blob would fall under the Pro - Eap - Eap + Eap diff --git a/windows/security/identity-protection/vpn/vpn-routing.md b/windows/security/identity-protection/vpn/vpn-routing.md index c8ce525e53..416bc57d04 100644 --- a/windows/security/identity-protection/vpn/vpn-routing.md 
+++ b/windows/security/identity-protection/vpn/vpn-routing.md
@@ -1,6 +1,6 @@
 ---
 title: VPN routing decisions (Windows 10)
-description: tbd
+description: Learn about approaches that either send all data through a VPN or only selected data. The one you choose impacts capacity planning and security expectations.
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
diff --git a/windows/security/identity-protection/vpn/vpn-security-features.md b/windows/security/identity-protection/vpn/vpn-security-features.md
index 0ac0b47d38..d8f4768540 100644
--- a/windows/security/identity-protection/vpn/vpn-security-features.md
+++ b/windows/security/identity-protection/vpn/vpn-security-features.md
@@ -1,6 +1,6 @@
 ---
 title: VPN security features (Windows 10)
-description: tbd
+description: Learn about security features for VPN, including LockDown VPN, Windows Information Protection integration with VPN, and traffic filters.
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
diff --git a/windows/security/includes/microsoft-defender.md b/windows/security/includes/microsoft-defender.md
new file mode 100644
index 0000000000..46153786b9
--- /dev/null
+++ b/windows/security/includes/microsoft-defender.md
@@ -0,0 +1,14 @@
+---
+title: Microsoft Defender rebrand guidance
+description: A note in regard to the Microsoft Defender rebrand.
+ms.date: 09/21/2020
+ms.reviewer:
+manager: dansimp
+ms.author: daniha
+author: danihalfin
+ms.prod: w10
+ms.topic: include
+---
+
+> [!IMPORTANT]
+> Welcome to **Microsoft Defender for Endpoint**, the new name for **Microsoft Defender Advanced Threat Protection**. Read more about this and other updates [here](https://www.microsoft.com/security/blog/?p=91813). We'll be updating names in products and in the docs in the near future.
diff --git a/windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md b/windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md
index 77709b6ef2..7dd0eb0898 100644
--- a/windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md +++ b/windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 02/28/2019 +ms.custom: bitlocker --- # BCD settings and BitLocker diff --git a/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.md b/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.md index 65e915649a..d6bad09f03 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.md +++ b/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.md @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 02/28/2019 +ms.custom: bitlocker --- # BitLocker and Active Directory Domain Services (AD DS) FAQ diff --git a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md index 96fc9bd8c2..dc0d879c78 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md +++ b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md @@ -15,11 +15,13 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 02/28/2019 +ms.custom: bitlocker --- # BitLocker basic deployment **Applies to** + - Windows 10 This topic for the IT professional explains how BitLocker features can be used to protect your data through drive encryption. 
@@ -30,8 +32,9 @@ BitLocker provides full volume encryption (FVE) for operating system volumes, as In the event that the drive was prepared as a single contiguous space, BitLocker requires a new volume to hold the boot files. BdeHdCfg.exe can create these volumes. -> **Note:**  For more info about using this tool, see [Bdehdcfg](https://technet.microsoft.com/library/ee732026.aspx) in the Command-Line Reference. - +> [!NOTE] +> For more info about using this tool, see [Bdehdcfg](/windows-server/administration/windows-commands/bdehdcfg) in the Command-Line Reference. + BitLocker encryption can be done using the following methods: - BitLocker control panel @@ -47,52 +50,16 @@ To start encryption for a volume, select **Turn on BitLocker** for the appropria ### Operating system volume Upon launch, the BitLocker Drive Encryption Wizard verifies the computer meets the BitLocker system requirements for encrypting an operating system volume. By default, the system requirements are: - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
          RequirementDescription

          Hardware configuration

          The computer must meet the minimum requirements for the supported Windows versions.

          Operating system

          BitLocker is an optional feature which can be installed by Server Manager on Windows Server 2012 and later.

          Hardware TPM

          TPM version 1.2 or 2.0

          -

          A TPM is not required for BitLocker; however, only a computer with a TPM can provide the additional security of pre-startup system integrity verification and multifactor authentication.

          BIOS configuration

            -
          • A Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware.

          • -
          • The boot order must be set to start first from the hard disk, and not the USB or CD drives.

          • -
          • The firmware must be able to read from a USB flash drive during startup.

          • -

          File system

          For computers that boot natively with UEFI firmware, at least one FAT32 partition for the system drive and one NTFS partition for the operating system drive.

          -

          For computers with legacy BIOS firmware, at least two NTFS disk partitions, one for the system drive and one for the operating system drive.

          -

          For either firmware, the system drive partition must be at least 350 megabytes (MB) and set as the active partition.

          Hardware encrypted drive prerequisites (optional)

          To use a hardware encrypted drive as the boot drive, the drive must be in the uninitialized state and in the security inactive state. In addition, the system must always boot with native UEFI version 2.3.1 or higher and the CSM (if any) disabled.

          - + +|Requirement|Description| +|--- |--- | +|Hardware configuration|The computer must meet the minimum requirements for the supported Windows versions.| +|Operating system|BitLocker is an optional feature which can be installed by Server Manager on Windows Server 2012 and later.| +|Hardware TPM|TPM version 1.2 or 2.0.

          A TPM is not required for BitLocker; however, only a computer with a TPM can provide the additional security of pre-startup system integrity verification and multifactor authentication.| +|BIOS configuration|

        • A Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware.
        • The boot order must be set to start first from the hard disk, and not the USB or CD drives.
        • The firmware must be able to read from a USB flash drive during startup.
        • | +|File system|For computers that boot natively with UEFI firmware, at least one FAT32 partition for the system drive and one NTFS partition for the operating system drive.
          For computers with legacy BIOS firmware, at least two NTFS disk partitions, one for the system drive and one for the operating system drive.
          For either firmware, the system drive partition must be at least 350 megabytes (MB) and set as the active partition.| +|Hardware encrypted drive prerequisites (optional)|To use a hardware encrypted drive as the boot drive, the drive must be in the uninitialized state and in the security inactive state. In addition, the system must always boot with native UEFI version 2.3.1 or higher and the CSM (if any) disabled.| + Upon passing the initial configuration, users are required to enter a password for the volume. If the volume does not pass the initial configuration for BitLocker, the user is presented with an error dialog describing the appropriate actions to be taken. Once a strong password has been created for the volume, a recovery key will be generated. The BitLocker Drive Encryption Wizard will prompt for a location to save this key. A BitLocker recovery key is a special key that you can create when you turn on BitLocker Drive Encryption for the first time on each drive that you encrypt. You can use the recovery key to gain access to your computer if the drive that Windows is installed on (the operating system drive) is encrypted using BitLocker Drive Encryption and BitLocker detects a condition that prevents it from unlocking the drive when the computer is starting up. A recovery key can also be used to gain access to your files and folders on a removable data drive (such as an external hard drive or USB flash drive) that is encrypted using BitLocker To Go, if for some reason you forget the password or your computer cannot access the drive. 
@@ -105,8 +72,9 @@ When the recovery key has been properly stored, the BitLocker Drive Encryption W It is recommended that drives with little to no data utilize the **used disk space only** encryption option and that drives with data or an operating system utilize the **encrypt entire drive** option. -> **Note:**  Deleted files appear as free space to the file system, which is not encrypted by **used disk space only**. Until they are wiped or overwritten, deleted files hold information that could be recovered with common data forensic tools. - +> [!NOTE] +> Deleted files appear as free space to the file system, which is not encrypted by **used disk space only**. Until they are wiped or overwritten, deleted files hold information that could be recovered with common data forensic tools. + Selecting an encryption type and choosing **Next** will give the user the option of running a BitLocker system check (selected by default) which will ensure that BitLocker can properly access the recovery and encryption keys before the volume encryption begins. It is recommended to run this system check before starting the encryption process. If the system check is not run and a problem is encountered when the operating system attempts to start, the user will need to provide the recovery key to start Windows. After completing the system check (if selected), the BitLocker Drive Encryption Wizard will restart the computer to begin encryption. Upon reboot, users are required to enter the password chosen to boot into the operating system volume. Users can check encryption status by checking the system notification area or the BitLocker control panel. @@ -142,52 +110,20 @@ The following table shows the compatibility matrix for systems that have been Bi Table 1: Cross compatibility for Windows 10, Windows 8.1, Windows 8, and Windows 7 encrypted volumes - ------ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

          Encryption Type

          Windows 10 and Windows 8.1

          Windows 8

          Windows 7

          Fully encrypted on Windows 8

          Presents as fully encrypted

          N/A

          Presented as fully encrypted

          Used Disk Space Only encrypted on Windows 8

          Presents as encrypt on write

          N/A

          Presented as fully encrypted

          Fully encrypted volume from Windows 7

          Presents as fully encrypted

          Presented as fully encrypted

          N/A

          Partially encrypted volume from Windows 7

          Windows 10 and Windows 8.1 will complete encryption regardless of policy

          Windows 8 will complete encryption regardless of policy

          N/A

          - +||||| +|--- |--- |--- |--- | +|Encryption Type|Windows 10 and Windows 8.1|Windows 8|Windows 7| +|Fully encrypted on Windows 8|Presents as fully encrypted|N/A|Presented as fully encrypted| +|Used Disk Space Only encrypted on Windows 8|Presents as encrypt on write|N/A|Presented as fully encrypted| +|Fully encrypted volume from Windows 7|Presents as fully encrypted|Presented as fully encrypted|N/A| +|Partially encrypted volume from Windows 7|Windows 10 and Windows 8.1 will complete encryption regardless of policy|Windows 8 will complete encryption regardless of policy|N/A| ## Encrypting volumes using the manage-bde command line interface -Manage-bde is a command-line utility that can be used for scripting BitLocker operations. Manage-bde offers additional options not displayed in the BitLocker control panel. For a complete list of the options, see [Manage-bde](https://technet.microsoft.com/library/ff829849.aspx). +Manage-bde is a command-line utility that can be used for scripting BitLocker operations. Manage-bde offers additional options not displayed in the BitLocker control panel. For a complete list of the options, see [Manage-bde](/windows-server/administration/windows-commands/manage-bde). + Manage-bde offers a multitude of wider options for configuring BitLocker. This means that using the command syntax may require care and possibly later customization by the user. For example, using just the `manage-bde -on` command on a data volume will fully encrypt the volume without any authenticating protectors. A volume encrypted in this manner still requires user interaction to turn on BitLocker protection, even though the command successfully completed because an authentication method needs to be added to the volume for it to be fully protected. + Command line users need to determine the appropriate syntax for a given situation. The following section covers general encryption for operating system volumes and data volumes. ### Operating system volume 
@@ -245,6 +181,7 @@ manage-bde -on C: ## Encrypting volumes using the BitLocker Windows PowerShell cmdlets Windows PowerShell cmdlets provide an alternative way to work with BitLocker. Using Windows PowerShell's scripting capabilities, administrators can integrate BitLocker options into existing scripts with ease. The list below displays the available BitLocker cmdlets. + @@ -371,28 +308,38 @@ Windows PowerShell cmdlets provide an alternative way to work with BitLocker. Us
          - -Similar to manage-bde, the Windows PowerShell cmdlets allow configuration beyond the options offered in the control panel. As with manage-bde, users need to consider the specific needs of the volume they are encrypting prior to running Windows PowerShell cmdlets. -A good initial step is to determine the current state of the volume(s) on the computer. You can do this using the Get-BitLocker volume cmdlet. The output from this cmdlet displays information on the volume type, protectors, protection status, and other useful information. -Occasionally, all protectors may not be shown when using Get-BitLockerVolume due to lack of space in the output display. If you do not see all of the protectors for a volume, you can use the Windows PowerShell pipe command (|) to format a listing of the protectors. -> **Note:**  In the event that there are more than four protectors for a volume, the pipe command may run out of display space. For volumes with more than four protectors, use the method described in the section below to generate a listing of all protectors with protector ID. - -`Get-BitLockerVolume C: | fl` +Similar to manage-bde, the Windows PowerShell cmdlets allow configuration beyond the options offered in the control panel. As with manage-bde, users need to consider the specific needs of the volume they are encrypting prior to running Windows PowerShell cmdlets. + +A good initial step is to determine the current state of the volume(s) on the computer. You can do this using the `Get-BitLocker` volume cmdlet. The output from this cmdlet displays information on the volume type, protectors, protection status, and other useful information. + +Occasionally, all protectors may not be shown when using **Get-BitLockerVolume** due to lack of space in the output display. If you do not see all of the protectors for a volume, you can use the Windows PowerShell pipe command (|) to format a listing of the protectors. 
+ +> [!NOTE] +> In the event that there are more than four protectors for a volume, the pipe command may run out of display space. For volumes with more than four protectors, use the method described in the section below to generate a listing of all protectors with protector ID. + +```powershell +Get-BitLockerVolume C: | fl +``` If you wanted to remove the existing protectors prior to provisioning BitLocker on the volume, you can utilize the `Remove-BitLockerKeyProtector` cmdlet. Accomplishing this requires the GUID associated with the protector to be removed. A simple script can pipe the values of each **Get-BitLockerVolume** return out to another variable as seen below: + ```powershell $vol = Get-BitLockerVolume $keyprotectors = $vol.KeyProtector ``` + Using this, we can display the information in the **$keyprotectors** variable to determine the GUID for each protector. Using this information, we can then remove the key protector for a specific volume using the command: + ```powershell Remove-BitLockerKeyProtector : -KeyProtectorID "{GUID}" ``` -> **Note:**  The BitLocker cmdlet requires the key protector GUID enclosed in quotation marks to execute. Ensure the entire GUID, with braces, is included in the command. - + +> [!NOTE] +> The BitLocker cmdlet requires the key protector GUID enclosed in quotation marks to execute. Ensure the entire GUID, with braces, is included in the command. + ### Operating system volume Using the BitLocker Windows PowerShell cmdlets is similar to working with the manage-bde tool for encrypting operating system volumes. Windows PowerShell offers users a lot of flexibility. For example, users can add the desired protector as part command for encrypting the volume. Below are examples of common user scenarios and steps to accomplish them using the BitLocker cmdlets for Windows PowerShell. 
@@ -401,11 +348,13 @@ To enable BitLocker with just the TPM protector. This can be done using the comm ```powershell Enable-BitLocker C: ``` + The example below adds one additional protector, the StartupKey protectors, and chooses to skip the BitLocker hardware test. In this example, encryption starts immediately without the need for a reboot. ```powershell Enable-BitLocker C: -StartupKeyProtector -StartupKeyPath -SkipHardwareTest ``` + ### Data volume Data volume encryption using Windows PowerShell is the same as for operating system volumes. You should add the desired protectors prior to encrypting the volume. The following example adds a password protector to the E: volume using the variable $pw as the password. The $pw variable is held as a SecureString value to store the user defined password. Last, encryption begins. 
@@ -415,33 +364,40 @@ $pw = Read-Host -AsSecureString Enable-BitLockerKeyProtector E: -PasswordProtector -Password $pw ``` + ### Using a SID based protector in Windows PowerShell The ADAccountOrGroup protector is an Active Directory SID-based protector. This protector can be added to both operating system and data volumes, although it does not unlock operating system volumes in the pre-boot environment. The protector requires the SID for the domain account or group to link with the protector. BitLocker can protect a cluster-aware disk by adding a SID-based protector for the Cluster Name Object (CNO) that lets the disk properly failover and be unlocked to any member computer of the cluster. ->**Warning:**  The SID-based protector requires the use of an additional protector (such as TPM, PIN, recovery key, etc.) when used on operating system volumes. - +> [!WARNING] +> The SID-based protector requires the use of an additional protector (such as TPM, PIN, recovery key, etc.) when used on operating system volumes. + To add an ADAccountOrGroup protector to a volume requires either the actual domain SID or the group name preceded by the domain and a backslash. In the example below, the CONTOSO\\Administrator account is added as a protector to the data volume G. ```powershell Enable-BitLocker G: -AdAccountOrGroupProtector -AdAccountOrGroup CONTOSO\Administrator ``` + For users who wish to use the SID for the account or group, the first step is to determine the SID associated with the account. To get the specific SID for a user account in Windows PowerShell, use the following command: ```powershell -get-aduser -filter {samaccountname -eq "administrator"} +Get-ADUser -filter {samaccountname -eq "administrator"} ``` -> **Note:**  Use of this command requires the RSAT-AD-PowerShell feature. -> + +> [!NOTE] +> Use of this command requires the RSAT-AD-PowerShell feature. 
+> > **Tip:**  In addition to the Windows PowerShell command above, information about the locally logged on user and group membership can be found using: WHOAMI /ALL. This does not require the use of additional features. - + In the example below, the user wishes to add a domain SID based protector to the previously encrypted operating system volume. The user knows the SID for the user account or group they wish to add and uses the following command: ```powershell Add-BitLockerKeyProtector C: -ADAccountOrGroupProtector -ADAccountOrGroup "" ``` -> **Note:**  Active Directory-based protectors are normally used to unlock Failover Cluster enabled volumes. - + +> [!NOTE] +> Active Directory-based protectors are normally used to unlock Failover Cluster enabled volumes. + ## Checking BitLocker status To check the BitLocker status of a particular volume, administrators can look at the status of the drive in the BitLocker control panel applet, Windows Explorer, manage-bde command line tool, or Windows PowerShell cmdlets. Each option offers different levels of detail and ease of use. We will look at each of the available methods in the following section. 
@@ -456,7 +412,7 @@ Checking BitLocker status with the control panel is the most common method used | **Off**| BitLocker is not enabled for the volume | | **Suspended** | BitLocker is suspended and not actively protecting the volume | | **Waiting for Activation**| BitLocker is enabled with a clear protector key and requires further action to be fully protected| - + If a drive is pre-provisioned with BitLocker, a status of "Waiting for Activation" displays with a yellow exclamation icon on the volume. This status means that there was only a clear protector used when encrypting the volume. In this case, the volume is not in a protected state and needs to have a secure key added to the volume before the drive is fully protected. Administrators can use the control panel, manage-bde tool, or WMI APIs to add an appropriate key protector. Once complete, the control panel will update to reflect the new status. Using the control panel, administrators can choose **Turn on BitLocker** to start the BitLocker Drive Encryption wizard and add a protector, like PIN for an operating system volume (or password if no TPM exists), or a password or smart card protector to a data volume. The drive security window displays prior to changing the volume status. Selecting **Activate BitLocker** will complete the encryption process. @@ -472,8 +428,10 @@ To check the status of a volume using manage-bde, use the following command: ```powershell manage-bde -status ``` -> **Note:**  If no volume letter is associated with the -status command, all volumes on the computer display their status. - + +> [!NOTE] +> If no volume letter is associated with the -status command, all volumes on the computer display their status. + ### Checking BitLocker status with Windows PowerShell Windows PowerShell commands offer another way to query BitLocker status for volumes. Like manage-bde, Windows PowerShell includes the advantage of being able to check the status of a volume on a remote computer. 
@@ -483,6 +441,7 @@ Using the Get-BitLockerVolume cmdlet, each volume on the system will display its ```powershell Get-BitLockerVolume -Verbose | fl ``` + This command will display information about the encryption method, volume type, key protectors, etc. ### Provisioning BitLocker during operating system deployment @@ -509,11 +468,13 @@ Decrypting volumes using manage-bde is very straightforward. Decryption with man ```powershell manage-bde -off C: ``` + This command disables protectors while it decrypts the volume and removes all protectors when decryption is complete. If a user wishes to check the status of the decryption, they can use the following command: ```powershell manage-bde -status C: ``` + ### Decrypting volumes using the BitLocker Windows PowerShell cmdlets Decryption with Windows PowerShell cmdlets is straightforward, similar to manage-bde. The additional advantage Windows PowerShell offers is the ability to decrypt multiple drives in one pass. In the example below, the user has three encrypted volumes, which they wish to decrypt. @@ -523,16 +484,16 @@ Using the Disable-BitLocker command, they can remove all protectors and encrypti ```powershell Disable-BitLocker ``` + If a user did not want to input each mount point individually, using the `-MountPoint` parameter in an array can sequence the same command into one line without requiring additional user input. An example command is: ```powershell Disable-BitLocker -MountPoint E:,F:,G: ``` + ## See also - [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md) - [BitLocker recovery guide](bitlocker-recovery-guide-plan.md) - [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md) - [BitLocker overview](bitlocker-overview.md) - - 
diff --git a/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md b/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md index ab57ef7b30..6de06c740a 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md +++ b/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 02/28/2019 +ms.custom: bitlocker --- # BitLocker Countermeasures diff --git a/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.md b/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.md index f8fa65855e..ea8ab3bf7a 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.md +++ b/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.md @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 02/28/2019 +ms.custom: bitlocker --- # BitLocker frequently asked questions (FAQ) diff --git a/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md b/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md index 7560239ff8..34008453ad 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md +++ b/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md @@ -14,6 +14,7 @@ ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 02/28/2019 ms.reviewer: +ms.custom: bitlocker --- # Overview of BitLocker Device Encryption in Windows 10 
diff --git a/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.md b/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.md index 3c5449bfe9..3679c9fde7 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.md +++ b/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.md @@ -15,9 +15,10 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 02/28/2019 +ms.custom: bitlocker --- -# BitLocker frequently asked questions (FAQ) +# BitLocker frequently asked questions (FAQ) resources **Applies to** - Windows 10 diff --git a/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md b/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md index 436ef15fe7..d9658a3113 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md +++ b/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md 
@@ -15,24 +15,27 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/17/2019 +ms.custom: bitlocker --- # BitLocker Group Policy settings **Applies to** -- Windows 10 + +- Windows 10 This topic for IT professionals describes the function, location, and effect of each Group Policy setting that is used to manage BitLocker Drive Encryption. To control what drive encryption tasks the user can perform from the Windows Control Panel or to modify other configuration options, you can use Group Policy administrative templates or local computer policy settings. How you configure these policy settings depends on how you implement BitLocker and what level of user interaction will be allowed. ->**Note:** A separate set of Group Policy settings supports the use of the Trusted Platform Module (TPM). For details about those settings, see [Trusted Platform Module Group Policy settings](/windows/device-security/tpm/trusted-platform-module-services-group-policy-settings). +> [!NOTE] +> A separate set of Group Policy settings supports the use of the Trusted Platform Module (TPM). For details about those settings, see [Trusted Platform Module Group Policy settings](/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings). BitLocker Group Policy settings can be accessed using the Local Group Policy Editor and the Group Policy Management Console (GPMC) under **Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption**. Most of the BitLocker Group Policy settings are applied when BitLocker is initially turned on for a drive. If a computer is not compliant with existing Group Policy settings, BitLocker may not be turned on or modified until the computer is in a compliant state. 
When a drive is out of compliance with Group Policy settings (for example, if a Group Policy setting was changed after the initial BitLocker deployment in your organization, and then the setting was applied to previously encrypted drives), no change can be made to the BitLocker configuration of that drive except a change that will bring it into compliance. If multiple changes are necessary to bring the drive into compliance, you must suspend BitLocker protection, make the necessary changes, and then resume protection. This situation could occur, for example, if a removable drive was initially configured to be unlocked with a password and then Group -Policy settings are changed to disallow passwords and require smart cards. In this situation, you need to suspend BitLocker protection by using the [Manage-bde](https://technet.microsoft.com/library/ff829849.aspx) command-line tool, delete the password unlock method, and add the smart card method. After this is complete, BitLocker is compliant with the Group Policy setting and BitLocker protection on the drive can be resumed. +Policy settings are changed to disallow passwords and require smart cards. In this situation, you need to suspend BitLocker protection by using the [Manage-bde](/windows-server/administration/windows-commands/manage-bde) command-line tool, delete the password unlock method, and add the smart card method. After this is complete, BitLocker is compliant with the Group Policy setting and BitLocker protection on the drive can be resumed. ## BitLocker Group Policy settings @@ -99,98 +102,43 @@ The following policies are used to support customized deployment scenarios in yo This policy setting allows users on devices that are compliant with Modern Standby or the Microsoft Hardware Security Test Interface (HSTI) to not have a PIN for preboot authentication. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

          Policy description

          With this policy setting, you can allow TPM-only protection for newer, more secure devices, such as devices that support Modern Standby or HSTI, while requiring PIN on older devices.

          Introduced

          Windows 10, version 1703

          Drive type

          Operating system drives

          Policy path

          Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives

          Conflicts

          This setting overrides the Require startup PIN with TPM option of the Require additional authentication at startup policy on compliant hardware. +||| +|--- |--- | +|Policy description|With this policy setting, you can allow TPM-only protection for newer, more secure devices, such as devices that support Modern Standby or HSTI, while requiring PIN on older devices.| +|Introduced|Windows 10, version 1703| +|Drive type|Operating system drives| +|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives| +|Conflicts|This setting overrides the **Require startup PIN with TPM** option of the [Require additional authentication at startup](#bkmk-unlockpol1) policy on compliant hardware.| +|When enabled|Users on Modern Standby and HSTI compliant devices will have the choice to turn on BitLocker without preboot authentication.| +|When disabled or not configured|The options of the [Require additional authentication at startup](#bkmk-unlockpol1) policy apply.| -

          When enabled

          Users on Modern Standby and HSTI compliant devices will have the choice to turn on BitLocker without preboot authentication.

          When disabled or not configured

          The options of the Require additional authentication at startup policy apply.

          +**Reference** -Reference - -The preboot authentication option Require startup PIN with TPM of the [Require additional authentication at startup](#bkmk-unlockpol1) policy is often enabled to help ensure security for older devices that do not support Modern Standby. -But visually impaired users have no audible way to know when to enter a PIN. +The preboot authentication option **Require startup PIN with TPM** of the [Require additional authentication at startup](#bkmk-unlockpol1) policy is often enabled to help ensure security for older devices that do not support Modern Standby. But visually impaired users have no audible way to know when to enter a PIN. This setting enables an exception to the PIN-required policy on secure hardware. ### Allow network unlock at startup This policy controls a portion of the behavior of the Network Unlock feature in BitLocker. This policy is required to enable BitLocker Network Unlock on a network because it allows clients running BitLocker to create the necessary network key protector during encryption. + This policy is used in addition to the BitLocker Drive Encryption Network Unlock Certificate security policy (located in the **Public Key Policies** folder of Local Computer Policy) to allow systems that are connected to a trusted network to properly utilize the Network Unlock feature. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

          Policy description

          With this policy setting, you can control whether a BitLocker-protected computer that is connected to a trusted local area network and joined to a domain can create and use network key protectors on TPM-enabled computers to automatically unlock the operating system drive when the computer is started.

          Introduced

          Windows Server 2012 and Windows 8

          Drive type

          Operating system drives

          Policy path

          Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives

          Conflicts

          None

          When enabled

          Clients configured with a BitLocker Network Unlock certificate can create and use Network Key Protectors.

          When disabled or not configured

          Clients cannot create and use Network Key Protectors

          +||| +|--- |--- | +|Policy description|With this policy setting, you can control whether a BitLocker-protected computer that is connected to a trusted local area network and joined to a domain can create and use network key protectors on TPM-enabled computers to automatically unlock the operating system drive when the computer is started.| +|Introduced|Windows Server 2012 and Windows 8| +|Drive type|Operating system drives| +|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives| +|Conflicts|None| +|When enabled|Clients configured with a BitLocker Network Unlock certificate can create and use Network Key Protectors.| +|When disabled or not configured|Clients cannot create and use Network Key Protectors| -Reference +**Reference** To use a network key protector to unlock the computer, the computer and the server that hosts BitLocker Drive Encryption Network Unlock must be provisioned with a Network Unlock certificate. The Network Unlock certificate is used to create a network key protector and to protect the information exchange with the server to unlock the computer. You can use the Group Policy setting **Computer Configuration\\Windows Settings\\Security Settings\\Public Key Policies\\BitLocker Drive Encryption Network Unlock Certificate** on the domain controller to distribute this certificate to computers in your organization. This unlock method uses the TPM on the computer, so computers that do not have a TPM cannot create network key protectors to automatically unlock by using Network Unlock. ->**Note:** For reliability and security, computers should also have a TPM startup PIN that can be used when the computer is disconnected from the wired network or cannot connect to the domain controller at startup. 
+> [!NOTE] +> For reliability and security, computers should also have a TPM startup PIN that can be used when the computer is disconnected from the wired network or cannot connect to the domain controller at startup. For more information about Network Unlock, see [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md). @@ -198,46 +146,17 @@ For more information about Network Unlock, see [BitLocker: How to enable Network This policy setting is used to control which unlock options are available for operating system drives. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

          Policy description

          With this policy setting, you can configure whether BitLocker requires additional authentication each time the computer starts and whether you are using BitLocker with a Trusted Platform Module (TPM). This policy setting is applied when you turn on BitLocker.

          Introduced

          Windows Server 2008 R2 and Windows 7

          Drive type

          Operating system drives

          Policy path

          Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives

          Conflicts

          If one authentication method is required, the other methods cannot be allowed.

          -

          Use of BitLocker with a TPM startup key or with a TPM startup key and a PIN must be disallowed if the Deny write access to removable drives not protected by BitLocker policy setting is enabled.

          When enabled

          Users can configure advanced startup options in the BitLocker Setup Wizard.

          When disabled or not configured

          Users can configure only basic options on computers with a TPM.

          -

          Only one of the additional authentication options can be required at startup; otherwise, a policy error occurs.

          +||| +|--- |--- | +|Policy description|With this policy setting, you can configure whether BitLocker requires additional authentication each time the computer starts and whether you are using BitLocker with a Trusted Platform Module (TPM). This policy setting is applied when you turn on BitLocker.| +|Introduced|Windows Server 2008 R2 and Windows 7| +|Drive type|Operating system drives| +|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives| +|Conflicts|If one authentication method is required, the other methods cannot be allowed. Use of BitLocker with a TPM startup key or with a TPM startup key and a PIN must be disallowed if the **Deny write access to removable drives not protected by BitLocker** policy setting is enabled.| +|When enabled|Users can configure advanced startup options in the BitLocker Setup Wizard.| +|When disabled or not configured|Users can configure only basic options on computers with a TPM.

          Only one of the additional authentication options can be required at startup; otherwise, a policy error occurs.| -Reference +**Reference** If you want to use BitLocker on a computer without a TPM, select **Allow BitLocker without a compatible TPM**. In this mode, a password or USB drive is required for startup. The USB drive stores the startup key that is used to encrypt the drive. When the USB drive is inserted, the startup key is authenticated and the operating system drive is accessible. If the USB drive is lost or unavailable, BitLocker recovery is required to access the drive. @@ -275,101 +194,46 @@ There are four options for TPM-enabled computers or devices: This policy setting permits the use of enhanced PINs when you use an unlock method that includes a PIN. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

          Policy description

          With this policy setting, you can configure whether enhanced startup PINs are used with BitLocker.

          Introduced

          Windows Server 2008 R2 and Windows 7

          Drive type

          Operating system drives

          Policy path

          Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives

          Conflicts

          None

          When enabled

          All new BitLocker startup PINs that are set will be enhanced PINs. Existing drives that were protected by using standard startup PINs are not affected.

          When disabled or not configured

          Enhanced PINs will not be used.

          - +||| +|--- |--- | +|Policy description|With this policy setting, you can configure whether enhanced startup PINs are used with BitLocker.| +|Introduced|Windows Server 2008 R2 and Windows 7| +|Drive type|Operating system drives| +|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives| +|Conflicts|None| +|When enabled|All new BitLocker startup PINs that are set will be enhanced PINs. Existing drives that were protected by using standard startup PINs are not affected.| +|When disabled or not configured|Enhanced PINs will not be used.| **Reference** Enhanced startup PINs permit the use of characters (including uppercase and lowercase letters, symbols, numbers, and spaces). This policy setting is applied when you turn on BitLocker. ->**Important:** Not all computers support enhanced PIN characters in the preboot environment. It is strongly recommended that users perform a system check during the BitLocker setup to verify that enhanced PIN characters can be used. +> [!IMPORANT] +> Not all computers support enhanced PIN characters in the preboot environment. It is strongly recommended that users perform a system check during the BitLocker setup to verify that enhanced PIN characters can be used. ### Configure minimum PIN length for startup This policy setting is used to set a minimum PIN length when you use an unlock method that includes a PIN. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

          Policy description

          With this policy setting, you can configure a minimum length for a TPM startup PIN. This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 4 digits, and it can have a maximum length of 20 digits. By default, the minimum PIN length is 6.

          Introduced

          Windows Server 2008 R2 and Windows 7

          Drive type

          Operating system drives

          Policy path

          Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives

          Conflicts

          None

          When enabled

          You can require that startup PINs set by users must have a minimum length you choose that is between 4 and 20 digits.

          When disabled or not configured

          Users can configure a startup PIN of any length between 6 and 20 digits.

          +||| +|--- |--- | +|Policy description|With this policy setting, you can configure a minimum length for a TPM startup PIN. This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 4 digits, and it can have a maximum length of 20 digits. By default, the minimum PIN length is 6.| +|Introduced|Windows Server 2008 R2 and Windows 7| +|Drive type|Operating system drives| +|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives| +|Conflicts|None| +|When enabled|You can require that startup PINs set by users must have a minimum length you choose that is between 4 and 20 digits.| +|When disabled or not configured|Users can configure a startup PIN of any length between 6 and 20 digits.| -Reference +**Reference** -This policy setting is applied when you turn on BitLocker. -The startup PIN must have a minimum length of 4 digits and can have a maximum length of 20 digits. +This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 4 digits and can have a maximum length of 20 digits. Originally, BitLocker allowed from 4 to 20 characters for a PIN. Windows Hello has its own PIN for logon, which can be 4 to 127 characters. Both BitLocker and Windows Hello use the TPM to prevent PIN brute-force attacks. -The TPM can be configured to use Dictionary Attack Prevention parameters ([lockout threshold and lockout duration](/windows/device-security/tpm/trusted-platform-module-services-group-policy-settings)) to control how many failed authorizations attempts are allowed before the TPM is locked out, and how much time must elapse before another attempt can be made. 
+The TPM can be configured to use Dictionary Attack Prevention parameters ([lockout threshold and lockout duration](/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings)) to control how many failed authorizations attempts are allowed before the TPM is locked out, and how much time must elapse before another attempt can be made. The Dictionary Attack Prevention Parameters provide a way to balance security needs with usability. For example, when BitLocker is used with a TPM + PIN configuration, the number of PIN guesses is limited over time. 
@@ -388,61 +252,33 @@ If the minimum PIN length is reduced from the default of six characters, then th This policy setting allows you to block direct memory access (DMA) for all hot pluggable PCI ports until a user signs in to Windows. -| | | -| - | - | -| **Policy description** | This setting helps prevent attacks that use external PCI-based devices to access BitLocker keys. | -| **Introduced** | Windows 10, version 1703 | -| **Drive type** | Operating system drives | -| **Policy path** | Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption| -| **Conflicts** | None | -| **When enabled** | Every time the user locks the screen, DMA will be blocked on hot pluggable PCI ports until the user signs in again. | -| **When disabled or not configured** | DMA is available on hot pluggable PCI devices if the device is turned on, regardless of whether a user is signed in.| +| | | +|---------|---------| +|Policy description|This setting helps prevent attacks that use external PCI-based devices to access BitLocker keys.| +|Introduced|Windows 10, version 1703| +|Drive type|Operating system drives| +|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption| +|Conflicts|None| +|When enabled|Every time the user locks the scree, DMA will be blocked on hot pluggable PCI ports until the user signs in again.| +|When disabled or not configured|DMA is available on hot pluggable PCI devices if the device is turned on, regardless of whether a user is signed in.| **Reference** -This policy setting is only enforced when BitLocker or device encryption is enabled. As explained in the [Microsoft Security Guidance blog](https://blogs.technet.microsoft.com/secguide/2018/01/18/issue-with-bitlockerdma-setting-in-windows-10-fall-creators-update-v1709/), in some cases when this setting is enabled, internal, PCI-based peripherals can fail, including wireless network drivers and input and audio peripherals. 
This problem is fixed in the [April 2018 quality update](https://support.microsoft.com/help/4093105/windows-10-update-kb4093105). +This policy setting is only enforced when BitLocker or device encryption is enabled. As explained in the [Microsoft Security Guidance blog](https://blogs.technet.microsoft.com/secguide/2018/01/18/issue-with-bitlockerdma-setting-in-windows-10-fall-creators-update-v1709/), in some cases when this setting is enabled, internal, PCI-based peripherals can fail, including wireless network drivers and input and audio peripherals. This problem is fixed in the [April 2018 quality update](https://support.microsoft.com/help/4093105). ### Disallow standard users from changing the PIN or password This policy setting allows you to configure whether standard users are allowed to change the PIN or password that is used to protect the operating system drive. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

          Policy description

          With this policy setting, you can configure whether standard users are allowed to change the PIN or password used to protect the operating system drive.

          Introduced

          Windows Server 2012 and Windows 8

          Drive type

          Operating system drives

          Policy path

          Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives

          Conflicts

          None

          When enabled

          Standard users are not allowed to change BitLocker PINs or passwords.

          When disabled or not configured

          Standard users are permitted to change BitLocker PINs or passwords.

          - +||| +|--- |--- | +|Policy description|With this policy setting, you can configure whether standard users are allowed to change the PIN or password used to protect the operating system drive.| +|Introduced|Windows Server 2012 and Windows 8| +|Drive type|Operating system drives| +|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives| +|Conflicts|None| +|When enabled|Standard users are not allowed to change BitLocker PINs or passwords.| +|When disabled or not configured|Standard users are permitted to change BitLocker PINs or passwords.| **Reference** @@ -452,55 +288,22 @@ To change the PIN or password, the user must be able to provide the current PIN This policy controls how non-TPM based systems utilize the password protector. Used in conjunction with the **Password must meet complexity requirements** policy, this policy allows administrators to require password length and complexity for using the password protector. By default, passwords must be eight characters in length. Complexity configuration options determine how important domain connectivity is for the client. For the strongest password security, administrators should choose **Require password complexity** because it requires domain connectivity, and it requires that the BitLocker password meets the same password complexity requirements as domain sign-in passwords. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

          Policy description

          With this policy setting, you can specify the constraints for passwords that are used to unlock operating system drives that are protected with BitLocker.

          Introduced

          Windows Server 2012 and Windows 8

          Drive type

          Operating system drives

          Policy path

          Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives

          Conflicts

          Passwords cannot be used if FIPS-compliance is enabled.

          -
          -Note

          The System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing policy setting, which is located at Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options specifies whether FIPS-compliance is enabled.

          -
          -
          - -

          When enabled

          Users can configure a password that meets the requirements you define. To enforce complexity requirements for the password, select Require complexity.

          When disabled or not configured

          The default length constraint of 8 characters will apply to operating system drive passwords and no complexity checks will occur.

          - +||| +|--- |--- | +|Policy description|With this policy setting, you can specify the constraints for passwords that are used to unlock operating system drives that are protected with BitLocker.| +|Introduced|Windows Server 2012 and Windows 8| +|Drive type|Operating system drives| +|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives| +|Conflicts|Passwords cannot be used if FIPS-compliance is enabled.


          **NOTE:** The **System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing** policy setting, which is located at **Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options** specifies whether FIPS-compliance is enabled.| +|When enabled|Users can configure a password that meets the requirements you define. To enforce complexity requirements for the password, select **Require complexity**.| +|When disabled or not configured|The default length constraint of 8 characters will apply to operating system drive passwords and no complexity checks will occur.| **Reference** If non-TPM protectors are allowed on operating system drives, you can provision a password, enforce complexity requirements on the password, and configure a minimum length for the password. For the complexity requirement setting to be effective, the Group Policy setting **Password must meet complexity requirements**, which is located at **Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy\\** must be also enabled. ->**Note:** These settings are enforced when turning on BitLocker, not when unlocking a volume. BitLocker allows unlocking a drive with any of the protectors that are available on the drive. +> [!NOTE] +> These settings are enforced when turning on BitLocker, not when unlocking a volume. BitLocker allows unlocking a drive with any of the protectors that are available on the drive. When set to **Require complexity**, a connection to a domain controller is necessary when BitLocker is enabled to validate the complexity the password. When set to **Allow complexity**, a connection to a domain controller is attempted to validate that the complexity adheres to the rules set by the policy. If no domain controllers are found, the password will be accepted regardless of actual password complexity, and the drive will be encrypted by using that password as a protector. 
When set to **Do not allow complexity**, there is no password complexity validation. Passwords must be at least 8 characters. To configure a greater minimum length for the password, enter the desired number of characters in the **Minimum password length** box. @@ -515,44 +318,17 @@ When this policy setting is enabled, you can set the option **Configure password This policy setting is used to control what unlock options are available for computers running Windows Server 2008 or Windows Vista. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

          Policy description

          With this policy setting, you can control whether the BitLocker Setup Wizard on computers running Windows Vista or Windows Server 2008 can set up an additional authentication method that is required each time the computer starts.

          Introduced

          Windows Server 2008 and Windows Vista

          Drive type

          Operating system drives (Windows Server 2008 and Windows Vista)

          Policy path

          Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives

          Conflicts

          If you choose to require an additional authentication method, other authentication methods cannot be allowed.

          When enabled

          The BitLocker Setup Wizard displays the page that allows the user to configure advanced startup options for BitLocker. You can further configure setting options for computers with or without a TPM.

          When disabled or not configured

          The BitLocker Setup Wizard displays basic steps that allow users to enable BitLocker on computers with a TPM. In this basic wizard, no additional startup key or startup PIN can be configured.

          +||| +|--- |--- | +|Policy description|With this policy setting, you can control whether the BitLocker Setup Wizard on computers running Windows Vista or Windows Server 2008 can set up an additional authentication method that is required each time the computer starts.| +|Introduced|Windows Server 2008 and Windows Vista| +|Drive type|Operating system drives (Windows Server 2008 and Windows Vista)| +|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives| +|Conflicts|If you choose to require an additional authentication method, other authentication methods cannot be allowed.| +|When enabled|The BitLocker Setup Wizard displays the page that allows the user to configure advanced startup options for BitLocker. You can further configure setting options for computers with or without a TPM.| +|When disabled or not configured|The BitLocker Setup Wizard displays basic steps that allow users to enable BitLocker on computers with a TPM. In this basic wizard, no additional startup key or startup PIN can be configured.| -Reference +**Reference** On a computer with a compatible TPM, two authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can require users to insert a USB drive that contains a startup key. It can also require users to enter a 6-digit to 20-digit startup PIN. @@ -579,97 +355,38 @@ To hide the advanced page on a TPM-enabled computer or device, set these options This policy setting is used to require, allow, or deny the use of smart cards with fixed data drives. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

          Policy description

          With this policy setting, you can specify whether smart cards can be used to authenticate user access to the BitLocker-protected fixed data drives on a computer.

          Introduced

          Windows Server 2008 R2 and Windows 7

          Drive type

          Fixed data drives

          Policy path

          Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives

          Conflicts

          To use smart cards with BitLocker, you may also need to modify the object identifier setting in the Computer Configuration\Administrative Templates\BitLocker Drive Encryption\Validate smart card certificate usage rule compliance policy setting to match the object identifier of your smart card certificates.

          When enabled

          Smart cards can be used to authenticate user access to the drive. You can require smart card authentication by selecting the Require use of smart cards on fixed data drives check box.

          When disabled

          Users cannot use smart cards to authenticate their access to BitLocker-protected fixed data drives.

          When not configured

          Smart cards can be used to authenticate user access to a BitLocker-protected drive.

          +||| +|--- |--- | +|Policy description|With this policy setting, you can specify whether smart cards can be used to authenticate user access to the BitLocker-protected fixed data drives on a computer.| +|Introduced|Windows Server 2008 R2 and Windows 7| +|Drive type|Fixed data drives| +|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives| +|Conflicts|To use smart cards with BitLocker, you may also need to modify the object identifier setting in the **Computer Configuration\Administrative Templates\BitLocker Drive Encryption\Validate smart card certificate usage rule compliance** policy setting to match the object identifier of your smart card certificates.| +|When enabled|Smart cards can be used to authenticate user access to the drive. You can require smart card authentication by selecting the **Require use of smart cards on fixed data drives** check box.| +|When disabled|Users cannot use smart cards to authenticate their access to BitLocker-protected fixed data drives.| +|When not configured|Smart cards can be used to authenticate user access to a BitLocker-protected drive.| -Reference +**Reference** ->**Note:** These settings are enforced when turning on BitLocker, not when unlocking a drive. BitLocker allows unlocking a drive by using any of the protectors that are available on the drive. +> [!NOTE] +> These settings are enforced when turning on BitLocker, not when unlocking a drive. BitLocker allows unlocking a drive by using any of the protectors that are available on the drive. ### Configure use of passwords on fixed data drives This policy setting is used to require, allow, or deny the use of passwords with fixed data drives. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

          Policy description

          With this policy setting, you can specify whether a password is required to unlock BitLocker-protected fixed data drives.

          Introduced

          Windows Server 2008 R2 and Windows 7

          Drive type

          Fixed data drives

          Policy path

          Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives

          Conflicts

          To use password complexity, the Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Password must meet complexity requirements policy setting must also be enabled.

          When enabled

          Users can configure a password that meets the requirements you define. To require the use of a password, select Require password for fixed data drive. To enforce complexity requirements on the password, select Require complexity.

          When disabled

          The user is not allowed to use a password.

          When not configured

          Passwords are supported with the default settings, which do not include password complexity requirements and require only 8 characters.

          +||| +|--- |--- | +|Policy description|With this policy setting, you can specify whether a password is required to unlock BitLocker-protected fixed data drives.| +|Introduced|Windows Server 2008 R2 and Windows 7| +|Drive type|Fixed data drives| +|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives| +|Conflicts|To use password complexity, the **Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Password must meet complexity requirements** policy setting must also be enabled.| +|When enabled|Users can configure a password that meets the requirements you define. To require the use of a password, select **Require password for fixed data drive**. To enforce complexity requirements on the password, select **Require complexity**.| +|When disabled|The user is not allowed to use a password.| +|When not configured|Passwords are supported with the default settings, which do not include password complexity requirements and require only 8 characters.| -Reference +**Reference** When set to **Require complexity**, a connection to a domain controller is necessary to validate the complexity of the password when BitLocker is enabled. 
@@ -679,115 +396,58 @@ When set to **Do not allow complexity**, no password complexity validation is pe Passwords must be at least 8 characters. To configure a greater minimum length for the password, enter the desired number of characters in the **Minimum password length** box. ->**Note:** These settings are enforced when turning on BitLocker, not when unlocking a drive. BitLocker allows unlocking a drive with any of the protectors that are available on the drive. +> [!NOTE] +> These settings are enforced when turning on BitLocker, not when unlocking a drive. BitLocker allows unlocking a drive with any of the protectors that are available on the drive. For the complexity requirement setting to be effective, the Group Policy setting **Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy\\Password must meet complexity requirements** must also be enabled. This policy setting is configured on a per-computer basis. This means that it applies to local user accounts and domain user accounts. Because the password filter that is used to validate password complexity is located on the domain controllers, local user accounts cannot access the password filter because they are not authenticated for domain access. When this policy setting is enabled, if you sign in with a local user account, and you attempt to encrypt a drive or change a password on an existing BitLocker-protected drive, an "Access denied" error message is displayed. In this situation, the password key protector cannot be added to the drive. Enabling this policy setting requires that connectivity to a domain be established before adding a password key protector to a BitLocker-protected drive. 
Users who work remotely and have periods of time in which they cannot connect to the domain should be made aware of this requirement so that they can schedule a time when they will be connected to the domain to turn on BitLocker or to change a password on a BitLocker-protected data drive. ->**Important:** Passwords cannot be used if FIPS compliance is enabled. The **System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing** policy setting in **Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options** specifies whether FIPS compliance is enabled. +> [!IMPORTANT] +> Passwords cannot be used if FIPS compliance is enabled. The **System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing** policy setting in **Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options** specifies whether FIPS compliance is enabled. ### Configure use of smart cards on removable data drives This policy setting is used to require, allow, or deny the use of smart cards with removable data drives. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

          Policy description

          With this policy setting, you can specify whether smart cards can be used to authenticate user access to BitLocker-protected removable data drives on a computer.

          Introduced

          Windows Server 2008 R2 and Windows 7

          Drive type

          Removable data drives

          Policy path

          Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives

          Conflicts

          To use smart cards with BitLocker, you may also need to modify the object identifier setting in the Computer Configuration\Administrative Templates\BitLocker Drive Encryption\Validate smart card certificate usage rule compliance policy setting to match the object identifier of your smart card certificates.

          When enabled

          Smart cards can be used to authenticate user access to the drive. You can require smart card authentication by selecting the Require use of smart cards on removable data drives check box.

          When disabled or not configured

          Users are not allowed to use smart cards to authenticate their access to BitLocker-protected removable data drives.

          When not configured

          Smart cards are available to authenticate user access to a BitLocker-protected removable data drive.

          +||| +|--- |--- | +|Policy description|With this policy setting, you can specify whether smart cards can be used to authenticate user access to BitLocker-protected removable data drives on a computer.| +|Introduced|Windows Server 2008 R2 and Windows 7| +|Drive type|Removable data drives| +|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives| +|Conflicts|To use smart cards with BitLocker, you may also need to modify the object identifier setting in the **Computer Configuration\Administrative Templates\BitLocker Drive Encryption\Validate smart card certificate usage rule compliance** policy setting to match the object identifier of your smart card certificates.| +|When enabled|Smart cards can be used to authenticate user access to the drive. You can require smart card authentication by selecting the **Require use of smart cards on removable data drives** check box.| +|When disabled or not configured|Users are not allowed to use smart cards to authenticate their access to BitLocker-protected removable data drives.| +|When not configured|Smart cards are available to authenticate user access to a BitLocker-protected removable data drive.| -Reference +**Reference** ->**Note:** These settings are enforced when turning on BitLocker, not when unlocking a drive. BitLocker allows unlocking a drive with any of the protectors that are available on the drive. +> [!NOTE] +> These settings are enforced when turning on BitLocker, not when unlocking a drive. BitLocker allows unlocking a drive with any of the protectors that are available on the drive. ### Configure use of passwords on removable data drives This policy setting is used to require, allow, or deny the use of passwords with removable data drives. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

          Policy description

          With this policy setting, you can specify whether a password is required to unlock BitLocker-protected removable data drives.

          Introduced

          Windows Server 2008 R2 and Windows 7

          Drive type

          Removable data drives

          Policy path

          Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives

          Conflicts

          To use password complexity, the Password must meet complexity requirements policy setting, which is located at Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy must also be enabled.

          When enabled

          Users can configure a password that meets the requirements you define. To require the use of a password, select Require password for removable data drive. To enforce complexity requirements on the password, select Require complexity.

          When disabled

          The user is not allowed to use a password.

          When not configured

          Passwords are supported with the default settings, which do not include password complexity requirements and require only 8 characters.

          - -Reference +||| +|--- |--- | +|Policy description|With this policy setting, you can specify whether a password is required to unlock BitLocker-protected removable data drives.| +|Introduced|Windows Server 2008 R2 and Windows 7| +|Drive type|Removable data drives| +|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives| +|Conflicts|To use password complexity, the **Password must meet complexity requirements** policy setting, which is located at **Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy** must also be enabled.| +|When enabled|Users can configure a password that meets the requirements you define. To require the use of a password, select **Require password for removable data drive**. To enforce complexity requirements on the password, select **Require complexity**.| +|When disabled|The user is not allowed to use a password.| +|When not configured|Passwords are supported with the default settings, which do not include password complexity requirements and require only 8 characters.| +**Reference** If you choose to allow the use of a password, you can require a password to be used, enforce complexity requirements, and configure a minimum length. For the complexity requirement setting to be effective, the Group Policy setting **Password must meet complexity requirements**, which is located at **Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy** must also be enabled. ->**Note:** These settings are enforced when turning on BitLocker, not when unlocking a drive. BitLocker allows unlocking a drive with any of the protectors that are available on the drive. +> [!NOTE] +> These settings are enforced when turning on BitLocker, not when unlocking a drive. BitLocker allows unlocking a drive with any of the protectors that are available on the drive. Passwords must be at least 8 characters. 
To configure a greater minimum length for the password, enter the desired number of characters in the **Minimum password length** box. @@ -797,52 +457,26 @@ When set to **Allow complexity**, a connection to a domain controller will be at When set to **Do not allow complexity**, no password complexity validation will be done. ->**Note:** Passwords cannot be used if FIPS compliance is enabled. The **System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing** policy setting in **Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options** specifies whether FIPS compliance is enabled. +> [!NOTE] +> Passwords cannot be used if FIPS compliance is enabled. The **System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing** policy setting in **Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options** specifies whether FIPS compliance is enabled. -For information about this setting, see [System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing](https://technet.microsoft.com/library/jj852211.aspx). +For information about this setting, see [System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing](/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing). ### Validate smart card certificate usage rule compliance This policy setting is used to determine what certificate to use with BitLocker. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

          Policy description

          With this policy setting, you can associate an object identifier from a smart card certificate to a BitLocker-protected drive.

          Introduced

          Windows Server 2008 R2 and Windows 7

          Drive type

          Fixed and removable data drives

          Policy path

          Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption

          Conflicts

          None

          When enabled

          The object identifier that is specified in the Object identifier setting must match the object identifier in the smart card certificate.

          When disabled or not configured

          The default object identifier is used.

          +||| +|--- |--- | +|Policy description|With this policy setting, you can associate an object identifier from a smart card certificate to a BitLocker-protected drive.| +|Introduced|Windows Server 2008 R2 and Windows 7| +|Drive type|Fixed and removable data drives| +|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption| +|Conflicts|None| +|When enabled|The object identifier that is specified in the **Object identifier** setting must match the object identifier in the smart card certificate.| +|When disabled or not configured|The default object identifier is used.| -Reference +**Reference** This policy setting is applied when you turn on BitLocker. @@ -850,50 +484,24 @@ The object identifier is specified in the enhanced key usage (EKU) of a certific The default object identifier is 1.3.6.1.4.1.311.67.1.1. ->**Note:** BitLocker does not require that a certificate have an EKU attribute; however, if one is configured for the certificate, it must be set to an object identifier that matches the object identifier configured for BitLocker. +> [!NOTE] +> BitLocker does not require that a certificate have an EKU attribute; however, if one is configured for the certificate, it must be set to an object identifier that matches the object identifier configured for BitLocker. ### Enable use of BitLocker authentication requiring preboot keyboard input on slates This policy setting allows users to enable authentication options that require user input from the preboot environment even if the platform indicates a lack of preboot input capability. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

          Policy description

          With this policy setting, you can allow users to enable authentication options that require user input from the preboot environment, even if the platform indicates a lack of preboot input capability.

          Introduced

          Windows Server 2012 and Windows 8

          Drive type

          Operating system drive

          Policy path

          Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drive

          Conflicts

          None

          When enabled

          Devices must have an alternative means of preboot input (such as an attached USB keyboard).

          When disabled or not configured

          The Windows Recovery Environment must be enabled on tablets to support entering the BitLocker recovery password.

          +||| +|--- |--- | +|Policy description|With this policy setting, you can allow users to enable authentication options that require user input from the preboot environment, even if the platform indicates a lack of preboot input capability.| +|Introduced|Windows Server 2012 and Windows 8| +|Drive type|Operating system drive| +|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drive| +|Conflicts|None| +|When enabled|Devices must have an alternative means of preboot input (such as an attached USB keyboard).| +|When disabled or not configured|The Windows Recovery Environment must be enabled on tablets to support entering the BitLocker recovery password.| -Reference +**Reference** The Windows touch keyboard (such as used by tablets) is not available in the preboot environment where BitLocker requires additional information, such as a PIN or password. @@ -911,44 +519,17 @@ If you do not enable this policy setting, the following options in the **Require This policy setting is used to require encryption of fixed drives prior to granting Write access. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

          Policy description

          With this policy setting, you can set whether BitLocker protection is required for fixed data drives to be writable on a computer.

          Introduced

          Windows Server 2008 R2 and Windows 7

          Drive type

          Fixed data drives

          Policy path

          Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives

          Conflicts

          See the Reference section for a description of conflicts.

          When enabled

          All fixed data drives that are not BitLocker-protected are mounted as Read-only. If the drive is protected by BitLocker, it is mounted with Read and Write access.

          When disabled or not configured

          All fixed data drives on the computer are mounted with Read and Write access.

          +||| +|--- |--- | +|Policy description|With this policy setting, you can set whether BitLocker protection is required for fixed data drives to be writable on a computer.| +|Introduced|Windows Server 2008 R2 and Windows 7| +|Drive type|Fixed data drives| +|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives| +|Conflicts|See the Reference section for a description of conflicts.| +|When enabled|All fixed data drives that are not BitLocker-protected are mounted as Read-only. If the drive is protected by BitLocker, it is mounted with Read and Write access.| +|When disabled or not configured|All fixed data drives on the computer are mounted with Read and Write access.| -Reference +**Reference** This policy setting is applied when you turn on BitLocker. @@ -966,48 +547,22 @@ Conflict considerations include: This policy setting is used to require that removable drives are encrypted prior to granting Write access, and to control whether BitLocker-protected removable drives that were configured in another organization can be opened with Write access. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

          Policy description

          With this policy setting, you can configure whether BitLocker protection is required for a computer to be able to write data to a removable data drive.

          Introduced

          Windows Server 2008 R2 and Windows 7

          Drive type

          Removable data drives

          Policy path

          Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives

          Conflicts

          See the Reference section for a description of conflicts.

          When enabled

          All removable data drives that are not BitLocker-protected are mounted as Read-only. If the drive is protected by BitLocker, it is mounted with Read and Write access.

          When disabled or not configured

          All removable data drives on the computer are mounted with Read and Write access.

+|||
+|--- |--- |
+|Policy description|With this policy setting, you can configure whether BitLocker protection is required for a computer to be able to write data to a removable data drive.|
+|Introduced|Windows Server 2008 R2 and Windows 7|
+|Drive type|Removable data drives|
+|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives|
+|Conflicts|See the Reference section for a description of conflicts.|
+|When enabled|All removable data drives that are not BitLocker-protected are mounted as Read-only. If the drive is protected by BitLocker, it is mounted with Read and Write access.|
+|When disabled or not configured|All removable data drives on the computer are mounted with Read and Write access.|
-Reference
+**Reference**
 If the **Deny write access to devices configured in another organization** option is selected, only drives with identification fields that match the computer's identification fields are given Write access. When a removable data drive is accessed, it is checked for a valid identification field and allowed identification fields. These fields are defined by the **Provide the unique identifiers for your organization** policy setting.
->**Note:** You can override this policy setting with the policy settings under **User Configuration\\Administrative Templates\\System\\Removable Storage Access**. If the **Removable Disks: Deny write access** policy setting is enabled, this policy setting will be ignored.
+> [!NOTE]
+> You can override this policy setting with the policy settings under **User Configuration\\Administrative Templates\\System\\Removable Storage Access**. If the **Removable Disks: Deny write access** policy setting is enabled, this policy setting will be ignored.
 Conflict considerations include:
@@ -1019,52 +574,22 @@ Conflict considerations include: This policy setting is used to prevent users from turning BitLocker on or off on removable data drives. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

          Policy description

          With this policy setting, you can control the use of BitLocker on removable data drives.

          Introduced

          Windows Server 2008 R2 and Windows 7

          Drive type

          Removable data drives

          Policy path

          Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives

          Conflicts

          None

          When enabled

          You can select property settings that control how users can configure BitLocker.

          When disabled

          Users cannot use BitLocker on removable data drives.

          When not configured

          Users can use BitLocker on removable data drives.

          +||| +|--- |--- | +|Policy description|With this policy setting, you can control the use of BitLocker on removable data drives.| +|Introduced|Windows Server 2008 R2 and Windows 7| +|Drive type|Removable data drives| +|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives| +|Conflicts|None| +|When enabled|You can select property settings that control how users can configure BitLocker.| +|When disabled|Users cannot use BitLocker on removable data drives.| +|When not configured|Users can use BitLocker on removable data drives.| -Reference +**Reference** This policy setting is applied when you turn on BitLocker. -For information about suspending BitLocker protection, see [BitLocker Basic Deployment](https://technet.microsoft.com/library/dn383581.aspx). +For information about suspending BitLocker protection, see [BitLocker Basic Deployment](bitlocker-basic-deployment.md). The options for choosing property settings that control how users can configure BitLocker are: @@ -1075,44 +600,17 @@ The options for choosing property settings that control how users can configure This policy setting is used to control the encryption method and cipher strength. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

          Policy description

          With this policy setting, you can control the encryption method and strength for drives.

          Introduced

          Windows Server 2012 and Windows 8

          Drive type

          All drives

          Policy path

          Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption

          Conflicts

          None

          When enabled

          You can choose an encryption algorithm and key cipher strength for BitLocker to use to encrypt drives.

          When disabled or not configured

          Beginning with Windows 10, version 1511, BitLocker uses the default encryption method of XTS-AES 128-bit or the encryption method that is specified by the setup script. Windows Phone does not support XTS; it uses AES-CBC 128-bit by default and supports AES-CBC 256-bit by policy.

+|||
+|--- |--- |
+|Policy description|With this policy setting, you can control the encryption method and strength for drives.|
+|Introduced|Windows Server 2012 and Windows 8|
+|Drive type|All drives|
+|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption|
+|Conflicts|None|
+|When enabled|You can choose an encryption algorithm and key cipher strength for BitLocker to use to encrypt drives.|
+|When disabled or not configured|Beginning with Windows 10, version 1511, BitLocker uses the default encryption method of XTS-AES 128-bit or the encryption method that is specified by the setup script. Windows Phone does not support XTS; it uses AES-CBC 128-bit by default and supports AES-CBC 256-bit by policy.|
-Reference
+**Reference**
 The values of this policy determine the strength of the cipher that BitLocker uses for encryption. Enterprises may want to control the encryption level for increased security (AES-256 is stronger than AES-128).
@@ -1123,7 +621,8 @@ For removable drives, you should use AES-CBC 128-bit or AES-CBC 256-bit if the d
 Changing the encryption method has no effect if the drive is already encrypted or if encryption is in progress. In these cases, this policy setting is ignored.
->**Warning:** This policy does not apply to encrypted drives. Encrypted drives utilize their own algorithm, which is set by the drive during partitioning.
+> [!WARNING]
+> This policy does not apply to encrypted drives. Encrypted drives utilize their own algorithm, which is set by the drive during partitioning.
 When this policy setting is disabled or not configured, BitLocker will use the default encryption method of XTS-AES 128-bit or the encryption method that is specified in the setup script.
@@ -1131,51 +630,21 @@ When this policy setting is disabled or not configured, BitLocker will use the d This policy controls how BitLocker reacts to systems that are equipped with encrypted drives when they are used as fixed data volumes. Using hardware-based encryption can improve the performance of drive operations that involve frequent reading or writing of data to the drive. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

          Policy description

          With this policy setting, you can manage BitLocker’s use of hardware-based encryption on fixed data drives and to specify which encryption algorithms BitLocker can use with hardware-based encryption.

          Introduced

          Windows Server 2012 and Windows 8

          Drive type

          Fixed data drives

          Policy path

          Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives

          Conflicts

          None

          When enabled

          You can specify additional options that control whether BitLocker software-based encryption is used instead of hardware-based encryption on computers that do not support hardware-based encryption. You can also specify whether you want to restrict the encryption algorithms and cipher suites that are used with hardware-based encryption.

          When disabled

          BitLocker cannot use hardware-based encryption with fixed data drives, and BitLocker software-based encryption is used by default when the drive in encrypted.

          When not configured

          BitLocker software-based encryption is used irrespective of hardware-based encryption ability. -

+|||
+|--- |--- |
+|Policy description|With this policy setting, you can manage BitLocker’s use of hardware-based encryption on fixed data drives and to specify which encryption algorithms BitLocker can use with hardware-based encryption.|
+|Introduced|Windows Server 2012 and Windows 8|
+|Drive type|Fixed data drives|
+|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives|
+|Conflicts|None|
+|When enabled|You can specify additional options that control whether BitLocker software-based encryption is used instead of hardware-based encryption on computers that do not support hardware-based encryption. You can also specify whether you want to restrict the encryption algorithms and cipher suites that are used with hardware-based encryption.|
+|When disabled|BitLocker cannot use hardware-based encryption with fixed data drives, and BitLocker software-based encryption is used by default when the drive in encrypted.|
+|When not configured|BitLocker software-based encryption is used irrespective of hardware-based encryption ability.|
-Reference
+**Reference**
->**Note:** The **Choose drive encryption method and cipher strength** policy setting does not apply to hardware-based encryption.
+> [!NOTE]
+> The **Choose drive encryption method and cipher strength** policy setting does not apply to hardware-based encryption.
 The encryption algorithm that is used by hardware-based encryption is set when the drive is partitioned. By default, BitLocker uses the algorithm that is configured on the drive to encrypt the drive. The **Restrict encryption algorithms and cipher suites allowed for hardware-based encryption** option of this setting enables you to restrict the encryption algorithms that BitLocker can use with hardware encryption. If the algorithm that is set for the drive is not available, BitLocker disables the use of hardware-based encryption.
Encryption algorithms are specified by object identifiers (OID), for example: @@ -1186,52 +655,23 @@ The encryption algorithm that is used by hardware-based encryption is set when t This policy controls how BitLocker reacts when encrypted drives are used as operating system drives. Using hardware-based encryption can improve the performance of drive operations that involve frequent reading or writing of data to the drive. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

          Policy description

          With this policy setting, you can manage BitLocker’s use of hardware-based encryption on operating system drives and specify which encryption algorithms it can use with hardware-based encryption.

          Introduced

          Windows Server 2012 and Windows 8

          Drive type

          Operating system drives

          Policy path

          Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives

          Conflicts

          None

          When enabled

          You can specify additional options that control whether BitLocker software-based encryption is used instead of hardware-based encryption on computers that do not support hardware-based encryption. You can also specify whether you want to restrict the encryption algorithms and cipher suites that are used with hardware-based encryption.

          When disabled

          BitLocker cannot use hardware-based encryption with operating system drives, and BitLocker software-based encryption is used by default when the drive in encrypted.

          When not configured

          BitLocker software-based encryption is used irrespective of hardware-based encryption ability.

+|||
+|--- |--- |
+|Policy description|With this policy setting, you can manage BitLocker’s use of hardware-based encryption on operating system drives and specify which encryption algorithms it can use with hardware-based encryption.|
+|Introduced|Windows Server 2012 and Windows 8|
+|Drive type|Operating system drives|
+|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives|
+|Conflicts|None|
+|When enabled|You can specify additional options that control whether BitLocker software-based encryption is used instead of hardware-based encryption on computers that do not support hardware-based encryption. You can also specify whether you want to restrict the encryption algorithms and cipher suites that are used with hardware-based encryption.|
+|When disabled|BitLocker cannot use hardware-based encryption with operating system drives, and BitLocker software-based encryption is used by default when the drive in encrypted.|
+|When not configured|BitLocker software-based encryption is used irrespective of hardware-based encryption ability.|
-Reference
+**Reference**
 If hardware-based encryption is not available, BitLocker software-based encryption is used instead.
->**Note:** The **Choose drive encryption method and cipher strength** policy setting does not apply to hardware-based encryption.
+> [!NOTE]
+> The **Choose drive encryption method and cipher strength** policy setting does not apply to hardware-based encryption.
 The encryption algorithm that is used by hardware-based encryption is set when the drive is partitioned. By default, BitLocker uses the algorithm that is configured on the drive to encrypt the drive. The **Restrict encryption algorithms and cipher suites allowed for hardware-based encryption** option of this setting enables you to restrict the encryption algorithms that BitLocker can use with hardware encryption.
If the algorithm that is set for the drive is not available, BitLocker disables the use of hardware-based encryption. Encryption algorithms are specified by object identifiers (OID), for example: @@ -1242,52 +682,23 @@ The encryption algorithm that is used by hardware-based encryption is set when t This policy controls how BitLocker reacts to encrypted drives when they are used as removable data drives. Using hardware-based encryption can improve the performance of drive operations that involve frequent reading or writing of data to the drive. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

          Policy description

          With this policy setting, you can manage BitLocker’s use of hardware-based encryption on removable data drives and specify which encryption algorithms it can use with hardware-based encryption.

          Introduced

          Windows Server 2012 and Windows 8

          Drive type

          Removable data drive

          Policy path

          Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives

          Conflicts

          None

          When enabled

          You can specify additional options that control whether BitLocker software-based encryption is used instead of hardware-based encryption on computers that do not support hardware-based encryption. You can also specify whether you want to restrict the encryption algorithms and cipher suites that are used with hardware-based encryption.

          When disabled

          BitLocker cannot use hardware-based encryption with removable data drives, and BitLocker software-based encryption is used by default when the drive in encrypted.

          When not configured

          BitLocker software-based encryption is used irrespective of hardware-based encryption ability.

          +||| +|--- |--- | +|Policy description|With this policy setting, you can manage BitLocker’s use of hardware-based encryption on removable data drives and specify which encryption algorithms it can use with hardware-based encryption.| +|Introduced|Windows Server 2012 and Windows 8| +|Drive type|Removable data drive| +|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives| +|Conflicts|None| +|When enabled|You can specify additional options that control whether BitLocker software-based encryption is used instead of hardware-based encryption on computers that do not support hardware-based encryption. You can also specify whether you want to restrict the encryption algorithms and cipher suites that are used with hardware-based encryption.| +|When disabled|BitLocker cannot use hardware-based encryption with removable data drives, and BitLocker software-based encryption is used by default when the drive in encrypted.| +|When not configured|BitLocker software-based encryption is used irrespective of hardware-based encryption ability.| -Reference +**Reference** If hardware-based encryption is not available, BitLocker software-based encryption is used instead. ->**Note:** The **Choose drive encryption method and cipher strength** policy setting does not apply to hardware-based encryption. +> [!NOTE] +> The **Choose drive encryption method and cipher strength** policy setting does not apply to hardware-based encryption. The encryption algorithm that is used by hardware-based encryption is set when the drive is partitioned. By default, BitLocker uses the algorithm that is configured on the drive to encrypt the drive. The **Restrict encryption algorithms and cipher suites allowed for hardware-based encryption** option of this setting enables you to restrict the encryption algorithms that BitLocker can use with hardware encryption. 
If the algorithm that is set for the drive is not available, BitLocker disables the use of hardware-based encryption. Encryption algorithms are specified by object identifiers (OID), for example: @@ -1298,192 +709,86 @@ The encryption algorithm that is used by hardware-based encryption is set when t This policy controls whether fixed data drives utilize Used Space Only encryption or Full encryption. Setting this policy also causes the BitLocker Setup Wizard to skip the encryption options page so no encryption selection displays to the user. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

          Policy description

          With this policy setting, you can configure the encryption type that is used by BitLocker.

          Introduced

          Windows Server 2012 and Windows 8

          Drive type

          Fixed data drive

          Policy path

          Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives

          Conflicts

          None

          When enabled

          This policy defines the encryption type that BitLocker uses to encrypt drives, and the encryption type option is not presented in the BitLocker Setup Wizard.

          When disabled or not configured

          The BitLocker Setup Wizard asks the user to select the encryption type before turning on BitLocker.

          +||| +|--- |--- | +|Policy description|With this policy setting, you can configure the encryption type that is used by BitLocker.| +|Introduced|Windows Server 2012 and Windows 8| +|Drive type|Fixed data drive| +|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives| +|Conflicts|None| +|When enabled|This policy defines the encryption type that BitLocker uses to encrypt drives, and the encryption type option is not presented in the BitLocker Setup Wizard.| +|When disabled or not configured|The BitLocker Setup Wizard asks the user to select the encryption type before turning on BitLocker.| -Reference +**Reference** This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose Full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose Used Space Only encryption to require that only the portion of the drive that is used to store data is encrypted when BitLocker is turned on. ->**Note:** This policy is ignored when you are shrinking or expanding a volume and the BitLocker driver uses the current encryption method. For example, when a drive that is using Used Space Only encryption is expanded, the new free space is not wiped as it would be for a drive that is using Full encryption. The user could wipe the free space on a Used Space Only drive by using the following command: **manage-bde -w**. If the volume is shrunk, no action is taken for the new free space. +> [!NOTE] +> This policy is ignored when you are shrinking or expanding a volume and the BitLocker driver uses the current encryption method. For example, when a drive that is using Used Space Only encryption is expanded, the new free space is not wiped as it would be for a drive that is using Full encryption. 
The user could wipe the free space on a Used Space Only drive by using the following command: **manage-bde -w**. If the volume is shrunk, no action is taken for the new free space. -For more information about the tool to manage BitLocker, see [Manage-bde](https://technet.microsoft.com/library/ff829849.aspx). +For more information about the tool to manage BitLocker, see [Manage-bde](/windows-server/administration/windows-commands/manage-bde). ### Enforce drive encryption type on operating system drives This policy controls whether operating system drives utilize Full encryption or Used Space Only encryption. Setting this policy also causes the BitLocker Setup Wizard to skip the encryption options page, so no encryption selection displays to the user. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

          Policy description

          With this policy setting, you can configure the encryption type that is used by BitLocker.

          Introduced

          Windows Server 2012 and Windows 8

          Drive type

          Operating system drive

          Policy path

          Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives

          Conflicts

          None

          When enabled

          The encryption type that BitLocker uses to encrypt drives is defined by this policy, and the encryption type option is not presented in the BitLocker Setup Wizard.

          When disabled or not configured

          The BitLocker Setup Wizard asks the user to select the encryption type before turning on BitLocker.

          +||| +|--- |--- | +|Policy description|With this policy setting, you can configure the encryption type that is used by BitLocker.| +|Introduced|Windows Server 2012 and Windows 8| +|Drive type|Operating system drive| +|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives| +|Conflicts|None| +|When enabled|The encryption type that BitLocker uses to encrypt drives is defined by this policy, and the encryption type option is not presented in the BitLocker Setup Wizard.| +|When disabled or not configured|The BitLocker Setup Wizard asks the user to select the encryption type before turning on BitLocker.| -Reference +**Reference** This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose Full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose Used Space Only encryption to require that only the portion of the drive that is used to store data is encrypted when BitLocker is turned on. ->**Note:** This policy is ignored when shrinking or expanding a volume, and the BitLocker driver uses the current encryption method. For example, when a drive that is using Used Space Only encryption is expanded, the new free space is not wiped as it would be for a drive that uses Full encryption. The user could wipe the free space on a Used Space Only drive by using the following command: **manage-bde -w**. If the volume is shrunk, no action is taken for the new free space. +> [!NOTE] +> This policy is ignored when shrinking or expanding a volume, and the BitLocker driver uses the current encryption method. For example, when a drive that is using Used Space Only encryption is expanded, the new free space is not wiped as it would be for a drive that uses Full encryption. 
The user could wipe the free space on a Used Space Only drive by using the following command: **manage-bde -w**. If the volume is shrunk, no action is taken for the new free space. -For more information about the tool to manage BitLocker, see [Manage-bde](https://technet.microsoft.com/library/ff829849.aspx). +For more information about the tool to manage BitLocker, see [Manage-bde](/windows-server/administration/windows-commands/manage-bde). ### Enforce drive encryption type on removable data drives This policy controls whether fixed data drives utilize Full encryption or Used Space Only encryption. Setting this policy also causes the BitLocker Setup Wizard to skip the encryption options page, so no encryption selection displays to the user. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

          Policy description

          With this policy setting, you can configure the encryption type that is used by BitLocker.

          Introduced

          Windows Server 2012 and Windows 8

          Drive type

          Removable data drive

          Policy path

          Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives

          Conflicts

          None

          When enabled

          The encryption type that BitLocker uses to encrypt drives is defined by this policy, and the encryption type option is not presented in the BitLocker Setup Wizard.

          When disabled or not configured

          The BitLocker Setup Wizard asks the user to select the encryption type before turning on BitLocker.

          +||| +|--- |--- | +|Policy description|With this policy setting, you can configure the encryption type that is used by BitLocker.| +|Introduced|Windows Server 2012 and Windows 8| +|Drive type|Removable data drive| +|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives| +|Conflicts|None| +|When enabled|The encryption type that BitLocker uses to encrypt drives is defined by this policy, and the encryption type option is not presented in the BitLocker Setup Wizard.| +|When disabled or not configured|The BitLocker Setup Wizard asks the user to select the encryption type before turning on BitLocker.| -Reference +**Reference** This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose Full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose Used Space Only encryption to require that only the portion of the drive that is used to store data is encrypted when BitLocker is turned on. ->**Note:** This policy is ignored when shrinking or expanding a volume, and the BitLocker driver uses the current encryption method. For example, when a drive that is using Used Space Only encryption is expanded, the new free space is not wiped as it would be for a drive that is using Full Encryption. The user could wipe the free space on a Used Space Only drive by using the following command: **manage-bde -w**. If the volume is shrunk, no action is taken for the new free space. +> [!NOTE] +> This policy is ignored when shrinking or expanding a volume, and the BitLocker driver uses the current encryption method. For example, when a drive that is using Used Space Only encryption is expanded, the new free space is not wiped as it would be for a drive that is using Full Encryption. 
The user could wipe the free space on a Used Space Only drive by using the following command: **manage-bde -w**. If the volume is shrunk, no action is taken for the new free space. -For more information about the tool to manage BitLocker, see [Manage-bde](https://technet.microsoft.com/library/ff829849.aspx). +For more information about the tool to manage BitLocker, see [Manage-bde](/windows-server/administration/windows-commands/manage-bde). ### Choose how BitLocker-protected operating system drives can be recovered This policy setting is used to configure recovery methods for operating system drives. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

          Policy description

          With this policy setting, you can control how BitLocker-protected operating system drives are recovered in the absence of the required startup key information.

          Introduced

          Windows Server 2008 R2 and Windows 7

          Drive type

          Operating system drives

          Policy path

          Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives

          Conflicts

          You must disallow the use of recovery keys if the Deny write access to removable drives not protected by BitLocker policy setting is enabled.

          -

          When using data recovery agents, you must enable the Provide the unique identifiers for your organization policy setting.

          When enabled

          You can control the methods that are available to users to recover data from BitLocker-protected operating system drives.

          When disabled or not configured

          The default recovery options are supported for BitLocker recovery. By default, a data recovery agent is allowed, the recovery options can be specified by the user (including the recovery password and recovery key), and recovery information is not backed up to AD DS.

          +||| +|--- |--- | +|Policy description|With this policy setting, you can control how BitLocker-protected operating system drives are recovered in the absence of the required startup key information.| +|Introduced|Windows Server 2008 R2 and Windows 7| +|Drive type|Operating system drives| +|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives| +|Conflicts|You must disallow the use of recovery keys if the **Deny write access to removable drives not protected by BitLocker** policy setting is enabled.

          When using data recovery agents, you must enable the **Provide the unique identifiers for your organization** policy setting.| +|When enabled|You can control the methods that are available to users to recover data from BitLocker-protected operating system drives.| +|When disabled or not configured|The default recovery options are supported for BitLocker recovery. By default, a data recovery agent is allowed, the recovery options can be specified by the user (including the recovery password and recovery key), and recovery information is not backed up to AD DS.| -Reference +**Reference** This policy setting is applied when you turn on BitLocker. @@ -1500,50 +805,24 @@ In **Save BitLocker recovery information to Active Directory Domain Services**, Select the **Do not enable BitLocker until recovery information is stored in AD DS for operating system drives** check box if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. ->**Note:** If the **Do not enable BitLocker until recovery information is stored in AD DS for operating system drives** check box is selected, a recovery password is automatically generated. +> [!NOTE] +> If the **Do not enable BitLocker until recovery information is stored in AD DS for operating system drives** check box is selected, a recovery password is automatically generated. ### Choose how users can recover BitLocker-protected drives (Windows Server 2008 and Windows Vista) This policy setting is used to configure recovery methods for BitLocker-protected drives on computers running Windows Server 2008 or Windows Vista. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

          Policy description

          With this policy setting, you can control whether the BitLocker Setup Wizard can display and specify BitLocker recovery options.

          Introduced

          Windows Server 2008 and Windows Vista

          Drive type

          Operating system drives and fixed data drives on computers running Windows Server 2008 and Windows Vista

          Policy path

          Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption

          Conflicts

          This policy setting provides an administrative method of recovering data that is encrypted by BitLocker to prevent data loss due to lack of key information. If you choose the Do not allow option for both user recovery options, you must enable the Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista) policy setting to prevent a policy error.

          When enabled

          You can configure the options that the Bitlocker Setup Wizard displays to users for recovering BitLocker encrypted data.

          When disabled or not configured

          The BitLocker Setup Wizard presents users with ways to store recovery options.

          +||| +|--- |--- | +|Policy description|With this policy setting, you can control whether the BitLocker Setup Wizard can display and specify BitLocker recovery options.| +|Introduced|Windows Server 2008 and Windows Vista| +|Drive type|Operating system drives and fixed data drives on computers running Windows Server 2008 and Windows Vista| +|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption| +|Conflicts|This policy setting provides an administrative method of recovering data that is encrypted by BitLocker to prevent data loss due to lack of key information. If you choose the **Do not allow** option for both user recovery options, you must enable the **Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista)** policy setting to prevent a policy error.| +|When enabled|You can configure the options that the Bitlocker Setup Wizard displays to users for recovering BitLocker encrypted data.| +|When disabled or not configured|The BitLocker Setup Wizard presents users with ways to store recovery options.| -Reference +**Reference** This policy is only applicable to computers running Windows Server 2008 or Windows Vista. This policy setting is applied when you turn on BitLocker. 
@@ -1551,53 +830,28 @@ Two recovery options can be used to unlock BitLocker-encrypted data in the absen Saving the recovery password to a USB drive stores the 48-digit recovery password as a text file and the 256-bit recovery key as a hidden file. Saving it to a folder stores the 48-digit recovery password as a text file. Printing it sends the 48-digit recovery password to the default printer. For example, not allowing the 48-digit recovery password prevents users from printing or saving recovery information to a folder. -> **Important:** If TPM initialization is performed during the BitLocker setup, TPM owner information is saved or printed with the BitLocker recovery information. +> [!IMPORTANT] +> If TPM initialization is performed during the BitLocker setup, TPM owner information is saved or printed with the BitLocker recovery information. > The 48-digit recovery password is not available in FIPS-compliance mode. -> -> **Important:** To prevent data loss, you must have a way to recover BitLocker encryption keys. If you do not allow both recovery options, you must enable the backup of BitLocker recovery information to AD DS. Otherwise, a policy error occurs. + +> [!IMPORTANT] +> To prevent data loss, you must have a way to recover BitLocker encryption keys. If you do not allow both recovery options, you must enable the backup of BitLocker recovery information to AD DS. Otherwise, a policy error occurs. ### Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista) This policy setting is used to configure the storage of BitLocker recovery information in AD DS. This provides an administrative method of recovering data that is encrypted by BitLocker to prevent data loss due to lack of key information. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

          Policy description

          With this policy setting, you can manage the AD DS backup of BitLocker Drive Encryption recovery information.

          Introduced

          Windows Server 2008 and Windows Vista

          Drive type

          Operating system drives and fixed data drives on computers running Windows Server 2008 and Windows Vista.

          Policy path

          Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption

          Conflicts

          None

          When enabled

          BitLocker recovery information is automatically and silently backed up to AD DS when BitLocker is turned on for a computer.

          When disabled or not configured

          BitLocker recovery information is not backed up to AD DS.

          +||| +|--- |--- | +|Policy description|With this policy setting, you can manage the AD DS backup of BitLocker Drive Encryption recovery information.| +|Introduced|Windows Server 2008 and Windows Vista| +|Drive type|Operating system drives and fixed data drives on computers running Windows Server 2008 and Windows Vista.| +|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption| +|Conflicts|None| +|When enabled|BitLocker recovery information is automatically and silently backed up to AD DS when BitLocker is turned on for a computer.| +|When disabled or not configured|BitLocker recovery information is not backed up to AD DS.| -Reference +**Reference** This policy is only applicable to computers running Windows Server 2008 or Windows Vista. @@ -1618,92 +872,38 @@ For more information about this setting, see [TPM Group Policy settings](/window This policy setting is used to configure the default folder for recovery passwords. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

          Policy description

          With this policy setting, you can specify the default path that is displayed when the BitLocker Setup Wizard prompts the user to enter the location of a folder in which to save the recovery password.

          Introduced

          Windows Vista

          Drive type

          All drives

          Policy path

          Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption

          Conflicts

          None

          When enabled

          You can specify the path that will be used as the default folder location when the user chooses the option to save the recovery password in a folder. You can specify a fully qualified path or include the target computer's environment variables in the path. If the path is not valid, the BitLocker Setup Wizard displays the computer's top-level folder view.

          When disabled or not configured

          The BitLocker Setup Wizard displays the computer's top-level folder view when the user chooses the option to save the recovery password in a folder.

          +||| +|--- |--- | +|Policy description|With this policy setting, you can specify the default path that is displayed when the BitLocker Setup Wizard prompts the user to enter the location of a folder in which to save the recovery password.| +|Introduced|Windows Vista| +|Drive type|All drives| +|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption| +|Conflicts|None| +|When enabled|You can specify the path that will be used as the default folder location when the user chooses the option to save the recovery password in a folder. You can specify a fully qualified path or include the target computer's environment variables in the path. If the path is not valid, the BitLocker Setup Wizard displays the computer's top-level folder view.| +|When disabled or not configured|The BitLocker Setup Wizard displays the computer's top-level folder view when the user chooses the option to save the recovery password in a folder.| -Reference +**Reference** This policy setting is applied when you turn on BitLocker. ->**Note:** This policy setting does not prevent the user from saving the recovery password in another folder. +> [!NOTE] +> This policy setting does not prevent the user from saving the recovery password in another folder. ### Choose how BitLocker-protected fixed drives can be recovered This policy setting is used to configure recovery methods for fixed data drives. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

          Policy description

          With this policy setting, you can control how BitLocker-protected fixed data drives are recovered in the absence of the required credentials.

          Introduced

          Windows Server 2008 R2 and Windows 7

          Drive type

          Fixed data drives

          Policy path

          Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives

          Conflicts

          You must disallow the use of recovery keys if the Deny write access to removable drives not protected by BitLocker policy setting is enabled.

          -

          When using data recovery agents, you must enable and configure the Provide the unique identifiers for your organization policy setting.

          When enabled

          You can control the methods that are available to users to recover data from BitLocker-protected fixed data drives.

          When disabled or not configured

          The default recovery options are supported for BitLocker recovery. By default, a data recovery agent is allowed, the recovery options can be specified by the user (including the recovery password and recovery key), and recovery information is not backed up to AD DS.

          +||| +|--- |--- | +|Policy description|With this policy setting, you can control how BitLocker-protected fixed data drives are recovered in the absence of the required credentials.| +|Introduced|Windows Server 2008 R2 and Windows 7| +|Drive type|Fixed data drives| +|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives| +|Conflicts|You must disallow the use of recovery keys if the **Deny write access to removable drives not protected by BitLocker** policy setting is enabled.

          When using data recovery agents, you must enable and configure the **Provide the unique identifiers for your organization** policy setting.| +|When enabled|You can control the methods that are available to users to recover data from BitLocker-protected fixed data drives.| +|When disabled or not configured|The default recovery options are supported for BitLocker recovery. By default, a data recovery agent is allowed, the recovery options can be specified by the user (including the recovery password and recovery key), and recovery information is not backed up to AD DS.| -Reference +**Reference** This policy setting is applied when you turn on BitLocker. 
@@ -1716,55 +916,29 @@ Select **Omit recovery options from the BitLocker setup wizard** to prevent user In **Save BitLocker recovery information to Active Directory Domain Services**, choose which BitLocker recovery information to store in AD DS for fixed data drives. If you select **Backup recovery password and key package**, the BitLocker recovery password and the key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. To recover this data, you can use the **Repair-bde** command-line tool. If you select **Backup recovery password only**, only the recovery password is stored in AD DS. -For more information about the BitLocker repair tool, see [Repair-bde](https://technet.microsoft.com/library/ff829851.aspx). +For more information about the BitLocker repair tool, see [Repair-bde](/windows-server/administration/windows-commands/repair-bde). Select the **Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives** check box if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. ->**Note:** If the **Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives** check box is selected, a recovery password is automatically generated. +> [!NOTE] +> If the **Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives** check box is selected, a recovery password is automatically generated. ### Choose how BitLocker-protected removable drives can be recovered This policy setting is used to configure recovery methods for removable data drives. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

          Policy description

          With this policy setting, you can control how BitLocker-protected removable data drives are recovered in the absence of the required credentials.

          Introduced

          Windows Server 2008 R2 and Windows 7

          Drive type

          Removable data drives

          Policy path

          Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives

          Conflicts

          You must disallow the use of recovery keys if the Deny write access to removable drives not protected by BitLocker policy setting is enabled.

          -

          When using data recovery agents, you must enable and configure the Provide the unique identifiers for your organization policy setting.

          When enabled

          You can control the methods that are available to users to recover data from BitLocker-protected removable data drives.

          When disabled or not configured

          The default recovery options are supported for BitLocker recovery. By default, a data recovery agent is allowed, the recovery options can be specified by the user (including the recovery password and recovery key), and recovery information is not backed up to AD DS.

          +||| +|--- |--- | +|Policy description|With this policy setting, you can control how BitLocker-protected removable data drives are recovered in the absence of the required credentials.| +|Introduced|Windows Server 2008 R2 and Windows 7| +|Drive type|Removable data drives| +|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives| +|Conflicts|You must disallow the use of recovery keys if the **Deny write access to removable drives not protected by BitLocker** policy setting is enabled. +When using data recovery agents, you must enable and configure the **Provide the unique identifiers for your organization** policy setting.| +|When enabled|You can control the methods that are available to users to recover data from BitLocker-protected removable data drives.| +|When disabled or not configured|The default recovery options are supported for BitLocker recovery. By default, a data recovery agent is allowed, the recovery options can be specified by the user (including the recovery password and recovery key), and recovery information is not backed up to AD DS.| -Reference +**Reference** This policy setting is applied when you turn on BitLocker. 
@@ -1778,50 +952,24 @@ In **Save BitLocker recovery information to Active Directory Domain Services**, Select the **Do not enable BitLocker until recovery information is stored in AD DS for removable data drives** check box if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. ->**Note:** If the **Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives** check box is selected, a recovery password is automatically generated. +> [!NOTE] +> If the **Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives** check box is selected, a recovery password is automatically generated. ### Configure the pre-boot recovery message and URL This policy setting is used to configure the entire recovery message and to replace the existing URL that is displayed on the pre-boot recovery screen when the operating system drive is locked. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

          Policy description

          With this policy setting, you can configure the BitLocker recovery screen to display a customized message and URL.

          Introduced

          Windows 10

          Drive type

          Operating system drives

          Policy path

          Computer Configuration \ Administrative Templates \ Windows Components \ BitLocker Drive Encryption \ Operating System Drives \ Configure pre-boot recovery message and URL

          Conflicts

          None

          When enabled

          The customized message and URL are displayed on the pre-boot recovery screen. If you have previously enabled a custom recovery message and URL and want to revert to the default message and URL, you must keep the policy setting enabled and select the Use default recovery message and URL option.

          When disabled or not configured

          If the setting has not been previously enabled the default pre-boot recovery screen is displayed for BitLocker recovery. If the setting previously was enabled and is subsequently disabled the last message in Boot Configuration Data (BCD) is displayed whether it was the default recovery message or the custom message.

          +||| +|--- |--- | +|Policy description|With this policy setting, you can configure the BitLocker recovery screen to display a customized message and URL.| +|Introduced|Windows 10| +|Drive type|Operating system drives| +|Policy path|Computer Configuration \ Administrative Templates \ Windows Components \ BitLocker Drive Encryption \ Operating System Drives \ Configure pre-boot recovery message and URL| +|Conflicts|None| +|When enabled|The customized message and URL are displayed on the pre-boot recovery screen. If you have previously enabled a custom recovery message and URL and want to revert to the default message and URL, you must keep the policy setting enabled and select the **Use default recovery message and URL** option.| +|When disabled or not configured|If the setting has not been previously enabled the default pre-boot recovery screen is displayed for BitLocker recovery. If the setting previously was enabled and is subsequently disabled the last message in Boot Configuration Data (BCD) is displayed whether it was the default recovery message or the custom message.| -Reference +**Reference** Enabling the **Configure the pre-boot recovery message and URL** policy setting allows you to customize the default recovery screen message and URL to assist customers in recovering their key. 
@@ -1831,111 +979,59 @@ Once you enable the setting you have three options: - If you select the **Use custom recovery message** option, type the custom message in the **Custom recovery message option** text box. The message that you type in the **Custom recovery message option** text box will be displayed on the pre-boot recovery screen. If a recovery URL is available, include it in the message. - If you select the **Use custom recovery URL** option, type the custom message URL in the **Custom recovery URL option** text box. The URL that you type in the **Custom recovery URL option** text box replaces the default URL in the default recovery message, which will be displayed on the pre-boot recovery screen. -> **Important:** Not all characters and languages are supported in the pre-boot environment. We strongly recommended that you verify the correct appearance of the characters that you use for the custom message and URL on the pre-boot recovery screen. -> -> **Important:** Because you can alter the BCDEdit commands manually before you have set Group Policy settings, you cannot return the policy setting to the default setting by selecting the **Not Configured** option after you have configured this policy setting. To return to the default pre-boot recovery screen leave the policy setting enabled and select the **Use default message** options from the **Choose an option for the pre-boot recovery message** drop-down list box. +> [!IMPORTANT] +> Not all characters and languages are supported in the pre-boot environment. We strongly recommended that you verify the correct appearance of the characters that you use for the custom message and URL on the pre-boot recovery screen. + +> [!IMPORTANT] +> Because you can alter the BCDEdit commands manually before you have set Group Policy settings, you cannot return the policy setting to the default setting by selecting the **Not Configured** option after you have configured this policy setting. 
To return to the default pre-boot recovery screen leave the policy setting enabled and select the **Use default message** options from the **Choose an option for the pre-boot recovery message** drop-down list box. ### Allow Secure Boot for integrity validation This policy controls how BitLocker-enabled system volumes are handled in conjunction with the Secure Boot feature. Enabling this feature forces Secure Boot validation during the boot process and verifies Boot Configuration Data (BCD) settings according to the Secure Boot policy. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

          Policy description

          With this policy setting, you can configure whether Secure Boot will be allowed as the platform integrity provider for BitLocker operating system drives.

          Introduced

          Windows Server 2012 and Windows 8

          Drive type

          All drives

          Policy path

          Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives

          Conflicts

          If you enable Allow Secure Boot for integrity validation, make sure the Configure TPM platform validation profile for native UEFI firmware configurations Group Policy setting is not enabled or include PCR 7 to allow BitLocker to use Secure Boot for platform or BCD integrity validation.

          -

          For more information about PCR 7, see Platform Configuration Register (PCR) in this topic.

          When enabled or not configured

          BitLocker uses Secure Boot for platform integrity if the platform is capable of Secure Boot-based integrity validation.

          When disabled

          BitLocker uses legacy platform integrity validation, even on systems that are capable of Secure Boot-based integrity validation.

          +||| +|--- |--- | +|Policy description|With this policy setting, you can configure whether Secure Boot will be allowed as the platform integrity provider for BitLocker operating system drives.| +|Introduced|Windows Server 2012 and Windows 8| +|Drive type|All drives| +|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives| +|Conflicts|If you enable **Allow Secure Boot for integrity validation**, make sure the **Configure TPM platform validation profile for native UEFI firmware configurations** Group Policy setting is not enabled or include PCR 7 to allow BitLocker to use Secure Boot for platform or BCD integrity validation.

          For more information about PCR 7, see [Platform Configuration Register (PCR)](#bkmk-pcr) in this topic.| +|When enabled or not configured|BitLocker uses Secure Boot for platform integrity if the platform is capable of Secure Boot-based integrity validation.| +|When disabled|BitLocker uses legacy platform integrity validation, even on systems that are capable of Secure Boot-based integrity validation.| -Reference +**Reference** Secure Boot ensures that the computer's preboot environment loads only firmware that is digitally signed by authorized software publishers. Secure Boot also provides more flexibility for managing preboot configurations than BitLocker integrity checks prior to Windows Server 2012 and Windows 8. When this policy is enabled and the hardware is capable of using Secure Boot for BitLocker scenarios, the **Use enhanced Boot Configuration Data validation profile** Group Policy setting is ignored, and Secure Boot verifies BCD settings according to the Secure Boot policy setting, which is configured separately from BitLocker. ->**Warning:** Disabling this policy might result in BitLocker recovery when manufacturer-specific firmware is updated. If you disable this policy, suspend BitLocker prior to applying firmware updates. +> [!WARNING] +> Disabling this policy might result in BitLocker recovery when manufacturer-specific firmware is updated. If you disable this policy, suspend BitLocker prior to applying firmware updates. ### Provide the unique identifiers for your organization This policy setting is used to establish an identifier that is applied to all drives that are encrypted in your organization. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

          Policy description

          With this policy setting, you can associate unique organizational identifiers to a new drive that is enabled with BitLocker.

          Introduced

          Windows Server 2008 R2 and Windows 7

          Drive type

          All drives

          Policy path

          Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption

          Conflicts

          Identification fields are required to manage certificate-based data recovery agents on BitLocker-protected drives. BitLocker manages and updates certificate-based data recovery agents only when the identification field is present on a drive and it is identical to the value that is configured on the computer.

          When enabled

          You can configure the identification field on the BitLocker-protected drive and any allowed identification field that is used by your organization.

          When disabled or not configured

          The identification field is not required.

          +||| +|--- |--- | +|Policy description|With this policy setting, you can associate unique organizational identifiers to a new drive that is enabled with BitLocker.| +|Introduced|Windows Server 2008 R2 and Windows 7| +|Drive type|All drives| +|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption| +|Conflicts|Identification fields are required to manage certificate-based data recovery agents on BitLocker-protected drives. BitLocker manages and updates certificate-based data recovery agents only when the identification field is present on a drive and it is identical to the value that is configured on the computer.| +|When enabled|You can configure the identification field on the BitLocker-protected drive and any allowed identification field that is used by your organization.| +|When disabled or not configured|The identification field is not required.| -Reference +**Reference** -These identifiers are stored as the identification field and the allowed identification field. The identification field allows you to associate a unique organizational identifier to BitLocker-protected drives. This identifier is automatically added to new BitLocker-protected drives, and it can be updated on existing BitLocker-protected drives by using the [Manage-bde](https://technet.microsoft.com/library/ff829849.aspx) command-line tool. +These identifiers are stored as the identification field and the allowed identification field. The identification field allows you to associate a unique organizational identifier to BitLocker-protected drives. This identifier is automatically added to new BitLocker-protected drives, and it can be updated on existing BitLocker-protected drives by using the [Manage-bde](/windows-server/administration/windows-commands/manage-bde) command-line tool. 
An identification field is required to manage certificate-based data recovery agents on BitLocker-protected drives and for potential updates to the BitLocker To Go Reader. BitLocker manages and updates data recovery agents only when the identification field on the drive matches the value that is configured in the identification field. In a similar manner, BitLocker updates the BitLocker To Go Reader only when the identification field on the drive matches the value that is configured for the identification field. -For more information about the tool to manage BitLocker, see [Manage-bde](https://technet.microsoft.com/library/ff829849.aspx). +For more information about the tool to manage BitLocker, see [Manage-bde](/windows-server/administration/windows-commands/manage-bde). The allowed identification field is used in combination with the **Deny write access to removable drives not protected by BitLocker** policy setting to help control the use of removable drives in your organization. It is a comma-separated list of identification fields from your organization or external organizations. -You can configure the identification fields on existing drives by using the [Manage-bde](https://technet.microsoft.com/library/ff829849.aspx) command-line tool. +You can configure the identification fields on existing drives by using the [Manage-bde](/windows-server/administration/windows-commands/manage-bde) command-line tool. When a BitLocker-protected drive is mounted on another BitLocker-enabled computer, the identification field and the allowed identification field are used to determine whether the drive is from an outside organization. @@ -1945,44 +1041,17 @@ Multiple values separated by commas can be entered in the identification and all This policy setting is used to control whether the computer's memory will be overwritten the next time the computer is restarted. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

          Policy description

          With this policy setting, you can control computer restart performance at the risk of exposing BitLocker secrets.

          Introduced

          Windows Vista

          Drive type

          All drives

          Policy path

          Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption

          Conflicts

          None

          When enabled

          The computer will not overwrite memory when it restarts. Preventing memory overwrite may improve restart performance, but it increases the risk of exposing BitLocker secrets.

          When disabled or not configured

          BitLocker secrets are removed from memory when the computer restarts.

          +||| +|--- |--- | +|Policy description|With this policy setting, you can control computer restart performance at the risk of exposing BitLocker secrets.| +|Introduced|Windows Vista| +|Drive type|All drives| +|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption| +|Conflicts|None| +|When enabled|The computer will not overwrite memory when it restarts. Preventing memory overwrite may improve restart performance, but it increases the risk of exposing BitLocker secrets.| +|When disabled or not configured|BitLocker secrets are removed from memory when the computer restarts.| -Reference +**Reference** This policy setting is applied when you turn on BitLocker. BitLocker secrets include key material that is used to encrypt data. This policy setting applies only when BitLocker protection is enabled. @@ -1990,48 +1059,22 @@ This policy setting is applied when you turn on BitLocker. BitLocker secrets inc This policy setting determines what values the TPM measures when it validates early boot components before it unlocks an operating system drive on a computer with a BIOS configuration or with UEFI firmware that has the Compatibility Support Module (CSM) enabled. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

          Policy description

          With this policy setting, you can configure how the computer's TPM security hardware secures the BitLocker encryption key.

          Introduced

          Windows Server 2012 and Windows 8

          Drive type

          Operating system drives

          Policy path

          Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives

          Conflicts

          None

          When enabled

          You can configure the boot components that the TPM validates before unlocking access to the BitLocker-encrypted operating system drive. If any of these components change while BitLocker protection is in effect, the TPM does not release the encryption key to unlock the drive. Instead, the computer displays the BitLocker Recovery console and requires that the recovery password or the recovery key is provided to unlock the drive.

          When disabled or not configured

          The TPM uses the default platform validation profile or the platform validation profile that is specified by the setup script.

          +||| +|--- |--- | +|Policy description|With this policy setting, you can configure how the computer's TPM security hardware secures the BitLocker encryption key.| +|Introduced|Windows Server 2012 and Windows 8| +|Drive type|Operating system drives| +|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives| +|Conflicts|None| +|When enabled|You can configure the boot components that the TPM validates before unlocking access to the BitLocker-encrypted operating system drive. If any of these components change while BitLocker protection is in effect, the TPM does not release the encryption key to unlock the drive. Instead, the computer displays the BitLocker Recovery console and requires that the recovery password or the recovery key is provided to unlock the drive.| +|When disabled or not configured|The TPM uses the default platform validation profile or the platform validation profile that is specified by the setup script.| -Reference +**Reference** This policy setting does not apply if the computer does not have a compatible TPM or if BitLocker has already been turned on with TPM protection. ->**Important:** This Group Policy setting only applies to computers with BIOS configurations or to computers with UEFI firmware with the CSM enabled. Computers that use a native UEFI firmware configuration store different values in the Platform Configuration Registers (PCRs). Use the **Configure TPM platform validation profile for native UEFI firmware configurations** Group Policy setting to configure the TPM PCR profile for computers that use native UEFI firmware. +> [!IMPORTANT] +> This Group Policy setting only applies to computers with BIOS configurations or to computers with UEFI firmware with the CSM enabled. Computers that use a native UEFI firmware configuration store different values in the Platform Configuration Registers (PCRs). 
Use the **Configure TPM platform validation profile for native UEFI firmware configurations** Group Policy setting to configure the TPM PCR profile for computers that use native UEFI firmware. A platform validation profile consists of a set of PCR indices that range from 0 to 23. The default platform validation profile secures the encryption key against changes to the following: @@ -2043,7 +1086,8 @@ A platform validation profile consists of a set of PCR indices that range from 0 - Boot Manager (PCR 10) - BitLocker Access Control (PCR 11) ->**Note:** Changing from the default platform validation profile affects the security and manageability of your computer. BitLocker’s sensitivity to platform modifications (malicious or authorized) is increased or decreased depending on inclusion or exclusion (respectively) of the PCRs. +> [!NOTE] +> Changing from the default platform validation profile affects the security and manageability of your computer. BitLocker’s sensitivity to platform modifications (malicious or authorized) is increased or decreased depending on inclusion or exclusion (respectively) of the PCRs. The following list identifies all of the PCRs available: @@ -2065,44 +1109,17 @@ The following list identifies all of the PCRs available: This policy setting determines what values the TPM measures when it validates early boot components before unlocking a drive on a computer running Windows Vista, Windows Server 2008, or Windows 7. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

          Policy description

          With this policy setting, you can configure how the computer's TPM security hardware secures the BitLocker encryption key.

          Introduced

          Windows Server 2008 and Windows Vista

          Drive type

          Operating system drives

          Policy path

          Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives

          Conflicts

          None

          When enabled

          You can configure the boot components that the TPM validates before unlocking access to the BitLocker-encrypted operating system drive. If any of these components change while BitLocker protection is in effect, the TPM does not release the encryption key to unlock the drive. Instead, the computer displays the BitLocker Recovery console and requires that the recovery password or the recovery key is provided to unlock the drive.

          When disabled or not configured

          The TPM uses the default platform validation profile or the platform validation profile that is specified by the setup script.

          +||| +|--- |--- | +|Policy description|With this policy setting, you can configure how the computer's TPM security hardware secures the BitLocker encryption key.| +|Introduced|Windows Server 2008 and Windows Vista| +|Drive type|Operating system drives| +|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives| +|Conflicts|None| +|When enabled|You can configure the boot components that the TPM validates before unlocking access to the BitLocker-encrypted operating system drive. If any of these components change while BitLocker protection is in effect, the TPM does not release the encryption key to unlock the drive. Instead, the computer displays the BitLocker Recovery console and requires that the recovery password or the recovery key is provided to unlock the drive.| +|When disabled or not configured|The TPM uses the default platform validation profile or the platform validation profile that is specified by the setup script.| -Reference +**Reference** This policy setting does not apply if the computer does not have a compatible TPM or if BitLocker is already turned on with TPM protection. @@ -2116,7 +1133,8 @@ A platform validation profile consists of a set of PCR indices that range from 0 - Boot Manager (PCR 10) - BitLocker Access Control (PCR 11) ->**Note:** The default TPM validation profile PCR settings for computers that use an Extensible Firmware Interface (EFI) are the PCRs 0, 2, 4, and 11 only. +> [!NOTE] +> The default TPM validation profile PCR settings for computers that use an Extensible Firmware Interface (EFI) are the PCRs 0, 2, 4, and 11 only. The following list identifies all of the PCRs available: 
@@ -2134,56 +1152,29 @@ The following list identifies all of the PCRs available: - PCR 11: BitLocker access control - PCR 12 - 23: Reserved for future use ->**Warning:** Changing from the default platform validation profile affects the security and manageability of your computer. BitLocker's sensitivity to platform modifications (malicious or authorized) is increased or decreased depending on inclusion or exclusion (respectively) of the PCRs. +> [!WARNING] +> Changing from the default platform validation profile affects the security and manageability of your computer. BitLocker's sensitivity to platform modifications (malicious or authorized) is increased or decreased depending on inclusion or exclusion (respectively) of the PCRs. ### Configure TPM platform validation profile for native UEFI firmware configurations This policy setting determines what values the TPM measures when it validates early boot components before unlocking an operating system drive on a computer with native UEFI firmware configurations. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

          Policy description

          With this policy setting, you can configure how the computer's Trusted Platform Module (TPM) security hardware secures the BitLocker encryption key.

          Introduced

          Windows Server 2012 and Windows 8

          Drive type

          Operating system drives

          Policy path

          Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives

          Conflicts

          Setting this policy with PCR 7 omitted, overrides the Allow Secure Boot for integrity validation Group Policy setting, and it prevents BitLocker from using Secure Boot for platform or Boot Configuration Data (BCD) integrity validation.

          -

          If your environments use TPM and Secure Boot for platform integrity checks, this policy should not be configured.

          -

          For more information about PCR 7, see Platform Configuration Register (PCR) in this topic.

          When enabled

          Before you turn on BitLocker, you can configure the boot components that the TPM validates before it unlocks access to the BitLocker-encrypted operating system drive. If any of these components change while BitLocker protection is in effect, the TPM does not release the encryption key to unlock the drive. Instead, the computer displays the BitLocker Recovery console and requires that the recovery password or the recovery key is provided to unlock the drive.

          When disabled or not configured

          BitLocker uses the default platform validation profile or the platform validation profile that is specified by the setup script.

          +||| +|--- |--- | +|Policy description|With this policy setting, you can configure how the computer's Trusted Platform Module (TPM) security hardware secures the BitLocker encryption key.| +|Introduced|Windows Server 2012 and Windows 8| +|Drive type|Operating system drives| +|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives| +|Conflicts|Setting this policy with PCR 7 omitted, overrides the **Allow Secure Boot for integrity validation** Group Policy setting, and it prevents BitLocker from using Secure Boot for platform or Boot Configuration Data (BCD) integrity validation,

          If your environments use TPM and Secure Boot for platform integrity checks, this policy should not be configured.

          For more information about PCR 7, see [Platform Configuration Register (PCR)](#bkmk-pcr) in this topic.| +|When enabled|Before you turn on BitLocker, you can configure the boot components that the TPM validates before it unlocks access to the BitLocker-encrypted operating system drive. If any of these components change while BitLocker protection is in effect, the TPM does not release the encryption key to unlock the drive. Instead, the computer displays the BitLocker Recovery console and requires that the recovery password or the recovery key is provided to unlock the drive.| +|When disabled or not configured|BitLocker uses the default platform validation profile or the platform validation profile that is specified by the setup script.| -Reference +**Reference** This policy setting does not apply if the computer does not have a compatible TPM or if BitLocker is already turned on with TPM protection. ->**Important:** This Group Policy setting only applies to computers with a native UEFI firmware configuration. Computers with BIOS or UEFI firmware with a Compatibility Support Module (CSM) enabled store different values in the Platform Configuration Registers (PCRs). Use the **Configure TPM platform validation profile for BIOS-based firmware configurations** Group Policy setting to configure the TPM PCR profile for computers with BIOS configurations or for computers with UEFI firmware with a CSM enabled. +> [!IMPORTANT] +> This Group Policy setting only applies to computers with a native UEFI firmware configuration. Computers with BIOS or UEFI firmware with a Compatibility Support Module (CSM) enabled store different values in the Platform Configuration Registers (PCRs). Use the **Configure TPM platform validation profile for BIOS-based firmware configurations** Group Policy setting to configure the TPM PCR profile for computers with BIOS configurations or for computers with UEFI firmware with a CSM enabled. 
A platform validation profile consists of a set of Platform Configuration Register (PCR) indices ranging from 0 to 23. The default platform validation profile secures the encryption key against changes to the core system firmware executable code (PCR 0), extended or pluggable executable code (PCR 2), boot manager (PCR 4), and the BitLocker access control (PCR 11). @@ -2209,54 +1200,25 @@ The following list identifies all of the PCRs available: - PCR 14: Boot Authorities - PCR 15 – 23: Reserved for future use ->**Warning:** Changing from the default platform validation profile affects the security and manageability of your computer. BitLocker's sensitivity to platform modifications (malicious or authorized) is increased or decreased depending on inclusion or exclusion (respectively) of the PCRs. +> [!WARNING] +> Changing from the default platform validation profile affects the security and manageability of your computer. BitLocker's sensitivity to platform modifications (malicious or authorized) is increased or decreased depending on inclusion or exclusion (respectively) of the PCRs. ### Reset platform validation data after BitLocker recovery This policy setting determines if you want platform validation data to refresh when Windows is started following a BitLocker recovery. A platform validation data profile consists of the values in a set of Platform Configuration Register (PCR) indices that range from 0 to 23. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

          Policy description

          With this policy setting, you can control whether platform validation data is refreshed when Windows is started following a BitLocker recovery.

          Introduced

          Windows Server 2012 and Windows 8

          Drive type

          Operating system drives

          Policy path

          Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives

          Conflicts

          None

          When enabled

          Platform validation data is refreshed when Windows is started following a BitLocker recovery.

          When disabled

          Platform validation data is not refreshed when Windows is started following a BitLocker recovery.

          When not configured

          Platform validation data is refreshed when Windows is started following a BitLocker recovery.

          +||| +|--- |--- | +|Policy description|With this policy setting, you can control whether platform validation data is refreshed when Windows is started following a BitLocker recovery.| +|Introduced|Windows Server 2012 and Windows 8| +|Drive type|Operating system drives| +|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives| +|Conflicts|None| +|When enabled|Platform validation data is refreshed when Windows is started following a BitLocker recovery.| +|When disabled|Platform validation data is not refreshed when Windows is started following a BitLocker recovery.| +|When not configured|Platform validation data is refreshed when Windows is started following a BitLocker recovery.| -Reference +**Reference** For more information about the recovery process, see the [BitLocker recovery guide](bitlocker-recovery-guide-plan.md). @@ -2264,95 +1226,40 @@ For more information about the recovery process, see the [BitLocker recovery gui This policy setting determines specific Boot Configuration Data (BCD) settings to verify during platform validation. A platform validation uses the data in the platform validation profile, which consists of a set of Platform Configuration Register (PCR) indices that range from 0 to 23. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

          Policy description

          With this policy setting, you can specify Boot Configuration Data (BCD) settings to verify during platform validation.

          Introduced

          Windows Server 2012 and Windows 8

          Drive type

          Operating system drives

          Policy path

          Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives

          Conflicts

          When BitLocker is using Secure Boot for platform and Boot Configuration Data integrity validation, the Use enhanced Boot Configuration Data validation profile Group Policy setting is ignored (as defined by the Allow Secure Boot for integrity validation Group Policy setting).

          When enabled

          You can add additional BCD settings, exclude the BCD settings you specify, or combine inclusion and exclusion lists to create a customized BCD validation profile, which gives you the ability to verify those BCD settings.

          When disabled

          The computer reverts to a BCD profile validation similar to the default BCD profile that is used by Windows 7.

          When not configured

          The computer verifies the default BCD settings in Windows.

          +||| +|--- |--- | +|Policy description|With this policy setting, you can specify Boot Configuration Data (BCD) settings to verify during platform validation.| +|Introduced|Windows Server 2012 and Windows 8| +|Drive type|Operating system drives| +|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives| +|Conflicts|When BitLocker is using Secure Boot for platform and Boot Configuration Data integrity validation, the **Use enhanced Boot Configuration Data validation profile** Group Policy setting is ignored (as defined by the **Allow Secure Boot for integrity validation** Group Policy setting).| +|When enabled|You can add additional BCD settings, exclude the BCD settings you specify, or combine inclusion and exclusion lists to create a customized BCD validation profile, which gives you the ability to verify those BCD settings.| +|When disabled|The computer reverts to a BCD profile validation similar to the default BCD profile that is used by Windows 7.| +|When not configured|The computer verifies the default BCD settings in Windows.| -Reference +**Reference** ->**Note:** The setting that controls boot debugging (0x16000010) is always validated, and it has no effect if it is included in the inclusion or the exclusion list. +> [!NOTE] +> The setting that controls boot debugging (0x16000010) is always validated, and it has no effect if it is included in the inclusion or the exclusion list. ### Allow access to BitLocker-protected fixed data drives from earlier versions of Windows This policy setting is used to control whether access to drives is allowed by using the BitLocker To Go Reader, and if the application is installed on the drive. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

          Policy description

          With this policy setting, you can configure whether fixed data drives that are formatted with the FAT file system can be unlocked and viewed on computers running Windows Vista, Windows XP with Service Pack 3 (SP3), or Windows XP with Service Pack 2 (SP2).

          Introduced

          Windows Server 2008 R2 and Windows 7

          Drive type

          Fixed data drives

          Policy path

          Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives

          Conflicts

          None

          When enabled and When not configured

          Fixed data drives that are formatted with the FAT file system can be unlocked on computers running Windows Server 2008, Windows Vista, Windows XP with SP3, or Windows XP with SP2, and their content can be viewed. These operating systems have Read-only access to BitLocker-protected drives.

          When disabled

          Fixed data drives that are formatted with the FAT file system and are BitLocker-protected cannot be unlocked on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2. BitLocker To Go Reader (bitlockertogo.exe) is not installed.

          +||| +|--- |--- | +|Policy description|With this policy setting, you can configure whether fixed data drives that are formatted with the FAT file system can be unlocked and viewed on computers running Windows Vista, Windows XP with Service Pack 3 (SP3), or Windows XP with Service Pack 2 (SP2).| +|Introduced|Windows Server 2008 R2 and Windows 7| +|Drive type|Fixed data drives| +|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives| +|Conflicts|None| +|When enabled and When not configured|Fixed data drives that are formatted with the FAT file system can be unlocked on computers running Windows Server 2008, Windows Vista, Windows XP with SP3, or Windows XP with SP2, and their content can be viewed. These operating systems have Read-only access to BitLocker-protected drives.| +|When disabled|Fixed data drives that are formatted with the FAT file system and are BitLocker-protected cannot be unlocked on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2. BitLocker To Go Reader (bitlockertogo.exe) is not installed.| -Reference +**Reference** ->**Note:** This policy setting does not apply to drives that are formatted with the NTFS file system. +> [!NOTE] +> This policy setting does not apply to drives that are formatted with the NTFS file system. When this policy setting is enabled, select the **Do not install BitLocker To Go Reader on FAT formatted fixed drives** check box to help prevent users from running BitLocker To Go Reader from their fixed drives. If BitLocker To Go Reader (bitlockertogo.exe) is present on a drive that does not have an identification field specified, or if the drive has the same identification field as specified in the **Provide unique identifiers for your organization** policy setting, the user is prompted to update BitLocker, and BitLocker To Go Reader is deleted from the drive. 
In this situation, for the fixed drive to be unlocked on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2, BitLocker To Go Reader must be installed on the computer. If this check box is not selected, BitLocker To Go Reader will be installed on the fixed drive to enable users to unlock the drive on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2. @@ -2360,46 +1267,20 @@ When this policy setting is enabled, select the **Do not install BitLocker To Go This policy setting controls access to removable data drives that are using the BitLocker To Go Reader and whether the BitLocker To Go Reader can be installed on the drive. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

          Policy description

          With this policy setting, you can configure whether removable data drives that are formatted with the FAT file system can be unlocked and viewed on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2.

          Introduced

          Windows Server 2008 R2 and Windows 7

          Drive type

          Removable data drives

          Policy path

          Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives

          Conflicts

          None

          When enabled and When not configured

          Removable data drives that are formatted with the FAT file system can be unlocked on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2, and their content can be viewed. These operating systems have Read-only access to BitLocker-protected drives.

          When disabled

          Removable data drives that are formatted with the FAT file system that are BitLocker-protected cannot be unlocked on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2. BitLocker To Go Reader (bitlockertogo.exe) is not installed.

          +||| +|--- |--- | +|Policy description|With this policy setting, you can configure whether removable data drives that are formatted with the FAT file system can be unlocked and viewed on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2.| +|Introduced|Windows Server 2008 R2 and Windows 7| +|Drive type|Removable data drives| +|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives| +|Conflicts|None| +|When enabled and When not configured|Removable data drives that are formatted with the FAT file system can be unlocked on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2, and their content can be viewed. These operating systems have Read-only access to BitLocker-protected drives.| +|When disabled|Removable data drives that are formatted with the FAT file system that are BitLocker-protected cannot be unlocked on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2. BitLocker To Go Reader (bitlockertogo.exe) is not installed.| -Reference +**Reference** ->**Note:** This policy setting does not apply to drives that are formatted with the NTFS file system. +> [!NOTE] +> This policy setting does not apply to drives that are formatted with the NTFS file system. When this policy setting is enabled, select the **Do not install BitLocker To Go Reader on FAT formatted removable drives** check box to help prevent users from running BitLocker To Go Reader from their removable drives. If BitLocker To Go Reader (bitlockertogo.exe) is present on a drive that does not have an identification field specified, or if the drive has the same identification field as specified in the **Provide unique identifiers for your organization** policy setting, the user will be prompted to update BitLocker, and BitLocker To Go Reader is deleted from the drive. 
In this situation, for the removable drive to be unlocked on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2, BitLocker To Go Reader must be installed on the computer. If this check box is not selected, BitLocker To Go Reader will be installed on the removable drive to enable users to unlock the drive on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2 that do not have BitLocker To Go Reader installed. @@ -2407,44 +1288,17 @@ When this policy setting is enabled, select the **Do not install BitLocker To Go You can configure the Federal Information Processing Standard (FIPS) setting for FIPS compliance. As an effect of FIPS compliance, users cannot create or save a BitLocker password for recovery or as a key protector. The use of a recovery key is permitted. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

          Policy description

          Notes

          Introduced

          Windows Server 2003 with SP1

          Drive type

          System-wide

          Policy path

          Local Policies\Security Options\System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing

          Conflicts

          Some applications, such as Terminal Services, do not support FIPS-140 on all operating systems.

          When enabled

          Users will be unable to save a recovery password to any location. This includes AD DS and network folders. In addition, you cannot use WMI or the BitLocker Drive Encryption Setup wizard to create a recovery password.

          When disabled or not configured

          No BitLocker encryption key is generated

          +||| +|--- |--- | +|Policy description|Notes| +|Introduced|Windows Server 2003 with SP1| +|Drive type|System-wide| +|Policy path|Local Policies\Security Options\System cryptography: **Use FIPS compliant algorithms for encryption, hashing, and signing**| +|Conflicts|Some applications, such as Terminal Services, do not support FIPS-140 on all operating systems.| +|When enabled|Users will be unable to save a recovery password to any location. This includes AD DS and network folders. In addition, you cannot use WMI or the BitLocker Drive Encryption Setup wizard to create a recovery password.| +|When disabled or not configured|No BitLocker encryption key is generated| -Reference +**Reference** This policy needs to be enabled before any encryption key is generated for BitLocker. Note that when this policy is enabled, BitLocker prevents creating or using recovery passwords, so recovery keys should be used instead. @@ -2452,7 +1306,7 @@ You can save the optional recovery key to a USB drive. Because recovery password You can edit the FIPS setting by using the Security Policy Editor (Secpol.msc) or by editing the Windows registry. You must be an administrator to perform these procedures. -For more information about setting this policy, see [System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing](https://technet.microsoft.com/library/jj852197.aspx). +For more information about setting this policy, see [System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing](/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing). ## Power management Group Policy settings: Sleep and Hibernate 
@@ -2476,11 +1330,12 @@ Changing from the default platform validation profile affects the security and m PCR 7 measures the state of Secure Boot. With PCR 7, BitLocker can leverage Secure Boot for integrity validation. Secure Boot ensures that the computer's preboot environment loads only firmware that is digitally signed by authorized software publishers. PCR 7 measurements indicate whether Secure Boot is on and which keys are trusted on the platform. If Secure Boot is on and the firmware measures PCR 7 correctly per the UEFI specification, BitLocker can bind to this information rather than to PCRs 0, 2, and 4 which have the measurements of the exact firmware and Bootmgr images loaded. This reduces the likelihood of BitLocker starting in recovery mode as a result of firmware and image updates, and it provides you with greater flexibility to manage the preboot configuration. -PCR 7 measurements must follow the guidance that is described in [Appendix A Trusted Execution Environment EFI Protocol](https://msdn.microsoft.com/library/windows/hardware/jj923068.aspx). +PCR 7 measurements must follow the guidance that is described in [Appendix A Trusted Execution Environment EFI Protocol](/windows-hardware/test/hlk/testref/trusted-execution-environment-efi-protocol). PCR 7 measurements are a mandatory logo requirement for systems that support Modern Standby (also known as Always On, Always Connected PCs), such as the Microsoft Surface RT. On such systems, if the TPM with PCR 7 measurement and Secure Boot are correctly configured, BitLocker binds to PCR 7 and PCR 11 by default. ## See also + - [Trusted Platform Module](/windows/device-security/tpm/trusted-platform-module-overview) - [TPM Group Policy settings](/windows/device-security/tpm/trusted-platform-module-services-group-policy-settings) - [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.md) 
diff --git a/windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md b/windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md index 121b0d3e49..4ba7629cc0 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md +++ b/windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 02/28/2019 +ms.custom: bitlocker --- # BitLocker: How to deploy on Windows Server 2012 and later diff --git a/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md b/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md index a7a7e7fce7..5c7b1190b1 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md +++ b/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 02/28/2019 +ms.custom: bitlocker --- # BitLocker: How to enable Network Unlock @@ -94,7 +95,7 @@ The server side configuration to enable Network Unlock also requires provisionin The following steps allow an administrator to configure Network Unlock in a domain where the Domain Functional Level is at least Windows Server 2012. -### Install the WDS Server role +### Install the WDS Server role The BitLocker Network Unlock feature will install the WDS role if it is not already installed. If you want to install it separately before you install BitLocker Network Unlock you can use Server Manager or Windows PowerShell. To install the role using Server Manager, select the **Windows Deployment Services** role in Server Manager. 
@@ -106,7 +107,7 @@ Install-WindowsFeature WDS-Deployment You must configure the WDS server so that it can communicate with DHCP (and optionally Active Directory Domain Services) and the client computer. You can do using the WDS management tool, wdsmgmt.msc, which starts the Windows Deployment Services Configuration Wizard. -### Confirm the WDS Service is running +### Confirm the WDS Service is running To confirm the WDS service is running, use the Services Management Console or Windows PowerShell. To confirm the service is running in Services Management Console, open the console using **services.msc** and check the status of the Windows Deployment Services service. @@ -115,7 +116,7 @@ To confirm the service is running using Windows PowerShell, use the following co ```powershell Get-Service WDSServer ``` -### Install the Network Unlock feature +### Install the Network Unlock feature To install the Network Unlock feature, use Server Manager or Windows PowerShell. To install the feature using Server Manager, select the **BitLocker Network Unlock** feature in the Server Manager console. @@ -124,7 +125,7 @@ To install the feature using Windows PowerShell, use the following command: ```powershell Install-WindowsFeature BitLocker-NetworkUnlock ``` -### Create the certificate template for Network Unlock +### Create the certificate template for Network Unlock A properly configured Active Directory Services Certification Authority can use this certificate template to create and issue Network Unlock certificates. @@ -154,7 +155,7 @@ To add the Network Unlock template to the Certification Authority, open the Cert After adding the Network Unlock template to the Certification Authority, this certificate can be used to configure BitLocker Network Unlock. -### Create the Network Unlock certificate +### Create the Network Unlock certificate Network Unlock can use imported certificates from an existing PKI infrastructure, or you can use a self-signed certificate. 
@@ -217,7 +218,7 @@ Certreq example: 3. Open an elevated command prompt and use the certreq tool to create a new certificate using the following command, specifying the full path to the file created previously, along with the file name: - ``` syntax + ```cmd certreq -new BitLocker-NetworkUnlock.inf BitLocker-NetworkUnlock.cer ``` @@ -225,7 +226,7 @@ Certreq example: 5. Launch Certificates - Local Machine by running **certlm.msc**. 6. Create a .pfx file by opening the **Certificates – Local Computer\\Personal\\Certificates** path in the navigation pane, right-clicking the previously imported certificate, selecting **All Tasks**, then **Export**. Follow through the wizard to create the .pfx file. -### Deploy the private key and certificate to the WDS server +### Deploy the private key and certificate to the WDS server With the certificate and key created, deploy them to the infrastructure to properly unlock systems. To deploy the certificates, do the following: @@ -280,6 +281,7 @@ SUBNET2=10.185.252.200/28 SUBNET3= 2001:4898:a:2::/64 ; an IPv6 subnet SUBNET4=2001:4898:a:3::/64; in production, the admin would likely give more useful names, like BUILDING9-EXCEPT-RECEP. ``` + Following the \[SUBNETS\] section, there can be sections for each Network Unlock certificate, identified by the certificate thumbprint formatted without any spaces, which define subnets clients can be unlocked from with that certificate. > [!NOTE] 
@@ -287,8 +289,9 @@ Following the \[SUBNETS\] section, there can be sections for each Network Unlock Subnet restrictions are defined within each certificate section by denoting the allowed list of permitted subnets. If any subnet is listed in a certificate section, then only those subnets listed are permitted for that certificate. If no subnet is listed in a certificate section, then all subnets are permitted for that certificate. If a certificate does not have a section in the subnet policy configuration file, then no subnet restrictions are applied for unlocking with that certificate. This means for restrictions to apply to every certificate, there must be a certificate section for every Network Unlock certificate on the server, and an explicit allowed list set for each certificate section. Subnet lists are created by putting the name of a subnet from the \[SUBNETS\] section on its own line below the certificate section header. Then, the server will only unlock clients with this certificate on the subnet(s) specified as in the list. For troubleshooting, a subnet can be quickly excluded without deleting it from the section by simply commenting it out with a prepended semi-colon. + ```ini -[‎2158a767e1c14e88e27a4c0aee111d2de2eafe60] +[2158a767e1c14e88e27a4c0aee111d2de2eafe60] ;Comments could be added here to indicate when the cert was issued, which Group Policy should get it, and so on. ;This list shows this cert is only allowed to unlock clients on SUBNET1 and SUBNET3 subnets. In this example, SUBNET2 is commented out. SUBNET1 
@@ -298,17 +301,20 @@ SUBNET3 To disallow the use of a certificate altogether, its subnet list may contain the line “DISABLED". -## Turning off Network Unlock +## Turning off Network Unlock To turn off the unlock server, the PXE provider can be unregistered from the WDS server or uninstalled altogether. However, to stop clients from creating Network Unlock protectors the **Allow Network Unlock at startup** Group Policy setting should be disabled. When this policy setting is updated to disabled on client computers any Network Unlock key protectors on the computer will be deleted. Alternatively, the BitLocker Network Unlock certificate policy can be deleted on the domain controller to accomplish the same task for an entire domain. > [!NOTE] > Removing the FVE_NKP certificate store that contains the Network Unlock certificate and key on the WDS server will also effectively disable the server’s ability to respond to unlock requests for that certificate. However, this is seen as an error condition and is not a supported or recommended method for turning off the Network Unlock server. -## Update Network Unlock certificates +## Update Network Unlock certificates To update the certificates used by Network Unlock, administrators need to import or generate the new certificate for the server and then update the Network Unlock certificate Group Policy setting on the domain controller. +> [!NOTE] +> Servers that do not receive the Group Policy Object (GPO) will require a PIN when booting. In such cases, the reason why the server did not receive the GPO to update the certificate needs to be investigated. + ## Troubleshoot Network Unlock Troubleshooting Network Unlock issues begins by verifying the environment. Many times, a small configuration issue will be the root cause of the failure. Items to verify include: 
@@ -335,7 +341,7 @@ Files to gather when troubleshooting BitLocker Network Unlock include: 1. Start an elevated command prompt and run the following command: - ``` syntax + ```cmd wevtutil sl Microsoft-Windows-Deployment-Services-Diagnostics/Debug /e:true ``` 2. Open Event Viewer on the WDS server. @@ -367,7 +373,7 @@ The following steps can be used to configure Network Unlock on these older syste 6. Configure registry settings for Network Unlock: Apply the registry settings by running the following certutil script (assuming your network unlock certificate file is called **BitLocker-NetworkUnlock.cer**) on each computer running any of the client operating systems designated in the **Applies To** list at the beginning of this topic. - +```console certutil -f -grouppolicy -addstore FVE_NKP BitLocker-NetworkUnlock.cer reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v OSManageNKP /t REG_DWORD /d 1 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseAdvancedStartup /t REG_DWORD /d 1 /f @@ -376,6 +382,7 @@ The following steps can be used to configure Network Unlock on these older syste reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPM /t REG_DWORD /d 2 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPMKey /t REG_DWORD /d 2 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPMKeyPIN /t REG_DWORD /d 2 /f +``` 7. Set up a TPM protector on the clients 8. Reboot the clients to add the Network (Certificate Based) protector diff --git a/windows/security/information-protection/bitlocker/bitlocker-key-management-faq.md b/windows/security/information-protection/bitlocker/bitlocker-key-management-faq.md index 226acb2e7c..d7338589c5 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-key-management-faq.md +++ b/windows/security/information-protection/bitlocker/bitlocker-key-management-faq.md 
@@ -15,6 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 02/28/2019
+ms.custom: bitlocker
 ---
 
 # BitLocker Key Management FAQ
diff --git a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md
index 2314ea2eaf..78eb7b7715 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md
@@ -1,6 +1,6 @@
 ---
 title: BitLocker Management Recommendations for Enterprises (Windows 10)
-description: This topic explains recommendations for managing BitLocker.
+description: Refer to relevant documentation, products, and services to learn about managing BitLocker for enterprises and see recommendations for different computers.
 ms.prod: w10
 ms.mktglfcycl: explore
 ms.sitesec: library
@@ -14,6 +14,7 @@ ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 02/28/2019
 ms.reviewer:
+ms.custom: bitlocker
 ---
 
 # BitLocker Management for Enterprises
diff --git a/windows/security/information-protection/bitlocker/bitlocker-network-unlock-faq.md b/windows/security/information-protection/bitlocker/bitlocker-network-unlock-faq.md
index 153be07099..264ee0242a 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-network-unlock-faq.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-network-unlock-faq.md
@@ -14,6 +14,7 @@ ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 02/28/2019
 ms.reviewer:
+ms.custom: bitlocker
 ---
 
 # BitLocker Network Unlock FAQ
diff --git a/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.md b/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.md
index aca61b7f1d..7f9715b9c0 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.md
@@ -15,6 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 02/28/2019
+ms.custom: bitlocker
 ---
 
 # BitLocker Overview and Requirements FAQ
diff --git a/windows/security/information-protection/bitlocker/bitlocker-overview.md b/windows/security/information-protection/bitlocker/bitlocker-overview.md
index ebece73d96..131a256f82 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-overview.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-overview.md
@@ -15,6 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 01/26/2018
+ms.custom: bitlocker
 ---
 
 # BitLocker
diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md
index 822f7a9985..799e432faa 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md
@@ -15,11 +15,13 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 02/28/2019
+ms.custom: bitlocker
 ---
 
 # BitLocker recovery guide
 
 **Applies to**
+
 - Windows 10
 
 This topic for IT professionals describes how to recover BitLocker keys from AD DS.
@@ -42,7 +44,7 @@ BitLocker recovery is the process by which you can restore access to a BitLocker The following list provides examples of specific events that will cause BitLocker to enter recovery mode when attempting to start the operating system drive: -- On PCs that use BitLocker Drive Encryption, or on devices such as tablets or phones that use [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md) only, when an attack is detected, the device will immediately reboot and enter into BitLocker recovery mode. To take advantage of this functionality Administrators can set the **Interactive logon: Machine account lockout threshold** Group Policy setting located in **\\Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options** in the Local Group Policy Editor, or use the **MaxFailedPasswordAttempts** policy of [Exchange ActiveSync](https://technet.microsoft.com/library/aa998357.aspx) (also configurable through [Windows Intune](https://technet.microsoft.com/library/jj733621.aspx)), to limit the number of failed password attempts before the device goes into Device Lockout. +- On PCs that use BitLocker Drive Encryption, or on devices such as tablets or phones that use [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md) only, when an attack is detected, the device will immediately reboot and enter into BitLocker recovery mode. 
To take advantage of this functionality Administrators can set the **Interactive logon: Machine account lockout threshold** Group Policy setting located in **\\Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options** in the Local Group Policy Editor, or use the **MaxFailedPasswordAttempts** policy of [Exchange ActiveSync](/Exchange/clients/exchange-activesync/exchange-activesync) (also configurable through [Microsoft Intune](https://www.microsoft.com/microsoft-365/enterprise-mobility-security/microsoft-intune)), to limit the number of failed password attempts before the device goes into Device Lockout. - On devices with TPM 1.2, changing the BIOS or firmware boot device order causes BitLocker recovery. However, devices with TPM 2.0 do not start BitLocker recovery in this case. TPM 2.0 does not consider a firmware change of boot device order as a security threat because the OS Boot Loader is not compromised. - Having the CD or DVD drive before the hard drive in the BIOS boot order and then inserting or removing a CD or DVD. - Failing to boot from a network drive before booting from the hard drive. 
@@ -83,14 +85,14 @@ The following list provides examples of specific events that will cause BitLocke > [!NOTE] > Before you begin recovery, we recommend that you determine what caused recovery. This might help prevent the problem from occurring again in the future. For instance, if you determine that an attacker has modified your computer by obtaining physical access, you can create new security policies for tracking who has physical presence. After the recovery password has been used to recover access to the PC, BitLocker will reseal the encryption key to the current values of the measured components. - + For planned scenarios, such as a known hardware or firmware upgrades, you can avoid initiating recovery by temporarily suspending BitLocker protection. Because suspending BitLocker leaves the drive fully encrypted, the administrator can quickly resume BitLocker protection after the planned task has been completed. Using suspend and resume also reseals the encryption key without requiring the entry of the recovery key. > [!NOTE] > If suspended BitLocker will automatically resume protection when the PC is rebooted, unless a reboot count is specified using the manage-bde command line tool. If software maintenance requires the computer be restarted and you are using two-factor authentication, you can enable BitLocker Network Unlock to provide the secondary authentication factor when the computers do not have an on-premises user to provide the additional authentication method. - + Recovery has been described within the context of unplanned or undesired behavior, but you can also cause recovery as an intended production scenario, in order to manage access control. For example, when you redeploy desktop or laptop computers to other departments or employees in your enterprise, you can force BitLocker into recovery before the computer is given to a new user. ## Testing recovery 
@@ -108,17 +110,16 @@ Before you create a thorough BitLocker recovery process, we recommend that you t 1. On the Start screen, type **cmd.exe**, and then click **Run as administrator**. 2. At the command prompt, type the following command and then press ENTER: - `manage-bde. -ComputerName -forcerecovery ` + `manage-bde -ComputerName -forcerecovery ` > [!NOTE] > Recovery triggered by `-forcerecovery` persists for multiple restarts until a TPM protector is added or protection is suspended by the user. When using Modern Standby devices (such as Surface devices), the `-forcerecovery` option is not recommended because BitLocker will have to be unlocked and disabled manually from the WinRE environment before the OS can boot up again. For more information, see [BitLocker Troubleshooting: Continuous reboot loop with BitLocker recovery on a slate device](https://social.technet.microsoft.com/wiki/contents/articles/18671.bitlocker-troubleshooting-continuous-reboot-loop-with-bitlocker-recovery-on-a-slate-device.aspx). - + ## Planning your recovery process When planning the BitLocker recovery process, first consult your organization's current best practices for recovering sensitive information. For example: How does your enterprise handle lost Windows passwords? How does your organization perform smart card PIN resets? You can use these best practices and related resources (people and tools) to help formulate a BitLocker recovery model. -Organizations that rely on BitLocker Drive Encryption and BitLocker To Go to protect data on a large number of computers and removable drives running the Windows 10, Windows 8, or Windows 7 operating systems and Windows to Go should consider using the Microsoft BitLocker Administration and Monitoring (MBAM) Tool version 2.0, which is included in the Microsoft Desktop Optimization Pack (MDOP) for Microsoft Software Assurance. 
MBAM makes BitLocker implementations easier to deploy and manage and allows administrators to provision and monitor encryption for operating system and fixed drives. MBAM prompts the user before encrypting fixed drives. MBAM also manages recovery keys for fixed and removable drives, making recovery easier to manage. MBAM can be used as part of a Microsoft System Center deployment or as a stand-alone solution. For more info, see [Microsoft BitLocker -Administration and Monitoring](https://technet.microsoft.com/windows/hh826072.aspx). +Organizations that rely on BitLocker Drive Encryption and BitLocker To Go to protect data on a large number of computers and removable drives running the Windows 10, Windows 8, or Windows 7 operating systems and Windows to Go should consider using the Microsoft BitLocker Administration and Monitoring (MBAM) Tool version 2.0, which is included in the Microsoft Desktop Optimization Pack (MDOP) for Microsoft Software Assurance. MBAM makes BitLocker implementations easier to deploy and manage and allows administrators to provision and monitor encryption for operating system and fixed drives. MBAM prompts the user before encrypting fixed drives. MBAM also manages recovery keys for fixed and removable drives, making recovery easier to manage. MBAM can be used as part of a Microsoft System Center deployment or as a stand-alone solution. For more info, see [Microsoft BitLocker Administration and Monitoring](/microsoft-desktop-optimization-pack/mbam-v25/). After a BitLocker recovery has been initiated, users can use a recovery password to unlock access to encrypted data. You must consider both self-recovery and recovery password retrieval methods for your organization. 
@@ -149,7 +150,7 @@ DS** check box if you want to prevent users from enabling BitLocker unless the c > [!NOTE] > If the PCs are part of a workgroup, users should be advised to save their BitLocker recovery password with their Microsoft Account online. Having an online copy of your BitLocker recovery password is recommended to help ensure that you do not lose access to your data in the event that recovery is required. - + The BitLocker Recovery Password Viewer for Active Directory Users and Computers tool allows domain administrators to view BitLocker recovery passwords for specific computer objects in Active Directory. You can use the following list as a template for creating your own recovery process for recovery password retrieval. This sample process uses the BitLocker Recovery Password Viewer for Active Directory Users and Computers tool. @@ -190,7 +191,7 @@ Because the recovery password is 48 digits long the user may need to record the > [!NOTE] > Because the 48-digit recovery password is long and contains a combination of digits, the user might mishear or mistype the password. The boot-time recovery console uses built-in checksum numbers to detect input errors in each 6-digit block of the 48-digit recovery password, and offers the user the opportunity to correct such errors. - + ### Post-recovery analysis When a volume is unlocked using a recovery password, an event is written to the event log and the platform validation measurements are reset in the TPM to match the current configuration. Unlocking the volume means that the encryption key has been released and is ready for on-the-fly encryption @@ -226,7 +227,7 @@ The details of this reset can vary according to the root cause of the recovery. > [!NOTE] > You can perform a BitLocker validation profile reset by suspending and resuming BitLocker. - + - [Unknown PIN](#bkmk-unknownpin) - [Lost startup key](#bkmk-loststartup) - [Changes to boot files](#bkmk-changebootknown) 
@@ -261,19 +262,18 @@ This error might occur if you updated the firmware. As a best practice you shoul Windows Recovery Environment (RE) can be used to recover access to a drive protected by [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md). If a PC is unable to boot after two failures, Startup Repair will automatically start. When Startup Repair is launched automatically due to boot failures, it will only execute operating system and driver file repairs, provided that the boot logs or any available crash dump point to a specific corrupted file. In Windows 8.1 and later, devices that include firmware to support specific TPM measurements for PCR\[7\] the TPM can validate that Windows RE is a trusted operating environment and will unlock any BitLocker-protected drives if Windows RE has not been modified. If the Windows RE environment has been modified, for example the TPM has been disabled, the drives will stay locked until the BitLocker recovery key is provided. If Startup Repair is not able to be run automatically from the PC and instead Windows RE is manually started from a repair disk, the BitLocker recovery key must be provided to unlock the BitLocker–protected drives. - ## BitLocker recovery screen During BitLocker recovery, Windows can display a custom recovery message and hints that identify where a key can be retrieved from. These improvements can help a user during BitLocker recovery. ### Custom recovery message -BitLocker Group Policy settings in Windows 10, version 1511, let you confiure a custom recovery message and URL on the BitLocker recovery screen, which can include the address of the BitLocker self-service recovery portal, the IT internal website, or a phone number for support. 
+BitLocker Group Policy settings in Windows 10, version 1511, let you configure a custom recovery message and URL on the BitLocker recovery screen, which can include the address of the BitLocker self-service recovery portal, the IT internal website, or a phone number for support. This policy can be configured using GPO under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Operating System Drives** > **Configure pre-boot recovery message and URL**. It can also be configured using Intune mobile device management (MDM) in the BitLocker CSP: -*./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryMessage* +*\./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryMessage\* ![Custom URL](./images/bl-intune-custom-url.png) 
@@ -281,30 +281,26 @@ Example of customized recovery screen: ![Customized BitLocker Recovery Screen](./images/bl-password-hint1.png) - - ### BitLocker recovery key hints -BitLocker metadata has been enhanced in Windows 10, version 1903 to include information about when and where the BitLocker recovery key was backed up. This information is not exposed through the UI or any public API. It is used solely by the BitLocker recovery screen in the form of hints to help a user locate a volume’s recovery key. Hints are displayed on the recovery screen and refer to the location where key has been saved. Hints are displayed in both the modern (blue) and legacy (black) recovery screen. This applies to both the bootmanager recovery screen and the WinRE unlock screen. +BitLocker metadata has been enhanced in Windows 10, version 1903 to include information about when and where the BitLocker recovery key was backed up. This information is not exposed through the UI or any public API. It is used solely by the BitLocker recovery screen in the form of hints to help a user locate a volume's recovery key. Hints are displayed on the recovery screen and refer to the location where key has been saved. Hints are displayed in both the modern (blue) and legacy (black) recovery screen. This applies to both the bootmanager recovery screen and the WinRE unlock screen. ![Customized BitLocker recovery screen](./images/bl-password-hint2.png) > [!IMPORTANT] > We don't recommend printing recovery keys or saving them to a file. Instead, use Active Directory backup or a cloud-based backup. Cloud-based backup includes Azure Active Directory (Azure AD) and Microsoft Account. - There are rules governing which hint is shown during the recovery (in order of processing): 1. Always display custom recovery message if it has been configured (using GPO or MDM). -2. Always display generic hint: "For more information, go to https://aka.ms/recoverykeyfaq." +2. 
Always display generic hint: "For more information, go to ". 3. If multiple recovery keys exist on the volume, prioritize the last created (and successfully backed up) recovery key. 4. Prioritize keys with successful backup over keys that have never been backed up. -5. Prioritize backup hints in the following order for remote backup locations: **Microsoft Account > Azure AD > Active Directory**. -6. If a key has been printed and saved to file, display a combined hint, “Look for a printout or a text file with the key,” instead of two separate hints. +5. Prioritize backup hints in the following order for remote backup locations: **Microsoft Account > Azure AD > Active Directory**. +6. If a key has been printed and saved to file, display a combined hint, "Look for a printout or a text file with the key," instead of two separate hints. 7. If multiple backups of the same type (remove vs. local) have been performed for the same recovery key, prioritize backup info with latest backed up date. -8. There is no specific hint for keys saved to an on-premises Active Directory. In this case, a custom message (if configured) or a generic message, “Contact your organization’s help desk,” will be displayed. -9. If two recovery keys are present on the disk, but only one has been successfully backed up, the system will ask for a key that has been backed up, even if another key is newer. - +8. There is no specific hint for keys saved to an on-premises Active Directory. In this case, a custom message (if configured) or a generic message, "Contact your organization's help desk," will be displayed. +9. If two recovery keys are present on the disk, but only one has been successfully backed up, the system will ask for a key that has been backed up, even if another key is newer. #### Example 1 (single recovery key with single backup) 
@@ -377,7 +373,6 @@ There are rules governing which hint is shown during the recovery (in order of p ![Example 4 of customized BitLocker recovery screen](./images/rp-example4.PNG) - #### Example 5 (multiple recovery passwords) | Custom URL | No | @@ -407,7 +402,6 @@ There are rules governing which hint is shown during the recovery (in order of p ![Example 5 of customized BitLocker recovery screen](./images/rp-example5.PNG) - ## Using additional recovery information Besides the 48-digit BitLocker recovery password, other types of recovery information are stored in Active Directory. This section describes how this additional information can be used. @@ -418,7 +412,7 @@ If the recovery methods discussed earlier in this document do not unlock the vol > [!NOTE] > You must use the BitLocker Repair tool **repair-bde** to use the BitLocker key package. - + The BitLocker key package is not saved by default. To save the package along with the recovery password in AD DS you must select the **Backup recovery password and key package** option in the Group Policy settings that control the recovery method. You can also export the key package from a working volume. For more details on how to export key packages, see [Retrieving the BitLocker Key Package](#bkmk-appendixc). ## Resetting recovery passwords @@ -455,6 +449,7 @@ You can reset the recovery password in two ways: ```powershell Manage-bde –protectors –adbackup C: -id {EXAMPLE6-5507-4924-AA9E-AFB2EB003692} ``` + > [!WARNING] > You must include the braces in the ID string. @@ -470,7 +465,7 @@ You can reset the recovery password in two ways: > [!NOTE] > To manage a remote computer, you can specify the remote computer name rather than the local computer name. - + You can use the following sample script to create a VBScript file to reset the recovery passwords. ```vb @@ -890,5 +885,3 @@ End Function ## See also - [BitLocker overview](bitlocker-overview.md) - - 
diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md b/windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md
index 36decb2b2f..f06b11a197 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md
@@ -14,6 +14,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 10/28/2019
+ms.custom: bitlocker
 ---
 
 # Breaking out of a Bitlocker recovery loop
diff --git a/windows/security/information-protection/bitlocker/bitlocker-security-faq.md b/windows/security/information-protection/bitlocker/bitlocker-security-faq.md
index 2962d7533b..fb1c2281f8 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-security-faq.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-security-faq.md
@@ -15,6 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 02/28/2019
+ms.custom: bitlocker
 ---
 
 # BitLocker Security FAQ
diff --git a/windows/security/information-protection/bitlocker/bitlocker-to-go-faq.md b/windows/security/information-protection/bitlocker/bitlocker-to-go-faq.md
index e8bd11f12b..c34ddf46f1 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-to-go-faq.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-to-go-faq.md
@@ -15,6 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 07/10/2018
+ms.custom: bitlocker
 ---
 
 # BitLocker To Go FAQ
@@ -24,7 +25,7 @@ ms.date: 07/10/2018
 
 ## What is BitLocker To Go?
 
-BitLocker To Go is BitLocker Drive Encryption on removable data drives. This includes the encryption of USB flash drives, SD cards, external hard disk drives, and other drives formatted by using the NTFS, FAT16, FAT32, or exFAT file systems.
+BitLocker To Go is BitLocker Drive Encryption on removable data drives. This includes the encryption of USB flash drives, SD cards, external hard disk drives, and other drives formatted by using the NTFS, FAT16, FAT32, or exFAT file systems. Drive partitioning must meet the [BitLocker Drive Encryption Partitioning Requirements](https://docs.microsoft.com/windows-hardware/manufacture/desktop/bitlocker-drive-encryption#bitlocker-drive-encryption-partitioning-requirements).
 
 As with BitLocker, drives that are encrypted using BitLocker To Go can be opened with a password or smart card on another computer by using **BitLocker Drive Encryption** in Control Panel.
 
diff --git a/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.md b/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.md
index 7873e99c18..a856063b96 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.md
@@ -14,6 +14,7 @@ ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 02/28/2019
 ms.reviewer:
+ms.custom: bitlocker
 ---
 
 # BitLocker Upgrading FAQ
diff --git a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md
index e4e1a3ffcd..bf20c5efdd 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 02/28/2019 +ms.custom: bitlocker --- # BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker @@ -126,11 +127,11 @@ Windows PowerShell cmdlets provide a new way for administrators to use when work -

          Name

          -

          Parameters

          +

          Name

          +

          Parameters

          -

          Add-BitLockerKeyProtector

          +

          Add-BitLockerKeyProtector

          -ADAccountOrGroup

          -ADAccountOrGroupProtector

          -Confirm

          @@ -152,26 +153,26 @@ Windows PowerShell cmdlets provide a new way for administrators to use when work

          -WhatIf

          -

          Backup-BitLockerKeyProtector

          +

          Backup-BitLockerKeyProtector

          -Confirm

          -KeyProtectorId

          -MountPoint

          -WhatIf

          -

          Disable-BitLocker

          +

          Disable-BitLocker

          -Confirm

          -MountPoint

          -WhatIf

          -

          Disable-BitLockerAutoUnlock

          +

          Disable-BitLockerAutoUnlock

          -Confirm

          -MountPoint

          -WhatIf

          -

          Enable-BitLocker

          +

          Enable-BitLocker

          -AdAccountOrGroup

          -AdAccountOrGroupProtector

          -Confirm

          @@ -196,44 +197,44 @@ Windows PowerShell cmdlets provide a new way for administrators to use when work

          -WhatIf

          -

          Enable-BitLockerAutoUnlock

          +

          Enable-BitLockerAutoUnlock

          -Confirm

          -MountPoint

          -WhatIf

          -

          Get-BitLockerVolume

          +

          Get-BitLockerVolume

          -MountPoint

          -

          Lock-BitLocker

          +

          Lock-BitLocker

          -Confirm

          -ForceDismount

          -MountPoint

          -WhatIf

          -

          Remove-BitLockerKeyProtector

          +

          Remove-BitLockerKeyProtector

          -Confirm

          -KeyProtectorId

          -MountPoint

          -WhatIf

          -

          Resume-BitLocker

          +

          Resume-BitLocker

          -Confirm

          -MountPoint

          -WhatIf

          -

          Suspend-BitLocker

          +

          Suspend-BitLocker

          -Confirm

          -MountPoint

          -RebootCount

          -WhatIf

          -

          Unlock-BitLocker

          +

          Unlock-BitLocker

          -AdAccountOrGroup

          -Confirm

          -MountPoint

          diff --git a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md index 9f41146f0d..1bc4358ba0 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md +++ b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 02/28/2019 +ms.custom: bitlocker --- # BitLocker: Use BitLocker Recovery Password Viewer diff --git a/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.md b/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.md index 0aebf543c2..ac4286c885 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.md +++ b/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.md @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 02/28/2019 +ms.custom: bitlocker --- # Using BitLocker with other programs FAQ diff --git a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md index 72436ef74d..baa25d7cf6 100644 --- a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md +++ b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md 
@@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/24/2019 +ms.custom: bitlocker --- # Prepare your organization for BitLocker: Planning and policies diff --git a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md index 1473dadc79..ac7c00f8b6 100644 --- a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md +++ b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 02/28/2019 +ms.custom: bitlocker --- # Protecting cluster shared volumes and storage area networks with BitLocker @@ -168,91 +169,91 @@ The following table contains information about both Physical Disk Resources (i.e -

          Action

          -

          On owner node of failover volume

          -

          On Metadata Server (MDS) of CSV

          -

          On (Data Server) DS of CSV

          -

          Maintenance Mode

          +

          Action

          +

          On owner node of failover volume

          +

          On Metadata Server (MDS) of CSV

          +

          On (Data Server) DS of CSV

          +

          Maintenance Mode

          -

          Manage-bde –on

          +

          Manage-bde –on

          Blocked

          Blocked

          Blocked

          Allowed

          -

          Manage-bde –off

          +

          Manage-bde –off

          Blocked

          Blocked

          Blocked

          Allowed

          -

          Manage-bde Pause/Resume

          +

          Manage-bde Pause/Resume

          Blocked

          -

          Blocked

          +

          Blocked

          Blocked

          Allowed

          -

          Manage-bde –lock

          +

          Manage-bde –lock

          Blocked

          Blocked

          Blocked

          Allowed

          -

          manage-bde –wipe

          +

          manage-bde –wipe

          Blocked

          Blocked

          Blocked

          Allowed

          -

          Unlock

          +

          Unlock

          Automatic via cluster service

          Automatic via cluster service

          Automatic via cluster service

          Allowed

          -

          manage-bde –protector –add

          +

          manage-bde –protector –add

          Allowed

          Allowed

          Blocked

          Allowed

          -

          manage-bde -protector -delete

          +

          manage-bde -protector -delete

          Allowed

          Allowed

          Blocked

          Allowed

          -

          manage-bde –autounlock

          +

          manage-bde –autounlock

          Allowed (not recommended)

          Allowed (not recommended)

          Blocked

          Allowed (not recommended)

          -

          Manage-bde -upgrade

          +

          Manage-bde -upgrade

          Allowed

          Allowed

          Blocked

          Allowed

          -

          Shrink

          +

          Shrink

          Allowed

          Allowed

          Blocked

          Allowed

          -

          Extend

          +

          Extend

          Allowed

          Allowed

          Blocked

          @@ -261,7 +262,7 @@ The following table contains information about both Physical Disk Resources (i.e ->
          Note:** Although the manage-bde -pause command is Blocked in clusters, the cluster service will automatically resume a paused encryption or decryption from the MDS node +>Note:** Although the manage-bde -pause command is Blocked in clusters, the cluster service will automatically resume a paused encryption or decryption from the MDS node In the case where a physical disk resource experiences a failover event during conversion, the new owning node will detect the conversion is not complete and will complete the conversion process. diff --git a/windows/security/information-protection/bitlocker/troubleshoot-bitlocker.md b/windows/security/information-protection/bitlocker/troubleshoot-bitlocker.md index 88e28e59eb..e6e97c6293 100644 --- a/windows/security/information-protection/bitlocker/troubleshoot-bitlocker.md +++ b/windows/security/information-protection/bitlocker/troubleshoot-bitlocker.md @@ -13,6 +13,7 @@ audience: ITPro ms.collection: Windows Security Technologies\BitLocker ms.topic: troubleshooting ms.date: 10/17/2019 +ms.custom: bitlocker --- # Guidelines for troubleshooting BitLocker 
@@ -24,14 +25,14 @@ This article addresses common issues in BitLocker and provides guidelines to tro Open Event Viewer and review the following logs under Applications and Services logs\\Microsoft\\Windows: - **BitLocker-API**. Review the Management log, the Operational log, and any other logs that are generated in this folder. The default logs have the following unique names: - - Microsoft-Windows-BitLocker/BitLocker Operational - - Microsoft-Windows-BitLocker/BitLocker Management + - Microsoft-Windows-BitLocker-API/BitLocker Operational + - Microsoft-Windows-BitLocker-API/BitLocker Management -- **BitLocker-DrivePreparationTool**. Review the Admin log, the **Operational log, and any other logs that are generated in this folder. The default logs have the following unique names: +- **BitLocker-DrivePreparationTool**. Review the Admin log, the Operational log, and any other logs that are generated in this folder. The default logs have the following unique names: - Microsoft-Windows-BitLocker-DrivePreparationTool/Operational - Microsoft-Windows-BitLocker-DrivePreparationTool/Admin -Additionally, review the Windows logs\\System log for events that were produced by the TCM and TCM-WMI event sources. +Additionally, review the Windows logs\\System log for events that were produced by the TPM and TPM-WMI event sources. To filter and display or export logs, you can use the [wevtutil.exe](https://docs.microsoft.com/windows-server/administration/windows-commands/wevtutil) command-line tool or the [Get-WinEvent](https://docs.microsoft.com/powershell/module/microsoft.powershell.diagnostics/get-winevent?view=powershell-6) cmdlet. diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues.md index 2382b91a2a..03b1c67188 100644 --- a/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues.md 
+++ b/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues.md
@@ -13,6 +13,7 @@ audience: ITPro
 ms.collection: Windows Security Technologies\BitLocker
 ms.topic: troubleshooting
 ms.date: 10/17/2019
+ms.custom: bitlocker
 ---
 # BitLocker cannot encrypt a drive: known issues
diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-tpm-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-tpm-issues.md
index c69bb9ab25..c112d898f7 100644
--- a/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-tpm-issues.md
+++ b/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-tpm-issues.md
@@ -13,8 +13,10 @@ audience: ITPro
 ms.collection: Windows Security Technologies\BitLocker
 ms.topic: troubleshooting
 ms.date: 10/18/2019
+ms.custom: bitlocker
 ---
+
 # BitLocker cannot encrypt a drive: known TPM issues
 This article describes common issues that affect the Trusted Platform Module (TPM) and that may prevent BitLocker from encrypting a drive. This article also provides guidance to address these issues.
diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-config-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-config-issues.md
index 346095b34e..e3c4f3f6d4 100644
--- a/windows/security/information-protection/bitlocker/ts-bitlocker-config-issues.md
+++ b/windows/security/information-protection/bitlocker/ts-bitlocker-config-issues.md
@@ -13,6 +13,7 @@ audience: ITPro
 ms.collection: Windows Security Technologies\BitLocker
 ms.topic: troubleshooting
 ms.date: 10/17/2019
+ms.custom: bitlocker
 ---
 # BitLocker configuration: known issues
diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md b/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md
index c3e4f16427..3e2cdad741 100644
--- a/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md
+++ b/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md
@@ -13,6 +13,7 @@ audience: ITPro
 ms.collection: Windows Security Technologies\BitLocker
 ms.topic: troubleshooting
 ms.date: 10/17/2019
+ms.custom: bitlocker
 ---
 # Decode Measured Boot logs to track PCR changes
diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md
index 18236c1ddf..895c4eec13 100644
--- a/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md
+++ b/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md
@@ -13,6 +13,7 @@ audience: ITPro
 ms.collection: Windows Security Technologies\BitLocker
 ms.topic: troubleshooting
 ms.date: 10/18/2019
+ms.custom: bitlocker
 ---
 # Enforcing BitLocker policies by using Intune: known issues
@@ -205,7 +206,7 @@ To verify the Secure Boot state, use the System Information app. To do this, fol
 1. Verify that the **Secure Boot State** setting is **On**, as follows:
 ![System Information app, showing a supported Secure Boot State](./images/4509201-en-1.png)
 1. If the **Secure Boot State** setting is **Unsupported**, you cannot use Silent BitLocker Encryption on this device.
- ![System Information app, showing a supported Secure Boot State](./images/4509202-en-1.png)
+ ![System Information app, showing a unsupported Secure Boot State](./images/4509202-en-1.png)
 > [!NOTE]
 > You can also use the [Confirm-SecureBootUEFI](https://docs.microsoft.com/powershell/module/secureboot/confirm-securebootuefi?view=win10-ps) cmdlet to verify the Secure Boot state. To do this, open an elevated PowerShell window and run the following command:
diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-network-unlock-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-network-unlock-issues.md
index 77216f2dd1..b5882849d0 100644
--- a/windows/security/information-protection/bitlocker/ts-bitlocker-network-unlock-issues.md
+++ b/windows/security/information-protection/bitlocker/ts-bitlocker-network-unlock-issues.md
@@ -13,7 +13,9 @@ audience: ITPro
 ms.collection: Windows Security Technologies\BitLocker
 ms.topic: troubleshooting
 ms.date: 10/7/2019
+ms.custom: bitlocker
 ---
+
 # BitLocker Network Unlock: known issues
 By using the BitLocker Network Unlock feature, you can manage computers remotely without having to enter a BitLocker PIN when each computer starts up. To do this, You have to configure your environment to meet the following requirements:
diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-recovery-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-recovery-issues.md
index a25ea79f8a..b9d677c092 100644
--- a/windows/security/information-protection/bitlocker/ts-bitlocker-recovery-issues.md
+++ b/windows/security/information-protection/bitlocker/ts-bitlocker-recovery-issues.md
@@ -13,6 +13,7 @@ audience: ITPro
 ms.collection: Windows Security Technologies\BitLocker
 ms.topic: troubleshooting
 ms.date: 10/18/2019
+ms.custom: bitlocker
 ---
 # BitLocker recovery: known issues
diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-tpm-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-tpm-issues.md
index 553780277a..9e19de9f72 100644
--- a/windows/security/information-protection/bitlocker/ts-bitlocker-tpm-issues.md
+++ b/windows/security/information-protection/bitlocker/ts-bitlocker-tpm-issues.md
@@ -13,6 +13,7 @@ audience: ITPro
 ms.collection: Windows Security Technologies\BitLocker
 ms.topic: troubleshooting
 ms.date: 10/18/2019
+ms.custom: bitlocker
 ---
 # BitLocker and TPM: other known issues
diff --git a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md
index 6ea046a8f3..2d8554f52b 100644
--- a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md
+++ b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md
@@ -84,11 +84,15 @@ Beginning with Windows 10 version 1809, you can use Security Center to check if 1. Launch MSINFO32.exe in a command prompt, or in the Windows search bar. 2. Check the value of **Kernel DMA Protection**. ![Kernel DMA protection in System Information](bitlocker/images/kernel-dma-protection.png) -3. If the current state of **Kernel DMA Protection** is OFF and **Virtualization Technology in Firmware** is NO: +3. If the current state of **Kernel DMA Protection** is OFF and **Hyper-V - Virtualization Enabled in Firmware** is NO: - Reboot into BIOS settings - Turn on Intel Virtualization Technology. - Turn on Intel Virtualization Technology for I/O (VT-d). In Windows 10 version 1803, only Intel VT-d is supported. Other platforms can use DMA attack mitigations described in [BitLocker countermeasures](bitlocker/bitlocker-countermeasures.md). - Reboot system into Windows 10. + +>[!NOTE] +> **Hyper-V - Virtualization Enabled in Firmware** is NOT shown when **A hypervisor has been detected. Features required for Hyper-V will not be displayed.** is shown because this means that **Hyper-V - Virtualization Enabled in Firmware** is YES. + 4. If the state of **Kernel DMA Protection** remains Off, then the system does not support this feature. For systems that do not support Kernel DMA Protection, please refer to the [BitLocker countermeasures](bitlocker/bitlocker-countermeasures.md) or [Thunderbolt™ 3 and Security on Microsoft Windows® 10 Operating system](https://thunderbolttechnology.net/security/Thunderbolt%203%20and%20Security.pdf) for other means of DMA protection. diff --git a/windows/security/information-protection/secure-the-windows-10-boot-process.md b/windows/security/information-protection/secure-the-windows-10-boot-process.md index 384c907c62..017eb64762 100644 --- a/windows/security/information-protection/secure-the-windows-10-boot-process.md +++ b/windows/security/information-protection/secure-the-windows-10-boot-process.md 
@@ -96,7 +96,7 @@ Because Secure Boot has protected the bootloader and Trusted Boot has protected Early Launch Anti-Malware (ELAM) can load a Microsoft or non-Microsoft anti-malware driver before all non-Microsoft boot drivers and applications, thus continuing the chain of trust established by Secure Boot and Trusted Boot. Because the operating system hasn’t started yet, and because Windows needs to boot as quickly as possible, ELAM has a simple task: examine every boot driver and determine whether it is on the list of trusted drivers. If it’s not trusted, Windows won’t load it. -An ELAM driver isn’t a full-featured anti-malware solution; that loads later in the boot process. Windows Defender (included with Windows 10) supports ELAM, as does [Microsoft System Center 2012 Endpoint Protection](https://www.microsoft.com/server-cloud/system-center/endpoint-protection-2012.aspx) and several non-Microsoft anti-malware apps. +An ELAM driver isn’t a full-featured anti-malware solution; that loads later in the boot process. Windows Defender (included with Windows 10) supports ELAM, as does [Microsoft System Center 2012 Endpoint Protection](https://docs.microsoft.com/lifecycle/products/microsoft-system-center-2012-endpoint-protection) and several non-Microsoft anti-malware apps. ## Measured Boot If a PC in your organization does become infected with a rootkit, you need to know about it. Enterprise anti-malware apps can report malware infections to the IT department, but that doesn’t work with rootkits that hide their presence. In other words, you can’t trust the client to tell you whether it’s healthy. 
@@ -129,4 +129,4 @@ Measured Boot uses the power of UEFI, TPM, and Windows 10 to give you a way to Secure Boot, Trusted Boot, and Measured Boot create an architecture that is fundamentally resistant to bootkits and rootkits. In Windows 10, these features have the potential to eliminate kernel-level malware from your network. This is the most ground-breaking anti-malware solution that Windows has ever had; it’s leaps and bounds ahead of everything else. With Windows 10, you can truly trust the integrity of your operating system. ## Additional resources -- [Windows 10 Enterprise Evaluation](https://technet.microsoft.com/evalcenter/hh699156.aspx?ocid=wc-tn-wctc) +- [Windows 10 Enterprise LTSC 2019 or v2004 Evaluation](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise) diff --git a/windows/security/information-protection/windows-information-protection/app-behavior-with-wip.md b/windows/security/information-protection/windows-information-protection/app-behavior-with-wip.md index 60283edd89..97733a4dd7 100644 --- a/windows/security/information-protection/windows-information-protection/app-behavior-with-wip.md +++ b/windows/security/information-protection/windows-information-protection/app-behavior-with-wip.md @@ -4,7 +4,6 @@ description: Learn how unenlightened and enlightened apps might behave, based on keywords: WIP, Enterprise Data Protection, EDP, Windows Information Protection, unenlightened apps, enlightened apps ms.prod: w10 ms.mktglfcycl: explore -ms.pagetype: security ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium @@ -54,7 +53,7 @@ This table includes info about how unenlightened apps might behave, based on you Name-based policies, using the /*AppCompat*/ string or proxy-based policies - Not required. App connects to enterprise cloud resources directly, using an IP address. + Not required. App connects to enterprise cloud resources directly, using an IP address.
          • App is entirely blocked from both personal and enterprise cloud resources.
          • @@ -71,7 +70,7 @@ This table includes info about how unenlightened apps might behave, based on you - Not required. App connects to enterprise cloud resources, using a hostname. + Not required. App connects to enterprise cloud resources, using a hostname.
            • App is blocked from accessing enterprise cloud resources, but can access other network resources.
            • @@ -81,7 +80,7 @@ This table includes info about how unenlightened apps might behave, based on you - Allow. App connects to enterprise cloud resources, using an IP address or a hostname. + Allow. App connects to enterprise cloud resources, using an IP address or a hostname.
              • App can access both personal and enterprise cloud resources.
              • @@ -91,7 +90,7 @@ This table includes info about how unenlightened apps might behave, based on you - Exempt. App connects to enterprise cloud resources, using an IP address or a hostname. + Exempt. App connects to enterprise cloud resources, using an IP address or a hostname.
                • App can access both personal and enterprise cloud resources.
                • @@ -111,7 +110,7 @@ This table includes info about how enlightened apps might behave, based on your Networking policy configuration for name-based policies, possibly using the /*AppCompat*/ string, or proxy-based policies - Not required. App connects to enterprise cloud resources, using an IP address or a hostname. + Not required. App connects to enterprise cloud resources, using an IP address or a hostname.
                  • App is blocked from accessing enterprise cloud resources, but can access other network resources.
                  • @@ -121,7 +120,7 @@ This table includes info about how enlightened apps might behave, based on your - Allow. App connects to enterprise cloud resources, using an IP address or a hostname. + Allow. App connects to enterprise cloud resources, using an IP address or a hostname.
                    • App can access both personal and enterprise cloud resources.
                    • @@ -131,7 +130,7 @@ This table includes info about how enlightened apps might behave, based on your - Exempt. App connects to enterprise cloud resources, using an IP address or a hostname. + Exempt. App connects to enterprise cloud resources, using an IP address or a hostname.
                      • App can access both personal and enterprise cloud resources.
                      • diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md index a5baa19809..49a57283b7 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md @@ -190,27 +190,27 @@ For this example, we're going to add Internet Explorer, a desktop app, to the ** All files signed by any publisher. (Not recommended.) - Publisher selected + Publisher selected All files signed by the named publisher.

                        This might be useful if your company is the publisher and signer of internal line-of-business apps. - Publisher and Product Name selected + Publisher and Product Name selected All files for the specified product, signed by the named publisher. - Publisher, Product Name, and Binary name selected + Publisher, Product Name, and Binary name selected Any version of the named file or package for the specified product, signed by the named publisher. - Publisher, Product Name, Binary name, and File Version, and above, selected + Publisher, Product Name, Binary name, and File Version, and above, selected Specified version or newer releases of the named file or package for the specified product, signed by the named publisher.

                        This option is recommended for enlightened apps that weren't previously enlightened. - Publisher, Product Name, Binary name, and File Version, And below selected + Publisher, Product Name, Binary name, and File Version, And below selected Specified version or older releases of the named file or package for the specified product, signed by the named publisher. - Publisher, Product Name, Binary name, and File Version, Exactly selected + Publisher, Product Name, Binary name, and File Version, Exactly selected Specified version of the named file or package for the specified product, signed by the named publisher. @@ -403,8 +403,8 @@ There are no default locations included with WIP, you must add each of your netw Enterprise Cloud Resources - With proxy: contoso.sharepoint.com,contoso.internalproxy1.com|
                        contoso.visualstudio.com,contoso.internalproxy2.com

                        Without proxy: contoso.sharepoint.com|contoso.visualstudio.com - Specify the cloud resources to be treated as corporate and protected by WIP.

                        For each cloud resource, you may also optionally specify a proxy server from your Internal proxy servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Internal proxy servers is considered enterprise.

                        If you have multiple resources, you must separate them using the "|" delimiter. If you don't use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy>.

                        Important
                        In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can't tell whether it's attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the /*AppCompat*/ string to the setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/. + With proxy: contoso.sharepoint.com,contoso.internalproxy1.com|
                        contoso.visualstudio.com,contoso.internalproxy2.com

                        Without proxy: contoso.sharepoint.com|contoso.visualstudio.com + Specify the cloud resources to be treated as corporate and protected by WIP.

                        For each cloud resource, you may also optionally specify a proxy server from your Internal proxy servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Internal proxy servers is considered enterprise.

                        If you have multiple resources, you must separate them using the "|" delimiter. If you don't use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy>.

                        Important
                        In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can't tell whether it's attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the /*AppCompat*/ string to the setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/. Enterprise Network Domain Names (Required) @@ -422,12 +422,12 @@ There are no default locations included with WIP, you must add each of your netw Specify the internal proxy servers your devices will go through to reach your cloud resources. Using this server type indicates that the cloud resources you're connecting to are enterprise resources.

                        This list shouldn't include any servers listed in your Proxy servers list. Proxy servers must be used only for non-WIP-protected (non-enterprise) traffic.

                        If you have multiple resources, you must separate them using the ";" delimiter.
                        Enterprise IPv4 Range (Required) - Starting IPv4 Address: 3.4.0.1
                        Ending IPv4 Address: 3.4.255.254
                        Custom URI: 3.4.0.1-3.4.255.254,
                        10.0.0.1-10.255.255.254 + Starting IPv4 Address: 3.4.0.1
                        Ending IPv4 Address: 3.4.255.254
                        Custom URI: 3.4.0.1-3.4.255.254,
                        10.0.0.1-10.255.255.254 Specify the addresses for a valid IPv4 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.

                        If you have multiple ranges, you must separate them using the "," delimiter. Enterprise IPv6 Range - Starting IPv6 Address: 2a01:110::
                        Ending IPv6 Address: 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff
                        Custom URI: 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff,
                        fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff + Starting IPv6 Address: 2a01:110::
                        Ending IPv6 Address: 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff
                        Custom URI: 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff,
                        fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff Specify the addresses for a valid IPv6 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.

                        If you have multiple ranges, you must separate them using the "," delimiter. diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md index b3f555bb13..73946540c5 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md @@ -129,7 +129,8 @@ If you don't know the Store app publisher or product name, you can find them by If you need to add Windows 10 mobile apps that aren't distributed through the Store for Business, you must use the **Windows Device Portal** feature. ->**Note**
                        Your PC and phone must be on the same wireless network. +> [!NOTE] +> Your PC and phone must be on the same wireless network. 1. On the Windows Phone, go to **Settings**, choose **Update & security**, and then choose **For developers**. @@ -194,19 +195,19 @@ To add another Desktop app, click the ellipsis **…**. After you’ve entered t If you’re unsure about what to include for the publisher, you can run this PowerShell command: -```ps1 +```powershell Get-AppLockerFileInformation -Path "" ``` Where `""` goes to the location of the app on the device. For example: -```ps1 +```powershell Get-AppLockerFileInformation -Path "C:\Program Files\Windows NT\Accessories\wordpad.exe" ``` In this example, you'd get the following info: -``` +```console Path Publisher ---- --------- %PROGRAMFILES%\WINDOWS NT\ACCESSORIES\WORDPAD.EXE O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US @@ -214,6 +215,8 @@ Path Publisher Where `O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US` is the **Publisher** name and `WORDPAD.EXE` is the **File** name. +Regarding to how to get the Product Name for the Apps you wish to Add, please reach out to our Windows Support Team to request the guidelines + ### Import a list of apps This section covers two examples of using an AppLocker XML file to the **Protected apps** list. You’ll use this option if you want to add multiple apps at the same time. @@ -277,22 +280,22 @@ For more info about AppLocker, see the [AppLocker](https://technet.microsoft.com This is the XML file that AppLocker creates for Microsoft Dynamics 365. ```xml - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + ``` 12. After you’ve created your XML file, you need to import it by using Microsoft Intune. 
@@ -333,6 +336,7 @@ The executable rule helps to create an AppLocker rule to sign any unsigned apps. 12. After you’ve created your XML file, you need to import it by using Microsoft Intune. + **To import a list of protected apps using Microsoft Intune** 1. In **Protected apps**, click **Import apps**. @@ -426,7 +430,7 @@ Separate multiple resources with the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: -```code +```console URL <,proxy>|URL <,proxy> ``` @@ -439,7 +443,7 @@ In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the `/*AppCompat*/` string to the setting. For example: -```code +```console URL <,proxy>|URL <,proxy>/*AppCompat*/ ``` @@ -447,24 +451,24 @@ When you use this string, we recommend that you also turn on [Azure Active Direc Value format with proxy: -```code +```console contoso.sharepoint.com,contoso.internalproxy1.com|contoso.visualstudio.com,contoso.internalproxy2.com ``` Value format without proxy: -```code -contoso.sharepoint.com|contoso.visualstudio.com +```console +contoso.sharepoint.com,|contoso.visualstudio.com,|contoso.onedrive.com ``` ### Protected domains Specify the domains used for identities in your environment. All traffic to the fully-qualified domains appearing in this list will be protected. -Separate multiple domains with the "," delimiter. +Separate multiple domains with the "|" delimiter. -```code -exchange.contoso.com,contoso.com,region.contoso.com +```console +exchange.contoso.com|contoso.com|region.contoso.com ``` ### Network domains @@ -473,7 +477,7 @@ Specify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected. Separate multiple resources with the "," delimiter. -```code +```console corp.contoso.com,region.contoso.com ``` 
@@ -486,7 +490,7 @@ This list shouldn’t include any servers listed in your Internal proxy servers Internal proxy servers must be used only for WIP-protected (enterprise) traffic. Separate multiple resources with the ";" delimiter. -```code +```console proxy.contoso.com:80;proxy2.contoso.com:443 ```
@@ -498,7 +502,7 @@ This list shouldn’t include any servers listed in your Proxy servers list. Proxy servers must be used only for non-WIP-protected (non-enterprise) traffic. Separate multiple resources with the ";" delimiter. -```code +```console contoso.internalproxy1.com;contoso.internalproxy2.com ```
@@ -537,7 +541,7 @@ Specify your authentication redirection endpoints for your company. These locations are considered enterprise or personal, based on the context of the connection before the redirection. Separate multiple resources with the "," delimiter. -```code +```console sts.contoso.com,sts.contoso2.com ```
@@ -595,8 +599,8 @@ After you've decided where your protected apps can access enterprise data on you - **Off, or not configured.** Stops WIP from encrypting Azure Rights Management files that are copied to a removable drive. ->[!NOTE] ->Regardless of this setting, all files in OneDrive for Business will be encrypted, including moved Known Folders. + > [!NOTE] + > Regardless of this setting, all files in OneDrive for Business will be encrypted, including moved Known Folders. **Allow Windows Search Indexer to search encrypted files.** Determines whether to allow the Windows Search Indexer to index items that are encrypted, such as WIP protected files.
diff --git a/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md b/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md
index 8c01645295..a099742145 100644
--- a/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md
+++ b/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md
@@ -108,7 +108,7 @@ You can add any or all of the enlightened Microsoft apps to your allowed apps li | Microsoft Messaging | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
                        **Product Name:** Microsoft.Messaging
                        **App Type:** Universal app | | IE11 | **Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
                        **Binary Name:** iexplore.exe
                        **App Type:** Desktop app | | OneDrive Sync Client | **Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
                        **Binary Name:** onedrive.exe
                        **App Type:** Desktop app | -| OneDrive app | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
                        **Product Name:** Microsoft.Microsoftskydrive
                        Product Version:Product version: 17.21.0.0 (and later)
                        **App Type:** Universal app | +| OneDrive app | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
                        **Product Name:** Microsoft.Microsoftskydrive
                        Product Version:Product version: 17.21.0.0 (and later)
                        **App Type:** Universal app | | Notepad | **Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
                        **Binary Name:** notepad.exe
                        **App Type:** Desktop app | | Microsoft Paint | **Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
                        **Binary Name:** mspaint.exe
                        **App Type:** Desktop app | | Microsoft Remote Desktop | **Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
                        **Binary Name:** mstsc.exe
                        **App Type:** Desktop app | diff --git a/windows/security/information-protection/windows-information-protection/limitations-with-wip.md b/windows/security/information-protection/windows-information-protection/limitations-with-wip.md index 340c9edb2a..c1cd7193c0 100644 --- a/windows/security/information-protection/windows-information-protection/limitations-with-wip.md +++ b/windows/security/information-protection/windows-information-protection/limitations-with-wip.md @@ -33,18 +33,18 @@ This table provides info about the most common problems you might encounter whil Your enterprise data on USB drives might be tied to the device it was protected on, based on your Azure RMS configuration. - If you’re using Azure RMS: Authenticated users can open enterprise data on USB drives, on computers running Windows 10, version 1703.

                        If you’re not using Azure RMS: Data in the new location remains encrypted, but becomes inaccessible on other devices and for other users. For example, the file won't open or the file opens, but doesn't contain readable text. + If you’re using Azure RMS: Authenticated users can open enterprise data on USB drives, on computers running Windows 10, version 1703.

                        If you’re not using Azure RMS: Data in the new location remains encrypted, but becomes inaccessible on other devices and for other users. For example, the file won't open or the file opens, but doesn't contain readable text. Share files with fellow employees through enterprise file servers or enterprise cloud locations. If data must be shared via USB, employees can decrypt protected files, but it will be audited.

                        We strongly recommend educating employees about how to limit or eliminate the need for this decryption. Direct Access is incompatible with WIP. Direct Access might experience problems with how WIP enforces app behavior and data movement because of how WIP determines what is and isn’t a corporate network resource. - We recommend that you use VPN for client access to your intranet resources.

                        Note
                        VPN is optional and isn’t required by WIP. + We recommend that you use VPN for client access to your intranet resources.

                        Note
                        VPN is optional and isn’t required by WIP. - NetworkIsolation Group Policy setting takes precedence over MDM Policy settings. - The NetworkIsolation Group Policy setting can configure network settings that can also be configured by using MDM. WIP relies on these policies being correctly configured. - If you use both Group Policy and MDM to configure your NetworkIsolation settings, you must make sure that those same settings are deployed to your organization using both Group Policy and MDM. + NetworkIsolation Group Policy setting takes precedence over MDM Policy settings. + The NetworkIsolation Group Policy setting can configure network settings that can also be configured by using MDM. WIP relies on these policies being correctly configured. + If you use both Group Policy and MDM to configure your NetworkIsolation settings, you must make sure that those same settings are deployed to your organization using both Group Policy and MDM. Cortana can potentially allow data leakage if it’s on the allowed apps list. @@ -63,7 +63,7 @@ This table provides info about the most common problems you might encounter whil

                        • Start the installer directly from the file share.

                          -OR-

                        • Decrypt the locally copied files needed by the installer.

                          -OR-

                        • -
                        • Mark the file share with the installation media as “personal”. To do this, you’ll need to set the Enterprise IP ranges as Authoritative and then exclude the IP address of the file server, or you’ll need to put the file server on the Enterprise Proxy Server list.
                        • +
                        • Mark the file share with the installation media as “personal”. To do this, you’ll need to set the Enterprise IP ranges as Authoritative and then exclude the IP address of the file server, or you’ll need to put the file server on the Enterprise Proxy Server list.
                        @@ -74,17 +74,17 @@ This table provides info about the most common problems you might encounter whil Redirected folders with Client Side Caching are not compatible with WIP. Apps might encounter access errors while attempting to read a cached, offline file. - Migrate to use another file synchronization method, such as Work Folders or OneDrive for Business.

                        Note
                        For more info about Work Folders and Offline Files, see the blog, Work Folders and Offline Files support for Windows Information Protection. If you're having trouble opening files offline while using Offline Files and WIP, see the support article, Can't open files offline when you use Offline Files and Windows Information Protection. + Migrate to use another file synchronization method, such as Work Folders or OneDrive for Business.

                        Note
                        For more info about Work Folders and Offline Files, see the blog, Work Folders and Offline Files support for Windows Information Protection. If you're having trouble opening files offline while using Offline Files and WIP, see the support article, Can't open files offline when you use Offline Files and Windows Information Protection. An unmanaged device can use Remote Desktop Protocol (RDP) to connect to a WIP-managed device. -

                        Data copied from the WIP-managed device is marked as Work.

                        Data copied to the WIP-managed device is not marked as Work.

                        Local Work data copied to the WIP-managed device remains Work data.

                        Work data that is copied between two apps in the same session remains data. +

                        Data copied from the WIP-managed device is marked as Work.

                        Data copied to the WIP-managed device is not marked as Work.

                        Local Work data copied to the WIP-managed device remains Work data.

                        Work data that is copied between two apps in the same session remains data. Disable RDP to prevent access because there is no way to restrict access to only devices managed by WIP. RDP is disabled by default. You can't upload an enterprise file to a personal location using Microsoft Edge or Internet Explorer. - A message appears stating that the content is marked as Work and the user isn't given an option to override to Personal. - Open File Explorer and change the file ownership to Personal before you upload. + A message appears stating that the content is marked as Work and the user isn't given an option to override to Personal. + Open File Explorer and change the file ownership to Personal before you upload. ActiveX controls should be used with caution. @@ -97,7 +97,7 @@ This table provides info about the most common problems you might encounter whil Format drive for NTFS, or use a different drive. - WIP isn’t turned on if any of the following folders have the MakeFolderAvailableOfflineDisabled option set to False: + WIP isn’t turned on if any of the following folders have the MakeFolderAvailableOfflineDisabled option set to False:

                        • AppDataRoaming
                        • Desktop
                        • @@ -115,7 +115,7 @@ This table provides info about the most common problems you might encounter whil
                        WIP isn’t turned on for employees in your organization. Error code 0x807c0008 will result if WIP is deployed by using Microsoft Endpoint Configuration Manager. - Don’t set the MakeFolderAvailableOfflineDisabled option to False for any of the specified folders. You can configure this parameter, as described here.

                        If you currently use redirected folders, we recommend that you migrate to a file synchronization solution that supports WIP, such as Work Folders or OneDrive for Business. Additionally, if you apply redirected folders after WIP is already in place, you might be unable to open your files offline. For more info about these potential access errors, see Can't open files offline when you use Offline Files and Windows Information Protection. + Don’t set the MakeFolderAvailableOfflineDisabled option to False for any of the specified folders. You can configure this parameter, as described here.

                        If you currently use redirected folders, we recommend that you migrate to a file synchronization solution that supports WIP, such as Work Folders or OneDrive for Business. Additionally, if you apply redirected folders after WIP is already in place, you might be unable to open your files offline. For more info about these potential access errors, see Can't open files offline when you use Offline Files and Windows Information Protection. @@ -143,7 +143,7 @@ This table provides info about the most common problems you might encounter whil Wait a few minutes to allow OneDrive to finish syncing & upgrading the notebook, and the folder should automatically convert to an Internet Shortcut. Opening the shortcut will open the notebook in the browser, which can then be opened in the OneNote client by using the “Open in app” button. - Microsoft Office Outlook offline data files (PST and OST files) are not marked as Work files, and are therefore not protected. + Microsoft Office Outlook offline data files (PST and OST files) are not marked as Work files, and are therefore not protected. If Microsoft Office Outlook is set to work in cached mode (default setting), or if some emails are stored in a local PST file, the data is unprotected. diff --git a/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md b/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md index 961744bbf6..7353daae25 100644 --- a/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md +++ b/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md @@ -39,30 +39,30 @@ You can try any of the processes included in these scenarios, but you should foc Encrypt and decrypt files using File Explorer. - For desktop:

                        + For desktop:

                          -
                        1. Open File Explorer, right-click a work document, and then click Work from the File Ownership menu.
                          Make sure the file is encrypted by right-clicking the file again, clicking Advanced from the General tab, and then clicking Details from the Compress or Encrypt attributes area. The file should show up under the heading, This enterprise domain can remove or revoke access: <your_enterprise_identity>. For example, contoso.com.
                        2. -
                        3. In File Explorer, right-click the same document, and then click Personal from the File Ownership menu.
                          Make sure the file is decrypted by right-clicking the file again, clicking Advanced from the General tab, and then verifying that the Details button is unavailable.
                        4. +
                        5. Open File Explorer, right-click a work document, and then click Work from the File Ownership menu.
                          Make sure the file is encrypted by right-clicking the file again, clicking Advanced from the General tab, and then clicking Details from the Compress or Encrypt attributes area. The file should show up under the heading, This enterprise domain can remove or revoke access: <your_enterprise_identity>. For example, contoso.com.
                        6. +
                        7. In File Explorer, right-click the same document, and then click Personal from the File Ownership menu.
                          Make sure the file is decrypted by right-clicking the file again, clicking Advanced from the General tab, and then verifying that the Details button is unavailable.
                        - For mobile:

                        + For mobile:

                          -
                        1. Open the File Explorer app, browse to a file location, click the elipsis (...), and then click Select to mark at least one file as work-related.
                        2. -
                        3. Click the elipsis (...) again, click File ownership from the drop down menu, and then click Work.
                          Make sure the file is encrypted, by locating the Briefcase icon next to the file name.
                        4. -
                        5. Select the same file, click File ownership from the drop down menu, and then click Personal.
                          Make sure the file is decrypted and that you're no longer seeing the Briefcase icon next to file name.
                        6. +
                        7. Open the File Explorer app, browse to a file location, click the elipsis (...), and then click Select to mark at least one file as work-related.
                        8. +
                        9. Click the elipsis (...) again, click File ownership from the drop down menu, and then click Work.
                          Make sure the file is encrypted, by locating the Briefcase icon next to the file name.
                        10. +
                        11. Select the same file, click File ownership from the drop down menu, and then click Personal.
                          Make sure the file is decrypted and that you're no longer seeing the Briefcase icon next to file name.
                        Create work documents in enterprise-allowed apps. - For desktop:

                        + For desktop:

                        - For mobile:

                        + For mobile:

                          -
                        1. Start an allowed mobile app, such as Word Mobile, create a new document, and then save your changes as Work to a local, work-related location.
                          Make sure the document is encrypted, by locating the Briefcase icon next to the file name.
                        2. +
                        3. Start an allowed mobile app, such as Word Mobile, create a new document, and then save your changes as Work to a local, work-related location.
                          Make sure the document is encrypted, by locating the Briefcase icon next to the file name.
                        4. Open the same document and attempt to save it to a non-work-related location.
                          WIP should stop you from saving the file to this location.
                        5. -
                        6. Open the same document one last time, make a change to the contents, and then save it again using the Personal option.
                          Make sure the file is decrypted and that you're no longer seeing the Briefcase icon next to file name.
                        7. +
                        8. Open the same document one last time, make a change to the contents, and then save it again using the Personal option.
                          Make sure the file is decrypted and that you're no longer seeing the Briefcase icon next to file name.

                        @@ -70,7 +70,7 @@ You can try any of the processes included in these scenarios, but you should foc
                        1. Start an app that doesn't appear on your allowed apps list, and then try to open a work-encrypted file.
                          The app shouldn't be able to access the file.
                        2. -
                        3. Try double-clicking or tapping on the work-encrypted file.
                          If your default app association is an app not on your allowed apps list, you should get an Access Denied error message.
                        4. +
                        5. Try double-clicking or tapping on the work-encrypted file.
                          If your default app association is an app not on your allowed apps list, you should get an Access Denied error message.
                        @@ -78,9 +78,9 @@ You can try any of the processes included in these scenarios, but you should foc Copy and paste from enterprise apps to non-enterprise apps.
                          -
                        1. Copy (CTRL+C) content from an app on your allowed apps list, and then try to paste (CTRL+V) the content into an app that doesn't appear on your allowed apps list.
                          You should see a WIP-related warning box, asking you to click either Change to personal or Keep at work.
                        2. -
                        3. Click Keep at work.
                          The content isn't pasted into the non-enterprise app.
                        4. -
                        5. Repeat Step 1, but this time click Change to personal, and try to paste the content again.
                          The content is pasted into the non-enterprise app.
                        6. +
                        7. Copy (CTRL+C) content from an app on your allowed apps list, and then try to paste (CTRL+V) the content into an app that doesn't appear on your allowed apps list.
                          You should see a WIP-related warning box, asking you to click either Change to personal or Keep at work.
                        8. +
                        9. Click Keep at work.
                          The content isn't pasted into the non-enterprise app.
                        10. +
                        11. Repeat Step 1, but this time click Change to personal, and try to paste the content again.
                          The content is pasted into the non-enterprise app.
                        12. Try copying and pasting content between apps on your allowed apps list.
                          The content should copy and paste between apps without any warning messages.
                        @@ -89,9 +89,9 @@ You can try any of the processes included in these scenarios, but you should foc Drag and drop from enterprise apps to non-enterprise apps.
                          -
                        1. Drag content from an app on your allowed apps list, and then try to drop the content into an app that doesn't appear on your allowed apps list.
                          You should see a WIP-related warning box, asking you to click either Keep at work or Change to personal.
                        2. -
                        3. Click Keep at work.
                          The content isn't dropped into the non-enterprise app.
                        4. -
                        5. Repeat Step 1, but this time click Change to personal, and try to drop the content again.
                          The content is dropped into the non-enterprise app.
                        6. +
                        7. Drag content from an app on your allowed apps list, and then try to drop the content into an app that doesn't appear on your allowed apps list.
                          You should see a WIP-related warning box, asking you to click either Keep at work or Change to personal.
                        8. +
                        9. Click Keep at work.
                          The content isn't dropped into the non-enterprise app.
                        10. +
                        11. Repeat Step 1, but this time click Change to personal, and try to drop the content again.
                          The content is dropped into the non-enterprise app.
                        12. Try dragging and dropping content between apps on your allowed apps list.
                          The content should move between the apps without any warning messages.
                        @@ -100,9 +100,9 @@ You can try any of the processes included in these scenarios, but you should foc Share between enterprise apps and non-enterprise apps.
                          -
                        1. Open an app on your allowed apps list, like Microsoft Photos, and try to share content with an app that doesn't appear on your allowed apps list, like Facebook.
                          You should see a WIP-related warning box, asking you to click either Keep at work or Change to personal.
                        2. -
                        3. Click Keep at work.
                          The content isn't shared into Facebook.
                        4. -
                        5. Repeat Step 1, but this time click Change to personal, and try to share the content again.
                          The content is shared into Facebook.
                        6. +
                        7. Open an app on your allowed apps list, like Microsoft Photos, and try to share content with an app that doesn't appear on your allowed apps list, like Facebook.
                          You should see a WIP-related warning box, asking you to click either Keep at work or Change to personal.
                        8. +
                        9. Click Keep at work.
                          The content isn't shared into Facebook.
                        10. +
                        11. Repeat Step 1, but this time click Change to personal, and try to share the content again.
                          The content is shared into Facebook.
                        12. Try sharing content between apps on your allowed apps list.
                          The content should share between the apps without any warning messages.
                        @@ -112,8 +112,8 @@ You can try any of the processes included in these scenarios, but you should foc
                        1. Start Windows Journal and Internet Explorer 11, creating, editing, and saving files in both apps.
                          Make sure that all of the files you worked with are encrypted to your configured Enterprise Identity. In some cases, you might need to close the file and wait a few moments for it to be automatically encrypted.
                        2. -
                        3. Open File Explorer and make sure your modified files are appearing with a Lock icon.
                        4. -
                        5. Try copying and pasting, dragging and dropping, and sharing using these apps with other apps that appear both on and off the allowed apps list.

                          Note
                          Most Windows-signed components like File Explorer (when running in the user's context), should have access to enterprise data.

                          A few notable exceptions include some of the user-facing in-box apps, like Wordpad, Notepad, and Microsoft Paint. These apps don't have access by default, but can be added to your allowed apps list.
                        6. +
                        7. Open File Explorer and make sure your modified files are appearing with a Lock icon.
                        8. +
                        9. Try copying and pasting, dragging and dropping, and sharing using these apps with other apps that appear both on and off the allowed apps list.

                          Note
                          Most Windows-signed components like File Explorer (when running in the user's context), should have access to enterprise data.

                          A few notable exceptions include some of the user-facing in-box apps, like Wordpad, Notepad, and Microsoft Paint. These apps don't have access by default, but can be added to your allowed apps list.
                        @@ -130,7 +130,7 @@ You can try any of the processes included in these scenarios, but you should foc Verify your shared files can use WIP.
                          -
                        1. Download a file from a protected file share, making sure the file is encrypted by locating the Briefcase icon next to the file name.
                        2. +
                        3. Download a file from a protected file share, making sure the file is encrypted by locating the Briefcase icon next to the file name.
                        4. Open the same file, make a change, save it and then try to upload it back to the file share. Again, this should work without any warnings.
                        5. Open an app that doesn't appear on your allowed apps list and attempt to access a file on the WIP-enabled file share.
                          The app shouldn't be able to access the file share.
                        @@ -142,7 +142,7 @@ You can try any of the processes included in these scenarios, but you should foc
                        1. Add both Internet Explorer 11 and Microsoft Edge to your allowed apps list.
                        2. Open SharePoint (or another cloud resource that's part of your policy) and access a WIP-enabled resource by using both IE11 and Microsoft Edge.
                          Both browsers should respect the enterprise and personal boundary.
                        3. -
                        4. Remove Internet Explorer 11 from your allowed app list and then try to access an intranet site or enterprise-related cloud resource.
                          IE11 shouldn't be able to access the sites.

                          Note
                          Any file downloaded from your work SharePoint site, or any other WIP-enabled cloud resource, is automatically marked as Work.
                        5. +
                        6. Remove Internet Explorer 11 from your allowed app list and then try to access an intranet site or enterprise-related cloud resource.
                          IE11 shouldn't be able to access the sites.

                          Note
                          Any file downloaded from your work SharePoint site, or any other WIP-enabled cloud resource, is automatically marked as Work.
                        @@ -150,7 +150,7 @@ You can try any of the processes included in these scenarios, but you should foc Verify your Virtual Private Network (VPN) can be auto-triggered.
                          -
                        1. Set up your VPN network to start based on the WIPModeID setting.
                          For specific info about how to do this, see the Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune topic.
                        2. +
                        3. Set up your VPN network to start based on the WIPModeID setting.
                          For specific info about how to do this, see the Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune topic.
                        4. Start an app from your allowed apps list.
                          The VPN network should automatically start.
                        5. Disconnect from your network and then start an app that isn't on your allowed apps list.
                          The VPN shouldn't start and the app shouldn't be able to access your enterprise network.
                        @@ -160,7 +160,7 @@ You can try any of the processes included in these scenarios, but you should foc Unenroll client devices from WIP.
                          -
                        • Unenroll a device from WIP by going to Settings, click Accounts, click Work, click the name of the device you want to unenroll, and then click Remove.
                          The device should be removed and all of the enterprise content for that managed account should be gone.

                          Important
                          On desktop devices, the data isn't removed and can be recovered, so you must make sure the content is marked as Revoked and that access is denied for the employee. On mobile devices, the data is removed.
                        • +
                        • Unenroll a device from WIP by going to Settings, click Accounts, click Work, click the name of the device you want to unenroll, and then click Remove.
                          The device should be removed and all of the enterprise content for that managed account should be gone.

                          Important
                          On desktop devices, the data isn't removed and can be recovered, so you must make sure the content is marked as Revoked and that access is denied for the employee. On mobile devices, the data is removed.
                        diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index bb71e600b5..933705e0e8 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -9,6 +9,7 @@ ### [Overview of Microsoft Defender Security Center](microsoft-defender-atp/use.md) ### [Portal overview](microsoft-defender-atp/portal-overview.md) ### [Microsoft Defender ATP for US Government Community Cloud High customers](microsoft-defender-atp/commercial-gov.md) +### [Microsoft Defender ATP for non-Windows platforms](microsoft-defender-atp/non-windows.md) ## [Evaluate capabilities](microsoft-defender-atp/evaluation-lab.md) 
@@ -18,15 +19,24 @@ ### [Deployment phases](microsoft-defender-atp/deployment-phases.md) ### [Phase 1: Prepare](microsoft-defender-atp/prepare-deployment.md) ### [Phase 2: Set up](microsoft-defender-atp/production-deployment.md) -### [Phase 3: Onboard](microsoft-defender-atp/onboarding.md) +### [Phase 3: Onboard]() +#### [Onboarding overview](microsoft-defender-atp/onboarding.md) +##### [Onboarding using Microsoft Endpoint Configuration Manager](microsoft-defender-atp/onboarding-endpoint-configuration-manager.md) +##### [Onboarding using Microsoft Endpoint Manager](microsoft-defender-atp/onboarding-endpoint-manager.md) -## [Migration guides]() -### [Migrate from Symantec to Microsoft Defender ATP]() + +## [Migration guides](microsoft-defender-atp/migration-guides.md) +### [Switch from McAfee to Microsoft Defender ATP]() +#### [Get an overview of migration](microsoft-defender-atp/mcafee-to-microsoft-defender-migration.md) +#### [Prepare for your migration](microsoft-defender-atp/mcafee-to-microsoft-defender-prepare.md) +#### [Set up Microsoft Defender ATP](microsoft-defender-atp/mcafee-to-microsoft-defender-setup.md) +#### [Onboard to Microsoft Defender ATP](microsoft-defender-atp/mcafee-to-microsoft-defender-onboard.md) +### [Switch from Symantec to Microsoft Defender ATP]() #### [Get an overview of migration](microsoft-defender-atp/symantec-to-microsoft-defender-atp-migration.md) #### [Prepare for your migration](microsoft-defender-atp/symantec-to-microsoft-defender-atp-prepare.md) #### [Set up Microsoft Defender ATP](microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md) #### [Onboard to Microsoft Defender ATP](microsoft-defender-atp/symantec-to-microsoft-defender-atp-onboard.md) -### [Manage Microsoft Defender ATP post migration]() +### [Manage Microsoft Defender ATP after migration]() #### [Overview](microsoft-defender-atp/manage-atp-post-migration.md) #### [Intune (recommended)](microsoft-defender-atp/manage-atp-post-migration-intune.md) #### 
[Configuration Manager](microsoft-defender-atp/manage-atp-post-migration-configuration-manager.md) @@ -49,7 +59,7 @@ ### [Attack surface reduction]() #### [Overview of attack surface reduction](microsoft-defender-atp/overview-attack-surface-reduction.md) -#### [Attack surface reduction evaluation](microsoft-defender-atp/evaluate-attack-surface-reduction.md) +#### [Evaluate attack surface reduction rules](microsoft-defender-atp/evaluate-attack-surface-reduction.md) #### [Attack surface reduction configuration settings](microsoft-defender-atp/configure-attack-surface-reduction.md) #### [Attack surface reduction FAQ](microsoft-defender-atp/attack-surface-reduction-faq.md) @@ -57,6 +67,7 @@ ##### [Attack surface reduction rules](microsoft-defender-atp/attack-surface-reduction.md) ##### [Enable attack surface reduction rules](microsoft-defender-atp/enable-attack-surface-reduction.md) ##### [Customize attack surface reduction rules](microsoft-defender-atp/customize-attack-surface-reduction.md) +##### [View attack surface reduction events](microsoft-defender-atp/event-views.md) #### [Hardware-based isolation]() ##### [Hardware-based isolation in Windows 10](microsoft-defender-atp/overview-hardware-based-isolation.md) 
@@ -65,7 +76,8 @@ ##### [Application isolation]() ###### [Application guard overview](microsoft-defender-application-guard/md-app-guard-overview.md) ###### [System requirements](microsoft-defender-application-guard/reqs-md-app-guard.md) -###### [Install Windows Defender Application Guard](microsoft-defender-application-guard/install-md-app-guard.md) +###### [Install Microsoft Defender Application Guard](microsoft-defender-application-guard/install-md-app-guard.md) +###### [Install Microsoft Defender Application Guard Extension](microsoft-defender-application-guard/md-app-guard-browser-extension.md) ##### [Application control](windows-defender-application-control/windows-defender-application-control.md) ###### [Audit Application control policies](windows-defender-application-control/audit-windows-defender-application-control-policies.md) 
@@ -75,19 +87,22 @@ ##### [System integrity](windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md) #### [Device control]() -##### [Code integrity](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md) +##### [Code integrity](device-guard/enable-virtualization-based-protection-of-code-integrity.md) ##### [Control USB devices](device-control/control-usb-devices-using-intune.md) #### [Exploit protection]() ##### [Protect devices from exploits](microsoft-defender-atp/exploit-protection.md) ##### [Exploit protection evaluation](microsoft-defender-atp/evaluate-exploit-protection.md) - +##### [Enable exploit protection](microsoft-defender-atp/enable-exploit-protection.md) +##### [Customize exploit protection](microsoft-defender-atp/customize-exploit-protection.md) +##### [Import, export, and deploy exploit protection configurations](microsoft-defender-atp/import-export-exploit-protection-emet-xml.md) +##### [Exploit protection reference](microsoft-defender-atp/exploit-protection-reference.md ) #### [Network protection]() ##### [Protect your network](microsoft-defender-atp/network-protection.md) -##### [Network protection evaluation](microsoft-defender-atp/evaluate-network-protection.md) -##### [Enable network protection](microsoft-defender-atp/enable-network-protection.md) +##### [Evaluate network protection](microsoft-defender-atp/evaluate-network-protection.md) +##### [Turn on network protection](microsoft-defender-atp/enable-network-protection.md) #### [Web protection]() ##### [Web protection overview](microsoft-defender-atp/web-protection-overview.md) 
@@ -99,7 +114,9 @@ #### [Controlled folder access]() ##### [Protect folders](microsoft-defender-atp/controlled-folders.md) -##### [Controlled folder access evaluation](microsoft-defender-atp/evaluate-controlled-folder-access.md) +##### [Evaluate controlled folder access](microsoft-defender-atp/evaluate-controlled-folder-access.md) +##### [Enable controlled folder access](microsoft-defender-atp/enable-controlled-folders.md) +##### [Customize controlled folder access](microsoft-defender-atp/customize-controlled-folders.md) @@ -207,7 +224,13 @@ #### [Deploy]() ##### [Microsoft Intune-based deployment](microsoft-defender-atp/mac-install-with-intune.md) -##### [JAMF-based deployment](microsoft-defender-atp/mac-install-with-jamf.md) +##### [JAMF Pro-based deployment]() +###### [Deploying Microsoft Defender ATP for macOS using Jamf Pro](microsoft-defender-atp/mac-install-with-jamf.md) +###### [Login to Jamf Pro](microsoft-defender-atp/mac-install-jamfpro-login.md) +###### [Set up device groups](microsoft-defender-atp/mac-jamfpro-device-groups.md) +###### [Set up policies](microsoft-defender-atp/mac-jamfpro-policies.md) +###### [Enroll devices](microsoft-defender-atp/mac-jamfpro-enroll-devices.md) + ##### [Deployment with a different Mobile Device Management (MDM) system](microsoft-defender-atp/mac-install-with-other-mdm.md) ##### [Manual deployment](microsoft-defender-atp/mac-install-manually.md) #### [Update](microsoft-defender-atp/mac-updates.md) @@ -228,6 +251,10 @@ #### [Resources](microsoft-defender-atp/mac-resources.md) +### [Microsoft Defender Advanced Threat Protection for iOS]() +#### [Overview of Microsoft Defender Advanced Threat Protection for iOS](microsoft-defender-atp/microsoft-defender-atp-ios.md) + + ### [Microsoft Defender Advanced Threat Protection for Linux]() #### [Overview of Microsoft Defender ATP for Linux](microsoft-defender-atp/microsoft-defender-atp-linux.md) #### [What's New](microsoft-defender-atp/linux-whatsnew.md) 
@@ -264,6 +291,11 @@ #### [Configure]() ##### [Configure Microsoft Defender ATP for Android features](microsoft-defender-atp/android-configure.md) +#### [Privacy]() +##### [Microsoft Defender ATP for Android - Privacy information](microsoft-defender-atp/android-privacy.md) + +#### [Troubleshoot]() +##### [Troubleshoot issues](microsoft-defender-atp/android-support-signin.md) ### [Configure and manage Microsoft Threat Experts capabilities](microsoft-defender-atp/configure-microsoft-threat-experts.md) @@ -332,14 +364,14 @@ #### [Reporting]() ##### [Power BI - How to use API - Samples](microsoft-defender-atp/api-power-bi.md) -##### [Create and build Power BI reports using Microsoft Defender ATP data connectors (deprecated)](microsoft-defender-atp/powerbi-reports.md) ##### [Threat protection reports](microsoft-defender-atp/threat-protection-reports.md) #### [Device health and compliance reports](microsoft-defender-atp/machine-reports.md) #### [Custom detections]() -##### [Understand custom detections](microsoft-defender-atp/overview-custom-detections.md) -##### [Create and manage detection rules](microsoft-defender-atp/custom-detection-rules.md) +##### [Custom detections overview](microsoft-defender-atp/overview-custom-detections.md) +##### [Create detection rules](microsoft-defender-atp/custom-detection-rules.md) +##### [View & manage detection rules](microsoft-defender-atp/custom-detections-manage.md) ### [Behavioral blocking and containment]() #### [Behavioral blocking and containment](microsoft-defender-atp/behavioral-blocking-containment.md) 
@@ -424,8 +456,6 @@ #### [General]() ##### [Verify data storage location and update data retention settings](microsoft-defender-atp/data-retention-settings.md) ##### [Configure alert notifications](microsoft-defender-atp/configure-email-notifications.md) -##### [Enable and create Power BI reports using Windows Defender Security center data](microsoft-defender-atp/powerbi-reports.md) -##### [Enable Secure score security controls](microsoft-defender-atp/enable-secure-score.md) ##### [Configure advanced features](microsoft-defender-atp/advanced-features.md) #### [Permissions]() @@ -456,7 +486,7 @@ #### [Configure conditional access](microsoft-defender-atp/configure-conditional-access.md) #### [Configure Microsoft Cloud App Security integration](microsoft-defender-atp/microsoft-cloud-app-security-config.md) - +### [Use audit mode](microsoft-defender-atp/audit-windows-defender.md) ## Reference ### [Management and APIs]() @@ -551,7 +581,7 @@ ####### [Score methods and properties](microsoft-defender-atp/score.md) ####### [List exposure score by machine group](microsoft-defender-atp/get-machine-group-exposure-score.md) ####### [Get exposure score](microsoft-defender-atp/get-exposure-score.md) -####### [Get machine secure score](microsoft-defender-atp/get-device-secure-score.md) +####### [Get device secure score](microsoft-defender-atp/get-device-secure-score.md) ###### [Software]() ####### [Software methods and properties](microsoft-defender-atp/software.md) 
@@ -613,6 +643,7 @@ #### [Managed security service provider (MSSP) integration]() ##### [Configure managed security service provider integration](microsoft-defender-atp/configure-mssp-support.md) +##### [Supported managed security service providers](microsoft-defender-atp/mssp-list.md) ##### [Grant MSSP access to the portal](microsoft-defender-atp/grant-mssp-access.md) ##### [Access the MSSP customer portal](microsoft-defender-atp/access-mssp-portal.md) ##### [Configure alert notifications](microsoft-defender-atp/configure-mssp-notifications.md) diff --git a/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md b/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md index e36022563e..1ce7884399 100644 --- a/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md +++ b/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md @@ -64,7 +64,6 @@ Detailed Tracking security policy settings and audit events can be used to monit - [Audit Process Creation](audit-process-creation.md) - [Audit Process Termination](audit-process-termination.md) - [Audit RPC Events](audit-rpc-events.md) -- [Audit Credential Validation](https://docs.microsoft.com/windows/security/threat-protection/auditing/audit-credential-validation) - [Audit Token Right Adjusted](https://docs.microsoft.com/windows/security/threat-protection/auditing/audit-token-right-adjusted) ## DS Access diff --git a/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md b/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md index b062a6e72b..505da9bbb0 100644 --- a/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md 
+++ b/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md @@ -1,6 +1,6 @@ --- title: Appendix A, Security monitoring recommendations for many audit events (Windows 10) -description: Appendix A, Security monitoring recommendations for many audit events +description: Learn about recommendations for the type of monitoring required for certain classes of security audit events. ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy diff --git a/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md b/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md index f6d870f605..9adb4cfd74 100644 --- a/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md +++ b/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md @@ -1,6 +1,6 @@ --- title: Audit Other Privilege Use Events (Windows 10) -description: This security policy setting is not used. +description: Learn about the audit other privilege use events, an auditing subcategory that should not have any events in it but enables generation of event 4985(S). ms.assetid: 5f7f5b25-42a6-499f-8aa2-01ac79a2a63c ms.reviewer: manager: dansimp diff --git a/windows/security/threat-protection/auditing/basic-security-audit-policies.md b/windows/security/threat-protection/auditing/basic-security-audit-policies.md index 1e73acf50d..3856637432 100644 --- a/windows/security/threat-protection/auditing/basic-security-audit-policies.md +++ b/windows/security/threat-protection/auditing/basic-security-audit-policies.md 
@@ -1,6 +1,6 @@ --- title: Basic security audit policies (Windows 10) -description: Before you implement auditing, you must decide on an auditing policy. +description: Learn about basic security audit policies that specify the categories of security-related events that you want to audit for the needs of your organization. ms.assetid: 3B678568-7AD7-4734-9BB4-53CF5E04E1D3 ms.reviewer: ms.author: dansimp diff --git a/windows/security/threat-protection/auditing/event-4608.md b/windows/security/threat-protection/auditing/event-4608.md index 22a7d07d71..5f0730407d 100644 --- a/windows/security/threat-protection/auditing/event-4608.md +++ b/windows/security/threat-protection/auditing/event-4608.md @@ -1,6 +1,6 @@ --- title: 4608(S) Windows is starting up. (Windows 10) -description: Describes security event 4608(S) Windows is starting up. +description: Describes security event 4608(S) Windows is starting up. This event is logged when the LSASS.EXE process starts and the auditing subsystem is initialized. ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy @@ -20,7 +20,7 @@ ms.author: dansimp - Windows Server 2016 -Event 4608 illustration +Event 4608 illustration ***Subcategory:*** [Audit Security State Change](audit-security-state-change.md) @@ -30,12 +30,13 @@ This event is logged when LSASS.EXE process starts and the auditing subsystem is It typically generates during operating system startup process. -> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. +> [!NOTE] +> For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
                        ***Event XML:*** -``` +```xml - - diff --git a/windows/security/threat-protection/auditing/event-4615.md b/windows/security/threat-protection/auditing/event-4615.md index 9231f28b82..0490e0ae3e 100644 --- a/windows/security/threat-protection/auditing/event-4615.md +++ b/windows/security/threat-protection/auditing/event-4615.md @@ -1,6 +1,6 @@ --- title: 4615(S) Invalid use of LPC port. (Windows 10) -description: Describes security event 4615(S) Invalid use of LPC port. +description: Describes security event 4615(S) Invalid use of LPC port. It appears that the Invalid use of LPC port event never occurs. ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy diff --git a/windows/security/threat-protection/auditing/event-4616.md b/windows/security/threat-protection/auditing/event-4616.md index 8681a67e8f..3f700f0719 100644 --- a/windows/security/threat-protection/auditing/event-4616.md +++ b/windows/security/threat-protection/auditing/event-4616.md @@ -1,6 +1,6 @@ --- title: 4616(S) The system time was changed. (Windows 10) -description: Describes security event 4616(S) The system time was changed. +description: Describes security event 4616(S) The system time was changed. This event is generated every time system time is changed. ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy @@ -20,7 +20,7 @@ ms.author: dansimp - Windows Server 2016 -Event 4616 illustration +Event 4616 illustration ***Subcategory:*** [Audit Security State Change](audit-security-state-change.md) 
@@ -32,12 +32,13 @@ This event is always logged regardless of the "Audit Security State Change" sub- You will typically see these events with “**Subject\\Security ID**” = “**LOCAL SERVICE**”, these are normal time correction actions. -> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. +> [!NOTE] +> For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
                        ***Event XML:*** -``` +```xml - - 
@@ -87,7 +88,8 @@ You will typically see these events with “**Subject\\Security ID**” = “**L - **Security ID** \[Type = SID\]**:** SID of account that requested the “change system time” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. -> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers). + > [!NOTE] + > A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers). 
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “change system time” operation. @@ -161,7 +163,8 @@ You will typically see these events with “**Subject\\Security ID**” = “**L For 4616(S): The system time was changed. -> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). +> [!IMPORTANT] +> For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). - Report all “**Subject\\Security ID**” not equals **“LOCAL SERVICE”**, which means that the time change was not made not by Windows Time service. diff --git a/windows/security/threat-protection/auditing/event-4624.md b/windows/security/threat-protection/auditing/event-4624.md index cf8e0d63b8..b310cd06ca 100644 --- a/windows/security/threat-protection/auditing/event-4624.md +++ b/windows/security/threat-protection/auditing/event-4624.md @@ -146,6 +146,7 @@ This event generates when a logon session is created (on destination machine). I | Logon Type | Logon Title | Description | |:----------:|---------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `0` | `System` | Used only by the System account, for example at system startup. | | `2` | `Interactive` | A user logged on to this computer. | | `3` | `Network` | A user or computer logged on to this computer from the network. | | `4` | `Batch` | Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention. | 
@@ -155,6 +156,8 @@ This event generates when a logon session is created (on destination machine). I | `9` | `NewCredentials` | A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections. | | `10` | `RemoteInteractive` | A user logged on to this computer remotely using Terminal Services or Remote Desktop. | | `11` | `CachedInteractive` | A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials. | +| `12` | `CashedRemoteInteractive` | Same as RemoteInteractive. This is used for internal auditing. | +| `13` | `CachedUnlock` | Workstation logon. | - **Restricted Admin Mode** \[Version 2\] \[Type = UnicodeString\]**:** Only populated for **RemoteInteractive** logon type sessions. This is a Yes/No flag indicating if the credentials provided were passed using Restricted Admin mode. Restricted Admin mode was added in Win8.1/2012R2 but this flag was added to the event in Win10. diff --git a/windows/security/threat-protection/auditing/event-4625.md b/windows/security/threat-protection/auditing/event-4625.md index 08fcff8219..84cf52d450 100644 --- a/windows/security/threat-protection/auditing/event-4625.md +++ b/windows/security/threat-protection/auditing/event-4625.md @@ -1,6 +1,6 @@ --- title: 4625(F) An account failed to log on. (Windows 10) -description: Describes security event 4625(F) An account failed to log on. +description: Describes security event 4625(F) An account failed to log on. This event is generated if an account logon attempt failed for a locked out account. ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy 
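Review bot: The added row for logon type 12 in event-4624.md spells the title `CashedRemoteInteractive`; the Windows logon-type name is `CachedRemoteInteractive`, consistent with the `CachedInteractive` and `CachedUnlock` rows next to it. Analysts copy these titles into detection queries and log-parsing lookups, so the misspelling can carry over into rules that then fail to match. The title cell should read `CachedRemoteInteractive`. Separately, the logon-type table re-indented in event-4625.md later in this commit still lists only types 2–11, so it may be worth checking whether the new 0, 12 and 13 rows should be mirrored there.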
@@ -20,7 +20,7 @@ ms.author: dansimp - Windows Server 2016 -Event 4625 illustration +Event 4625 illustration ***Subcategories:*** [Audit Account Lockout](audit-account-lockout.md) and [Audit Logon](audit-logon.md) @@ -32,12 +32,13 @@ It generates on the computer where logon attempt was made, for example, if logon This event generates on domain controllers, member servers, and workstations. -> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. +> [!NOTE] +> For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
                        ***Event XML:*** -``` +```xml - - 
@@ -93,7 +94,8 @@ This event generates on domain controllers, member servers, and workstations. - **Security ID** \[Type = SID\]**:** SID of account that reported information about logon failure. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. -> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers). + > [!NOTE] + > A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers). 
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that reported information about logon failure. 
@@ -109,27 +111,30 @@ This event generates on domain controllers, member servers, and workstations. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. -**Logon Type** \[Type = UInt32\]**:** the type of logon which was performed. “Table 11. Windows Logon Types” contains the list of possible values for this field. +- **Logon Type** \[Type = UInt32\]**:** the type of logon which was performed. “Table 11. Windows Logon Types” contains the list of possible values for this field. -| Logon Type | Logon Title | Description | -|-----------------------------------------------------------------|-------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| 2 | Interactive | A user logged on to this computer. | -| 3 | Network | A user or computer logged on to this computer from the network. | -| 4 | Batch | Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention. | -| 5 | Service | A service was started by the Service Control Manager. | -| 7 | Unlock | This workstation was unlocked. | -| 8 | NetworkCleartext | A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext). | -| 9 | NewCredentials | A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections. 
| -| 10 | RemoteInteractive | A user logged on to this computer remotely using Terminal Services or Remote Desktop. | -| 11 | CachedInteractive | A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials. | -> Table: Windows Logon Types + **Table 11: Windows Logon Types** + + | Logon Type | Logon Title | Description | + |-----------------------------------------------------------------|-------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| + | 2 | Interactive | A user logged on to this computer. | + | 3 | Network | A user or computer logged on to this computer from the network. | + | 4 | Batch | Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention. | + | 5 | Service | A service was started by the Service Control Manager. | + | 7 | Unlock | This workstation was unlocked. | + | 8 | NetworkCleartext | A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext). | + | 9 | NewCredentials | A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections. | + | 10 | RemoteInteractive | A user logged on to this computer remotely using Terminal Services or Remote Desktop. 
| + | 11 | CachedInteractive | A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials. | + **Account For Which Logon Failed:** - **Security ID** \[Type = SID\]**:** SID of the account that was specified in the logon attempt. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. -> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers). + > [!NOTE] + > A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. 
For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers). - **Account Name** \[Type = UnicodeString\]**:** the name of the account that was specified in the logon attempt. 
@@ -151,35 +156,36 @@ This event generates on domain controllers, member servers, and workstations. - **Failure Reason** \[Type = UnicodeString\]**:** textual explanation of **Status** field value. For this event it typically has “**Account locked out**” value. -- **Status** \[Type = HexInt32\]**:** the reason why logon failed. For this event it typically has “**0xC0000234**” value. The most common status codes are listed in “Table 12. Windows logon status codes.” +- **Status** \[Type = HexInt32\]**:** the reason why logon failed. For this event it typically has “**0xC0000234**” value. The most common status codes are listed in Table 12. Windows logon status codes. -| Status\\Sub-Status Code | Description | -|-------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| 0XC000005E | There are currently no logon servers available to service the logon request. | -| 0xC0000064 | User logon with misspelled or bad user account | -| 0xC000006A | User logon with misspelled or bad password | -| 0XC000006D | This is either due to a bad username or authentication information | -| 0XC000006E | Unknown user name or bad password. | -| 0xC000006F | User logon outside authorized hours | -| 0xC0000070 | User logon from unauthorized workstation | -| 0xC0000071 | User logon with expired password | -| 0xC0000072 | User logon to account disabled by administrator | -| 0XC00000DC | Indicates the Sam Server was in the wrong state to perform the desired operation. | -| 0XC0000133 | Clocks between DC and other computer too far out of sync | -| 0XC000015B | The user has not been granted the requested logon type (aka logon right) at this machine | -| 0XC000018C | The logon request failed because the trust relationship between the primary domain and the trusted domain failed. 
| -| 0XC0000192 | An attempt was made to logon, but the N**etlogon** service was not started. | -| 0xC0000193 | User logon with expired account | -| 0XC0000224 | User is required to change password at next logon | -| 0XC0000225 | Evidently a bug in Windows and not a risk | -| 0xC0000234 | User logon with account locked | -| 0XC00002EE | Failure Reason: An Error occurred during Logon | -| 0XC0000413 | Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine. | -| 0x0 | Status OK. | + **Table 12: Windows logon status codes.** -> Table: Windows logon status codes. -> -> **Note**  To see the meaning of other status\\sub-status codes you may also check for status code in the Window header file ntstatus.h in Windows SDK. + | Status\\Sub-Status Code | Description | + |-------------------------|------------------------------------------------------------------------------------------------------| + | 0XC000005E | There are currently no logon servers available to service the logon request. | + | 0xC0000064 | User logon with misspelled or bad user account | + | 0xC000006A | User logon with misspelled or bad password | + | 0XC000006D | This is either due to a bad username or authentication information | + | 0XC000006E | Unknown user name or bad password. | + | 0xC000006F | User logon outside authorized hours | + | 0xC0000070 | User logon from unauthorized workstation | + | 0xC0000071 | User logon with expired password | + | 0xC0000072 | User logon to account disabled by administrator | + | 0XC00000DC | Indicates the Sam Server was in the wrong state to perform the desired operation. 
| + | 0XC0000133 | Clocks between DC and other computer too far out of sync | + | 0XC000015B | The user has not been granted the requested logon type (aka logon right) at this machine | + | 0XC000018C | The logon request failed because the trust relationship between the primary domain and the trusted domain failed. | + | 0XC0000192 | An attempt was made to logon, but the N**etlogon** service was not started. | + | 0xC0000193 | User logon with expired account | + | 0XC0000224 | User is required to change password at next logon | + | 0XC0000225 | Evidently a bug in Windows and not a risk | + | 0xC0000234 | User logon with account locked | + | 0XC00002EE | Failure Reason: An Error occurred during Logon | + | 0XC0000413 | Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine. | + | 0x0 | Status OK. | + +> [!NOTE] +> To see the meaning of other status\\sub-status codes you may also check for status code in the Window header file ntstatus.h in Windows SDK. More information: @@ -187,7 +193,7 @@ More information: **Process Information:** -- **Caller Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process that attempted the logon. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column): +- **Caller Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process that attempted the logon. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):

                        Task manager illustration @@ -241,7 +247,8 @@ More information: For 4625(F): An account failed to log on. -> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). +> [!IMPORTANT] +> For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). - If you have a pre-defined “**Process Name**” for the process reported in this event, monitor all events with “**Process Name**” not equal to your defined value. @@ -277,17 +284,17 @@ For 4625(F): An account failed to log on. - Monitor for all events with the fields and values in the following table: -| **Field** | Value to monitor for | -|----------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| **Failure Information\\Status** or
                        **Failure Information\\Sub Status** | 0XC000005E – “There are currently no logon servers available to service the logon request.”
                        This is typically not a security issue but it can be an infrastructure or availability issue. | -| **Failure Information\\Status** or
                        **Failure Information\\Sub Status** | 0xC0000064 – “User logon with misspelled or bad user account”.
                        Especially if you get a number of these in a row, it can be a sign of user enumeration attack. | -| **Failure Information\\Status** or
                        **Failure Information\\Sub Status** | 0xC000006A – “User logon with misspelled or bad password” for critical accounts or service accounts.
                        Especially watch for a number of such events in a row. | -| **Failure Information\\Status** or
                        **Failure Information\\Sub Status** | 0XC000006D – “This is either due to a bad username or authentication information” for critical accounts or service accounts.
                        Especially watch for a number of such events in a row. | -| **Failure Information\\Status** or
                        **Failure Information\\Sub Status** | 0xC000006F – “User logon outside authorized hours”. | -| **Failure Information\\Status** or
                        **Failure Information\\Sub Status** | 0xC0000070 – “User logon from unauthorized workstation”. | -| **Failure Information\\Status** or
                        **Failure Information\\Sub Status** | 0xC0000072 – “User logon to account disabled by administrator”. | -| **Failure Information\\Status** or
                        **Failure Information\\Sub Status** | 0XC000015B – “The user has not been granted the requested logon type (aka logon right) at this machine”. | -| **Failure Information\\Status** or
                        **Failure Information\\Sub Status** | 0XC0000192 – “An attempt was made to logon, but the Netlogon service was not started”.
                        This is typically not a security issue but it can be an infrastructure or availability issue. | -| **Failure Information\\Status** or
                        **Failure Information\\Sub Status** | 0xC0000193 – “User logon with expired account”. | -| **Failure Information\\Status** or
                        **Failure Information\\Sub Status** | 0XC0000413 – “Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine”. | + | **Field** | Value to monitor for | + |----------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| + | **Failure Information\\Status** or
                        **Failure Information\\Sub Status** | 0XC000005E – “There are currently no logon servers available to service the logon request.”
                        This is typically not a security issue but it can be an infrastructure or availability issue. | + | **Failure Information\\Status** or
                        **Failure Information\\Sub Status** | 0xC0000064 – “User logon with misspelled or bad user account”.
                        Especially if you get a number of these in a row, it can be a sign of user enumeration attack. | + | **Failure Information\\Status** or
                        **Failure Information\\Sub Status** | 0xC000006A – “User logon with misspelled or bad password” for critical accounts or service accounts.
                        Especially watch for a number of such events in a row. | + | **Failure Information\\Status** or
                        **Failure Information\\Sub Status** | 0XC000006D – “This is either due to a bad username or authentication information” for critical accounts or service accounts.
                        Especially watch for a number of such events in a row. | + | **Failure Information\\Status** or
                        **Failure Information\\Sub Status** | 0xC000006F – “User logon outside authorized hours”. | + | **Failure Information\\Status** or
                        **Failure Information\\Sub Status** | 0xC0000070 – “User logon from unauthorized workstation”. | + | **Failure Information\\Status** or
                        **Failure Information\\Sub Status** | 0xC0000072 – “User logon to account disabled by administrator”. | + | **Failure Information\\Status** or
                        **Failure Information\\Sub Status** | 0XC000015B – “The user has not been granted the requested logon type (aka logon right) at this machine”. | + | **Failure Information\\Status** or
                        **Failure Information\\Sub Status** | 0XC0000192 – “An attempt was made to logon, but the Netlogon service was not started”.
                        This is typically not a security issue but it can be an infrastructure or availability issue. | + | **Failure Information\\Status** or
                        **Failure Information\\Sub Status** | 0xC0000193 – “User logon with expired account”. | + | **Failure Information\\Status** or
                        **Failure Information\\Sub Status** | 0XC0000413 – “Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine”. | diff --git a/windows/security/threat-protection/auditing/event-4626.md b/windows/security/threat-protection/auditing/event-4626.md index d0474f5941..2adc4b2f1b 100644 --- a/windows/security/threat-protection/auditing/event-4626.md +++ b/windows/security/threat-protection/auditing/event-4626.md @@ -1,6 +1,6 @@ --- title: 4626(S) User/Device claims information. (Windows 10) -description: Describes security event 4626(S) User/Device claims information. +description: Describes security event 4626(S) User/Device claims information. This event is generated for new account logons. ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy @@ -157,7 +157,7 @@ This event generates on the computer to which the logon was performed (target co - “dadmin” – claim value. -**Device Claims** \[Type = UnicodeString\]**:** list of device claims for new logon session. For user accounts this field typically has “**-**“ value. For computer accounts this field has device claims listed. +**Device Claims** \[Type = UnicodeString\]**:** list of device claims for new logon session. For user accounts this field typically has “**-**“ value. For computer accounts this field has device claims listed. ## Security Monitoring Recommendations diff --git a/windows/security/threat-protection/auditing/event-4627.md b/windows/security/threat-protection/auditing/event-4627.md index 37bc83b16f..fb47564ea9 100644 --- a/windows/security/threat-protection/auditing/event-4627.md +++ b/windows/security/threat-protection/auditing/event-4627.md 
@@ -1,6 +1,6 @@
 ---
 title: 4627(S) Group membership information. (Windows 10)
-description: Describes security event 4627(S) Group membership information.
+description: Describes security event 4627(S) Group membership information. This event is generated with event 4624(S) An account was successfully logged on.
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/auditing/event-4634.md b/windows/security/threat-protection/auditing/event-4634.md
index c7fd725041..d76dc2df61 100644
--- a/windows/security/threat-protection/auditing/event-4634.md
+++ b/windows/security/threat-protection/auditing/event-4634.md
@@ -1,6 +1,6 @@
 ---
 title: 4634(S) An account was logged off. (Windows 10)
-description: Describes security event 4634(S) An account was logged off.
+description: Describes security event 4634(S) An account was logged off. This event is generated when a logon session is terminated and no longer exists.
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/auditing/event-4647.md b/windows/security/threat-protection/auditing/event-4647.md
index 3cb68ae77c..26bbcd86f8 100644
--- a/windows/security/threat-protection/auditing/event-4647.md
+++ b/windows/security/threat-protection/auditing/event-4647.md
@@ -1,6 +1,6 @@
 ---
 title: 4647(S) User initiated logoff. (Windows 10)
-description: Describes security event 4647(S) User initiated logoff.
+description: Describes security event 4647(S) User initiated logoff. This event is generated when a logoff is initiated. No further user-initiated activity can occur.
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/auditing/event-4649.md b/windows/security/threat-protection/auditing/event-4649.md
index 0c3b10dff5..dce0305250 100644
--- a/windows/security/threat-protection/auditing/event-4649.md
+++ b/windows/security/threat-protection/auditing/event-4649.md
@@ -1,6 +1,6 @@
 ---
 title: 4649(S) A replay attack was detected. (Windows 10)
-description: Describes security event 4649(S) A replay attack was detected.
+description: Describes security event 4649(S) A replay attack was detected. This event is generated when a KRB_AP_ERR_REPEAT Kerberos response is sent to the client.
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/auditing/event-4657.md b/windows/security/threat-protection/auditing/event-4657.md
index f27a05c4d3..cb009c97df 100644
--- a/windows/security/threat-protection/auditing/event-4657.md
+++ b/windows/security/threat-protection/auditing/event-4657.md
@@ -1,6 +1,6 @@
 ---
 title: 4657(S) A registry value was modified. (Windows 10)
-description: Describes security event 4657(S) A registry value was modified.
+description: Describes security event 4657(S) A registry value was modified. This event is generated when a registry key value is modified.
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/auditing/event-4658.md b/windows/security/threat-protection/auditing/event-4658.md
index 1569c43d0f..c461aa3d20 100644
--- a/windows/security/threat-protection/auditing/event-4658.md
+++ b/windows/security/threat-protection/auditing/event-4658.md
@@ -1,6 +1,6 @@
 ---
 title: 4658(S) The handle to an object was closed. (Windows 10)
-description: Describes security event 4658(S) The handle to an object was closed.
+description: Describes security event 4658(S) The handle to an object was closed. This event is generated when the handle to an object is closed.
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/auditing/event-4660.md b/windows/security/threat-protection/auditing/event-4660.md
index 7c03634e8e..0823b6ae3e 100644
--- a/windows/security/threat-protection/auditing/event-4660.md
+++ b/windows/security/threat-protection/auditing/event-4660.md
@@ -1,6 +1,6 @@ --- title: 4660(S) An object was deleted. (Windows 10) -description: Describes security event 4660(S) An object was deleted. +description: Describes security event 4660(S) An object was deleted. This event is generated when an object is deleted. ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy diff --git a/windows/security/threat-protection/auditing/event-4670.md b/windows/security/threat-protection/auditing/event-4670.md index 45dcd000c9..bc6d20907b 100644 --- a/windows/security/threat-protection/auditing/event-4670.md +++ b/windows/security/threat-protection/auditing/event-4670.md @@ -274,5 +274,5 @@ For file system and registry objects, the following recommendations apply. - If you have critical registry objects for which you need to monitor all modifications (especially permissions changes and owner changes), monitor for the specific **Object\\Object Name.** -- If you have high-value computers for which you need to monitor all changes for all or specific objects (for example, file system or registry objects), monitor for all [4670](event-4670.md) events on these computers. For example, you could monitor the **ntds.dit** file on domain controllers. +- If you have high-value computers for which you need to monitor all changes for all or specific objects (for example, file system or registry objects), monitor for all [4670](event-4670.md) events on these computers. For example, you could monitor the **ntds.dit** file on domain controllers. diff --git a/windows/security/threat-protection/auditing/event-4672.md b/windows/security/threat-protection/auditing/event-4672.md index 1641acbc10..81b9fd94a0 100644 --- a/windows/security/threat-protection/auditing/event-4672.md +++ b/windows/security/threat-protection/auditing/event-4672.md @@ -22,7 +22,7 @@ ms.author: dansimp Event 4672 illustration
                        -Subcategory: Audit Special Logon +Subcategory: Audit Special Logon ***Event Description:*** diff --git a/windows/security/threat-protection/auditing/event-4673.md b/windows/security/threat-protection/auditing/event-4673.md index 1caa24d32d..c647485d66 100644 --- a/windows/security/threat-protection/auditing/event-4673.md +++ b/windows/security/threat-protection/auditing/event-4673.md @@ -1,6 +1,6 @@ --- title: 4673(S, F) A privileged service was called. (Windows 10) -description: Describes security event 4673(S, F) A privileged service was called. +description: Describes security event 4673(S, F) A privileged service was called. This event is generated for an attempt to perform privileged system service operations. ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy @@ -135,40 +135,40 @@ Failure event generates when service call attempt fails. | **Subcategory of event** | **Privilege Name:
                        User Right Group Policy Name** | **Description** | |-----------------------------------|-----------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Audit Non Sensitive Privilege Use | SeChangeNotifyPrivilege:
                        Bypass traverse checking | Required to receive notifications of changes to files or directories. This privilege also causes the system to skip all traversal access checks.
                        With this privilege, the user can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories. | -| Audit Non Sensitive Privilege Use | SeCreateGlobalPrivilege:
                        Create global objects | Required to create named file mapping objects in the global namespace during Terminal Services sessions. | -| Audit Non Sensitive Privilege Use | SeCreatePagefilePrivilege:
                        Create a pagefile | With this privilege, the user can create and change the size of a pagefile. | -| Audit Non Sensitive Privilege Use | SeCreatePermanentPrivilege:
                        Create permanent shared objects | Required to create a permanent object.
                        This privilege is useful to kernel-mode components that extend the object namespace. Components that are running in kernel mode already have this privilege inherently; it is not necessary to assign them the privilege. | -| Audit Non Sensitive Privilege Use | SeCreateSymbolicLinkPrivilege:
                        Create symbolic links | Required to create a symbolic link. | -| Audit Non Sensitive Privilege Use | SeIncreaseBasePriorityPrivilege:
                        Increase scheduling priority | Required to increase the base priority of a process.
                        With this privilege, the user can use a process with Write property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface. | -| Audit Non Sensitive Privilege Use | SeIncreaseQuotaPrivilege:
                        Adjust memory quotas for a process | Required to increase the quota assigned to a process.
                        With this privilege, the user can change the maximum memory that can be consumed by a process. | -| Audit Non Sensitive Privilege Use | SeIncreaseWorkingSetPrivilege:
                        Increase a process working set | Required to allocate more memory for applications that run in the context of users. | -| Audit Non Sensitive Privilege Use | SeLockMemoryPrivilege:
                        Lock pages in memory | Required to lock physical pages in memory.
                        With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). | -| Audit Non Sensitive Privilege Use | SeMachineAccountPrivilege:
                        Add workstations to domain | With this privilege, the user can create a computer account.
                        This privilege is valid only on domain controllers. | -| Audit Non Sensitive Privilege Use | SeManageVolumePrivilege:
                        Perform volume maintenance tasks | Required to run maintenance tasks on a volume, such as remote defragmentation. | -| Audit Non Sensitive Privilege Use | SeProfileSingleProcessPrivilege:
                        Profile single process | Required to gather profiling information for a single process.
                        With this privilege, the user can use performance monitoring tools to monitor the performance of non-system processes. | -| Audit Non Sensitive Privilege Use | SeRelabelPrivilege:
                        Modify an object label | Required to modify the mandatory integrity level of an object. | -| Audit Non Sensitive Privilege Use | SeRemoteShutdownPrivilege:
                        Force shutdown from a remote system | Required to shut down a system using a network request. | -| Audit Non Sensitive Privilege Use | SeShutdownPrivilege:
                        Shut down the system | Required to shut down a local system. | -| Audit Non Sensitive Privilege Use | SeSyncAgentPrivilege:
                        Synchronize directory service data | This privilege enables the holder to read all objects and properties in the directory, regardless of the protection on the objects and properties. By default, it is assigned to the Administrator and LocalSystem accounts on domain controllers.
                        With this privilege, the user can synchronize all directory service data. This is also known as Active Directory synchronization. | -| Audit Non Sensitive Privilege Use | SeSystemProfilePrivilege:
                        Profile system performance | Required to gather profiling information for the entire system.
                        With this privilege, the user can use performance monitoring tools to monitor the performance of system processes. | -| Audit Non Sensitive Privilege Use | SeSystemtimePrivilege:
                        Change the system time | Required to modify the system time. With this privilege, the user can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs.
                        If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred. | -| Audit Non Sensitive Privilege Use | SeTimeZonePrivilege:
                        Change the time zone | Required to adjust the time zone associated with the computer's internal clock. | -| Audit Non Sensitive Privilege Use | SeTrustedCredManAccessPrivilege:
                        Access Credential Manager as a trusted caller | Required to access Credential Manager as a trusted caller. | -| Audit Non Sensitive Privilege Use | SeUndockPrivilege:
                        Remove computer from docking station | Required to undock a laptop.
                        With this privilege, the user can undock a portable computer from its docking station without logging on. | +| Audit Non Sensitive Privilege Use | SeChangeNotifyPrivilege:
                        Bypass traverse checking | Required to receive notifications of changes to files or directories. This privilege also causes the system to skip all traversal access checks.
                        With this privilege, the user can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories. | +| Audit Non Sensitive Privilege Use | SeCreateGlobalPrivilege:
                        Create global objects | Required to create named file mapping objects in the global namespace during Terminal Services sessions. | +| Audit Non Sensitive Privilege Use | SeCreatePagefilePrivilege:
                        Create a pagefile | With this privilege, the user can create and change the size of a pagefile. | +| Audit Non Sensitive Privilege Use | SeCreatePermanentPrivilege:
                        Create permanent shared objects | Required to create a permanent object.
                        This privilege is useful to kernel-mode components that extend the object namespace. Components that are running in kernel mode already have this privilege inherently; it is not necessary to assign them the privilege. | +| Audit Non Sensitive Privilege Use | SeCreateSymbolicLinkPrivilege:
                        Create symbolic links | Required to create a symbolic link. | +| Audit Non Sensitive Privilege Use | SeIncreaseBasePriorityPrivilege:
                        Increase scheduling priority | Required to increase the base priority of a process.
                        With this privilege, the user can use a process with Write property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface. | +| Audit Non Sensitive Privilege Use | SeIncreaseQuotaPrivilege:
                        Adjust memory quotas for a process | Required to increase the quota assigned to a process.
                        With this privilege, the user can change the maximum memory that can be consumed by a process. | +| Audit Non Sensitive Privilege Use | SeIncreaseWorkingSetPrivilege:
                        Increase a process working set | Required to allocate more memory for applications that run in the context of users. | +| Audit Non Sensitive Privilege Use | SeLockMemoryPrivilege:
                        Lock pages in memory | Required to lock physical pages in memory.
                        With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). |
+| Audit Non Sensitive Privilege Use | SeMachineAccountPrivilege:
                        Add workstations to domain | With this privilege, the user can create a computer account.
                        This privilege is valid only on domain controllers. |
+| Audit Non Sensitive Privilege Use | SeManageVolumePrivilege:
                        Perform volume maintenance tasks | Required to run maintenance tasks on a volume, such as remote defragmentation. |
+| Audit Non Sensitive Privilege Use | SeProfileSingleProcessPrivilege:
                        Profile single process | Required to gather profiling information for a single process.
                        With this privilege, the user can use performance monitoring tools to monitor the performance of non-system processes. |
+| Audit Non Sensitive Privilege Use | SeRelabelPrivilege:
                        Modify an object label | Required to modify the mandatory integrity level of an object. |
+| Audit Non Sensitive Privilege Use | SeRemoteShutdownPrivilege:
                        Force shutdown from a remote system | Required to shut down a system using a network request. |
+| Audit Non Sensitive Privilege Use | SeShutdownPrivilege:
                        Shut down the system | Required to shut down a local system. |
+| Audit Non Sensitive Privilege Use | SeSyncAgentPrivilege:
                        Synchronize directory service data | This privilege enables the holder to read all objects and properties in the directory, regardless of the protection on the objects and properties. By default, it is assigned to the Administrator and LocalSystem accounts on domain controllers.
                        With this privilege, the user can synchronize all directory service data. This is also known as Active Directory synchronization. |
+| Audit Non Sensitive Privilege Use | SeSystemProfilePrivilege:
                        Profile system performance | Required to gather profiling information for the entire system.
                        With this privilege, the user can use performance monitoring tools to monitor the performance of system processes. |
+| Audit Non Sensitive Privilege Use | SeSystemtimePrivilege:
                        Change the system time | Required to modify the system time. With this privilege, the user can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs.
                        If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred. |
+| Audit Non Sensitive Privilege Use | SeTimeZonePrivilege:
                        Change the time zone | Required to adjust the time zone associated with the computer's internal clock. |
+| Audit Non Sensitive Privilege Use | SeTrustedCredManAccessPrivilege:
                        Access Credential Manager as a trusted caller | Required to access Credential Manager as a trusted caller. |
+| Audit Non Sensitive Privilege Use | SeUndockPrivilege:
                        Remove computer from docking station | Required to undock a laptop.
                        With this privilege, the user can undock a portable computer from its docking station without logging on. | | **Subcategory of event** | **Privilege Name:
                        User Right Group Policy Name** | **Description** | |-------------------------------|------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Audit Sensitive Privilege Use | SeAssignPrimaryTokenPrivilege:
                        Replace a process-level token | Required to assign the [*primary token*](https://msdn.microsoft.com/library/windows/desktop/ms721603(v=vs.85).aspx#_security_primary_token_gly) of a process. With this privilege, the user can initiate a process to replace the default token associated with a started subprocess. |
-| Audit Sensitive Privilege Use | SeAuditPrivilege:
                        Generate security audits | With this privilege, the user can add entries to the security log. |
-| Audit Sensitive Privilege Use | SeCreateTokenPrivilege:
                        Create a token object | Allows a process to create a token which it can then use to get access to any local resources when the process uses NtCreateToken() or other token-creation APIs. When a process requires this privilege, we recommend using the LocalSystem account (which already includes the privilege), rather than creating a separate user account and assigning this privilege to it. |
-| Audit Sensitive Privilege Use | SeDebugPrivilege:
                        Debug programs | Required to debug and adjust the memory of a process owned by another account. With this privilege, the user can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need this user right. Developers who are debugging new system components need this user right. This user right provides complete access to sensitive and critical operating system components. |
-| Audit Sensitive Privilege Use | SeImpersonatePrivilege:
                        Impersonate a client after authentication | With this privilege, the user can impersonate other accounts. |
-| Audit Sensitive Privilege Use | SeLoadDriverPrivilege:
                        Load and unload device drivers | Required to load or unload a device driver. With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. |
-| Audit Sensitive Privilege Use | SeLockMemoryPrivilege:
                        Lock pages in memory | Required to lock physical pages in memory. With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). |
-| Audit Sensitive Privilege Use | SeSystemEnvironmentPrivilege:
                        Modify firmware environment values | Required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information. |
-| Audit Sensitive Privilege Use | SeTcbPrivilege:
                        Act as part of the operating system | This privilege identifies its holder as part of the trusted computer base. This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user. |
-| Audit Sensitive Privilege Use | SeEnableDelegationPrivilege:
                        Enable computer and user accounts to be trusted for delegation | Required to mark user and computer accounts as trusted for delegation. With this privilege, the user can set the **Trusted for Deleg**ation setting on a user or computer object. The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using the delegated credentials of a client, as long as the account of the client does not have the **Account cannot be delegated** account control flag set. |
+| Audit Sensitive Privilege Use | SeAssignPrimaryTokenPrivilege:
                        Replace a process-level token | Required to assign the [*primary token*](https://msdn.microsoft.com/library/windows/desktop/ms721603(v=vs.85).aspx#_security_primary_token_gly) of a process. With this privilege, the user can initiate a process to replace the default token associated with a started subprocess. |
+| Audit Sensitive Privilege Use | SeAuditPrivilege:
                        Generate security audits | With this privilege, the user can add entries to the security log. |
+| Audit Sensitive Privilege Use | SeCreateTokenPrivilege:
                        Create a token object | Allows a process to create a token which it can then use to get access to any local resources when the process uses NtCreateToken() or other token-creation APIs. When a process requires this privilege, we recommend using the LocalSystem account (which already includes the privilege), rather than creating a separate user account and assigning this privilege to it. |
+| Audit Sensitive Privilege Use | SeDebugPrivilege:
                        Debug programs | Required to debug and adjust the memory of a process owned by another account. With this privilege, the user can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need this user right. Developers who are debugging new system components need this user right. This user right provides complete access to sensitive and critical operating system components. |
+| Audit Sensitive Privilege Use | SeImpersonatePrivilege:
                        Impersonate a client after authentication | With this privilege, the user can impersonate other accounts. |
+| Audit Sensitive Privilege Use | SeLoadDriverPrivilege:
                        Load and unload device drivers | Required to load or unload a device driver. With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. |
+| Audit Sensitive Privilege Use | SeLockMemoryPrivilege:
                        Lock pages in memory | Required to lock physical pages in memory. With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). |
+| Audit Sensitive Privilege Use | SeSystemEnvironmentPrivilege:
                        Modify firmware environment values | Required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information. |
+| Audit Sensitive Privilege Use | SeTcbPrivilege:
                        Act as part of the operating system | This privilege identifies its holder as part of the trusted computer base. This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user. |
+| Audit Sensitive Privilege Use | SeEnableDelegationPrivilege:
                        Enable computer and user accounts to be trusted for delegation | Required to mark user and computer accounts as trusted for delegation. With this privilege, the user can set the **Trusted for Deleg**ation setting on a user or computer object. The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using the delegated credentials of a client, as long as the account of the client does not have the **Account cannot be delegated** account control flag set. | ## Security Monitoring Recommendations
diff --git a/windows/security/threat-protection/auditing/event-4674.md b/windows/security/threat-protection/auditing/event-4674.md
index b4146f681a..5781254277 100644
--- a/windows/security/threat-protection/auditing/event-4674.md
+++ b/windows/security/threat-protection/auditing/event-4674.md
@@ -157,42 +157,42 @@ Failure event generates when operation attempt fails. | **Subcategory of event** | **Privilege Name:
                        User Right Group Policy Name** | **Description** | |-----------------------------------|-----------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Audit Non Sensitive Privilege Use | SeChangeNotifyPrivilege:
                        Bypass traverse checking | Required to receive notifications of changes to files or directories. This privilege also causes the system to skip all traversal access checks.
                        With this privilege, the user can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories. |
-| Audit Non Sensitive Privilege Use | SeCreateGlobalPrivilege:
                        Create global objects | Required to create named file mapping objects in the global namespace during Terminal Services sessions. |
-| Audit Non Sensitive Privilege Use | SeCreatePagefilePrivilege:
                        Create a pagefile | With this privilege, the user can create and change the size of a pagefile. |
-| Audit Non Sensitive Privilege Use | SeCreatePermanentPrivilege:
                        Create permanent shared objects | Required to create a permanent object.
                        This privilege is useful to kernel-mode components that extend the object namespace. Components that are running in kernel mode already have this privilege inherently; it is not necessary to assign them the privilege. |
-| Audit Non Sensitive Privilege Use | SeCreateSymbolicLinkPrivilege:
                        Create symbolic links | Required to create a symbolic link. |
-| Audit Non Sensitive Privilege Use | SeIncreaseBasePriorityPrivilege:
                        Increase scheduling priority | Required to increase the base priority of a process.
                        With this privilege, the user can use a process with Write property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface. |
-| Audit Non Sensitive Privilege Use | SeIncreaseQuotaPrivilege:
                        Adjust memory quotas for a process | Required to increase the quota assigned to a process.
                        With this privilege, the user can change the maximum memory that can be consumed by a process. |
-| Audit Non Sensitive Privilege Use | SeIncreaseWorkingSetPrivilege:
                        Increase a process working set | Required to allocate more memory for applications that run in the context of users. |
-| Audit Non Sensitive Privilege Use | SeLockMemoryPrivilege:
                        Lock pages in memory | Required to lock physical pages in memory.
                        With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). |
-| Audit Non Sensitive Privilege Use | SeMachineAccountPrivilege:
                        Add workstations to domain | With this privilege, the user can create a computer account. This privilege is valid only on domain controllers. |
-| Audit Non Sensitive Privilege Use | SeManageVolumePrivilege:
                        Perform volume maintenance tasks | Required to run maintenance tasks on a volume, such as remote defragmentation. |
-| Audit Non Sensitive Privilege Use | SeProfileSingleProcessPrivilege:
                        Profile single process | Required to gather profiling information for a single process.
                        With this privilege, the user can use performance monitoring tools to monitor the performance of non-system processes. |
-| Audit Non Sensitive Privilege Use | SeRelabelPrivilege:
                        Modify an object label | Required to modify the mandatory integrity level of an object. |
-| Audit Non Sensitive Privilege Use | SeRemoteShutdownPrivilege:
                        Force shutdown from a remote system | Required to shut down a system using a network request. |
-| Audit Non Sensitive Privilege Use | SeShutdownPrivilege:
                        Shut down the system | Required to shut down a local system. |
-| Audit Non Sensitive Privilege Use | SeSyncAgentPrivilege:
                        Synchronize directory service data | This privilege enables the holder to read all objects and properties in the directory, regardless of the protection on the objects and properties. By default, it is assigned to the Administrator and LocalSystem accounts on domain controllers.
                        With this privilege, the user can synchronize all directory service data. This is also known as Active Directory synchronization. |
-| Audit Non Sensitive Privilege Use | SeSystemProfilePrivilege:
                        Profile system performance | Required to gather profiling information for the entire system.
                        With this privilege, the user can use performance monitoring tools to monitor the performance of system processes. |
-| Audit Non Sensitive Privilege Use | SeSystemtimePrivilege:
                        Change the system time | Required to modify the system time.
                        With this privilege, the user can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred. |
-| Audit Non Sensitive Privilege Use | SeTimeZonePrivilege:
                        Change the time zone | Required to adjust the time zone associated with the computer's internal clock. |
-| Audit Non Sensitive Privilege Use | SeTrustedCredManAccessPrivilege:
                        Access Credential Manager as a trusted caller | Required to access Credential Manager as a trusted caller. |
-| Audit Non Sensitive Privilege Use | SeUndockPrivilege:
                        Remove computer from docking station | Required to undock a laptop.
                        With this privilege, the user can undock a portable computer from its docking station without logging on. |
+| Audit Non Sensitive Privilege Use | SeChangeNotifyPrivilege:
                        Bypass traverse checking | Required to receive notifications of changes to files or directories. This privilege also causes the system to skip all traversal access checks.
                        With this privilege, the user can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories. |
+| Audit Non Sensitive Privilege Use | SeCreateGlobalPrivilege:
                        Create global objects | Required to create named file mapping objects in the global namespace during Terminal Services sessions. |
+| Audit Non Sensitive Privilege Use | SeCreatePagefilePrivilege:
                        Create a pagefile | With this privilege, the user can create and change the size of a pagefile. |
+| Audit Non Sensitive Privilege Use | SeCreatePermanentPrivilege:
                        Create permanent shared objects | Required to create a permanent object.
                        This privilege is useful to kernel-mode components that extend the object namespace. Components that are running in kernel mode already have this privilege inherently; it is not necessary to assign them the privilege. |
+| Audit Non Sensitive Privilege Use | SeCreateSymbolicLinkPrivilege:
                        Create symbolic links | Required to create a symbolic link. |
+| Audit Non Sensitive Privilege Use | SeIncreaseBasePriorityPrivilege:
                        Increase scheduling priority | Required to increase the base priority of a process.
                        With this privilege, the user can use a process with Write property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface. |
+| Audit Non Sensitive Privilege Use | SeIncreaseQuotaPrivilege:
                        Adjust memory quotas for a process | Required to increase the quota assigned to a process.
                        With this privilege, the user can change the maximum memory that can be consumed by a process. |
+| Audit Non Sensitive Privilege Use | SeIncreaseWorkingSetPrivilege:
                        Increase a process working set | Required to allocate more memory for applications that run in the context of users. |
+| Audit Non Sensitive Privilege Use | SeLockMemoryPrivilege:
                        Lock pages in memory | Required to lock physical pages in memory.
                        With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). |
+| Audit Non Sensitive Privilege Use | SeMachineAccountPrivilege:
                        Add workstations to domain | With this privilege, the user can create a computer account. This privilege is valid only on domain controllers. |
+| Audit Non Sensitive Privilege Use | SeManageVolumePrivilege:
                        Perform volume maintenance tasks | Required to run maintenance tasks on a volume, such as remote defragmentation. |
+| Audit Non Sensitive Privilege Use | SeProfileSingleProcessPrivilege:
                        Profile single process | Required to gather profiling information for a single process.
                        With this privilege, the user can use performance monitoring tools to monitor the performance of non-system processes. |
+| Audit Non Sensitive Privilege Use | SeRelabelPrivilege:
                        Modify an object label | Required to modify the mandatory integrity level of an object. |
+| Audit Non Sensitive Privilege Use | SeRemoteShutdownPrivilege:
                        Force shutdown from a remote system | Required to shut down a system using a network request. |
+| Audit Non Sensitive Privilege Use | SeShutdownPrivilege:
                        Shut down the system | Required to shut down a local system. |
+| Audit Non Sensitive Privilege Use | SeSyncAgentPrivilege:
                        Synchronize directory service data | This privilege enables the holder to read all objects and properties in the directory, regardless of the protection on the objects and properties. By default, it is assigned to the Administrator and LocalSystem accounts on domain controllers.
                        With this privilege, the user can synchronize all directory service data. This is also known as Active Directory synchronization. |
+| Audit Non Sensitive Privilege Use | SeSystemProfilePrivilege:
                        Profile system performance | Required to gather profiling information for the entire system.
                        With this privilege, the user can use performance monitoring tools to monitor the performance of system processes. |
+| Audit Non Sensitive Privilege Use | SeSystemtimePrivilege:
                        Change the system time | Required to modify the system time.
                        With this privilege, the user can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred. |
+| Audit Non Sensitive Privilege Use | SeTimeZonePrivilege:
                        Change the time zone | Required to adjust the time zone associated with the computer's internal clock. |
+| Audit Non Sensitive Privilege Use | SeTrustedCredManAccessPrivilege:
                        Access Credential Manager as a trusted caller | Required to access Credential Manager as a trusted caller. |
+| Audit Non Sensitive Privilege Use | SeUndockPrivilege:
                        Remove computer from docking station | Required to undock a laptop.
                        With this privilege, the user can undock a portable computer from its docking station without logging on. | | **Subcategory of event** | **Privilege Name:
                        User Right Group Policy Name** | **Description** | |-------------------------------|-----------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Audit Sensitive Privilege Use | SeAssignPrimaryTokenPrivilege:
                        Replace a process-level token | Required to assign the [*primary token*](https://msdn.microsoft.com/library/windows/desktop/ms721603(v=vs.85).aspx#_security_primary_token_gly) of a process.
                        With this privilege, the user can initiate a process to replace the default token associated with a started subprocess. |
-| Audit Sensitive Privilege Use | SeAuditPrivilege:
                        Generate security audits | With this privilege, the user can add entries to the security log. |
-| Audit Sensitive Privilege Use | SeBackupPrivilege:
                        Back up files and directories | - Required to perform backup operations.
                        With this privilege, the user can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system. This privilege causes the system to grant all read access control to any file, regardless of the [*access control list*](https://msdn.microsoft.com/library/windows/desktop/ms721532(v=vs.85).aspx#_security_access_control_list_gly) (ACL) specified for the file. Any access request other than read is still evaluated with the ACL.
                        The following access rights are granted if this privilege is held:
                        READ\_CONTROL
                        ACCESS\_SYSTEM\_SECURITY
                        FILE\_GENERIC\_READ
                        FILE\_TRAVERSE |
-| Audit Sensitive Privilege Use | SeCreateTokenPrivilege:
                        Create a token object | Allows a process to create a token which it can then use to get access to any local resources when the process uses NtCreateToken() or other token-creation APIs.
                        When a process requires this privilege, we recommend using the LocalSystem account (which already includes the privilege), rather than creating a separate user account and assigning this privilege to it. |
-| Audit Sensitive Privilege Use | SeDebugPrivilege:
                        Debug programs | Required to debug and adjust the memory of a process owned by another account.
                        With this privilege, the user can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need this user right. Developers who are debugging new system components need this user right.
                        This user right provides complete access to sensitive and critical operating system components. |
-| Audit Sensitive Privilege Use | SeImpersonatePrivilege:
                        Impersonate a client after authentication | With this privilege, the user can impersonate other accounts. |
-| Audit Sensitive Privilege Use | SeLoadDriverPrivilege:
                        Load and unload device drivers | Required to load or unload a device driver.
                        With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. |
-| Audit Sensitive Privilege Use | SeLockMemoryPrivilege:
                        Lock pages in memory | Required to lock physical pages in memory.
                        With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). |
-| Audit Sensitive Privilege Use | SeRestorePrivilege:
                        Restore files and directories | Required to perform restore operations. This privilege causes the system to grant all write access control to any file, regardless of the ACL specified for the file. Any access request other than write is still evaluated with the ACL. Additionally, this privilege enables you to set any valid user or group SID as the owner of a file. The following access rights are granted if this privilege is held:
                        WRITE\_DAC
                        WRITE\_OWNER
                        ACCESS\_SYSTEM\_SECURITY
                        FILE\_GENERIC\_WRITE
                        FILE\_ADD\_FILE
                        FILE\_ADD\_SUBDIRECTORY
                        DELETE
                        With this privilege, the user can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories and determines which users can set any valid security principal as the owner of an object. |
-| Audit Sensitive Privilege Use | SeSecurityPrivilege:
                        Manage auditing and security log | Required to perform a number of security-related functions, such as controlling and viewing audit events in security event log.
                        With this privilege, the user can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys. A user with this privilege can also view and clear the security log. |
-| Audit Sensitive Privilege Use | SeSystemEnvironmentPrivilege:
                        Modify firmware environment values | Required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information. |
-| Audit Sensitive Privilege Use | SeTakeOwnershipPrivilege:
                        Take ownership of files or other objects | Required to take ownership of an object without being granted discretionary access. This privilege allows the owner value to be set only to those values that the holder may legitimately assign as the owner of an object.
                        With this privilege, the user can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads. |
+| Audit Sensitive Privilege Use | SeAssignPrimaryTokenPrivilege:
                        Replace a process-level token | Required to assign the [*primary token*](https://msdn.microsoft.com/library/windows/desktop/ms721603(v=vs.85).aspx#_security_primary_token_gly) of a process.
                        With this privilege, the user can initiate a process to replace the default token associated with a started subprocess. |
+| Audit Sensitive Privilege Use | SeAuditPrivilege:
                        Generate security audits | With this privilege, the user can add entries to the security log. |
+| Audit Sensitive Privilege Use | SeBackupPrivilege:
                        Back up files and directories | - Required to perform backup operations.
                        With this privilege, the user can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system. This privilege causes the system to grant all read access control to any file, regardless of the [*access control list*](https://msdn.microsoft.com/library/windows/desktop/ms721532(v=vs.85).aspx#_security_access_control_list_gly) (ACL) specified for the file. Any access request other than read is still evaluated with the ACL.
                        The following access rights are granted if this privilege is held:
                        READ\_CONTROL
                        ACCESS\_SYSTEM\_SECURITY
                        FILE\_GENERIC\_READ
                        FILE\_TRAVERSE |
+| Audit Sensitive Privilege Use | SeCreateTokenPrivilege:
                        Create a token object | Allows a process to create a token which it can then use to get access to any local resources when the process uses NtCreateToken() or other token-creation APIs.
                        When a process requires this privilege, we recommend using the LocalSystem account (which already includes the privilege), rather than creating a separate user account and assigning this privilege to it. |
+| Audit Sensitive Privilege Use | SeDebugPrivilege:
                        Debug programs | Required to debug and adjust the memory of a process owned by another account.
                        With this privilege, the user can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need this user right. Developers who are debugging new system components need this user right.
                        This user right provides complete access to sensitive and critical operating system components. |
+| Audit Sensitive Privilege Use | SeImpersonatePrivilege:
                        Impersonate a client after authentication | With this privilege, the user can impersonate other accounts. |
+| Audit Sensitive Privilege Use | SeLoadDriverPrivilege:
                        Load and unload device drivers | Required to load or unload a device driver.
                        With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. |
+| Audit Sensitive Privilege Use | SeLockMemoryPrivilege:
                        Lock pages in memory | Required to lock physical pages in memory.
                        With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). |
+| Audit Sensitive Privilege Use | SeRestorePrivilege:
                        Restore files and directories | Required to perform restore operations. This privilege causes the system to grant all write access control to any file, regardless of the ACL specified for the file. Any access request other than write is still evaluated with the ACL. Additionally, this privilege enables you to set any valid user or group SID as the owner of a file. The following access rights are granted if this privilege is held:
                        WRITE\_DAC
                        WRITE\_OWNER
                        ACCESS\_SYSTEM\_SECURITY
                        FILE\_GENERIC\_WRITE
                        FILE\_ADD\_FILE
                        FILE\_ADD\_SUBDIRECTORY
                        DELETE
                        With this privilege, the user can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories and determines which users can set any valid security principal as the owner of an object. | +| Audit Sensitive Privilege Use | SeSecurityPrivilege:
                        Manage auditing and security log | Required to perform a number of security-related functions, such as controlling and viewing audit events in security event log.
                        With this privilege, the user can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys. A user with this privilege can also view and clear the security log. | +| Audit Sensitive Privilege Use | SeSystemEnvironmentPrivilege:
                        Modify firmware environment values | Required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information. | +| Audit Sensitive Privilege Use | SeTakeOwnershipPrivilege:
                        Take ownership of files or other objects | Required to take ownership of an object without being granted discretionary access. This privilege allows the owner value to be set only to those values that the holder may legitimately assign as the owner of an object.
                        With this privilege, the user can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads. | ## Security Monitoring Recommendations diff --git a/windows/security/threat-protection/auditing/event-4675.md b/windows/security/threat-protection/auditing/event-4675.md index 20ed1e1911..978d25bf39 100644 --- a/windows/security/threat-protection/auditing/event-4675.md +++ b/windows/security/threat-protection/auditing/event-4675.md @@ -1,6 +1,6 @@ --- title: 4675(S) SIDs were filtered. (Windows 10) -description: Describes security event 4675(S) SIDs were filtered. +description: Describes security event 4675(S) SIDs were filtered. This event is generated when SIDs were filtered for a specific Active Directory trust. ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy diff --git a/windows/security/threat-protection/auditing/event-4688.md b/windows/security/threat-protection/auditing/event-4688.md index 55ace9419d..4c48e4623a 100644 --- a/windows/security/threat-protection/auditing/event-4688.md +++ b/windows/security/threat-protection/auditing/event-4688.md @@ -1,6 +1,6 @@ --- title: 4688(S) A new process has been created. (Windows 10) -description: Describes security event 4688(S) A new process has been created. +description: Describes security event 4688(S) A new process has been created. This event is generated when a new process starts. ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy 
@@ -81,29 +81,29 @@ This event generates every time a new process starts. - 1 - Windows Server 2012 R2, Windows 8.1. - - Added “Process Command Line” field. + - Added "Process Command Line" field. - 2 - Windows 10. - **Subject** renamed to **Creator Subject**. - - Added “**Target Subject**” section. + - Added "**Target Subject**" section. - - Added “**Mandatory Label**” field. + - Added "**Mandatory Label**" field. - - Added “**Creator Process Name**” field. + - Added "**Creator Process Name**" field. ***Field Descriptions:*** **Creator Subject** \[Value for versions 0 and 1 – **Subject**\]**:** -- **Security ID** \[Type = SID\]**:** SID of account that requested the “create process” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. +- **Security ID** \[Type = SID\]**:** SID of account that requested the "create process" operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. > **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers). 
-- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “create process” operation. +- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the "create process" operation. -- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following: +- **Account Domain** \[Type = UnicodeString\]**:** subject's domain or computer name. Formats vary, and include the following: - Domain NETBIOS name example: CONTOSO @@ -111,11 +111,11 @@ This event generates every time a new process starts. - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is "NT AUTHORITY". - - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: "Win81". -- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” +- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "[4624](event-4624.md): An account was successfully logged on." **Target Subject** \[Version 2\]**:** 
@@ -127,7 +127,7 @@ This event generates every time a new process starts. - **Account Name** \[Type = UnicodeString\] \[Version 2\]**:** the name of the target account. -- **Account Domain** \[Type = UnicodeString\] \[Version 2\]**:** target account’s domain or computer name. Formats vary, and include the following: +- **Account Domain** \[Type = UnicodeString\] \[Version 2\]**:** target account's domain or computer name. Formats vary, and include the following: - Domain NETBIOS name example: CONTOSO @@ -135,11 +135,11 @@ This event generates every time a new process starts. - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is "NT AUTHORITY". - - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. + - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: "Win81". -- **Logon ID** \[Type = HexInt64\] \[Version 2\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” +- **Logon ID** \[Type = HexInt64\] \[Version 2\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "[4624](event-4624.md): An account was successfully logged on." **Process Information:** 
@@ -173,11 +173,11 @@ This event generates every time a new process starts. - **Creator Process ID** \[Type = Pointer\]**:** hexadecimal Process ID of the process which ran the new process. If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager. -> You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**. +> You can also correlate this process ID with a process ID in other events, for example, "[4688](event-4688.md): A new process has been created" **Process Information\\New Process ID**. - **Creator Process Name** \[Version 2\] \[Type = UnicodeString\]**:** full path and the name of the executable for the process. -- **Process Command Line** \[Version 1, 2\] \[Type = UnicodeString\]**:** contains the name of executable and arguments which were passed to it. You must enable “Administrative Templates\\System\\Audit Process Creation\\Include command line in process creation events” group policy to include command line in process creation events: +- **Process Command Line** \[Version 1, 2\] \[Type = UnicodeString\]**:** contains the name of executable and arguments which were passed to it. You must enable "Administrative Templates\\System\\Audit Process Creation\\Include command line in process creation events" group policy to include command line in process creation events: Group policy illustration 
@@ -189,28 +189,27 @@ For 4688(S): A new process has been created. | **Type of monitoring required** | **Recommendation** | |-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
                        Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor all events with the **“Creator Subject\\Security ID”** or **“Target Subject\\Security ID”** that corresponds to the high-value account or accounts. | -| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Creator Subject\\Security ID”** or **“Target Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used. | -| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor all events with the **“Creator Subject\\Security ID”** or **“Target Subject\\Security ID”** that corresponds to the accounts that should never be used. | -| **Account whitelist**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Creator Subject\\Security ID”** and **“Target Subject\\Security ID”** for accounts that are outside the allow list. | -| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Creator Subject\\Security ID”** or **“Target Subject\\Security ID”** to see whether the account type is as expected. 
| -| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor the specific events for the **“Creator Subject\\Security ID”** or **“Target Subject\\Security ID”** corresponding to accounts from another domain or “external” accounts. | -| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Creator Subject\\Security ID”** or **“Target Subject\\Security ID”** that you are concerned about. | -| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor **“Creator Subject\\Security ID”** or **“Target Subject\\Security ID”** for names that don’t comply with naming conventions. | +| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
                        Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor all events with the **"Creator Subject\\Security ID"** or **"Target Subject\\Security ID"** that corresponds to the high-value account or accounts. | +| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **"Creator Subject\\Security ID"** or **"Target Subject\\Security ID"** (with other information) to monitor how or when a particular account is being used. | +| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor all events with the **"Creator Subject\\Security ID"** or **"Target Subject\\Security ID"** that corresponds to the accounts that should never be used. | +| **Account whitelist**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a "whitelist-only" action, review the **"Creator Subject\\Security ID"** and **"Target Subject\\Security ID"** for accounts that are outside the allow list. | +| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **"Creator Subject\\Security ID"** or **"Target Subject\\Security ID"** to see whether the account type is as expected. 
| +| **External accounts**: You might be monitoring accounts from another domain, or "external" accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor the specific events for the **"Creator Subject\\Security ID"** or **"Target Subject\\Security ID"** corresponding to accounts from another domain or "external" accounts. | +| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **"Creator Subject\\Security ID"** or **"Target Subject\\Security ID"** that you are concerned about. | +| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor **"Creator Subject\\Security ID"** or **"Target Subject\\Security ID"** for names that don't comply with naming conventions. | -- If you have a pre-defined “**New** **Process Name**” or **“Creator Process Name**” for the process reported in this event, monitor all events with “**New** **Process Name**” or **“Creator Process Name**” not equal to your defined value. +- If you have a pre-defined "**New** **Process Name**" or **"Creator Process Name**" for the process reported in this event, monitor all events with "**New** **Process Name**" or **"Creator Process Name**" not equal to your defined value. -- You can monitor to see if “**New** **Process Name**” or **“Creator Process Name**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**). +- You can monitor to see if "**New** **Process Name**" or **"Creator Process Name**" is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**). 
-- If you have a pre-defined list of restricted substrings or words in process names (for example “**mimikatz**” or “**cain.exe**”), check for these substrings in “**New** **Process Name**” or **“Creator Process Name**.” +- If you have a pre-defined list of restricted substrings or words in process names (for example "**mimikatz**" or "**cain.exe**"), check for these substrings in "**New** **Process Name**" or **"Creator Process Name**." - It can be unusual for a process to run using a local account in either **Creator Subject\\Security ID** or in **Target** **Subject\\Security ID**. -- Monitor for **Token Elevation Type** with value **TokenElevationTypeDefault (1)** when **Subject\\Security ID** lists a real user account, for example when **Account Name** doesn’t contain the $ symbol. Typically this means that UAC is disabled for this account for some reason. +- Monitor for **Token Elevation Type** with value **TokenElevationTypeDefault (1)** when **Subject\\Security ID** lists a real user account, for example when **Account Name** doesn't contain the $ symbol. Typically this means that UAC is disabled for this account for some reason. -- Monitor for **Token Elevation Type** with value **TokenElevationTypeDefault (2)** on standard workstations, when **Subject\\Security ID** lists a real user account, for example when **Account Name** doesn’t contain the $ symbol. This means that a user ran a program using administrative privileges. +- Monitor for **Token Elevation Type** with value **TokenElevationTypeDefault (2)** on standard workstations, when **Subject\\Security ID** lists a real user account, for example when **Account Name** doesn't contain the $ symbol. This means that a user ran a program using administrative privileges. 
- You can also monitor for **Token Elevation Type** with value **TokenElevationTypeDefault (2)** on standard workstations, when a computer object was used to run the process, but that computer object is not the same computer where the event occurs. -- If you need to monitor all new processes with a specific Mandatory Label, for example S-1-16-20480 (Protected process), check the “**Mandatory Label**” in this event. - +- If you need to monitor all new processes with a specific Mandatory Label, for example S-1-16-20480 (Protected process), check the "**Mandatory Label**" in this event. \ No newline at end of file diff --git a/windows/security/threat-protection/auditing/event-4689.md b/windows/security/threat-protection/auditing/event-4689.md index cf6f0fce07..81c27d0423 100644 --- a/windows/security/threat-protection/auditing/event-4689.md +++ b/windows/security/threat-protection/auditing/event-4689.md @@ -1,6 +1,6 @@ --- title: 4689(S) A process has exited. (Windows 10) -description: Describes security event 4689(S) A process has exited. +description: Describes security event 4689(S) A process has exited. This event is generates when a process exits. ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy diff --git a/windows/security/threat-protection/auditing/event-4698.md b/windows/security/threat-protection/auditing/event-4698.md index 2742b717ce..a6f3256c16 100644 --- a/windows/security/threat-protection/auditing/event-4698.md +++ b/windows/security/threat-protection/auditing/event-4698.md @@ -1,6 +1,6 @@ --- title: 4698(S) A scheduled task was created. (Windows 10) -description: Describes security event 4698(S) A scheduled task was created. +description: Describes security event 4698(S) A scheduled task was created. This event is generated when a scheduled task is created. ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy @@ -62,6 +62,17 @@ This event generates every time a new scheduled task is created.
                        ``` +>[!NOTE] +> Windows 10 Versions 1903 and above augments the event with these additional properties: +> Event Version 1. +> ***Event XML:*** +>``` +> 5066549580796854 +> 3932 +> 5304 +> 0 +> DESKTOP-Name + ***Required Server Roles:*** None. diff --git a/windows/security/threat-protection/auditing/event-4699.md b/windows/security/threat-protection/auditing/event-4699.md index 280aad111e..48148e6246 100644 --- a/windows/security/threat-protection/auditing/event-4699.md +++ b/windows/security/threat-protection/auditing/event-4699.md @@ -1,6 +1,6 @@ --- title: 4699(S) A scheduled task was deleted. (Windows 10) -description: Describes security event 4699(S) A scheduled task was deleted. +description: Describes security event 4699(S) A scheduled task was deleted. This event is generated every time a scheduled task is deleted. ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy @@ -62,6 +62,17 @@ This event generates every time a scheduled task was deleted.
                        ``` +>[!NOTE] +> Windows 10 Versions 1903 and above augments the event with these additional properties: +> Event Version 1. +> ***Event XML:*** +>``` +> 5066549580796854 +> 3932 +> 5304 +> 0 +> DESKTOP-Name + ***Required Server Roles:*** None. diff --git a/windows/security/threat-protection/auditing/event-4700.md b/windows/security/threat-protection/auditing/event-4700.md index a53997c7b8..8d39b0e38d 100644 --- a/windows/security/threat-protection/auditing/event-4700.md +++ b/windows/security/threat-protection/auditing/event-4700.md @@ -1,6 +1,6 @@ --- title: 4700(S) A scheduled task was enabled. (Windows 10) -description: Describes security event 4700(S) A scheduled task was enabled. +description: Describes security event 4700(S) A scheduled task was enabled. This event is generated every time a scheduled task is enabled. ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy @@ -62,6 +62,17 @@ This event generates every time a scheduled task is enabled.
                        ``` +>[!NOTE] +> Windows 10 Versions 1903 and above augments the event with these additional properties: +> Event Version 1. +> ***Event XML:*** +>``` +> 5066549580796854 +> 3932 +> 5304 +> 0 +> DESKTOP-Name + ***Required Server Roles:*** None. diff --git a/windows/security/threat-protection/auditing/event-4701.md b/windows/security/threat-protection/auditing/event-4701.md index d1991b0941..ef24c397fc 100644 --- a/windows/security/threat-protection/auditing/event-4701.md +++ b/windows/security/threat-protection/auditing/event-4701.md @@ -1,6 +1,6 @@ --- title: 4701(S) A scheduled task was disabled. (Windows 10) -description: Describes security event 4701(S) A scheduled task was disabled. +description: Describes security event 4701(S) A scheduled task was disabled. This event is generated every time a scheduled task is disabled. ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy @@ -62,6 +62,17 @@ This event generates every time a scheduled task is disabled. ``` +>[!NOTE] +> Windows 10 Versions 1903 and above augments the event with these additional properties: +> Event Version 1. +> ***Event XML:*** +>``` +> 5066549580796854 +> 3932 +> 5304 +> 0 +> DESKTOP-Name + ***Required Server Roles:*** None. diff --git a/windows/security/threat-protection/auditing/event-4702.md b/windows/security/threat-protection/auditing/event-4702.md index 01ef0250a8..393a0619d6 100644 --- a/windows/security/threat-protection/auditing/event-4702.md +++ b/windows/security/threat-protection/auditing/event-4702.md @@ -1,6 +1,6 @@ --- title: 4702(S) A scheduled task was updated. (Windows 10) -description: Describes security event 4702(S) A scheduled task was updated. +description: Describes security event 4702(S) A scheduled task was updated. This event is generated when a scheduled task is updated/changed. ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy 
@@ -62,6 +62,17 @@ This event generates every time scheduled task was updated/changed. ``` +>[!NOTE] +> Windows 10 Versions 1903 and above augments the event with these additional properties: +> Event Version 1. +> ***Event XML:*** +>``` +> 5066549580796854 +> 3932 +> 5304 +> 0 +> DESKTOP-Name + ***Required Server Roles:*** None. diff --git a/windows/security/threat-protection/auditing/event-4703.md b/windows/security/threat-protection/auditing/event-4703.md index 9e2056f25d..7483483ea2 100644 --- a/windows/security/threat-protection/auditing/event-4703.md +++ b/windows/security/threat-protection/auditing/event-4703.md @@ -1,6 +1,6 @@ --- title: 4703(S) A user right was adjusted. (Windows 10) -description: Describes security event 4703(S) A user right was adjusted. +description: Describes security event 4703(S) A user right was adjusted. This event is generated when token privileges are enabled or disabled for a specific account. ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy diff --git a/windows/security/threat-protection/auditing/event-4704.md b/windows/security/threat-protection/auditing/event-4704.md index 7db8499254..bc3e9d5c3a 100644 --- a/windows/security/threat-protection/auditing/event-4704.md +++ b/windows/security/threat-protection/auditing/event-4704.md @@ -1,6 +1,6 @@ --- title: 4704(S) A user right was assigned. (Windows 10) -description: Describes security event 4704(S) A user right was assigned. +description: Describes security event 4704(S) A user right was assigned. This event is generated when a user right is assigned to an account. ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy diff --git a/windows/security/threat-protection/auditing/event-4705.md b/windows/security/threat-protection/auditing/event-4705.md index a89086caee..5b337c9941 100644 --- a/windows/security/threat-protection/auditing/event-4705.md +++ b/windows/security/threat-protection/auditing/event-4705.md 
@@ -1,6 +1,6 @@
 ---
 title: 4705(S) A user right was removed. (Windows 10)
-description: Describes security event 4705(S) A user right was removed.
+description: Describes security event 4705(S) A user right was removed. This event is generated when a user right is removed from an account.
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/auditing/event-4706.md b/windows/security/threat-protection/auditing/event-4706.md
index c566c246bf..2a57c47db5 100644
--- a/windows/security/threat-protection/auditing/event-4706.md
+++ b/windows/security/threat-protection/auditing/event-4706.md
@@ -1,6 +1,6 @@
 ---
 title: 4706(S) A new trust was created to a domain. (Windows 10)
-description: Describes security event 4706(S) A new trust was created to a domain.
+description: Describes security event 4706(S) A new trust was created to a domain. This event is generated when a new trust is created for a domain.
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/auditing/event-4707.md b/windows/security/threat-protection/auditing/event-4707.md
index f998718c41..dc7e2f5419 100644
--- a/windows/security/threat-protection/auditing/event-4707.md
+++ b/windows/security/threat-protection/auditing/event-4707.md
@@ -1,6 +1,6 @@
 ---
 title: 4707(S) A trust to a domain was removed. (Windows 10)
-description: Describes security event 4707(S) A trust to a domain was removed.
+description: Describes security event 4707(S) A trust to a domain was removed. This event is generated when a domain trust is removed.
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/auditing/event-4713.md b/windows/security/threat-protection/auditing/event-4713.md
index a4809630b7..69c6f2f153 100644
--- a/windows/security/threat-protection/auditing/event-4713.md
+++ b/windows/security/threat-protection/auditing/event-4713.md
@@ -1,6 +1,6 @@
 ---
 title: 4713(S) Kerberos policy was changed. (Windows 10)
-description: Describes security event 4713(S) Kerberos policy was changed.
+description: Describes security event 4713(S) Kerberos policy was changed. This event is generated when Kerberos policy is changed.
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/auditing/event-4719.md b/windows/security/threat-protection/auditing/event-4719.md
index 4498dfe0fc..e634cf0bbf 100644
--- a/windows/security/threat-protection/auditing/event-4719.md
+++ b/windows/security/threat-protection/auditing/event-4719.md
@@ -1,6 +1,6 @@
 ---
 title: 4719(S) System audit policy was changed. (Windows 10)
-description: Describes security event 4719(S) System audit policy was changed.
+description: Describes security event 4719(S) System audit policy was changed. This event is generated when the computer audit policy changes.
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/auditing/event-4720.md b/windows/security/threat-protection/auditing/event-4720.md
index fffcee9e09..d18fd86200 100644
--- a/windows/security/threat-protection/auditing/event-4720.md
+++ b/windows/security/threat-protection/auditing/event-4720.md
@@ -1,6 +1,6 @@
 ---
 title: 4720(S) A user account was created. (Windows 10)
-description: Describes security event 4720(S) A user account was created.
+description: Describes security event 4720(S) A user account was created. This event is generated a user object is created.
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/auditing/event-4722.md b/windows/security/threat-protection/auditing/event-4722.md
index 2029ba7eae..97a958aba9 100644
--- a/windows/security/threat-protection/auditing/event-4722.md
+++ b/windows/security/threat-protection/auditing/event-4722.md
@@ -1,6 +1,6 @@
 ---
 title: 4722(S) A user account was enabled. (Windows 10)
-description: Describes security event 4722(S) A user account was enabled.
+description: Describes security event 4722(S) A user account was enabled. This event is generated when a user or computer object is enabled.
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/auditing/event-4725.md b/windows/security/threat-protection/auditing/event-4725.md
index e1103b365e..c1bdc4c1f4 100644
--- a/windows/security/threat-protection/auditing/event-4725.md
+++ b/windows/security/threat-protection/auditing/event-4725.md
@@ -1,6 +1,6 @@
 ---
 title: 4725(S) A user account was disabled. (Windows 10)
-description: Describes security event 4725(S) A user account was disabled.
+description: Describes security event 4725(S) A user account was disabled. This event is generated when a user or computer object is disabled.
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/auditing/event-4726.md b/windows/security/threat-protection/auditing/event-4726.md
index 5d48cc9ae6..ae0997e85e 100644
--- a/windows/security/threat-protection/auditing/event-4726.md
+++ b/windows/security/threat-protection/auditing/event-4726.md
@@ -1,6 +1,6 @@
 ---
 title: 4726(S) A user account was deleted. (Windows 10)
-description: Describes security event 4726(S) A user account was deleted.
+description: Describes security event 4726(S) A user account was deleted. This event is generated when a user object is deleted.
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/auditing/event-4738.md b/windows/security/threat-protection/auditing/event-4738.md
index e9761cde7b..3ad4e0bb93 100644
--- a/windows/security/threat-protection/auditing/event-4738.md
+++ b/windows/security/threat-protection/auditing/event-4738.md
@@ -1,6 +1,6 @@ --- title: 4738(S) A user account was changed. (Windows 10) -description: Describes security event 4738(S) A user account was changed. +description: Describes security event 4738(S) A user account was changed. This event is generated when a user object is changed. ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy @@ -32,7 +32,7 @@ This event generates on domain controllers, member servers, and workstations. For each change, a separate 4738 event will be generated. -You might see this event without any changes inside, that is, where all **Changed Attributes** apear as “-“. This usually happens when a change is made to an attribute that is not listed in the event. In this case there is no way to determine which attribute was changed. For example, if the [discretionary access control list](https://msdn.microsoft.com/library/windows/desktop/aa374872(v=vs.85).aspx) (DACL) is changed, a 4738 event will generate, but all attributes will be “-“. +You might see this event without any changes inside, that is, where all **Changed Attributes** appear as “-“. This usually happens when a change is made to an attribute that is not listed in the event. In this case there is no way to determine which attribute was changed. For example, if the [discretionary access control list](https://msdn.microsoft.com/library/windows/desktop/aa374872(v=vs.85).aspx) (DACL) is changed, a 4738 event will generate, but all attributes will be “-“. Some changes do not invoke a 4738 event. diff --git a/windows/security/threat-protection/auditing/event-4739.md b/windows/security/threat-protection/auditing/event-4739.md index 9d9732a82c..644aa94187 100644 --- a/windows/security/threat-protection/auditing/event-4739.md +++ b/windows/security/threat-protection/auditing/event-4739.md 
@@ -1,6 +1,6 @@
 ---
 title: 4739(S) Domain Policy was changed. (Windows 10)
-description: Describes security event 4739(S) Domain Policy was changed.
+description: Describes security event 4739(S) Domain Policy was changed. This event is generated when certain changes are made to the local computer security policy.
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/auditing/event-4740.md b/windows/security/threat-protection/auditing/event-4740.md
index 95cdfe7ee6..68838caedf 100644
--- a/windows/security/threat-protection/auditing/event-4740.md
+++ b/windows/security/threat-protection/auditing/event-4740.md
@@ -1,6 +1,6 @@
 ---
 title: 4740(S) A user account was locked out. (Windows 10)
-description: Describes security event 4740(S) A user account was locked out.
+description: Describes security event 4740(S) A user account was locked out. This event is generated every time a user account is locked out.
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/auditing/event-4741.md b/windows/security/threat-protection/auditing/event-4741.md
index ef907d69b0..22809b4f8f 100644
--- a/windows/security/threat-protection/auditing/event-4741.md
+++ b/windows/security/threat-protection/auditing/event-4741.md
@@ -1,6 +1,6 @@
 ---
 title: 4741(S) A computer account was created. (Windows 10)
-description: Describes security event 4741(S) A computer account was created.
+description: Describes security event 4741(S) A computer account was created. This event is generated every time a computer object is created.
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
@@ -242,7 +242,7 @@ So this UAC flags value decodes to: LOCKOUT and SCRIPT - **DNS Host Name** \[Type = UnicodeString\]: name of computer account as registered in DNS. The value of **dNSHostName** attribute of new computer object. For manually created computer account objects this field has value “**-**“. -- **Service Principal Names** \[Type = UnicodeString\]**:** The list of SPNs, registered for computer account. For new computer accounts it will typically contain HOST SPNs and RestrictedKrbHost SPNs. The value of **servicePrincipalName** attribute of new computer object. For manually created computer objects it is typically equals “**-**“. This is an example of **Service Principal Names** field for new domain joined workstation: +- **Service Principal Names** \[Type = UnicodeString\]**:** The list of SPNs, registered for computer account. For new computer accounts it will typically contain HOST SPNs and RestrictedKrbHost SPNs. The value of **servicePrincipalName** attribute of new computer object. For manually created computer objects it is typically equals “**-**“. This is an example of **Service Principal Names** field for new domain joined workstation: HOST/Win81.contoso.local diff --git a/windows/security/threat-protection/auditing/event-4742.md b/windows/security/threat-protection/auditing/event-4742.md index b39135ee00..0d9f50526b 100644 --- a/windows/security/threat-protection/auditing/event-4742.md +++ b/windows/security/threat-protection/auditing/event-4742.md @@ -1,6 +1,6 @@ --- title: 4742(S) A computer account was changed. (Windows 10) -description: Describes security event 4742(S) A computer account was changed. +description: Describes security event 4742(S) A computer account was changed. This event is generated every time a computer object is changed. ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy 
@@ -36,7 +36,7 @@ For each change, a separate 4742 event will be generated. Some changes do not invoke a 4742 event, for example, changes made using Active Directory Users and Computers management console in **Managed By** tab in computer account properties. -You might see this event without any changes inside, that is, where all **Changed Attributes** apear as “-“. This usually happens when a change is made to an attribute that is not listed in the event. In this case there is no way to determine which attribute was changed. For example, this would happen if you change the **Description** of a group object using the Active Directory Users and Computers administrative console. Also, if the [discretionary access control list](https://msdn.microsoft.com/library/windows/desktop/aa374872(v=vs.85).aspx) (DACL) is changed, a 4742 event will generate, but all attributes will be “-“. +You might see this event without any changes inside, that is, where all **Changed Attributes** appear as “-“. This usually happens when a change is made to an attribute that is not listed in the event. In this case there is no way to determine which attribute was changed. For example, this would happen if you change the **Description** of a group object using the Active Directory Users and Computers administrative console. Also, if the [discretionary access control list](https://msdn.microsoft.com/library/windows/desktop/aa374872(v=vs.85).aspx) (DACL) is changed, a 4742 event will generate, but all attributes will be “-“. ***Important*:** If you manually change any user-related setting or attribute, for example if you set the SMARTCARD\_REQUIRED flag in **userAccountControl** for the computer account, then the **sAMAccountType** of the computer account will be changed to NORMAL\_USER\_ACCOUNT and you will get “[4738](event-4738.md): A user account was changed” instead of 4742 for this computer account. Essentially, the computer account will “become” a user account. 
For NORMAL\_USER\_ACCOUNT you will always get events from [Audit User Account Management](audit-user-account-management.md) subcategory. We strongly recommend that you avoid changing any user-related settings manually for computer objects. @@ -243,7 +243,7 @@ So this UAC flags value decodes to: LOCKOUT and SCRIPT - **Service Principal Names** \[Type = UnicodeString\]**:** The list of SPNs, registered for computer account. If the SPN list of a computer account changed, you will see the new SPN list in **Service Principal Names** field (note that you will see the new list instead of changes). If the value of **servicePrincipalName** attribute of computer object was changed, you will see the new value here. - Here is an example of **Service Principal Names** field for new domain joined workstation in event 4742 on domain controller, after workstation reboots: + Here is an example of **Service Principal Names** field for new domain joined workstation in event 4742 on domain controller, after workstation reboots: HOST/Win81.contoso.local diff --git a/windows/security/threat-protection/auditing/event-4743.md b/windows/security/threat-protection/auditing/event-4743.md index 3fc25787d1..3cc90698fb 100644 --- a/windows/security/threat-protection/auditing/event-4743.md +++ b/windows/security/threat-protection/auditing/event-4743.md @@ -1,6 +1,6 @@ --- title: 4743(S) A computer account was deleted. (Windows 10) -description: Describes security event 4743(S) A computer account was deleted. +description: Describes security event 4743(S) A computer account was deleted. This event is generated every time a computer object is deleted. ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy diff --git a/windows/security/threat-protection/auditing/event-4764.md b/windows/security/threat-protection/auditing/event-4764.md index 28f41dff94..86df9d9645 100644 --- a/windows/security/threat-protection/auditing/event-4764.md +++ b/windows/security/threat-protection/auditing/event-4764.md 
@@ -1,6 +1,6 @@
 ---
 title: 4764(S) A group's type was changed. (Windows 10)
-description: Describes security event 4764(S) A group’s type was changed.
+description: "Describes security event 4764(S) A group's type was changed. This event is generated when the type of a group is changed."
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/auditing/event-4765.md b/windows/security/threat-protection/auditing/event-4765.md
index c5310d9f72..3ea2c4e756 100644
--- a/windows/security/threat-protection/auditing/event-4765.md
+++ b/windows/security/threat-protection/auditing/event-4765.md
@@ -1,6 +1,6 @@
 ---
 title: 4765(S) SID History was added to an account. (Windows 10)
-description: Describes security event 4765(S) SID History was added to an account.
+description: Describes security event 4765(S) SID History was added to an account. This event is generated when SID History is added to an account.
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/auditing/event-4767.md b/windows/security/threat-protection/auditing/event-4767.md
index e5f3f71068..87baefbc54 100644
--- a/windows/security/threat-protection/auditing/event-4767.md
+++ b/windows/security/threat-protection/auditing/event-4767.md
@@ -1,6 +1,6 @@
 ---
 title: 4767(S) A user account was unlocked. (Windows 10)
-description: Describes security event 4767(S) A user account was unlocked.
+description: Describes security event 4767(S) A user account was unlocked. This event is generated every time a user account is unlocked.
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/auditing/event-4771.md b/windows/security/threat-protection/auditing/event-4771.md
index d8e637e093..af44f02711 100644
--- a/windows/security/threat-protection/auditing/event-4771.md
+++ b/windows/security/threat-protection/auditing/event-4771.md
@@ -1,6 +1,6 @@
 ---
 title: 4771(F) Kerberos pre-authentication failed. (Windows 10)
-description: Describes security event 4771(F) Kerberos pre-authentication failed.
+description: Describes security event 4771(F) Kerberos pre-authentication failed. This event is generated when the Key Distribution Center fails to issue a Kerberos TGT.
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/auditing/event-4774.md b/windows/security/threat-protection/auditing/event-4774.md
index df9ff558e3..21a33e20a2 100644
--- a/windows/security/threat-protection/auditing/event-4774.md
+++ b/windows/security/threat-protection/auditing/event-4774.md
@@ -1,6 +1,6 @@
 ---
 title: 4774(S, F) An account was mapped for logon. (Windows 10)
-description: Describes security event 4774(S, F) An account was mapped for logon.
+description: Describes security event 4774(S, F) An account was mapped for logon. This event is generated when an account is mapped for logon.
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/auditing/event-4781.md b/windows/security/threat-protection/auditing/event-4781.md
index 042f226a20..a48651e686 100644
--- a/windows/security/threat-protection/auditing/event-4781.md
+++ b/windows/security/threat-protection/auditing/event-4781.md
@@ -1,6 +1,6 @@
 ---
 title: 4781(S) The name of an account was changed. (Windows 10)
-description: Describes security event 4781(S) The name of an account was changed.
+description: Describes security event 4781(S) The name of an account was changed. This event is generated every time a user or computer account name is changed.
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/auditing/event-4800.md b/windows/security/threat-protection/auditing/event-4800.md
index e661f5ed3d..b0be9a0f3a 100644
--- a/windows/security/threat-protection/auditing/event-4800.md
+++ b/windows/security/threat-protection/auditing/event-4800.md
@@ -1,6 +1,6 @@
 ---
 title: 4800(S) The workstation was locked. (Windows 10)
-description: Describes security event 4800(S) The workstation was locked.
+description: Describes security event 4800(S) The workstation was locked. This event is generated when a workstation is locked.
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/auditing/event-4801.md b/windows/security/threat-protection/auditing/event-4801.md
index 937d79b878..61e2682379 100644
--- a/windows/security/threat-protection/auditing/event-4801.md
+++ b/windows/security/threat-protection/auditing/event-4801.md
@@ -1,6 +1,6 @@
 ---
 title: 4801(S) The workstation was unlocked. (Windows 10)
-description: Describes security event 4801(S) The workstation was unlocked.
+description: Describes security event 4801(S) The workstation was unlocked. This event is generated when workstation is unlocked.
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/auditing/event-4802.md b/windows/security/threat-protection/auditing/event-4802.md
index 41f5ba4f6e..a00ead7497 100644
--- a/windows/security/threat-protection/auditing/event-4802.md
+++ b/windows/security/threat-protection/auditing/event-4802.md
@@ -1,6 +1,6 @@
 ---
 title: 4802(S) The screen saver was invoked. (Windows 10)
-description: Describes security event 4802(S) The screen saver was invoked.
+description: Describes security event 4802(S) The screen saver was invoked. This event is generated when screen saver is invoked.
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/auditing/event-4803.md b/windows/security/threat-protection/auditing/event-4803.md
index c50d78d76c..0354849e13 100644
--- a/windows/security/threat-protection/auditing/event-4803.md
+++ b/windows/security/threat-protection/auditing/event-4803.md
@@ -1,6 +1,6 @@
 ---
 title: 4803(S) The screen saver was dismissed. (Windows 10)
-description: Describes security event 4803(S) The screen saver was dismissed.
+description: Describes security event 4803(S) The screen saver was dismissed. This event is generated when screen saver is dismissed.
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/auditing/event-4826.md b/windows/security/threat-protection/auditing/event-4826.md
index 4e45693aaa..3729924d93 100644
--- a/windows/security/threat-protection/auditing/event-4826.md
+++ b/windows/security/threat-protection/auditing/event-4826.md
@@ -1,6 +1,6 @@
 ---
 title: 4826(S) Boot Configuration Data loaded. (Windows 10)
-description: Describes security event 4826(S) Boot Configuration Data loaded.
+description: Describes security event 4826(S) Boot Configuration Data loaded. This event is generated every time system starts and loads Boot Configuration Data settings.
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/auditing/event-4864.md b/windows/security/threat-protection/auditing/event-4864.md
index 62ced88fe8..5556b207b5 100644
--- a/windows/security/threat-protection/auditing/event-4864.md
+++ b/windows/security/threat-protection/auditing/event-4864.md
@@ -1,6 +1,6 @@
 ---
 title: 4864(S) A namespace collision was detected. (Windows 10)
-description: Describes security event 4864(S) A namespace collision was detected.
+description: Describes security event 4864(S) A namespace collision was detected. This event is generated when a namespace collision is detected.
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/auditing/event-4907.md b/windows/security/threat-protection/auditing/event-4907.md
index 34454c6d14..6610d670eb 100644
--- a/windows/security/threat-protection/auditing/event-4907.md
+++ b/windows/security/threat-protection/auditing/event-4907.md
@@ -285,5 +285,5 @@ For 4907(S): Auditing settings on object were changed. - If you have critical file or registry objects and you need to monitor all modifications (especially changes in SACL), monitor for specific “**Object\\Object Name”**. -- If you have high-value computers for which you need to monitor all changes for all or specific file or registry objects, monitor for all [4907](event-4907.md) events on these computers. +- If you have high-value computers for which you need to monitor all changes for all or specific file or registry objects, monitor for all [4907](event-4907.md) events on these computers. diff --git a/windows/security/threat-protection/auditing/event-4908.md b/windows/security/threat-protection/auditing/event-4908.md index 847263668e..7573adb5f7 100644 --- a/windows/security/threat-protection/auditing/event-4908.md +++ b/windows/security/threat-protection/auditing/event-4908.md @@ -1,6 +1,6 @@ --- title: 4908(S) Special Groups Logon table modified. (Windows 10) -description: Describes security event 4908(S) Special Groups Logon table modified. +description: Describes security event 4908(S) Special Groups Logon table modified. This event is generated when the Special Groups Logon table is modified. ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy diff --git a/windows/security/threat-protection/auditing/event-4912.md b/windows/security/threat-protection/auditing/event-4912.md index 4e98d50f44..cf141b9a2d 100644 --- a/windows/security/threat-protection/auditing/event-4912.md +++ b/windows/security/threat-protection/auditing/event-4912.md @@ -1,6 +1,6 @@ --- title: 4912(S) Per User Audit Policy was changed. (Windows 10) -description: Describes security event 4912(S) Per User Audit Policy was changed. +description: Describes security event 4912(S) Per User Audit Policy was changed. This event is generated every time Per User Audit Policy is changed. ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy 
diff --git a/windows/security/threat-protection/auditing/event-4935.md b/windows/security/threat-protection/auditing/event-4935.md
index 18964e5c16..c9e2159bc0 100644
--- a/windows/security/threat-protection/auditing/event-4935.md
+++ b/windows/security/threat-protection/auditing/event-4935.md
@@ -1,6 +1,6 @@
 ---
 title: 4935(F) Replication failure begins. (Windows 10)
-description: Describes security event 4935(F) Replication failure begins.
+description: Describes security event 4935(F) Replication failure begins. This event is generated when Active Directory replication failure begins.
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/auditing/event-4936.md b/windows/security/threat-protection/auditing/event-4936.md
index 214811e890..d9d60e43be 100644
--- a/windows/security/threat-protection/auditing/event-4936.md
+++ b/windows/security/threat-protection/auditing/event-4936.md
@@ -1,6 +1,6 @@
 ---
 title: 4936(S) Replication failure ends. (Windows 10)
-description: Describes security event 4936(S) Replication failure ends.
+description: Describes security event 4936(S) Replication failure ends. This event is generated when Active Directory replication failure ends.
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/auditing/event-5039.md b/windows/security/threat-protection/auditing/event-5039.md
index 43677f0e97..1f6c100b8d 100644
--- a/windows/security/threat-protection/auditing/event-5039.md
+++ b/windows/security/threat-protection/auditing/event-5039.md
@@ -1,6 +1,6 @@
 ---
 title: 5039(-) A registry key was virtualized. (Windows 10)
-description: Describes security event 5039(-) A registry key was virtualized.
+description: Describes security event 5039(-) A registry key was virtualized. This event is generated when a registry key is virtualized using LUAFV.
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/auditing/event-5051.md b/windows/security/threat-protection/auditing/event-5051.md
index adfb677ffd..0bf8362113 100644
--- a/windows/security/threat-protection/auditing/event-5051.md
+++ b/windows/security/threat-protection/auditing/event-5051.md
@@ -1,6 +1,6 @@
 ---
 title: 5051(-) A file was virtualized. (Windows 10)
-description: Describes security event 5051(-) A file was virtualized.
+description: Describes security event 5051(-) A file was virtualized. This event is generated when a file is virtualized using LUAFV.
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/auditing/event-5058.md b/windows/security/threat-protection/auditing/event-5058.md
index 508bb9d381..008ecb3292 100644
--- a/windows/security/threat-protection/auditing/event-5058.md
+++ b/windows/security/threat-protection/auditing/event-5058.md
@@ -1,6 +1,6 @@
 ---
 title: 5058(S, F) Key file operation. (Windows 10)
-description: Describes security event 5058(S, F) Key file operation.
+description: Describes security event 5058(S, F) Key file operation. This event is generated when an operation is performed on a file that contains a KSP key.
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/auditing/event-5059.md b/windows/security/threat-protection/auditing/event-5059.md
index e3f73073f3..096fcfe2c9 100644
--- a/windows/security/threat-protection/auditing/event-5059.md
+++ b/windows/security/threat-protection/auditing/event-5059.md
@@ -1,6 +1,6 @@
 ---
 title: 5059(S, F) Key migration operation. (Windows 10)
-description: Describes security event 5059(S, F) Key migration operation.
+description: Describes security event 5059(S, F) Key migration operation. This event is generated when a cryptographic key is exported/imported using a Key Storage Provider.
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/auditing/event-5060.md b/windows/security/threat-protection/auditing/event-5060.md
index bd0414e3ca..96344c475f 100644
--- a/windows/security/threat-protection/auditing/event-5060.md
+++ b/windows/security/threat-protection/auditing/event-5060.md
@@ -1,6 +1,6 @@
 ---
 title: 5060(F) Verification operation failed. (Windows 10)
-description: Describes security event 5060(F) Verification operation failed.
+description: Describes security event 5060(F) Verification operation failed. This event is generated in case of CNG verification operation failure.
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/auditing/event-5061.md b/windows/security/threat-protection/auditing/event-5061.md
index 271b5d582b..d283324906 100644
--- a/windows/security/threat-protection/auditing/event-5061.md
+++ b/windows/security/threat-protection/auditing/event-5061.md
@@ -1,6 +1,6 @@
 ---
 title: 5061(S, F) Cryptographic operation. (Windows 10)
-description: Describes security event 5061(S, F) Cryptographic operation.
+description: Describes security event 5061(S, F) Cryptographic operation. This event is generated when a cryptographic operation is performed using a Key Storage Provider.
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/auditing/event-5140.md b/windows/security/threat-protection/auditing/event-5140.md
index a4f705ba93..3d3d5152cc 100644
--- a/windows/security/threat-protection/auditing/event-5140.md
+++ b/windows/security/threat-protection/auditing/event-5140.md
@@ -145,7 +145,7 @@ For 5140(S, F): A network share object was accessed. > **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). -- If you have high-value computers for which you need to monitor all access to all shares or specific shares (“**Share Name**”), monitor this event. For example, you could monitor share **C$** on domain controllers. +- If you have high-value computers for which you need to monitor all access to all shares or specific shares (“**Share Name**”), monitor this event. For example, you could monitor share **C$** on domain controllers. - Monitor this event if the **Network Information\\Source Address** is not from your internal IP range. diff --git a/windows/security/threat-protection/auditing/event-5142.md b/windows/security/threat-protection/auditing/event-5142.md index 858e4a608f..fdb2fe2741 100644 --- a/windows/security/threat-protection/auditing/event-5142.md +++ b/windows/security/threat-protection/auditing/event-5142.md @@ -1,6 +1,6 @@ --- title: 5142(S) A network share object was added. (Windows 10) -description: Describes security event 5142(S) A network share object was added. +description: Describes security event 5142(S) A network share object was added. This event is generated when a network share object is added. ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy 
@@ -104,7 +104,7 @@ For 5142(S): A network share object was added. > **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). -- If you have high-value computers for which you need to monitor creation of new file shares, monitor this event. For example, you could monitor domain controllers. +- If you have high-value computers for which you need to monitor creation of new file shares, monitor this event. For example, you could monitor domain controllers. - We recommend checking “**Share Path**”, because it should not point to system directories, such as **C:\\Windows** or **C:\\**, or to critical local folders which contain private or high value information. diff --git a/windows/security/threat-protection/auditing/event-5143.md b/windows/security/threat-protection/auditing/event-5143.md index c7f46521ae..a62699a745 100644 --- a/windows/security/threat-protection/auditing/event-5143.md +++ b/windows/security/threat-protection/auditing/event-5143.md @@ -1,6 +1,6 @@ --- title: 5143(S) A network share object was modified. (Windows 10) -description: Describes security event 5143(S) A network share object was modified. +description: Describes security event 5143(S) A network share object was modified. This event is generated when a network share object is modified. ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy 
@@ -259,5 +259,5 @@ For 5143(S): A network share object was modified. > **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). -- If you have high-value computers for which you need to monitor all modifications to all shares or specific shares (“**Share Name**”), monitor this event. For example, you could monitor all changes to the SYSVOL share on domain controllers. +- If you have high-value computers for which you need to monitor all modifications to all shares or specific shares (“**Share Name**”), monitor this event. For example, you could monitor all changes to the SYSVOL share on domain controllers. diff --git a/windows/security/threat-protection/auditing/event-5144.md b/windows/security/threat-protection/auditing/event-5144.md index 4c20a34092..581c19e3c9 100644 --- a/windows/security/threat-protection/auditing/event-5144.md +++ b/windows/security/threat-protection/auditing/event-5144.md @@ -1,6 +1,6 @@ --- title: 5144(S) A network share object was deleted. (Windows 10) -description: Describes security event 5144(S) A network share object was deleted. +description: Describes security event 5144(S) A network share object was deleted. This event is generated when a network share object is deleted. ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy 
@@ -106,5 +106,5 @@ For 5144(S): A network share object was deleted. - If you have critical network shares for which you need to monitor all changes (especially, the deletion of that share), monitor for specific “**Share Information\\Share Name”.** -- If you have high-value computers for which you need to monitor all changes (especially, deletion of file shares), monitor for all [5144](event-5144.md) events on these computers. For example, you could monitor file shares on domain controllers. +- If you have high-value computers for which you need to monitor all changes (especially, deletion of file shares), monitor for all [5144](event-5144.md) events on these computers. For example, you could monitor file shares on domain controllers. diff --git a/windows/security/threat-protection/auditing/event-5168.md b/windows/security/threat-protection/auditing/event-5168.md index 9889690df3..fcc35ba385 100644 --- a/windows/security/threat-protection/auditing/event-5168.md +++ b/windows/security/threat-protection/auditing/event-5168.md @@ -1,6 +1,6 @@ --- title: 5168(F) SPN check for SMB/SMB2 failed. (Windows 10) -description: Describes security event 5168(F) SPN check for SMB/SMB2 failed. +description: Describes security event 5168(F) SPN check for SMB/SMB2 failed. This event is generated when an SMB SPN check fails. ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy diff --git a/windows/security/threat-protection/auditing/event-6407.md b/windows/security/threat-protection/auditing/event-6407.md index 396bf6af15..ca5e8e02d6 100644 --- a/windows/security/threat-protection/auditing/event-6407.md +++ b/windows/security/threat-protection/auditing/event-6407.md @@ -1,6 +1,6 @@ --- title: 6407(-) 1%. (Windows 10) -description: Describes security event 6407(-) 1%. +description: Describes security event 6407(-) 1%. This is a BranchCache event, which is outside the scope of this document. ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy 
diff --git a/windows/security/threat-protection/auditing/event-6420.md b/windows/security/threat-protection/auditing/event-6420.md
index 37b3ec6aaf..2ede6f7fce 100644
--- a/windows/security/threat-protection/auditing/event-6420.md
+++ b/windows/security/threat-protection/auditing/event-6420.md
@@ -1,6 +1,6 @@
 ---
 title: 6420(S) A device was disabled. (Windows 10)
-description: Describes security event 6420(S) A device was disabled.
+description: Describes security event 6420(S) A device was disabled. This event is generated when a specific device is disabled.
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/auditing/event-6422.md b/windows/security/threat-protection/auditing/event-6422.md
index 5c4de3d822..606f0228a6 100644
--- a/windows/security/threat-protection/auditing/event-6422.md
+++ b/windows/security/threat-protection/auditing/event-6422.md
@@ -1,6 +1,6 @@
 ---
 title: 6422(S) A device was enabled. (Windows 10)
-description: Describes security event 6422(S) A device was enabled.
+description: Describes security event 6422(S) A device was enabled. This event is generated when a specific device is enabled.
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/auditing/other-events.md b/windows/security/threat-protection/auditing/other-events.md
index 5a7b38d9c1..42a1f36edd 100644
--- a/windows/security/threat-protection/auditing/other-events.md
+++ b/windows/security/threat-protection/auditing/other-events.md
@@ -1,6 +1,6 @@
 ---
 title: Other Events (Windows 10)
-description: Describes the Other Events auditing subcategory.
+description: Describes the Other Events auditing subcategory, which includes events that are generated automatically and enabled by default.
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/auditing/planning-and-deploying-advanced-security-audit-policies.md b/windows/security/threat-protection/auditing/planning-and-deploying-advanced-security-audit-policies.md
index bddb29f760..2bc61ffce1 100644
--- a/windows/security/threat-protection/auditing/planning-and-deploying-advanced-security-audit-policies.md
+++ b/windows/security/threat-protection/auditing/planning-and-deploying-advanced-security-audit-policies.md
@@ -2,7 +2,6 @@
 title: Plan and deploy advanced security audit policies (Windows 10)
 description: Learn to deploy an effective security audit policy in a network that includes advanced security audit policies.
 ms.assetid: 7428e1db-aba8-407b-a39e-509671e5a442
-
 ms.reviewer:
 ms.author: dansimp
 ms.prod: w10
diff --git a/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md b/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md
index d6788c3add..add9bc1309 100644
--- a/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md
+++ b/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md
@@ -8,7 +8,6 @@ ms.pagetype: security
 ms.localizationpriority: medium
 ms.author: dansimp
 author: dansimp
-ms.date: 10/04/2019
 ms.reviewer: dansimp
 manager: dansimp
 audience: ITPro
@@ -23,7 +22,7 @@ Microsoft recommends [a layered approach to securing removable media](https://ak 1. [Discover plug and play connected events for peripherals in Microsoft Defender ATP advanced hunting](#discover-plug-and-play-connected-events). Identify or investigate suspicious usage activity. 2. Configure to allow or block only certain removable devices and prevent threats. - 1. [Allow or block removable devices](#allow-or-block-removable-devices) based on granular configuration to deny write access to removable disks and approve or deny devices by USB vendor IDs, product IDs, device IDs, or a combination. Flexible policy assignment of device installation settings based on an individual or group of Azure Active Directory (Azure AD) users and devices. + 1. [Allow or block removable devices](#allow-or-block-removable-devices) based on granular configuration to deny write access to removable disks and approve or deny devices by using USB device IDs. Flexible policy assignment of device installation settings based on an individual or group of Azure Active Directory (Azure AD) users and devices. 2. [Prevent threats from removable storage](#prevent-threats-from-removable-storage) introduced by removable storage devices by enabling: - Microsoft Defender Antivirus real-time protection (RTP) to scan removable storage for malware. 
@@ -98,35 +97,37 @@ In this example, the following classes needed to be added: HID, Keyboard, and {3 ![Device host controller](images/devicehostcontroller.jpg) -If you want to restrict to certain devices, remove the device setup class of the peripheral that you want to limit. Then add the device ID that you want to add. To find the vendor or product IDs, see [Look up device vendor ID or product ID](#look-up-device-vendor-id-or-product-id). +If you want to restrict to certain devices, remove the device setup class of the peripheral that you want to limit. Then add the device ID that you want to add. Device ID is based on the vendor ID and product ID values for a device. For information on device ID formats, see [Standard USB Identifiers](https://docs.microsoft.com/windows-hardware/drivers/install/standard-usb-identifiers). + +To find the device IDs, see [Look up device ID](#look-up-device-id). For example: 1. Remove class USBDevice from the **Allow installation of devices using drivers that match these device setup**. -2. Add the vendor ID or product ID to allow in the **Allow installation of device that match any of these device IDs**. +2. Add the device ID to allow in the **Allow installation of device that match any of these device IDs**. #### Prevent installation and usage of USB drives and other peripherals If you want to prevent the installation of a device class or certain devices, you can use the prevent device installation policies: -1. Enable **Prevent installation of devices that match any of these device IDs**. +1. Enable **Prevent installation of devices that match any of these device IDs** and add these devices to the list. 2. Enable **Prevent installation of devices using drivers that match these device setup classes**. > [!Note] > The prevent device installation policies take precedence over the allow device installation policies. 
-The **Prevent installation of devices that match any of these device IDs** policy allows you to specify a list of vendor or product IDs for devices that Windows is prevented from installing. +The **Prevent installation of devices that match any of these device IDs** policy allows you to specify a list of devices that Windows is prevented from installing. To prevent installation of devices that match any of these device IDs: -1. [Look up device vendor ID or product ID](#look-up-device-vendor-id-or-product-id) for devices that you want Windows to prevent from installing. +1. [Look up device ID](#look-up-device-id) for devices that you want Windows to prevent from installing. ![Look up vendor or product ID](images/lookup-vendor-product-id.png) 2. Enable **Prevent installation of devices that match any of these device IDs** and add the vendor or product IDs to the list. ![Add vendor ID to prevent list](images/add-vendor-id-to-prevent-list.png) -#### Look up device vendor ID or product ID -You can use Device Manager to look up a device vendor or product ID. +#### Look up device ID +You can use Device Manager to look up a device ID. 1. Open Device Manager. 2. Click **View** and select **Devices by connection**. 
@@ -135,11 +136,11 @@ You can use Device Manager to look up a device vendor or product ID. 5. Click the **Property** drop-down list and select **Hardware Ids**. 6. Right-click the top ID value and select **Copy**. -For information on vendor and product ID formats, see [Standard USB Identifiers](https://docs.microsoft.com/windows-hardware/drivers/install/standard-usb-identifiers). +For information about Device ID formats, see [Standard USB Identifiers](https://docs.microsoft.com/windows-hardware/drivers/install/standard-usb-identifiers). For information on vendor IDs, see [USB members](https://www.usb.org/members). -The following is an example for looking up a device vendor ID or product ID using PowerShell: +The following is an example for looking up a device vendor ID or product ID (which is part of the device ID) using PowerShell: ``` PowerShell Get-WMIObject -Class Win32_DiskDrive | Select-Object -Property * diff --git a/windows/security/threat-protection/device-guard/memory-integrity.md b/windows/security/threat-protection/device-guard/memory-integrity.md index 7cdda06143..3ebdf7bf95 100644 --- a/windows/security/threat-protection/device-guard/memory-integrity.md +++ b/windows/security/threat-protection/device-guard/memory-integrity.md @@ -1,9 +1,8 @@ --- title: Memory integrity keywords: mitigations, vulnerabilities, vulnerability, mitigation, exploit, exploits, emet -description: Memory integrity. +description: Learn about memory integrity, a feature of Windows that ensures code running in the Windows kernel is securely designed and trustworthy. search.product: eADQiWindows 10XVcnh -ms.pagetype: security ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library 
diff --git a/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md
index 725e9d2023..d594900ce7 100644
--- a/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md
+++ b/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md
@@ -42,7 +42,7 @@ The following tables provide more information about the hardware, firmware, and | Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | See the System.Fundamentals.Firmware.UEFISecureBoot requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Systems download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](https://docs.microsoft.com/windows-hardware/design/compatibility/whcp-specifications-policies). | UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. | | Firmware: **Secure firmware update process** | UEFI firmware must support secure firmware update found under the System.Fundamentals.Firmware.UEFISecureBoot requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Systems download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](https://docs.microsoft.com/windows-hardware/design/compatibility/whcp-specifications-policies). | UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. | | Software: **HVCI compatible drivers** | See the Filter.Driver.DeviceGuard.DriverCompatibility requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Filter driver download](https://go.microsoft.com/fwlink/?linkid=2027110). 
You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](https://docs.microsoft.com/windows-hardware/design/compatibility/whcp-specifications-policies). | [HVCI Compatible](https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/05/22/driver-compatibility-with-device-guard-in-windows-10/) drivers help ensure that VBS can maintain appropriate memory permissions. This increases resistance to bypassing vulnerable kernel drivers and helps ensure that malware cannot run in kernel. Only code verified through code integrity can run in kernel mode. | -| Software: Qualified **Windows operating system** | Windows 10 Enterprise, Windows 10 Pro, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise

                        Important:
                        Windows Server 2016 running as a domain controller does not support Windows Defender Credential Guard. Only virtualization-based protection of code integrity is supported in this configuration.

                        | Support for VBS and for management features that simplify configuration of Windows Defender Device Guard. | +| Software: Qualified **Windows operating system** | Windows 10 Enterprise, Windows 10 Pro, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise

                        Important:
                        Windows Server 2016 running as a domain controller does not support Windows Defender Credential Guard. Only virtualization-based protection of code integrity is supported in this configuration.

                        | Support for VBS and for management features that simplify configuration of Windows Defender Device Guard. | > **Important**  The following tables list additional qualifications for improved security. You can use Windows Defender Device Guard with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting these additional qualifications to significantly strengthen the level of security that Windows Defender Device Guard can provide. @@ -75,6 +75,6 @@ The following tables describe additional hardware and firmware qualifications, a | Protections for Improved Security | Description | Security benefits | |---------------------------------------------|----------------------------------------------------|------| -| Firmware: **VBS enablement of NX protection for UEFI runtime services** | • VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be executable.
                        • UEFI runtime service must meet these requirements:
                            • Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table.
                            • PE sections need to be page-aligned in memory (not required for in non-volitile storage).
                            • The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:
                                • All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both
                                • No entries may be left with neither of the above attributes, indicating memory that is both executable and writable. Memory must be either readable and executable or writeable and non-executable.

                        Notes:
                        • This only applies to UEFI runtime service memory, and not UEFI boot service memory.
                        • This protection is applied by VBS on OS page tables.


                        Please also note the following:
                        • Do not use sections that are both writeable and executable
                        • Do not attempt to directly modify executable system memory
                        • Do not use dynamic code | • Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
                        • Reduces the attack surface to VBS from system firmware. | +| Firmware: **VBS enablement of NX protection for UEFI runtime services** | • VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be executable.
                        • UEFI runtime service must meet these requirements:
                            • Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table.
                            • PE sections need to be page-aligned in memory (not required for in non-volitile storage).
                            • The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:
                                • All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both
                                • No entries may be left with neither of the above attributes, indicating memory that is both executable and writable. Memory must be either readable and executable or writeable and non-executable.

                        Notes:
                        • This only applies to UEFI runtime service memory, and not UEFI boot service memory.
                        • This protection is applied by VBS on OS page tables.


                        Please also note the following:
                        • Do not use sections that are both writeable and executable
                        • Do not attempt to directly modify executable system memory
                        • Do not use dynamic code | • Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
                        • Reduces the attack surface to VBS from system firmware. | | Firmware: **Firmware support for SMM protection** | The [Windows SMM Security Mitigations Table (WSMT) specification](https://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.| • Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
                        • Reduces the attack surface to VBS from system firmware.
                        • Blocks additional security attacks against SMM. | diff --git a/windows/security/threat-protection/fips-140-validation.md b/windows/security/threat-protection/fips-140-validation.md index 7bc3af8993..262058bf1d 100644 --- a/windows/security/threat-protection/fips-140-validation.md +++ b/windows/security/threat-protection/fips-140-validation.md @@ -102,10 +102,10 @@ Validated Editions: Home, Pro, Enterprise, Education -Cryptographic Module -Version (link to Security Policy) -FIPS Certificate # -Algorithms +Cryptographic Module +Version (link to Security Policy) +FIPS Certificate # +Algorithms Cryptographic Primitives Library @@ -166,10 +166,10 @@ Validated Editions: Home, Pro, Enterprise, Education, S, Surface Hub, Mobile -Cryptographic Module -Version (link to Security Policy) -FIPS Certificate # -Algorithms +Cryptographic Module +Version (link to Security Policy) +FIPS Certificate # +Algorithms Cryptographic Primitives Library @@ -236,10 +236,10 @@ Validated Editions: Home, Pro, Enterprise, Education, S, Surface Hub, Mobile -Cryptographic Module -Version (link to Security Policy) -FIPS Certificate # -Algorithms +Cryptographic Module +Version (link to Security Policy) +FIPS Certificate # +Algorithms Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll) @@ -251,7 +251,7 @@ Validated Editions: Home, Pro, Enterprise, Education, S, Surface Hub, Mobile

                        Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #1133); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #2521); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #1281); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #1278)

                        -Kernel Mode Cryptographic Primitives Library (cng.sys) +Kernel Mode Cryptographic Primitives Library (cng.sys) 10.0.15063 #3094

                        #3094

                        @@ -323,10 +323,10 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile -Cryptographic Module -Version (link to Security Policy) -FIPS Certificate # -Algorithms +Cryptographic Module +Version (link to Security Policy) +FIPS Certificate # +Algorithms Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll) @@ -338,7 +338,7 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile

                        Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #922); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #888); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #887); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #886)

                        -Kernel Mode Cryptographic Primitives Library (cng.sys) +Kernel Mode Cryptographic Primitives Library (cng.sys) 10.0.14393 #2936

                        FIPS Approved algorithms: AES (Cert. #4064); DRBG (Cert. #1217); DSA (Cert. #1098); ECDSA (Cert. #911); HMAC (Cert. #2651); KAS (Cert. #92); KBKDF (Cert. #101); KTS (AES Cert. #4062; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2192, #2193 and #2195); SHS (Cert. #3347); Triple-DES (Cert. #2227)
                        @@ -416,10 +416,10 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, Surface Hub -Cryptographic Module -Version (link to Security Policy) -FIPS Certificate # -Algorithms +Cryptographic Module +Version (link to Security Policy) +FIPS Certificate # +Algorithms Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll) @@ -431,7 +431,7 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, Surface Hub

                        Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #666); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #665); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #663); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #664)

                        -Kernel Mode Cryptographic Primitives Library (cng.sys) +Kernel Mode Cryptographic Primitives Library (cng.sys) 10.0.10586 #2605

                        FIPS Approved algorithms: AES (Certs. #3629); DRBG (Certs. #955); DSA (Certs.  #1024); ECDSA (Certs. #760); HMAC (Certs. #2381); KAS (Certs. #72; key agreement; key establishment methodology provides between 112 and 256 bits of encryption strength); KBKDF (Certs. #72); KTS (AES Certs. #3653; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #1887, #1888 and #1889); SHS (Certs. #3047); Triple-DES (Certs. #2024)
                        @@ -514,10 +514,10 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, and Surface -Cryptographic Module -Version (link to Security Policy) -FIPS Certificate # -Algorithms +Cryptographic Module +Version (link to Security Policy) +FIPS Certificate # +Algorithms Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll) @@ -529,7 +529,7 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, and Surface

                        Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #572); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #576); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #575)

                        -Kernel Mode Cryptographic Primitives Library (cng.sys) +Kernel Mode Cryptographic Primitives Library (cng.sys) 10.0.10240 #2605

                        FIPS Approved algorithms: AES (Certs. #3497); DRBG (Certs. #868); DSA (Certs. #983); ECDSA (Certs. #706); HMAC (Certs. #2233); KAS (Certs. #64; key agreement; key establishment methodology provides between 112 and 256 bits of encryption strength); KBKDF (Certs. #66); KTS (AES Certs. #3507; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #1783, #1798, and #1802); SHS (Certs. #2886); Triple-DES (Certs. #1969)
                        @@ -612,10 +612,10 @@ Validated Editions: RT, Pro, Enterprise, Phone, Embedded -Cryptographic Module -Version (link to Security Policy) -FIPS Certificate # -Algorithms +Cryptographic Module +Version (link to Security Policy) +FIPS Certificate # +Algorithms Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll) @@ -627,7 +627,7 @@ Validated Editions: RT, Pro, Enterprise, Phone, Embedded

                        Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #288); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #289); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #323)

                        -Kernel Mode Cryptographic Primitives Library (cng.sys) +Kernel Mode Cryptographic Primitives Library (cng.sys) 6.3.9600 6.3.9600.17042 #2356

                        FIPS Approved algorithms: AES (Cert. #2832); DRBG (Certs. #489); ECDSA (Cert. #505); HMAC (Cert. #1773); KAS (Cert. #47); KBKDF (Cert. #30); PBKDF (vendor affirmed); RSA (Certs. #1487, #1493 and #1519); SHS (Cert. # 2373); Triple-DES (Cert. #1692)
                        @@ -689,10 +689,10 @@ Validated Editions: RT, Home, Pro, Enterprise, Phone - - - - + + + + @@ -705,7 +705,7 @@ Validated Editions: RT, Home, Pro, Enterprise, Phone - + - - - - + + + + @@ -915,10 +915,10 @@ Validated Editions: Ultimate Edition - - - - + + + + @@ -981,10 +981,10 @@ Validated Editions: Ultimate Edition
                        Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #AlgorithmsCryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                        Cryptographic Primitives Library (BCRYPTPRIMITIVES.DLL)
                        Kernel Mode Cryptographic Primitives Library (cng.sys)Kernel Mode Cryptographic Primitives Library (cng.sys) 6.2.9200 #1891 FIPS Approved algorithms: AES (Certs. #2197 and #2216); DRBG (Certs. #258 and #259); ECDSA (Cert. #341); HMAC (Cert. #1345); KAS (Cert. #36); KBKDF (Cert. #3); PBKDF (vendor affirmed); RNG (Cert. #1110); RSA (Certs. #1133 and #1134); SHS (Cert. #1903); Triple-DES (Cert. #1387)
                        @@ -791,10 +791,10 @@ Validated Editions: Windows 7, Windows 7 SP1
                        Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #AlgorithmsCryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                        Cryptographic Primitives Library (BCRYPTPRIMITIVES.DLL)
                        Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #AlgorithmsCryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                        Boot Manager (bootmgr)
                        - - - - + + + + @@ -1033,10 +1033,10 @@ Validated Editions: Ultimate Edition - - - - + + + + @@ -1074,10 +1074,10 @@ Validated Editions: Ultimate Edition - - - - + + + + @@ -1108,10 +1108,10 @@ Validated Editions: Ultimate Edition - - - - + + + + @@ -1135,10 +1135,10 @@ Validated Editions: Ultimate Edition - - - - + + + + @@ -1162,10 +1162,10 @@ Validated Editions: Ultimate Edition - - - - + + + + @@ -1199,10 +1199,10 @@ Validated Editions: Ultimate Edition - - - - + + + + @@ -1240,10 +1240,10 @@ Validated Editions: Ultimate Edition - - - - + + + + @@ -1270,10 +1270,10 @@ Validated Editions: Ultimate Edition - - - - + + + + @@ -1297,10 +1297,10 @@ Validated Editions: Ultimate Edition - - - - + + + + @@ -1318,10 +1318,10 @@ Validated Editions: Ultimate Edition
                        Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #AlgorithmsCryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                        Enhanced Cryptographic Provider (RSAENH)
                        Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #AlgorithmsCryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                        Kernel Mode Cryptographic Module (FIPS.SYS)
                        Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #AlgorithmsCryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                        DSS/Diffie-Hellman Enhanced Cryptographic Provider
                        Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #AlgorithmsCryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                        Microsoft Enhanced Cryptographic Provider
                        Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #AlgorithmsCryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                        Kernel Mode Cryptographic Module
                        Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #AlgorithmsCryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                        Kernel Mode Cryptographic Module (FIPS.SYS)
                        Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #AlgorithmsCryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                        Kernel Mode Cryptographic Module (FIPS.SYS)
                        Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #AlgorithmsCryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                        Base DSS Cryptographic Provider, Base Cryptographic Provider, DSS/Diffie-Hellman Enhanced Cryptographic Provider, and Enhanced Cryptographic Provider
                        Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #AlgorithmsCryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                        Base DSS Cryptographic Provider, Base Cryptographic Provider, DSS/Diffie-Hellman Enhanced Cryptographic Provider, and Enhanced Cryptographic Provider
                        Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #AlgorithmsCryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                        Base DSS Cryptographic Provider, Base Cryptographic Provider, DSS/Diffie-Hellman Enhanced Cryptographic Provider, and Enhanced Cryptographic Provider
                        - - - - + + + + @@ -1349,10 +1349,10 @@ Validated Editions: Standard, Datacenter - - - - + + + + @@ -1413,10 +1413,10 @@ Validated Editions: Standard, Datacenter - - - - + + + + @@ -1483,10 +1483,10 @@ Validated Editions: Standard, Datacenter, Storage Server - - - - + + + + @@ -1497,7 +1497,7 @@ Validated Editions: Standard, Datacenter, Storage Server Other algorithms: HMAC-MD5; MD5; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt) - +
                        Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #AlgorithmsCryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                        Base Cryptographic Provider
                        Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #AlgorithmsCryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                        Cryptographic Primitives Library
                        Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #AlgorithmsCryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                        Cryptographic Primitives Library
                        Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #AlgorithmsCryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                        Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)
                        Kernel Mode Cryptographic Primitives Library (cng.sys)Kernel Mode Cryptographic Primitives Library (cng.sys) 10.0.14393 2936 FIPS Approved algorithms: AES (Cert. #4064); DRBG (Cert. #1217); DSA (Cert. #1098); ECDSA (Cert. #911); HMAC (Cert. #2651); KAS (Cert. #92); KBKDF (Cert. #101); KTS (AES Cert. #4062; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2192, #2193 and #2195); SHS (Cert. #3347); Triple-DES (Cert. #2227)
                        @@ -1562,10 +1562,10 @@ Validated Editions: Server, Storage Server, - - - - + + + + @@ -1576,7 +1576,7 @@ Validated Editions: Server, Storage Server, Other algorithms: AES (Cert. #2832, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt) - +
                        Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #AlgorithmsCryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                        Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)
                        Kernel Mode Cryptographic Primitives Library (cng.sys)Kernel Mode Cryptographic Primitives Library (cng.sys) 6.3.9600 6.3.9600.17042 2356 FIPS Approved algorithms: AES (Cert. #2832); DRBG (Certs. #489); ECDSA (Cert. #505); HMAC (Cert. #1773); KAS (Cert. #47); KBKDF (Cert. #30); PBKDF (vendor affirmed); RSA (Certs. #1487, #1493 and #1519); SHS (Cert. # 2373); Triple-DES (Cert. #1692)
                        @@ -1638,10 +1638,10 @@ Validated Editions: Server, Storage Server - - - - + + + + @@ -1654,7 +1654,7 @@ Validated Editions: Server, Storage Server Other algorithms: AES (Cert. , key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt) - +
                        Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #AlgorithmsCryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                        Cryptographic Primitives Library (BCRYPTPRIMITIVES.DLL)
                        Kernel Mode Cryptographic Primitives Library (cng.sys)Kernel Mode Cryptographic Primitives Library (cng.sys) 6.2.9200 1891 FIPS Approved algorithms: AES (Certs. #2197 and #2216); DRBG (Certs. #258 and #259); ECDSA (Cert. #341); HMAC (Cert. #1345); KAS (Cert. #36); KBKDF (Cert. #3); PBKDF (vendor affirmed); RNG (Cert. #1110); RSA (Certs. #1133 and #1134); SHS (Cert. #1903); Triple-DES (Cert. #1387)
                        @@ -1728,10 +1728,10 @@ Validated Editions: Server, Storage Server - - - - + + + + @@ -1742,7 +1742,7 @@ Validated Editions: Server, Storage Server Other algorithms: MD5 - + - + - + - + - + - +
                        Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #AlgorithmsCryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                        Boot Manager (bootmgr)
                        Winload OS Loader (winload.exe)Winload OS Loader (winload.exe) 6.1.7600.16385, 6.1.7600.16757, 6.1.7600.20897, 6.1.7600.20916, 6.1.7601.17514, 6.1.7601.17556, 6.1.7601.21655 and 6.1.7601.216756.1.7600.16385, 6.1.7600.16757, 6.1.7600.20897, 6.1.7600.20916, 6.1.7601.17514, 6.1.7601.17556, 6.1.7601.21655 and 6.1.7601.21675 1333 FIPS Approved algorithms: AES (Certs. #1168 and #1177); RSA (Cert. #568); SHS (Cert. #1081)
                        @@ -1806,10 +1806,10 @@ Validated Editions: Server, Storage Server - - - - + + + + @@ -1820,7 +1820,7 @@ Validated Editions: Server, Storage Server Other algorithms: N/A - + - - - - + + + + @@ -1925,10 +1925,10 @@ Validated Editions: Server, Storage Server - - - - + + + + @@ -1972,10 +1972,10 @@ Validated Editions: Server, Storage Server - - - - + + + + @@ -2021,10 +2021,10 @@ Validated Editions: Server, Storage Server - - - - + + + + @@ -2056,10 +2056,10 @@ Validated Editions: Server, Storage Server - - - - + + + + @@ -2083,10 +2083,10 @@ Validated Editions: Server, Storage Server - - - - + + + + @@ -2113,8 +2113,8 @@ The following tables are organized by cryptographic algorithms with their modes, - - + + - + - - - +

                        XTS( (KS: XTS_128( (e/d) (f) ) KS: XTS_256( (e/d) (f) )

                        - + - + - + - + - + - +

                        XTS( (KS: XTS_128( (e/d) (f) ) KS: XTS_256( (e/d) (f) )

                        - - - - - - - +

                        XTS( (KS: XTS_128( (e/d) (f) ) KS: XTS_256( (e/d) (f) )

                        - - +

                        XTS( (KS: XTS_128( (e/d) (f) ) KS: XTS_256( (e/d) (f) )

                        - - - - + - +

                        GCM(KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )
                        +(KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )
                        +IV Generated: ( Externally ) ; PT Lengths Tested: ( 0 , 128 , 1024 , 8 , 1016 ) ; AAD Lengths tested: ( 0 , 128 , 1024 , 8 , 1016 ) ; IV Lengths Tested: ( 8 , 1024 ) ; 96BitIV_Supported
                        +GMAC_Supported

                        - - + - - - - - + - + - + - + - + - + - + - - + + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + @@ -3017,8 +3017,8 @@ Deterministic Random Bit Generator (DRBG) - - + + - - - - - - - - - - - @@ -3256,8 +3256,8 @@ Some of the previously validated components for this validation have been remove

                        Windows 7 Ultimate and SP1 CNG algorithms #386

                        - @@ -3265,16 +3265,16 @@ Some of the previously validated components for this validation have been remove

                        Windows 7 Ultimate and SP1 Enhanced DSS (DSSENH) #385

                        - - @@ -3282,8 +3282,8 @@ Some of the previously validated components for this validation have been remove

                        Windows Vista Ultimate SP1 Enhanced DSS (DSSENH) #281

                        - @@ -3291,61 +3291,61 @@ Some of the previously validated components for this validation have been remove

                        Windows Vista Enhanced DSS (DSSENH) #226

                        - - - - - -

                        Windows NT 4 SP6 DSSBASE.DLL #25

                        - @@ -3375,8 +3375,8 @@ SHS: SHA-1 (BYTE)

                        - - + +

                        Version 10.0.16299

                        - - - - + - + - - - - @@ -3747,79 +3747,79 @@ DRBG: - - - - - - @@ -3836,8 +3836,8 @@ Some of the previously validated components for this validation have been remove - - + + - + - + - + - + - + - + - - + - - - - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + @@ -4257,8 +4257,8 @@ SHS - - + + @@ -4790,15 +4790,15 @@ DRBG - +

                        ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration ) SCHEMES [ EphemeralUnified ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
                        +[ OnePassDH ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521   HMAC (SHA512, HMAC_SHA512) ) ]
                        +[ StaticUnified ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521   HMAC (SHA512, HMAC_SHA512) ) ]

                        - - @@ -4858,11 +4858,11 @@ DRBG - @@ -4870,11 +4870,11 @@ DRBG - @@ -4882,11 +4882,11 @@ DRBG - @@ -4894,20 +4894,20 @@ DRBG - - - + - + - + - +
                        Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #AlgorithmsCryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                        Boot Manager (bootmgr)
                        Winload OS Loader (winload.exe)Winload OS Loader (winload.exe) 6.0.6001.18000, 6.0.6001.18606, 6.0.6001.22861, 6.0.6002.18005, 6.0.6002.18411, 6.0.6002.22497 and 6.0.6002.225966.0.6001.18000, 6.0.6001.18606, 6.0.6001.22861, 6.0.6002.18005, 6.0.6002.18411, 6.0.6002.22497 and 6.0.6002.22596 1005 FIPS Approved algorithms: AES (Certs. #739 and #760); RSA (Cert. #355); SHS (Cert. #753)
                        @@ -1884,10 +1884,10 @@ Validated Editions: Server, Storage Server
                        Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #AlgorithmsCryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                        Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)
                        Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #AlgorithmsCryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                        Kernel Mode Cryptographic Module (FIPS.SYS)
                        Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #AlgorithmsCryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                        Kernel Mode Cryptographic Module (FIPS.SYS)
                        Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #AlgorithmsCryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                        Enhanced Cryptographic Provider
                        Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #AlgorithmsCryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                        Enhanced Cryptographic Provider
                        Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #AlgorithmsCryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                        Outlook Cryptographic Provider (EXCHCSP)
                        Modes / States / Key SizesAlgorithm Implementation and Certificate #Modes / States / Key SizesAlgorithm Implementation and Certificate #
                          @@ -2563,137 +2563,137 @@ The following tables are organized by cryptographic algorithms with their modes,

                          Version 10.0.16299

                        CBC ( e/d; 128 , 192 , 256 );

                        -

                        CFB128 ( e/d; 128 , 192 , 256 );

                        -

                        OFB ( e/d; 128 , 192 , 256 );

                        -

                        CTR ( int only; 128 , 192 , 256 )

                        CBC ( e/d; 128 , 192 , 256 );

                        +

                        CFB128 ( e/d; 128 , 192 , 256 );

                        +

                        OFB ( e/d; 128 , 192 , 256 );

                        +

                        CTR ( int only; 128 , 192 , 256 )

                        Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #4627

                        Version 10.0.15063

                        KW ( AE , AD , AES-128 , AES-192 , AES-256 , FWD , 128 , 256 , 192 , 320 , 2048 )

                        +

                        KW ( AE , AD , AES-128 , AES-192 , AES-256 , FWD , 128 , 256 , 192 , 320 , 2048 )

                        AES Val#4624

                        Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile Cryptography Next Generation (CNG) Implementations #4626

                        Version 10.0.15063

                        CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )

                        +

                        CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )

                        AES Val#4624

                         

                        Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile BitLocker(R) Cryptographic Implementations #4625

                        Version 10.0.15063

                        ECB ( e/d; 128 , 192 , 256 );

                        -

                        CBC ( e/d; 128 , 192 , 256 );

                        -

                        CFB8 ( e/d; 128 , 192 , 256 );

                        -

                        CFB128 ( e/d; 128 , 192 , 256 );

                        -

                        CTR ( int only; 128 , 192 , 256 )

                        -

                        CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )

                        -

                        CMAC (Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 )

                        -

                        GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )

                        +

                        ECB ( e/d; 128 , 192 , 256 );

                        +

                        CBC ( e/d; 128 , 192 , 256 );

                        +

                        CFB8 ( e/d; 128 , 192 , 256 );

                        +

                        CFB128 ( e/d; 128 , 192 , 256 );

                        +

                        CTR ( int only; 128 , 192 , 256 )

                        +

                        CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )

                        +

                        CMAC (Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 )

                        +

                        GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )

                        (KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )

                        IV Generated: ( External ) ; PT Lengths Tested: ( 0 , 1024 , 8 , 1016 ) ; AAD Lengths tested: ( 0 , 1024 , 8 , 1016 ) ; 96BitIV_Supported

                        GMAC_Supported

                        -

                        XTS( (KS: XTS_128( (e/d) (f) ) KS: XTS_256( (e/d) (f) )

                        Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #4624

                        Version 10.0.15063

                        ECB ( e/d; 128 , 192 , 256 );

                        -

                        CBC ( e/d; 128 , 192 , 256 );

                        ECB ( e/d; 128 , 192 , 256 );

                        +

                        CBC ( e/d; 128 , 192 , 256 );

                        Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #4434

                        Version 7.00.2872

                        ECB ( e/d; 128 , 192 , 256 );

                        -

                        CBC ( e/d; 128 , 192 , 256 );

                        ECB ( e/d; 128 , 192 , 256 );

                        +

                        CBC ( e/d; 128 , 192 , 256 );

                        Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #4433

                        Version 8.00.6246

                        ECB ( e/d; 128 , 192 , 256 );

                        -

                        CBC ( e/d; 128 , 192 , 256 );

                        -

                        CTR ( int only; 128 , 192 , 256 )

                        ECB ( e/d; 128 , 192 , 256 );

                        +

                        CBC ( e/d; 128 , 192 , 256 );

                        +

                        CTR ( int only; 128 , 192 , 256 )

                        Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #4431

                        Version 7.00.2872

                        ECB ( e/d; 128 , 192 , 256 );

                        -

                        CBC ( e/d; 128 , 192 , 256 );

                        -

                        CTR ( int only; 128 , 192 , 256 )

                        ECB ( e/d; 128 , 192 , 256 );

                        +

                        CBC ( e/d; 128 , 192 , 256 );

                        +

                        CTR ( int only; 128 , 192 , 256 )

                        Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #4430

                        Version 8.00.6246

                        CBC ( e/d; 128 , 192 , 256 );

                        -

                        CFB128 ( e/d; 128 , 192 , 256 );

                        -

                        OFB ( e/d; 128 , 192 , 256 );

                        -

                        CTR ( int only; 128 , 192 , 256 )

                        CBC ( e/d; 128 , 192 , 256 );

                        +

                        CFB128 ( e/d; 128 , 192 , 256 );

                        +

                        OFB ( e/d; 128 , 192 , 256 );

                        +

                        CTR ( int only; 128 , 192 , 256 )

                        Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #4074

                        Version 10.0.14393

                        ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 ); CFB128 ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 )

                        -

                        CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )

                        -

                        CMAC (Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 )

                        -

                        GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )
                        +

                        ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 ); CFB128 ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 )

                        +

                        CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )

                        +

                        CMAC (Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 )

                        +

                        GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )
                        (KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )
                        -IV Generated:  ( Externally ) ; PT Lengths Tested:  ( 0 , 1024 , 8 , 1016 ) ; AAD Lengths tested:  ( 0 , 1024 , 8 , 1016 ) ; IV Lengths Tested:  ( 0 , 0 ) ; 96BitIV_Supported
                        +IV Generated:  ( Externally ) ; PT Lengths Tested:  ( 0 , 1024 , 8 , 1016 ) ; AAD Lengths tested:  ( 0 , 1024 , 8 , 1016 ) ; IV Lengths Tested:  ( 0 , 0 ) ; 96BitIV_Supported
                        GMAC_Supported

                        -

                        XTS( (KS: XTS_128( (e/d) (f) ) KS: XTS_256( (e/d) (f) )

                        Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #4064

                        Version 10.0.14393

                        ECB ( e/d; 128 , 192 , 256 );

                        -

                        CBC ( e/d; 128 , 192 , 256 );

                        -

                        CFB8 ( e/d; 128 , 192 , 256 );

                        +

                        ECB ( e/d; 128 , 192 , 256 );

                        +

                        CBC ( e/d; 128 , 192 , 256 );

                        +

                        CFB8 ( e/d; 128 , 192 , 256 );

                         

                        Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update RSA32 Algorithm Implementations #4063
                        Version 10.0.14393

                        KW  ( AE , AD , AES-128 , AES-192 , AES-256 , FWD , 128 , 192 , 256 , 320 , 2048 )

                        +

                        KW  ( AE , AD , AES-128 , AES-192 , AES-256 , FWD , 128 , 192 , 256 , 320 , 2048 )

                        AES Val#4064

                        Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #4062

                        Version 10.0.14393

                        CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )

                        +

                        CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )

                        AES Val#4064

                        Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update BitLocker® Cryptographic Implementations #4061

                        Version 10.0.14393

                        KW  ( AE , AD , AES-128 , AES-192 , AES-256 , FWD , 128 , 256 , 192 , 320 , 2048 )

                        +

                        KW  ( AE , AD , AES-128 , AES-192 , AES-256 , FWD , 128 , 256 , 192 , 320 , 2048 )

                        AES Val#3629

                        Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” Cryptography Next Generation (CNG) Implementations #3652

                        Version 10.0.10586

                        CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )

                        +

                        CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )

                        AES Val#3629

                        Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” BitLocker® Cryptographic Implementations #3653

                        Version 10.0.10586

                        ECB ( e/d; 128 , 192 , 256 );

                        -

                        CBC ( e/d; 128 , 192 , 256 );

                        -

                        CFB8 ( e/d; 128 , 192 , 256 );

                        +

                        ECB ( e/d; 128 , 192 , 256 );

                        +

                        CBC ( e/d; 128 , 192 , 256 );

                        +

                        CFB8 ( e/d; 128 , 192 , 256 );

                         

                        Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” RSA32 Algorithm Implementations #3630
                        Version 10.0.10586

                        ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 ); CFB128 ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 )

                        -

                        CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )

                        -

                        CMAC (Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 )

                        -

                        GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )
                        +

                        ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 ); CFB128 ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 )

                        +

                        CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )

                        +

                        CMAC (Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 )

                        +

                        GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )
                        (KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )
                        -IV Generated:  ( Externally ) ; PT Lengths Tested:  ( 0 , 1024 , 8 , 1016 ) ; AAD Lengths tested:  ( 0 , 1024 , 8 , 1016 ) ; IV Lengths Tested:  ( 0 , 0 ) ; 96BitIV_Supported
                        +IV Generated:  ( Externally ) ; PT Lengths Tested:  ( 0 , 1024 , 8 , 1016 ) ; AAD Lengths tested:  ( 0 , 1024 , 8 , 1016 ) ; IV Lengths Tested:  ( 0 , 0 ) ; 96BitIV_Supported
                        GMAC_Supported

                        -

                        XTS( (KS: XTS_128( (e/d) (f) ) KS: XTS_256( (e/d) (f) )

                        Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” SymCrypt Cryptographic Implementations #3629

                        @@ -2706,141 +2706,141 @@ GMAC_Supported

                        Version 10.0.10240

                        CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )

                        +

                        CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )

                        AES Val#3497

                        Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 BitLocker® Cryptographic Implementations #3498

                        Version 10.0.10240

                        ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 ); CFB128 ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 )

                        -

                        CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )

                        -

                        CMAC(Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 )

                        -

                        GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )
                        +

                        ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 ); CFB128 ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 )

                        +

                        CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )

                        +

                        CMAC(Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 )

                        +

                        GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )
                        (KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )
                        -IV Generated:  ( Externally ) ; PT Lengths Tested:  ( 0 , 1024 , 8 , 1016 ) ; AAD Lengths tested:  ( 0 , 1024 , 8 , 1016 ) ; IV Lengths Tested:  ( 0 , 0 ) ; 96BitIV_Supported
                        +IV Generated:  ( Externally ) ; PT Lengths Tested:  ( 0 , 1024 , 8 , 1016 ) ; AAD Lengths tested:  ( 0 , 1024 , 8 , 1016 ) ; IV Lengths Tested:  ( 0 , 0 ) ; 96BitIV_Supported
                        GMAC_Supported

                        -

                        XTS( (KS: XTS_128( (e/d) (f) ) KS: XTS_256( (e/d) (f) )

                        Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #3497
                        Version 10.0.10240

                        ECB ( e/d; 128 , 192 , 256 );

                        -

                        CBC ( e/d; 128 , 192 , 256 );

                        -

                        CFB8 ( e/d; 128 , 192 , 256 );

                        +

                        ECB ( e/d; 128 , 192 , 256 );

                        +

                        CBC ( e/d; 128 , 192 , 256 );

                        +

                        CFB8 ( e/d; 128 , 192 , 256 );

                         

                        Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 RSA32 Algorithm Implementations #3476
                        Version 10.0.10240

                        ECB ( e/d; 128 , 192 , 256 );

                        -

                        CBC ( e/d; 128 , 192 , 256 );

                        -

                        CFB8 ( e/d; 128 , 192 , 256 );

                        +

                        ECB ( e/d; 128 , 192 , 256 );

                        +

                        CBC ( e/d; 128 , 192 , 256 );

                        +

                        CFB8 ( e/d; 128 , 192 , 256 );

                         

                        Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry RSA32 Algorithm Implementations #2853

                        Version 6.3.9600

                        CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )

                        +

                        CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )

                        AES Val#2832

                        Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 BitLocker� Cryptographic Implementations #2848

                        Version 6.3.9600

                        CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 0 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )

                        -

                        CMAC (Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 )

                        -

                        GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )

                        -

                        (KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )

                        -

                        IV Generated:  ( Externally ) ; PT Lengths Tested:  ( 0 , 128 , 1024 , 8 , 1016 ) ; AAD Lengths tested:  ( 0 , 128 , 1024 , 8 , 1016 ) ; IV Lengths Tested:  ( 8 , 1024 ) ; 96BitIV_Supported ;
                        -OtherIVLen_Supported
                        -GMAC_Supported

                        CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 0 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )

                        +

                        CMAC (Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 )

                        +

                        GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )

                        +

                        (KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )

                        +

                        IV Generated:  ( Externally ) ; PT Lengths Tested:  ( 0 , 128 , 1024 , 8 , 1016 ) ; AAD Lengths tested:  ( 0 , 128 , 1024 , 8 , 1016 ) ; IV Lengths Tested:  ( 8 , 1024 ) ; 96BitIV_Supported ;
                        +OtherIVLen_Supported
                        +GMAC_Supported

                        Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #2832

                        Version 6.3.9600

                        CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )
                        +

                        CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )
                        AES Val#2197

                        -

                        CMAC (Generation/Verification ) (KS: 128; Block Size(s): ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) (KS: 192; Block Size(s): ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) (KS: 256; Block Size(s): ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 )
                        +

                        CMAC (Generation/Verification ) (KS: 128; Block Size(s): ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) (KS: 192; Block Size(s): ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) (KS: 256; Block Size(s): ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 )
                        AES Val#2197

                        -

                        GCM(KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )
                        -(KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )
                        -IV Generated: ( Externally ) ; PT Lengths Tested: ( 0 , 128 , 1024 , 8 , 1016 ) ; AAD Lengths tested: ( 0 , 128 , 1024 , 8 , 1016 ) ; IV Lengths Tested: ( 8 , 1024 ) ; 96BitIV_Supported
                        -GMAC_Supported

                        Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #2216

                        CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )

                        +

                        CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )

                        AES Val#2196

                        Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 BitLocker® Cryptographic Implementations #2198

                        ECB ( e/d; 128 , 192 , 256 );

                        -

                        CBC ( e/d; 128 , 192 , 256 );

                        -

                        CFB8 ( e/d; 128 , 192 , 256 );

                        -

                        CFB128 ( e/d; 128 , 192 , 256 );

                        -

                        CTR ( int only; 128 , 192 , 256 )

                        ECB ( e/d; 128 , 192 , 256 );

                        +

                        CBC ( e/d; 128 , 192 , 256 );

                        +

                        CFB8 ( e/d; 128 , 192 , 256 );

                        +

                        CFB128 ( e/d; 128 , 192 , 256 );

                        +

                        CTR ( int only; 128 , 192 , 256 )

                        Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #2197

                        ECB ( e/d; 128 , 192 , 256 );

                        -

                        CBC ( e/d; 128 , 192 , 256 );

                        -

                        CFB8 ( e/d; 128 , 192 , 256 );

                        +

                        ECB ( e/d; 128 , 192 , 256 );

                        +

                        CBC ( e/d; 128 , 192 , 256 );

                        +

                        CFB8 ( e/d; 128 , 192 , 256 );

                         

                        Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Symmetric Algorithm Implementations (RSA32) #2196
                        CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 – 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )
                        +
                        CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 – 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )
                        AES Val#1168

                        Windows Server 2008 R2 and SP1 CNG algorithms #1187

                        Windows 7 Ultimate and SP1 CNG algorithms #1178

                        CCM (KS: 128 , 256 ) (Assoc. Data Len Range: 0 - 8 ) (Payload Length Range: 4 - 32 ( Nonce Length(s): 7 8 12 13 (Tag Length(s): 4 6 8 14 16 )
                        +
                        CCM (KS: 128 , 256 ) (Assoc. Data Len Range: 0 - 8 ) (Payload Length Range: 4 - 32 ( Nonce Length(s): 7 8 12 13 (Tag Length(s): 4 6 8 14 16 )
                        AES Val#1168
                        Windows 7 Ultimate and SP1 and Windows Server 2008 R2 and SP1 BitLocker Algorithm Implementations #1177

                        ECB ( e/d; 128 , 192 , 256 );

                        -

                        CBC ( e/d; 128 , 192 , 256 );

                        -

                        CFB8 ( e/d; 128 , 192 , 256 );

                        +

                        ECB ( e/d; 128 , 192 , 256 );

                        +

                        CBC ( e/d; 128 , 192 , 256 );

                        +

                        CFB8 ( e/d; 128 , 192 , 256 );

                         

                        Windows 7 and SP1 and Windows Server 2008 R2 and SP1 Symmetric Algorithm Implementation #1168

                        GCM

                        -

                        GMAC

                        GCM

                        +

                        GMAC

                        Windows 7 and SP1 and Windows Server 2008 R2 and SP1 Symmetric Algorithm Implementation #1168 , vendor-affirmed
                        CCM (KS: 128 , 256 ) (Assoc. Data Len Range: 0 - 8 ) (Payload Length Range: 4 - 32 ( Nonce Length(s): 7 8 12 13 (Tag Length(s): 4 6 8 14 16 )CCM (KS: 128 , 256 ) (Assoc. Data Len Range: 0 - 8 ) (Payload Length Range: 4 - 32 ( Nonce Length(s): 7 8 12 13 (Tag Length(s): 4 6 8 14 16 ) Windows Vista Ultimate SP1 and Windows Server 2008 BitLocker Algorithm Implementations #760
                        CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 1 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 1 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )

                        Windows Server 2008 CNG algorithms #757

                        Windows Vista Ultimate SP1 CNG algorithms #756

                        CBC ( e/d; 128 , 256 );

                        -

                        CCM (KS: 128 , 256 ) (Assoc. Data Len Range: 0 - 8 ) (Payload Length Range: 4 - 32 ( Nonce Length(s): 7 8 12 13 (Tag Length(s): 4 6 8 14 16 )

                        CBC ( e/d; 128 , 256 );

                        +

                        CCM (KS: 128 , 256 ) (Assoc. Data Len Range: 0 - 8 ) (Payload Length Range: 4 - 32 ( Nonce Length(s): 7 8 12 13 (Tag Length(s): 4 6 8 14 16 )

                        Windows Vista Ultimate BitLocker Drive Encryption #715

                        Windows Vista Ultimate BitLocker Drive Encryption #424

                        ECB ( e/d; 128 , 192 , 256 );

                        -

                        CBC ( e/d; 128 , 192 , 256 );

                        -

                        CFB8 ( e/d; 128 , 192 , 256 );

                        ECB ( e/d; 128 , 192 , 256 );

                        +

                        CBC ( e/d; 128 , 192 , 256 );

                        +

                        CFB8 ( e/d; 128 , 192 , 256 );

                        Windows Vista Ultimate SP1 and Windows Server 2008 Symmetric Algorithm Implementation #739

                        Windows Vista Symmetric Algorithm Implementation #553

                        ECB ( e/d; 128 , 192 , 256 );

                        -

                        CBC ( e/d; 128 , 192 , 256 );

                        -

                        CTR ( int only; 128 , 192 , 256 )

                        ECB ( e/d; 128 , 192 , 256 );

                        +

                        CBC ( e/d; 128 , 192 , 256 );

                        +

                        CTR ( int only; 128 , 192 , 256 )

                        Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #2023

                        ECB ( e/d; 128 , 192 , 256 );

                        -

                        CBC ( e/d; 128 , 192 , 256 );

                        ECB ( e/d; 128 , 192 , 256 );

                        +

                        CBC ( e/d; 128 , 192 , 256 );

                        Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #2024

                        Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #818

                        Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #781

                        @@ -2865,8 +2865,8 @@ Deterministic Random Bit Generator (DRBG)
                        Modes / States / Key SizesAlgorithm Implementation and Certificate #Modes / States / Key SizesAlgorithm Implementation and Certificate #
                          @@ -2934,74 +2934,74 @@ Deterministic Random Bit Generator (DRBG)

                          Version 10.0.16299

                        CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4627 ) ]CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4627 ) ]

                        Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #1556

                        Version 10.0.15063

                        CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#4624 ) ]CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#4624 ) ]

                        Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1555

                        Version 10.0.15063

                        CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4434 ) ]CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4434 ) ]

                        Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #1433

                        Version 7.00.2872

                        CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4433 ) ]CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4433 ) ]

                        Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #1432

                        Version 8.00.6246

                        CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4431 ) ]CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4431 ) ]

                        Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1430

                        Version 7.00.2872

                        CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4430 ) ]CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4430 ) ]

                        Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1429

                        Version 8.00.6246

                        CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4074 ) ]CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4074 ) ]

                        Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #1222

                        Version 10.0.14393

                        CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#4064 ) ]CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#4064 ) ]

                        Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #1217

                        Version 10.0.14393

                        CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#3629 ) ]CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#3629 ) ]

                        Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub SymCrypt Cryptographic Implementations #955

                        Version 10.0.10586

                        CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#3497 ) ]CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#3497 ) ]

                        Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #868

                        Version 10.0.10240

                        CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#2832 ) ]CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#2832 ) ]

                        Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #489

                        Version 6.3.9600

                        CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#2197 ) ]CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#2197 ) ] Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #258
                        CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#2023 ) ]CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#2023 ) ] Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #193
                        CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#1168 ) ]CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#1168 ) ] Windows 7 Ultimate and SP1 and Windows Server 2008 R2 and SP1 RNG Library #23
                        DRBG (SP 800–90)DRBG (SP 800–90) Windows Vista Ultimate SP1, vendor-affirmed
                        Modes / States / Key SizesAlgorithm Implementation and Certificate #Modes / States / Key SizesAlgorithm Implementation and Certificate #
                          @@ -3137,118 +3137,118 @@ Deterministic Random Bit Generator (DRBG)

                          Version 10.0.16299

                        FIPS186-4:

                        -

                        PQG(gen)PARMS TESTED:   [ (2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ]

                        -

                        PQG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]

                        -

                        KeyPairGen:   [ (2048,256) ; (3072,256) ]

                        -

                        SIG(gen)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ]

                        -

                        SIG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]

                        +

                        FIPS186-4:

                        +

                        PQG(gen)PARMS TESTED:   [ (2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ]

                        +

                        PQG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]

                        +

                        KeyPairGen:   [ (2048,256) ; (3072,256) ]

                        +

                        SIG(gen)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ]

                        +

                        SIG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]

                        SHS: Val#3790

                        DRBG: Val# 1555

                        Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1223

                        Version 10.0.15063

                        FIPS186-4:
                        -PQG(ver)PARMS TESTED:
                          [ (1024,160) SHA( 1 ); ]
                        -SIG(ver)PARMS TESTED:   [ (1024,160) SHA( 1 ); ]
                        +
                        FIPS186-4:
                        +PQG(ver)PARMS TESTED:
                          [ (1024,160) SHA( 1 ); ]
                        +SIG(ver)PARMS TESTED:   [ (1024,160) SHA( 1 ); ]
                        SHS: Val# 3649

                        Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1188

                        Version 7.00.2872

                        FIPS186-4:
                        -PQG(ver)PARMS TESTED:
                          [ (1024,160) SHA( 1 ); ]
                        -SIG(ver)PARMS TESTED:   [ (1024,160) SHA( 1 ); ]
                        +
                        FIPS186-4:
                        +PQG(ver)PARMS TESTED:
                          [ (1024,160) SHA( 1 ); ]
                        +SIG(ver)PARMS TESTED:   [ (1024,160) SHA( 1 ); ]
                        SHS: Val#3648

                        Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1187

                        Version 8.00.6246

                        FIPS186-4:
                        -PQG(gen)
                        PARMS TESTED: [
                        +

                        FIPS186-4:
                        +PQG(gen)
                        PARMS TESTED: [
                        (2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ]
                        -PQG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
                        +PQG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
                        KeyPairGen:    [ (2048,256) ; (3072,256) ]
                        -SIG(gen)PARMS TESTED:   [ (2048,256)
                        +SIG(gen)PARMS TESTED:   [ (2048,256)
                        SHA( 256 ); (3072,256) SHA( 256 ); ]
                        -SIG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]

                        +SIG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]

                        SHS: Val# 3347
                        DRBG: Val# 1217

                        Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations #1098

                        Version 10.0.14393

                        FIPS186-4:
                        -PQG(gen)
                        PARMS TESTED:   [ (2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ] PQG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 )]
                        -KeyPairGen:    [ (2048,256) ; (3072,256) ] SIG(gen)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ]
                        -SIG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]

                        +

                        FIPS186-4:
                        +PQG(gen)
                        PARMS TESTED:   [ (2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ] PQG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 )]
                        +KeyPairGen:    [ (2048,256) ; (3072,256) ] SIG(gen)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ]
                        +SIG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]

                        SHS: Val# 3047
                        DRBG: Val# 955

                        Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” MsBignum Cryptographic Implementations #1024

                        Version 10.0.10586

                        FIPS186-4:
                        -PQG(gen)
                        PARMS TESTED:   [ (2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ]
                        -PQG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
                        +

                        FIPS186-4:
                        +PQG(gen)
                        PARMS TESTED:   [ (2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ]
                        +PQG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
                        KeyPairGen:    [ (2048,256) ; (3072,256) ]
                        -SIG(gen)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ] SIG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]

                        +SIG(gen)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ] SIG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]

                        SHS: Val# 2886
                        DRBG: Val# 868

                        Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 MsBignum Cryptographic Implementations #983

                        Version 10.0.10240

                        FIPS186-4:
                        -PQG(gen)
                        PARMS TESTED:   [
                        +

                        FIPS186-4:
                        +PQG(gen)
                        PARMS TESTED:   [
                        (2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ]
                        -PQG(ver)PARMS TESTED:   [ (2048,256)
                        +PQG(ver)PARMS TESTED:   [ (2048,256)
                        SHA( 256 ); (3072,256) SHA( 256 ) ]
                        KeyPairGen:    [ (2048,256) ; (3072,256) ]
                        -SIG(gen)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ]
                        -SIG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]

                        +SIG(gen)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ]
                        +SIG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]

                        SHS: Val# 2373
                        DRBG: Val# 489

                        Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #855

                        Version 6.3.9600

                        FIPS186-2:
                        -PQG(ver) MOD(1024);
                        -SIG(ver) MOD(1024);
                        +

                        FIPS186-2:
                        +PQG(ver) MOD(1024);
                        +SIG(ver) MOD(1024);
                        SHS: #1903
                        DRBG: #258

                        -

                        FIPS186-4:
                        -PQG(gen)PARMS TESTED
                        : [ (2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ]
                        -PQG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
                        -SIG(gen)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ]
                        -SIG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
                        +

                        FIPS186-4:
                        +PQG(gen)PARMS TESTED
                        : [ (2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ]
                        +PQG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
                        +SIG(gen)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ]
                        +SIG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
                        SHS: #1903
                        DRBG: #258
                        Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#687.

                        Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #687
                        FIPS186-2:
                        -PQG(ver)
                        MOD(1024);
                        -SIG(ver) MOD(1024);
                        +
                        FIPS186-2:
                        +PQG(ver)
                        MOD(1024);
                        +SIG(ver) MOD(1024);
                        SHS: #1902
                        DRBG: #258
                        Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#686.
                        Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 DSS and Diffie-Hellman Enhanced Cryptographic Provider (DSSENH) #686
                        FIPS186-2:
                        -SIG(ver)
                        MOD(1024);
                        +
                        FIPS186-2:
                        +SIG(ver)
                        MOD(1024);
                        SHS: Val# 1773
                        DRBG: Val# 193
                        Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#645.
                        Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #645
                        FIPS186-2:
                        -SIG(ver)
                        MOD(1024);
                        +
                        FIPS186-2:
                        +SIG(ver)
                        MOD(1024);
                        SHS: Val# 1081
                        DRBG: Val# 23
                        Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#391. See Historical DSA List Val#386.
                        FIPS186-2:
                        -SIG(ver)
                        MOD(1024);
                        +
                        FIPS186-2:
                        +SIG(ver)
                        MOD(1024);
                        SHS: Val# 1081
                        RNG: Val# 649
                        Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#390. See Historical DSA List Val#385.
                        FIPS186-2:
                        -SIG(ver)
                        MOD(1024);
                        +
                        FIPS186-2:
                        +SIG(ver)
                        MOD(1024);
                        SHS: Val# 753
                        Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#284. See Historical DSA List Val#283.

                        Windows Server 2008 CNG algorithms #284

                        Windows Vista Ultimate SP1 CNG algorithms #283

                        FIPS186-2:
                        -SIG(ver)
                        MOD(1024);
                        +
                        FIPS186-2:
                        +SIG(ver)
                        MOD(1024);
                        SHS: Val# 753
                        RNG: Val# 435
                        Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#282. See Historical DSA List Val#281.
                        FIPS186-2:
                        -SIG(ver)
                        MOD(1024);
                        +
                        FIPS186-2:
                        +SIG(ver)
                        MOD(1024);
                        SHS: Val# 618
                        RNG: Val# 321
                        Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#227. See Historical DSA List Val#226.
                        FIPS186-2:
                        -SIG(ver)
                        MOD(1024);
                        +
                        FIPS186-2:
                        +SIG(ver)
                        MOD(1024);
                        SHS: Val# 784
                        RNG: Val# 448
                        Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#292.
                        Windows XP Professional SP3 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #292
                        FIPS186-2:
                        -SIG(ver)
                        MOD(1024);
                        +
                        FIPS186-2:
                        +SIG(ver)
                        MOD(1024);
                        SHS: Val# 783
                        RNG: Val# 447
                        Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#291.
                        Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #291
                        FIPS186-2:
                        -PQG(gen)
                        MOD(1024);
                        -PQG(ver) MOD(1024);
                        -KEYGEN(Y) MOD(1024);
                        -SIG(gen) MOD(1024);
                        -SIG(ver) MOD(1024);
                        +
                        FIPS186-2:
                        +PQG(gen)
                        MOD(1024);
                        +PQG(ver) MOD(1024);
                        +KEYGEN(Y) MOD(1024);
                        +SIG(gen) MOD(1024);
                        +SIG(ver) MOD(1024);
                        SHS: Val# 611
                        RNG: Val# 314
                        Windows 2003 SP2 Enhanced DSS and Diffie-Hellman Cryptographic Provider #221
                        FIPS186-2:
                        -PQG(gen)
                        MOD(1024);
                        -PQG(ver) MOD(1024);
                        -KEYGEN(Y) MOD(1024);
                        -SIG(gen) MOD(1024);
                        -SIG(ver) MOD(1024);
                        +
                        FIPS186-2:
                        +PQG(gen)
                        MOD(1024);
                        +PQG(ver) MOD(1024);
                        +KEYGEN(Y) MOD(1024);
                        +SIG(gen) MOD(1024);
                        +SIG(ver) MOD(1024);
                        SHS: Val# 385
                        Windows Server 2003 SP1 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #146
                        FIPS186-2:
                        -PQG(ver)
                        MOD(1024);
                        -KEYGEN(Y) MOD(1024);
                        -SIG(gen) MOD(1024);
                        -SIG(ver) MOD(1024);
                        +
                        FIPS186-2:
                        +PQG(ver)
                        MOD(1024);
                        +KEYGEN(Y) MOD(1024);
                        +SIG(gen) MOD(1024);
                        +SIG(ver) MOD(1024);
                        SHS: Val# 181

                        Windows Server 2003 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #95
                        FIPS186-2:
                        -PQG(gen)
                        MOD(1024);
                        -PQG(ver) MOD(1024);
                        -KEYGEN(Y) MOD(1024);
                        -SIG(gen) MOD(1024);
                        +
                        FIPS186-2:
                        +PQG(gen)
                        MOD(1024);
                        +PQG(ver) MOD(1024);
                        +KEYGEN(Y) MOD(1024);
                        +SIG(gen) MOD(1024);
                        SHS: SHA-1 (BYTE)
                        -SIG(ver) MOD(1024);
                        +SIG(ver) MOD(1024);
                        SHS: SHA-1 (BYTE)

                        Windows 2000 DSSENH.DLL #29

                        Windows 2000 DSSBASE.DLL #28

                        @@ -3353,12 +3353,12 @@ SHS: SHA-1 (BYTE)

                        FIPS186-2: PRIME;
                        -FIPS186-2:

                        -

                        KEYGEN(Y):
                        +

                        FIPS186-2: PRIME;
                        +FIPS186-2:

                        +

                        KEYGEN(Y):
                        SHS: SHA-1 (BYTE)

                        -

                        SIG(gen):
                        -SIG(ver)
                        MOD(1024);
                        +

                        SIG(gen):
                        +SIG(ver)
                        MOD(1024);
                        SHS: SHA-1 (BYTE)

                        Windows NT 4.0 SP4 Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider #17
                        Modes / States / Key SizesAlgorithm Implementation and Certificate #Modes / States / Key SizesAlgorithm Implementation and Certificate #
                          @@ -3653,93 +3653,93 @@ SHS: SHA-1 (BYTE)

                        FIPS186-4:
                        -PKG: CURVES
                        ( P-256 P-384 TestingCandidates )
                        +
                        FIPS186-4:
                        +PKG: CURVES
                        ( P-256 P-384 TestingCandidates )
                        SHS: Val#3790
                        DRBG: Val# 1555

                        Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #1136

                        Version 10.0.15063

                        FIPS186-4:
                        -PKG: CURVES
                        ( P-256 P-384 P-521 ExtraRandomBits )
                        -PKV: CURVES( P-256 P-384 P-521 )
                        -SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
                        -SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
                        +
                        FIPS186-4:
                        +PKG: CURVES
                        ( P-256 P-384 P-521 ExtraRandomBits )
                        +PKV: CURVES( P-256 P-384 P-521 )
                        +SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
                        +SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
                        SHS: Val#3790
                        DRBG: Val# 1555

                        Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile MsBignum Cryptographic Implementations #1135

                        Version 10.0.15063

                        FIPS186-4:
                        -PKG: CURVES
                        ( P-256 P-384 P-521 ExtraRandomBits )
                        -PKV: CURVES( P-256 P-384 P-521 )
                        -SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
                        -SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
                        +
                        FIPS186-4:
                        +PKG: CURVES
                        ( P-256 P-384 P-521 ExtraRandomBits )
                        +PKV: CURVES( P-256 P-384 P-521 )
                        +SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
                        +SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
                        SHS: Val#3790
                        DRBG: Val# 1555

                        Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1133

                        Version 10.0.15063

                        FIPS186-4:
                        -PKG: CURVES
                        ( P-256 P-384 P-521 ExtraRandomBits )
                        -PKV: CURVES( P-256 P-384 P-521 )
                        -SigGen: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) SIG(gen) with SHA-1 affirmed for use with protocols only.
                        -SigVer: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) )
                        -SHS:Val# 3649
                        -DRBG:Val# 1430
                        FIPS186-4:
                        +PKG: CURVES
                        ( P-256 P-384 P-521 ExtraRandomBits )
                        +PKV: CURVES( P-256 P-384 P-521 )
                        +SigGen: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) SIG(gen) with SHA-1 affirmed for use with protocols only.
                        +SigVer: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) )
                        +SHS:Val# 3649
                        +DRBG:Val# 1430

                        Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1073

                        Version 7.00.2872

                        FIPS186-4:
                        -PKG: CURVES
                        ( P-256 P-384 P-521 ExtraRandomBits )
                        -PKV: CURVES( P-256 P-384 P-521 )
                        -SigGen: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) SIG(gen) with SHA-1 affirmed for use with protocols only.
                        -SigVer: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) )
                        -SHS:Val#3648
                        -DRBG:Val# 1429
                        FIPS186-4:
                        +PKG: CURVES
                        ( P-256 P-384 P-521 ExtraRandomBits )
                        +PKV: CURVES( P-256 P-384 P-521 )
                        +SigGen: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) SIG(gen) with SHA-1 affirmed for use with protocols only.
                        +SigVer: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) )
                        +SHS:Val#3648
                        +DRBG:Val# 1429

                        Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1072

                        Version 8.00.6246

                        FIPS186-4:
                        -PKG: CURVES
                        ( P-256 P-384 TestingCandidates )
                        -PKV: CURVES( P-256 P-384 )
                        -SigGen: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 256, 384) SIG(gen) with SHA-1 affirmed for use with protocols only.
                        -SigVer: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 256, 384) )

                        +

                        FIPS186-4:
                        +PKG: CURVES
                        ( P-256 P-384 TestingCandidates )
                        +PKV: CURVES( P-256 P-384 )
                        +SigGen: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 256, 384) SIG(gen) with SHA-1 affirmed for use with protocols only.
                        +SigVer: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 256, 384) )

                        SHS: Val# 3347
                        DRBG: Val# 1222

                        Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #920

                        Version 10.0.14393

                        FIPS186-4:
                        -PKG: CURVES
                        ( P-256 P-384 P-521 ExtraRandomBits )
                        -PKV: CURVES( P-256 P-384 P-521 )
                        -SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
                        -SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )

                        +

                        FIPS186-4:
                        +PKG: CURVES
                        ( P-256 P-384 P-521 ExtraRandomBits )
                        +PKV: CURVES( P-256 P-384 P-521 )
                        +SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
                        +SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )

                        SHS: Val# 3347
                        DRBG: Val# 1217

                        Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations #911

                        Version 10.0.14393

                        FIPS186-4:
                        -PKG: CURVES
                        ( P-256 P-384 P-521 ExtraRandomBits )
                        -SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
                        -SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )

                        +

                        FIPS186-4:
                        +PKG: CURVES
                        ( P-256 P-384 P-521 ExtraRandomBits )
                        +SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
                        +SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )

                        SHS: Val# 3047
                        DRBG: Val# 955

                        Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” MsBignum Cryptographic Implementations #760

                        Version 10.0.10586

                        FIPS186-4:
                        -PKG: CURVES
                        ( P-256 P-384 P-521 ExtraRandomBits )
                        -SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
                        +

                        FIPS186-4:
                        +PKG: CURVES
                        ( P-256 P-384 P-521 ExtraRandomBits )
                        +SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
                        SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )

                        SHS: Val# 2886
                        DRBG: Val# 868

                        FIPS186-4:
                        -PKG: CURVES
                        ( P-256 P-384 P-521 ExtraRandomBits )
                        -SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
                        -SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )

                        +

                        FIPS186-4:
                        +PKG: CURVES
                        ( P-256 P-384 P-521 ExtraRandomBits )
                        +SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
                        +SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )

                        SHS: Val#2373
                        DRBG: Val# 489

                        Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #505

                        Version 6.3.9600

                        FIPS186-2:
                        -PKG: CURVES
                        ( P-256 P-384 P-521 )
                        -SHS: #1903
                        -DRBG: #258
                        -SIG(ver):CURVES( P-256 P-384 P-521 )
                        -SHS: #1903
                        -DRBG: #258

                        -

                        FIPS186-4:
                        -PKG: CURVES
                        ( P-256 P-384 P-521 ExtraRandomBits )
                        -SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
                        -SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
                        -SHS: #1903
                        -DRBG: #258
                        +

                        FIPS186-2:
                        +PKG: CURVES
                        ( P-256 P-384 P-521 )
                        +SHS: #1903
                        +DRBG: #258
                        +SIG(ver):CURVES( P-256 P-384 P-521 )
                        +SHS: #1903
                        +DRBG: #258

                        +

                        FIPS186-4:
                        +PKG: CURVES
                        ( P-256 P-384 P-521 ExtraRandomBits )
                        +SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
                        +SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
                        +SHS: #1903
                        +DRBG: #258
                        Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#341.

                        Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #341

                        FIPS186-2:
                        -PKG: CURVES
                        ( P-256 P-384 P-521 )
                        -SHS: Val#1773
                        -DRBG: Val# 193
                        -SIG(ver): CURVES( P-256 P-384 P-521 )
                        -SHS: Val#1773
                        -DRBG: Val# 193

                        -

                        FIPS186-4:
                        -PKG: CURVES
                        ( P-256 P-384 P-521 ExtraRandomBits )
                        -SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
                        -SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
                        -SHS: Val#1773
                        -DRBG: Val# 193
                        +

                        FIPS186-2:
                        +PKG: CURVES
                        ( P-256 P-384 P-521 )
                        +SHS: Val#1773
                        +DRBG: Val# 193
                        +SIG(ver): CURVES( P-256 P-384 P-521 )
                        +SHS: Val#1773
                        +DRBG: Val# 193

                        +

                        FIPS186-4:
                        +PKG: CURVES
                        ( P-256 P-384 P-521 ExtraRandomBits )
                        +SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
                        +SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
                        +SHS: Val#1773
                        +DRBG: Val# 193
                        Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#295.

                        Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #295
                        FIPS186-2:
                        -PKG: CURVES
                        ( P-256 P-384 P-521 )
                        -SHS: Val#1081
                        -DRBG: Val# 23
                        -SIG(ver): CURVES( P-256 P-384 P-521 )
                        -SHS: Val#1081
                        -DRBG: Val# 23
                        +
                        FIPS186-2:
                        +PKG: CURVES
                        ( P-256 P-384 P-521 )
                        +SHS: Val#1081
                        +DRBG: Val# 23
                        +SIG(ver): CURVES( P-256 P-384 P-521 )
                        +SHS: Val#1081
                        +DRBG: Val# 23
                        Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#142. See Historical ECDSA List Val#141.

                        Windows Server 2008 R2 and SP1 CNG algorithms #142

                        Windows 7 Ultimate and SP1 CNG algorithms #141

                        FIPS186-2:
                        -PKG: CURVES
                        ( P-256 P-384 P-521 )
                        -SHS: Val#753
                        -SIG(ver): CURVES( P-256 P-384 P-521 )
                        -SHS: Val#753
                        +
                        FIPS186-2:
                        +PKG: CURVES
                        ( P-256 P-384 P-521 )
                        +SHS: Val#753
                        +SIG(ver): CURVES( P-256 P-384 P-521 )
                        +SHS: Val#753
                        Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#83. See Historical ECDSA List Val#82.

                        Windows Server 2008 CNG algorithms #83

                        Windows Vista Ultimate SP1 CNG algorithms #82

                        FIPS186-2:
                        -PKG: CURVES
                        ( P-256 P-384 P-521 )
                        -SHS: Val#618
                        -RNG: Val# 321
                        -SIG(ver): CURVES( P-256 P-384 P-521 )
                        -SHS: Val#618
                        -RNG: Val# 321
                        +
                        FIPS186-2:
                        +PKG: CURVES
                        ( P-256 P-384 P-521 )
                        +SHS: Val#618
                        +RNG: Val# 321
                        +SIG(ver): CURVES( P-256 P-384 P-521 )
                        +SHS: Val#618
                        +RNG: Val# 321
                        Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#60.
                        Windows Vista CNG algorithms #60
                        Modes / States / Key SizesAlgorithm Implementation and Certificate #Modes / States / Key SizesAlgorithm Implementation and Certificate #
                          @@ -3983,265 +3983,265 @@ Some of the previously validated components for this validation have been remove

                          Version 10.0.16299

                        HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#3790

                        -

                        HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3790

                        -

                        HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3790

                        HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#3790

                        +

                        HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3790

                        +

                        HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3790

                        Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #3062

                        Version 10.0.15063

                        HMAC-SHA1(Key Sizes Ranges Tested: KSBS ) SHS Val#3790

                        -

                        HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3790

                        -

                        HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3790

                        -

                        HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS Val#3790

                        HMAC-SHA1(Key Sizes Ranges Tested: KSBS ) SHS Val#3790

                        +

                        HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3790

                        +

                        HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3790

                        +

                        HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS Val#3790

                        Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #3061

                        Version 10.0.15063

                        HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#3652

                        -

                        HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3652

                        -

                        HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3652

                        -

                        HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#3652

                        HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#3652

                        +

                        HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3652

                        +

                        HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3652

                        +

                        HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#3652

                        Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2946

                        Version 7.00.2872

                        HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#3651

                        -

                        HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3651

                        -

                        HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3651

                        -

                        HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#3651

                        HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#3651

                        +

                        HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3651

                        +

                        HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3651

                        +

                        HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#3651

                        Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2945

                        Version 8.00.6246

                        HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val# 3649

                        -

                        HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val# 3649

                        -

                        HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val# 3649

                        -

                        HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal# 3649

                        HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val# 3649

                        +

                        HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val# 3649

                        +

                        HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val# 3649

                        +

                        HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal# 3649

                        Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2943

                        Version 7.00.2872

                        HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#3648

                        -

                        HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3648

                        -

                        HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3648

                        -

                        HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#3648

                        HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#3648

                        +

                        HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3648

                        +

                        HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3648

                        +

                        HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#3648

                        Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2942

                        Version 8.00.6246

                        HMAC-SHA1 (Key Sizes Ranges Tested:  KSBS )
                        +

                        HMAC-SHA1 (Key Sizes Ranges Tested:  KSBS )
                        SHS Val# 3347

                        -

                        HMAC-SHA256 ( Key Size Ranges Tested:  KSBS )
                        +

                        HMAC-SHA256 ( Key Size Ranges Tested:  KSBS )
                        SHS Val# 3347

                        -

                        HMAC-SHA384 ( Key Size Ranges Tested:  KSBS )
                        +

                        HMAC-SHA384 ( Key Size Ranges Tested:  KSBS )
                        SHS Val# 3347

                        Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #2661

                        Version 10.0.14393

                        HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val# 3347

                        -

                        HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val# 3347

                        -

                        HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val# 3347

                        -

                        HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS Val# 3347

                        HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val# 3347

                        +

                        HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val# 3347

                        +

                        HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val# 3347

                        +

                        HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS Val# 3347

                        Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #2651

                        Version 10.0.14393

                        HMAC-SHA1 (Key Sizes Ranges Tested:  KSBS )
                        +

                        HMAC-SHA1 (Key Sizes Ranges Tested:  KSBS )
                        SHS Val# 3047

                        -

                        HMAC-SHA256 ( Key Size Ranges Tested:  KSBS )
                        +

                        HMAC-SHA256 ( Key Size Ranges Tested:  KSBS )
                        SHS Val# 3047

                        -

                        HMAC-SHA384 ( Key Size Ranges Tested:  KSBS )
                        +

                        HMAC-SHA384 ( Key Size Ranges Tested:  KSBS )
                        SHS Val# 3047

                        -

                        HMAC-SHA512 ( Key Size Ranges Tested:  KSBS )
                        +

                        HMAC-SHA512 ( Key Size Ranges Tested:  KSBS )
                        SHS Val# 3047

                        Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” SymCrypt Cryptographic Implementations #2381

                        Version 10.0.10586

                        HMAC-SHA1 (Key Sizes Ranges Tested:  KSBS )
                        +

                        HMAC-SHA1 (Key Sizes Ranges Tested:  KSBS )
                        SHSVal# 2886

                        -

                        HMAC-SHA256 ( Key Size Ranges Tested:  KSBS )
                        +

                        HMAC-SHA256 ( Key Size Ranges Tested:  KSBS )
                        SHSVal# 2886

                        -

                        HMAC-SHA384 ( Key Size Ranges Tested:  KSBS )
                        +

                        HMAC-SHA384 ( Key Size Ranges Tested:  KSBS )
                         SHSVal# 2886

                        -

                        HMAC-SHA512 ( Key Size Ranges Tested:  KSBS )
                        +

                        HMAC-SHA512 ( Key Size Ranges Tested:  KSBS )
                        SHSVal# 2886

                        Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #2233

                        Version 10.0.10240

                        HMAC-SHA1 (Key Sizes Ranges Tested:  KSBS )
                        +

                        HMAC-SHA1 (Key Sizes Ranges Tested:  KSBS )
                        SHS Val#2373

                        -

                        HMAC-SHA256 ( Key Size Ranges Tested:  KSBS )
                        +

                        HMAC-SHA256 ( Key Size Ranges Tested:  KSBS )
                        SHS Val#2373

                        -

                        HMAC-SHA384 ( Key Size Ranges Tested:  KSBS )
                        +

                        HMAC-SHA384 ( Key Size Ranges Tested:  KSBS )
                        SHS Val#2373

                        -

                        HMAC-SHA512 ( Key Size Ranges Tested:  KSBS )
                        +

                        HMAC-SHA512 ( Key Size Ranges Tested:  KSBS )
                        SHS Val#2373

                        Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #1773

                        Version 6.3.9600

                        HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#2764

                        -

                        HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#2764

                        -

                        HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#2764

                        -

                        HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS Val#2764

                        HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#2764

                        +

                        HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#2764

                        +

                        HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#2764

                        +

                        HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS Val#2764

                        Windows CE and Windows Mobile, and Windows Embedded Handheld Enhanced Cryptographic Provider (RSAENH) #2122

                        Version 5.2.29344

                        HMAC-SHA1 (Key Sizes Ranges Tested: KS#1902

                        -

                        HMAC-SHA256 ( Key Size Ranges Tested: KS#1902

                        HMAC-SHA1 (Key Sizes Ranges Tested: KS#1902

                        +

                        HMAC-SHA256 ( Key Size Ranges Tested: KS#1902

                        Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 BitLocker® Cryptographic Implementations #1347

                        HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS#1902

                        -

                        HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS#1902

                        -

                        HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS#1902

                        -

                        HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS#1902

                        HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS#1902

                        +

                        HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS#1902

                        +

                        HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS#1902

                        +

                        HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS#1902

                        Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Enhanced Cryptographic Provider (RSAENH) #1346

                        HMAC-SHA1 (Key Sizes Ranges Tested: KSBS )

                        -

                        SHS#1903

                        -

                        HMAC-SHA256 ( Key Size Ranges Tested: KSBS )

                        -

                        SHS#1903

                        -

                        HMAC-SHA384 ( Key Size Ranges Tested: KSBS )

                        -

                        SHS#1903

                        -

                        HMAC-SHA512 ( Key Size Ranges Tested: KSBS )

                        -

                        SHS#1903

                        HMAC-SHA1 (Key Sizes Ranges Tested: KSBS )

                        +

                        SHS#1903

                        +

                        HMAC-SHA256 ( Key Size Ranges Tested: KSBS )

                        +

                        SHS#1903

                        +

                        HMAC-SHA384 ( Key Size Ranges Tested: KSBS )

                        +

                        SHS#1903

                        +

                        HMAC-SHA512 ( Key Size Ranges Tested: KSBS )

                        +

                        SHS#1903

                        Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #1345

                        HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#1773

                        -

                        HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#1773

                        -

                        Tinker HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#1773

                        -

                        HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#1773

                        HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#1773

                        +

                        HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#1773

                        +

                        Tinker HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#1773

                        +

                        HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#1773

                        Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #1364

                        HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#1774

                        -

                        HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#1774

                        -

                        HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#1774

                        -

                        HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#1774

                        HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#1774

                        +

                        HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#1774

                        +

                        HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#1774

                        +

                        HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#1774

                        Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1227

                        HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#1081

                        -

                        HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#1081

                        -

                        HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#1081

                        -

                        HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#1081

                        HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#1081

                        +

                        HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#1081

                        +

                        HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#1081

                        +

                        HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#1081

                        Windows Server 2008 R2 and SP1 CNG algorithms #686

                        Windows 7 and SP1 CNG algorithms #677

                        Windows Server 2008 R2 Enhanced Cryptographic Provider (RSAENH) #687

                        Windows 7 Enhanced Cryptographic Provider (RSAENH) #673

                        HMAC-SHA1(Key Sizes Ranges Tested: KSVal#1081

                        -

                        HMAC-SHA256 ( Key Size Ranges Tested: KSVal#1081

                        HMAC-SHA1(Key Sizes Ranges Tested: KSVal#1081

                        +

                        HMAC-SHA256 ( Key Size Ranges Tested: KSVal#1081

                        Windows 7 and SP1 and Windows Server 2008 R2 and SP1 BitLocker Algorithm Implementations #675

                        HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#816

                        -

                        HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#816

                        -

                        HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#816

                        -

                        HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#816

                        HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#816

                        +

                        HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#816

                        +

                        HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#816

                        +

                        HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#816

                        Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #452

                        HMAC-SHA1 (Key Sizes Ranges Tested: KSVal#753

                        -

                        HMAC-SHA256 ( Key Size Ranges Tested: KSVal#753

                        HMAC-SHA1 (Key Sizes Ranges Tested: KSVal#753

                        +

                        HMAC-SHA256 ( Key Size Ranges Tested: KSVal#753

                        Windows Vista Ultimate SP1 and Windows Server 2008 BitLocker Algorithm Implementations #415

                        HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#753

                        -

                        HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#753

                        -

                        HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#753

                        -

                        HMAC-SHA512 ( Key Size Ranges Tested: KSBS )SHS Val#753

                        HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#753

                        +

                        HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#753

                        +

                        HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#753

                        +

                        HMAC-SHA512 ( Key Size Ranges Tested: KSBS )SHS Val#753

                        Windows Server 2008 Enhanced Cryptographic Provider (RSAENH) #408

                        Windows Vista Enhanced Cryptographic Provider (RSAENH) #407

                        HMAC-SHA1 (Key Sizes Ranges Tested: KSBS )SHSVal#618

                        -

                        HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#618

                        -

                        HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#618

                        -

                        HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#618

                        HMAC-SHA1 (Key Sizes Ranges Tested: KSBS )SHSVal#618

                        +

                        HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#618

                        +

                        HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#618

                        +

                        HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#618

                        Windows Vista Enhanced Cryptographic Provider (RSAENH) #297
                        HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#785HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#785

                        Windows XP Professional SP3 Kernel Mode Cryptographic Module (fips.sys) #429

                        Windows XP, vendor-affirmed

                        HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#783

                        -

                        HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#783

                        -

                        HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#783

                        -

                        HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#783

                        HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#783

                        +

                        HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#783

                        +

                        HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#783

                        +

                        HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#783

                        Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #428

                        HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#613

                        -

                        HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#613

                        -

                        HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#613

                        -

                        HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#613

                        HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#613

                        +

                        HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#613

                        +

                        HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#613

                        +

                        HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#613

                        Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #289
                        HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#610HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#610 Windows Server 2003 SP2 Kernel Mode Cryptographic Module (fips.sys) #287

                        HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#753

                        -

                        HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#753

                        -

                        HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#753

                        -

                        HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#753

                        HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#753

                        +

                        HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#753

                        +

                        HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#753

                        +

                        HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#753

                        Windows Server 2008 CNG algorithms #413

                        Windows Vista Ultimate SP1 CNG algorithms #412

                        HMAC-SHA1 (Key Sizes Ranges Tested: KSVal#737

                        -

                        HMAC-SHA256 ( Key Size Ranges Tested: KSVal#737

                        HMAC-SHA1 (Key Sizes Ranges Tested: KSVal#737

                        +

                        HMAC-SHA256 ( Key Size Ranges Tested: KSVal#737

                        Windows Vista Ultimate BitLocker Drive Encryption #386

                        HMAC-SHA1 ( Key Sizes Ranges Tested: KSBS ) SHSVal#618

                        -

                        HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#618

                        -

                        HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#618

                        -

                        HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#618

                        HMAC-SHA1 ( Key Sizes Ranges Tested: KSBS ) SHSVal#618

                        +

                        HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#618

                        +

                        HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#618

                        +

                        HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#618

                        Windows Vista CNG algorithms #298

                        HMAC-SHA1 ( Key Sizes Ranges Tested: KSBS ) SHSVal#589

                        -

                        HMAC-SHA256 ( Key Size Ranges Tested: KSBS )SHSVal#589

                        -

                        HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#589

                        -

                        HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#589

                        HMAC-SHA1 ( Key Sizes Ranges Tested: KSBS ) SHSVal#589

                        +

                        HMAC-SHA256 ( Key Size Ranges Tested: KSBS )SHSVal#589

                        +

                        HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#589

                        +

                        HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#589

                        Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #267

                        HMAC-SHA1 ( Key Sizes Ranges Tested: KSBS ) SHSVal#578

                        -

                        HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#578

                        -

                        HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#578

                        -

                        HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#578

                        HMAC-SHA1 ( Key Sizes Ranges Tested: KSBS ) SHSVal#578

                        +

                        HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#578

                        +

                        HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#578

                        +

                        HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#578

                        Windows CE and Windows Mobile 6.0 and Windows Mobil 6.5 Enhanced Cryptographic Provider (RSAENH) #260

                        HMAC-SHA1 (Key Sizes Ranges Tested: KSVal#495

                        -

                        HMAC-SHA256 ( Key Size Ranges Tested: KSVal#495

                        HMAC-SHA1 (Key Sizes Ranges Tested: KSVal#495

                        +

                        HMAC-SHA256 ( Key Size Ranges Tested: KSVal#495

                        Windows Vista BitLocker Drive Encryption #199
                        HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#364HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#364

                        Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) #99

                        Windows XP, vendor-affirmed

                        HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#305

                        -

                        HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#305

                        -

                        HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#305

                        -

                        HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#305

                        HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#305

                        +

                        HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#305

                        +

                        HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#305

                        +

                        HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#305

                        Windows CE 5.00 and Windows CE 5.01 Enhanced Cryptographic Provider (RSAENH) #31
                        Modes / States / Key SizesAlgorithm Implementation and Certificate #Modes / States / Key SizesAlgorithm Implementation and Certificate #
                          @@ -4782,7 +4782,7 @@ SHS -

                        ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Full Validation   Key Regeneration ) SCHEMES [ FullUnified ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ]

                        +

                        ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Full Validation   Key Regeneration ) SCHEMES [ FullUnified ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ]

                        SHS Val#3790
                        DSA Val#1135
                        DRBG Val#1556

                        FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder )
                        -( FB: SHA256 ) ( FC: SHA256 ) ]
                        -[ dhOneFlow ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhStatic ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( FB: SHA256 HMAC ) ( FC: SHA256   HMAC ) ]
                        +

                        FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder )
                        +( FB: SHA256 ) ( FC: SHA256 ) ]
                        +[ dhOneFlow ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhStatic ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( FB: SHA256 HMAC ) ( FC: SHA256   HMAC ) ]
                        SHS Val#3790
                        DSA Val#1223
                        DRBG Val#1555

                        -

                        ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation ) SCHEMES [ EphemeralUnified ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
                        -[ OnePassDH ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521   HMAC (SHA512, HMAC_SHA512) ) ]
                        -[ StaticUnified ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521   HMAC (SHA512, HMAC_SHA512) ) ]
                        +

                        ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation ) SCHEMES [ EphemeralUnified ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
                        +[ OnePassDH ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521   HMAC (SHA512, HMAC_SHA512) ) ]
                        +[ StaticUnified ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521   HMAC (SHA512, HMAC_SHA512) ) ]

                        SHS Val#3790
                        ECDSA Val#1133
                        @@ -4807,29 +4807,29 @@ DRBG -

                        FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder )
                        -( FB: SHA256 ) ( FC: SHA256 ) ]
                        -[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhStatic ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( FB: SHA256 HMAC ) ( FC: SHA256   HMAC ) ]
                        +

                        FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder )
                        +( FB: SHA256 ) ( FC: SHA256 ) ]
                        +[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhStatic ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( FB: SHA256 HMAC ) ( FC: SHA256   HMAC ) ]
                        SHS Val# 3649
                        DSA Val#1188
                        DRBG Val#1430

                        -

                        ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration ) SCHEMES [ EphemeralUnified ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
                        -[ OnePassDH ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521   HMAC (SHA512, HMAC_SHA512) ) ]
                        -[ StaticUnified ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521   HMAC (SHA512, HMAC_SHA512) ) ]

                        Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #115

                        Version 7.00.2872

                        FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder )
                        -( FB: SHA256 ) ( FC: SHA256 ) ]
                        -[ dhHybridOneFlow ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( FB:SHA256 HMAC ) ( FC: SHA256   HMAC ) ]
                        -[ dhStatic ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( FB:SHA256 HMAC ) ( FC: SHA256   HMAC ) ]
                        +

                        FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder )
                        +( FB: SHA256 ) ( FC: SHA256 ) ]
                        +[ dhHybridOneFlow ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( FB:SHA256 HMAC ) ( FC: SHA256   HMAC ) ]
                        +[ dhStatic ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( FB:SHA256 HMAC ) ( FC: SHA256   HMAC ) ]
                        SHS Val#3648
                        DSA Val#1187
                        DRBG Val#1429

                        -

                        ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration ) SCHEMES [ EphemeralUnified ( No_KC ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
                        -[ OnePassDH ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521   HMAC (SHA512, HMAC_SHA512) ) ]
                        -[ StaticUnified ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521   HMAC (SHA512, HMAC_SHA512) ) ]
                        +

                        ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration ) SCHEMES [ EphemeralUnified ( No_KC ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
                        +[ OnePassDH ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521   HMAC (SHA512, HMAC_SHA512) ) ]
                        +[ StaticUnified ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521   HMAC (SHA512, HMAC_SHA512) ) ]

                        SHS Val#3648
                        ECDSA Val#1072
                        @@ -4838,19 +4838,19 @@ DRBG -

                        ECC:  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Full Validation   Key Regeneration )
                        -SCHEMES  [ FullUnified  ( No_KC  &lt; KARole(s): Initiator / Responder &gt; &lt; KDF: CONCAT &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ]

                        +

                        ECC:  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Full Validation   Key Regeneration )
                        +SCHEMES  [ FullUnified  ( No_KC  &lt; KARole(s): Initiator / Responder &gt; &lt; KDF: CONCAT &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ]

                        SHS Val# 3347 ECDSA Val#920 DRBG Val#1222

                        Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #93

                        Version 10.0.14393

                        FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation )
                        -SCHEMES  [ dhEphem  ( KARole(s): Initiator / Responder )
                        -( FB: SHA256 ) ( FC: SHA256 ) ]
                        -[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB:  SHA256 ) ( FC:  SHA256 ) ] [ dhStatic (No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( FB:  SHA256 HMAC ) ( FC:  SHA256   HMAC ) ]

                        +

                        FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation )
                        +SCHEMES  [ dhEphem  ( KARole(s): Initiator / Responder )
                        +( FB: SHA256 ) ( FC: SHA256 ) ]
                        +[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB:  SHA256 ) ( FC:  SHA256 ) ] [ dhStatic (No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( FB:  SHA256 HMAC ) ( FC:  SHA256   HMAC ) ]

                        SHS Val# 3347 DSA Val#1098 DRBG Val#1217

                        -

                        ECC:  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration ) SCHEMES  [ EphemeralUnified ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
                        +

                        ECC:  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration ) SCHEMES  [ EphemeralUnified ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
                        [ OnePassDH  ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521   HMAC (SHA512, HMAC_SHA512) ) ]
                        [ StaticUnified ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521   HMAC (SHA512, HMAC_SHA512) ) ]

                        SHS Val# 3347 DSA Val#1098 ECDSA Val#911 DRBG Val#1217 HMAC Val#2651

                        FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation ) SCHEMES  [ dhEphem  ( KARole(s): Initiator / Responder )
                        +

                        FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation ) SCHEMES  [ dhEphem  ( KARole(s): Initiator / Responder )
                        ( FB: SHA256 ) ( FC: SHA256 ) ]
                        [ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB:  SHA256 ) ( FC:  SHA256 ) ] [ dhStatic ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( FB:  SHA256 HMAC ) ( FC:  SHA256   HMAC ) ]

                        SHS Val# 3047 DSA Val#1024 DRBG Val#955

                        -

                        ECC:  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration ) SCHEMES  [ EphemeralUnified ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
                        +

                        ECC:  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration ) SCHEMES  [ EphemeralUnified ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
                        [ OnePassDH  ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521   HMAC (SHA512, HMAC_SHA512) ) ]
                        [ StaticUnified ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521   HMAC (SHA512, HMAC_SHA512) ) ]

                        SHS Val# 3047 ECDSA Val#760 DRBG Val#955

                        FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation ) SCHEMES  [ dhEphem  ( KARole(s): Initiator / Responder )
                        +

                        FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation ) SCHEMES  [ dhEphem  ( KARole(s): Initiator / Responder )
                        ( FB: SHA256 ) ( FC: SHA256 ) ]
                        [ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB:  SHA256 ) ( FC:  SHA256 ) ] [ dhStatic ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( FB:  SHA256 HMAC ) ( FC:  SHA256   HMAC ) ]

                        SHS Val# 2886 DSA Val#983 DRBG Val#868

                        -

                        ECC:  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration ) SCHEMES  [ EphemeralUnified ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
                        +

                        ECC:  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration ) SCHEMES  [ EphemeralUnified ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
                        [ OnePassDH  ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521   HMAC (SHA512, HMAC_SHA512) ) ]
                        [ StaticUnified ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521   HMAC (SHA512, HMAC_SHA512) ) ]

                        SHS Val# 2886 ECDSA Val#706 DRBG Val#868

                        FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation ) SCHEMES  [ dhEphem  ( KARole(s): Initiator / Responder )
                        +

                        FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation ) SCHEMES  [ dhEphem  ( KARole(s): Initiator / Responder )
                        ( FB: SHA256 ) ( FC: SHA256 ) ]
                        [ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB:  SHA256 ) ( FC:  SHA256 ) ] [ dhStatic ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( FB:  SHA256 HMAC ) ( FC:  SHA256   HMAC ) ]

                        SHS Val#2373 DSA Val#855 DRBG Val#489

                        -

                        ECC:  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration ) SCHEMES  [ EphemeralUnified ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
                        +

                        ECC:  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration ) SCHEMES  [ EphemeralUnified ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
                        [ OnePassDH  ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521   HMAC (SHA512, HMAC_SHA512) ) ]
                        [ StaticUnified ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521   HMAC (SHA512, HMAC_SHA512) ) ]

                        SHS Val#2373 ECDSA Val#505 DRBG Val#489

                        FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder )
                        -( FA: SHA256 ) ( FB: SHA256 ) ( FC: SHA256 ) ]
                        -[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FA: SHA256 ) ( FB: SHA256 ) ( FC: SHA256 ) ]
                        -[ dhStatic ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( FA: SHA256 HMAC ) ( FB: SHA256 HMAC ) ( FC: SHA256 HMAC ) ]
                        +

                        FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder )
                        +( FA: SHA256 ) ( FB: SHA256 ) ( FC: SHA256 ) ]
                        +[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FA: SHA256 ) ( FB: SHA256 ) ( FC: SHA256 ) ]
                        +[ dhStatic ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( FA: SHA256 HMAC ) ( FB: SHA256 HMAC ) ( FC: SHA256 HMAC ) ]
                        SHS #1903 DSA Val#687 DRBG #258

                        -

                        ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key Regeneration ) SCHEMES [ EphemeralUnified ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
                        -[ OnePassDH( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256 SHA256 ) ( ED: P-384 SHA384 ) ( EE: P-521 (SHA512, HMAC_SHA512) ) ) ]
                        -[ StaticUnified ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
                        +

                        ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key Regeneration ) SCHEMES [ EphemeralUnified ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
                        +[ OnePassDH( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256 SHA256 ) ( ED: P-384 SHA384 ) ( EE: P-521 (SHA512, HMAC_SHA512) ) ) ]
                        +[ StaticUnified ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]

                        SHS #1903 ECDSA Val#341 DRBG #258

                        Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #36

                        KAS (SP 800–56A)

                        +

                        KAS (SP 800–56A)

                        key agreement

                        key establishment methodology provides 80 to 256 bits of encryption strength

                        Windows 7 and SP1, vendor-affirmed

                        @@ -4922,8 +4922,8 @@ SP 800-108 Key-Based Key Derivation Functions (KBKDF) - - + + - - - - - - @@ -5087,34 +5087,34 @@ Random Number Generator (RNG) - - + + - + - + - + - + - + @@ -5140,8 +5140,8 @@ Random Number Generator (RNG) - - + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - @@ -6143,8 +6143,8 @@ Some of the previously validated components for this validation have been remove - - + + - + - + - + - + - + - + - + - + - + - + - + - + - + - - + - + - + - + - + - + - + - +

                        Windows Server 2003 Enhanced Cryptographic Provider (RSAENH) #176

                        - + - + - - + +

                        Version 10.0.16299

                        - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - +
                        Modes / States / Key SizesAlgorithm Implementation and Certificate #Modes / States / Key SizesAlgorithm Implementation and Certificate #
                          @@ -5021,7 +5021,7 @@ SP 800-108 Key-Based Key Derivation Functions (KBKDF)

                          Version 10.0.16299

                        CTR_Mode: ( Llength( Min0 Max0 ) MACSupported( [HMACSHA1] [HMACSHA256] [HMACSHA384] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )
                        +
                        CTR_Mode: ( Llength( Min0 Max0 ) MACSupported( [HMACSHA1] [HMACSHA256] [HMACSHA384] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )

                        KAS Val#128
                        DRBG Val#1556
                        @@ -5030,7 +5030,7 @@ MAC -
                        CTR_Mode: ( Llength( Min20 Max64 ) MACSupported( [CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )
                        +
                        CTR_Mode: ( Llength( Min20 Max64 ) MACSupported( [CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )

                        KAS Val#127
                        AES Val#4624
                        @@ -5040,37 +5040,37 @@ MAC -

                        CTR_Mode:  ( Llength( Min20 Max64 ) MACSupported( [HMACSHA1] [HMACSHA256] [HMACSHA384] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )

                        +

                        CTR_Mode:  ( Llength( Min20 Max64 ) MACSupported( [HMACSHA1] [HMACSHA256] [HMACSHA384] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )

                        KAS Val#93 DRBG Val#1222 MAC Val#2661

                        Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #102

                        Version 10.0.14393

                        CTR_Mode:  ( Llength( Min20 Max64 ) MACSupported( [CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )

                        +

                        CTR_Mode:  ( Llength( Min20 Max64 ) MACSupported( [CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )

                        KAS Val#92 AES Val#4064 DRBG Val#1217 MAC Val#2651

                        Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #101

                        Version 10.0.14393

                        CTR_Mode:  ( Llength( Min20 Max64 ) MACSupported( [CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )

                        +

                        CTR_Mode:  ( Llength( Min20 Max64 ) MACSupported( [CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )

                        KAS Val#72 AES Val#3629 DRBG Val#955 MAC Val#2381

                        Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” Cryptography Next Generation (CNG) Implementations #72

                        Version 10.0.10586

                        CTR_Mode:  ( Llength( Min20 Max64 ) MACSupported( [CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )

                        +

                        CTR_Mode:  ( Llength( Min20 Max64 ) MACSupported( [CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )

                        KAS Val#64 AES Val#3497 RBG Val#868 MAC Val#2233

                        Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 Cryptography Next Generation (CNG) Implementations #66

                        Version 10.0.10240

                        CTR_Mode:  ( Llength( Min0 Max0 ) MACSupported( [HMACSHA1] [HMACSHA256] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )

                        +

                        CTR_Mode:  ( Llength( Min0 Max0 ) MACSupported( [HMACSHA1] [HMACSHA256] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )

                        DRBG Val#489 MAC Val#1773

                        Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 Cryptography Next Generation Cryptographic Implementations #30

                        Version 6.3.9600

                        CTR_Mode: ( Llength( Min0 Max4 ) MACSupported( [HMACSHA1] [HMACSHA256] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )

                        +

                        CTR_Mode: ( Llength( Min0 Max4 ) MACSupported( [HMACSHA1] [HMACSHA256] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )

                        DRBG #258 HMAC Val#1345

                        Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #3
                        Modes / States / Key SizesAlgorithm Implementation and Certificate #Modes / States / Key SizesAlgorithm Implementation and Certificate #

                        FIPS 186-2 General Purpose

                        -

                        [ (x-Original); (SHA-1) ]

                        FIPS 186-2 General Purpose

                        +

                        [ (x-Original); (SHA-1) ]

                        Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #1110
                        FIPS 186-2
                        -[ (x-Original); (SHA-1) ]
                        FIPS 186-2
                        +[ (x-Original); (SHA-1) ]

                        Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1060

                        Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #292

                        Windows CE and Windows Mobile 6.0 and Windows Mobile 6.5 Enhanced Cryptographic Provider (RSAENH) #286

                        Windows CE 5.00 and Window CE 5.01 Enhanced Cryptographic Provider (RSAENH) #66

                        FIPS 186-2
                        -[ (x-Change Notice); (SHA-1) ]

                        -

                        FIPS 186-2 General Purpose
                        -[ (x-Change Notice); (SHA-1) ]

                        FIPS 186-2
                        +[ (x-Change Notice); (SHA-1) ]

                        +

                        FIPS 186-2 General Purpose
                        +[ (x-Change Notice); (SHA-1) ]

                        Windows 7 and SP1 and Windows Server 2008 R2 and SP1 RNG Library #649

                        Windows Vista Ultimate SP1 and Windows Server 2008 RNG Implementation #435

                        Windows Vista RNG implementation #321

                        FIPS 186-2 General Purpose
                        -[ (x-Change Notice); (SHA-1) ]
                        FIPS 186-2 General Purpose
                        +[ (x-Change Notice); (SHA-1) ]

                        Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #470

                        Windows XP Professional SP3 Kernel Mode Cryptographic Module (fips.sys) #449

                        Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #447

                        @@ -5122,8 +5122,8 @@ Random Number Generator (RNG)

                        Windows Server 2003 SP2 Kernel Mode Cryptographic Module (fips.sys) #313

                        FIPS 186-2
                        -[ (x-Change Notice); (SHA-1) ]
                        FIPS 186-2
                        +[ (x-Change Notice); (SHA-1) ]

                        Windows XP Professional SP3 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #448

                        Windows Server 2003 SP2 Enhanced DSS and Diffie-Hellman Cryptographic Provider #314

                        Modes / States / Key SizesAlgorithm Implementation and Certificate #Modes / States / Key SizesAlgorithm Implementation and Certificate #

                        RSA:

                        @@ -5711,419 +5711,419 @@ Random Number Generator (RNG)

                        Version 10.0.16299

                        FIPS186-4:
                        -ALG[RSASSA-PKCS1_V1_5]
                        SIG(gen) (2048 SHA( 1 , 256 , 384 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
                        -
                        SIG(Ver) (1024 SHA( 1 , 256 , 384 )) (2048 SHA( 1 , 256 , 384 ))
                        -[RSASSA-PSS]: Sig(Gen): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) )) SIG(gen) with SHA-1 affirmed for use with protocols only.
                        -
                        Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) ))
                        +
                        FIPS186-4:
                        +ALG[RSASSA-PKCS1_V1_5]
                        SIG(gen) (2048 SHA( 1 , 256 , 384 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
                        +
                        SIG(Ver) (1024 SHA( 1 , 256 , 384 )) (2048 SHA( 1 , 256 , 384 ))
                        +[RSASSA-PSS]: Sig(Gen): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) )) SIG(gen) with SHA-1 affirmed for use with protocols only.
                        +
                        Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) ))
                        SHA Val#3790

                        Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #2524

                        Version 10.0.15063

                        FIPS186-4:
                        -ALG[RSASSA-PKCS1_V1_5]
                        SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
                        +
                        FIPS186-4:
                        +ALG[RSASSA-PKCS1_V1_5]
                        SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
                        SHA Val#3790

                        Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile RSA32 Algorithm Implementations #2523

                        Version 10.0.15063

                        FIPS186-4:
                        -186-4KEY(gen):
                        FIPS186-4_Fixed_e ( 10001 ) ;
                        -PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )
                        -ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
                        -
                        SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
                        -[RSASSA-PSS]: Sig(Gen): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) SIG(gen) with SHA-1 affirmed for use with protocols only.
                        -
                        Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
                        +
                        FIPS186-4:
                        +186-4KEY(gen):
                        FIPS186-4_Fixed_e ( 10001 ) ;
                        +PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )
                        +ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
                        +
                        SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
                        +[RSASSA-PSS]: Sig(Gen): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) SIG(gen) with SHA-1 affirmed for use with protocols only.
                        +
                        Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
                        SHA Val#3790
                        DRBG: Val# 1555

                        Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile MsBignum Cryptographic Implementations #2522

                        Version 10.0.15063

                        FIPS186-4:
                        +
                        FIPS186-4:
                        186-4KEY(gen):
                        -PGM(ProbRandom: ( 2048 , 3072 ) PPTT:( C.2 )
                        -ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
                        -
                        SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
                        -[RSASSA-PSS]: Sig(Gen): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) SIG(gen) with SHA-1 affirmed for use with protocols only.
                        -
                        Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
                        +PGM(ProbRandom:
                        ( 2048 , 3072 ) PPTT:( C.2 )
                        +ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
                        +
                        SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
                        +[RSASSA-PSS]: Sig(Gen): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) SIG(gen) with SHA-1 affirmed for use with protocols only.
                        +
                        Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
                        SHA Val#3790

                        Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #2521

                        Version 10.0.15063

                        FIPS186-2:
                        -ALG[ANSIX9.31]:

                        +

                        FIPS186-2:
                        +ALG[ANSIX9.31]:

                        SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#3652
                        -ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 4096 , SHS: SHA-256Val#3652, SHA-384Val#3652, SHA-512Val#3652
                        +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 4096 , SHS: SHA-256Val#3652, SHA-384Val#3652, SHA-512Val#3652
                        SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#3652, SHA-256Val#3652, SHA-384Val#3652, SHA-512Val#3652

                        -

                        FIPS186-4:
                        -ALG[ANSIX9.31]
                        Sig(Gen): (2048 SHA( 1 )) (3072 SHA( 1 ))
                        -SIG(gen) with SHA-1 affirmed for use with protocols only.
                        Sig(Ver): (1024 SHA( 1 )) (2048 SHA( 1 )) (3072 SHA( 1 ))
                        -ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
                        -
                        SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
                        +

                        FIPS186-4:
                        +ALG[ANSIX9.31]
                        Sig(Gen): (2048 SHA( 1 )) (3072 SHA( 1 ))
                        +SIG(gen) with SHA-1 affirmed for use with protocols only.
                        Sig(Ver): (1024 SHA( 1 )) (2048 SHA( 1 )) (3072 SHA( 1 ))
                        +ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
                        +
                        SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
                        SHA Val#3652

                        Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2415

                        Version 7.00.2872

                        FIPS186-2:
                        -ALG[ANSIX9.31]:

                        +

                        FIPS186-2:
                        +ALG[ANSIX9.31]:

                        SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#3651
                        -ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 4096 , SHS: SHA-256Val#3651, SHA-384Val#3651, SHA-512Val#3651
                        +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 4096 , SHS: SHA-256Val#3651, SHA-384Val#3651, SHA-512Val#3651
                        SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#3651, SHA-256Val#3651, SHA-384Val#3651, SHA-512Val#3651

                        -

                        FIPS186-4:
                        -ALG[ANSIX9.31]
                        Sig(Gen): (2048 SHA( 1 )) (3072 SHA( 1 ))
                        -SIG(gen) with SHA-1 affirmed for use with protocols only.
                        Sig(Ver): (1024 SHA( 1 )) (2048 SHA( 1 )) (3072 SHA( 1 ))
                        -ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
                        -
                        SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
                        +

                        FIPS186-4:
                        +ALG[ANSIX9.31]
                        Sig(Gen): (2048 SHA( 1 )) (3072 SHA( 1 ))
                        +SIG(gen) with SHA-1 affirmed for use with protocols only.
                        Sig(Ver): (1024 SHA( 1 )) (2048 SHA( 1 )) (3072 SHA( 1 ))
                        +ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
                        +
                        SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
                        SHA Val#3651

                        Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2414

                        Version 8.00.6246

                        FIPS186-2:
                        -ALG[RSASSA-PKCS1_V1_5]:
                        SIG(gen) 4096 , SHS: SHA-256Val# 3649 , SHA-384Val# 3649 , SHA-512Val# 3649
                        +

                        FIPS186-2:
                        +ALG[RSASSA-PKCS1_V1_5]:
                        SIG(gen) 4096 , SHS: SHA-256Val# 3649 , SHA-384Val# 3649 , SHA-512Val# 3649
                        SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val# 3649 , SHA-256Val# 3649 , SHA-384Val# 3649 , SHA-512Val# 3649

                        -

                        FIPS186-4:
                        -186-4KEY(gen):
                        FIPS186-4_Fixed_e (10001) ;
                        -PGM(ProbRandom: ( 2048 , 3072 ) PPTT:( C.2 )
                        -ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
                        -
                        SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
                        +

                        FIPS186-4:
                        +186-4KEY(gen):
                        FIPS186-4_Fixed_e (10001) ;
                        +PGM(ProbRandom: ( 2048 , 3072 ) PPTT:( C.2 )
                        +ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
                        +
                        SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
                        SHA Val# 3649
                        DRBG: Val# 1430

                        Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2412

                        Version 7.00.2872

                        FIPS186-2:
                        -ALG[RSASSA-PKCS1_V1_5]:
                        SIG(gen) 4096 , SHS: SHA-256Val#3648, SHA-384Val#3648, SHA-512Val#3648
                        +

                        FIPS186-2:
                        +ALG[RSASSA-PKCS1_V1_5]:
                        SIG(gen) 4096 , SHS: SHA-256Val#3648, SHA-384Val#3648, SHA-512Val#3648
                        SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#3648, SHA-256Val#3648, SHA-384Val#3648, SHA-512Val#3648

                        -

                        FIPS186-4:
                        -186-4KEY(gen):
                        FIPS186-4_Fixed_e (10001) ;
                        -PGM(ProbRandom: ( 2048 , 3072 ) PPTT:( C.2 )
                        -ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
                        -
                        SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
                        +

                        FIPS186-4:
                        +186-4KEY(gen):
                        FIPS186-4_Fixed_e (10001) ;
                        +PGM(ProbRandom: ( 2048 , 3072 ) PPTT:( C.2 )
                        +ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
                        +
                        SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
                        SHA Val#3648
                        DRBG: Val# 1429

                        Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2411

                        Version 8.00.6246

                        FIPS186-4:
                        -ALG[RSASSA-PKCS1_V1_5]
                        SIG(gen) (2048 SHA( 1 , 256 , 384 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
                        +

                        FIPS186-4:
                        +ALG[RSASSA-PKCS1_V1_5]
                        SIG(gen) (2048 SHA( 1 , 256 , 384 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
                        SIG(Ver) (1024 SHA( 1 , 256 , 384 )) (2048 SHA( 1 , 256 , 384 ))
                        -[RSASSA-PSS]: Sig(Gen): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) )) SIG(gen) with SHA-1 affirmed for use with protocols only.
                        +[RSASSA-PSS]: Sig(Gen): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) )) SIG(gen) with SHA-1 affirmed for use with protocols only.
                        Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) ))

                        SHA Val# 3347

                        Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #2206

                        Version 10.0.14393

                        FIPS186-4:
                        -186-4KEY(gen):
                        FIPS186-4_Fixed_e ( 10001 ) ;
                        -PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )

                        +

                        FIPS186-4:
                        +186-4KEY(gen):
                        FIPS186-4_Fixed_e ( 10001 ) ;
                        +PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )

                        SHA Val# 3347 DRBG: Val# 1217

                        Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update RSA Key Generation Implementation #2195

                        Version 10.0.14393

                        FIPS186-4:
                        -ALG[RSASSA-PKCS1_V1_5]
                        SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

                        +

                        FIPS186-4:
                        +ALG[RSASSA-PKCS1_V1_5]
                        SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

                        SHA Val#3346

                        soft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update RSA32 Algorithm Implementations #2194

                        Version 10.0.14393

                        FIPS186-4:
                        -ALG[RSASSA-PKCS1_V1_5]
                        SIG(gen) (2048 SHA( 256 , 384 , 512 )) (3072 SHA( 256 , 384 , 512 ))
                        -SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

                        +

                        FIPS186-4:
                        +ALG[RSASSA-PKCS1_V1_5]
                        SIG(gen) (2048 SHA( 256 , 384 , 512 )) (3072 SHA( 256 , 384 , 512 ))
                        +SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

                        SHA Val# 3347 DRBG: Val# 1217

                        Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations #2193

                        Version 10.0.14393

                        FIPS186-4:
                        -[RSASSA-PSS]: Sig(Gen):
                        (2048 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))

                        -

                        Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))

                        +

                        FIPS186-4:
                        +[RSASSA-PSS]: Sig(Gen):
                        (2048 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))

                        +

                        Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))

                        SHA Val# 3347 DRBG: Val# 1217

                        Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #2192

                        Version 10.0.14393

                        FIPS186-4:
                        -186-4KEY(gen)
                        :  FIPS186-4_Fixed_e ( 10001 ) ;
                        -PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )

                        +

                        FIPS186-4:
                        +186-4KEY(gen)
                        :  FIPS186-4_Fixed_e ( 10001 ) ;
                        +PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )

                        SHA Val# 3047 DRBG: Val# 955

                        Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” RSA Key Generation Implementation #1889

                        Version 10.0.10586

                        FIPS186-4:
                        -ALG[RSASSA-PKCS1_V1_5]
                        SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

                        +

                        FIPS186-4:
                        +ALG[RSASSA-PKCS1_V1_5]
                        SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

                        SHA Val#3048

                        Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub RSA32 Algorithm Implementations #1871

                        Version 10.0.10586

                        FIPS186-4:
                        -ALG[RSASSA-PKCS1_V1_5]
                        SIG(gen) (2048 SHA( 256 , 384 , 512 )) (3072 SHA( 256 , 384 , 512 ))
                        -SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

                        +

                        FIPS186-4:
                        +ALG[RSASSA-PKCS1_V1_5]
                        SIG(gen) (2048 SHA( 256 , 384 , 512 )) (3072 SHA( 256 , 384 , 512 ))
                        +SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

                        SHA Val# 3047

                        Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub MsBignum Cryptographic Implementations #1888

                        Version 10.0.10586

                        FIPS186-4:
                        -[RSASSA-PSS]: Sig(Gen)
                        : (2048 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
                        -Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))

                        +

                        FIPS186-4:
                        +[RSASSA-PSS]: Sig(Gen)
                        : (2048 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
                        +Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))

                        SHA Val# 3047

                        Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub Cryptography Next Generation (CNG) Implementations #1887

                        Version 10.0.10586

                        FIPS186-4:
                        -186-4KEY(gen):
                        FIPS186-4_Fixed_e ( 10001 ) ;
                        +

                        FIPS186-4:
                        +186-4KEY(gen):
                        FIPS186-4_Fixed_e ( 10001 ) ;
                        PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )

                        SHA Val# 2886 DRBG: Val# 868

                        Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 RSA Key Generation Implementation #1798

                        Version 10.0.10240

                        FIPS186-4:
                        -ALG[RSASSA-PKCS1_V1_5]
                        SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

                        +

                        FIPS186-4:
                        +ALG[RSASSA-PKCS1_V1_5]
                        SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

                        SHA Val#2871

                        Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 RSA32 Algorithm Implementations #1784

                        Version 10.0.10240

                        FIPS186-4:
                        -ALG[RSASSA-PKCS1_V1_5]
                        SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

                        +

                        FIPS186-4:
                        +ALG[RSASSA-PKCS1_V1_5]
                        SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

                        SHA Val#2871

                        Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 MsBignum Cryptographic Implementations #1783

                        Version 10.0.10240

                        FIPS186-4:
                        -[RSASSA-PSS]:
                        Sig(Gen): (2048 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
                        +

                        FIPS186-4:
                        +[RSASSA-PSS]:
                        Sig(Gen): (2048 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
                        Sig(Ver): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))

                        SHA Val# 2886

                        Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 Cryptography Next Generation (CNG) Implementations #1802

                        Version 10.0.10240

                        FIPS186-4:
                        -186-4KEY(gen):
                        FIPS186-4_Fixed_e ;
                        -PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )

                        +

                        FIPS186-4:
                        +186-4KEY(gen):
                        FIPS186-4_Fixed_e ;
                        +PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )

                        SHA Val#2373 DRBG: Val# 489

                        Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 RSA Key Generation Implementation #1487

                        Version 6.3.9600

                        FIPS186-4:
                        -ALG[RSASSA-PKCS1_V1_5]
                        SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

                        +

                        FIPS186-4:
                        +ALG[RSASSA-PKCS1_V1_5]
                        SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

                        SHA Val#2373

                        Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry RSA32 Algorithm Implementations #1494

                        Version 6.3.9600

                        FIPS186-4:
                        -ALG[RSASSA-PKCS1_V1_5
                        ] SIG(gen) (2048 SHA( 256 , 384 , 512 )) (3072 SHA( 256 , 384 , 512 ))
                        +

                        FIPS186-4:
                        +ALG[RSASSA-PKCS1_V1_5
                        ] SIG(gen) (2048 SHA( 256 , 384 , 512 )) (3072 SHA( 256 , 384 , 512 ))
                        SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

                        SHA Val#2373

                        Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #1493

                        Version 6.3.9600

                        FIPS186-4:
                        -[RSASSA-PSS]:
                        Sig(Gen): (2048 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
                        +

                        FIPS186-4:
                        +[RSASSA-PSS]:
                        Sig(Gen): (2048 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
                        Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))

                        SHA Val#2373

                        Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 Cryptography Next Generation Cryptographic Implementations #1519

                        Version 6.3.9600

                        FIPS186-4:
                        -ALG[RSASSA-PKCS1_V1_5]
                        SIG(gen) (2048 SHA( 256 , 384 , 512-256 )) (3072 SHA( 256 , 384 , 512-256 ))
                        +

                        FIPS186-4:
                        +ALG[RSASSA-PKCS1_V1_5]
                        SIG(gen) (2048 SHA( 256 , 384 , 512-256 )) (3072 SHA( 256 , 384 , 512-256 ))
                        SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512-256 )) (2048 SHA( 1 , 256 , 384 , 512-256 )) (3072 SHA( 1 , 256 , 384 , 512-256 ))
                        -[RSASSA-PSS]: Sig(Gen): (2048 SHA( 256 , 384 , 512 )) (3072 SHA( 256 , 384 , 512 ))
                        +[RSASSA-PSS]: Sig(Gen): (2048 SHA( 256 , 384 , 512 )) (3072 SHA( 256 , 384 , 512 ))
                        Sig(Ver): (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 , 512 ))
                        SHA #1903

                        Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#1134.

                        Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #1134
                        FIPS186-4:
                        -186-4KEY(gen):
                        FIPS186-4_Fixed_e , FIPS186-4_Fixed_e_Value
                        -PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )
                        +
                        FIPS186-4:
                        +186-4KEY(gen):
                        FIPS186-4_Fixed_e , FIPS186-4_Fixed_e_Value
                        +PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )
                        SHA #1903 DRBG: #258
                        Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 RSA Key Generation Implementation #1133
                        FIPS186-2:
                        -ALG[ANSIX9.31]:
                        Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537 DRBG: #258
                        -ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256#1902, SHA-384#1902, SHA-512#1902,
                        +
                        FIPS186-2:
                        +ALG[ANSIX9.31]:
                        Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537 DRBG: #258
                        +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256#1902, SHA-384#1902, SHA-512#1902,
                        SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1#1902, SHA-256#1902, SHA-#1902, SHA-512#1902,
                        Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#1132.
                        Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Enhanced Cryptographic Provider (RSAENH) #1132
                        FIPS186-2:
                        -ALG[ANSIX9.31]:

                        +
                        FIPS186-2:
                        +ALG[ANSIX9.31]:

                        SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1774
                        -ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1774, SHA-384Val#1774, SHA-512Val#1774,
                        +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1774, SHA-384Val#1774, SHA-512Val#1774,
                        SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1774, SHA-256Val#1774, SHA-384Val#1774, SHA-512Val#1774,
                        Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#1052.
                        Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1052
                        FIPS186-2:
                        -ALG[ANSIX9.31]:
                        Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537 DRBG: Val# 193
                        -ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1773, SHA-384Val#1773, SHA-512Val#1773,
                        +
                        FIPS186-2:
                        +ALG[ANSIX9.31]:
                        Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537 DRBG: Val# 193
                        +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1773, SHA-384Val#1773, SHA-512Val#1773,
                        SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1773, SHA-256Val#1773, SHA-384Val#1773, SHA-512Val#1773,
                        Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#1051.
                        Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1051
                        FIPS186-2:
                        -ALG[RSASSA-PKCS1_V1_5]:
                        SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
                        +
                        FIPS186-2:
                        +ALG[RSASSA-PKCS1_V1_5]:
                        SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
                        SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1081, SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
                        Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#568.
                        Windows Server 2008 R2 and SP1 Enhanced Cryptographic Provider (RSAENH) #568
                        FIPS186-2:
                        -ALG[RSASSA-PKCS1_V1_5]:
                        SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
                        +
                        FIPS186-2:
                        +ALG[RSASSA-PKCS1_V1_5]:
                        SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
                        SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1081, SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
                        -ALG[RSASSA-PSS]: SIG(gen); 2048 , 3072 , 4096 , SHS: SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081
                        +ALG[RSASSA-PSS]: SIG(gen); 2048 , 3072 , 4096 , SHS: SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081
                        SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1081, SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081
                        Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#567. See Historical RSA List Val#560.

                        Windows Server 2008 R2 and SP1 CNG algorithms #567

                        Windows 7 and SP1 CNG algorithms #560

                        FIPS186-2:
                        -ALG[ANSIX9.31]:
                        Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537 DRBG: Val# 23
                        +
                        FIPS186-2:
                        +ALG[ANSIX9.31]:
                        Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537 DRBG: Val# 23
                        Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#559.
                        Windows 7 and SP1 and Server 2008 R2 and SP1 RSA Key Generation Implementation #559
                        FIPS186-2:
                        -ALG[RSASSA-PKCS1_V1_5]:
                        SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
                        +
                        FIPS186-2:
                        +ALG[RSASSA-PKCS1_V1_5]:
                        SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
                        SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1081, SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
                        Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#557.
                        Windows 7 and SP1 Enhanced Cryptographic Provider (RSAENH) #557
                        FIPS186-2:
                        +
                        FIPS186-2:
                        ALG[ANSIX9.31]:
                        -ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#816, SHA-384Val#816, SHA-512Val#816,
                        +ALG[RSASSA-PKCS1_V1_5]:
                        SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#816, SHA-384Val#816, SHA-512Val#816,
                        SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#816, SHA-256Val#816, SHA-384Val#816, SHA-512Val#816,
                        Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#395.
                        Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #395
                        FIPS186-2:
                        -ALG[ANSIX9.31]:

                        +
                        FIPS186-2:
                        +ALG[ANSIX9.31]:

                        SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#783
                        -ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#783, SHA-384Val#783, SHA-512Val#783,
                        +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#783, SHA-384Val#783, SHA-512Val#783,
                        Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#371.
                        Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #371
                        FIPS186-2:
                        -ALG[RSASSA-PKCS1_V1_5]:
                        SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#753, SHA-384Val#753, SHA-512Val#753,
                        +
                        FIPS186-2:
                        +ALG[RSASSA-PKCS1_V1_5]:
                        SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#753, SHA-384Val#753, SHA-512Val#753,
                        SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#753, SHA-256Val#753, SHA-384Val#753, SHA-512Val#753,
                        -ALG[RSASSA-PSS]: SIG(gen); 2048 , 3072 , 4096 , SHS: SHA-256Val#753, SHA-384Val#753, SHA-512Val#753
                        +ALG[RSASSA-PSS]: SIG(gen); 2048 , 3072 , 4096 , SHS: SHA-256Val#753, SHA-384Val#753, SHA-512Val#753
                        SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#753, SHA-256Val#753, SHA-384Val#753, SHA-512Val#753
                        Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#358. See Historical RSA List Val#357.

                        Windows Server 2008 CNG algorithms #358

                        Windows Vista SP1 CNG algorithms #357

                        FIPS186-2:
                        -ALG[ANSIX9.31]:

                        +
                        FIPS186-2:
                        +ALG[ANSIX9.31]:

                        SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#753
                        -ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#753, SHA-384Val#753, SHA-512Val#753,
                        +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#753, SHA-384Val#753, SHA-512Val#753,
                        SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#753, SHA-256Val#753, SHA-384Val#753, SHA-512Val#753,
                        Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#355. See Historical RSA List Val#354.

                        Windows Server 2008 Enhanced Cryptographic Provider (RSAENH) #355

                        Windows Vista SP1 Enhanced Cryptographic Provider (RSAENH) #354

                        FIPS186-2:
                        -ALG[ANSIX9.31]:
                        Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537
                        +
                        FIPS186-2:
                        +ALG[ANSIX9.31]:
                        Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537
                        Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#353.
                        Windows Vista SP1 and Windows Server 2008 RSA Key Generation Implementation #353
                        FIPS186-2:
                        -ALG[ANSIX9.31]:
                        Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537 RNG: Val# 321
                        +
                        FIPS186-2:
                        +ALG[ANSIX9.31]:
                        Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537 RNG: Val# 321
                        Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#258.
                        Windows Vista RSA key generation implementation #258
                        FIPS186-2:
                        -ALG[RSASSA-PKCS1_V1_5]:
                        SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#618, SHA-384Val#618, SHA-512Val#618,
                        +
                        FIPS186-2:
                        +ALG[RSASSA-PKCS1_V1_5]:
                        SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#618, SHA-384Val#618, SHA-512Val#618,
                        SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#618, SHA-256Val#618, SHA-384Val#618, SHA-512Val#618,
                        -ALG[RSASSA-PSS]: SIG(gen); 2048 , 3072 , 4096 , SHS: SHA-256Val#618, SHA-384Val#618, SHA-512Val#618
                        +ALG[RSASSA-PSS]: SIG(gen); 2048 , 3072 , 4096 , SHS: SHA-256Val#618, SHA-384Val#618, SHA-512Val#618
                        SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#618, SHA-256Val#618, SHA-384Val#618, SHA-512Val#618
                        Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#257.
                        Windows Vista CNG algorithms #257
                        FIPS186-2:
                        -ALG[RSASSA-PKCS1_V1_5]:
                        SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#618, SHA-384Val#618, SHA-512Val#618,
                        +
                        FIPS186-2:
                        +ALG[RSASSA-PKCS1_V1_5]:
                        SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#618, SHA-384Val#618, SHA-512Val#618,
                        SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#618, SHA-256Val#618, SHA-384Val#618, SHA-512Val#618,
                        Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#255.
                        Windows Vista Enhanced Cryptographic Provider (RSAENH) #255
                        FIPS186-2:
                        -ALG[ANSIX9.31]:

                        +
                        FIPS186-2:
                        +ALG[ANSIX9.31]:

                        SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#613
                        -ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#613, SHA-384Val#613, SHA-512Val#613,
                        +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#613, SHA-384Val#613, SHA-512Val#613,
                        SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#613, SHA-256Val#613, SHA-384Val#613, SHA-512Val#613,
                        Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#245.
                        Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #245
                        FIPS186-2:
                        -ALG[ANSIX9.31]:

                        +
                        FIPS186-2:
                        +ALG[ANSIX9.31]:

                        SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#589
                        -ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#589, SHA-384Val#589, SHA-512Val#589,
                        +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#589, SHA-384Val#589, SHA-512Val#589,
                        SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#589, SHA-256Val#589, SHA-384Val#589, SHA-512Val#589,
                        Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#230.
                        Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #230
                        FIPS186-2:
                        -ALG[ANSIX9.31]:

                        +
                        FIPS186-2:
                        +ALG[ANSIX9.31]:

                        SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#578
                        -ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#578, SHA-384Val#578, SHA-512Val#578,
                        +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#578, SHA-384Val#578, SHA-512Val#578,
                        SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#578, SHA-256Val#578, SHA-384Val#578, SHA-512Val#578,
                        Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#222.
                        Windows CE and Windows Mobile 6 and Windows Mobile 6.1 Enhanced Cryptographic Provider (RSAENH) #222
                        FIPS186-2:
                        -ALG[RSASSA-PKCS1_V1_5]:

                        +
                        FIPS186-2:
                        +ALG[RSASSA-PKCS1_V1_5]:

                        SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#364
                        Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#81.
                        Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) #81
                        FIPS186-2:
                        -ALG[ANSIX9.31]:

                        +
                        FIPS186-2:
                        +ALG[ANSIX9.31]:

                        SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#305
                        -ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#305, SHA-384Val#305, SHA-512Val#305,
                        +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#305, SHA-384Val#305, SHA-512Val#305,
                        SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#305, SHA-256Val#305, SHA-384Val#305, SHA-512Val#305,
                        Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#52.
                        Windows CE 5.00 and Windows CE 5.01 Enhanced Cryptographic Provider (RSAENH) #52

                        FIPS186-2:

                        +

                        FIPS186-2:

                        – PKCS#1 v1.5, signature generation and verification

                        – Mod sizes: 1024, 1536, 2048, 3072, 4096

                        – SHS: SHA–1/256/384/512

                        Modes / States / Key SizesAlgorithm Implementation and Certificate #Modes / States / Key SizesAlgorithm Implementation and Certificate #
                          @@ -6213,170 +6213,170 @@ Some of the previously validated components for this validation have been remove

                          Version 10.0.16299

                        SHA-1      (BYTE-only)
                        -SHA-256  (BYTE-only)
                        -SHA-384  (BYTE-only)
                        -SHA-512  (BYTE-only)
                        SHA-1      (BYTE-only)
                        +SHA-256  (BYTE-only)
                        +SHA-384  (BYTE-only)
                        +SHA-512  (BYTE-only)

                        Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #3790

                        Version 10.0.15063

                        SHA-1      (BYTE-only)
                        -SHA-256  (BYTE-only)
                        -SHA-384  (BYTE-only)
                        -SHA-512  (BYTE-only)
                        SHA-1      (BYTE-only)
                        +SHA-256  (BYTE-only)
                        +SHA-384  (BYTE-only)
                        +SHA-512  (BYTE-only)

                        Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #3652

                        Version 7.00.2872

                        SHA-1      (BYTE-only)
                        -SHA-256  (BYTE-only)
                        -SHA-384  (BYTE-only)
                        -SHA-512  (BYTE-only)
                        SHA-1      (BYTE-only)
                        +SHA-256  (BYTE-only)
                        +SHA-384  (BYTE-only)
                        +SHA-512  (BYTE-only)

                        Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #3651

                        Version 8.00.6246

                        SHA-1      (BYTE-only)
                        -SHA-256  (BYTE-only)
                        -SHA-384  (BYTE-only)
                        -SHA-512  (BYTE-only)
                        SHA-1      (BYTE-only)
                        +SHA-256  (BYTE-only)
                        +SHA-384  (BYTE-only)
                        +SHA-512  (BYTE-only)

                        Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #3649

                        Version 7.00.2872

                        SHA-1      (BYTE-only)
                        -SHA-256  (BYTE-only)
                        -SHA-384  (BYTE-only)
                        -SHA-512  (BYTE-only)
                        SHA-1      (BYTE-only)
                        +SHA-256  (BYTE-only)
                        +SHA-384  (BYTE-only)
                        +SHA-512  (BYTE-only)

                        Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #3648

                        Version 8.00.6246

                        SHA-1 (BYTE-only)
                        -SHA-256 (BYTE-only)
                        -SHA-384 (BYTE-only)
                        -SHA-512 (BYTE-only)
                        SHA-1 (BYTE-only)
                        +SHA-256 (BYTE-only)
                        +SHA-384 (BYTE-only)
                        +SHA-512 (BYTE-only)
                        Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #3347
                        Version 10.0.14393
                        SHA-1 (BYTE-only)
                        -SHA-256 (BYTE-only)
                        -SHA-384 (BYTE-only)
                        -SHA-512 (BYTE-only)
                        SHA-1 (BYTE-only)
                        +SHA-256 (BYTE-only)
                        +SHA-384 (BYTE-only)
                        +SHA-512 (BYTE-only)
                        Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update RSA32 Algorithm Implementations #3346
                        Version 10.0.14393
                        SHA-1 (BYTE-only)
                        -SHA-256 (BYTE-only)
                        -SHA-384 (BYTE-only)
                        -SHA-512 (BYTE-only)
                        SHA-1 (BYTE-only)
                        +SHA-256 (BYTE-only)
                        +SHA-384 (BYTE-only)
                        +SHA-512 (BYTE-only)
                        Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub RSA32 Algorithm Implementations #3048
                        Version 10.0.10586
                        SHA-1 (BYTE-only)
                        -SHA-256 (BYTE-only)
                        -SHA-384 (BYTE-only)
                        -SHA-512 (BYTE-only)
                        SHA-1 (BYTE-only)
                        +SHA-256 (BYTE-only)
                        +SHA-384 (BYTE-only)
                        +SHA-512 (BYTE-only)
                        Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub SymCrypt Cryptographic Implementations #3047
                        Version 10.0.10586
                        SHA-1 (BYTE-only)
                        -SHA-256 (BYTE-only)
                        -SHA-384 (BYTE-only)
                        -SHA-512 (BYTE-only)
                        SHA-1 (BYTE-only)
                        +SHA-256 (BYTE-only)
                        +SHA-384 (BYTE-only)
                        +SHA-512 (BYTE-only)
                        Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #2886
                        Version 10.0.10240
                        SHA-1 (BYTE-only)
                        -SHA-256 (BYTE-only)
                        -SHA-384 (BYTE-only)
                        -SHA-512 (BYTE-only)
                        SHA-1 (BYTE-only)
                        +SHA-256 (BYTE-only)
                        +SHA-384 (BYTE-only)
                        +SHA-512 (BYTE-only)
                        Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 RSA32 Algorithm Implementations #2871
                        Version 10.0.10240
                        SHA-1 (BYTE-only)
                        -SHA-256 (BYTE-only)
                        -SHA-384 (BYTE-only)
                        -SHA-512 (BYTE-only)
                        SHA-1 (BYTE-only)
                        +SHA-256 (BYTE-only)
                        +SHA-384 (BYTE-only)
                        +SHA-512 (BYTE-only)
                        Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry RSA32 Algorithm Implementations #2396
                        Version 6.3.9600
                        SHA-1 (BYTE-only)
                        -SHA-256 (BYTE-only)
                        -SHA-384 (BYTE-only)
                        -SHA-512 (BYTE-only)
                        SHA-1 (BYTE-only)
                        +SHA-256 (BYTE-only)
                        +SHA-384 (BYTE-only)
                        +SHA-512 (BYTE-only)
                        Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #2373
                        Version 6.3.9600

                        SHA-1 (BYTE-only)

                        -

                        SHA-256 (BYTE-only)

                        -

                        SHA-384 (BYTE-only)

                        -

                        SHA-512 (BYTE-only)

                        +

                        SHA-1 (BYTE-only)

                        +

                        SHA-256 (BYTE-only)

                        +

                        SHA-384 (BYTE-only)

                        +

                        SHA-512 (BYTE-only)

                        Implementation does not support zero-length (null) messages.

                        Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #1903

                        Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Symmetric Algorithm Implementations (RSA32) #1902

                        SHA-1 (BYTE-only)
                        -SHA-256 (BYTE-only)
                        -SHA-384 (BYTE-only)
                        -SHA-512 (BYTE-only)
                        SHA-1 (BYTE-only)
                        +SHA-256 (BYTE-only)
                        +SHA-384 (BYTE-only)
                        +SHA-512 (BYTE-only)

                        Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1774

                        Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #1773

                        SHA-1 (BYTE-only)
                        -SHA-256 (BYTE-only)
                        -SHA-384 (BYTE-only)
                        -SHA-512 (BYTE-only)
                        SHA-1 (BYTE-only)
                        +SHA-256 (BYTE-only)
                        +SHA-384 (BYTE-only)
                        +SHA-512 (BYTE-only)

                        Windows 7 and SP1 and Windows Server 2008 R2 and SP1 Symmetric Algorithm Implementation #1081

                        Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #816

                        SHA-1 (BYTE-only)SHA-1 (BYTE-only)

                        Windows XP Professional SP3 Kernel Mode Cryptographic Module (fips.sys) #785

                        Windows XP Professional SP3 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #784

                        SHA-1 (BYTE-only)
                        -SHA-256 (BYTE-only)
                        -SHA-384 (BYTE-only)
                        -SHA-512 (BYTE-only)
                        SHA-1 (BYTE-only)
                        +SHA-256 (BYTE-only)
                        +SHA-384 (BYTE-only)
                        +SHA-512 (BYTE-only)
                        Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #783
                        SHA-1 (BYTE-only)
                        -SHA-256 (BYTE-only)
                        -SHA-384 (BYTE-only)
                        -SHA-512 (BYTE-only)
                        SHA-1 (BYTE-only)
                        +SHA-256 (BYTE-only)
                        +SHA-384 (BYTE-only)
                        +SHA-512 (BYTE-only)

                        Windows Vista SP1 and Windows Server 2008 Symmetric Algorithm Implementation #753

                        Windows Vista Symmetric Algorithm Implementation #618

                        SHA-1 (BYTE-only)
                        -SHA-256 (BYTE-only)
                        SHA-1 (BYTE-only)
                        +SHA-256 (BYTE-only)

                        Windows Vista BitLocker Drive Encryption #737

                        Windows Vista Beta 2 BitLocker Drive Encryption #495

                        SHA-1 (BYTE-only)
                        -SHA-256 (BYTE-only)
                        -SHA-384 (BYTE-only)
                        -SHA-512 (BYTE-only)
                        SHA-1 (BYTE-only)
                        +SHA-256 (BYTE-only)
                        +SHA-384 (BYTE-only)
                        +SHA-512 (BYTE-only)

                        Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #613

                        Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) #364

                        SHA-1 (BYTE-only)SHA-1 (BYTE-only)

                        Windows Server 2003 SP2 Enhanced DSS and Diffie-Hellman Cryptographic Provider #611

                        Windows Server 2003 SP2 Kernel Mode Cryptographic Module (fips.sys) #610

                        Windows Server 2003 SP1 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #385

                        @@ -6386,16 +6386,16 @@ Version 6.3.9600
                        SHA-1 (BYTE-only)
                        -SHA-256 (BYTE-only)
                        -SHA-384 (BYTE-only)
                        -SHA-512 (BYTE-only)
                        SHA-1 (BYTE-only)
                        +SHA-256 (BYTE-only)
                        +SHA-384 (BYTE-only)
                        +SHA-512 (BYTE-only)

                        Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #589

                        Windows CE and Windows Mobile 6 and Windows Mobile 6.5 Enhanced Cryptographic Provider (RSAENH) #578

                        Windows CE 5.00 and Windows CE 5.01 Enhanced Cryptographic Provider (RSAENH) #305

                        SHA-1 (BYTE-only)SHA-1 (BYTE-only)

                        Windows XP Microsoft Enhanced Cryptographic Provider #83

                        Crypto Driver for Windows 2000 (fips.sys) #35

                        Windows 2000 Microsoft Outlook Cryptographic Provider (EXCHCSP.DLL) SR-1A (3821) #32

                        @@ -6417,8 +6417,8 @@ Version 6.3.9600
                        Modes / States / Key SizesAlgorithm Implementation and Certificate #Modes / States / Key SizesAlgorithm Implementation and Certificate #
                          @@ -6499,112 +6499,112 @@ Version 6.3.9600
                        TECB( KO 1 e/d, ) ; TCBC( KO 1 e/d, ) ; TCFB8( KO 1 e/d, ) ; TCFB64( KO 1 e/d, )TECB( KO 1 e/d, ) ; TCBC( KO 1 e/d, ) ; TCFB8( KO 1 e/d, ) ; TCFB64( KO 1 e/d, )

                        Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #2459

                        Version 10.0.15063

                        TECB( KO 1 e/d, ) ;

                        -

                        TCBC( KO 1 e/d, )

                        TECB( KO 1 e/d, ) ;

                        +

                        TCBC( KO 1 e/d, )

                        Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2384

                        Version 8.00.6246

                        TECB( KO 1 e/d, ) ;

                        -

                        TCBC( KO 1 e/d, )

                        TECB( KO 1 e/d, ) ;

                        +

                        TCBC( KO 1 e/d, )

                        Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2383

                        Version 8.00.6246

                        TECB( KO 1 e/d, ) ;

                        -

                        TCBC( KO 1 e/d, ) ;

                        -

                        CTR ( int only )

                        TECB( KO 1 e/d, ) ;

                        +

                        TCBC( KO 1 e/d, ) ;

                        +

                        CTR ( int only )

                        Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2382

                        Version 7.00.2872

                        TECB( KO 1 e/d, ) ;

                        -

                        TCBC( KO 1 e/d, )

                        TECB( KO 1 e/d, ) ;

                        +

                        TCBC( KO 1 e/d, )

                        Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2381

                        Version 8.00.6246

                        TECB( KO 1 e/d, ) ;

                        -

                        TCBC( KO 1 e/d, ) ;

                        -

                        TCFB8( KO 1 e/d, ) ;

                        -

                        TCFB64( KO 1 e/d, )

                        TECB( KO 1 e/d, ) ;

                        +

                        TCBC( KO 1 e/d, ) ;

                        +

                        TCFB8( KO 1 e/d, ) ;

                        +

                        TCFB64( KO 1 e/d, )

                        Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #2227

                        Version 10.0.14393

                        TECB( KO 1 e/d, ) ;

                        -

                        TCBC( KO 1 e/d, ) ;

                        -

                        TCFB8( KO 1 e/d, ) ;

                        -

                        TCFB64( KO 1 e/d, )

                        TECB( KO 1 e/d, ) ;

                        +

                        TCBC( KO 1 e/d, ) ;

                        +

                        TCFB8( KO 1 e/d, ) ;

                        +

                        TCFB64( KO 1 e/d, )

                        Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub SymCrypt Cryptographic Implementations #2024

                        Version 10.0.10586

                        TECB( KO 1 e/d, ) ;

                        -

                        TCBC( KO 1 e/d, ) ;

                        -

                        TCFB8( KO 1 e/d, ) ;

                        -

                        TCFB64( KO 1 e/d, )

                        TECB( KO 1 e/d, ) ;

                        +

                        TCBC( KO 1 e/d, ) ;

                        +

                        TCFB8( KO 1 e/d, ) ;

                        +

                        TCFB64( KO 1 e/d, )

                        Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #1969

                        Version 10.0.10240

                        TECB( KO 1 e/d, ) ;

                        -

                        TCBC( KO 1 e/d, ) ;

                        -

                        TCFB8( KO 1 e/d, ) ;

                        -

                        TCFB64( KO 1 e/d, )

                        TECB( KO 1 e/d, ) ;

                        +

                        TCBC( KO 1 e/d, ) ;

                        +

                        TCFB8( KO 1 e/d, ) ;

                        +

                        TCFB64( KO 1 e/d, )

                        Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #1692

                        Version 6.3.9600

                        TECB( e/d; KO 1,2 ) ;

                        -

                        TCBC( e/d; KO 1,2 ) ;

                        -

                        TCFB8( e/d; KO 1,2 ) ;

                        -

                        TCFB64( e/d; KO 1,2 )

                        TECB( e/d; KO 1,2 ) ;

                        +

                        TCBC( e/d; KO 1,2 ) ;

                        +

                        TCFB8( e/d; KO 1,2 ) ;

                        +

                        TCFB64( e/d; KO 1,2 )

                        Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #1387

                        TECB( e/d; KO 1,2 ) ;

                        -

                        TCBC( e/d; KO 1,2 ) ;

                        -

                        TCFB8( e/d; KO 1,2 )

                        TECB( e/d; KO 1,2 ) ;

                        +

                        TCBC( e/d; KO 1,2 ) ;

                        +

                        TCFB8( e/d; KO 1,2 )

                        Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Symmetric Algorithm Implementations (RSA32) #1386

                        TECB( e/d; KO 1,2 ) ;

                        -

                        TCBC( e/d; KO 1,2 ) ;

                        -

                        TCFB8( e/d; KO 1,2 )

                        TECB( e/d; KO 1,2 ) ;

                        +

                        TCBC( e/d; KO 1,2 ) ;

                        +

                        TCFB8( e/d; KO 1,2 )

                        Windows 7 and SP1 and Windows Server 2008 R2 and SP1 Symmetric Algorithm Implementation #846

                        TECB( e/d; KO 1,2 ) ;

                        -

                        TCBC( e/d; KO 1,2 ) ;

                        -

                        TCFB8( e/d; KO 1,2 )

                        TECB( e/d; KO 1,2 ) ;

                        +

                        TCBC( e/d; KO 1,2 ) ;

                        +

                        TCFB8( e/d; KO 1,2 )

                        Windows Vista SP1 and Windows Server 2008 Symmetric Algorithm Implementation #656

                        TECB( e/d; KO 1,2 ) ;

                        -

                        TCBC( e/d; KO 1,2 ) ;

                        -

                        TCFB8( e/d; KO 1,2 )

                        TECB( e/d; KO 1,2 ) ;

                        +

                        TCBC( e/d; KO 1,2 ) ;

                        +

                        TCFB8( e/d; KO 1,2 )

                        Windows Vista Symmetric Algorithm Implementation #549
                        Triple DES MACTriple DES MAC

                        Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 #1386, vendor-affirmed

                        Windows 7 and SP1 and Windows Server 2008 R2 and SP1 #846, vendor-affirmed

                        TECB( e/d; KO 1,2 ) ;

                        -

                        TCBC( e/d; KO 1,2 )

                        TECB( e/d; KO 1,2 ) ;

                        +

                        TCBC( e/d; KO 1,2 )

                        Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1308

                        Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #1307

                        Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #691

                        @@ -6636,15 +6636,15 @@ Version 6.3.9600
                        + PBKDF (vendor affirmed) + PBKDF (vendor affirmed) - - + + - + @@ -77,8 +77,8 @@ The attack surface reduction set of capabilities provide the first line of defen -**[Next generation protection](microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md)**
                        -To further reinforce the security perimeter of your network, Microsoft Defender ATP uses next generation protection designed to catch all types of emerging threats. +**[Next-generation protection](microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md)**
                        +To further reinforce the security perimeter of your network, Microsoft Defender ATP uses next-generation protection designed to catch all types of emerging threats. - [Behavior monitoring](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus) - [Cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-protection-features-microsoft-defender-antivirus) @@ -135,7 +135,7 @@ Integrate Microsoft Defender Advanced Threat Protection into your existing workf - [API and SIEM integration](microsoft-defender-atp/configure-siem.md) - [Exposed APIs](microsoft-defender-atp/apis-intro.md) - [Role-based access control (RBAC)](microsoft-defender-atp/rbac.md) -- [Reporting and trends](microsoft-defender-atp/powerbi-reports.md) +- [Reporting and trends](microsoft-defender-atp/threat-protection-reports.md) **[Integration with Microsoft solutions](microsoft-defender-atp/threat-protection-integration.md)**
                        diff --git a/windows/security/threat-protection/intelligence/coinminer-malware.md b/windows/security/threat-protection/intelligence/coinminer-malware.md index 52771c8630..2584ee9200 100644 --- a/windows/security/threat-protection/intelligence/coinminer-malware.md +++ b/windows/security/threat-protection/intelligence/coinminer-malware.md @@ -31,7 +31,7 @@ Many infections start with: Mining is the process of running complex mathematical calculations necessary to maintain the blockchain ledger. This process generates coins but requires significant computing resources. -Coin miners are not inherently malicious. Some individuals and organizations invest in hardware and electric power for legitimate coin mining operations. However, others look for alternative sources of computing power and try to find their way into corporate networks. These coin miners are not wanted in enterprise environments because they eat up precious computing resources. +Coin miners aren't inherently malicious. Some individuals and organizations invest in hardware and electric power for legitimate coin mining operations. However, others look for alternative sources of computing power and try to find their way into corporate networks. These coin miners aren't wanted in enterprise environments because they eat up precious computing resources. Cybercriminals see an opportunity to make money by running malware campaigns that distribute, install, and run trojanized miners at the expense of other people’s computing resources. 
@@ -41,12 +41,12 @@ DDE exploits, which have been known to distribute ransomware, are now delivering For example, a sample of the malware detected as Trojan:Win32/Coinminer (SHA-256: 7213cbbb1a634d780f9bb861418eb262f58954e6e5dca09ca50c1e1324451293) is installed by Exploit:O97M/DDEDownloader.PA, a Word document that contains the DDE exploit. -The exploit launches a cmdlet that executes a malicious PowerShell script (Trojan:PowerShell/Maponeir.A), which then downloads the trojanized miner: a modified version of the miner XMRig, which mines Monero cryptocurrency. +The exploit launches a cmdlet that executes a malicious PowerShell script (Trojan:PowerShell/Maponeir.A). It downloads the trojanized miner, a modified version of the miner XMRig, which then mines Monero cryptocurrency. ## How to protect against coin miners -**Enable PUA detection**: Some coin mining tools are not considered malware but are detected as potentially unwanted applications (PUA). Many applications detected as PUA can negatively impact machine performance and employee productivity. In enterprise environments, you can stop adware, torrent downloaders, and coin mining by enabling PUA detection. +**Enable potentially unwanted applications (PUA) detection**. Some coin mining tools aren't considered malware but are detected as PUA. Many applications detected as PUA can negatively impact machine performance and employee productivity. In enterprise environments, you can stop adware, torrent downloaders, and coin mining by enabling PUA detection. -Since coin miners is becoming a popular payload in many different kinds of attacks, see general tips on how to [prevent malware infection](prevent-malware-infection.md). +Since coin miners are becoming a popular payload in many different kinds of attacks, see general tips on how to [prevent malware infection](prevent-malware-infection.md). 
For more information on coin miners, see the blog post [Invisible resource thieves: The increasing threat of cryptocurrency miners](https://cloudblogs.microsoft.com/microsoftsecure/2018/03/13/invisible-resource-thieves-the-increasing-threat-of-cryptocurrency-miners/).
diff --git a/windows/security/threat-protection/intelligence/coordinated-malware-eradication.md b/windows/security/threat-protection/intelligence/coordinated-malware-eradication.md
index fef7da884b..6a3a933a3f 100644
--- a/windows/security/threat-protection/intelligence/coordinated-malware-eradication.md
+++ b/windows/security/threat-protection/intelligence/coordinated-malware-eradication.md
@@ -20,20 +20,20 @@ ms.topic: article Coordinated Malware Eradication (CME) aims to bring organizations in cybersecurity and in other industries together to change the game against malware. While the cybersecurity industry today is effective at disrupting malware families through individual efforts, those disruptions rarely lead to eradication since malware authors quickly adapt their tactics to survive. -CME calls for organizations to pool their tools, information and actions to drive coordinated campaigns against malware. The ultimate goal is to drive efficient and long lasting results for better protection of our collective communities, customers, and businesses. +CME calls for organizations to pool their tools, information, and actions to drive coordinated campaigns against malware. The goal is to drive efficient and long-lasting results to better protect our communities, customers, and businesses. ## Combining our tools, information, and actions -Diversity of participation across industries and disciplines, extending beyond cybersecurity, makes eradication campaigns even stronger across the malware lifecycle. For instance, while security vendors, computer emergency response/readiness teams (CERTs), and Internet service providers (ISPs) can contribute with malware telemetry, online businesses can identify fraudulent behavior and law enforcement agencies can drive legal action. +Diversity of participation across industries and disciplines, extending beyond cybersecurity, makes eradication campaigns even stronger across the malware lifecycle. Security vendors, computer emergency response/readiness teams (CERTs), and Internet service providers (ISPs) can contribute with malware telemetry. Online businesses can identify fraudulent behavior and law enforcement agencies can drive legal action. 
-In addition to telemetry and analysis data, Microsoft is planning to contribute cloud-based scalable storage and computing horsepower with the necessary big data analysis tools built-in to these campaigns. +Microsoft is planning to contribute telemetry and analysis data to these campaigns. It will also provide cloud-based scalable storage and computing horsepower with the necessary big data analysis tools built-in. ## Coordinated campaigns for lasting results -Organizations participating in the CME effort work together to help eradicate selected malware families by contributing their own telemetry data, expertise, tools, and other resources. These organizations operate under a campaign umbrella with clearly defined end goals and metrics. Any organization or member can initiate a campaign and invite others to join it. The members then have the option to accept or decline the invitations they receive. +Organizations participating in the CME effort work together to help eradicate selected malware families by contributing their own telemetry data, expertise, tools, and other resources. These organizations operate under a campaign umbrella with clearly defined end goals and metrics. Any organization or member can start a campaign and invite others to join it. The members can then accept or decline the invitations they receive. ## Join the effort -Any organization that is involved in cybersecurity and antimalware or interested in fighting cybercrime can participate in CME campaigns by enrolling in the [Virus Information Alliance (VIA) program](virus-information-alliance-criteria.md). It ensures that everyone agrees to use the information and tools available for campaigns for their intended purpose (that is, the eradication of malware). 
+Any organization that is involved in cybersecurity and antimalware or interested in fighting cybercrime can participate in CME campaigns by enrolling in the [Virus Information Alliance (VIA) program](virus-information-alliance-criteria.md). Everyone agrees to use the available information and tools for their intended purpose (that is, the eradication of malware). -If your organization meets these criteria and is interested in joining, [apply for membership now](https://www.microsoft.com/wdsi/alliances/apply-alliance-membership). If you have questions, [contact us for more information](https://www.microsoft.com/wdsi/alliances/collaboration-inquiry). +If your organization meets these criteria and is interested in joining, [apply for membership now](https://www.microsoft.com/wdsi/alliances/apply-alliance-membership). For any questions, [contact us for more information](https://www.microsoft.com/wdsi/alliances/collaboration-inquiry). diff --git a/windows/security/threat-protection/intelligence/criteria.md b/windows/security/threat-protection/intelligence/criteria.md index 74c19eb50f..77a3c4e33d 100644 --- a/windows/security/threat-protection/intelligence/criteria.md +++ b/windows/security/threat-protection/intelligence/criteria.md @@ -1,7 +1,7 @@ --- title: How Microsoft identifies malware and potentially unwanted applications ms.reviewer: -description: Learn how Microsoft reviews software for privacy violations and other negative behavior, to determine if it is malware or a potentially unwanted application. +description: Learn how Microsoft reviews software for privacy violations and other negative behavior, to determine if it's malware or a potentially unwanted application. keywords: security, malware, virus research threats, research malware, device protection, computer infection, virus infection, descriptions, remediation, latest threats, MMdevice, Microsoft Malware Protection Center, PUA, potentially unwanted applications ms.prod: w10 ms.mktglfcycl: secure 
@@ -18,7 +18,7 @@ search.appverid: met150 # How Microsoft identifies malware and potentially unwanted applications -Microsoft aims to provide a delightful and productive Windows experience by working to ensure you are safe and in control of your devices. Microsoft helps protect you from potential threats by identifying and analyzing software and online content. When you download, install, and run software, we check the reputation of downloaded programs and ensure you are protected against known threats and warned about software that is unknown to us. +Microsoft aims to provide a delightful and productive Windows experience by working to ensure you're safe and in control of your devices. Microsoft helps protect you from potential threats by identifying and analyzing software and online content. When you download, install, and run software, we check the reputation of downloaded programs and ensure you're protected against known threats. You are also warned about software that is unknown to us. You can assist Microsoft by [submitting unknown or suspicious software for analysis](https://www.microsoft.com/wdsi/filesubmission/). This will help ensure that unknown or suspicious software is scanned by our system to start establishing reputation. [Learn more about submitting files for analysis](submission-guide.md) 
@@ -29,9 +29,9 @@ The next sections provide an overview of the classifications we use for applicat ## Unknown – Unrecognized software -No antivirus or protection technology is perfect. It takes time to identify and block malicious sites and applications, or trust newly released programs and certificates.  With almost 2 billion websites on the internet and software continuously being updated and released, it's impossible to have information about every single site and program. +No antivirus or protection technology is perfect. It takes time to identify and block malicious sites and applications, or trust newly released programs and certificates.  With almost 2 billion websites on the internet and software continuously updated and released, it's impossible to have information about every single site and program. -You can think of Unknown/Uncommonly downloaded warnings as an early warning system for potentially undetected malware, as there is generally a delay from the time new malware is released until it is identified. Not all uncommon programs are malicious, but the risk in the unknown category is significantly higher for the typical user. Warnings for unknown software are not blocks, and users can choose to download and run the application normally if they wish to. +Think of Unknown/Uncommonly downloaded warnings as an early warning system for potentially undetected malware. There's generally a delay from the time new malware is released until it's identified. Not all uncommon programs are malicious, but the risk in the unknown category is much higher for the typical user. Warnings for unknown software aren't blocks. Users can choose to download and run the application normally if they wish to. Once enough data is gathered, Microsoft's security solutions can make a determination. Either no threats are found, or an application or software is categorized as malware or potentially unwanted software. 
@@ -61,11 +61,11 @@ Microsoft classifies most malicious software into one of the following categorie * **Password stealer:** A type of malware that gathers your personal information, such as usernames and passwords. It often works along with a keylogger, which collects and sends information about the keys you press and websites you visit. -* **Ransomware:** A type of malware that encrypts your files or makes other modifications that can prevent you from using your device. It then displays a ransom note which states you must pay money, complete surveys, or perform other actions before you can use your device again. [See more information about ransomware](ransomware-malware.md). +* **Ransomware:** A type of malware that encrypts your files or makes other modifications that can prevent you from using your device. It then displays a ransom note that states you must pay money or perform other actions before you can use your device again. [See more information about ransomware](ransomware-malware.md). * **Rogue security software:** Malware that pretends to be security software but doesn't provide any protection. This type of malware usually displays alerts about nonexistent threats on your device. It also tries to convince you to pay for its services. -* **Trojan:** A type of malware that attempts to appear harmless. Unlike a virus or a worm, a trojan doesn't spread by itself. Instead, it tries to look legitimate and tricks users into downloading and installing it. Once installed, trojans perform various malicious activities such as stealing personal information, downloading other malware, or giving attackers access to your device. +* **Trojan:** A type of malware that attempts to appear harmless. Unlike a virus or a worm, a trojan doesn't spread by itself. Instead, it tries to look legitimate to tricks users into downloading and installing it. 
Once installed, trojans perform various malicious activities such as stealing personal information, downloading other malware, or giving attackers access to your device. * **Trojan clicker:** A type of trojan that automatically clicks buttons or similar controls on websites or applications. Attackers can use this trojan to click on online advertisements. These clicks can skew online polls or other tracking systems and can even install applications on your device. 
@@ -73,17 +73,17 @@ Microsoft classifies most malicious software into one of the following categorie ### Unwanted software -Microsoft believes that you should have control over your Windows experience. Software running on Windows should keep you in control of your device through informed choices and accessible controls. Microsoft identifies software behaviors that ensure you stay in control. We classify software that does not fully demonstrate these behaviors as "unwanted software". +Microsoft believes that you should have control over your Windows experience. Software running on Windows should keep you in control of your device through informed choices and accessible controls. Microsoft identifies software behaviors that ensure you stay in control. We classify software that doesn't fully demonstrate these behaviors as "unwanted software". #### Lack of choice -You must be notified about what is happening on your device, including what software does and whether it is active. +You must be notified about what is happening on your device, including what software does and whether it's active. Software that exhibits lack of choice might: * Fail to provide prominent notice about the behavior of the software and its purpose and intent. -* Fail to clearly indicate when the software is active and might also attempt to hide or disguise its presence. +* Fail to clearly indicate when the software is active. It might also attempt to hide or disguise its presence. * Install, reinstall, or remove software without your permission, interaction, or consent. 
@@ -93,7 +93,7 @@ Software that exhibits lack of choice might: * Falsely claim to be software from Microsoft. -Software must not mislead or coerce you into making decisions about your device. This is considered behavior that limits your choices. In addition to the previous list, software that exhibits lack of choice might: +Software must not mislead or coerce you into making decisions about your device. It is considered behavior that limits your choices. In addition to the previous list, software that exhibits lack of choice might: * Display exaggerated claims about your device's health. @@ -103,7 +103,7 @@ Software must not mislead or coerce you into making decisions about your device. Software that stores or transmits your activities or data must: -* Give you notice and get consent to do so. Software should not include an option that configures it to hide activities associated with storing or transmitting your data. +* Give you notice and get consent to do so. Software shouldn't include an option that configures it to hide activities associated with storing or transmitting your data. #### Lack of control @@ -119,7 +119,7 @@ Software that exhibits lack of control might: * Modify or manipulate webpage content without your consent. -Software that changes your browsing experience must only use the browser's supported extensibility model for installation, execution, disabling, or removal. Browsers that do not provide supported extensibility models are considered non-extensible and should not be modified. +Software that changes your browsing experience must only use the browser's supported extensibility model for installation, execution, disabling, or removal. Browsers that don't provide supported extensibility models are considered non-extensible and shouldn't be modified. #### Installation and removal 
diff --git a/windows/security/threat-protection/intelligence/cybersecurity-industry-partners.md b/windows/security/threat-protection/intelligence/cybersecurity-industry-partners.md index 1a57f85019..3cb57c45ef 100644 --- a/windows/security/threat-protection/intelligence/cybersecurity-industry-partners.md +++ b/windows/security/threat-protection/intelligence/cybersecurity-industry-partners.md @@ -38,6 +38,6 @@ Go to the [MVI program page](virus-initiative-criteria.md) for more information. CME is open to organizations who are involved in cybersecurity and antimalware or interested in fighting cybercrime. -The program aims to bring organizations in cybersecurity and other industries together to pool tools, information and actions to drive coordinated campaigns against malware. The ultimate goal is to create efficient and long-lasting results for better protection of our collective communities, customers, and businesses. +The program aims to bring organizations in cybersecurity and other industries together to pool tools, information, and actions to drive coordinated campaigns against malware. The ultimate goal is to create efficient and long-lasting results for better protection of our communities, customers, and businesses. Go to the [CME program page](coordinated-malware-eradication.md) for more information. diff --git a/windows/security/threat-protection/intelligence/developer-faq.md b/windows/security/threat-protection/intelligence/developer-faq.md index e3d47a044c..06734edb7a 100644 --- a/windows/security/threat-protection/intelligence/developer-faq.md +++ b/windows/security/threat-protection/intelligence/developer-faq.md 
@@ -23,19 +23,19 @@ This page provides answers to common questions we receive from software develope
 ## Does Microsoft accept files for a known list or false-positive prevention program?
-No. We do not accept these requests from software developers. Signing your program's files in a consistent manner, with a digital certificate issued by a trusted root authority, helps our research team quickly identify the source of a program and apply previously gained knowledge. In some cases, this might result in your program being quickly added to the known list or, far less frequently, in adding your digital certificate to a list of trusted publishers.
+No. We don't accept these requests from software developers. Signing your program's files in a consistent manner, with a digital certificate issued by a trusted root authority, helps our research team quickly identify the source of a program and apply previously gained knowledge. In some cases, this might result in your program being quickly added to the known list. Far less frequently, in will add your digital certificate to a list of trusted publishers.
 ## How do I dispute the detection of my program?
 Submit the file in question as a software developer. Wait until your submission has a final determination.
-If you're not satisfied with our determination of the submission, use the developer contact form provided with the submission results to reach Microsoft. We will use the information you provide to investigate further if necessary.
+If you're not satisfied with our determination of the submission, use the developer contact form provided with the submission results to reach Microsoft. We'll use the information you provide to investigate further if necessary.
 We encourage all software vendors and developers to read about [how Microsoft identifies malware and Potentially Unwanted Applications (PUA)](criteria.md).
 ## Why is Microsoft asking for a copy of my program?
-This can help us with our analysis. 
Participants of the [Microsoft Active Protection Service (MAPS)](https://www.microsoft.com/msrc/mapp) may occasionally receive these requests. The requests will stop once our systems have received and processed the file.
+Providing copies can help us with our analysis. Participants of the [Microsoft Active Protection Service (MAPS)](https://www.microsoft.com/msrc/mapp) may occasionally receive these requests. The requests will stop once our systems have received and processed the file.
 ## Why does Microsoft classify my installer as a software bundler?
@@ -43,8 +43,8 @@ It contains instructions to offer a program classified as unwanted software. You
 ## Why is the Windows Defender Firewall blocking my program?
-This is not related to Microsoft Defender Antivirus and other Microsoft antimalware. [Learn about Windows Defender Firewall](https://docs.microsoft.com/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security).
+Firewall blocks aren't related to Microsoft Defender Antivirus and other Microsoft antimalware. [Learn about Windows Defender Firewall](https://docs.microsoft.com/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security).
-## Why does the Microsoft Defender SmartScreen say my program is not commonly downloaded?
+## Why does the Microsoft Defender Windows Defender SmartScreen say my program isn't commonly downloaded?
-This is not related to Microsoft Defender Antivirus and other Microsoft antimalware. [Learn about Microsoft Defender SmartScreen](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview)
+This isn't related to Microsoft Defender Antivirus and other Microsoft antimalware. [Learn about Microsoft Defender Windows Defender SmartScreen](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview)
diff --git a/windows/security/threat-protection/intelligence/developer-info.md b/windows/security/threat-protection/intelligence/developer-info.md
index 19d1a76072..eb0ac99896 100644
--- a/windows/security/threat-protection/intelligence/developer-info.md
+++ b/windows/security/threat-protection/intelligence/developer-info.md
@@ -26,4 +26,4 @@ Learn about the common questions we receive from software developers and get oth
 Topic | Description
 :---|:---
 [Software developer FAQ](developer-faq.md) | Provides answers to common questions we receive from software developers.
-[Developer resources](developer-resources.md) | Provides information about how to submit files, detection criteria, and how to check your software against the latest security intelligence and cloud protection from Microsoft.
+[Developer resources](developer-resources.md) | Provides information about how to submit files and the detection criteria. Learn how to check your software against the latest security intelligence and cloud protection from Microsoft.
diff --git a/windows/security/threat-protection/intelligence/exploits-malware.md b/windows/security/threat-protection/intelligence/exploits-malware.md
index beff687643..c7b63fd5fd 100644
--- a/windows/security/threat-protection/intelligence/exploits-malware.md
+++ b/windows/security/threat-protection/intelligence/exploits-malware.md
@@ -1,7 +1,7 @@
 ---
 title: Exploits and exploit kits
 ms.reviewer:
-description: Learn about how exploits use vulnerabilities in common software to give an attackers access to your computer and to install other malware.
+description: Learn about how exploits use vulnerabilities in common software to give attackers access to your computer and install other malware.
 keywords: security, malware, exploits, exploit kits, prevention, vulnerabilities, Microsoft, Exploit malware family, exploits, java, flash, adobe, update software, prevent exploits, exploit pack, vulnerability, 0-day, holes, weaknesses, attack, Flash, Adobe, out-of-date software, out of date software, update, update software, reinfection, Java cache, reinfected, won't remove, won't clean, still detects, full scan, MSE, Defender, WDSI, MMPC, Microsoft Malware Protection Center
 ms.prod: w10
 ms.mktglfcycl: secure
@@ -21,17 +21,17 @@ Exploits take advantage of vulnerabilities in software. A vulnerability is like
 ## How exploits and exploit kits work
-Exploits are often the first part of a larger attack. Hackers scan for outdated systems that contain critical vulnerabilities, which they then exploit by deploying targeted malware. Exploits often include what's called "shellcode". This is a small malware payload that's used to download additional malware from attacker-controlled networks. This allows hackers to infect devices and infiltrate organizations.
+Exploits are often the first part of a larger attack. Hackers scan for outdated systems that contain critical vulnerabilities, which they then exploit by deploying targeted malware. Exploits often include shellcode, which is a small malware payload used to download additional malware from attacker-controlled networks. Shellcode allows hackers to infect devices and infiltrate organizations.
-Exploit kits are more comprehensive tools that contain a collection of exploits. These kits scan devices for different kinds of software vulnerabilities and, if any are detected, deploys additional malware to further infect a device. Kits can use exploits targeting a variety of software, including Adobe Flash Player, Adobe Reader, Internet Explorer, Oracle Java and Sun Java.
+Exploit kits are more comprehensive tools that contain a collection of exploits. These kits scan devices for different kinds of software vulnerabilities and, if any are detected, deploy additional malware to further infect a device. Kits can use exploits targeting a variety of software, including Adobe Flash Player, Adobe Reader, Internet Explorer, Oracle Java, and Sun Java.
 The most common method used by attackers to distribute exploits and exploit kits is through webpages, but exploits can also arrive in emails. Some websites unknowingly and unwillingly host malicious code and exploits in their ads.
-The infographic below shows how an exploit kit might attempt to exploit a device when a compromised webpage is visited.
+The infographic below shows how an exploit kit might attempt to exploit a device after you visit a compromised webpage.
-![example of how exploit kits work](./images/ExploitKit.png)
+![example of how exploit kits work.](./images/ExploitKit.png)
-*Figure 1. Example of how exploit kits work*
+*Figure 1. Example of how to exploit kits work*
 Several notable threats, including Wannacry, exploit the Server Message Block (SMB) vulnerability CVE-2017-0144 to launch malware.
@@ -56,6 +56,6 @@ You can read more on the [CVE website](https://cve.mitre.org/).
 ## How to protect against exploits
-The best prevention for exploits is to keep your organization's [software up to date](https://portal.msrc.microsoft.com/). Software vendors provide updates for many known vulnerabilities and making sure these updates are applied to all devices is an important step to prevent malware.
+The best prevention for exploits is to keep your organization's [software up to date](https://portal.msrc.microsoft.com/). Software vendors provide updates for many known vulnerabilities, so make sure these updates are applied to all devices.
 For more general tips, see [prevent malware infection](prevent-malware-infection.md).
diff --git a/windows/security/threat-protection/intelligence/fileless-threats.md b/windows/security/threat-protection/intelligence/fileless-threats.md
index bc3ecd48d1..6ae2dcfe4c 100644
--- a/windows/security/threat-protection/intelligence/fileless-threats.md
+++ b/windows/security/threat-protection/intelligence/fileless-threats.md
@@ -2,7 +2,7 @@
 title: Fileless threats
 ms.reviewer:
 description: Learn about the categories of fileless threats and malware that "live off the land"
-keywords: fileless, fileless malware, living off the land, lolbins, amsi, behavior monitoring, memory scanning, boot sector protection, security, malware, Windows Defender ATP, antivirus, AV, Microsoft Defender ATP, next generation protection
+keywords: fileless, fileless malware, living off the land, lolbins, amsi, behavior monitoring, memory scanning, boot sector protection, security, malware, Windows Defender ATP, antivirus, AV, Microsoft Defender ATP, next-generation protection
 ms.prod: w10
 ms.mktglfcycl: secure
 ms.sitesec: library
@@ -18,9 +18,9 @@ search.appverid: met150
 # Fileless threats
-What exactly are fileless threats? The term "fileless" suggests that a threat does not come in a file, such as a backdoor that lives only in the memory of a machine. However, there's no generally accepted definition for fileless malware. The term is used broadly; it's also used to describe malware families that do rely on files to operate.
+What exactly are fileless threats? The term "fileless" suggests that a threat doesn't come in a file, such as a backdoor that lives only in the memory of a machine. However, there's no one definition for fileless malware. The term is used broadly, and sometimes to describe malware families that do rely on files to operate.
-Given that attacks involve [several stages](https://attack.mitre.org/wiki/ATT&CK_Matrix) for functionalities like execution, persistence, or information theft, some parts of the attack chain may be fileless, while others may involve the filesystem in some form.
+Attacks involve [several stages](https://attack.mitre.org/wiki/ATT&CK_Matrix) for functionalities like execution, persistence, or information theft. Some parts of the attack chain may be fileless, while others may involve the file system in some form.
 For clarity, fileless threats are grouped into different categories.
@@ -29,42 +29,42 @@ For clarity, fileless threats are grouped into different categories.
 Fileless threats can be classified by their entry point, which indicates how fileless malware can arrive on a machine. They can arrive via an exploit, through compromised hardware, or via regular execution of applications and scripts.
-Next, list the form of entry point. For example, exploits can be based on files or network data, PCI peripherals are a type of hardware vector, and scripts and executables are sub-categories of the execution vector.
+Next, list the form of entry point. For example, exploits can be based on files or network data, PCI peripherals are a type of hardware vector, and scripts and executables are subcategories of the execution vector.
-Finally, classify the host of the infection. For example, a Flash application that may contain an exploit, a simple executable, malicious firmware from a hardware device, or an infected MBR, which could bootstrap the execution of a malware before the operating system even loads.
+Finally, classify the host of the infection. For example, a Flash application may contain a variety of threats such as an exploit, a simple executable, and malicious firmware from a hardware device.
-This helps you divide and categorize the various kinds of fileless threats. Clearly, the categories are not all the same: some are more dangerous but also more difficult to implement, while others are more commonly used despite (or precisely because of) not being very advanced.
+Classifying helps you divide and categorize the various kinds of fileless threats. Some are more dangerous but also more difficult to implement, while others are more commonly used despite (or precisely because of) not being very advanced.
 From this categorization, you can glean three main types of fileless threats based on how much fingerprint they may leave on infected machines.
## Type I: No file activity performed
-A completely fileless malware can be considered one that never requires writing a file on the disk. How would such malware infect a machine in the first place? An example scenario could be a target machine receiving malicious network packets that exploit the EternalBlue vulnerability, leading to the installation of the DoublePulsar backdoor, which ends up residing only in the kernel memory. In this case, there is no file or any data written on a file.
+A fully fileless malware can be considered one that never requires writing a file on the disk. How would such malware infect a machine in the first place? One example is where a target machine receives malicious network packets that exploit the EternalBlue vulnerability. The vulnerability allows the installation of the DoublePulsar backdoor, which ends up residing only in the kernel memory. In this case, there's no file or any data written on a file.
-Another scenario could involve compromised devices, where malicious code could be hiding in device firmware (such as a BIOS), a USB peripheral (like the BadUSB attack), or even in the firmware of a network card. All these examples do not require a file on the disk to run and can theoretically live only in memory, surviving even reboots, disk reformats, and OS reinstalls.
+A compromised device may also have malicious code hiding in device firmware (such as a BIOS), a USB peripheral (like the BadUSB attack), or in the firmware of a network card. All these examples don't require a file on the disk to run, and can theoretically live only in memory. The malicious code would survive reboots, disk reformats, and OS reinstalls.
-Infections of this type can be extra difficult to detect and remediate. Antivirus products usually don’t have the capability to access firmware for inspection; even if they did, it would be extremely challenging to detect and remediate threats at this level. 
Because this type of fileless malware requires high levels of sophistication and often depend on particular hardware or software configuration, it’s not an attack vector that can be exploited easily and reliably. For this reason, while extremely dangerous, threats of this type tend to be very uncommon and not practical for most attacks.
+Infections of this type can be extra difficult deal with because antivirus products usually don’t have the capability to inspect firmware. Even if they did, it would be extremely challenging to detect and remediate threats at this level. This type of fileless malware requires high levels of sophistication and often depends on particular hardware or software configuration. It’s not an attack vector that can be exploited easily and reliably. While dangerous, threats of this type are uncommon and not practical for most attacks.
 ## Type II: Indirect file activity
-There are other ways that malware can achieve fileless presence on a machine without requiring significant engineering effort. Fileless malware of this type doesn't directly write files on the file system, but they can end up using files indirectly. This is the case for [Poshspy backdoor](https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html). Attackers installed a malicious PowerShell command within the WMI repository and configured a WMI filter to run such command periodically.
+There are other ways that malware can achieve fileless presence on a machine without requiring significant engineering effort. Fileless malware of this type doesn't directly write files on the file system, but they can end up using files indirectly. For example, with the [Poshspy backdoor](https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html) attackers installed a malicious PowerShell command within the WMI repository and configured a WMI filter to run the command periodically.
-It’s possible to carry out such installation via command line without requiring the presence of the backdoor to be on a file in the first place. The malware can thus be installed and theoretically run without ever touching the file system. However, the WMI repository is stored on a physical file that is a central storage area managed by the CIM Object Manager and usually contains legitimate data. Therefore, while the infection chain does technically use a physical file, for practical purposes it’s considered a fileless attack given that the WMI repository is a multi-purpose data container that cannot be simply detected and removed.
+It’s possible to carry out such installation via command line without requiring a backdoor to already be on the file. The malware can be installed and theoretically run without ever touching the file system. However, the WMI repository is stored on a physical file in a central storage area managed by the CIM Object Manager, and usually contains legitimate data. Even though the infection chain does technically use a physical file, it’s considered a fileless attack because the WMI repository is a multi-purpose data container that can't be detected and removed.
 ## Type III: Files required to operate
-Some malware can have some sort of fileless persistence but not without using files to operate. An example for this scenario is Kovter, which creates a shell open verb handler in the registry for a random file extension. This action means that opening a file with such extension will lead to the execution of a script through the legitimate tool mshta.exe.
+Some malware can have a sort of fileless persistence, but not without using files to operate. An example for this scenario is Kovter, which creates a shell open verb handler in the registry for a random file extension. Opening a file with such extension will lead to the execution of a script through the legitimate tool mshta.exe.
 ![Image of Kovter's registry key](images/kovter-reg-key.png)
                        *Figure 2. Kovter’s registry key* -When the open verb is invoked, the associated command from the registry is launched, which results in the execution of a small script. This script reads data from a further registry key and executes it, in turn leading to the loading of the final payload. However, to trigger the open verb in the first place, Kovter has to drop a file with the same extension targeted by the verb (in the example above, the extension is .bbf5590fd). It also has to set an auto-run key configured to open such file when the machine starts. +When the open verb is invoked, the associated command from the registry is launched, which results in the execution of a small script. This script reads data from a further registry key and executes it, in turn leading to the loading of the final payload. However, to trigger the open verb in the first place, Kovter has to drop a file with the same extension targeted by the verb (in the example above, the extension is .bbf5590fd). It also has to set an autorun key configured to open such file when the machine starts. -Kovter is considered a fileless threat because the file system is of no practical use: the files with random extension contain junk data that is not usable in verifying the presence of the threat, and the files that store the registry are containers that cannot be detected and deleted if malicious content is present. +Kovter is considered a fileless threat because the file system is of no practical use. The files with random extensions contain junk data that isn't usable in verifying the presence of the threat. The files that store the registry are containers that can't be detected and deleted if malicious content is present. ## Categorizing fileless threats by infection host -Having described the broad categories, we can now dig into the details and provide a breakdown of the infection hosts. 
This comprehensive classification covers the panorama of what is usually referred to as fileless malware. It drives our efforts to research and develop new protection features that neutralize classes of attacks and ensure malware does not get the upper hand in the arms race.
+Having described the broad categories, we can now dig into the details and provide a breakdown of the infection hosts. This comprehensive classification covers the panorama of what is usually referred to as fileless malware. It drives our efforts to research and develop new protection features that neutralize classes of attacks and ensure malware doesn't get the upper hand in the arms race.
 ### Exploits
@@ -76,26 +76,28 @@ Having described the broad categories, we can now dig into the details and provi
 **Device-based** (Type I: network card, hard disk): Devices like hard disks and network cards require chipsets and dedicated software to function. Software residing and running in the chipset of a device is called firmware. Although a complex task, the firmware can be infected by malware, as the [Equation espionage group has been caught doing](https://www.kaspersky.com/blog/equation-hdd-malware/7623/).
-**CPU-based** (Type I): Modern CPUs are extremely complex and may include subsystems running firmware for management purposes. Such firmware may be vulnerable to hijacking and allow the execution of malicious code that would hence operate from within the CPU. In December 2017, two researchers reported a vulnerability that can allow attackers to execute code inside the [Management Engine (ME)](https://en.wikipedia.org/wiki/Intel_Management_Engine) present in any modern CPU from Intel. Meanwhile, the attacker group PLATINUM has been observed to have the capability to use Intel's [Active Management Technology (AMT)](https://en.wikipedia.org/wiki/Intel_Active_Management_Technology) to perform [invisible network communications](https://cloudblogs.microsoft.com/microsoftsecure/2017/06/07/platinum-continues-to-evolve-find-ways-to-maintain-invisibility/) bypassing the installed operating system. ME and AMT are essentially autonomous micro-computers that live inside the CPU and that operate at a very low level. Because these technologies’ purpose is to provide remote manageability, they have direct access to hardware, are independent of the operating system, and can run even if the computer is turned off. Besides being vulnerable at the firmware level, CPUs could be manufactured with backdoors inserted directly in the hardware circuitry. 
This attack has been [researched and proved possible](https://www.emsec.rub.de/media/crypto/veroeffentlichungen/2015/03/19/beckerStealthyExtended.pdf) in the past. Just recently it has been reported that certain models of x86 processors contain a secondary embedded RISC-like CPU core that can [effectively provide a backdoor](https://www.theregister.co.uk/2018/08/10/via_c3_x86_processor_backdoor/) through which regular applications can gain privileged execution.
+**CPU-based** (Type I): Modern CPUs are complex and may include subsystems running firmware for management purposes. Such firmware may be vulnerable to hijacking and allow the execution of malicious code that would operate from within the CPU. In December 2017, two researchers reported a vulnerability that can allow attackers to execute code inside the [Management Engine (ME)](https://en.wikipedia.org/wiki/Intel_Management_Engine) present in any modern CPU from Intel. Meanwhile, the attacker group PLATINUM has been observed to have the capability to use Intel's [Active Management Technology (AMT)](https://en.wikipedia.org/wiki/Intel_Active_Management_Technology) to perform [invisible network communications](https://cloudblogs.microsoft.com/microsoftsecure/2017/06/07/platinum-continues-to-evolve-find-ways-to-maintain-invisibility/), bypassing the installed operating system. ME and AMT are essentially autonomous micro-computers that live inside the CPU and that operate at a very low level. Because these technologies’ purpose is to provide remote manageability, they have direct access to hardware, are independent of the operating system, and can run even if the computer is turned off.
-**USB-based** (Type I): USB devices of all kinds can be reprogrammed with malicious firmware capable of interacting with the operating system in nefarious ways. 
This is the case of the [BadUSB technique](https://arstechnica.com/information-technology/2014/07/this-thumbdrive-hacks-computers-badusb-exploit-makes-devices-turn-evil/), demonstrated few years ago, which allows a reprogrammed USB stick to act as a keyboard that sends commands to machines via keystrokes, or as a network card that can redirect traffic at will.
+Besides being vulnerable at the firmware level, CPUs could be manufactured with backdoors inserted directly in the hardware circuitry. This attack has been [researched and proved possible](https://www.emsec.rub.de/media/crypto/veroeffentlichungen/2015/03/19/beckerStealthyExtended.pdf) in the past. It has been reported that certain models of x86 processors contain a secondary embedded RISC-like CPU core that can [effectively provide a backdoor](https://www.theregister.co.uk/2018/08/10/via_c3_x86_processor_backdoor/) through which regular applications can gain privileged execution.
-**BIOS-based** (Type I): A BIOS is a firmware running inside a chipset. It executes when a machine is powered on, initializes the hardware, and then transfers control to the boot sector. It’s a very important component that operates at a very low level and executes before the boot sector. It’s possible to reprogram the BIOS firmware with malicious code, as has happened in the past with the [Mebromi rootkit](https://www.webroot.com/blog/2011/09/13/mebromi-the-first-bios-rootkit-in-the-wild/).
+**USB-based** (Type I): USB devices of all kinds can be reprogrammed with malicious firmware capable of interacting with the operating system in nefarious ways. For example, the [BadUSB technique](https://arstechnica.com/information-technology/2014/07/this-thumbdrive-hacks-computers-badusb-exploit-makes-devices-turn-evil/) allows a reprogrammed USB stick to act as a keyboard that sends commands to machines via keystrokes, or as a network card that can redirect traffic at will.
-**Hypervisor-based** (Type I): Modern CPUs provide hardware hypervisor support, allowing the operating system to create robust virtual machines. A virtual machine runs in a confined, simulated environment, and is in theory unaware of the emulation. A malware taking over a machine may implement a small hypervisor to hide itself outside of the realm of the running operating system. Malware of this kind has been theorized in the past, and eventually real hypervisor rootkits [have been observed](http://seclists.org/fulldisclosure/2017/Jun/29), although very few are known to date.
+**BIOS-based** (Type I): A BIOS is a firmware running inside a chipset. It executes when a machine is powered on, initializes the hardware, and then transfers control to the boot sector. The BIOS is an important component that operates at a low level and executes before the boot sector. It’s possible to reprogram the BIOS firmware with malicious code, as has happened in the past with the [Mebromi rootkit](https://www.webroot.com/blog/2011/09/13/mebromi-the-first-bios-rootkit-in-the-wild/).
+
+**Hypervisor-based** (Type I): Modern CPUs provide hardware hypervisor support, allowing the operating system to create robust virtual machines. A virtual machine runs in a confined, simulated environment, and is in theory unaware of the emulation. A malware taking over a machine may implement a small hypervisor to hide itself outside of the realm of the running operating system. Malware of this kind has been theorized in the past, and eventually real hypervisor rootkits [have been observed](http://seclists.org/fulldisclosure/2017/Jun/29), although few are known to date.
 ### Execution and injection
-**File-based** (Type III: executables, DLLs, LNK files, scheduled tasks): This is the standard execution vector. A simple executable can be launched as a first-stage malware to run an additional payload in memory or inject it into other legitimate running processes.
+**File-based** (Type III: executables, DLLs, LNK files, scheduled tasks): This is the standard execution vector. A simple executable can be launched as a first-stage malware to run an additional payload in memory, or injected into other legitimate running processes.
-**Macro-based** (Type III: Office documents): The [VBA language](https://msdn.microsoft.com/vba/office-shared-vba/articles/getting-started-with-vba-in-office) is a flexible and powerful tool designed to automate editing tasks and add dynamic functionality to documents. As such, it can be abused by attackers to carry out malicious operations like decoding, running, or injecting an executable payload, or even implementing an entire ransomware, like in [the case of qkG](https://blog.trendmicro.com/trendlabs-security-intelligence/qkg-filecoder-self-replicating-document-encrypting-ransomware/). Macros are executed within the context of an Office process (e.g., Winword.exe), and they’re implemented in a scripting language, so there is no binary executable that an antivirus can inspect. While Office apps require explicit consent from the user to execute macros from a document, attackers use social engineering techniques to trick users into allowing macros to execute.
+**Macro-based** (Type III: Office documents): The [VBA language](https://msdn.microsoft.com/vba/office-shared-vba/articles/getting-started-with-vba-in-office) is a flexible and powerful tool designed to automate editing tasks and add dynamic functionality to documents. As such, it can be abused by attackers to carry out malicious operations like decoding, running, or injecting an executable payload, or even implementing an entire ransomware, like in [the case of qkG](https://blog.trendmicro.com/trendlabs-security-intelligence/qkg-filecoder-self-replicating-document-encrypting-ransomware/). Macros are executed within the context of an Office process (e.g., Winword.exe) and implemented in a scripting language. 
There's no binary executable that an antivirus can inspect. While Office apps require explicit consent from the user to execute macros from a document, attackers use social engineering techniques to trick users into allowing macros to execute.
-**Script-based** (Type II: file, service, registry, WMI repo, shell): The JavaScript, VBScript, and PowerShell scripting languages are available by default on Windows platforms. Scripts have the same advantages as macros: they are textual files (not binary executables) and run within the context of the interpreter (e.g., wscript.exe, powershell.exe, etc.), which is a clean and legitimate component. Scripts are very versatile; they can be run from a file (e.g., by double-clicking them) or, in some cases, executed directly on the command line of an interpreter. Being able to run on the command line can allow malware to encode malicious command-line scripts as auto-start services inside [autorun registry keys](https://www.gdatasoftware.com/blog/2014/07/23947-poweliks-the-persistent-malware-without-a-file) as [WMI event subscriptions](https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html) from the WMI repo. Furthermore, an attacker who has gained access to an infected machine may input the script on the command prompt.
+**Script-based** (Type II: file, service, registry, WMI repo, shell): The JavaScript, VBScript, and PowerShell scripting languages are available by default on Windows platforms. Scripts have the same advantages as macros, they are textual files (not binary executables) and run within the context of the interpreter (like wscript.exe, powershell.exe), which is a clean and legitimate component. Scripts are versatile and can be run from a file (by double-clicking them) or executed directly on the command line of an interpreter. 
Running on the command line allows malware to encode malicious scripts as autostart services inside [autorun registry keys](https://www.gdatasoftware.com/blog/2014/07/23947-poweliks-the-persistent-malware-without-a-file) as [WMI event subscriptions](https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html) from the WMI repo. Furthermore, an attacker who has gained access to an infected machine may input the script on the command prompt. -**Disk-based** (Type II: Boot Record): The [Boot Record](https://en.wikipedia.org/wiki/Boot_sector) is the first sector of a disk or volume and contains executable code required to start the boot process of the operating system. Threats like [Petya](https://cloudblogs.microsoft.com/microsoftsecure/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/?source=mmpc) are capable of infecting the Boot Record by overwriting it with malicious code, so that when the machine is booted the malware immediately gains control (and in the case of Petya, with disastrous consequences). The Boot Record resides outside the file system, but it’s accessible by the operating system, and modern antivirus products have the capability to scan and restore it. +**Disk-based** (Type II: Boot Record): The Boot Record is the first sector of a disk or volume, and contains executable code required to start the boot process of the operating system. Threats like [Petya](https://cloudblogs.microsoft.com/microsoftsecure/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/?source=mmpc) are capable of infecting the Boot Record by overwriting it with malicious code. When the machine is booted, the malware immediately gains control. The Boot Record resides outside the file system, but it’s accessible by the operating system. Modern antivirus products have the capability to scan and restore it. 
## Defeating fileless malware -At Microsoft, we actively monitor the security landscape to identify new threat trends and develop solutions that continuously enhance Windows security and mitigate classes of threats. We instrument durable protections that are effective against a wide range of threats. Through AntiMalware Scan Interface (AMSI), behavior monitoring, memory scanning, and boot sector protection, Microsoft Defender Advanced Threat Protection [(Microsoft Defender ATP)](https://www.microsoft.com/windowsforbusiness?ocid=docs-fileless) can inspect fileless threats even with heavy obfuscation. Machine learning technologies in the cloud allow us to scale these protections against new and emerging threats. +At Microsoft, we actively monitor the security landscape to identify new threat trends and develop solutions to mitigate classes of threats. We instrument durable protections that are effective against a wide range of threats. Through AntiMalware Scan Interface (AMSI), behavior monitoring, memory scanning, and boot sector protection, Microsoft Defender Advanced Threat Protection [(Microsoft Defender ATP)](https://www.microsoft.com/windowsforbusiness?ocid=docs-fileless) can inspect fileless threats even with heavy obfuscation. Machine learning technologies in the cloud allow us to scale these protections against new and emerging threats. To learn more, read: [Out of sight but not invisible: Defeating fileless malware with behavior monitoring, AMSI, and next-gen AV](https://cloudblogs.microsoft.com/microsoftsecure/2018/09/27/out-of-sight-but-not-invisible-defeating-fileless-malware-with-behavior-monitoring-amsi-and-next-gen-av/) diff --git a/windows/security/threat-protection/intelligence/index.md b/windows/security/threat-protection/intelligence/index.md index a8950a6977..1814307aac 100644 --- a/windows/security/threat-protection/intelligence/index.md +++ b/windows/security/threat-protection/intelligence/index.md 
@@ -1,6 +1,6 @@ --- title: Security intelligence -description: Safety tips about malware and how you can protect your organization +description: Learn about different types of malware, safety tips on how you can protect your organization, and resources for industry collaboration programs. keywords: security, malware ms.prod: w10 ms.mktglfcycl: secure diff --git a/windows/security/threat-protection/intelligence/macro-malware.md b/windows/security/threat-protection/intelligence/macro-malware.md index ec97b244a7..b6f4a2b873 100644 --- a/windows/security/threat-protection/intelligence/macro-malware.md +++ b/windows/security/threat-protection/intelligence/macro-malware.md 
@@ -21,18 +21,18 @@ Macros are a powerful way to automate common tasks in Microsoft Office and can m ## How macro malware works -Macro malware hides in Microsoft Office files and are delivered as email attachments or inside ZIP files. These files use names that are intended to entice or scare people into opening them. They often look like invoices, receipts, legal documents, and more. +Macro malware hides in Microsoft Office files and is delivered as email attachments or inside ZIP files. These files use names that are intended to entice or scare people into opening them. They often look like invoices, receipts, legal documents, and more. -Macro malware was fairly common several years ago because macros ran automatically whenever a document was opened. However, in recent versions of Microsoft Office, macros are disabled by default. This means malware authors need to convince users to turn on macros so that their malware can run. They do this by showing fake warnings when a malicious document is opened. +Macro malware was fairly common several years ago because macros ran automatically whenever a document was opened. In recent versions of Microsoft Office, macros are disabled by default. Now, malware authors need to convince users to turn on macros so that their malware can run. They try to scare users by showing fake warnings when a malicious document is opened. 
We've seen macro malware download threats from the following families: -* [Ransom:MSIL/Swappa](https://www.microsoft.com/wdsi/threats/malware-encyclopedia-description?Name=Ransom:MSIL/Swappa.A) -* [Ransom:Win32/Teerac](Ransom:Win32/Teerac) -* [TrojanDownloader:Win32/Chanitor](https://www.microsoft.com/wdsi/threats/malware-encyclopedia-description?Name=TrojanDownloader:Win32/Chanitor.A) -* [TrojanSpy:Win32/Ursnif](https://www.microsoft.com/wdsi/threats/malware-encyclopedia-description?Name=TrojanSpy:Win32/Ursnif) -* [Win32/Fynloski](https://www.microsoft.com/wdsi/threats/malware-encyclopedia-description?Name=Win32/Fynloski) -* [Worm:Win32/Gamarue](https://www.microsoft.com/wdsi/threats/malware-encyclopedia-description?Name=Win32/Gamarue) +* [Ransom:MSIL/Swappa](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:MSIL/Swappa.A) +* [Ransom:Win32/Teerac](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/Teerac&threatId=-2147277789) +* [TrojanDownloader:Win32/Chanitor](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanDownloader:Win32/Chanitor.A) +* [TrojanSpy:Win32/Ursnif](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanSpy:Win32/Ursnif) +* [Win32/Fynloski](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Win32/Fynloski) +* [Worm:Win32/Gamarue](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Win32/Gamarue) ## How to protect against macro malware diff --git a/windows/security/threat-protection/intelligence/malware-naming.md b/windows/security/threat-protection/intelligence/malware-naming.md index 001d356c59..d920870809 100644 --- a/windows/security/threat-protection/intelligence/malware-naming.md +++ b/windows/security/threat-protection/intelligence/malware-naming.md 
@@ -21,7 +21,7 @@ We name the malware and unwanted software that we detect according to the Comput ![coordinated-malware-eradication](images/NamingMalware1.png) -When our analysts research a particular threat, they will determine what each of the components of the name will be. +When our analysts research a particular threat, they'll determine what each of the components of the name will be. ## Type @@ -61,7 +61,7 @@ Describes what the malware does on your computer. Worms, viruses, trojans, backd ## Platforms -Indicates the operating system (such as Windows, Mac OS X, and Android) that the malware is designed to work on. The platform is also used to indicate programming languages and file formats. +Platforms indicate the operating system (such as Windows, masOS X, and Android) the malware is designed to work on. The platform is also used to indicate programming languages and file formats. ### Operating systems @@ -71,8 +71,8 @@ Indicates the operating system (such as Windows, Mac OS X, and Android) that the * FreeBSD: FreeBSD platform * iPhoneOS: iPhone operating system * Linux: Linux platform -* MacOS: MAC 9.x platform or earlier -* MacOS_X: MacOS X or later +* macOS: MAC 9.x platform or earlier +* macOS_X: MacOS X or later * OS2: OS2 platform * Palm: Palm operating system * Solaris: System V-based Unix platforms @@ -105,11 +105,11 @@ Indicates the operating system (such as Windows, Mac OS X, and Android) that the * INF: Install scripts * IRC: mIRC/pIRC scripts * Java: Java binaries (classes) -* JS: Javascript scripts +* JS: JavaScript scripts * LOGO: LOGO scripts * MPB: MapBasic scripts * MSH: Monad shell scripts -* MSIL: .Net intermediate language scripts +* MSIL: .NET intermediate language scripts * Perl: Perl scripts * PHP: Hypertext Preprocessor scripts * Python: Python scripts 
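Review bot: In the "Operating systems" list, the new entries `macOS: MAC 9.x platform or earlier` and `macOS_X: MacOS X or later` change the platform tokens themselves, not only the prose around them. The left-hand side of each bullet looks like the literal string that appears in a detection name; if so, an analyst matching a detection name against this table will no longer find the token as the product emits it. Keep the identifiers as `MacOS` and `MacOS_X` and apply the branding change only to the descriptions, after confirming the tokens against the detection-name source. The preceding hunk's intro sentence also introduces a typo, `masOS X`, where the removed line had `Mac OS X`.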
@@ -125,7 +125,7 @@ Indicates the operating system (such as Windows, Mac OS X, and Android) that the * A97M: Access 97, 2000, XP, 2003, 2007, and 2010 macros * HE: macro scripting -* O97M: Office 97, 2000, XP, 2003, 2007, and 2010 macros - those that affect Word, Excel, and Powerpoint +* O97M: Office 97, 2000, XP, 2003, 2007, and 2010 macros - those that affect Word, Excel, and PowerPoint * PP97M: PowerPoint 97, 2000, XP, 2003, 2007, and 2010 macros * V5M: Visio5 macros * W1M: Word1Macro diff --git a/windows/security/threat-protection/intelligence/phishing.md b/windows/security/threat-protection/intelligence/phishing.md index 4f5d3c7278..cfc9140745 100644 --- a/windows/security/threat-protection/intelligence/phishing.md +++ b/windows/security/threat-protection/intelligence/phishing.md 
@@ -18,59 +18,90 @@ search.appverid: met150 # Phishing -Phishing attacks attempt to steal sensitive information through emails, websites, text messages, or other forms of electronic communication that often look to be official communication from legitimate companies or individuals. +Phishing attacks attempt to steal sensitive information through emails, websites, text messages, or other forms of electronic communication. They try to look like official communication from legitimate companies or individuals. -The information that phishers (as the cybercriminals behind phishing attacks are called) attempt to steal can be user names and passwords, credit card details, bank account information, or other credentials. Attackers can then use stolen information for malicious purposes, such as hacking, identity theft, or stealing money directly from bank accounts and credit cards. Phishers can also sell the information in cybercriminal underground marketplaces. +Cybercriminals often attempt to steal usernames, passwords, credit card details, bank account information, or other credentials. They use stolen information for malicious purposes, such as hacking, identity theft, or stealing money directly from bank accounts and credit cards. The information can also be sold in cybercriminal underground markets. + +## What to do if you've been a victim of a phishing scam + +If you feel you've been a victim of a phishing attack: + +1. Contact your IT admin if you are on a work computer. +2. Immediately change all passwords associated with the accounts. +3. Report any fraudulent activity to your bank and credit card company. + +### Reporting spam + +- **Outlook.com**: If you receive a suspicious email message that asks for personal information, select the check box next to the message in your Outlook inbox. Select the arrow next to **Junk**, and then select **Phishing**. 
+ +- **Microsoft Office Outlook**: While in the suspicious message, select **Report message** from the ribbon, and then select **Phishing**. + +- **Microsoft**: Create a new, blank email message with the one of the following recipients: + - Junk: junk@office365.microsoft.com + - Phishing: phish@office365.microsoft.com + + Drag and drop the junk or phishing message into the new message. This will save the junk or phishing message as an attachment in the new message. Don't copy and paste the content of the message or forward the message (we need the original message so we can inspect the message headers). For more information, see [Submit spam, non-spam, and phishing scam messages to Microsoft for analysis](https://docs.microsoft.com/office365/SecurityCompliance/submit-spam-non-spam-and-phishing-scam-messages-to-microsoft-for-analysis). + +- **Anti-Phishing Working Group**: phishing-report@us-cert.gov. The group uses reports generated from emails sent to fight phishing scams and hackers. ISPs, security vendors, financial institutions, and law enforcement agencies are involved. + +If you’re on a suspicious website: + +- **Microsoft Edge**: While you’re on a suspicious site, select the **More (…) icon** > **Help and feedback** > **Report Unsafe site**. Follow the instructions on the webpage that displays to report the website. + +- **Internet Explorer**: While you’re on a suspicious site, select the gear icon, point to **Safety**, and then select **Report Unsafe Website**. Follow the instructions on the webpage that displays to report the website. + +>[!NOTE] +>For more information, see [Protect yourself from phishing](https://support.microsoft.com/en-us/help/4033787/windows-protect-yourself-from-phishing). ## How phishing works -Phishing attacks are scams that often use social engineering bait or lure content. 
For example, during tax season, bait content involves tax-filing announcements that attempt to lure you into providing your personal information such as your Social Security number or bank account information. +Phishing attacks are scams that often use social engineering bait or lure content. For example, during tax season bait content can be tax-filing announcements that attempt to lure you into providing personal information such as your SSN or bank account information. -Legitimate-looking communication, usually email, that links to a phishing site is one of the most common methods used in phishing attacks. The phishing site typically mimics sign-in pages that require users to input login credentials and account information. The phishing site then captures the sensitive information as soon as the user provides it, giving attackers access to the information. +Legitimate-looking communication, usually email, that links to a phishing site is one of the most common methods used in phishing attacks. The phishing site typically mimics sign in pages that require users to input credentials and account information. The phishing site then captures the sensitive information as soon as the user provides it, giving attackers access to the information. -Another common phishing technique is the use of emails that direct you to open a malicious attachment, for example a PDF file. The attachment often contains a message asking you to provide login credentials to another site such as email or file sharing websites to open the document. When you access these phishing sites using your login credentials, the attacker now has access to your information and can gain additional personal information about you. +Another common phishing technique is the use of emails that direct you to open a malicious attachment like a PDF file. The attachment often contains a message asking you to sign in to another site, such as email or file sharing websites, to open the document. 
When you access these phishing sites using your sign-in credentials, the attacker now has access to your information and can gain additional personal information about you. ## Phishing trends and techniques ### Invoice phishing -In this scam, the attacker attempts to lure you with an email stating that you have an outstanding invoice from a known vendor or company and provides a link for you to access and pay your invoice. When you access the site, the attacker is poised to steal your personal information and funds. +In this scam, the attacker attempts to lure you with an email stating that you have an outstanding invoice from a known vendor or company. They then provide a link for you to access and pay your invoice. When you access the site, the attacker is poised to steal your personal information and funds. ### Payment/delivery scam -You are asked to provide a credit card or other personal information so that your payment information can be updated with a commonly known vendor or supplier. The update is requested so that you can take delivery of your ordered goods. Generally, you may be familiar with the company and have likely done business with them in the past, but you are not aware of any items you have recently purchased from them. +You're asked to provide a credit card or other personal information so that your payment information can be updated with a commonly known vendor or supplier. The update is requested so that you can take delivery of your ordered goods. Generally, you may be familiar with the company and have likely done business with them in the past. However, you aren't aware of any items you have recently purchased from them. ### Tax-themed phishing scams -A common IRS phishing scams is one in which an urgent email letter is sent indicating that you owe money to the IRS. Often the email threatens legal action if you do not access the site in a timely manner and pay your taxes. 
When you access the site, the attackers can steal your personal credit card or bank information and drain your accounts. +A common IRS phishing scam is receiving an urgent email letter indicating that you owe money to the IRS. Often the email threatens legal action if you don't access the site in a timely manner and pay your taxes. When you access the site, the attackers can steal your personal credit card or bank information and drain your accounts. ### Downloads -Another frequently-used phishing scam is one in which an attacker sends a fraudulent email requesting you to open or download a document, often one requiring you to sign in. +An attacker sends a fraudulent email requesting you to open or download a document, often requiring you to sign in. ### Phishing emails that deliver other threats -Phishing emails can be very effective, and so attackers can using them to distribute [ransomware](ransomware-malware.md) through links or attachments in emails. When run, the ransomware encrypts files and displays a ransom note, which asks you to pay a sum of money to access to your files. +Phishing emails are often very effective, so attackers sometimes use them to distribute [ransomware](ransomware-malware.md) through links or attachments in emails. When run, the ransomware encrypts files and displays a ransom note, which asks you to pay a sum of money to access to your files. -We have also seen phishing emails that have links to [tech support scam](support-scams.md) websites, which use various scare tactics to trick you into calling hotlines and paying for unnecessary "technical support services" that supposedly fix contrived device, platform, or software problems. +We have also seen phishing emails that have links to [tech support scam](support-scams.md) websites. These websites use various scare tactics to trick you into calling hotlines and paying for unnecessary "technical support services" that supposedly fix contrived device, platform, or software problems. 
## Targeted attacks against enterprises ### Spear phishing -Spear phishing is a targeted phishing attack that involves highly customized lure content. To perform spear phishing, attackers will typically do reconnaissance work, surveying social media and other information sources about their intended target. +Spear phishing is a targeted phishing attack that involves highly customized lure content. Attackers will typically do reconnaissance work by surveying social media and other information sources about their intended target. -Spear phishing may involve tricking you into logging into fake sites and divulging credentials. Spear phishing may also be designed to lure you into opening documents by clicking on links that automatically install malware. With this malware in place, attackers can remotely manipulate the infected computer. +Spear phishing may involve tricking you into logging into fake sites and divulging credentials. I may also lure you into opening documents by clicking on links that automatically install malware. With this malware in place, attackers can remotely manipulate the infected computer. -The implanted malware serves as the point of entry for a more sophisticated attack known as an advanced persistent threat (APT). APTs are generally designed to establish control and steal data over extended periods. As part of the attack, attackers often try to deploy more covert hacking tools, move laterally to other computers, compromise or create privileged accounts, and regularly exfiltrate information from compromised networks. +The implanted malware serves as the point of entry for a more sophisticated attack, known as an advanced persistent threat (APT). APTs are designed to establish control and steal data over extended periods. Attackers may try to deploy more covert hacking tools, move laterally to other computers, compromise or create privileged accounts, and regularly exfiltrate information from compromised networks. 
### Whaling -Whaling is a form of phishing in which the attack is directed at high-level or senior executives within specific companies with the direct goal of gaining access to their credentials and/or bank information. The content of the email may be written as a legal subpoena, customer complaint, or other executive issue. This type of attack can also lead to an APT attack within an organization. When the links or attachment are opened, it can assist the attacker in accessing credentials and other personal information, or launch a malware that will lead to an APT. +Whaling is a form of phishing directed at high-level or senior executives within specific companies to gain access to their credentials and/or bank information. The content of the email may be written as a legal subpoena, customer complaint, or other executive issue. This type of attack can also lead to an APT attack within an organization. ### Business email compromise -Business email compromise (BEC) is a sophisticated scam that targets businesses often working with foreign suppliers and businesses that regularly perform wire transfer payments. One of the most common schemes used by BEC attackers involves gaining access to a company’s network through a spear phishing attack, where the attacker creates a domain similar to the company they are targeting or spoofs their email to scam users into releasing personal account information for money transfers. +Business email compromise (BEC) is a sophisticated scam that targets businesses who frequently work with foreign suppliers or do money wire transfers. One of the most common schemes used by BEC attackers involves gaining access to a company’s network through a spear phishing attack. The attacker creates a domain similar to the company they're targeting, or spoofs their email to scam users into releasing personal account information for money transfers. ## How to protect against phishing attacks 
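Review bot: The new "Reporting spam" bullet labelled Anti-Phishing Working Group gives `phishing-report@us-cert.gov`, whereas the section this commit removes further down listed `reportphishing@apwg.org` for the same organisation, so the label and the address's domain no longer match. A wrong address in victim-response guidance means user reports may not reach the intended recipient. Either restore `reportphishing@apwg.org` under the APWG label or relabel the bullet for the organisation that owns the new address, after verifying which one is intended. In the same hunk, `I may also lure you into opening documents` under "Spear phishing" should read `It may also lure you into opening documents`, and `with the one of the following recipients` has a stray `the`.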
@@ -78,35 +109,35 @@ Social engineering attacks are designed to take advantage of a user's possible l ### Awareness -The best protection is awareness and education. Don’t open attachments or click links in unsolicited emails, even if the emails came from a recognized source. If the email is unexpected, be wary about opening the attachment and verify the URL. +The best protection is awareness and education. Don’t open attachments or links in unsolicited emails, even if the emails came from a recognized source. If the email is unexpected, be wary about opening the attachment and verify the URL. -Enterprises should educate and train their employees to be wary of any communication that requests personal or financial information, and instruct them to report the threat to the company’s security operations team immediately. +Enterprises should educate and train their employees to be wary of any communication that requests personal or financial information. They should also instruct employees to report the threat to the company’s security operations team immediately. Here are several telltale signs of a phishing scam: -* The links or URLs provided in emails are **not pointing to the correct location** or are attempting to have you access a third-party site that is not affiliated with the sender of the email. For example, in the image below the URL provided does not match the URL that you will be taken to. +* The links or URLs provided in emails are **not pointing to the correct location** or are pointing to a third-party site not affiliated with the sender of the email. For example, in the image below the URL provided doesn't match the URL that you'll be taken to. ![example of how exploit kits work](./images/URLhover.png) -* There is a **request for personal information** such as social security numbers or bank or financial information. Official communications won't generally request personal information from you in the form of an email. 
+* There's a **request for personal information** such as social security numbers or bank or financial information. Official communications won't generally request personal information from you in the form of an email. -* **Items in the email address will be changed** so that it is similar enough to a legitimate email address but has added numbers or changed letters. +* **Items in the email address will be changed** so that it is similar enough to a legitimate email address, but has added numbers or changed letters. * The message is **unexpected and unsolicited**. If you suddenly receive an email from an entity or a person you rarely deal with, consider this email suspect. -* The message or the attachment asks you to **enable macros, adjust security settings, or install applications**. Normal emails will not ask you to do this. +* The message or the attachment asks you to **enable macros, adjust security settings, or install applications**. Normal emails won't ask you to do this. * The message contains **errors**. Legitimate corporate messages are less likely to have typographic or grammatical errors or contain wrong information. -* The **sender address does not match** the signature on the message itself. For example, an email is purported to be from Mary of Contoso Corp, but the sender address is john@example.com. +* The **sender address doesn't match the signature** on the message itself. For example, an email is purported to be from Mary of Contoso Corp, but the sender address is john@example.com. * There are **multiple recipients** in the “To” field and they appear to be random addresses. Corporate messages are normally sent directly to individual recipients. -* The greeting on the message itself **does not personally address you**. Apart from messages that mistakenly address a different person, those that misuse your name or pull your name directly from your email address tend to be malicious. 
+* The greeting on the message itself **doesn't personally address you**. Apart from messages that mistakenly address a different person, greetings that misuse your name or pull your name directly from your email address tend to be malicious. -* The website looks familiar but there are **inconsistencies or things that are not quite right** such as outdated logos, typos, or ask users to give additional information that is not asked by legitimate sign-in websites. +* The website looks familiar but there are **inconsistencies or things that aren't quite right**. Warning signs include outdated logos, typos, or ask users to give additional information that is not asked by legitimate sign-in websites. -* The page that opens is **not a live page** but rather an image that is designed to look like the site you are familiar with. A pop-up may appear that requests credentials. +* The page that opens is **not a live page**, but rather an image that is designed to look like the site you are familiar with. A pop-up may appear that requests credentials. If in doubt, contact the business by known channels to verify if any suspicious emails are in fact legitimate. 
@@ -114,7 +145,7 @@ For more information, download and read this Microsoft [e-book on preventing soc ### Software solutions for organizations -* [Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/index) and [Windows Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview) offer protection from the increasing threat of targeted attacks using Microsoft's industry leading Hyper-V virtualization technology. If a browsed website is deemed untrusted, the Hyper-V container will isolate that device from the rest of your network thereby preventing access to your enterprise data. +* [Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/index) and [Windows Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview) offer protection from the increasing threat of targeted attacks using Microsoft's industry-leading Hyper-V virtualization technology. If a browsed website is deemed untrusted, the Hyper-V container will isolate that device from the rest of your network thereby preventing access to your enterprise data. * [Microsoft Exchange Online Protection (EOP)](https://products.office.com/exchange/exchange-email-security-spam-protection) offers enterprise-class reliability and protection against spam and malware, while maintaining access to email during and after emergencies. Using various layers of filtering, EOP can provide different controls for spam filtering, such as bulk mail controls and international spam, that will further enhance your protection services. 
@@ -122,19 +153,7 @@ For more information, download and read this Microsoft [e-book on preventing soc
 For more tips and software solutions, see [prevent malware infection](prevent-malware-infection.md).
-## What do I do if I've already been a victim of a phishing scam?
-
-If you feel that you have been a victim of a phishing attack, contact your IT Admin. You should also immediately change all passwords associated with the accounts, and report any fraudulent activity to your bank, credit card company, etc.
-
-### Reporting spam
-
-Submit phishing scam emails to **Microsoft** by sending an email with the scam as an attachment to: phish@office365.microsoft.com. For more information on submitting messages to Microsoft, see [Submit spam, non-spam, and phishing scam messages to Microsoft for analysis](https://docs.microsoft.com/office365/SecurityCompliance/submit-spam-non-spam-and-phishing-scam-messages-to-microsoft-for-analysis).
-
-For Outlook and Outlook on the web users, use the **Report Message Add-in** for Microsoft Outlook. For information about how to install and use this tool, see [Enable the Report Message add-in](https://support.office.com/article/4250c4bc-6102-420b-9e0a-a95064837676).
-
-Send an email with the phishing scam to **The Anti-Phishing Working Group**: reportphishing@apwg.org. The group uses reports generated from emails sent to fight phishing scams and hackers. ISPs, security vendors, financial institutions and law enforcement agencies are involved.
-
-## Where to find more information about phishing attacks
+## More information about phishing attacks
 For information on the latest phishing attacks, techniques, and trends, you can read these entries on the [Microsoft Security blog](https://www.microsoft.com/security/blog/product/windows/):
diff --git a/windows/security/threat-protection/intelligence/ransomware-malware.md b/windows/security/threat-protection/intelligence/ransomware-malware.md
index b91211e7da..2936cf36c4 100644
--- a/windows/security/threat-protection/intelligence/ransomware-malware.md
+++ b/windows/security/threat-protection/intelligence/ransomware-malware.md
@@ -31,7 +31,7 @@ Most ransomware infections start with:
 Once ransomware infects a device, it starts encrypting files, folders, entire hard drive partitions using encryption algorithms like RSA or RC4.
-Ransomware is one of the most lucrative revenue channels for cybercriminals, so malware authors continually improve their malware code to better target enterprise environments. Ransomware-as-a-service is a cybercriminal business model in which malware creators sell their ransomware and other services to cybercriminals, who then operate the ransomware attacks. The business model also defines profit sharing between the malware creators, ransomware operators, and other parties that may be involved. For cybercriminals, ransomware is a big business, at the expense of individuals and businesses.
+Ransomware is one of the most lucrative revenue channels for cybercriminals, so malware authors continually improve their malware code to better target enterprise environments. Ransomware-as-a-service is a cybercriminal business model where malware creators sell their ransomware and other services to cybercriminals, who then operate the ransomware attacks. The business model also defines profit sharing between the malware creators, ransomware operators, and other parties that may be involved. For cybercriminals, ransomware is big business at the expense of individuals and businesses.
 ### Examples
@@ -43,9 +43,9 @@ Sophisticated ransomware like **Spora**, **WannaCrypt** (also known as WannaCry)
 * A Petya variant exploits the same vulnerability, in addition to CVE-2017-0145 (also known as EternalRomance), and uses stolen credentials to move laterally across networks.
-Older ransomware like **Reveton** locks screens instead of encrypting files. They display a full screen image and then disable Task Manager. The files are safe, but they are effectively inaccessible. The image usually contains a message claiming to be from law enforcement that says the computer has been used in illegal cybercriminal activities and fine needs to be paid. Because of this, Reveton is nicknamed "Police Trojan" or "Police ransomware".
+Older ransomware like **Reveton** (nicknamed "Police Trojan" or "Police ransomware") locks screens instead of encrypting files. They display a full screen image and then disable Task Manager. The files are safe, but they're effectively inaccessible. The image usually contains a message claiming to be from law enforcement that says the computer has been used in illegal cybercriminal activities and a fine needs to be paid.
-Ransomware like **Cerber** and **Locky** search for and encrypt specific file types, typically document and media files. When the encryption is complete, the malware leaves a ransom note using text, image, or an HTML file with instructions to pay a ransom to recover files.
+Ransomware like **Cerber** and **Locky** search for and encrypt specific file types, typically document and media files. When the encryption is complete, the malware leaves a ransom note using text, image, or an HTML file with instructions to pay a ransom to recover files.
 **Bad Rabbit** ransomware was discovered attempting to spread across networks using hardcoded usernames and passwords in brute force attacks.
diff --git a/windows/security/threat-protection/intelligence/rootkits-malware.md b/windows/security/threat-protection/intelligence/rootkits-malware.md
index ad80fad7fe..f5ea7e21b2 100644
--- a/windows/security/threat-protection/intelligence/rootkits-malware.md
+++ b/windows/security/threat-protection/intelligence/rootkits-malware.md
@@ -17,15 +17,15 @@ search.appverid: met150
 ---
 # Rootkits
-Malware authors use rootkits to hide malware on your device, allowing malware to persist as long as possible. A successful rootkit can potentially remain in place for years if it is undetected. During this time it will steal information and resources.
+Malware authors use rootkits to hide malware on your device, allowing malware to persist as long as possible. A successful rootkit can potentially remain in place for years if it's undetected. During this time, it will steal information and resources.
 ## How rootkits work
 Rootkits intercept and change standard operating system processes. After a rootkit infects a device, you can’t trust any information that device reports about itself.
-For example, if you were to ask a device to list all of the programs that are running, the rootkit might stealthily remove any programs it doesn’t want you to know about. Rootkits are all about hiding things. They want to hide both themselves and their malicious activity on a device.
+If you were to ask a device to list all of the programs that are running, the rootkit might stealthily remove any programs it doesn’t want you to know about. Rootkits are all about hiding things. They want to hide both themselves and their malicious activity on a device.
-Many modern malware families use rootkits to try and avoid detection and removal, including:
+Many modern malware families use rootkits to try to avoid detection and removal, including:
 * [Alureon](https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32%2fAlureon)
@@ -53,12 +53,12 @@ For more general tips, see [prevent malware infection](prevent-malware-infection
 ### What if I think I have a rootkit on my device?
-Microsoft security software includes a number of technologies designed specifically to remove rootkits. If you think you might have a rootkit on your device and your antimalware software isn’t detecting it, you might need an extra tool that lets you boot to a known trusted environment.
+Microsoft security software includes a number of technologies designed specifically to remove rootkits. If you think you have a rootkit that your antimalware software isn’t detecting, you may need an extra tool that lets you boot to a known trusted environment.
-[Microsoft Defender Offline](https://support.microsoft.com/help/17466/microsoft-defender-offline-help-protect-my-pc) can be launched from Windows Security Center and has the latest anti-malware updates from Microsoft. It’s designed to be used on devices that aren't working correctly due to a possible malware infection.
+[Microsoft Defender Offline](https://support.microsoft.com/help/17466/microsoft-defender-offline-help-protect-my-pc) can be launched from Windows Security Center and has the latest anti-malware updates from Microsoft. It’s designed to be used on devices that aren't working correctly because of a possible malware infection.
 [System Guard](https://cloudblogs.microsoft.com/microsoftsecure/2017/10/23/hardening-the-system-and-maintaining-integrity-with-windows-defender-system-guard/) in Windows 10 protects against rootkits and threats that impact system integrity.
 ### What if I can’t remove a rootkit?
-If the problem persists, we strongly recommend reinstalling the operating system and security software. You should then restore your data from a backup.
+If the problem persists, we strongly recommend reinstalling the operating system and security software. Then restore your data from a backup.
diff --git a/windows/security/threat-protection/intelligence/submission-guide.md b/windows/security/threat-protection/intelligence/submission-guide.md
index 7b4028fb4a..7e771ce477 100644
--- a/windows/security/threat-protection/intelligence/submission-guide.md
+++ b/windows/security/threat-protection/intelligence/submission-guide.md
@@ -26,7 +26,7 @@ You can send us files that you think might be malware or files that have been in
 We receive a large number of samples from many sources. Our analysis is prioritized by the number of file detections and the type of submission. You can help us complete a quick analysis by providing detailed information about the product you were using and what you were doing when you found the file.
-If you sign in before you submit a sample, you will be able to track your submissions.
+After you sign in, you will be able to track your submissions.
 ## Can I send a sample by email?
@@ -34,9 +34,7 @@ No, we only accept submissions through our [sample submission portal](https://ww
 ## Can I submit a sample without signing in?
-Yes, you many submit a file as an anonymous home customer. You will get a link to a webpage where you can view the status of the submission.
-
-If you're an enterprise customer, you need to sign in so that we can prioritize your submission appropriately. If you are currently experiencing a virus outbreak or security-related incident, you should contact your designated Microsoft support professional or go to [Microsoft Support](https://support.microsoft.com/) for immediate assistance.
+No. If you're an enterprise customer, you need to sign in so that we can prioritize your submission appropriately. If you are currently experiencing a virus outbreak or security-related incident, you should contact your designated Microsoft support professional or go to [Microsoft Support](https://support.microsoft.com/) for immediate assistance.
 ## What is the Software Assurance ID (SAID)?
@@ -52,9 +50,7 @@ We encourage all software vendors and developers to read about [how Microsoft id
 ## How do I track or view past sample submissions?
-You can track your submissions through the [submission history page](https://www.microsoft.com/wdsi/submissionhistory). Your submission will only appear on this page if you were signed in when you submitted it.
-
-If you’re not signed in when you submit a sample, you will be redirected to a tracking page. Bookmark this page if you want to come back and check on the status of your submission.
+You can track your submissions through the [submission history page](https://www.microsoft.com/wdsi/submissionhistory).
 ## What does the submission status mean?
@@ -66,7 +62,7 @@ Each submission is shown to be in one of the following status types:
 * Closed—a final determination has been given by an analyst
-If you are signed in, you can see the status of any files you submit to us on the [submission history page](https://www.microsoft.com/wdsi/submissionhistory).
+You can see the status of any files you submit to us on the [submission history page](https://www.microsoft.com/wdsi/submissionhistory).
 ## How does Microsoft prioritize submissions
diff --git a/windows/security/threat-protection/intelligence/support-scams.md b/windows/security/threat-protection/intelligence/support-scams.md
index 8544b43d61..5ecbd9a101 100644
--- a/windows/security/threat-protection/intelligence/support-scams.md
+++ b/windows/security/threat-protection/intelligence/support-scams.md
@@ -63,6 +63,6 @@ It is also important to keep the following in mind:
 Help Microsoft stop scammers, whether they claim to be from Microsoft or from another tech company, by reporting tech support scams:
-www.microsoft.com/reportascam
+www.microsoft.com/reportascam
 You can also report any **unsafe website** that you suspect is a phishing website or contains malicious content directly to Microsoft by filling out a [Report an unsafe site form](https://www.microsoft.com/wdsi/support/report-unsafe-site) or using built in web browser functionality.
diff --git a/windows/security/threat-protection/mbsa-removal-and-guidance.md b/windows/security/threat-protection/mbsa-removal-and-guidance.md
index 771169d40b..59f32f84e6 100644
--- a/windows/security/threat-protection/mbsa-removal-and-guidance.md
+++ b/windows/security/threat-protection/mbsa-removal-and-guidance.md
@@ -17,6 +17,9 @@ manager: dansimp Microsoft Baseline Security Analyzer (MBSA) is used to verify patch compliance. MBSA also performed several other security checks for Windows, IIS, and SQL Server. Unfortunately, the logic behind these additional checks had not been actively maintained since Windows XP and Windows Server 2003. Changes in the products since then rendered many of these security checks obsolete and some of their recommendations counterproductive. MBSA was largely used in situations where neither Microsoft Update nor a local WSUS or Configuration Manager server was available, or as a compliance tool to ensure that all security updates were deployed to a managed environment. While MBSA version 2.3 introduced support for Windows Server 2012 R2 and Windows 8.1, it has since been deprecated and no longer developed. MBSA 2.3 is not updated to fully support Windows 10 and Windows Server 2016. + +> [!NOTE] +> In accordance with our [SHA-1 deprecation initiative](https://aka.ms/sha1deprecation), the Wsusscn2.cab file is no longer dual-signed using both SHA-1 and the SHA-2 suite of hash algorithms (specifically SHA-256). This file is now signed using only SHA-256. Administrators who verify digital signatures on this file should now expect only single SHA-256 signatures. Starting with the August 2020 Wsusscn2.cab file, MBSA will return the following error "The catalog file is damaged or an invalid catalog." when attempting to scan using the offline scan file. ## The Solution A script can help you with an alternative to MBSA’s patch-compliance checking: diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/antivirus-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-antivirus/antivirus-false-positives-negatives.md index e9fd6a400e..1bf808c9ae 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/antivirus-false-positives-negatives.md 
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/antivirus-false-positives-negatives.md
@@ -3,7 +3,6 @@ title: What to do with false positives/negatives in Microsoft Defender Antivirus
 description: Did Microsoft Defender Antivirus miss or wrongly detect something? Find out what you can do.
 keywords: Microsoft Defender Antivirus, false positives, false negatives, exclusions
 search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
@@ -21,6 +20,9 @@ ms.topic: article
 # What to do with false positives/negatives in Microsoft Defender Antivirus
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
 **Applies to:**
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data-update-compliance.md b/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data-update-compliance.md
index 691027c34e..c313f7f7cf 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data-update-compliance.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data-update-compliance.md
@@ -3,7 +3,6 @@ title: Collect diagnostic data for Update Compliance and Windows Defender Micros
 description: Use a tool to collect data to troubleshoot Update Compliance issues when using the Microsoft Defender Antivirus Assessment add in
 keywords: troubleshoot, error, fix, update compliance, oms, monitor, report, Microsoft Defender AV
 search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
@@ -19,6 +18,9 @@ manager: dansimp
 # Collect Update Compliance diagnostic data for Microsoft Defender AV Assessment
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
 **Applies to:**
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data.md b/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data.md
index 876f707fc7..ca821701f2 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data.md
@@ -3,7 +3,6 @@ title: Collect diagnostic data of Microsoft Defender Antivirus
 description: Use a tool to collect data to troubleshoot Microsoft Defender Antivirus
 keywords: troubleshoot, error, fix, update compliance, oms, monitor, report, Microsoft Defender av
 search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
@@ -19,6 +18,9 @@ manager: dansimp
 # Collect Microsoft Defender AV diagnostic data
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
 **Applies to:**
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus.md
index 0286462e81..3038c3095f 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus.md
@@ -3,21 +3,23 @@ title: Use the command line to manage Microsoft Defender Antivirus
 description: Run Microsoft Defender Antivirus scans and configure next-generation protection with a dedicated command-line utility.
 keywords: run windows defender scan, run antivirus scan from command line, run windows defender scan from command line, mpcmdrun, defender
 search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
-ms.pagetype: security
 ms.localizationpriority: medium
 author: denisebmsft
 ms.author: deniseb
 ms.custom: nextgen
 ms.reviewer: ksarens
 manager: dansimp
+ms.date: 08/17/2020
 ---
 # Configure and manage Microsoft Defender Antivirus with the mpcmdrun.exe command-line tool
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
 **Applies to:**
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
@@ -31,11 +33,12 @@ You can perform various Microsoft Defender Antivirus functions with the dedicate
 The utility has the following commands:
-```DOS
+```console
 MpCmdRun.exe [command] [-options]
 ```
 Here's an example:
-```
+
+```console
 MpCmdRun.exe -Scan -ScanType 2
 ```
@@ -55,6 +58,22 @@ MpCmdRun.exe -Scan -ScanType 2 | `-ListAllDynamicSignatures` | Lists the loaded dynamic Security intelligence | | `-RemoveDynamicSignature [-SignatureSetID]` | Removes dynamic Security intelligence | | `-CheckExclusion -path ` | Checks whether a path is excluded | +| `-ValidateMapsConnection` | Verifies that your network can communicate with the Microsoft Defender Antivirus cloud service. This command will only work on Windows 10, version 1703 or higher.| + + +## Common errors in running commands via mpcmdrun.exe + +|Error message | Possible reason +|:----|:----| +| `ValidateMapsConnection failed (800106BA) or 0x800106BA` | The Microsoft Defender Antivirus service is disabled. Enable the service and try again.
                        **Note:** In Windows 10 1909 or older, and Windows Server 2019 or older, the service used to be called "Windows Defender Antivirus" service.| +| `0x80070667` | You're running the `-ValidateMapsConnection` command from a computer that is Windows 10 version 1607 or older, or Windows Server 2016 or older. Run the command from a machine that is Windows 10 version 1703 or newer, or Windows Server 2019 or newer.| +| `'MpCmdRun' is not recognized as an internal or external command, operable program or batch file.` | The tool needs to be run from either: `%ProgramFiles%\Windows Defender` or `C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.4-0` (where `2008.4-0` might differ since platform updates are monthly except for December)| +| `ValidateMapsConnection failed to establish a connection to MAPS (hr=80070005 httpcode=450)` | Not enough privileges. Use the command prompt (cmd.exe) as an administrator.| +| `ValidateMapsConnection failed to establish a connection to MAPS (hr=80070006 httpcode=451)` | The firewall is blocking the connection or conducting SSL inspection. | +| `ValidateMapsConnection failed to establish a connection to MAPS (hr=80004005 httpcode=450)` | Possible network-related issues, like name resolution problems| +| `ValidateMapsConnection failed to establish a connection to MAPS (hr=0x80508015` | The firewall is blocking the connection or conducting SSL inspection. | +| `ValidateMapsConnection failed to establish a connection to MAPS (hr=800722F0D` | The firewall is blocking the connection or conducting SSL inspection. | +| `ValidateMapsConnection failed to establish a connection to MAPS (hr=80072EE7 httpcode=451)` | The firewall is blocking the connection or conducting SSL inspection. | ## Related topics 
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/common-exclusion-mistakes-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/common-exclusion-mistakes-microsoft-defender-antivirus.md index 7be3761332..58cd36777d 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/common-exclusion-mistakes-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/common-exclusion-mistakes-microsoft-defender-antivirus.md @@ -3,7 +3,6 @@ title: Common mistakes to avoid when defining exclusions description: Avoid common mistakes when defining exclusions for Microsoft Defender Antivirus scans. keywords: exclusions, files, extension, file type, folder name, file name, scans search.product: eADQiWindows 10XVcnh -ms.pagetype: security ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library @@ -17,6 +16,9 @@ manager: dansimp --- # Common mistakes to avoid when defining exclusions + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + You can define an exclusion list for items that you don't want Microsoft Defender Antivirus to scan. Such excluded items could contain threats that make your device vulnerable. This topic describes some common mistake that you should avoid when defining exclusions. diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configuration-management-reference-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configuration-management-reference-microsoft-defender-antivirus.md index 9ca273c668..093c6632fb 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configuration-management-reference-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configuration-management-reference-microsoft-defender-antivirus.md 
@@ -3,7 +3,6 @@ title: Manage Windows Defender in your business
 description: Learn how to use Group Policy, Configuration Manager, PowerShell, WMI, Intune, and the command line to manage Microsoft Defender AV
 keywords: group policy, gpo, config manager, sccm, scep, powershell, wmi, intune, defender, antivirus, antimalware, security, protection
 search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
@@ -19,6 +18,9 @@ manager: dansimp
 # Manage Microsoft Defender Antivirus in your business
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
 **Applies to:**
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus.md
index 3464a06430..93b12016f3 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus.md
@@ -7,7 +7,6 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
-ms.pagetype: security
 ms.localizationpriority: medium
 author: denisebmsft
 ms.author: deniseb
@@ -19,17 +18,18 @@ manager: dansimp
 # Configure Microsoft Defender Antivirus scanning options
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
 **Applies to:**
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-**Use Microsoft Intune to configure scanning options**
+## Use Microsoft Intune to configure scanning options
 See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure) and [Microsoft Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#microsoft-defender-antivirus) for more details.
-
-
-## Use Microsoft Endpoint Configuration Manager to configure scanning options:
+## Use Microsoft Endpoint Configuration Manager to configure scanning options
 See [How to create and deploy antimalware policies: Scan settings](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#scan-settings) for details on configuring Microsoft Endpoint Configuration Manager (current branch).
@@ -70,6 +70,8 @@ See [Manage Microsoft Defender Antivirus with PowerShell cmdlets](use-powershell
 For using WMI classes, see [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx).
+
+
 ## Email scanning limitations
 Email scanning enables scanning of email files used by Outlook and other mail clients during on-demand and scheduled scans. Embedded objects within an email file (such as attachments and archived files) are also scanned. The following file format types can be scanned and remediated:
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md
index 5fb8feab26..a71f13399e 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md
@@ -1,26 +1,28 @@
 ---
 title: Enable Block at First Sight to detect malware in seconds
-description: Enable the Block at First sight feature to detect and block malware within seconds, and validate that it is configured correctly.
+description: Turn on the block at first sight feature to detect and block malware within seconds, and validate that it is configured correctly.
 keywords: scan, BAFS, malware, first seen, first sight, cloud, defender
 search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
+ms.localizationpriority: high
 author: denisebmsft
 ms.author: deniseb
 ms.reviewer:
 manager: dansimp
 ms.custom: nextgen
+ms.date: 08/26/2020
 ---
-# Enable block at first sight
+# Turn on block at first sight
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
 **Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- Microsoft Defender Antivirus
 Block at first sight provides a way to detect and block new malware within seconds. This protection is enabled by default when certain prerequisite settings are also enabled. In most cases, these prerequisite settings are also enabled by default, so the feature is running without any intervention.
@@ -31,12 +33,12 @@ You can [specify how long the file should be prevented from running](configure-c ## How it works -When Microsoft Defender Antivirus encounters a suspicious but undetected file, it queries our cloud protection backend. The cloud backend applies heuristics, machine learning, and automated analysis of the file to determine whether the files are malicious or clean. +When Microsoft Defender Antivirus encounters a suspicious but undetected file, it queries our cloud protection backend. The cloud backend applies heuristics, machine learning, and automated analysis of the file to determine whether the files are malicious or not a threat. -Microsoft Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, real-time, and intelligent protection. [Get to know the advanced technologies at the core of Microsoft Defender ATP next generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/). +Microsoft Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, intelligent, and real-time protection. To learn more, see this blog: [Get to know the advanced technologies at the core of Microsoft Defender ATP next-generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/). ![List of Microsoft Defender AV engines](images/microsoft-defender-atp-next-generation-protection-engines.png) -In Windows 10, version 1803, block at first sight can now block non-portable executable files (such as JS, VBS, or macros) as well as executable files. +In Windows 10, version 1803 or later, block at first sight can block non-portable executable files (such as JS, VBS, or macros) as well as executable files. 
Block at first sight only uses the cloud protection backend for executable files and non-portable executable files that are downloaded from the Internet, or that originate from the Internet zone. A hash value of the .exe file is checked via the cloud backend to determine if this is a previously undetected file. @@ -44,11 +46,11 @@ If the cloud backend is unable to make a determination, Microsoft Defender Antiv In many cases, this process can reduce the response time for new malware from hours to seconds. -## Confirm and validate that block at first sight is enabled +## Confirm and validate that block at first sight is turned on Block at first sight requires a number of settings to be configured correctly or it will not work. These settings are enabled by default in most enterprise Microsoft Defender Antivirus deployments. -### Confirm block at first sight is enabled with Intune +### Confirm block at first sight is turned on with Intune 1. In Intune, navigate to **Device configuration - Profiles** > *Profile name* > **Device restrictions** > **Microsoft Defender Antivirus**. @@ -71,7 +73,7 @@ For more information about configuring Microsoft Defender Antivirus device restr For a list of Microsoft Defender Antivirus device restrictions in Intune, see [Device restriction for Windows 10 (and newer) settings in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#microsoft-defender-antivirus). -### Enable block at first sight with Microsoft Endpoint Configuration Manager +### Turn on block at first sight with Microsoft Endpoint Configuration Manager 1. In Microsoft Endpoint Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **AntiMalware Policies**. 
@@ -88,13 +90,12 @@ For a list of Microsoft Defender Antivirus device restrictions in Intune, see [D 5. Click **Advanced**, set **Enable real-time protection** to **Yes**, and set **Scan system files** to **Scan incoming and outgoing files**. ![Enable Advanced settings](images/defender/sccm-advanced-settings.png) -6. Click **Cloud Protection Service**, set **Cloud Protection Service membership type** to **Advanced membership**, set **Level for blocking malicious files** to **High**, and set **Allow extended cloud check to block and scan suspicious files for up to (seconds)** to **50** seconds. +6. Click **Cloud Protection Service**, set **Cloud Protection Service membership type** to **Advanced membership**, set **Level for blocking suspicious files** to **High**, and set **Allow extended cloud check to block and scan suspicious files for up to (seconds)** to **50** seconds. ![Enable Cloud Protection Service](images/defender/sccm-cloud-protection-service.png) 7. Click **OK** to create the policy. - -### Confirm block at first sight is enabled with Group Policy +### Confirm block at first sight is turned on with Group Policy 1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. 
@@ -102,9 +103,9 @@ For a list of Microsoft Defender Antivirus device restrictions in Intune, see [D 3. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **MAPS**, configure the following Group Policies, and then click **OK**: - - Double-click **Join Microsoft MAPS** and ensure the option is set to **Enabled**. Click **OK**. + 1. Double-click **Join Microsoft MAPS** and ensure the option is set to **Enabled**. Click **OK**. - - Double-click **Send file samples when further analysis is required** and ensure the option is set to **Enabled** and the additional options are either **Send safe samples (1)** or **Send all samples (3)**. + 2. Double-click **Send file samples when further analysis is required** and ensure the option is set to **Enabled** and the additional options are either **Send safe samples (1)** or **Send all samples (3)**. > [!WARNING] > Setting to **Always prompt (0)** will lower the protection state of the device. Setting to **Never send (2)** means block at first sight will not function. 
@@ -115,24 +116,32 @@ For a list of Microsoft Defender Antivirus device restrictions in Intune, see [D 2. Double-click **Turn off real-time protection** and ensure the option is set to **Disabled**, and then click **OK**. -If you had to change any of the settings, you should re-deploy the Group Policy Object across your network to ensure all endpoints are covered. +5. In the **Group Policy Management Editor**, expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **MpEngine**: -### Confirm block at first sight is enabled with Registry editor + 1. Double-click **Select cloud protection level** and ensure the option is set to **Enabled**. + + 2. Ensure that **Select cloud blocking level** section on the same page is set to **High blocking level**, and then click **OK**. + +If you had to change any of the settings, you should redeploy the Group Policy Object across your network to ensure all endpoints are covered. + +### Confirm block at first sight is turned on with Registry editor 1. Start Registry Editor. -2. Go to **HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet**, and make sure that +2. Go to `HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet`, and make sure that 1. **SpynetReporting** key is set to **1** 2. **SubmitSamplesConsent** key is set to either **1** (Send safe samples) or **3** (Send all samples) -3. Go to **HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection**, and make sure that +3. Go to `HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection`, and make sure that 1. **DisableIOAVProtection** key is set to **0** 2. **DisableRealtimeMonitoring** key is set to **0** - + +4. 
Go to `HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\MpEngine`, and make sure that the **MpCloudBlockLevel** key is set to **2** + ### Confirm Block at First Sight is enabled on individual clients You can confirm that block at first sight is enabled on individual clients using Windows security settings. @@ -154,14 +163,14 @@ Block at first sight is automatically enabled as long as **Cloud-delivered prote You can validate that the feature is working by following the steps outlined in [Validate connections between your network and the cloud](configure-network-connections-microsoft-defender-antivirus.md#validate-connections-between-your-network-and-the-cloud). -## Disable block at first sight +## Turn off block at first sight > [!WARNING] -> Disabling block at first sight will lower the protection state of the endpoint and your network. +> Turning off block at first sight will lower the protection state of the endpoint and your network. You may choose to disable block at first sight if you want to retain the prerequisite settings without using block at first sight protection. You might wish to do this if you are experiencing latency issues or you want to test the feature's impact on your network. -### Disable block at first sight with Group Policy +### Turn off block at first sight with Group Policy 1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure, and then click **Edit**. 
@@ -172,9 +181,10 @@ You may choose to disable block at first sight if you want to retain the prerequ 4. Double-click **Configure the 'Block at First Sight' feature** and set the option to **Disabled**. > [!NOTE] - > Disabling block at first sight will not disable or alter the prerequisite group policies. + > Disabling block at first sight does not disable or alter the prerequisite group policies. -## Related topics +## See also - [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md) + - [Enable cloud-delivered protection](enable-cloud-protection-microsoft-defender-antivirus.md) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-cloud-block-timeout-period-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-cloud-block-timeout-period-microsoft-defender-antivirus.md index 7840be58fc..4be673460a 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-cloud-block-timeout-period-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-cloud-block-timeout-period-microsoft-defender-antivirus.md @@ -3,7 +3,6 @@ title: Configure the Microsoft Defender AV cloud block timeout period description: You can configure how long Microsoft Defender Antivirus will block a file from running while waiting for a cloud determination. keywords: Microsoft Defender Antivirus, antimalware, security, defender, cloud, timeout, block, period, seconds search.product: eADQiWindows 10XVcnh -ms.pagetype: security ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library 
@@ -15,14 +14,16 @@ ms.custom: nextgen ms.date: 09/03/2018 ms.reviewer: manager: dansimp -ms.custom: nextgen --- # Configure the cloud block timeout period +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- Microsoft Defender Antivirus When Microsoft Defender Antivirus finds a suspicious file, it can prevent the file from running while it queries the [Microsoft Defender Antivirus cloud service](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md). diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-end-user-interaction-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-end-user-interaction-microsoft-defender-antivirus.md index b7af3e0452..db09d1d9ef 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-end-user-interaction-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-end-user-interaction-microsoft-defender-antivirus.md @@ -3,7 +3,6 @@ title: Configure how users can interact with Microsoft Defender AV description: Configure how end-users interact with Microsoft Defender AV, what notifications they see, and if they can override settings. keywords: endpoint, user, interaction, notifications, ui lockdown mode, headless mode, hide interface search.product: eADQiWindows 10XVcnh -ms.pagetype: security ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library 
@@ -12,13 +11,15 @@ ms.localizationpriority: medium author: denisebmsft ms.author: deniseb ms.custom: nextgen -ms.date: 09/03/2018 ms.reviewer: manager: dansimp --- # Configure end-user interaction with Microsoft Defender Antivirus +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md index 0e81659418..1351a2448b 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md @@ -3,11 +3,9 @@ title: Set up exclusions for Microsoft Defender AV scans description: You can exclude files (including files modified by specified processes) and folders from being scanned by Microsoft Defender AV. Validate your exclusions with PowerShell. keywords: search.product: eADQiWindows 10XVcnh -ms.pagetype: security ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium author: denisebmsft ms.author: deniseb @@ -19,6 +17,9 @@ manager: dansimp # Configure and validate exclusions for Microsoft Defender Antivirus scans +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) 
@@ -47,4 +48,4 @@ The following is a list of recommendations that you should keep in mind when def ## Related articles - [Microsoft Defender Antivirus exclusions on Windows Server 2016](configure-server-exclusions-microsoft-defender-antivirus.md) -- [Common mistakes to avoid when defining exclusions](common-exclusion-mistakes-microsoft-defender-antivirus.md) \ No newline at end of file +- [Common mistakes to avoid when defining exclusions](common-exclusion-mistakes-microsoft-defender-antivirus.md) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md index bbbbe12908..cad89f1643 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md @@ -3,11 +3,9 @@ title: Configure and validate exclusions based on extension, name, or location description: Exclude files from Microsoft Defender Antivirus scans based on their file extension, file name, or location. keywords: exclusions, files, extension, file type, folder name, file name, scans search.product: eADQiWindows 10XVcnh -ms.pagetype: security ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium author: denisebmsft ms.author: deniseb @@ -18,6 +16,9 @@ manager: dansimp # Configure and validate exclusions based on file extension and folder location +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) 
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-local-policy-overrides-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-local-policy-overrides-microsoft-defender-antivirus.md index 16fc08a832..5a4dcf2b76 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-local-policy-overrides-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-local-policy-overrides-microsoft-defender-antivirus.md @@ -3,7 +3,6 @@ title: Configure local overrides for Microsoft Defender AV settings description: Enable or disable users from locally changing settings in Microsoft Defender AV. keywords: local override, local policy, group policy, gpo, lockdown,merge, lists search.product: eADQiWindows 10XVcnh -ms.pagetype: security ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library @@ -19,6 +18,9 @@ manager: dansimp # Prevent or allow users to locally modify Microsoft Defender Antivirus policy settings +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features.md index 3f6f29e47b..0e9715c7f7 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features.md 
@@ -3,7 +3,6 @@ title: Configure Microsoft Defender Antivirus features description: You can configure Microsoft Defender Antivirus features with Intune, Microsoft Endpoint Configuration Manager, Group Policy, and PowerShell. keywords: Microsoft Defender Antivirus, antimalware, security, defender, configure, configuration, Config Manager, Microsoft Endpoint Configuration Manager, SCCM, Intune, MDM, mobile device management, GP, group policy, PowerShell search.product: eADQiWindows 10XVcnh -ms.pagetype: security ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library @@ -19,6 +18,9 @@ manager: dansimp # Configure Microsoft Defender Antivirus features +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus.md index 3f3d1f0b07..f19baf44aa 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus.md @@ -3,7 +3,6 @@ title: Configure and validate Microsoft Defender Antivirus network connections description: Configure and test your connection to the Microsoft Defender Antivirus cloud protection service. keywords: antivirus, Microsoft Defender Antivirus, antimalware, security, defender, cloud, aggressiveness, protection level search.product: eADQiWindows 10XVcnh -ms.pagetype: security ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library 
@@ -19,9 +18,12 @@ manager: dansimp # Configure and validate Microsoft Defender Antivirus network connections +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- Microsoft Defender Antivirus To ensure Microsoft Defender Antivirus cloud-delivered protection works properly, you need to configure your network to allow connections between your endpoints and certain Microsoft servers. @@ -58,7 +60,7 @@ The table below lists the services and their associated URLs. Make sure that the | Microsoft Update Service (MU)
                        Windows Update Service (WU)| Security intelligence and product updates |`*.update.microsoft.com`
                        `*.delivery.mp.microsoft.com`
                        `*.windowsupdate.com`

                        For details see [Connection endpoints for Windows Update](https://docs.microsoft.com/windows/privacy/manage-windows-1709-endpoints#windows-update)| |Security intelligence updates Alternate Download Location (ADL)| Alternate location for Microsoft Defender Antivirus Security intelligence updates if the installed Security intelligence is out of date (7 or more days behind)| `*.download.microsoft.com`
                        `*.download.windowsupdate.com`
                        `https://fe3cr.delivery.mp.microsoft.com/ClientWebService/client.asmx`| | Malware submission storage|Upload location for files submitted to Microsoft via the Submission form or automatic sample submission | `ussus1eastprod.blob.core.windows.net`
                        `ussus1westprod.blob.core.windows.net`
                        `usseu1northprod.blob.core.windows.net`
                        `usseu1westprod.blob.core.windows.net`
                        `ussuk1southprod.blob.core.windows.net`
                        `ussuk1westprod.blob.core.windows.net`
                        `ussas1eastprod.blob.core.windows.net`
                        `ussas1southeastprod.blob.core.windows.net`
                        `ussau1eastprod.blob.core.windows.net`
                        `ussau1southeastprod.blob.core.windows.net` | -| Certificate Revocation List (CRL)|Used by Windows when creating the SSL connection to MAPS for updating the CRL | `https://www.microsoft.com/pkiops/crl/`
                        `https://www.microsoft.com/pkiops/certs`
                        `https://crl.microsoft.com/pki/crl/products`
                        `https://www.microsoft.com/pki/certs` | +| Certificate Revocation List (CRL)|Used by Windows when creating the SSL connection to MAPS for updating the CRL | `http://www.microsoft.com/pkiops/crl/`
                        `http://www.microsoft.com/pkiops/certs`
                        `http://crl.microsoft.com/pki/crl/products`
                        `http://www.microsoft.com/pki/certs` | | Symbol Store|Used by Microsoft Defender Antivirus to restore certain critical files during remediation flows | `https://msdl.microsoft.com/download/symbols` | | Universal Telemetry Client| Used by Windows to send client diagnostic data; Microsoft Defender Antivirus uses this for product quality monitoring purposes | This update uses SSL (TCP Port 443) to download manifests and upload diagnostic data to Microsoft that uses the following DNS endpoints: `vortex-win.data.microsoft.com`
                        `settings-win.data.microsoft.com`| diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-notifications-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-notifications-microsoft-defender-antivirus.md index 57a0ea6f0e..ce2af4d4b6 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-notifications-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-notifications-microsoft-defender-antivirus.md @@ -1,9 +1,8 @@ --- title: Configure Microsoft Defender Antivirus notifications -description: Configure and customize Microsoft Defender Antivirus notifications. +description: Learn how to configure and customize both standard and additional Microsoft Defender Antivirus notifications on endpoints. keywords: notifications, defender, antivirus, endpoint, management, admin search.product: eADQiWindows 10XVcnh -ms.pagetype: security ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library @@ -19,6 +18,9 @@ manager: dansimp # Configure the notifications that appear on endpoints +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md index 9fb92406dc..ae76a5bd9d 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md 
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md @@ -3,7 +3,6 @@ title: Configure exclusions for files opened by specific processes description: You can exclude files from scans if they have been opened by a specific process. keywords: Microsoft Defender Antivirus, process, exclusion, files, scans search.product: eADQiWindows 10XVcnh -ms.pagetype: security ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library @@ -18,6 +17,9 @@ manager: dansimp # Configure exclusions for files opened by processes +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-protection-features-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-protection-features-microsoft-defender-antivirus.md index 2f09169a15..3d94d7776c 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-protection-features-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-protection-features-microsoft-defender-antivirus.md @@ -3,7 +3,6 @@ title: Enable and configure Microsoft Defender Antivirus protection features description: Enable behavior-based, heuristic, and real-time protection in Microsoft Defender AV. keywords: heuristic, machine-learning, behavior monitor, real-time protection, always-on, Microsoft Defender Antivirus, antimalware, security, defender search.product: eADQiWindows 10XVcnh -ms.pagetype: security ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library 
@@ -19,6 +18,9 @@ manager: dansimp # Configure behavioral, heuristic, and real-time protection +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md index 727463b3d6..d16426a613 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md @@ -3,7 +3,6 @@ title: Enable and configure Microsoft Defender Antivirus protection capabilities description: Enable and configure Microsoft Defender Antivirus real-time protection features such as behavior monitoring, heuristics, and machine-learning keywords: antivirus, real-time protection, rtp, machine-learning, behavior monitoring, heuristics search.product: eADQiWindows 10XVcnh -ms.pagetype: security ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library @@ -19,6 +18,9 @@ ms.custom: nextgen # Enable and configure Microsoft Defender Antivirus always-on protection in Group Policy +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) 
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus.md index 65400ddb8c..ef93c95c0e 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus.md @@ -3,7 +3,6 @@ title: Remediate and resolve infections detected by Microsoft Defender Antivirus description: Configure what Microsoft Defender Antivirus should do when it detects a threat, and how long quarantined files should be retained in the quarantine folder keywords: remediation, fix, remove, threats, quarantine, scan, restore search.product: eADQiWindows 10XVcnh -ms.pagetype: security ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library @@ -19,6 +18,9 @@ manager: dansimp # Configure remediation for Microsoft Defender Antivirus scans +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md index f0a52f7827..fc90bc6dbc 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md 
@@ -5,7 +5,6 @@ manager: dansimp description: Windows Servers 2016 and 2019 include automatic exclusions, based on server role. You can also add custom exclusions. keywords: exclusions, server, auto-exclusions, automatic, custom, scans, Microsoft Defender Antivirus search.product: eADQiWindows 10XVcnh -ms.pagetype: security ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library @@ -18,6 +17,9 @@ ms.custom: nextgen # Configure Microsoft Defender Antivirus exclusions on Windows Server +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + Microsoft Defender Antivirus on Windows Server 2016 and 2019 automatically enrolls you in certain exclusions, as defined by your specified server role. See the [list of automatic exclusions](#list-of-automatic-exclusions) (in this article). These exclusions do not appear in the standard exclusion lists that are shown in the [Windows Security app](microsoft-defender-security-center-antivirus.md#exclusions). > [!NOTE] diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus.md index 0a108f47da..f482a524ba 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus.md 
@@ -3,7 +3,6 @@ title: Run and customize scheduled and on-demand scans description: Customize and initiate Microsoft Defender Antivirus scans on endpoints across your network. keywords: scan, schedule, customize, exclusions, exclude files, remediation, scan results, quarantine, remove threat, quick scan, full scan, Microsoft Defender Antivirus search.product: eADQiWindows 10XVcnh -ms.pagetype: security ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library @@ -19,6 +18,9 @@ manager: dansimp # Customize, initiate, and review the results of Microsoft Defender Antivirus scans and remediation +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md index 0a108f47da..f482a524ba 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md @@ -3,7 +3,6 @@ title: Run and customize scheduled and on-demand scans description: Customize and initiate Microsoft Defender Antivirus scans on endpoints across your network. keywords: scan, schedule, customize, exclusions, exclude files, remediation, scan results, quarantine, remove threat, quick scan, full scan, Microsoft Defender Antivirus search.product: eADQiWindows 10XVcnh -ms.pagetype: security ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library 
@@ -19,6 +18,9 @@ manager: dansimp # Customize, initiate, and review the results of Microsoft Defender Antivirus scans and remediation +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md index b9406da6f4..a6d053b389 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md @@ -3,7 +3,6 @@ title: Deploy, manage, and report on Microsoft Defender Antivirus description: You can deploy and manage Microsoft Defender Antivirus with Intune, Microsoft Endpoint Configuration Manager, Group Policy, PowerShell, or WMI keywords: deploy, manage, update, protection, Microsoft Defender Antivirus search.product: eADQiWindows 10XVcnh -ms.pagetype: security ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library @@ -19,6 +18,9 @@ manager: dansimp # Deploy, manage, and report on Microsoft Defender Antivirus +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/deploy-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/deploy-microsoft-defender-antivirus.md index 6e0bb71ecc..e66ebbd817 100644 
--- a/windows/security/threat-protection/microsoft-defender-antivirus/deploy-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/deploy-microsoft-defender-antivirus.md @@ -3,7 +3,6 @@ title: Deploy and enable Microsoft Defender Antivirus description: Deploy Microsoft Defender Antivirus for protection of your endpoints with Microsoft Intune, Microsoft Endpoint Configuration Manager, Group Policy, PowerShell cmdlets, or WMI. keywords: deploy, enable, Microsoft Defender Antivirus search.product: eADQiWindows 10XVcnh -ms.pagetype: security ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library @@ -19,6 +18,9 @@ manager: dansimp # Deploy and enable Microsoft Defender Antivirus +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md index a906762b9a..ebce0895fc 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md 
@@ -3,11 +3,9 @@ title: Microsoft Defender Antivirus Virtual Desktop Infrastructure deployment gu description: Learn how to deploy Microsoft Defender Antivirus in a virtual desktop environment for the best balance between protection and performance. keywords: vdi, hyper-v, vm, virtual machine, windows defender, antivirus, av, virtual desktop, rds, remote desktop search.product: eADQiWindows 10XVcnh -ms.pagetype: security ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium author: denisebmsft ms.author: deniseb @@ -19,6 +17,9 @@ manager: dansimp # Deployment guide for Microsoft Defender Antivirus in a virtual desktop infrastructure (VDI) environment +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) @@ -46,69 +47,11 @@ You can also download the whitepaper [Microsoft Defender Antivirus on Virtual De > [!IMPORTANT] > Although the VDI can be hosted on Windows Server 2012 or Windows Server 2016, the virtual machines (VMs) should be running Windows 10, 1607 at a minimum, due to increased protection technologies and features that are unavailable in earlier versions of Windows.
                        There are performance and feature improvements to the way in which Microsoft Defender AV operates on virtual machines in Windows 10 Insider Preview, build 18323 (and later). We'll identify in this guide if you need to be using an Insider Preview build; if it isn't specified, then the minimum required version for the best protection and performance is Windows 10 1607. -### Set up a dedicated VDI file share +## Set up a dedicated VDI file share -In Windows 10, version 1903, we introduced the shared security intelligence feature. This offloads the unpackaging of downloaded security intelligence updates onto a host machine - thus saving previous CPU, disk, and memory resources on individual machines. You can set this feature with [Intune](https://docs.microsoft.com/intune/fundamentals/what-is-intune), Group Policy, or PowerShell. +In Windows 10, version 1903, we introduced the shared security intelligence feature. This offloads the unpackaging of downloaded security intelligence updates onto a host machine — thus saving previous CPU, disk, and memory resources on individual machines. You can set this feature with a Group Policy, or PowerShell. -> [!TIP] -> If you don't already have Intune, [try it for free](https://docs.microsoft.com/intune/fundamentals/free-trial-sign-up)! - -Open the Intune Management Portal either by searching for Intune on [https://portal.azure.com](https://portal.azure.com) or going to [https://devicemanagement.microsoft.com](https://devicemanagement.microsoft.com) and logging in. - -#### To create a group with only the devices or users you specify - -1. Go to **Groups** > **New group**. - -2. Specify the following values: - - Group type: **Security** - - Group name: **VDI test VMs** - - Group description: *Optional* - - Membership type: **Assigned** - -3. Add the devices or users you want to be a part of this test and then click **Create** to save the group. 
- -It’s a good idea to create a couple of groups, one with VMs running the latest Insider Preview build and with the shared security intelligence update feature enabled, and another with VMs that are running Windows 10 1809 or earlier versions. This will help when you create dashboards to test the performance changes. - -#### To create a group that will include any machine in your tenant that is a VM, even when they are newly created - -1. Go to **Groups** > **New group**. - -2. Specify the following values: - - Group type: **Security** - - Group name: **VDI test VMs** - - Group description: *Optional* - - Membership type: **Dynamic Device** - -3. Click **Simple rule**, and select **deviceModel**, **Equals**, and enter **Virtual Machine**. - -4. Click **Add query** and then **Create** to save the group. - -5. Go to **Device configuration**, then **Profiles**. You can modify an existing custom profile or create a new one. - -#### Create a new device configuration profile - -In this example, we create a new device configuration profile by clicking **Create profile**. - -1. Name it, choose **Windows 10 and later** as the Platform and – most importantly – select **Custom** as the profile type. - -2. The **Custom OMA-URI Settings** blade is opened automatically. Click **Add** then enter the following values: - - Name: **VDI shared sig location** - - Description: *Optional* - - OMA-URI: **./Vendor/MSFT/Defender/SharedSignatureRoot** - - Data type: **String** - - `\\\wdav-update\` (see the [Download and unpackage](#download-and-unpackage-the-latest-updates) section for what this will be) - -3. Click **Ok** to close the details blade, then **OK** again to close the **Custom OMA-URI Settings** blade. - -4. Click **Create** to save the new profile. The profile details page now appears. - -5. Click **Assignments**. The **Include** tab is automatically selected. In the drop-down menu, select **Selected Groups**, then click **Select groups to include**. 
Click the **VDI test VMs** group and then **Select**. - -6. Click **Evaluate** to see how many users/devices will be impacted. If the number makes sense, click **Save**. If the number doesn’t make sense, go back to the groups blade and confirm the group contains the right users or devices. - -The profile will now be deployed to the impacted devices. This may take some time. - -#### Use Group Policy to enable the shared security intelligence feature: +### Use Group Policy to enable the shared security intelligence feature: 1. On your Group Policy management computer, open the Group Policy Management Console, right-click the Group Policy Object you want to configure, and then click **Edit**. 
@@ -120,23 +63,23 @@ The profile will now be deployed to the impacted devices. This may take some tim 5. Double-click **Define security intelligence location for VDI clients**, and then set the option to **Enabled**. A field automatically appears. -6. Enter `\\\wdav-update` (see the [Download and unpackage](#download-and-unpackage-the-latest-updates) section for what this will be). +6. Enter `\\\wdav-update` (for what this will be, see [Download and unpackage](#download-and-unpackage-the-latest-updates)). 7. Click **OK**. 8. Deploy the GPO to the VMs you want to test. -#### Use PowerShell to enable the shared security intelligence feature +### Use PowerShell to enable the shared security intelligence feature Use the following cmdlet to enable the feature. You’ll need to then push this as you normally would push PowerShell-based configuration policies onto the VMs: - + ```PowerShell Set-MpPreference -SharedSignaturesPath \\\wdav-update ``` See the [Download and unpackage](#download-and-unpackage-the-latest-updates) section for what the \ will be. -### Download and unpackage the latest updates +## Download and unpackage the latest updates Now you can get started on downloading and installing new updates. We’ve created a sample PowerShell script for you below. This script is the easiest way to download new updates and get them ready for your VMs. You should then set the script to run at a certain time on the management machine by using a scheduled task (or, if you’re familiar with using PowerShell scripts in Azure, Intune, or SCCM, you could also use those). 
@@ -151,30 +94,29 @@ New-Item -ItemType Directory -Force -Path $vdmpath | Out-Null Invoke-WebRequest -Uri 'https://go.microsoft.com/fwlink/?LinkID=121721&arch=x64' -OutFile $vdmpackage -cmd /c "cd $vdmpath & c: & mpam-fe.exe /x" +cmd /c "cd $vdmpath & c: & mpam-fe.exe /x" ``` You can set a scheduled task to run once a day so that whenever the package is downloaded and unpacked then the VMs will receive the new update. -We suggest starting with once a day – but you should experiment with increasing or decreasing the frequency to understand the impact. +We suggest starting with once a day — but you should experiment with increasing or decreasing the frequency to understand the impact. Security intelligence packages are typically published once every three to four hours. Setting a frequency shorter than four hours isn’t advised because it will increase the network overhead on your management machine for no benefit. -#### Set a scheduled task to run the powershell script +### Set a scheduled task to run the PowerShell script 1. On the management machine, open the Start menu and type **Task Scheduler**. Open it and select **Create task…** on the side panel. 2. Enter the name as **Security intelligence unpacker**. Go to the **Trigger** tab. Click **New…** Select **Daily** and click **OK**. -3. Go to the **Actions** tab. Click **New…** Enter **PowerShell** in the **Program/Script** field. Enter `-ExecutionPolicy Bypass c:\wdav-update\vdmdlunpack.ps1` in the **Add arguments** field. Click **OK**. +3. Go to the **Actions** tab. Click **New…** Enter **PowerShell** in the **Program/Script** field. Enter `-ExecutionPolicy Bypass c:\wdav-update\vdmdlunpack.ps1` in the **Add arguments** field. Click **OK**. -4. You can choose to configure additional settings if you wish. +4. You can choose to configure additional settings if you wish. 5. Click **OK** to save the scheduled task. - You can initiate the update manually by right-clicking on the task and clicking **Run**. 
-#### Download and unpackage manually +### Download and unpackage manually If you would prefer to do everything manually, this what you would need to do to replicate the script’s behavior: 
@@ -182,83 +124,85 @@ If you would prefer to do everything manually, this what you would need to do to 2. Create a subfolder under *wdav_update* with a GUID name, such as `{00000000-0000-0000-0000-000000000000}`; for example `c:\wdav_update\{00000000-0000-0000-0000-000000000000}`. - Note: In the script we set it so the last 12 digits of the GUID are the year, month, day, and time when the file was downloaded so that a new folder is created each time. You can change this so that the file is downloaded to the same folder each time. + > [!NOTE] + > In the script we set it so the last 12 digits of the GUID are the year, month, day, and time when the file was downloaded so that a new folder is created each time. You can change this so that the file is downloaded to the same folder each time. 3. Download a security intelligence package from [https://www.microsoft.com/wdsi/definitions](https://www.microsoft.com/wdsi/definitions) into the GUID folder. The file should be named `mpam-fe.exe`. 4. Open a cmd prompt window and navigate to the GUID folder you created. Use the **/X** extraction command to extract the files, for example `mpam-fe.exe /X`. - Note: The VMs will pick up the updated package whenever a new GUID folder is created with an extracted update package or whenever an existing folder is updated with a new extracted package. + > [!NOTE] + > The VMs will pick up the updated package whenever a new GUID folder is created with an extracted update package or whenever an existing folder is updated with a new extracted package. -### Randomize scheduled scans +## Randomize scheduled scans Scheduled scans run in addition to [real-time protection and scanning](configure-real-time-protection-microsoft-defender-antivirus.md). -The start time of the scan itself is still based on the scheduled scan policy – ScheduleDay, ScheduleTime, ScheduleQuickScanTime. 
Randomization will cause Microsoft Defender AV to start a scan on each machine within a 4 hour window from the time set for the scheduled scan. +The start time of the scan itself is still based on the scheduled scan policy — ScheduleDay, ScheduleTime, ScheduleQuickScanTime. Randomization will cause Microsoft Defender AV to start a scan on each machine within a 4 hour window from the time set for the scheduled scan. See [Schedule scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md) for other configuration options available for scheduled scans. -### Use quick scans +## Use quick scans You can specify the type of scan that should be performed during a scheduled scan. Quick scans are the preferred approach as they are designed to look in all places where malware needs to reside to be active. 1. Expand the tree to **Windows components > Windows Defender > Scan**. -2. Double-click **Specify the scan type to use for a scheduled scan** and set the option to **Enabled** and **Quick scan**. +2. Double-click **Specify the scan type to use for a scheduled scan** and set the option to **Enabled** and **Quick scan**. 3. Click **OK**. -### Prevent notifications +## Prevent notifications Sometimes, Microsoft Defender Antivirus notifications may be sent to or persist across multiple sessions. In order to minimize this problem, you can use the lock down the Microsoft Defender Antivirus user interface. -1. Expand the tree to **Windows components > Windows Defender > Client Interface**. +1. Expand the tree to **Windows components > Windows Defender > Client Interface**. -2. Double-click **Suppress all notifications** and set the option to **Enabled**. +2. Double-click **Suppress all notifications** and set the option to **Enabled**. -3. Click **OK**. +3. Click **OK**. This prevents notifications from Microsoft Defender AV appearing in the action center on Windows 10 when scans or remediation is performed. 
-### Disable scans after an update +## Disable scans after an update This setting will prevent a scan from occurring after receiving an update. You can apply this when creating the base image if you have also run a quick scan. This prevents the newly updated VM from performing a scan again (as you've already scanned it when you created the base image). > [!IMPORTANT] > Running scans after an update will help ensure your VMs are protected with the latest Security intelligence updates. Disabling this option will reduce the protection level of your VMs and should only be used when first creating or deploying the base image. -1. Expand the tree to **Windows components > Windows Defender > Signature Updates**. +1. Expand the tree to **Windows components > Windows Defender > Signature Updates**. -2. Double-click **Turn on scan after signature update** and set the option to **Disabled**. +2. Double-click **Turn on scan after signature update** and set the option to **Disabled**. -3. Click **OK**. +3. Click **OK**. This prevents a scan from running immediately after an update. -### Scan VMs that have been offline +## Scan VMs that have been offline -1. Expand the tree to **Windows components > Windows Defender > Scan**. +1. Expand the tree to **Windows components > Windows Defender > Scan**. -2. Double-click the **Turn on catch-up quick scan** setting and set the option to **Enabled**. +2. Double-click the **Turn on catch-up quick scan** setting and set the option to **Enabled**. -3. Click **OK**. +3. Click **OK**. This forces a scan if the VM has missed two or more consecutive scheduled scans. +## Enable headless UI mode -### Enable headless UI mode +1. Double-click **Enable headless UI mode** and set the option to **Enabled**. -1. Double-click **Enable headless UI mode** and set the option to **Enabled**. - -2. Click **OK**. +2. Click **OK**. This hides the entire Microsoft Defender AV user interface from users. 
-### Exclusions +## Exclusions -On Windows Server 2016, Microsoft Defender Antivirus will automatically deliver the right exclusions for servers running a VDI environment. However, if you are running an older Windows server version, see [Configure Microsoft Defender Antivirus exclusions on Windows Server](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus). +Exclusions can be added, removed, or customized to suit your needs. +For more details, see [Configure Microsoft Defender Antivirus exclusions on Windows Server](configure-exclusions-microsoft-defender-antivirus.md). ## Additional resources diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md index 40994831c4..0c17ea1575 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md @@ -3,11 +3,9 @@ title: Block potentially unwanted applications with Microsoft Defender Antivirus description: Enable the potentially unwanted application (PUA) antivirus feature to block unwanted software such as adware. keywords: pua, enable, unwanted software, unwanted apps, adware, browser toolbar, detect, block, Microsoft Defender Antivirus search.product: eADQiWindows 10XVcnh -ms.pagetype: security ms.prod: w10 ms.mktglfcycl: detect ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium author: denisebmsft ms.author: deniseb 
@@ -20,13 +18,16 @@ manager: dansimp # Detect and block potentially unwanted applications +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - [Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/microsoft-edge) > [!NOTE] -> Potentially unwanted applications (PUA) are a category of software that can cause your machine to run slowly, display unexpected ads, or at worst, install other software which might not be be unexpected or unwanted. By default in Windows 10 (version 2004 and later), Microsoft Defender Antivirus blocks apps that are considered PUA, for Enterprise (E5) devices. +> Potentially unwanted applications (PUA) are a category of software that can cause your machine to run slowly, display unexpected ads, or at worst, install other software which might be unexpected or unwanted. By default in Windows 10 (version 2004 and later), Microsoft Defender Antivirus blocks apps that are considered PUA, for Enterprise (E5) devices. Potentially unwanted applications (PUA) are not considered viruses, malware, or other types of threats, but they might perform actions on endpoints which adversely affect endpoint performance or use. _PUA_ can also refer to an application that has a poor reputation, as assessed by Microsoft Defender ATP, due to certain kinds of undesirable behavior. diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md index 84f310871d..e62fd3c943 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md 
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md @@ -3,11 +3,9 @@ title: Enable cloud-delivered protection in Microsoft Defender Antivirus description: Enable cloud-delivered protection to benefit from fast and advanced protection features. keywords: Microsoft Defender Antivirus, antimalware, security, cloud, block at first sight search.product: eADQiWindows 10XVcnh -ms.pagetype: security ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium author: denisebmsft ms.author: deniseb 
@@ -18,14 +16,17 @@ ms.custom: nextgen # Enable cloud-delivered protection +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- Microsoft Defender Antivirus > [!NOTE] > The Microsoft Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud; rather, it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional Security intelligence updates. -Microsoft Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, real-time, and intelligent protection. [Get to know the advanced technologies at the core of Microsoft Defender ATP next generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/). +Microsoft Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, real-time, and intelligent protection. [Get to know the advanced technologies at the core of Microsoft Defender ATP next-generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/). ![List of Microsoft Defender AV engines](images/microsoft-defender-atp-next-generation-protection-engines.png) You can enable or disable Microsoft Defender Antivirus cloud-delivered protection with Microsoft Intune, Microsoft Endpoint Configuration Manager, Group Policy, PowerShell cmdlets, or on individual clients in the Windows Security app. 
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/evaluate-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/evaluate-microsoft-defender-antivirus.md index 1c2dec92b5..d76667b2a1 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/evaluate-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/evaluate-microsoft-defender-antivirus.md @@ -3,11 +3,9 @@ title: Evaluate Microsoft Defender Antivirus description: Businesses of all sizes can use this guide to evaluate and test the protection offered by Microsoft Defender Antivirus in Windows 10. keywords: Microsoft Defender Antivirus, cloud protection, cloud, antimalware, security, defender, evaluate, test, protection, compare, real-time protection search.product: eADQiWindows 10XVcnh -ms.pagetype: security ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium author: denisebmsft ms.author: deniseb @@ -19,6 +17,9 @@ manager: dansimp # Evaluate Microsoft Defender Antivirus +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) 
@@ -31,7 +32,7 @@ Use this guide to determine how well Microsoft Defender Antivirus protects you f >- Fast learning (including Block at first sight) >- Potentially unwanted application blocking -It explains the important next generation protection features of Microsoft Defender Antivirus available for both small and large enterprises, and how they increase malware detection and protection across your network. +It explains the important next-generation protection features of Microsoft Defender Antivirus available for both small and large enterprises, and how they increase malware detection and protection across your network. You can choose to configure and evaluate each setting independently, or all at once. We have grouped similar settings based upon typical evaluation scenarios, and include instructions for using PowerShell to enable the settings. diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/images/turnontamperprotect-MEM.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/turnontamperprotect-MEM.png new file mode 100644 index 0000000000..0b0516183a Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-antivirus/images/turnontamperprotect-MEM.png differ diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/limited-periodic-scanning-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/limited-periodic-scanning-microsoft-defender-antivirus.md index 545f77a114..9b9a68afc6 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/limited-periodic-scanning-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/limited-periodic-scanning-microsoft-defender-antivirus.md 
@@ -3,11 +3,9 @@ title: Enable the limited periodic Microsoft Defender Antivirus scanning feature description: Limited periodic scanning lets you use Microsoft Defender Antivirus in addition to your other installed AV providers keywords: lps, limited, periodic, scan, scanning, compatibility, 3rd party, other av, disable search.product: eADQiWindows 10XVcnh -ms.pagetype: security ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium author: denisebmsft ms.author: deniseb @@ -21,6 +19,9 @@ manager: dansimp # Use limited periodic scanning in Microsoft Defender Antivirus +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/manage-event-based-updates-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-event-based-updates-microsoft-defender-antivirus.md index c29455e452..2a22aeb079 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-event-based-updates-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-event-based-updates-microsoft-defender-antivirus.md @@ -3,7 +3,6 @@ title: Apply Microsoft Defender Antivirus updates after certain events description: Manage how Microsoft Defender Antivirus applies security intelligence updates after startup or receiving cloud-delivered detection reports. keywords: updates, protection, force updates, events, startup, check for latest, notifications search.product: eADQiWindows 10XVcnh -ms.pagetype: security ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library 
@@ -12,13 +11,16 @@ ms.localizationpriority: medium author: denisebmsft ms.author: deniseb ms.custom: nextgen -ms.date: 09/03/2018 -ms.reviewer: +ms.date: 09/17/2018 +ms.reviewer: pahuijbr manager: dansimp --- # Manage event-based forced updates +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) @@ -83,7 +85,7 @@ You can use Group Policy to force Microsoft Defender Antivirus to check and down 3. Click **Policies** then **Administrative templates**. -4. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Signature Updates**. +4. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Security Intelligence Updates**. 5. Double-click **Check for the latest virus and spyware definitions on startup** and set the option to **Enabled**. 
@@ -141,16 +143,16 @@ If you have enabled cloud-delivered protection, Microsoft Defender AV will send 3. Click **Policies** then **Administrative templates**. -4. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Signature Updates**. +4. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Security Intelligence Updates**. 5. Double-click **Allow real-time security intelligence updates based on reports to Microsoft MAPS** and set the option to **Enabled**. Then click **OK**. 6. **Allow notifications to disable definitions-based reports to Microsoft MAPS** and set the option to **Enabled**. Then click **OK**. > [!NOTE] -> "Allow notifications to disable definitions based reports" enables Microsoft MAPS to disable those definitions known to cause false-positive reports. You must configure your computer to join Microsoft MAPS for this function to work. +> **Allow notifications to disable definitions based reports** enables Microsoft MAPS to disable those definitions known to cause false-positive reports. You must configure your computer to join Microsoft MAPS for this function to work. -## Related articles +## See also - [Deploy Microsoft Defender Antivirus](deploy-manage-report-microsoft-defender-antivirus.md) - [Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/manage-outdated-endpoints-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-outdated-endpoints-microsoft-defender-antivirus.md index 8956c31df7..ab04442450 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-outdated-endpoints-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-outdated-endpoints-microsoft-defender-antivirus.md 
@@ -3,7 +3,6 @@ title: Apply Microsoft Defender AV protection updates to out of date endpoints description: Define when and how updates should be applied for endpoints that have not updated in a while. keywords: updates, protection, out-of-date, outdated, old, catch-up search.product: eADQiWindows 10XVcnh -ms.pagetype: security ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library @@ -19,6 +18,9 @@ manager: dansimp # Manage Microsoft Defender Antivirus updates and scans for endpoints that are out of date +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-update-schedule-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-update-schedule-microsoft-defender-antivirus.md index 5ba75a3387..9565e809a3 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-update-schedule-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-update-schedule-microsoft-defender-antivirus.md @@ -3,7 +3,6 @@ title: Schedule Microsoft Defender Antivirus protection updates description: Schedule the day, time, and interval for when protection updates should be downloaded keywords: updates, security baselines, schedule updates search.product: eADQiWindows 10XVcnh -ms.pagetype: security ms.prod: w10 search.appverid: met150 ms.mktglfcycl: manage 
@@ -20,6 +19,9 @@ manager: dansimp # Manage the schedule for when protection updates should be downloaded and applied +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-updates-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-updates-microsoft-defender-antivirus.md index 58e3fd0a6f..2ac2800429 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-updates-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-updates-microsoft-defender-antivirus.md @@ -3,7 +3,6 @@ title: Manage how and where Microsoft Defender AV receives updates description: Manage the fallback order for how Microsoft Defender Antivirus receives protection updates. keywords: updates, security baselines, protection, fallback order, ADL, MMPC, UNC, file path, share, wsus search.product: eADQiWindows 10XVcnh -ms.pagetype: security ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library @@ -18,6 +17,9 @@ ms.custom: nextgen # Manage the sources for Microsoft Defender Antivirus protection updates +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md index f730a9670c..514ee0334b 100644 
--- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md @@ -3,7 +3,6 @@ title: Manage Microsoft Defender Antivirus updates and apply baselines description: Manage how Microsoft Defender Antivirus receives protection and product updates. keywords: updates, security baselines, protection, schedule updates, force updates, mobile updates, wsus search.product: eADQiWindows 10XVcnh -ms.pagetype: security ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library @@ -14,10 +13,14 @@ ms.author: deniseb ms.custom: nextgen ms.reviewer: manager: dansimp +ms.date: 09/10/2020 --- # Manage Microsoft Defender Antivirus updates and apply baselines +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) 
@@ -31,6 +34,10 @@ There are two types of updates related to keeping Microsoft Defender Antivirus u > Keeping Microsoft Defender Antivirus up to date is critical to assure your devices have the latest technology and features needed to protect against new malware and attack techniques. > This also applies to devices where Microsoft Defender Antivirus is running in [passive mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility). +> [!NOTE] +> You can use the below URL to find out what are the current versions: +> [https://www.microsoft.com/security/encyclopedia/adlpackages.aspx?action=info](https://www.microsoft.com/security/encyclopedia/adlpackages.aspx?action=info) + ## Security intelligence updates Microsoft Defender Antivirus uses [cloud-delivered protection](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md) (also called the Microsoft Advanced Protection Service or MAPS) and periodically downloads security intelligence updates to provide protection. @@ -58,6 +65,45 @@ All our updates contain: * serviceability improvements * integration improvements (Cloud, MTP)
                        +
                        + August-2020 (Platform: 4.18.2008.9 | Engine: 1.1.17400.5) + + Security intelligence update version: **1.323.9.0** + Released: **August 27, 2020** + Platform: **4.18.2008.9** + Engine: **1.1.17400.5** + Support phase: **Security and Critical Updates** + +### What's new +* Add more telemetry events +* Improved scan event telemetry +* Improved behavior monitoring for memory scans +* Improved macro streams scanning +* Added "AMRunningMode" to Get-MpComputerStatus Powershell CmdLet + +### Known Issues +No known issues +
                        +
                        + +
                        + July-2020 (Platform: 4.18.2007.8 | Engine: 1.1.17300.4) + + Security intelligence update version: **1.321.30.0** + Released: **July 28, 2020** + Platform: **4.18.2007.8** + Engine: **1.1.17300.4** + Support phase: **Security and Critical Updates** + +### What's new +* Improved telemetry for BITS +* Improved Authenticode code signing certificate validation + +### Known Issues +No known issues +
                        +
                        +
                        June-2020 (Platform: 4.18.2006.10 | Engine: 1.1.17200.2) @@ -87,7 +133,7 @@ No known issues  Released: **May 26, 2020**  Platform: **4.18.2005.4**  Engine: **1.1.17100.2** - Support phase: **Security and Critical Updates** + Support phase: **Technical upgrade Support (Only)** ### What's new * Improved logging for scan events @@ -109,7 +155,7 @@ No known issues  Released: **April 30, 2020**  Platform: **4.18.2004.6**  Engine: **1.1.17000.2** - Support phase: **Security and Critical Updates** + Support phase: **Technical upgrade Support (Only)** ### What's new * WDfilter improvements @@ -183,7 +229,7 @@ Support phase: **Technical upgrade Support (Only)** * Support platform updates when TMP is redirected to network path * Platform and engine versions are added to [WDSI](https://www.microsoft.com/wdsi/defenderupdates) * extend Emergency signature update to [passive mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility) -* Fix 4.18.1911.10 hang +* Fix 4.18.1911.3 hang ### Known Issues [**Fixed**] devices utilizing [modern standby mode](https://docs.microsoft.com/windows-hardware/design/device-experiences/modern-standby) may experience a hang with the Windows Defender filter driver that results in a gap of protection. Affected machines appear to the customer as having not updated to the latest antimalware platform. @@ -191,14 +237,17 @@ Support phase: **Technical upgrade Support (Only)** > [!IMPORTANT] > This updates is needed by RS1 devices running lower version of the platform to support SHA2.
                        This update has reboot flag for systems that are experiencing the hang issue.
                        the This update is re-released in April 2020 and will not be superseded by newer updates to keep future availability.
                        +> [!IMPORTANT] +> This update is categorized as an "update" due to its reboot requirement and will only be offered with a [Windows Update](https://support.microsoft.com/help/4027667/windows-10-update) +
                        - November-2019 (Platform: 4.18.1911.2 | Engine: 1.1.16600.7) + November-2019 (Platform: 4.18.1911.3 | Engine: 1.1.16600.7) Security intelligence update version: **1.307.13.0** Released: **December 7, 2019** -Platform: **4.18.1911.2** +Platform: **4.18.1911.3** Engine: **1.1.17000.7** Support phase: **No support** @@ -210,7 +259,7 @@ Support phase: **No support** * add MRT logs to support files ### Known Issues -No known issues +When this update is installed, the device needs the jump package 4.10.2001.10 to be able to update to the latest platform version.
                        diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md index fb9cbcf454..06525a035e 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md @@ -3,7 +3,6 @@ title: Define how mobile devices are updated by Microsoft Defender AV description: Manage how mobile devices, such as laptops, should be updated with Microsoft Defender AV protection updates. keywords: updates, protection, schedule updates, battery, mobile device, laptop, notebook, opt-in, microsoft update, wsus, override search.product: eADQiWindows 10XVcnh -ms.pagetype: security ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library @@ -19,6 +18,9 @@ manager: dansimp # Manage updates for mobile devices and virtual machines (VMs) +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md index 8f16436956..e598e1bbce 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md 
@@ -13,10 +13,14 @@ ms.author: deniseb ms.custom: nextgen ms.reviewer: manager: dansimp +ms.date: 08/26/2020 --- # Microsoft Defender Antivirus compatibility +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) 
@@ -26,7 +30,7 @@ manager: dansimp Microsoft Defender Antivirus is automatically enabled and installed on endpoints and devices that are running Windows 10. But what happens when another antivirus/antimalware solution is used? It depends on whether you're using [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection) together with your antivirus protection. - If your organization's endpoints and devices are protected with a non-Microsoft antivirus/antimalware solution, and Microsoft Defender ATP is not used, then Microsoft Defender Antivirus automatically goes into disabled mode. - If your organization is using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) together with a non-Microsoft antivirus/antimalware solution, then Microsoft Defender Antivirus automatically goes into passive mode. (Real-time protection and threats are not remediated by Microsoft Defender Antivirus.) -- If your organization is using Microsoft Defender ATP together with a non-Microsoft antivirus/antimalware solution, and you have [EDR in block mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode) (currently in private preview) enabled, then Microsoft Defender Antivirus runs in the background and blocks/remediates malicious items that are detected, such as during a post-breach attack. +- If your organization is using Microsoft Defender ATP together with a non-Microsoft antivirus/antimalware solution, and you have [EDR in block mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode) (currently in preview) enabled, then whenever a malicious artifact is detected, Microsoft Defender ATP takes action to block and remediate the artifact. ## Antivirus and Microsoft Defender ATP 
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md index 4be2a05301..e9bcff7d72 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md @@ -3,7 +3,6 @@ title: Next-generation protection in Windows 10, Windows Server 2016, and Window description: Learn how to manage, configure, and use Microsoft Defender AV, the built-in antimalware and antivirus product available in Windows 10 and Windows Server 2016 keywords: Microsoft Defender Antivirus, windows defender, antimalware, scep, system center endpoint protection, system center configuration manager, virus, malware, threat, detection, protection, security search.product: eADQiWindows 10XVcnh -ms.pagetype: security ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library @@ -19,9 +18,12 @@ ms.custom: nextgen # Next-generation protection in Windows 10, Windows Server 2016, and Windows Server 2019 +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ## Microsoft Defender Antivirus: Your next-generation protection diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md index 2108fffbab..76701c22f2 100644 
--- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md @@ -1,13 +1,12 @@ --- title: Microsoft Defender Antivirus on Windows Server 2016 and 2019 -description: Enable and configure Microsoft Defender AV on Windows Server 2016 and 2019 +description: Learn how to enable and configure Microsoft Defender Antivirus on Windows Server 2016 and Windows Server 2019. keywords: windows defender, server, scep, system center endpoint protection, server 2016, current branch, server 2012 search.product: eADQiWindows 10XVcnh ms.pagetype: security ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium author: denisebmsft ms.author: deniseb @@ -18,9 +17,13 @@ manager: dansimp # Microsoft Defender Antivirus on Windows Server 2016 and 2019 +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- Windows Server 2016 +- Windows Server 2019 Microsoft Defender Antivirus is available on Windows Server 2016 and Windows Server 2019. In some instances, Microsoft Defender Antivirus is referred to as Endpoint Protection; however, the protection engine is the same. diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-offline.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-offline.md index 0a396c5667..d2e1ac4fe4 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-offline.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-offline.md 
@@ -3,7 +3,6 @@ title: Microsoft Defender Offline in Windows 10 description: You can use Microsoft Defender Offline straight from the Windows Defender Antivirus app. You can also manage how it is deployed in your network. keywords: scan, defender, offline search.product: eADQiWindows 10XVcnh -ms.pagetype: security ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library @@ -18,6 +17,9 @@ manager: dansimp # Run and review the results of a Microsoft Defender Offline scan +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-security-center-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-security-center-antivirus.md index 1bb6d1137c..a6e9c4aa01 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-security-center-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-security-center-antivirus.md @@ -3,7 +3,6 @@ title: Microsoft Defender Antivirus in the Windows Security app description: With Microsoft Defender AV now included in the Windows Security app, you can review, compare, and perform common tasks. keywords: wdav, antivirus, firewall, security, windows search.product: eADQiWindows 10XVcnh -ms.pagetype: security ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library @@ -18,6 +17,9 @@ manager: dansimp # Microsoft Defender Antivirus in the Windows Security app +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) 
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/office-365-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/office-365-microsoft-defender-antivirus.md index 58f370b7dd..30030fb3b1 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/office-365-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/office-365-microsoft-defender-antivirus.md @@ -3,7 +3,6 @@ title: "Better together - Microsoft Defender Antivirus and Office 365 (including description: "Office 365, which includes OneDrive, goes together wonderfully with Microsoft Defender Antivirus. Read this article to learn more." keywords: windows defender, antivirus, office 365, onedrive, restore, ransomware search.product: eADQiWindows 10XVcnh -ms.pagetype: security ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library @@ -21,6 +20,9 @@ manager: dansimp # Better together: Microsoft Defender Antivirus and Office 365 +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - Microsoft Defender Antivirus diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md b/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md index 52690f977b..6b6a753cf0 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md 
@@ -14,10 +14,14 @@ audience: ITPro author: denisebmsft ms.author: deniseb ms.custom: nextgen +ms.date: 08/31/2020 --- # Protect security settings with tamper protection +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - Windows 10 
@@ -80,24 +84,20 @@ If you are a home user, or you are not subject to settings managed by a security ## Turn tamper protection on (or off) for your organization using Intune -If you are part of your organization's security team, and your subscription includes [Intune](https://docs.microsoft.com/intune/fundamentals/what-is-intune), you can turn tamper protection on (or off) for your organization in the Microsoft 365 Device Management portal ([https://aka.ms/intuneportal](https://aka.ms/intuneportal)). - -> [!NOTE] -> The ability to manage tamper protection in Intune is rolling out now; if you don't have it yet, you should very soon, assuming your organization has [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md) (Microsoft Defender ATP) and that you meet the prerequisites listed below. +If you are part of your organization's security team, and your subscription includes [Intune](https://docs.microsoft.com/intune/fundamentals/what-is-intune), you can turn tamper protection on (or off) for your organization in the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com) portal. You must have appropriate [permissions](../microsoft-defender-atp/assign-portal-access.md), such as global admin, security admin, or security operations, to perform the following task. 1. Make sure your organization meets all of the following requirements to manage tamper protection using Intune: - - Your organization must have [Microsoft Defender ATP E5](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp) (this is included in [Microsoft 365 E5](https://docs.microsoft.com/microsoft-365/enterprise/microsoft-365-overview)). - Your organization uses [Intune to manage devices](https://docs.microsoft.com/intune/fundamentals/what-is-device-management). ([Intune licenses](https://docs.microsoft.com/intune/fundamentals/licenses) are required; this is included in Microsoft 365 E5.) 
- Your Windows machines must be running Windows 10 OS [1709](https://docs.microsoft.com/windows/release-information/status-windows-10-1709), [1803](https://docs.microsoft.com/windows/release-information/status-windows-10-1803), [1809](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019) or later. (See [Windows 10 release information](https://docs.microsoft.com/windows/release-information/) for more details about releases.) - You must be using Windows security with [security intelligence](https://www.microsoft.com/wdsi/definitions) updated to version 1.287.60.0 (or above). - Your machines must be using anti-malware platform version 4.18.1906.3 (or above) and anti-malware engine version 1.1.15500.X (or above). ([Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md).) -2. Go to the Microsoft 365 Device Management portal ([https://devicemanagement.microsoft.com](https://devicemanagement.microsoft.com)) and sign in with your work or school account. +2. Go to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com) and sign in with your work or school account. -3. Select **Device configuration** > **Profiles**. +3. Select **Devices** > **Configuration Profiles**. 4. Create a profile as follows: @@ -109,7 +109,7 @@ You must have appropriate [permissions](../microsoft-defender-atp/assign-portal- - Tamper Protection: **Enabled** - ![Turn tamper protection on with Intune](images/turnontamperprotect-intune.png) + ![Turn tamper protection on with Intune](images/turnontamperprotect-MEM.png) 5. Assign the profile to one or more groups. diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/prevent-end-user-interaction-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/prevent-end-user-interaction-microsoft-defender-antivirus.md index 18c0fdfc15..c3358561d8 100644 
--- a/windows/security/threat-protection/microsoft-defender-antivirus/prevent-end-user-interaction-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/prevent-end-user-interaction-microsoft-defender-antivirus.md @@ -3,7 +3,6 @@ title: Hide the Microsoft Defender Antivirus interface description: You can hide virus and threat protection tile in the Windows Security app. keywords: ui lockdown, headless mode, hide app, hide settings, hide interface search.product: eADQiWindows 10XVcnh -ms.pagetype: security ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library @@ -19,6 +18,9 @@ manager: dansimp # Prevent users from seeing or interacting with the Microsoft Defender Antivirus user interface +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/report-monitor-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/report-monitor-microsoft-defender-antivirus.md index aa0b387ceb..2705f9bf69 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/report-monitor-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/report-monitor-microsoft-defender-antivirus.md @@ -3,7 +3,6 @@ title: Monitor and report on Microsoft Defender Antivirus protection description: Use Configuration Manager or security information and event management (SIEM) tools to consume reports, and monitor Microsoft Defender AV with PowerShell and WMI. keywords: siem, monitor, report, Microsoft Defender AV search.product: eADQiWindows 10XVcnh -ms.pagetype: security ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library 
@@ -19,6 +18,9 @@ manager: dansimp # Report on Microsoft Defender Antivirus +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus.md index 325b0800ee..19b05b9f87 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus.md @@ -3,7 +3,6 @@ title: Restore quarantined files in Microsoft Defender AV description: You can restore files and folders that were quarantined by Microsoft Defender AV. keywords: search.product: eADQiWindows 10XVcnh -ms.pagetype: security ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library @@ -19,6 +18,9 @@ manager: dansimp # Restore quarantined files in Microsoft Defender AV +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/review-scan-results-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/review-scan-results-microsoft-defender-antivirus.md index 1e4a2b7142..c83b6725b3 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/review-scan-results-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/review-scan-results-microsoft-defender-antivirus.md 
@@ -3,7 +3,6 @@ title: Review the results of Microsoft Defender AV scans description: Review the results of scans using Microsoft Endpoint Configuration Manager, Microsoft Intune, or the Windows Security app keywords: scan results, remediation, full scan, quick scan search.product: eADQiWindows 10XVcnh -ms.pagetype: security ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library @@ -19,6 +18,9 @@ manager: dansimp # Review Microsoft Defender Antivirus scan results +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/run-scan-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/run-scan-microsoft-defender-antivirus.md index a0fc81be46..84a2edacf5 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/run-scan-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/run-scan-microsoft-defender-antivirus.md @@ -3,7 +3,6 @@ title: Run and customize on-demand scans in Microsoft Defender AV description: Run and configure on-demand scans using PowerShell, Windows Management Instrumentation, or individually on endpoints with the Windows Security app keywords: scan, on-demand, dos, intune, instant scan search.product: eADQiWindows 10XVcnh -ms.pagetype: security ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library @@ -19,6 +18,9 @@ manager: dansimp # Configure and run on-demand Microsoft Defender Antivirus scans +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) 
@@ -30,6 +32,9 @@ You can run an on-demand scan on individual endpoints. These scans will start im Quick scan looks at all the locations where there could be malware registered to start with the system, such as registry keys and known Windows startup folders. +> [!IMPORTANT] +> Microsoft Defender Antivirus runs in the context of the [LocalSystem](https://docs.microsoft.com/windows/win32/services/localsystem-account) account when performing a local scan. For network scans, it uses the context of the device account. If the domain device account doesn't have appropriate permissions to access the share, the scan won't work. Ensure that the device has permissions to the access network share. + Combined with [always-on real-time protection capability](configure-real-time-protection-microsoft-defender-antivirus.md)--which reviews files when they are opened and closed, and whenever a user navigates to a folder--a quick scan helps provide strong coverage both for malware that starts with the system and kernel-level malware. In most instances, this means a quick scan is adequate to find malware that wasn't picked up by real-time protection. diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md index ce7ad86555..2a04fdb15b 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md 
@@ -3,7 +3,6 @@ title: Schedule regular quick and full scans with Microsoft Defender AV description: Set up recurring (scheduled) scans, including when they should run and whether they run as full or quick scans keywords: quick scan, full scan, quick vs full, schedule scan, daily, weekly, time, scheduled, recurring, regular search.product: eADQiWindows 10XVcnh -ms.pagetype: security ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library @@ -19,6 +18,9 @@ manager: dansimp # Configure scheduled quick or full Microsoft Defender Antivirus scans +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus.md index c6a20d3a13..da8cab7cff 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus.md @@ -7,11 +7,10 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium author: denisebmsft ms.author: deniseb -ms.date: 09/03/2018 +ms.date: 08/12/2020 ms.reviewer: manager: dansimp ms.custom: nextgen 
@@ -19,9 +18,12 @@ ms.custom: nextgen # Specify the cloud-delivered protection level +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- Microsoft Defender Antivirus You can specify the level of cloud-protection offered by Microsoft Defender Antivirus with Group Policy and Microsoft Endpoint Configuration Manager. @@ -62,7 +64,8 @@ See [How to create and deploy antimalware policies: Cloud-protection service](ht 5. Expand the tree to **Windows components > Microsoft Defender Antivirus > MpEngine**. 6. Double-click the **Select cloud protection level** setting and set it to **Enabled**. Select the level of protection: - - **Default Microsoft Defender Antivirus blocking level** provides strong detection without increasing the risk of detecting legitimate files. + - **Default blocking level** provides strong detection without increasing the risk of detecting legitimate files. + - **Moderate blocking level** provides moderate only for high confidence detections - **High blocking level** applies a strong level of detection while optimizing client performance (greater chance of false positives). - **High + blocking level** applies additional protection measures (may impact client performance and increase risk of false positives). - **Zero tolerance blocking level** blocks all unknown executables. diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus.md index 75665404c2..bebdd997f5 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus.md 
@@ -3,11 +3,9 @@ title: Microsoft Defender AV event IDs and error codes description: Look up the causes and solutions for Microsoft Defender Antivirus event IDs and errors keywords: event, error code, siem, logging, troubleshooting, wef, windows event forwarding search.product: eADQiWindows 10XVcnh -ms.pagetype: security ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium author: denisebmsft ms.author: deniseb @@ -19,6 +17,9 @@ manager: dansimp # Review event logs and error codes to troubleshoot issues with Microsoft Defender Antivirus +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) @@ -50,7 +51,7 @@ The table in this section lists the main Microsoft Defender Antivirus event IDs ## To view a Microsoft Defender Antivirus event 1. Open **Event Viewer**. -2. In the console tree, expand **Applications and Services Logs**, then **Microsoft**, then **Windows**, then **Microsoft Defender Antivirus**. +2. In the console tree, expand **Applications and Services Logs**, then **Microsoft**, then **Windows**, then **Windows Defender**. 3. Double-click on **Operational**. 4. In the details pane, view the list of individual events to find your event. 5. Click the event to see specific details about an event in the lower pane, under the **General** and **Details** tabs. diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-reporting.md b/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-reporting.md index 43310f4b21..936180ce74 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-reporting.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-reporting.md 
@@ -3,7 +3,6 @@ title: Troubleshoot problems with reporting tools for Microsoft Defender AV description: Identify and solve common problems when attempting to report in Microsoft Defender AV protection status in Update Compliance keywords: troubleshoot, error, fix, update compliance, oms, monitor, report, Microsoft Defender AV search.product: eADQiWindows 10XVcnh -ms.pagetype: security ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library @@ -18,6 +17,9 @@ manager: dansimp # Troubleshoot Microsoft Defender Antivirus reporting in Update Compliance +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus.md index 266e82be31..761dd08cfa 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus.md @@ -1,13 +1,11 @@ --- title: Configure Microsoft Defender Antivirus with Group Policy -description: Configure Microsoft Defender Antivirus settings with Group Policy +description: Learn how to use a Group Policy to configure and manage Microsoft Defender Antivirus on your endpoints in Microsoft Defender ATP. keywords: group policy, GPO, configuration, settings search.product: eADQiWindows 10XVcnh -ms.pagetype: security ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium author: denisebmsft ms.author: deniseb 
@@ -19,6 +17,9 @@ manager: dansimp # Use Group Policy settings to configure and manage Microsoft Defender Antivirus +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/use-intune-config-manager-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/use-intune-config-manager-microsoft-defender-antivirus.md index 37d31d6dc7..b32ee0bc06 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/use-intune-config-manager-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/use-intune-config-manager-microsoft-defender-antivirus.md @@ -3,7 +3,6 @@ title: Configure Microsoft Defender Antivirus with Configuration Manager and Int description: Use Microsoft Endpoint Configuration Manager and Microsoft Intune to configure Microsoft Defender AV and Endpoint Protection keywords: scep, intune, endpoint protection, configuration search.product: eADQiWindows 10XVcnh -ms.pagetype: security ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library @@ -19,6 +18,9 @@ manager: dansimp # Use Microsoft Endpoint Configuration Manager and Microsoft Intune to configure and manage Microsoft Defender Antivirus +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus.md index 6c5cb6074b..3dc5e33650 100644 
--- a/windows/security/threat-protection/microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus.md @@ -3,7 +3,6 @@ title: Use PowerShell cmdlets to configure and run Microsoft Defender AV description: In Windows 10, you can use PowerShell cmdlets to run scans, update Security intelligence, and change settings in Microsoft Defender Antivirus. keywords: scan, command line, mpcmdrun, defender search.product: eADQiWindows 10XVcnh -ms.pagetype: security ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library @@ -19,6 +18,9 @@ manager: dansimp # Use PowerShell cmdlets to configure and manage Microsoft Defender Antivirus +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus.md index 5a54bd4546..a517c3bd60 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus.md @@ -1,9 +1,8 @@ --- title: Configure Microsoft Defender Antivirus with WMI -description: Use WMI scripts to configure Microsoft Defender AV. +description: Learn how to configure and manage Microsoft Defender Antivirus by using WMI scripts to retrieve, modify, and update settings in Microsoft Defender ATP. keywords: wmi, scripts, windows management instrumentation, configuration search.product: eADQiWindows 10XVcnh -ms.pagetype: security ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library 
@@ -19,6 +18,9 @@ manager: dansimp # Use Windows Management Instrumentation (WMI) to configure and manage Microsoft Defender Antivirus +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md index e998e86722..b24a051f44 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md @@ -3,11 +3,9 @@ title: Use next-generation technologies in Microsoft Defender Antivirus through description: next-generation technologies in cloud-delivered protection provide an advanced level of fast, robust antivirus detection. keywords: Microsoft Defender Antivirus, next-generation technologies, next-generation av, machine learning, antimalware, security, defender, cloud, cloud-delivered protection search.product: eADQiWindows 10XVcnh -ms.pagetype: security ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium author: denisebmsft ms.author: deniseb 
@@ -18,13 +16,16 @@ ms.custom: nextgen # Use next-generation technologies in Microsoft Defender Antivirus through cloud-delivered protection +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- Microsoft Defender Antivirus Microsoft next-generation technologies in Microsoft Defender Antivirus provide near-instant, automated protection against new and emerging threats. To dynamically identify new threats, these technologies work with large sets of interconnected data in the Microsoft Intelligent Security Graph and powerful artificial intelligence (AI) systems driven by advanced machine learning models. -Microsoft Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, real-time, and intelligent protection. [Get to know the advanced technologies at the core of Microsoft Defender ATP next generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/). +Microsoft Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, real-time, and intelligent protection. [Get to know the advanced technologies at the core of Microsoft Defender ATP next-generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/). ![List of Microsoft Defender AV engines](images/microsoft-defender-atp-next-generation-protection-engines.png) To take advantage of the power and speed of these next-generation technologies, Microsoft Defender Antivirus works seamlessly with Microsoft cloud services. 
These cloud protection services, also referred to as Microsoft Advanced Protection Service (MAPS), enhances standard real-time protection, providing arguably the best antivirus defense. diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/why-use-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/why-use-microsoft-defender-antivirus.md index 51cc0fbe72..dc28f1eb2f 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/why-use-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/why-use-microsoft-defender-antivirus.md @@ -3,11 +3,9 @@ title: "Why you should use Microsoft Defender Antivirus together with Microsoft description: "For best results, use Microsoft Defender Antivirus together with your other Microsoft offerings." keywords: windows defender, antivirus, third party av search.product: eADQiWindows 10XVcnh -ms.pagetype: security ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium audience: ITPro ms.topic: article @@ -20,6 +18,9 @@ manager: dansimp # Better together: Microsoft Defender Antivirus and Microsoft Defender Advanced Threat Protection +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp) diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/TOC.md b/windows/security/threat-protection/microsoft-defender-application-guard/TOC.md index 35f40da2a5..52b3bb034e 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/TOC.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/TOC.md 
@@ -4,4 +4,5 @@
 ## [Install WDAG](install-md-app-guard.md)
 ## [Configure WDAG policies](configure-md-app-guard.md)
 ## [Test scenarios](test-scenarios-md-app-guard.md)
+## [Microsoft Defender Application Guard Extension](md-app-guard-browser-extension.md)
 ## [FAQ](faq-md-app-guard.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md
index c719d57d20..372d0b750f 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md
@@ -8,7 +8,7 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: denisebmsft
 ms.author: deniseb
-ms.date: 06/02/2020
+ms.date: 09/14/2020
 ms.reviewer:
 manager: dansimp
 ms.custom: asr
@@ -43,16 +43,20 @@ Depending on your organization's settings, employees can copy and paste images ( ### Why don't employees see their Favorites in the Application Guard Edge session? -To help keep the Application Guard Edge session secure and isolated from the host device, we don't copy the Favorites stored in the Application Guard Edge session back to the host device. +To help keep the Application Guard Edge session secure and isolated from the host device, favorites that are stored in an Application Guard Edge session are not copied to the host device. -### Why aren’t employees able to see their Extensions in the Application Guard Edge session? +### Are extensions supported in the Application Guard? -Currently, the Application Guard Edge session doesn't support Extensions. However, we're closely monitoring your feedback about this. +Extension installs in the container are supported from Microsoft Edge version 81. For more details, see [Extension support inside the container](https://docs.microsoft.com/deployedge/microsoft-edge-security-windows-defender-application-guard#extension-support-inside-the-container). ### How do I configure Microsoft Defender Application Guard to work with my network proxy (IP-Literal Addresses)? Microsoft Defender Application Guard requires proxies to have a symbolic name, not just an IP address. IP-Literal proxy settings such as `192.168.1.4:81` can be annotated as `itproxy:81` or using a record such as `P19216810010` for a proxy with an IP address of `192.168.100.10`. This applies to Windows 10 Enterprise edition 1709 or higher. These would be for the proxy policies under Network Isolation in Group Policy or Intune. +If Application Guard is used with network proxies, they need to be specified by fully qualified domain name (FQDN) in the system proxy settings (likewise in a PAC script if that is the type of proxy configuration used). Additionally these proxies need to be marked as *neutral* in the **Application trust** list. 
The FQDNs for the PAC file and the proxy servers the PAC file redirects to must be added as neutral resources in the network isolation policies that are used by Application Guard. You can verify this by going to `edge://application-guard-internals/#utilities` and entering the FQDN for the pac/proxy in the **check url trust** field. Verify that it says *Neutral.* + +Optionally, if possible, the IP addresses associated with the server hosting the above should be removed from the enterprise IP ranges in the network isolation policies that are used by Application Guard. Additionally, go to `edge://application-guard-internals/#utilities` to view the Application Guard proxy configuration. This step can be done in both the host and within Application Guard to verify that each side is using the proxy setup you expect. + ### Which Input Method Editors (IME) in 19H1 are not supported? The following Input Method Editors (IME) introduced in Windows 10, version 1903 are currently not supported in Microsoft Defender Application Guard. 
@@ -83,29 +87,29 @@ To trust a subdomain, you must precede your domain with two dots, for example: ` ### Are there differences between using Application Guard on Windows Pro vs Windows Enterprise? -When using Windows Pro or Windows Enterprise, you will have access to using Application Guard's Standalone Mode. However, when using Enterprise you will have access to Application Guard's Enterprise-Managed Mode. This mode has some extra features that the Standalone Mode does not. For more information, see [Prepare to install Microsoft Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard). +When using Windows Pro or Windows Enterprise, you will have access to using Application Guard's standalone mode. However, when using Windows Enterprise you will have access to Application Guard's enterprise-managed mode. This mode has some extra features that the standalone Mode does not. For more information, see [Prepare to install Microsoft Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard). ### Is there a size limit to the domain lists that I need to configure? -Yes, both the Enterprise Resource domains hosted in the cloud and the Domains categorized as both work and personal have a 16383B limit. +Yes, both the enterprise resource domains hosted in the cloud and the domains categorized as both work and personal have a 16383B limit. ### Why does my encryption driver break Microsoft Defender Application Guard? -Microsoft Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, WDAG will not work and result in an error message ("0x80070013 ERROR_WRITE_PROTECT"). 
+Microsoft Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, Microsoft Defender Application Guard will not work, and will result in an error message (*0x80070013 ERROR_WRITE_PROTECT*). -### Why do the Network Isolation policies in Group Policy and CSP look different? +### Why do the network isolation policies in Group Policy and CSP look different? -There is not a one-to-one mapping among all the Network Isolation policies between CSP and GP. Mandatory network isolation policies to deploy WDAG are different between CSP and GP. +There is not a one-to-one mapping among all the network isolation policies between CSP and GP. Mandatory network isolation policies to deploy WDAG are different between CSP and GP. Mandatory network isolation GP policy to deploy WDAG: "DomainSubnets or CloudResources" Mandatory network isolation CSP policy to deploy WDAG: "EnterpriseCloudResources or (EnterpriseIpRange and EnterpriseNetworkDomainNames)" For EnterpriseNetworkDomainNames, there is no mapped CSP policy. -Windows Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, WDAG will not work and result in an error message (`0x80070013 ERROR_WRITE_PROTECT`). +Microsoft Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, WDAG will not work and result in an error message (*0x80070013 ERROR_WRITE_PROTECT*). ### Why did Application Guard stop working after I turned off hyperthreading? 
-If hyperthreading is disabled (because of an update applied through a KB article or through BIOS settings), there is a possibility Application Guard no longer meets the minimum requirements. +If hyperthreading is disabled (because of an update applied through a KB article or through BIOS settings), there is a possibility that Microsoft Defender Application Guard no longer meets the minimum requirements. ### Why am I getting the error message ("ERROR_VIRTUAL_DISK_LIMITATION")? @@ -119,8 +123,8 @@ For guidance on how to create a firewall rule by using group policy, see: - [Open Group Policy management console for Microsoft Defender Firewall](https://docs.microsoft.com/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security) First rule (DHCP Server): -1. Program path: %SystemRoot%\System32\svchost.exe -2. Local Service: Sid: S-1-5-80-2009329905-444645132-2728249442-922493431-93864177 (Internet Connection Service (SharedAccess)) +1. Program path: `%SystemRoot%\System32\svchost.exe` +2. Local Service: Sid: `S-1-5-80-2009329905-444645132-2728249442-922493431-93864177` (Internet Connection Service (SharedAccess)) 3. Protocol UDP 4. Port 67 
@@ -139,7 +143,7 @@ In the Microsoft Defender Firewall user interface go through the following steps ### Why can I not launch Application Guard when Exploit Guard is enabled? -There is a known issue where if you change the Exploit Protection settings for CFG and possibly others, hvsimgr cannot launch. To mitigate this issue, go to Windows Security-> App and Browser control -> Exploit Protection Setting -> switch CFG to the “use default". +There is a known issue where if you change the Exploit Protection settings for CFG and possibly others, hvsimgr cannot launch. To mitigate this issue, go to **Windows Security** > **App and Browser control** > **Exploit Protection Setting**, and then switch CFG to the **use default**. ### How can I have ICS in enabled state yet still use Application Guard? 
@@ -148,14 +152,31 @@ This is a two step process. Step 1: -Enable Internet Connection sharing by changing the Group Policy setting “Prohibit use of Internet Connection Sharing on your DNS domain network” which is part of the MS Security baseline from Enabled to Disabled. +Enable Internet Connection sharing by changing the Group Policy setting **Prohibit use of Internet Connection Sharing on your DNS domain network.** This setting is part of the Microsoft security baseline. Change it from **Enabled** to **Disabled**. Step 2: -1. Disable IpNat.sys from ICS load -System\CurrentControlSet\Services\SharedAccess\Parameters\DisableIpNat = 1 -2. Configure ICS (SharedAccess) to enabled -HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Start = 3 -3. Disabling IPNAT (Optional) -HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPNat\Start = 4 -4. Reboot. +1. Disable IpNat.sys from ICS load: +`System\CurrentControlSet\Services\SharedAccess\Parameters\DisableIpNat = 1`. +2. Configure ICS (SharedAccess) to enabled: +`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Start = 3`. +3. Disable IPNAT (Optional): +`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPNat\Start = 4`. +4. Restart the device. + +### Why doesn't Application Guard work, even though it's enabled through Group Policy? + +Application Guard must meet all these prerequisites to be enabled in Enterprise mode: [System requirements for Microsoft Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard). +To understand why it is not enabled in Enterprise mode, check the status of the evaluation to understand what's missing. + +For CSP (Intune) you can query the status node by using **Get**. This is described in the [Application Guard CSP](https://docs.microsoft.com/windows/client-management/mdm/windowsdefenderapplicationguard-csp). 
On this page, you will see the **status** node as well as the meaning of each bit. If the status is not 63, you are missing a prerequisite.
+
+For Group Policy you need to look at the registry. See **Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HVSIGP** Status. The meaning of each bit is the same as the CSP.
+
+### I'm encountering TCP fragmentation issues, and cannot enable my VPN connection. How do I fix this?
+
+WinNAT drops ICMP/UDP messages with packets greater than MTU when using Default Switch or Docker NAT network. Support for this has been added in [KB4571744](https://www.catalog.update.microsoft.com/Search.aspx?q=4571744). To fix the issue, install the update and enable the fix by following these steps:
+
+1. Ensure that the FragmentAware DWORD is set to 1 in this registry setting: `\Registry\Machine\SYSTEM\CurrentControlSet\Services\Winnat`.
+
+2. Reboot the device.
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/images/app-guard-chrome-extension-evaluation-page.png b/windows/security/threat-protection/microsoft-defender-application-guard/images/app-guard-chrome-extension-evaluation-page.png
new file mode 100644
index 0000000000..4ad77f8a06
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-application-guard/images/app-guard-chrome-extension-evaluation-page.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/images/app-guard-chrome-extension-launchIng-edge.png b/windows/security/threat-protection/microsoft-defender-application-guard/images/app-guard-chrome-extension-launchIng-edge.png
new file mode 100644
index 0000000000..25e3ef533b
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-application-guard/images/app-guard-chrome-extension-launchIng-edge.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/images/app-guard-chrome-extension-new-app-guard-page.png b/windows/security/threat-protection/microsoft-defender-application-guard/images/app-guard-chrome-extension-new-app-guard-page.png
new file mode 100644
index 0000000000..779f647b33
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-application-guard/images/app-guard-chrome-extension-new-app-guard-page.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-gp-turn-on.png b/windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-gp-turn-on.png
index 1afbd303b0..7ee172b509 100644
Binary files a/windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-gp-turn-on.png and b/windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-gp-turn-on.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-browser-extension.md b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-browser-extension.md
new file mode 100644
index 0000000000..d01a2ef115
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-browser-extension.md
@@ -0,0 +1,98 @@
+---
+title: Microsoft Defender Application Guard Extension
+description: Learn about the Microsoft Defender Application Guard browser extension, which extends Application Guard's protection to more web browsers.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+author: martyav
+ms.author: v-maave
+ms.date: 06/12/2020
+ms.reviewer:
+manager: dansimp
+ms.custom: asr
+---
+
+# Microsoft Defender Application Guard Extension
+
+**Applies to:**
+
+- Windows 10
+
+[Microsoft Defender Application Guard Extension](https://www.microsoft.com/security/blog/2019/05/23/new-browser-extensions-for-integrating-microsofts-hardware-based-isolation/) is a web browser add-on available for [Chrome](https://chrome.google.com/webstore/detail/application-guard-extensi/mfjnknhkkiafjajicegabkbimfhplplj/) and [Firefox](https://addons.mozilla.org/en-US/firefox/addon/application-guard-extension/).
+
+[Microsoft Defender Application Guard](md-app-guard-overview.md) provides Hyper-V isolation on Windows 10, to protect users from potentially harmful content on the web. The extension helps Application Guard protect users running other web browsers.
+
+> [!TIP]
+> Application Guard, by default, offers [native support](https://docs.microsoft.com/deployedge/microsoft-edge-security-windows-defender-application-guard) to both Microsoft Edge and Internet Explorer. These browsers do not need the extension described here for Application Guard to protect them.
+
+Microsoft Defender Application Guard Extension defends devices in your organization from advanced attacks, by redirecting untrusted websites to an isolated version of [Microsoft Edge](https://www.microsoft.com/edge). If an untrusted website turns out to be malicious, it remains within Application Guard's secure container, keeping the device protected.
+
+## Prerequisites
+
+Microsoft Defender Application Guard Extension works with the following editions of Windows 10, version 1803 or later:
+
+- Windows 10 Professional
+- Windows 10 Enterprise
+- Windows 10 Education
+
+Application Guard itself is required for the extension to work. It has its own set of [requirements](reqs-md-app-guard.md). Check the Application Guard [installation guide](install-md-app-guard.md) for further steps, if you don't have it installed already.
+
+## Installing the extension
+
+Application Guard can be run under [managed mode](install-md-app-guard.md#enterprise-managed-mode) or [standalone mode](install-md-app-guard.md#standalone-mode). The main difference between the two modes is whether policies have been set to define the organization's boundaries.
+
+Enterprise administrators running Application Guard under managed mode should first define Application Guard's [network isolation settings](configure-md-app-guard.md#network-isolation-settings), so a set of enterprise sites is already in place.
+
+From there, the steps for installing the extension are similar whether Application Guard is running in managed or standalone mode.
+
+1. On the local device, download and install the Application Guard extension for Google [Chrome](https://chrome.google.com/webstore/detail/application-guard-extensi/mfjnknhkkiafjajicegabkbimfhplplj/) and/or Mozilla [Firefox](https://addons.mozilla.org/en-US/firefox/addon/application-guard-extension/).
+1. Install the [Windows Defender Application Guard companion app](https://www.microsoft.com/p/windows-defender-application-guard-companion/9n8gnlc8z9c8#activetab=pivot:overviewtab) from the Microsoft Store. This companion app enables Application Guard to work with web browsers other than Microsoft Edge or Internet Explorer.
+1. Restart the device.
+
+### Recommended browser group policies
+
+Both Chrome and Firefox have their own browser-specific group policies. 
We recommend that admins use the following policy settings. + +#### Chrome policies + +These policies can be found along the filepath, *Software\Policies\Google\Chrome\\*, with each policy name corresponding to the file name (e.g., IncognitoModeAvailability is located at *Software\Policies\Google\Chrome\IncognitoModeAvailability*). + +Policy name | Values | Recommended setting | Reason +-|-|-|- +[IncognitoModeAvailability](https://cloud.google.com/docs/chrome-enterprise/policies/?policy=IncognitoModeAvailability) | `0` = Enabled
                        `1` = Disabled
                        `2` = Forced (i.e. forces pages to only open in Incognito mode) | Disabled | This policy allows users to start Chrome in Incognito mode. In this mode, all extensions are turned off by default. +[BrowserGuestModeEnabled](https://cloud.google.com/docs/chrome-enterprise/policies/?policy=BrowserGuestModeEnabled) | `false` or `0` = Disabled
                        `true`, `1`, or not configured = Enabled | Disabled | This policy allows users to login as *Guest*, which opens a session in Incognito mode. In this mode, all extensions are turned off by default. +[BackgroundModeEnabled](https://cloud.google.com/docs/chrome-enterprise/policies/?policy=BackgroundModeEnabled) | `false` or `0` = Disabled
                        `true` or `1` = Enabled

                        **Note:** If this policy is not set, the user can enable or disable background mode through local browser settings. | Enabled | This policy keeps Chrome running in the background, ensuring that navigation is always passed to the extension. +[ExtensionSettings](https://cloud.google.com/docs/chrome-enterprise/policies/?policy=ExtensionSettings) | This policy accepts a dictionary that configures multiple other management settings for Chrome. See the [Google Cloud documentation](https://cloud.google.com/docs/chrome-enterprise/policies/?policy=ExtensionSettings) for complete schema. | Include an entry for `force_installed` | This policy prevents users from manually removing the extension. + +#### Firefox policies + +These policies can be found along the filepath, *Software\Policies\Mozilla\Firefox\\*, with each policy name corresponding to the file name (e.g., DisableSafeMode is located at *Software\Policies\Mozilla\Firefox\DisableSafeMode*). + +Policy name | Values | Recommended setting | Reason +-|-|-|- +[DisableSafeMode](https://github.com/mozilla/policy-templates/blob/master/README.md#DisableSafeMode) | `false` or `0` = Safe mode is enabled
                        `true` or `1` = Safe mode is disabled | True (i.e. the policy is enabled and Safe mode is *not* allowed to run) | Safe mode can allow users to circumvent Application Guard +[BlockAboutConfig](https://github.com/mozilla/policy-templates/blob/master/README.md#BlockAboutConfig) | `false` or `0` = User access to *about:config* is allowed
                        `true` or `1` = User access to *about:config* is not allowed | True (i.e. the policy is enabled and access to about:config is *not* allowed) | *About:config* is a special page within Firefox that offers control over many settings that may compromise security +[Extensions - Locked](https://github.com/mozilla/policy-templates/blob/master/README.md#Extensions) | This setting accepts a list of UUIDs for extensions (these can be found by searching `extensions.webextensions.uuids` within the about:config page) | Software\Policies\Mozilla\Firefox\Extensions\Locked\1 = "`ApplicationGuardRel@microsoft.com`" | This setting allows you to lock the extension, so the user cannot disable or uninstall it. + +## Troubleshooting guide + + + +Error message | Cause | Actions +-|-|- +Application Guard undetermined state | The extension was unable to communicate with the companion app during the last information request. | 1. Install the [companion app](https://www.microsoft.com/p/windows-defender-application-guard-companion/9n8gnlc8z9c8?activetab=pivot:overviewtab) and reboot
                        2. If the companion app is already installed, reboot and see if that resolves the error
                        3. If you still see the error after rebooting, uninstall and re-install the companion app
                        4. Check for updates in both the Microsoft store and the respective web store for the affected browser +ExceptionThrown | An unexpected exception was thrown. | 1. [File a bug](https://aka.ms/wdag-fb)
                        2. Retry the operation +Failed to determine if Application Guard is enabled | The extension was able to communicate with the companion app, but the information request failed in the app. | 1. Restart the browser
                        2. Check for updates in both the Microsoft store and the respective web store for the affected browser +Launch in WDAG failed with a companion communication error | The extension couldn't talk to the companion app, but was able to at the beginning of the session. This can be caused by the companion app being uninstalled while Chrome was running. | 1. Make sure the companion app is installed
                        2. If the companion app is installed, reboot and see if that resolves the error
                        3. If you still see the error after rebooting, uninstall and re-install the companion app
                        4. Check for updates in both the Microsoft store and the respective web store for the affected browser +Main page navigation caught an unexpected error | An unexpected exception was thrown during the main page navigation. | 1. [File a bug](https://aka.ms/wdag-fb)
                        2. Retry the operation +Process trust response failed with a companion communication error | The extension couldn't talk to the companion app, but was able to at the beginning of the session. This can be caused by the companion app being uninstalled while Chrome was running.| 1. Make sure the companion app is installed.
                        2. If the companion app is installed, reboot and see if that resolves the error
                        3. If you still see the error after rebooting, uninstall and re-install the companion app
                        4. Check for updates in both the Microsoft store and the respective web store for the affected browser +Protocol out of sync | The extension and native app cannot communicate with each other. This is likely caused by one being updated without supporting the protocol of the other. | Check for updates in both the Microsoft store, and the web store for the affected browser +Security patch level does not match | Microsoft determined that there was a security issue with either the extension or the companion app, and has issued a mandatory update. | Check for updates in both the Microsoft store, and the web store for the affected browser +Unexpected response while processing trusted state | The extension was able to communicate with the companion app, but the API failed and a failure response code was sent back to the extension. | 1. [File a bug](https://aka.ms/wdag-fb)
                        2. Check if Edge is working
                        3. Retry the operation + +## Related articles + +- [Microsoft Defender Application Guard overview](md-app-guard-overview.md) +- [Testing scenarios using Microsoft Defender Application Guard in your business or organization](test-scenarios-md-app-guard.md) diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md index 9a278e3b9b..04d381db5b 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md @@ -8,7 +8,7 @@ ms.pagetype: security ms.localizationpriority: medium author: denisebmsft ms.author: deniseb -ms.date: 03/28/2019 +ms.date: 09/07/2020 ms.reviewer: manager: dansimp ms.custom: asr @@ -18,7 +18,8 @@ ms.custom: asr **Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -Microsoft Defender Application Guard (Application Guard) is designed to help prevent old and newly emerging attacks to help keep employees productive. Using our unique hardware isolation approach, our goal is to destroy the playbook that attackers use by making current attack methods obsolete. + +Microsoft Defender Application Guard (Application Guard) is designed to help prevent old and newly emerging attacks to help keep employees productive. Using our unique hardware isolation approach, our goal is to destroy the playbook that attackers use by making current attack methods obsolete. ## What is Application Guard and how does it work? 
@@ -42,10 +43,11 @@ Application Guard has been created to target several types of systems: ## Related articles -|Article |Description | -|------|------------| +|Article | Description | +|--------|-------------| |[System requirements for Microsoft Defender Application Guard](reqs-md-app-guard.md) |Specifies the prerequisites necessary to install and use Application Guard.| |[Prepare and install Microsoft Defender Application Guard](install-md-app-guard.md) |Provides instructions about determining which mode to use, either Standalone or Enterprise-managed, and how to install Application Guard in your organization.| |[Configure the Group Policy settings for Microsoft Defender Application Guard](configure-md-app-guard.md) |Provides info about the available Group Policy and MDM settings.| |[Testing scenarios using Microsoft Defender Application Guard in your business or organization](test-scenarios-md-app-guard.md)|Provides a list of suggested testing scenarios that you can use to test Application Guard in your organization.| +| [Microsoft Defender Application Guard Extension for web browsers](md-app-guard-browser-extension.md) | Describes the Application Guard extension for Chrome and Firefox, including known issues, and a trouble-shooting guide | |[Frequently asked questions - Microsoft Defender Application Guard](faq-md-app-guard.md)|Provides answers to frequently asked questions about Application Guard features, integration with the Windows operating system, and general configuration.| diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md index e2a6d3e0ec..1b3e19b06b 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md 
@@ -10,69 +10,68 @@ author: denisebmsft ms.author: deniseb ms.reviewer: manager: dansimp +ms.date: 09/14/2020 ms.custom: asr --- # Application Guard testing scenarios +**Applies to:** -**Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - We've come up with a list of scenarios that you can use to test hardware-based isolation in your organization. - ## Application Guard in standalone mode You can see how an employee would use standalone mode with Application Guard. ### To test Application Guard in Standalone mode -1. [Install Application Guard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard). +1. [Install Application Guard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard). -2. Restart the device, start Microsoft Edge, and then click **New Application Guard window** from the menu. +2. Restart the device, start Microsoft Edge, and then select **New Application Guard window** from the menu. ![New Application Guard window setting option](images/appguard-new-window.png) - + 3. Wait for Application Guard to set up the isolated environment. >[!NOTE] - >Starting Application Guard too quickly after restarting the device might cause it to take a bit longer to load. However, subsequent starts should occur without any perceivable delays. - + >Starting Application Guard too quickly after restarting the device might cause it to take a bit longer to load. However, subsequent starts should occur without any perceivable delays. + 4. Go to an untrusted, but safe URL (for this example, we used msn.com) and view the new Microsoft Edge window, making sure you see the Application Guard visual cues. 
![Untrusted website running in Application Guard](images/appguard-visual-cues.png) -## Application Guard in Enterprise-managed mode +## Application Guard in Enterprise-managed mode How to install, set up, turn on, and configure Application Guard for Enterprise-managed mode. ### Install, set up, and turn on Application Guard -Before you can use Application Guard in enterprise mode, you must install Windows 10 Enterprise edition, version 1709, which includes the functionality. Then, you must use Group Policy to set up the required settings. +Before you can use Application Guard in managed mode, you must install Windows 10 Enterprise edition, version 1709, which includes the functionality. Then, you must use Group Policy to set up the required settings. 1. [Install Application Guard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard#install-application-guard). -2. Restart the device and then start Microsoft Edge. +2. Restart the device, and then start Microsoft Edge. 3. Set up the Network Isolation settings in Group Policy: - a. Click on the **Windows** icon, type _Group Policy_, and then click **Edit Group Policy**. - + a. Click on the **Windows** icon, type `Group Policy`, and then click **Edit Group Policy**. + b. Go to the **Administrative Templates\Network\Network Isolation\Enterprise resource domains hosted in the cloud** setting. - c. For the purposes of this scenario, type _.microsoft.com_ into the **Enterprise cloud resources** box. + c. For the purposes of this scenario, type `.microsoft.com` into the **Enterprise cloud resources** box. ![Group Policy editor with Enterprise cloud resources setting](images/appguard-gp-network-isolation.png) d. Go to the **Administrative Templates\Network\Network Isolation\Domains categorized as both work and personal** setting. - e. For the purposes of this scenario, type _bing.com_ into the **Neutral resources** box. + e. 
For the purposes of this scenario, type `bing.com` into the **Neutral resources** box. ![Group Policy editor with Neutral resources setting](images/appguard-gp-network-isolation-neutral.png) -4. Go to the **Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard\Turn on Microsoft Defender Application Guard in Enterprise Mode** setting. +4. Go to the **Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard\Turn on Microsoft Defender Application Guard in Managed Mode** setting. 5. Click **Enabled**, choose Option **1**, and click **OK**. @@ -81,14 +80,14 @@ Before you can use Application Guard in enterprise mode, you must install Window >[!NOTE] >Enabling this setting verifies that all the necessary settings are properly configured on your employee devices, including the network isolation settings set earlier in this scenario. -6. Start Microsoft Edge and type www.microsoft.com. - +6. Start Microsoft Edge and type `https://www.microsoft.com`. + After you submit the URL, Application Guard determines the URL is trusted because it uses the domain you've marked as trusted and shows the site directly on the host PC instead of in Application Guard. ![Trusted website running on Microsoft Edge](images/appguard-turned-on-with-trusted-site.png) 7. In the same Microsoft Edge browser, type any URL that isn't part of your trusted or neutral site lists. - + After you submit the URL, Application Guard determines the URL is untrusted and redirects the request to the hardware-isolated environment. ![Untrusted website running in Application Guard](images/appguard-visual-cues.png) 
@@ -108,6 +107,7 @@ Application Guard provides the following default behavior for your employees: You have the option to change each of these settings to work with your enterprise from within Group Policy. **Applies to:** + - Windows 10 Enterprise edition, version 1709 or higher - Windows 10 Professional edition, version 1803 @@ -116,24 +116,24 @@ You have the option to change each of these settings to work with your enterpris 1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard\Configure Microsoft Defender Application Guard clipboard settings**. 2. Click **Enabled** and click **OK**. - + ![Group Policy editor clipboard options](images/appguard-gp-clipboard.png) 3. Choose how the clipboard works: - + - Copy and paste from the isolated session to the host PC - + - Copy and paste from the host PC to the isolated session - + - Copy and paste both directions 4. Choose what can be copied: - - - **1.** Only text can be copied between the host PC and the isolated container. - - **2.** Only images can be copied between the host PC and the isolated container. + - Only text can be copied between the host PC and the isolated container. - - **3.** Both text and images can be copied between the host PC and the isolated container. + - Only images can be copied between the host PC and the isolated container. + + - Both text and images can be copied between the host PC and the isolated container. 5. Click **OK**. 
@@ -156,21 +156,26 @@ You have the option to change each of these settings to work with your enterpris 2. Click **Enabled** and click **OK**. ![Group Policy editor Data Persistence options](images/appguard-gp-persistence.png) - + 3. Open Microsoft Edge and browse to an untrusted, but safe URL. - The website opens in the isolated session. + The website opens in the isolated session. 4. Add the site to your **Favorites** list and then close the isolated session. -5. Log out and back on to your device, opening Microsoft Edge in Application Guard again. +5. Log out and back on to your device, opening Microsoft Edge in Application Guard again. The previously added site should still appear in your **Favorites** list. - >[!NOTE] - >If you don't allow or turn off data persistence, restarting a device or logging in and out of the isolated container triggers a recycle event that discards all generated data, including session cookies, Favorites, and so on, removing the data from Application Guard. If you turn on data persistence, all employee-generated artifacts are preserved across container recycle events. However, these artifacts only exist in the isolated container and aren't shared with the host PC. This data persists after restarts and even through build-to-build upgrades of Windows 10.

                        If you turn on data persistence, but later decide to stop supporting it for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.

                        **To reset the container, follow these steps:**
                        1. Open a command-line program and navigate to Windows/System32.
                        2. Type `wdagtool.exe cleanup`. The container environment is reset, retaining only the employee-generated data.
                        3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`. The container environment is reset, including discarding all employee-generated data. - + > [!NOTE] + > If you don't allow or turn off data persistence, restarting a device or logging in and out of the isolated container triggers a recycle event that discards all generated data, including session cookies, Favorites, and so on, removing the data from Application Guard. If you turn on data persistence, all employee-generated artifacts are preserved across container recycle events. However, these artifacts only exist in the isolated container and aren't shared with the host PC. This data persists after restarts and even through build-to-build upgrades of Windows 10. + > + > If you turn on data persistence, but later decide to stop supporting it for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data. + > + > **To reset the container, follow these steps:**
                        1. Open a command-line program and navigate to Windows/System32.
                        2. Type `wdagtool.exe cleanup`. The container environment is reset, retaining only the employee-generated data.
                        3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`. The container environment is reset, including discarding all employee-generated data. + **Applies to:** + - Windows 10 Enterprise edition, version 1803 - Windows 10 Professional edition, version 1803 @@ -181,10 +186,10 @@ You have the option to change each of these settings to work with your enterpris 2. Click **Enabled** and click **OK**. ![Group Policy editor Download options](images/appguard-gp-download.png) - + 3. Log out and back on to your device, opening Microsoft Edge in Application Guard again. -4. Download a file from Microsoft Defender Application Guard. +4. Download a file from Microsoft Defender Application Guard. 5. Check to see the file has been downloaded into This PC > Downloads > Untrusted files. @@ -195,12 +200,13 @@ You have the option to change each of these settings to work with your enterpris 2. Click **Enabled** and click **OK**. ![Group Policy editor hardware acceleration options](images/appguard-gp-vgpu.png) - -3. Once you have enabled this feature, open Microsoft Edge and browse to an untrusted, but safe URL with video, 3D, or other graphics-intensive content. The website opens in an isolated session. -4. Assess the visual experience and battery performance. +3. Once you have enabled this feature, open Microsoft Edge and browse to an untrusted, but safe URL with video, 3D, or other graphics-intensive content. The website opens in an isolated session. + +4. Assess the visual experience and battery performance. **Applies to:** + - Windows 10 Enterprise edition, version 1809 - Windows 10 Professional edition, version 1809 
@@ -210,11 +216,11 @@ You have the option to change each of these settings to work with your enterpris 2. Click **Enabled**, set **Options** to 2, and click **OK**. - ![Group Policy editor Download options](images/appguard-gp-allow-users-to-trust-files-that-open-in-appguard.png) - + ![Group Policy editor File trust options](images/appguard-gp-allow-users-to-trust-files-that-open-in-appguard.png) + 3. Log out and back on to your device, opening Microsoft Edge in Application Guard again. -4. Open a file in Edge, such an Office 365 file. +4. Open a file in Edge, such an Office 365 file. 5. Check to see that an antivirus scan completed before the file was opened. @@ -224,11 +230,11 @@ You have the option to change each of these settings to work with your enterpris 2. Click **Enabled** and click **OK**. - ![Group Policy editor Download options](images/appguard-gp-allow-camera-and-mic.png) - + ![Group Policy editor Camera and microphone options](images/appguard-gp-allow-camera-and-mic.png) + 3. Log out and back on to your device, opening Microsoft Edge in Application Guard again. -4. Open an application with video or audio capability in Edge. +4. Open an application with video or audio capability in Edge. 5. Check that the camera and microphone work as expected. 
@@ -238,7 +244,23 @@ You have the option to change each of these settings to work with your enterpris 2. Click **Enabled**, copy the thumbprint of each certificate to share, separated by a comma, and click **OK**. - ![Group Policy editor Download options](images/appguard-gp-allow-root-certificates.png) - + ![Group Policy editor Root certificate options](images/appguard-gp-allow-root-certificates.png) + 3. Log out and back on to your device, opening Microsoft Edge in Application Guard again. +## Application Guard Extension for third-party web browsers + +The [Application Guard Extension](md-app-guard-browser-extension.md) available for Chrome and Firefox allows Application Guard to protect users even when they are running a web browser other than Microsoft Edge or Internet Explorer. + +Once a user has the extension and its companion app installed on their enterprise device, you can run through the following scenarios. + +1. Open either Firefox or Chrome — whichever browser you have the extension installed on. + +2. Navigate to an enterprise website, i.e. an internal website maintained by your organization. You might see this evaluation page for an instant before the site is fully loaded. + ![The evaluation page displayed while the page is being loaded, explaining that the user must wait](images/app-guard-chrome-extension-evaluation-page.png) + +3. Navigate to a non-enterprise, external website site, such as [www.bing.com](https://www.bing.com). The site should be redirected to Microsoft Defender Application Guard Edge. + ![A non-enterprise website being redirected to an Application Guard container -- the text displayed explains that the page is being opened in Application Guard for Microsoft Edge](images/app-guard-chrome-extension-launchIng-edge.png) + +4. 
Open a new Application Guard window, by select the Microsoft Defender Application Guard icon, then **New Application Guard Window** + ![The "New Application Guard Window" option is highlighted in red](images/app-guard-chrome-extension-new-app-guard-page.png) diff --git a/windows/security/threat-protection/microsoft-defender-atp/access-mssp-portal.md b/windows/security/threat-protection/microsoft-defender-atp/access-mssp-portal.md index 647939803c..acb5350c34 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/access-mssp-portal.md +++ b/windows/security/threat-protection/microsoft-defender-atp/access-mssp-portal.md @@ -19,6 +19,9 @@ ms.topic: article # Access the Microsoft Defender Security Center MSSP customer portal +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) @@ -53,4 +56,4 @@ Use the following steps to obtain the MSSP customer tenant ID and then use the I ## Related topics - [Grant MSSP access to the portal](grant-mssp-access.md) - [Configure alert notifications](configure-mssp-notifications.md) -- [Fetch alerts from customer tenant](fetch-alerts-mssp.md) \ No newline at end of file +- [Fetch alerts from customer tenant](fetch-alerts-mssp.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/add-or-remove-machine-tags.md b/windows/security/threat-protection/microsoft-defender-atp/add-or-remove-machine-tags.md index 07fcff8c6f..3ef821e164 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/add-or-remove-machine-tags.md +++ b/windows/security/threat-protection/microsoft-defender-atp/add-or-remove-machine-tags.md 
@@ -1,6 +1,6 @@ --- title: Add or Remove Machine Tags API -description: Use this API to Add or Remove machine tags. +description: Learn how to use the Add or Remove machine tags API to adds or remove a tag for a machine in Microsoft Defender Advanced Threat Protection. keywords: apis, graph api, supported apis, tags, machine tags search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -18,6 +18,9 @@ ms.topic: article # Add or Remove Machine Tags API +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md index d5802d8faf..16e7db9ecf 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md @@ -19,6 +19,9 @@ ms.topic: article # Configure advanced features in Microsoft Defender ATP +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) @@ -198,4 +201,4 @@ After configuring the [Security policy violation indicators](https://docs.micros - [Update data retention settings](data-retention-settings.md) - [Configure alert notifications](configure-email-notifications.md) -- [Enable and create Power BI reports using Microsoft Defender ATP data](powerbi-reports.md) + 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md index 669be788ad..55a5df13d1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md @@ -19,6 +19,9 @@ ms.topic: article # Advanced hunting query best practices +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) @@ -89,4 +92,4 @@ DeviceProcessEvents ## Related topics - [Advanced hunting overview](advanced-hunting-overview.md) - [Learn the query language](advanced-hunting-query-language.md) -- [Understand the schema](advanced-hunting-schema-reference.md) \ No newline at end of file +- [Understand the schema](advanced-hunting-schema-reference.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicealertevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicealertevents-table.md index cad9c6214b..80b4736768 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicealertevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicealertevents-table.md @@ -20,6 +20,9 @@ ms.date: 01/22/2020 # DeviceAlertEvents +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) 
@@ -50,4 +53,4 @@ For information on other tables in the advanced hunting schema, see [the advance ## Related topics - [Advanced hunting overview](advanced-hunting-overview.md) - [Learn the query language](advanced-hunting-query-language.md) -- [Understand the schema](advanced-hunting-schema-reference.md) \ No newline at end of file +- [Understand the schema](advanced-hunting-schema-reference.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceevents-table.md index a3844f8f21..33fbf6118f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceevents-table.md @@ -19,6 +19,9 @@ ms.topic: article # DeviceEvents +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefilecertificateinfo-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefilecertificateinfo-table.md index 2e1e4ccfe6..e5a328a9db 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefilecertificateinfo-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefilecertificateinfo-table.md @@ -20,6 +20,9 @@ ms.date: 01/14/2020 # DeviceFileCertificateInfo +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) 
@@ -55,4 +58,4 @@ For information on other tables in the advanced hunting schema, see [the advance ## Related topics - [Advanced hunting overview](advanced-hunting-overview.md) - [Learn the query language](advanced-hunting-query-language.md) -- [Understand the schema](advanced-hunting-schema-reference.md) \ No newline at end of file +- [Understand the schema](advanced-hunting-schema-reference.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefileevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefileevents-table.md index 351be8cfc8..246f3b70bd 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefileevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefileevents-table.md @@ -19,6 +19,9 @@ ms.topic: article # DeviceFileEvents +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceimageloadevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceimageloadevents-table.md index 2327ce1a4e..7cd8fd9ebe 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceimageloadevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceimageloadevents-table.md @@ -19,6 +19,9 @@ ms.topic: article # DeviceImageLoadEvents +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceinfo-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceinfo-table.md index cc3663977a..b939d5ba59 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceinfo-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceinfo-table.md @@ -19,6 +19,9 @@ ms.topic: article # DeviceInfo +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicelogonevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicelogonevents-table.md index 1f7e4db8a1..17b769e2f3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicelogonevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicelogonevents-table.md @@ -19,6 +19,9 @@ ms.topic: article # DeviceLogonEvents +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkevents-table.md index 3defded189..77692cf8fe 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkevents-table.md 
@@ -19,6 +19,9 @@ ms.topic: article # DeviceNetworkEvents +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) @@ -64,4 +67,4 @@ For information on other tables in the advanced hunting schema, see [the advance ## Related topics - [Advanced hunting overview](advanced-hunting-overview.md) - [Learn the query language](advanced-hunting-query-language.md) -- [Understand the schema](advanced-hunting-schema-reference.md) \ No newline at end of file +- [Understand the schema](advanced-hunting-schema-reference.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkinfo-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkinfo-table.md index 82d860e259..8d919d89c0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkinfo-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkinfo-table.md @@ -19,6 +19,9 @@ ms.topic: article # DeviceNetworkInfo +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceprocessevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceprocessevents-table.md index 4c9e3d2d15..3d7fc8a005 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceprocessevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceprocessevents-table.md 
@@ -19,6 +19,9 @@ ms.topic: article # DeviceProcessEvents +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceregistryevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceregistryevents-table.md index bff256d499..4ee7217b7c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceregistryevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceregistryevents-table.md @@ -19,6 +19,9 @@ ms.topic: article # DeviceRegistryEvents +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessment-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessment-table.md index 0b1624d685..22e4e6aa6b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessment-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessment-table.md @@ -19,6 +19,9 @@ ms.topic: article # DeviceTvmSecureConfigurationAssessment +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessmentkb-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessmentkb-table.md index a50f7b4988..d2b7ab5de4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessmentkb-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessmentkb-table.md @@ -19,6 +19,9 @@ ms.topic: article # DeviceTvmSecureConfigurationAssessmentKB +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwareinventoryvulnerabilities-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwareinventoryvulnerabilities-table.md index 6e83ac102d..a61d3499dc 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwareinventoryvulnerabilities-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwareinventoryvulnerabilities-table.md @@ -19,6 +19,9 @@ ms.topic: article # DeviceTvmSoftwareInventoryVulnerabilities +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwarevulnerabilitieskb-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwarevulnerabilitieskb-table.md index aa46c9d8a9..36a4097508 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwarevulnerabilitieskb-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwarevulnerabilitieskb-table.md @@ -19,6 +19,9 @@ ms.topic: article # DeviceTvmSoftwareVulnerabilitiesKB +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview.md index 5cd3f15a09..a34a79ae55 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview.md @@ -1,7 +1,7 @@ --- title: Overview of advanced hunting in Microsoft Defender ATP description: Use threat hunting capabilities in Microsoft Defender ATP to build queries that find threats and weaknesses in your network -keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp, search, query, telemetry, custom detections, schema, kusto +keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp, search, query, telemetry, custom detections, schema, kusto, time zone, UTC search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 
@@ -18,6 +18,9 @@ ms.topic: article --- # Proactively hunt for threats with advanced hunting + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) @@ -41,12 +44,16 @@ You can also go through each of the following steps to ramp up your advanced hun | **Learn how to use the query results** | Learn about charts and various ways you can view or export your results. Explore how you can quickly tweak queries and drill down to get richer information. | [Work with query results](advanced-hunting-query-results.md) | | **Understand the schema** | Get a good, high-level understanding of the tables in the schema and their columns. This will help you determine where to look for data and how to construct your queries. | [Schema reference](advanced-hunting-schema-reference.md) | | **Use predefined queries** | Explore collections of predefined queries covering different threat hunting scenarios. | [Shared queries](advanced-hunting-shared-queries.md) | -| **Learn about custom detections** | Understand how you can use advanced hunting queries to trigger alerts and apply response actions automatically. | - [Custom detections overview](overview-custom-detections.md)
                        - [Custom detection rules](custom-detection-rules.md) | +| **Learn about custom detections** | Understand how you can use advanced hunting queries to trigger alerts and apply response actions automatically. | - [Custom detections overview](overview-custom-detections.md)
                        - [Custom detection rules](custom-detection-rules.md) | -## Get help as you write queries -Take advantage of the following functionality to write queries faster: -- **Autosuggest** — as you write queries, advanced hunting provides suggestions from IntelliSense. -- **Schema reference** — a schema reference that includes the list of tables and their columns is provided next to your working area. For more information, hover over an item. Double-click an item to insert it to the query editor. +## Data freshness and update frequency +Advanced hunting data can be categorized into two distinct types, each consolidated differently: + +- **Event or activity data**—populates tables about alerts, security events, system events, and routine assessments. Advanced hunting receives this data almost immediately after the sensors that collect them successfully transmit them to Microsoft Defender ATP. +- **Entity data**—populates tables with consolidated information about users and devices. To provide fresh data, tables are updated every 15 minutes with any new information, adding rows that might not be fully populated. Every 24 hours, data is consolidated to insert a record that contains the latest, most comprehensive data set about each entity. + +## Time zone +All time information in advanced hunting is currently in the UTC time zone. ## Related topics - [Learn the query language](advanced-hunting-query-language.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language.md index 947c3638f3..7003a2670e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language.md 
@@ -19,6 +19,9 @@ ms.topic: article # Learn the advanced hunting query language +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) 
@@ -144,11 +147,28 @@ Data in advanced hunting tables are generally classified into the following data | `int` | 32-bit numeric value | | `long` | 64-bit numeric value | +## Get help as you write queries +Take advantage of the following functionality to write queries faster: + +- **Autosuggest**—as you write queries, advanced hunting provides suggestions from IntelliSense. +- **Schema tree**—a schema representation that includes the list of tables and their columns is provided next to your working area. For more information, hover over an item. Double-click an item to insert it to the query editor. +- **[Schema reference](advanced-hunting-schema-reference.md#get-schema-information-in-the-security-center)**—in-portal reference with table and column descriptions as well as supported event types (`ActionType` values) and sample queries + +## Work with multiple queries in the editor +The query editor can serve as your scratch pad for experimenting with multiple queries. To use multiple queries: + +- Separate each query with an empty line. +- Place the cursor on any part of a query to select that query before running it. This will run only the selected query. To run another query, move the cursor accordingly and select **Run query**. + +![Image of the advanced hunting query editor with multiple queries](images/ah-multi-query.png) +_Query editor with multiple queries_ + + ## Use sample queries The **Get started** section provides a few simple queries using commonly used operators. Try running these queries and making small modifications to them. -![Image of advanced hunting window](images/atp-advanced-hunting.png) +![Image of the advanced hunting get started tab](images/atp-advanced-hunting.png) > [!NOTE] > Apart from the basic query samples, you can also access [shared queries](advanced-hunting-shared-queries.md) for specific threat hunting scenarios. Explore the shared queries on the left side of the page or the GitHub query repository. 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-results.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-results.md index 34716e8296..97391fa308 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-results.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-results.md @@ -19,13 +19,14 @@ ms.topic: article # Work with advanced hunting query results +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink) -[!INCLUDE [Prerelease information](../../includes/prerelease.md)] - While you can construct your [advanced hunting](advanced-hunting-overview.md) queries to return very precise information, you can also work with the query results to gain further insight and investigate specific activities and indicators. You can take the following actions on your query results: - View results as a table or chart @@ -139,4 +140,4 @@ Once you apply the filter to modify the query and then run the query, the result - [Use shared queries](advanced-hunting-shared-queries.md) - [Understand the schema](advanced-hunting-schema-reference.md) - [Apply query best practices](advanced-hunting-best-practices.md) -- [Custom detections overview](overview-custom-detections.md) \ No newline at end of file +- [Custom detections overview](overview-custom-detections.md) 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md index 94c74051a1..6a0361489c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md @@ -1,6 +1,6 @@ --- title: Advanced hunting schema reference -description: Learn about the tables in the advanced hunting schema to understand the data you can run threat hunting queries on +description: Learn about the tables in the advanced hunting schema to understand the data you can run threat hunting queries on. keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, telemetry, schema reference, kusto, table, data search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -20,6 +20,9 @@ ms.date: 01/14/2020 # Understand the advanced hunting schema +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) 
@@ -29,7 +32,20 @@ ms.date: 01/14/2020 The [advanced hunting](advanced-hunting-overview.md) schema is made up of multiple tables that provide either event information or information about devices and other entities. To effectively build queries that span multiple tables, you need to understand the tables and the columns in the advanced hunting schema. -## Schema tables +## Get schema information in the security center +While constructing queries, use the built-in schema reference to quickly get the following information about each table in the schema: + +- **Tables description**—type of data contained in the table and the source of that data. +- **Columns**—all the columns in the table. +- **Action types**—possible values in the `ActionType` column representing the event types supported by the table. This is provided only for tables that contain event information. +- **Sample query**—example queries that feature how the table can be utilized. + +### Access the schema reference +To quickly access the schema reference, select the **View reference** action next to the table name in the schema representation. You can also select **Schema reference** to search for a table. + +![Image showing how to access in-portal schema reference](images/ah-reference.png) + +## Learn the schema tables The following reference lists all the tables in the advanced hunting schema. Each table name links to a page describing the column names for that table. @@ -57,3 +73,4 @@ Table and column names are also listed within the Microsoft Defender Security Ce - [Advanced hunting overview](advanced-hunting-overview.md) - [Work with query results](advanced-hunting-query-results.md) - [Learn the query language](advanced-hunting-query-language.md) +- [Advanced hunting data schema changes](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/advanced-hunting-data-schema-changes/ba-p/1043914) 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-shared-queries.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-shared-queries.md index 677a74ca65..4eb3858c7f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-shared-queries.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-shared-queries.md @@ -19,6 +19,9 @@ ms.topic: article # Use shared queries in advanced hunting +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) @@ -63,4 +66,4 @@ Microsoft security researchers regularly share advanced hunting queries in a [de ## Related topics - [Advanced hunting overview](advanced-hunting-overview.md) -- [Learn the query language](advanced-hunting-query-language.md) \ No newline at end of file +- [Learn the query language](advanced-hunting-query-language.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/alerts-queue-endpoint-detection-response.md b/windows/security/threat-protection/microsoft-defender-atp/alerts-queue-endpoint-detection-response.md index 4a29f349d6..5e96430994 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/alerts-queue-endpoint-detection-response.md +++ b/windows/security/threat-protection/microsoft-defender-atp/alerts-queue-endpoint-detection-response.md @@ -20,6 +20,9 @@ ms.date: 09/03/2018 --- # Alerts queue in Microsoft Defender Security Center + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + Learn how you can view and manage the queue so that you can effectively investigate threats seen on entities such as devices, files, or user accounts. 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md b/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md index c745548afb..9bf8d26a01 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md +++ b/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md @@ -20,6 +20,9 @@ ms.date: 03/27/2020 # View and organize the Microsoft Defender Advanced Threat Protection Alerts queue +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/microsoft-defender-atp/alerts.md b/windows/security/threat-protection/microsoft-defender-atp/alerts.md index 820026e626..67ed2be93e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/alerts.md @@ -1,6 +1,6 @@ --- title: Get alerts API -description: Retrieve recent Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) alerts. +description: Learn about the methods and properties of the Alert resource type in Microsoft Defender Advanced Threat Protection. keywords: apis, graph api, supported apis, get, alerts, recent search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -18,6 +18,9 @@ ms.topic: article # Alert resource type +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/android-configure.md b/windows/security/threat-protection/microsoft-defender-atp/android-configure.md index 9022d913df..e8bb4f8847 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/android-configure.md +++ b/windows/security/threat-protection/microsoft-defender-atp/android-configure.md @@ -19,6 +19,9 @@ ms.topic: conceptual --- # Configure Microsoft Defender ATP for Android features + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Android](microsoft-defender-atp-android.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/android-intune.md b/windows/security/threat-protection/microsoft-defender-atp/android-intune.md index d2f56eeeb1..079bb71234 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/android-intune.md +++ b/windows/security/threat-protection/microsoft-defender-atp/android-intune.md @@ -20,6 +20,9 @@ ms.topic: conceptual # Deploy Microsoft Defender ATP for Android with Microsoft Intune +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Android](microsoft-defender-atp-android.md) @@ -30,87 +33,61 @@ device](https://docs.microsoft.com/mem/intune/user-help/enroll-device-android-co > [!NOTE] -> During public preview, instructions to deploy Microsoft Defender ATP for Android on Intune enrolled Android devices are different across Device Administrator and Android Enterprise entrollment modes.
                        -> **When Microsoft Defender ATP for Android reaches General Availability (GA), the app will be available on Google Play.** +> **Microsoft Defender ATP for Android is now available on [Google Play](https://play.google.com/store/apps/details?id=com.microsoft.scmx)**
                        +> You can connect to Google Play from Intune to deploy Microsoft Defender ATP app across Device Administrator and Android Enterprise entrollment modes. + Updates to the app are automatic via Google Play. ## Deploy on Device Administrator enrolled devices **Deploy Microsoft Defender ATP for Android on Intune Company Portal - Device Administrator enrolled devices** -This topic describes how to deploy Microsoft Defender ATP for Android on Intune Company Portal - Device Administrator enrolled devices. Upgrade from the Preview APK to the GA version on Google Play would be supported. +This topic describes how to deploy Microsoft Defender ATP for Android on Intune Company Portal - Device Administrator enrolled devices. -### Download the onboarding package - -Download the onboarding package from Microsoft Defender Security Center. - -1. In [Microsoft Defender Security -Center](https://securitycenter.microsoft.com), go to **Settings** \> **Machine Management** \> **Onboarding**. - -2. In the first drop-down, select **Android** as the Operating system. - -3. Select **Download Onboarding package** and save the downloaded .APK file. - - ![Image of onboarding package page](images/onboarding_package_1.png) - -### Add as Line of Business (LOB) App - -The downloaded Microsoft Defender ATP for Android onboarding package. It is a -.APK file can be deployed to user groups as a Line of Business app during the -preview from Microsoft Endpoint Manager Admin Center. +### Add as Android store app 1. In [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) , go to **Apps** \> -**Android Apps** \> **Add \> Line-of-business app** and click **Select**. +**Android Apps** \> **Add \> Android store app** and click **Select**. - ![Image of Microsoft Endpoint Manager Admin Center](images/eba67e1a3adfec2c77c35a34cb030fba.png) + ![Image of Microsoft Endpoint Manager Admin Center](images/mda-addandroidstoreapp.png) -2. 
On the **Add app** page and in the *App Information* section, click **Select -add package file** and then click the ![Icon](images/1a62eac0222a9ba3c2fd62744bece76e.png) icon and select the MDATP Universal APK file that was downloaded from the *Download Onboarding package* step. +2. On the **Add app** page and in the *App Information* section enter: - ![Image of Microsoft Endpoint Manager Admin Center](images/e78d36e06495c2f70eb14230de6f7429.png) + - **Name** + - **Description** + - **Publisher** as Microsoft. + - **Appstore URL** as https://play.google.com/store/apps/details?id=com.microsoft.scmx (Microsoft Defender ATP app Google Play Store URL) + Other fields are optional. Select **Next**. -3. Select **OK**. + ![Image of Microsoft Endpoint Manager Admin Center](images/mda-addappinfo.png) -4. In the *App Information* section that comes up, enter the **Publisher** as -Microsoft. Other fields are optional and then select **Next**. - - ![Image of Microsoft Endpoint Manager Admin Center](images/190a979ec5b6a8f57c9067fe1304cda8.png) - -5. In the *Assignments* section, go to the **Required** section and select **Add -group.** You can then choose the user group(s) that you would like to target -Microsoft Defender ATP for Android app. Click **Select** and then **Next**. +3. In the *Assignments* section, go to the **Required** section and select **Add group.** You can then choose the user group(s) that you would like to target Microsoft Defender ATP for Android app. Click **Select** and then **Next**. >[!NOTE] >The selected user group should consist of Intune enrolled users. - ![Image of Microsoft Endpoint Manager Admin Center](images/363bf30f7d69a94db578e8af0ddd044b.png) + > [!div class="mx-imgBorder"] + > ![Image of Microsoft Endpoint Manager Admin Center](images/363bf30f7d69a94db578e8af0ddd044b.png) -6. In the **Review+Create** section, verify that all the information entered is -correct and then select **Create**. +4. 
In the **Review+Create** section, verify that all the information entered is correct and then select **Create**. - In a few moments, the Microsoft Defender ATP app would be created successfully, -and a notification would show up at the top-right corner of the page. + In a few moments, the Microsoft Defender ATP app would be created successfully, and a notification would show up at the top-right corner of the page. ![Image of Microsoft Endpoint Manager Admin Center](images/86cbe56f88bb6e93e9c63303397fc24f.png) -7. In the app information page that is displayed, in the **Monitor** section, +5. In the app information page that is displayed, in the **Monitor** section, select **Device install status** to verify that the device installation has completed successfully. - ![Image of Microsoft Endpoint Manager Admin Center](images/513cf5d59eaaef5d2b5bc122715b5844.png) + > [!div class="mx-imgBorder"] + > ![Image of Microsoft Endpoint Manager Admin Center](images/513cf5d59eaaef5d2b5bc122715b5844.png) -During Public Preview, to **update** Microsoft Defender ATP for Android deployed -as a Line of Business app, download the latest APK. Following the steps in -*Download the onboarding package* section and follow instructions on how to [update -a Line of Business -App](https://docs.microsoft.com/mem/intune/apps/lob-apps-android#step-5-update-a-line-of-business-app). - ### Complete onboarding and check status 1. Once Microsoft Defender ATP for Android has been installed on the device, you'll see the app icon. 
@@ -133,27 +110,21 @@ For more information on the enrollment options supported by Intune, see [Enrollment Options](https://docs.microsoft.com/mem/intune/enrollment/android-enroll) . -As Microsoft Defender ATP for Android is deployed via managed Google Play, -updates to the app are automatic via Google Play. - Currently only Personal devices with Work Profile enrolled are supported for deployment. ->[!NOTE] ->During Public Preview, to access Microsoft Defender ATP in your managed Google Play, contact [atpm@microsoft.com](mailto:atpm@microsoft.com) with the organization ID of your managed Google Play for next steps. This can be found under the **Admin Settings** of [managed Google Play](https://play.google.com/work/).
                        -> At General Availability (GA), Microsoft Defender ATP for Android will be available as a public app. Upgrades from preview to GA version will be supported. -## Add Microsoft Defender ATP for Android as a managed Google Play app +## Add Microsoft Defender ATP for Android as a Managed Google Play app -After receiving a confirmation e-mail from Microsoft that your managed Google -Play organization ID has been approved, follow the steps below to add Microsoft +Follow the steps below to add Microsoft Defender ATP app into your managed Google Play. 1. In [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) , go to **Apps** \> -**Android Apps** \> **Add** and select **managed Google Play app**. +**Android Apps** \> **Add** and select **Managed Google Play app**. - ![Image of Microsoft Endpoint Manager admin center](images/579ff59f31f599414cedf63051628b2e.png) + > [!div class="mx-imgBorder"] + > ![Image of Microsoft Endpoint Manager admin center](images/579ff59f31f599414cedf63051628b2e.png) 2. On your managed Google Play page that loads subsequently, go to the search @@ -167,7 +138,8 @@ ATP app from the Apps search result. details on Microsoft Defender ATP. Review the information on the page and then select **Approve**. - ![A screenshot of a Managed Google Play](images/07e6d4119f265037e3b80a20a73b856f.png) + > [!div class="mx-imgBorder"] + > ![A screenshot of a Managed Google Play](images/07e6d4119f265037e3b80a20a73b856f.png) 4. You should now be presented with the permissions that Microsoft Defender ATP 
@@ -184,13 +156,15 @@ Android might ask. Review the choices and select your preferred option. Select By default, managed Google Play selects *Keep approved when app requests new permissions* - ![Image of notifications tab](images/ffecfdda1c4df14148f1526c22cc0236.png) + > [!div class="mx-imgBorder"] + > ![Image of notifications tab](images/ffecfdda1c4df14148f1526c22cc0236.png) 6. After the permissions handling selection is made, select **Sync** to sync Microsoft Defender ATP to your apps list. - ![Image of sync page](images/34e6b9a0dae125d085c84593140180ed.png) + > [!div class="mx-imgBorder"] + > ![Image of sync page](images/34e6b9a0dae125d085c84593140180ed.png) 7. The sync will complete in a few minutes. 
@@ -200,54 +174,61 @@ Microsoft Defender ATP to your apps list. 8. Select the **Refresh** button in the Android apps screen and Microsoft Defender ATP should be visible in the apps list. - ![Image of list of Android apps](images/fa4ac18a6333335db3775630b8e6b353.png) + > [!div class="mx-imgBorder"] + > ![Image of list of Android apps](images/fa4ac18a6333335db3775630b8e6b353.png) 9. Microsoft Defender ATP supports App configuration policies for managed devices via Intune. This capability can be leveraged to autogrant applicable Android permission(s), so the end user does not need to accept these permission(s). - a. In the **Apps** page, go to **Policy > App configuration policies > Add > Managed devices**. + 1. In the **Apps** page, go to **Policy > App configuration policies > Add > Managed devices**. - ![Image of Microsoft Endpoint Manager admin center](images/android-mem.png) + ![Image of Microsoft Endpoint Manager admin center](images/android-mem.png) - b. In the **Create app configuration policy** page, enter the following details: + 1. In the **Create app configuration policy** page, enter the following details: + - Name: Microsoft Defender ATP. - Choose **Android Enterprise** as platform. - Choose **Work Profile only** as Profile Type. - Click **Select App**, choose **Microsoft Defender ATP**, select **OK** and then **Next**. - ![Image of create app configuration policy page](images/android-create-app.png) + > [!div class="mx-imgBorder"] + > ![Image of create app configuration policy page](images/android-create-app.png) - c. In the **Settings** page, go to the Permissions section click on Add to view the list of supported permissions. In the Add Permissions section, select the following permissions - - External storage (read) - - External storage (write) + 1. In the **Settings** page, go to the Permissions section click on Add to view the list of supported permissions. In the Add Permissions section, select the following permissions: - Then select **OK**. 
+ - External storage (read) + - External storage (write) - ![Image of create app configuration policy](images/android-create-app-config.png) + Then select **OK**. + + > [!div class="mx-imgBorder"] + > ![Image of create app configuration policy](images/android-create-app-config.png) - d. You should now see both the permissions listed and now you can autogrant both by choosing autogrant in the **Permission state** drop-down and then select **Next**. + 1. You should now see both the permissions listed and now you can autogrant both by choosing autogrant in the **Permission state** drop-down and then select **Next**. - ![Image of create app configuration policy](images/android-auto-grant.png) + > [!div class="mx-imgBorder"] + > ![Image of create app configuration policy](images/android-auto-grant.png) - e. In the **Assignments** page, select the user group to which this app config policy would be assigned to. Click **Select groups to include** and selecting the applicable group and then selecting **Next**. The group selected here is usually the same group to which you would assign Microsoft Defender ATP Android app. + 1. In the **Assignments** page, select the user group to which this app config policy would be assigned to. Click **Select groups to include** and selecting the applicable group and then selecting **Next**. The group selected here is usually the same group to which you would assign Microsoft Defender ATP Android app. - ![Image of create app configuration policy](images/android-select-group.png) + > [!div class="mx-imgBorder"] + > ![Image of create app configuration policy](images/android-select-group.png) - f. In the **Review + Create** page that comes up next, review all the information and then select **Create**.
                        + 1. In the **Review + Create** page that comes up next, review all the information and then select **Create**.
                        - The app configuration policy for Microsoft Defender ATP auto-granting the storage permission is now assigned to the selected user group. - - ![Image of create app configuration policy](images/android-review-create.png) + The app configuration policy for Microsoft Defender ATP auto-granting the storage permission is now assigned to the selected user group. + > [!div class="mx-imgBorder"] + > ![Image of create app configuration policy](images/android-review-create.png) 10. Select **Microsoft Defender ATP** app in the list \> **Properties** \> **Assignments** \> **Edit**. - ![Image of list of apps](images/9336bbd778cff5e666328bb3db7c76fd.png) + ![Image of list of apps](images/mda-properties.png) 11. Assign the app as a *Required* app to a user group. It is automatically installed in the *work profile* during the next sync of @@ -255,7 +236,8 @@ the device via Company Portal app. This assignment can be done by navigating to the *Required* section \> **Add group,** selecting the user group and click **Select**. - ![Image of edit application page](images/ea06643280075f16265a596fb9a96042.png) + > [!div class="mx-imgBorder"] + > ![Image of edit application page](images/ea06643280075f16265a596fb9a96042.png) 12. In the **Edit Application** page, review all the information that was entered @@ -268,7 +250,8 @@ assignment. clicking on the **Device Install Status**. Verify that the device is displayed here. - ![Image of device installation status](images/900c0197aa59f9b7abd762ab2b32e80c.png) + > [!div class="mx-imgBorder"] + > ![Image of device installation status](images/900c0197aa59f9b7abd762ab2b32e80c.png) 2. On the device, you can confirm the same by going to the **work profile** and 
@@ -279,7 +262,7 @@ confirm that Microsoft Defender ATP is available. 3. When the app is installed, open the app and accept the permissions and then your onboarding should be successful. - ![Image of mobile device with Microsoft Defender ATP app](images/23c125534852dcef09b8e37c98e82148.png) + ![Image of mobile device with Microsoft Defender ATP app](images/mda-devicesafe.png) 4. At this stage the device is successfully onboarded onto Microsoft Defender ATP for Android. You can verify this on the [Microsoft Defender Security diff --git a/windows/security/threat-protection/microsoft-defender-atp/android-privacy.md b/windows/security/threat-protection/microsoft-defender-atp/android-privacy.md new file mode 100644 index 0000000000..800e262876 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/android-privacy.md 
@@ -0,0 +1,111 @@ +--- +title: Microsoft Defender ATP for Android - Privacy information +description: Privacy controls, how to configure policy settings that impact privacy and information about the diagnostic data collected in Microsoft Defender ATP for Android. +keywords: microsoft, defender, atp, android, privacy, diagnostic +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +--- + +# Microsoft Defender ATP for Android - Privacy information + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Android](microsoft-defender-atp-android.md) + + +Microsoft Defender ATP for Android collects information from your configured +Android devices and stores it in the same tenant where you have Microsoft +Defender ATP. + +Information is collected to help keep Microsoft Defender ATP for Android secure, +up-to-date, performing as expected and to support the service. + +## Required Data + +Required data consists of data that is necessary to make Microsoft Defender ATP +for Android work as expected. This data is essential to the operation of the +service and can include data related to the end user, organization, device, and +apps. Here's a list of the types of data being collected: + +### App information + +Information about Android application packages (APKs) on the device including + +- Install source +- Storage location (file path) of the APK +- Time of install, size of APK and permissions + +### Web page / Network information + +- Full URL (on supported browsers), when clicked +- Connection information +- Protocol type (such as HTTP, HTTPS, etc.) 
+ + +### Device and account information + +- Device information such as date & time, Android version, OEM model, CPU + info, and Device identifier +- Device identifier is one of the below: + - Wi-Fi adapter MAC address + - [Android + ID](https://developer.android.com/reference/android/provider/Settings.Secure#ANDROID_ID) + (as generated by Android at the time of first boot of the device) + - Randomly generated globally unique identifier (GUID) + +- Tenant, Device and User information + - Azure Active Directory (AD) Device ID and Azure User ID: Uniquely + identifies the device, User respectively at Azure Active directory. + + - Azure tenant ID - GUID that identifies your organization within + Azure Active Directory + + - Microsoft Defender ATP org ID - Unique identifier associated with + the enterprise that the device belongs to. Allows Microsoft to + identify whether issues are impacting a select set of enterprises + and how many enterprises are impacted  + + - User Principal Name – Email ID of the user + +### Product and service usage data +- App package info, including name, version, and app upgrade status + +- Actions performed in the app + +- Threat detection information, such as threat name, category, etc. + +- Crash report logs generated by Android + +## Optional Data + +Optional data includes diagnostic data and feedback data. Optional diagnostic +data is additional data that helps us make product improvements and provides +enhanced information to help us detect, diagnose, and fix issues. 
Optional +diagnostic data includes: + +- App, CPU, and network usage + +- State of the device from the app perspective, including scan status, scan + timings, app permissions granted, and upgrade status + +- Features configured by the admin + +- Basic information about the browsers on the device + +**Feedback Data** is collected through in-app feedback provided by the user + +- The user’s email address, if they choose to provide it + +- Feedback type (smile, frown, idea) and any feedback comments submitted by + the user diff --git a/windows/security/threat-protection/microsoft-defender-atp/android-support-signin.md b/windows/security/threat-protection/microsoft-defender-atp/android-support-signin.md new file mode 100644 index 0000000000..a989d91d73 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/android-support-signin.md 
@@ -0,0 +1,98 @@ +--- +title: Troubleshoot issues on Microsoft Defender ATP for Android +ms.reviewer: +description: Troubleshoot issues for Microsoft Defender ATP for Android +keywords: microsoft, defender, atp, android, cloud, connectivity, communication +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +--- + +# Troubleshooting issues on Microsoft Defender ATP for Android + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for + Android](microsoft-defender-atp-android.md) + +During onboarding, you might encounter sign in issues after the app is installed on your device. + +This article provides solutions to address the sign on issues. + +## Sign in failed - unexpected error +**Sign in failed:** *Unexpected error, try later* + +![Image of sign in failed error Unexpected error](images/f9c3bad127d636c1f150d79814f35d4c.png) + +**Message:** + +Unexpected error, try later + +**Cause:** + +You have an older version of "Microsoft Authenticator" app installed on your +device. 
+ +**Solution:** + +Install latest version and of [Microsoft +Authenticator](https://play.google.com/store/apps/details?androidid=com.azure.authenticator) +from Google Play Store and try again + +## Sign in failed - invalid license + +**Sign in failed:** *Invalid license, please contact administrator* + +![Image of sign in failed please contact administrator](images/920e433f440fa1d3d298e6a2a43d4811.png) + +**Message:** *Invalid license, please contact administrator* + +**Cause:** + +You do not have Microsoft 365 license assigned, or your organization does not +have a license for Microsoft 365 Enterprise subscription. + +**Solution:** + +Contact your administrator for help. + +## Phishing pages are not blocked on specific OEM devices + +**Applies to:** Specific OEMs only + +- **Xiaomi** + +Phishing and harmful web connection threats detected by Microsoft Defender ATP +for Android are not blocked on some Xiaomi devices. The following functionality does not work on these devices. + +![Image of site reported unsafe](images/0c04975c74746a5cdb085e1d9386e713.png) + + +**Cause:** + +Xiaomi devices introduced a new permission that prevents Microsoft Defender ATP +for Android app from displaying pop-up windows while running in the background. + +Xiaomi devices permission: "Display pop-up windows while running in the +background." + +![Image of pop up setting](images/6e48e7b29daf50afddcc6c8c7d59fd64.png) + +**Solution:** + +Enable the required permission on Xiaomi devices. + +- Display pop-up windows while running in the background. diff --git a/windows/security/threat-protection/microsoft-defender-atp/android-terms.md b/windows/security/threat-protection/microsoft-defender-atp/android-terms.md index c7309c2bb9..0d6e8dcd1c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/android-terms.md +++ b/windows/security/threat-protection/microsoft-defender-atp/android-terms.md 
@@ -20,6 +20,9 @@ hideEdit: true --- # Microsoft Defender ATP for Android application license terms + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Android](microsoft-defender-atp-android.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-explorer.md b/windows/security/threat-protection/microsoft-defender-atp/api-explorer.md index 09f3293f1a..7bc13986b1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/api-explorer.md +++ b/windows/security/threat-protection/microsoft-defender-atp/api-explorer.md @@ -20,6 +20,9 @@ ms.topic: conceptual # API Explorer +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-hello-world.md b/windows/security/threat-protection/microsoft-defender-atp/api-hello-world.md index 88fd42601a..3163df4fcb 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/api-hello-world.md +++ b/windows/security/threat-protection/microsoft-defender-atp/api-hello-world.md @@ -19,6 +19,9 @@ ms.topic: article # Microsoft Defender ATP API - Hello World +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-microsoft-flow.md b/windows/security/threat-protection/microsoft-defender-atp/api-microsoft-flow.md index e4a1dddb18..8d06eb8f1b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/api-microsoft-flow.md +++ b/windows/security/threat-protection/microsoft-defender-atp/api-microsoft-flow.md @@ -19,6 +19,9 @@ ms.topic: article # Microsoft Power Automate (formerly Microsoft Flow), and Azure Functions +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md b/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md index 1e157ea511..19a2f46e0c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md +++ b/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md @@ -19,6 +19,9 @@ ms.topic: article # Microsoft Defender ATP detections API fields +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-power-bi.md b/windows/security/threat-protection/microsoft-defender-atp/api-power-bi.md index a7f95c1789..9ed52103d9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/api-power-bi.md +++ b/windows/security/threat-protection/microsoft-defender-atp/api-power-bi.md 
@@ -19,6 +19,9 @@ ms.topic: article # Create custom reports using Power BI +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-terms-of-use.md b/windows/security/threat-protection/microsoft-defender-atp/api-terms-of-use.md index 1e42b10a63..b5e6b4ffb6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/api-terms-of-use.md +++ b/windows/security/threat-protection/microsoft-defender-atp/api-terms-of-use.md @@ -18,6 +18,9 @@ ms.topic: article # Microsoft Defender ATP API license and terms of use +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + ## APIs Microsoft Defender ATP APIs are governed by [Microsoft API License and Terms of use](https://docs.microsoft.com/legal/microsoft-apis/terms-of-use). diff --git a/windows/security/threat-protection/microsoft-defender-atp/apis-intro.md b/windows/security/threat-protection/microsoft-defender-atp/apis-intro.md index aac9695165..09205163fe 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/apis-intro.md +++ b/windows/security/threat-protection/microsoft-defender-atp/apis-intro.md @@ -19,6 +19,9 @@ ms.topic: conceptual # Access the Microsoft Defender Advanced Threat Protection APIs +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/assign-portal-access.md b/windows/security/threat-protection/microsoft-defender-atp/assign-portal-access.md index 1181ff8181..6eeaf5c729 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/assign-portal-access.md +++ b/windows/security/threat-protection/microsoft-defender-atp/assign-portal-access.md @@ -20,6 +20,9 @@ ms.date: 11/28/2018 # Assign user access to Microsoft Defender Security Center +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - Azure Active Directory - Office 365 diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-simulations.md b/windows/security/threat-protection/microsoft-defender-atp/attack-simulations.md index 492d7037dc..4726e2223f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-simulations.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-simulations.md @@ -20,6 +20,9 @@ ms.date: 11/20/2018 # Experience Microsoft Defender ATP through simulated attacks +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) @@ -64,4 +67,4 @@ Read the walkthrough document provided with each attack scenario. Each document ## Related topics - [Onboard devices](onboard-configure.md) -- [Onboard Windows 10 devices](configure-endpoints.md) \ No newline at end of file +- [Onboard Windows 10 devices](configure-endpoints.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-faq.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-faq.md index 992ba51235..0175049c55 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-faq.md 
+++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-faq.md @@ -18,6 +18,9 @@ ms.custom: asr # Attack surface reduction frequently asked questions (FAQ) +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** * [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index dde4d8932b..21443608c3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md @@ -3,7 +3,6 @@ title: Use attack surface reduction rules to prevent malware infection description: Attack surface reduction rules can help prevent exploits from using apps and scripts to infect devices with malware. keywords: Attack surface reduction rules, asr, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, Microsoft Defender Advanced Threat Protection, Microsoft Defender ATP search.product: eADQiWindows 10XVcnh -ms.pagetype: security ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library @@ -19,6 +18,9 @@ ms.custom: asr # Reduce attack surfaces with attack surface reduction rules +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** * [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) 
@@ -290,7 +292,7 @@ This rule helps prevent credential stealing, by locking down Local Security Auth LSASS authenticates users who log in to a Windows computer. Microsoft Defender Credential Guard in Windows 10 normally prevents attempts to extract credentials from LSASS. However, some organizations can't enable Credential Guard on all of their computers because of compatibility issues with custom smartcard drivers or other programs that load into the Local Security Authority (LSA). In these cases, attackers can use hack tools like Mimikatz to scrape cleartext passwords and NTLM hashes from LSASS. > [!NOTE] -> In some apps, the code enumerates all running processes and attempts to open them with exhaustive permissions. This rule denies the app's process open action and logs the details to the security event log. This rule can generate a lot of noise. If you have an app that overly enumerates LSASS, you need to add it to the exclusion list. By itself, this event log entry doesn't necessarily indicate a malicious threat. +> In some apps, the code enumerates all running processes and attempts to open them with exhaustive permissions. This rule denies the app's process open action and logs the details to the security event log. This rule can generate a lot of noise. If you have an app that simply enumerates LSASS, but has no real impact in functionality, there is NO need to add it to the exclusion list. By itself, this event log entry doesn't necessarily indicate a malicious threat. This rule was introduced in: - [Windows 10, version 1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803) diff --git a/windows/security/threat-protection/microsoft-defender-atp/audit-windows-defender.md b/windows/security/threat-protection/microsoft-defender-atp/audit-windows-defender.md index db8dec5ba9..8a4304b984 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/audit-windows-defender.md 
+++ b/windows/security/threat-protection/microsoft-defender-atp/audit-windows-defender.md @@ -1,9 +1,8 @@ --- -title: Test how Microsoft Defender ATP features work -description: Audit mode lets you use the event log to see how Microsoft Defender ATP would protect your devices if it were enabled +title: Test how Microsoft Defender ATP features work in audit mode +description: Audit mode lets you use the event log to see how Microsoft Defender ATP would protect your devices if it was enabled. keywords: exploit guard, audit, auditing, mode, enabled, disabled, test, demo, evaluate, lab search.product: eADQiWindows 10XVcnh -ms.pagetype: security ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library 
@@ -12,28 +11,30 @@ ms.localizationpriority: medium audience: ITPro author: levinec ms.author: ellevin -ms.date: 04/02/2019 ms.reviewer: manager: dansimp --- -# Use audit mode +# Test how Microsoft Defender ATP features work in audit mode + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + **Applies to:** * [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -You can enable attack surface reduction rules, exploit protection, network protection, and controlled folder access in audit mode. This lets you see a record of what *would* have happened if you had enabled the feature. +You can enable attack surface reduction rules, exploit protection, network protection, and controlled folder access in audit mode. Audit mode lets you see a record of what *would* have happened if you had enabled the feature. -You might want to do this when testing how the features will work in your organization, to ensure it doesn't affect your line-of-business apps, and to get an idea of how many suspicious file modification attempts generally occur over a certain period. +You may want to enable audit mode when testing how the features will work in your organization. Ensure it doesn't affect your line-of-business apps, and get an idea of how many suspicious file modification attempts generally occur over a certain period of time. -While the features will not block or prevent apps, scripts, or files from being modified, the Windows Event Log will record events as if the features were fully enabled. This means you can enable audit mode and then review the event log to see what impact the feature would have had were it enabled. +The features won't block or prevent apps, scripts, or files from being modified. However, the Windows Event Log will record events as if the features were fully enabled. 
With audit mode, you can review the event log to see what impact the feature would have had if it was enabled. To find the audited entries, go to **Applications and Services** > **Microsoft** > **Windows** > **Windows Defender** > **Operational**. You can use Microsoft Defender Advanced Threat Protection to get greater details for each event, especially for investigating attack surface reduction rules. Using the Microsoft Defender ATP console lets you [investigate issues as part of the alert timeline and investigation scenarios](../microsoft-defender-atp/investigate-alerts.md). -This topic provides links that describe how to enable the audit functionality for each feature and how to view events in the Windows Event Viewer. +This article provides links that describe how to enable the audit functionality for each feature and how to view events in the Windows Event Viewer. You can use Group Policy, PowerShell, and configuration service providers (CSPs) to enable audit mode. diff --git a/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md b/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md index cb7648e275..d8526c28d0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md +++ b/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md 
@@ -14,10 +14,14 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article +ms.reviewer: ramarom, evaldm, isco, mabraitm --- # View details and results of automated investigations +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + During and after an automated investigation, certain remediation actions can be identified. Depending on the threat and how [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection) (Microsoft Defender ATP) is configured for your organization, some remediation actions are taken automatically. If you're part of your organization's security operations team, you can view pending and completed [remediation actions](manage-auto-investigation.md#remediation-actions) in the **Action center** ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)). You can also use the **Investigations** page ([https://securitycenter.windows.com/investigations](https://securitycenter.windows.com/investigations)) to view details about an investigation. diff --git a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md index f0292e125f..8c81015728 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md +++ b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md 
@@ -10,27 +10,33 @@ ms.sitesec: library ms.pagetype: security ms.author: deniseb author: denisebmsft +ms.date: 09/03/2020 ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual +ms.reviewer: ramarom, evaldm, isco, mabraitm +ms.custom: AIR --- # Overview of automated investigations +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + > [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4bOeh] -Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) offers a wide breadth of visibility on multiple devices. With this kind of optics, the service generates a multitude of alerts. The volume of alerts generated can be challenging for a typical security operations team to individually address. To address this challenge, Microsoft Defender ATP uses automated investigation and remediation capabilities to significantly reduce the volume of alerts that must be investigated individually. +Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) offers a wide breadth of visibility on multiple devices. With this kind of optics, the service generates a multitude of alerts. The volume of alerts generated can be challenging for a typical security operations team to individually address. To address this challenge, and to reduce the volume of alerts that must be investigated individually, Microsoft Defender ATP includes automated investigation and remediation capabilities. -The automated investigation feature leverages various inspection algorithms, and processes used by analysts (such as playbooks) to examine alerts and take immediate remediation action to resolve breaches. This significantly reduces alert volume, allowing security operations experts to focus on more sophisticated threats and other high value initiatives. 
The **Automated investigations** list shows all the investigations that were initiated automatically, and includes details, such as status, detection source, and when the investigation was initiated. +Automated investigation leverages various inspection algorithms, and processes used by analysts (such as playbooks) to examine alerts and take immediate remediation action to resolve breaches. Automated investigation and remediation capabilities significantly reduce alert volume, allowing security operations experts to focus on more sophisticated threats and other high value initiatives. The **Automated investigations** list shows all the investigations that were initiated automatically, and includes details, such as status, detection source, and when each investigation was initiated. > [!TIP] > Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-automated-investigations-abovefoldlink) ## How the automated investigation starts -When an alert is triggered, a security playbook goes into effect. Depending on the security playbook, an automated investigation can start. For example, suppose a malicious file resides on a device. When that file is detected, an alert is triggered. The automated investigation process begins. Microsoft Defender ATP checks to see if the malicious file is present on any other devices in the organization. Details from the investigation, including verdicts (*Malicious*, *Suspicious*, and *No threats found*) are available during and after the automated investigation. +When an alert is triggered, a security playbook goes into effect. Depending on the security playbook, an automated investigation can start. For example, suppose a malicious file resides on a device. When that file is detected, an alert is triggered, and the automated investigation process begins. 
Microsoft Defender ATP checks to see if the malicious file is present on any other devices in the organization. Details from the investigation, including verdicts (*Malicious*, *Suspicious*, and *No threats found*) are available during and after the automated investigation. >[!NOTE] >Currently, automated investigation only supports the following OS versions: @@ -41,7 +47,7 @@ When an alert is triggered, a security playbook goes into effect. Depending on t ## Details of an automated investigation -During and after an automated investigation, you can view details about the investigation. Selecting a triggering alert brings you to the investigation details view where you can pivot from the **Investigation graph**, **Alerts**, **Devices**, **Evidence**, **Entities**, and **Log** tabs. +During and after an automated investigation, you can view details about the investigation. Select a triggering alert to view the investigation details. From there, you can go to the **Investigation graph**, **Alerts**, **Devices**, **Evidence**, **Entities**, and **Log** tabs. |Tab |Description | |--|--| 
@@ -50,7 +56,7 @@ During and after an automated investigation, you can view details about the inve |**Evidence** |Shows the entities that were found to be malicious during the investigation.| |**Entities** |Provides details about each analyzed entity, including a determination for each entity type (*Malicious*, *Suspicious*, or *No threats found*). | |**Log** |Shows the chronological detailed view of all the investigation actions taken on the alert.| -|**Pending actions** |If there are pending actions on the investigation, the **Pending actions** tab will be displayed where you can approve or reject actions. | +|**Pending actions** |If there are any actions awaiting approval as a result of the investigation, the **Pending actions** tab is displayed. On the **Pending actions** tab, you can approve or reject each action. | > [!IMPORTANT] > Go to the **Action center** to get an aggregated view all pending actions and manage remediation actions. The **Action center** also acts as an audit trail for all automated investigation actions. 
@@ -59,28 +65,43 @@ During and after an automated investigation, you can view details about the inve While an investigation is running, any other alerts generated from the device are added to an ongoing automated investigation until that investigation is completed. In addition, if the same threat is seen on other devices, those devices are added to the investigation. -If an incriminated entity is seen in another device, the automated investigation process will expand its scope to include that device, and a general security playbook will start on that device. If 10 or more devices are found during this expansion process from the same entity, then that expansion action will require an approval and will be seen in the **Pending actions** view. +If an incriminated entity is seen in another device, the automated investigation process expands its scope to include that device, and a general security playbook starts on that device. If 10 or more devices are found during this expansion process from the same entity, then that expansion action requires an approval, and is visible on the **Pending actions** tab. ## How threats are remediated -Depending on how you set up the device groups and their level of automation, the automated investigation will either require user approval (default) or automatically remediate threats. +Depending on how you set up the device groups and their level of automation, each automated investigation either requires user approval (default) or automatically remediates threats. + +> [!NOTE] +> Microsoft Defender ATP tenants created on or after August 16, 2020 have **Full - remediate threats automatically** selected by default. You can keep the default setting, or change it according to your organizational needs. To change your settings, [adjust your device group settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation#set-up-device-groups). 
You can configure the following levels of automation: |Automation level | Description| |---|---| -|No automated response | Devices do not get any automated investigations run on them. | -|Semi - require approval for any remediation | This is the default automation level.

                        An approval is needed for any remediation action. | -|Semi - require approval for non-temp folders remediation | An approval is required on files or executables that are not in temporary folders.

                        Files or executables in temporary folders, such as the user's download folder or the user's temp folder, will automatically be remediated if needed.| -|Semi - require approval for core folders remediation | An approval is required on files or executables that are in the operating system directories such as Windows folder and Program files folder.

                        Files or executables in all other folders will automatically be remediated if needed.| -|Full - remediate threats automatically | All remediation actions will be performed automatically.| +|**Full - remediate threats automatically** | All remediation actions are performed automatically.

                        ***This option is recommended** and is selected by default for Microsoft Defender ATP tenants that were created on or after August 16, 2020, and that have no device groups defined.
                        If you do have a device group defined, you will also have a device group called **Ungrouped devices (default)**, which will be set to **Full - remediate threats automatically**.*| +|**Semi - require approval for core folders remediation** | An approval is required on files or executables that are in the operating system directories such as Windows folder and Program files folder.

                        Files or executables in all other folders are automatically remediated, if needed.| +|**Semi - require approval for non-temp folders remediation** | An approval is required on files or executables that are not in temporary folders.

                        Files or executables in temporary folders, such as the user's download folder or the user's temp folder, are automatically be remediated (if needed).| +|**Semi - require approval for any remediation** | An approval is needed for any remediation action.

                        *This option is selected by default for Microsoft Defender ATP tenants that were created before August 16, 2020, and that have no device groups defined.
                        If you do have a device group defined, you will also have a device group called **Ungrouped devices (default)**, which will be set to **Semi - require approval for any remediation**.*| +|**No automated response** | Devices do not get any automated investigations run on them.

                        ***This option is not recommended**, because it fully disables automated investigation and remediation capabilities, and reduces the security posture of your organization's devices.* | -> [!TIP] -> For more information on how to configure these automation levels, see [Create and manage device groups](machine-groups.md). -The default device group is configured for semi-automatic remediation. This means that any malicious entity that calls for remediation requires an approval and the investigation is added to the **Pending actions** section. This can be changed to fully automatic so that no user approval is needed. +> [!IMPORTANT] +> Regarding automation levels and default settings: +> - If your tenant already has device groups defined, the automation level settings are not changed for those device groups. +> - If your tenant was onboarded to Microsoft Defender ATP *before* August 16, 2020, and you have not defined a device group, your organization's default setting is **Semi - require approval for any remediation**. +> - If your tenant was onboarded to Microsoft Defender ATP *before* August 16, 2020, and you do have a device group defined, you also have an **Ungrouped devices (default)** device group that is set to **Semi - require approval for any remediation**. +> - If your tenant was onboarded to Microsoft Defender ATP *on or after* August 16, 2020, and you have not defined a device group, your orgnaization's default setting is **Full - remediate threats automatically**. +> - If your tenant was onboarded to Microsoft Defender ATP *on or after* August 16, 2020, and you do have a device group defined, you also have an **Ungrouped devices (default)** device group that is set to **Full - remediate threats automatically**. +> - To change an automation level, **[edit your device groups](configure-automated-investigations-remediation.md#set-up-device-groups)**. 
-When a pending action is approved, the entity is then remediated and this new state is reflected in the **Entities** tab of the investigation. + +### A few points to keep in mind + +- Your level of automation is determined by your device group settings. See [Set up device groups](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation#set-up-device-groups). + +- If your Microsoft Defender ATP tenant was created before August 16, 2020, you have a default device group that is configured for semi-automatic remediation. Any malicious entity that calls for remediation requires an approval and the investigation is added to the **Pending actions** tab in the [Action center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center#the-action-center). You can configure your device groups to use full automation so that no user approval is needed. + +- If your Microsoft Defender ATP tenant was created on or after August 16, 2020, you have a default device group that is configured for full automation. Remediation actions are taken automatically for entities that are considered to be malicious. Remediation actions that were taken can be viewed on the **History** tab in the [Action center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center#the-action-center). ## Next steps 
@@ -88,8 +109,8 @@ When a pending action is approved, the entity is then remediated and this new st - [See the interactive guide: Investigate and remediate threats with Microsoft Defender ATP](https://aka.ms/MDATP-IR-Interactive-Guide) -## Related articles +## See also - [Automated investigation and response in Office 365 Advanced Threat Protection](https://docs.microsoft.com/microsoft-365/security/office-365-security/office-365-air) -- [Automated investigation and response in Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/mtp-autoir) \ No newline at end of file +- [Automated investigation and response in Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/mtp-autoir) diff --git a/windows/security/threat-protection/microsoft-defender-atp/basic-permissions.md b/windows/security/threat-protection/microsoft-defender-atp/basic-permissions.md index d9ced772ad..2d1aa8f368 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/basic-permissions.md +++ b/windows/security/threat-protection/microsoft-defender-atp/basic-permissions.md @@ -18,6 +18,9 @@ ms.topic: article --- # Use basic permissions to access the portal + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + **Applies to:** - Azure Active Directory diff --git a/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md b/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md index 04569f6785..e9516735d3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md +++ b/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md 
@@ -20,6 +20,9 @@ ms.collection:
 # Behavioral blocking and containment
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
 **Applies to:**
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
@@ -90,7 +93,7 @@ While the attack was detected and stopped, alerts, such as an "initial access al
 This example shows how behavior-based device learning models in the cloud add new layers of protection against attacks, even after they have started running.
-### Example 2: NTML relay - Juicy Potato malware variant
+### Example 2: NTLM relay - Juicy Potato malware variant
 As described in the recent blog post, [Behavioral blocking and containment: Transforming optics into protection](https://www.microsoft.com/security/blog/2020/03/09/behavioral-blocking-and-containment-transforming-optics-into-protection), in January 2020, Microsoft Defender ATP detected a privilege escalation activity on a device in an organization. An alert called “Possible privilege escalation using NTLM relay” was triggered.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/check-sensor-status.md b/windows/security/threat-protection/microsoft-defender-atp/check-sensor-status.md
index 621f338029..9e38e27515 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/check-sensor-status.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/check-sensor-status.md
@@ -20,6 +20,9 @@ ms.date: 04/24/2018
 # Check sensor health state in Microsoft Defender ATP
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
 **Applies to:**
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/client-behavioral-blocking.md b/windows/security/threat-protection/microsoft-defender-atp/client-behavioral-blocking.md index 19fabebbdf..fee9bbd249 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/client-behavioral-blocking.md +++ b/windows/security/threat-protection/microsoft-defender-atp/client-behavioral-blocking.md @@ -20,6 +20,9 @@ ms.collection: # Client behavioral blocking +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/microsoft-defender-atp/collect-investigation-package.md b/windows/security/threat-protection/microsoft-defender-atp/collect-investigation-package.md index d8929fdd67..398305b848 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/collect-investigation-package.md +++ b/windows/security/threat-protection/microsoft-defender-atp/collect-investigation-package.md @@ -19,6 +19,9 @@ ms.topic: article # Collect investigation package API +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/commercial-gov.md b/windows/security/threat-protection/microsoft-defender-atp/commercial-gov.md index 558f93dfb9..3642376253 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/commercial-gov.md +++ b/windows/security/threat-protection/microsoft-defender-atp/commercial-gov.md 
@@ -19,6 +19,9 @@ ms.topic: conceptual # Microsoft Defender ATP for US Government GCC High customers +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) @@ -56,7 +59,7 @@ The following OS versions are not supported: - macOS - Linux -The initial release of Microsoft Defender ATP will not have immediate parity with the commercial offering. While our goal is to deliver all commercial features and functionality to our US Government (GCC High) customers, there are some capabilities not yet available that we'd like to highlight. These are the known gaps as of August 2019: +The initial release of Microsoft Defender ATP will not have immediate parity with the commercial offering. While our goal is to deliver all commercial features and functionality to our US Government (GCC High) customers, there are some capabilities not yet available that we'd like to highlight. These are the known gaps as of August 2020: ## Threat Analytics Not currently available. diff --git a/windows/security/threat-protection/microsoft-defender-atp/common-errors.md b/windows/security/threat-protection/microsoft-defender-atp/common-errors.md index bcc6ba7dc3..d34460c4bf 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/common-errors.md +++ b/windows/security/threat-protection/microsoft-defender-atp/common-errors.md @@ -18,6 +18,9 @@ ms.topic: article # Common REST API error codes +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + * The error codes listed in the following table may be returned by an operation on any of Microsoft Defender ATP APIs. * Note that in addition to the error code, every error response contains an error message which can help resolving the problem. * Note that the message is a free text that can be changed. 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/community.md b/windows/security/threat-protection/microsoft-defender-atp/community.md
index 78f18ff20e..7a83827fc5 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/community.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/community.md
@@ -21,6 +21,9 @@ ms.date: 04/24/2018
 # Access the Microsoft Defender ATP Community Center
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
 **Applies to:**
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/conditional-access.md b/windows/security/threat-protection/microsoft-defender-atp/conditional-access.md
index fb8e70489a..edcabf4028 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/conditional-access.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/conditional-access.md
@@ -19,6 +19,9 @@ ms.topic: article
 # Enable Conditional Access to better protect users, devices, and data
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
 **Applies to:**
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md b/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md
index 2dc93956ba..2a2e4d3535 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md
@@ -19,6 +19,9 @@ ms.topic: article
 # Configure Micro Focus ArcSight to pull Microsoft Defender ATP detections
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
 **Applies to:**
@@ -103,8 +106,8 @@ The following steps assume that you have completed all the required steps in [Be For example, if the configuration file in "flexagent" directory is named "WDATP-Connector.jsonparser.properties", you must type "WDATP-Connector" as the name of the client property file.
                        - + @@ -113,7 +116,7 @@ The following steps assume that you have completed all the required steps in [Be - diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/configure-attack-surface-reduction.md index 50726aa946..736ab0b846 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-attack-surface-reduction.md @@ -19,6 +19,9 @@ ms.topic: conceptual # Configure attack surface reduction +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + You can configure attack surface reduction with a number of tools, including: * Microsoft Intune diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md b/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md index a4c17d2c2a..c5015477eb 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md @@ -15,10 +15,14 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual +ms.reviewer: ramarom, evaldm, isco, mabraitm --- # Configure automated investigation and remediation capabilities in Microsoft Defender Advanced Threat Protection +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-conditional-access.md b/windows/security/threat-protection/microsoft-defender-atp/configure-conditional-access.md
index 944a823a64..8946b66493 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-conditional-access.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-conditional-access.md
@@ -18,6 +18,9 @@ ms.topic: article
 ---
 # Configure Conditional Access in Microsoft Defender ATP
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
 **Applies to:**
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications.md b/windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications.md
index e605898b2f..18ba591b16 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications.md
@@ -19,6 +19,9 @@ ms.topic: article
 # Configure alert notifications in Microsoft Defender ATP
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
 **Applies to:**
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
@@ -95,5 +98,4 @@ This section lists various issues that you may encounter when using email notifi
 ## Related topics
 - [Update data retention settings](data-retention-settings.md)
-- [Enable and create Power BI reports using Microsoft Defender ATP data](powerbi-reports.md)
 - [Configure advanced features](advanced-features.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp.md
index 3f0a7dcdd7..36703ec3a4 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp.md
@@ -20,6 +20,9 @@ ms.date: 04/24/2018
 # Onboard Windows 10 devices using Group Policy
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
 **Applies to:**
 - Group Policy
@@ -101,6 +104,75 @@ You can use Group Policy (GP) to configure settings, such as settings for the sa > If you don't set a value, the default value is to enable sample collection. +## Other recommended configuration settings + +### Update endpoint protection configuration + +After configuring the onboarding script, continue editing the same group policy to add endpoint protection configurations. Perform group policy edits from a system running Windows 10 or Server 2019 to ensure you have all of the required Microsoft Defender Antivirus capabilities. You may need to close and reopen the group policy object to register the Defender ATP configuration settings. + +All policies are located under `Computer Configuration\Policies\Administrative Templates`. + +**Policy location:** \Windows Components\Windows Defender ATP + +Policy | Setting +:---|:--- +Enable\Disable Sample collection| Enabled - "Enable sample collection on machines" checked + + +**Policy location:** \Windows Components\Windows Defender Antivirus + +Policy | Setting +:---|:--- +Configure detection for potentially unwanted applications | Enabled, Block + +**Policy location:** \Windows Components\Windows Defender Antivirus\MAPS + +Policy | Setting +:---|:--- +Join Microsoft MAPS | Enabled, Advanced MAPS +Send file samples when further analysis is required | Enabled, Send safe samples + +**Policy location:** \Windows Components\Windows Defender Antivirus\Real-time Protection + +Policy | Setting +:---|:--- +Turn off real-time protection|Disabled +Turn on behavior monitoring|Enabled +Scan all downloaded files and attachments|Enabled +Monitor file and program activity on your computer|Enabled + + +**Policy location:** \Windows Components\Windows Defender Antivirus\Scan + +These settings configure periodic scans of the endpoint. We recommend performing a weekly quick scan, performance permitting. 
+ +Policy | Setting +:---|:--- +Check for the latest virus and spyware security intelligence before running a scheduled scan |Enabled + + + +**Policy location:** \Windows Components\Windows Defender Antivirus\Windows Defender Exploit Guard\Attack Surface Reduction + +Get the current list of attack surface reduction GUIDs from [Customize attack surface reduction rules](customize-attack-surface-reduction.md) + +1. Open the **Configure Attack Surface Reduction** policy. +2. Select **Enabled**. +3. Select the **Show…** button. +4. Add each GUID in the **Value Name** field with a Value of 2. + +This will set each up for audit only. + +![Image of attack surface reduction configuration](images/asr-guid.png) + + + +Policy | Setting +:---|:--- +Configure Controlled folder access| Enabled, Audit Mode + + + ## Offboard devices using Group Policy For security reasons, the package used to Offboard devices will expire 30 days after the date it was downloaded. Expired offboarding packages sent to a device will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name. diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm.md index b06ae2ef0e..439c8e61f3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm.md @@ -15,11 +15,13 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 12/06/2018 --- # Onboard Windows 10 devices using Mobile Device Management tools +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** 
@@ -51,6 +53,8 @@ For more information on using Microsoft Defender ATP CSP see, [WindowsAdvancedTh >[!TIP] > After onboarding the device, you can choose to run a detection test to verify that a device is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender ATP device](run-detection-test.md). + + ## Offboard and monitor devices using Mobile Device Management tools For security reasons, the package used to Offboard devices will expire 30 days after the date it was downloaded. Expired offboarding packages sent to a device will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name. diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows.md index e59d230fb9..82e701c6e9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows.md @@ -19,6 +19,9 @@ ms.topic: article # Onboard non-Windows devices +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - macOS diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md index 5ad42ec668..edc7d67d77 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md 
@@ -20,6 +20,9 @@ ms.date: 02/07/2020 # Onboard Windows 10 devices using Configuration Manager +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) @@ -28,17 +31,24 @@ ms.date: 02/07/2020 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configureendpointssccm-abovefoldlink) - +## Supported client operating systems -## Onboard Windows 10 devices using Microsoft Endpoint Configuration Manager current branch +Based on the version of Configuration Manager you're running, the following client operating systems can be onboarded: -Configuration Manager current branch has integrated support to configure and manage Microsoft Defender ATP on managed devices. For more information, see [Microsoft Defender Advanced Threat Protection in Microsoft Endpoint Configuration Manager current branch](https://docs.microsoft.com/configmgr/protect/deploy-use/windows-defender-advanced-threat-protection). +#### Configuration Manager version 1910 and prior - +- Clients computers running Windows 10, version 1607 and later -## Onboard Windows 10 devices using earlier versions of System Center Configuration Manager +#### Configuration Manager version 2002 and later -You can use existing Configuration Manager functionality to create a policy to configure your devices. This action is supported in System Center 2012 R2 Configuration Manager. +Starting in Configuration Manager version 2002, you can onboard the following operating systems: + +- Windows 8.1 +- Windows 10, version 1607 or later +- Windows Server 2012 R2 +- Windows Server 2016 +- Windows Server 2016, version 1803 or later +- Windows Server 2019 ### Onboard devices using System Center Configuration Manager 
@@ -50,7 +60,7 @@ You can use existing Configuration Manager functionality to create a policy to c c. In the **Deployment method** field, select **System Center Configuration Manager 2012/2012 R2/1511/1602**. - d. Click **Download package**, and save the .zip file. + d. Select **Download package**, and save the .zip file. 2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATPOnboardingScript.cmd*. @@ -75,7 +85,11 @@ For more information, see [Configure Detection Methods in System Center 2012 R2 For each device, you can set a configuration value to state whether samples can be collected from the device when a request is made through Microsoft Defender Security Center to submit a file for deep analysis. -You can set a compliance rule for configuration item in System Center Configuration Manager to change the sample share setting on a device. +>[!NOTE] +>These configuration settings are typically done through Configuration Manager. + +You can set a compliance rule for configuration item in Configuration Manager to change the sample share setting on a device. + This rule should be a *remediating* compliance rule configuration item that sets the value of a registry key on targeted devices to make sure they’re complaint. The configuration is set through the following registry key entry: 
@@ -93,13 +107,49 @@ Possible values are: The default value in case the registry key doesn’t exist is 1. -For more information about System Center Configuration Manager Compliance see [Introduction to compliance settings in System Center 2012 R2 Configuration Manager](https://docs.microsoft.com/previous-versions/system-center/system-center-2012-R2/gg682139\(v=technet.10\)). +For more information about System Center Configuration Manager Compliance, see [Introduction to compliance settings in System Center 2012 R2 Configuration Manager](https://docs.microsoft.com/previous-versions/system-center/system-center-2012-R2/gg682139\(v=technet.10\)). +## Other recommended configuration settings +After onboarding devices to the service, it's important to take advantage of the included threat protection capabilities by enabling them with the following recommended configuration settings. + +### Device collection configuration +If you're using Endpoint Configuration Manager, version 2002 or later, you can choose to broaden the deployment to include servers or down-level clients. + + +### Next generation protection configuration +The following configuration settings are recommended: + +**Scan**
                        +- Scan removable storage devices such as USB drives: Yes + +**Real-time Protection**
                        +- Enable Behavioral Monitoring: Yes +- Enable protection against Potentially Unwanted Applications at download and prior to installation: Yes + +**Cloud Protection Service** +- Cloud Protection Service membership type: Advanced membership + +**Attack surface reduction** +Configure all available rules to Audit. + +>[!NOTE] +> Blocking these activities may interrupt legitimate business processes. The best approach is setting everything to audit, identifying which ones are safe to turn on, and then enabling those settings on endpoints which do not have false positive detections. + + +**Network protection**
                        +Prior to enabling network protection in audit or block mode, ensure that you've installed the antimalware platform update, which can be obtained from the [support page](https://support.microsoft.com/en-us/help/4560203/windows-defender-anti-malware-platform-binaries-are-missing). + + +**Controlled folder access**
                        +Enable the feature in audit mode for at least 30 days. After this period, review detections and create a list of applications that are allowed to write to protected directories. + +For more information, see [Evaluate controlled folder access](evaluate-controlled-folder-access.md). + ## Offboard devices using Configuration Manager -For security reasons, the package used to Offboard devices will expire 30 days after the date it was downloaded. Expired offboarding packages sent to an device will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name. +For security reasons, the package used to Offboard devices will expire 30 days after the date it was downloaded. Expired offboarding packages sent to a device will be rejected. When downloading an offboarding package, you will be notified of the packages expiry date and it will also be included in the package name. > [!NOTE] > Onboarding and offboarding policies must not be deployed on the same device at the same time, otherwise this will cause unpredictable collisions. @@ -118,7 +168,7 @@ If you use Microsoft Endpoint Configuration Manager current branch, see [Create c. In the **Deployment method** field, select **System Center Configuration Manager 2012/2012 R2/1511/1602**. - d. Click **Download package**, and save the .zip file. + d. Select **Download package**, and save the .zip file. 2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*. 
@@ -144,13 +194,13 @@ If you're using System Center 2012 R2 Configuration Manager, monitoring consists 1. In the Configuration Manager console, click **Monitoring** at the bottom of the navigation pane. -2. Click **Overview** and then **Deployments**. +2. Select **Overview** and then **Deployments**. -3. Click on the deployment with the package name. +3. Select on the deployment with the package name. 4. Review the status indicators under **Completion Statistics** and **Content Status**. - If there are failed deployments (devices with **Error**, **Requirements Not Met**, or **Failed statuses**), you may need to troubleshoot the devices. For more information see, [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md). + If there are failed deployments (devices with **Error**, **Requirements Not Met**, or **Failed statuses**), you may need to troubleshoot the devices. For more information, see, [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md). ![Configuration Manager showing successful deployment with no errors](images/sccm-deployment.png) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script.md index ebc09038ff..70821568d1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script.md @@ -19,6 +19,9 @@ ms.topic: article # Onboard Windows 10 devices using a local script +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** 
@@ -31,30 +34,32 @@ ms.topic: article You can also manually onboard individual devices to Microsoft Defender ATP. You might want to do this first when testing the service before you commit to onboarding all devices in your network. -> [!NOTE] -> The script has been optimized to be used on a limited number of devices (1-10 devices). To deploy to scale, use other deployment options. For more information on using other deployment options, see [Onboard Window 10 devices](configure-endpoints.md). +> [!IMPORTANT] +> This script has been optimized for use on up to 10 devices. +> +> To deploy at scale, use [other deployment options](configure-endpoints.md). For example, you can deploy an onboarding script to more than 10 devices in production with the script available in [Onboard Windows 10 devices using Group Policy](configure-endpoints-gp.md). ## Onboard devices 1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from [Microsoft Defender Security Center](https://securitycenter.windows.com/): - a. In the navigation pane, select **Settings** > **Onboarding**. + 1. In the navigation pane, select **Settings** > **Onboarding**. - b. Select Windows 10 as the operating system. + 1. Select Windows 10 as the operating system. - c. In the **Deployment method** field, select **Local Script**. + 1. In the **Deployment method** field, select **Local Script**. - d. Click **Download package** and save the .zip file. + 1. Click **Download package** and save the .zip file. 2. Extract the contents of the configuration package to a location on the device you want to onboard (for example, the Desktop). You should have a file named *WindowsDefenderATPOnboardingScript.cmd*. 3. Open an elevated command-line prompt on the device and run the script: - a. Go to **Start** and type **cmd**. + 1. Go to **Start** and type **cmd**. - b. 
Right-click **Command prompt** and select **Run as administrator**. + 1. Right-click **Command prompt** and select **Run as administrator**. - ![Window Start menu pointing to Run as administrator](images/run-as-admin.png) + ![Window Start menu pointing to Run as administrator](images/run-as-admin.png) 4. Type the location of the script file. If you copied the file to the desktop, type: *%userprofile%\Desktop\WindowsDefenderATPOnboardingScript.cmd* @@ -73,7 +78,7 @@ You can manually configure the sample sharing setting on the device by using *re The configuration is set through the following registry key entry: -``` +```console Path: “HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection” Name: "AllowSampleCollection" Value: 0 or 1 
@@ -95,23 +100,23 @@ For security reasons, the package used to Offboard devices will expire 30 days a 1. Get the offboarding package from [Microsoft Defender Security Center](https://securitycenter.windows.com/): - a. In the navigation pane, select **Settings** > **Offboarding**. + 1. In the navigation pane, select **Settings** > **Offboarding**. - b. Select Windows 10 as the operating system. + 1. Select Windows 10 as the operating system. - c. In the **Deployment method** field, select **Local Script**. + 1. In the **Deployment method** field, select **Local Script**. - d. Click **Download package** and save the .zip file. + 1. Click **Download package** and save the .zip file. 2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the devices. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*. 3. Open an elevated command-line prompt on the device and run the script: - a. Go to **Start** and type **cmd**. + 1. Go to **Start** and type **cmd**. - b. Right-click **Command prompt** and select **Run as administrator**. + 1. Right-click **Command prompt** and select **Run as administrator**. - ![Window Start menu pointing to Run as administrator](images/run-as-admin.png) + ![Window Start menu pointing to Run as administrator](images/run-as-admin.png) 4. Type the location of the script file. If you copied the file to the desktop, type: *%userprofile%\Desktop\WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd* diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md index 32e7e448f6..03c9870858 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md 
@@ -20,6 +20,9 @@ ms.date: 04/16/2020 # Onboard non-persistent virtual desktop infrastructure (VDI) devices +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - Virtual desktop infrastructure (VDI) devices @@ -30,6 +33,9 @@ ms.date: 04/16/2020 ## Onboard non-persistent virtual desktop infrastructure (VDI) devices +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + Microsoft Defender ATP supports non-persistent VDI session onboarding. >[!Note] @@ -63,25 +69,21 @@ The following steps will guide you through onboarding VDI devices and will highl 1. Click **Download package** and save the .zip file. -2. Copy the extracted files from the .zip into `golden/master` image under the path `C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup`. You should have a folder called `WindowsDefenderATPOnboardingPackage` containing the file `WindowsDefenderATPOnboardingScript.cmd`. +2. Copy the files from the WindowsDefenderATPOnboardingPackage folder extracted from the .zip file into the `golden/master` image under the path `C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup`. - >[!NOTE] - >If you don't see the `C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup` folder, it might be hidden. You'll need to choose the **Show hidden files and folders** option from file explorer. + 1. If you are not implementing a single entry for each device, copy WindowsDefenderATPOnboardingScript.cmd. -3. The following step is only applicable if you're implementing a single entry for each device:
                        - **For single entry for each device**: + 1. If you are implementing a single entry for each device, copy both Onboard-NonPersistentMachine.ps1 and WindowsDefenderATPOnboardingScript.cmd. - 1. From the `WindowsDefenderATPOnboardingPackage`, copy the `Onboard-NonPersistentMachine.ps1` and `WindowsDefenderATPOnboardingScript.cmd` file to `golden/master` image to the path `C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup`.
                        + > [!NOTE] + > If you don't see the `C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup` folder, it might be hidden. You'll need to choose the **Show hidden files and folders** option from File Explorer. - > [!NOTE] - > If you don't see the `C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup` folder, it might be hidden. You'll need to choose the **Show hidden files and folders** option from file explorer. - -4. Open a Local Group Policy Editor window and navigate to **Computer Configuration** > **Windows Settings** > **Scripts** > **Startup**. +3. Open a Local Group Policy Editor window and navigate to **Computer Configuration** > **Windows Settings** > **Scripts** > **Startup**. > [!NOTE] > Domain Group Policy may also be used for onboarding non-persistent VDI devices. -5. Depending on the method you'd like to implement, follow the appropriate steps:
                        +4. Depending on the method you'd like to implement, follow the appropriate steps:
                        **For single entry for each device**:
                        Select the **PowerShell Scripts** tab, then click **Add** (Windows Explorer will open directly in the path where you copied the onboarding script earlier). Navigate to onboarding PowerShell script `Onboard-NonPersistentMachine.ps1`. @@ -90,7 +92,7 @@ The following steps will guide you through onboarding VDI devices and will highl Select the **Scripts** tab, then click **Add** (Windows Explorer will open directly in the path where you copied the onboarding script earlier). Navigate to the onboarding bash script `WindowsDefenderATPOnboardingScript.cmd`. -6. Test your solution: +5. Test your solution: 1. Create a pool with one device. @@ -103,9 +105,9 @@ The following steps will guide you through onboarding VDI devices and will highl 1. **For single entry for each device**: Check only one entry in Microsoft Defender Security Center.
                        **For multiple entries for each device**: Check multiple entries in Microsoft Defender Security Center. -7. Click **Devices list** on the Navigation pane. +6. Click **Devices list** on the Navigation pane. -8. Use the search function by entering the device name and select **Device** as search type. +7. Use the search function by entering the device name and select **Device** as search type. ## Updating non-persistent virtual desktop infrastructure (VDI) images As a best practice, we recommend using offline servicing tools to patch golden/master images.
                        diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints.md index 867e457571..b77d79c856 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints.md @@ -19,6 +19,9 @@ ms.topic: conceptual # Onboarding tools and methods for Windows 10 devices +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** @@ -44,4 +47,4 @@ Topic | Description [Onboard non-persistent virtual desktop infrastructure (VDI) devices](configure-endpoints-vdi.md) | Learn how to use the configuration package to configure VDI devices. ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configureendpoints-belowfoldlink) \ No newline at end of file +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configureendpoints-belowfoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr.md b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr.md index 42f46bd701..db418af7ff 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr.md @@ -19,6 +19,9 @@ ms.topic: article # Optimize ASR rule deployment and detections +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** * [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-onboarding.md b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-onboarding.md index c189165c5f..eb72937f89 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-onboarding.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-onboarding.md @@ -19,6 +19,9 @@ ms.topic: article # Get devices onboarded to Microsoft Defender ATP +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline.md b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline.md index 958fa4756c..d8200f1502 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline.md @@ -19,6 +19,9 @@ ms.topic: article # Increase compliance to the Microsoft Defender ATP security baseline +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-machines.md b/windows/security/threat-protection/microsoft-defender-atp/configure-machines.md index 3e3bb64cc8..1b1b0495eb 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-machines.md 
@@ -19,6 +19,9 @@ ms.topic: conceptual # Ensure your devices are configured properly +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) @@ -78,4 +81,4 @@ Topic | Description [Increase compliance to the Microsoft Defender ATP security baseline](configure-machines-security-baseline.md) | Track baseline compliance and noncompliance. Deploy the security baseline to more Intune-managed devices. [Optimize ASR rule deployment and detections](configure-machines-asr.md) | Review rule deployment and tweak detections using impact analysis tools in Microsoft 365 security center. ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink) \ No newline at end of file +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md b/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md index 0be1734f27..c7d22f6095 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md @@ -19,6 +19,9 @@ ms.topic: article --- # Configure and manage Microsoft Threat Experts capabilities + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-notifications.md b/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-notifications.md index b7c4bf19d6..4455735f4f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-notifications.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-notifications.md @@ -19,6 +19,9 @@ ms.topic: article # Configure alert notifications that are sent to MSSPs +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) @@ -43,4 +46,4 @@ These check boxes must be checked: ## Related topics - [Grant MSSP access to the portal](grant-mssp-access.md) - [Access the MSSP customer portal](access-mssp-portal.md) -- [Fetch alerts from customer tenant](fetch-alerts-mssp.md) \ No newline at end of file +- [Fetch alerts from customer tenant](fetch-alerts-mssp.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md b/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md index 98599b9d18..fa877ecd83 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md @@ -19,6 +19,9 @@ ms.topic: article # Configure managed security service provider integration +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) @@ -63,6 +66,8 @@ This action is taken by the MSSP. It allows MSSPs to fetch alerts in SIEM tools. - **Fetch alerts from MSSP customer's tenant using APIs**
                        This action is taken by the MSSP. It allows MSSPs to fetch alerts using APIs. +## Multi-tenant access for MSSPs +For information on how to implement a multi-tenant delegated access, see [Multi-tenant access for Managed Security Service Providers](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/multi-tenant-access-for-managed-security-service-providers/ba-p/1533440). diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md b/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md index 18707f606c..d115e3867d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md @@ -19,6 +19,9 @@ ms.topic: article # Configure device proxy and Internet connectivity settings +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) @@ -111,7 +114,7 @@ If a proxy or firewall is blocking all traffic by default and allowing only spec |[![Thumb image for Microsoft Defender ATP URLs spreadsheet](images/mdatp-urls.png)](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx)
                        [Spreadsheet](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx) | The spreadsheet provides specific DNS records for service locations, geographic locations, and OS. -If a proxy or firewall has HTTPS scanning (SSL inspection) enabled, exclude the domains listed below from HTTPS scanning. +If a proxy or firewall has HTTPS scanning (SSL inspection) enabled, exclude the domains listed in the above table from HTTPS scanning. > [!NOTE] > settings-win.data.microsoft.com is only needed if you have Windows 10 devices running version 1803 or earlier.
                        @@ -150,7 +153,7 @@ Microsoft Defender ATP is built on Azure cloud, deployed in the following region - \+\ - \+\ -You can find the Azure IP range on [Microsoft Azure Datacenter IP Ranges](https://www.microsoft.com/en-us/download/details.aspx?id=41653). +You can find the Azure IP range on [Microsoft Azure Datacenter IP Ranges](https://www.microsoft.com/download/details.aspx?id=56519). > [!NOTE] > As a cloud-based solution, the IP range can change. It's recommended you move to DNS resolving setting. diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md index 99ed32fda4..38b47a18f9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md @@ -19,6 +19,9 @@ ms.topic: article # Onboard Windows servers to the Microsoft Defender ATP service +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - Windows Server 2008 R2 SP1 
@@ -140,8 +143,8 @@ You can onboard Windows Server (SAC) version 1803, Windows Server 2019, or Windo - [Local script](configure-endpoints-script.md) - [Group Policy](configure-endpoints-gp.md) -- [Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md#onboard-windows-10-devices-using-microsoft-endpoint-configuration-manager-current-branch) -- [System Center Configuration Manager 2012 / 2012 R2 1511 / 1602](configure-endpoints-sccm.md#onboard-windows-10-devices-using-earlier-versions-of-system-center-configuration-manager) +- [Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md) +- [System Center Configuration Manager 2012 / 2012 R2 1511 / 1602](configure-endpoints-sccm.md#onboard-devices-using-system-center-configuration-manager) - [VDI onboarding scripts for non-persistent devices](configure-endpoints-vdi.md) > [!NOTE] diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md b/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md index a72dbb0a7b..2767826ed6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md @@ -19,6 +19,9 @@ ms.topic: article # Pull detections to your SIEM tools +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/microsoft-defender-atp/connected-applications.md b/windows/security/threat-protection/microsoft-defender-atp/connected-applications.md index bc7f7201e2..69775ff5c3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/connected-applications.md +++ b/windows/security/threat-protection/microsoft-defender-atp/connected-applications.md 
@@ -19,6 +19,9 @@ ms.topic: conceptual --- # Connected applications in Microsoft Defender ATP + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md b/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md index 6efcb63fd5..e4e8f5ec72 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md +++ b/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md @@ -1,19 +1,17 @@ --- title: Prevent ransomware and threats from encrypting and changing files -description: Files in default folders can be protected from being changed by malicious apps. This can help prevent ransomware from encrypting your files. +description: Files in default folders can be protected from being changed by malicious apps. Prevent ransomware from encrypting your files. keywords: controlled folder access, windows 10, windows defender, ransomware, protect, files, folders search.product: eADQiWindows 10XVcnh -ms.pagetype: security ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -audience: ITPro author: denisebmsft ms.author: deniseb audience: ITPro -ms.date: 08/05/2019 +ms.date: 08/25/2020 ms.reviewer: v-maave manager: dansimp ms.custom: asr 
@@ -21,25 +19,32 @@ ms.custom: asr # Protect important folders with controlled folder access +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. It protects your data by checking against a list of known, trusted apps. Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients. It can be turned on via the Windows Security App, or from the Microsoft Endpoint Configuration Manager and Intune, for managed devices. Controlled folder access works best with [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md), which gives you detailed reporting into controlled folder access events and blocks as part of the usual [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md). +## What is controlled folder access? -Controlled folder access works by only allowing apps to access protected folders if the app is included on a list of trusted software. If an app isn't on the list, Controlled folder access will block it from making changes to files inside protected folders. +Controlled folder access helps you protect your valuable data from malicious apps and threats, like ransomware. Controlled folder access protects your data by checking apps against a list of known, trusted apps. Supported on Windows Server 2019 and Windows 10 clients, controlled folder access can be turned on using the Windows Security App or in Microsoft Endpoint Configuration Manager and Intune (for managed devices). -Apps are added to the trusted list based upon their prevalence and reputation. 
Apps that are highly prevalent throughout your organization, and that have never displayed any malicious behavior, are deemed trustworthy and automatically added to the list. +Controlled folder access works best with [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md), which gives you detailed reporting into controlled folder access events and blocks as part of the usual [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md). + +## How does controlled folder access work? + +Controlled folder access works by only allowing trusted apps to access protected folders. Protected folders are specified when controlled folder access is configured. Typically, commonly used folders, such as those used for documents, pictures, downloads, and so on, are included in the list of controlled folders. + +Controlled folder access works with a list of trusted software. If an app is included in the list of trusted software, the app works as expected. If not, the app is blocked from making any changes to files that are inside protected folders. Apps are added to the trusted list based upon their prevalence and reputation. Apps that are highly prevalent throughout your organization, and that have never displayed any malicious behavior, are deemed trustworthy and automatically added to the list. Apps can also be manually added to the trusted list via Configuration Manager and Intune. Additional actions, such as [adding a file indicator](../microsoft-defender-atp/respond-file-alerts.md#add-indicator-to-block-or-allow-a-file) for the app, can be performed from the Security Center Console. -Controlled folder access is especially useful in helping to protect your documents and information from [ransomware](https://www.microsoft.com/wdsi/threats/ransomware) that can attempt to encrypt your files and hold them hostage. 
- -With Controlled folder access in place, a notification will appear on the computer where the app attempted to make changes to a protected folder. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors. +Controlled folder access is especially useful in helping to protect your documents and information from [ransomware](https://www.microsoft.com/wdsi/threats/ransomware). In a ransomware attack, your files can get encrypted and held hostage. With controlled folder access in place, a notification appears on the computer where an app attempted to make changes to a file in a protected folder. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors. The protected folders include common system folders, and you can [add additional folders](customize-controlled-folders.md#protect-additional-folders). You can also [allow apps](customize-controlled-folders.md#allow-specific-apps-to-make-changes-to-controlled-folders) to give them access to the protected folders. -You can use [audit mode](audit-windows-defender.md) to evaluate how controlled folder access would impact your organization if it were enabled. You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. +You can use [audit mode](audit-windows-defender.md) to evaluate how controlled folder access would impact your organization if it were enabled. 
You can also visit the Windows Defender Test ground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. Controlled folder access is supported on Windows 10, version 1709 and later and Windows Server 2019. @@ -47,13 +52,13 @@ Controlled folder access is supported on Windows 10, version 1709 and later and Controlled folder access requires enabling [Microsoft Defender Antivirus real-time protection](../microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md). -## Review controlled folder access events in the Microsoft Defender ATP Security Center +## Review controlled folder access events in the Microsoft Defender Security Center Microsoft Defender ATP provides detailed reporting into events and blocks as part of its [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md). You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender.md), you can use advanced hunting to see how controlled folder access settings would affect your environment if they were enabled. -Here is an example query +Example query: ```PowerShell DeviceEvents 
@@ -68,24 +73,42 @@ You can review the Windows event log to see events that are created when control 2. Type **Event viewer** in the Start menu to open the Windows Event Viewer. -3. On the left panel, under **Actions**, click **Import custom view...**. +3. On the left panel, under **Actions**, select **Import custom view...**. 4. Navigate to where you extracted *cfa-events.xml* and select it. Alternatively, [copy the XML directly](event-views.md). 5. Click **OK**. -This will create a custom view that filters to only show the following events related to controlled folder access: +After following the procedure, you have created a custom view that shows events related to controlled folder access, as listed in the following table: -Event ID | Description --|- -5007 | Event when settings are changed -1124 | Audited controlled folder access event -1123 | Blocked controlled folder access event +|Event ID | Description | +|---|---| +|5007 | Event when settings are changed | +|1124 | Audited controlled folder access event | +|1123 | Blocked controlled folder access event | -## In this section +## View or change the list of protected folders -Topic | Description --|- -[Evaluate controlled folder access](evaluate-controlled-folder-access.md) | Use a dedicated demo tool to see how controlled folder access works, and what events would typically be created. -[Enable controlled folder access](enable-controlled-folders.md) | Use Group Policy, PowerShell, or MDM CSPs to enable and manage controlled folder access in your network -[Customize controlled folder access](customize-controlled-folders.md) | Add additional protected folders, and allow specified apps to access protected folders. +### Windows 10 security app + +1. On your Windows 10 device, open the Windows Security app. + +2. Select **Virus & threat protection**. + +3. Under **Ransomware protection**, select **Manage ransomware protection**. + +4. If controlled folder access is turned off, you'll need to turn it on. 
Select **protected folders**. + +5. Do one of the following steps: + + - To add a folder, select **+ Add a protected folder**. + + - To remove a folder, select it, and then select **Remove**. + +## See also + +- [Evaluate controlled folder access](evaluate-controlled-folder-access.md). Use a dedicated demo tool to see how controlled folder access works, and what events would typically be created. + +- [Enable controlled folder access](enable-controlled-folders.md). Use Group Policy, PowerShell, or mobile device management CSPs to enable and manage controlled folder access in your network + +- [Customize controlled folder access](customize-controlled-folders.md). Add additional protected folders, and allow specified apps to access protected folders. diff --git a/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md b/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md index d08c4e2bba..e02de4aa8b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md +++ b/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md @@ -1,6 +1,6 @@ --- title: Create alert from event API -description: Creates an alert using event details +description: Learn how to use the Create alert API to create a new Alert on top of Event in Microsoft Defender Advanced Threat Protection. keywords: apis, graph api, supported apis, get, alert, information, id search.product: eADQiWindows 10XVcnh ms.prod: w10 
@@ -18,6 +18,9 @@ ms.topic: article # Create alert API +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md index 7481a4362e..79ab34fce9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md +++ b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md @@ -1,7 +1,7 @@ --- -title: Create and manage custom detection rules in Microsoft Defender ATP +title: Create custom detection rules in Microsoft Defender ATP ms.reviewer: -description: Learn how to create and manage custom detection rules based on advanced hunting queries +description: Learn how to create custom detection rules based on advanced hunting queries keywords: custom detections, create, manage, alerts, edit, run on demand, frequency, interval, detection rules, advanced hunting, hunt, query, response actions, mdatp, microsoft defender atp search.product: eADQiWindows 10XVcnh search.appverid: met150 
@@ -18,22 +18,30 @@ ms.collection: M365-security-compliance ms.topic: article --- +# Create custom detection rules + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -# Create and manage custom detection rules **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -Custom detection rules built from [Advanced hunting](advanced-hunting-overview.md) queries let you proactively monitor various events and system states, including suspected breach activity and misconfigured devices. You can set them to run at regular intervals, generating alerts and taking response actions whenever there are matches. +Custom detection rules built from [advanced hunting](advanced-hunting-overview.md) queries let you proactively monitor various events and system states, including suspected breach activity and misconfigured devices. You can set them to run at regular intervals, generating alerts and taking response actions whenever there are matches. -> [!NOTE] -> To create and manage custom detections, [your role](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) needs to have the **manage security settings** permission. +Read this article to learn how to create new custom detection rules. Or [see viewing and managing existing rules](custom-detections-manage.md). -## Create a custom detection rule -### 1. Prepare the query. +## 1. Check required permissions -In Microsoft Defender Security Center, go to **Advanced hunting** and select an existing query or create a new query. When using an new query, run the query to identify errors and understand possible results. +To create or manage custom detections, [your role](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) needs to have the **manage security settings** permission. -#### Required columns in the query results +## 2. 
Prepare the query + +In Microsoft Defender Security Center, go to **Advanced hunting** and select an existing query or create a new query. When using a new query, run the query to identify errors and understand possible results. + +>[!IMPORTANT] +>To prevent the service from returning too many alerts, each rule is limited to generating only 100 alerts whenever it runs. Before creating a rule, tweak your query to avoid alerting for normal, day-to-day activity. + + +### Required columns in the query results To use a query for a custom detection rule, the query must return the `Timestamp`, `DeviceId`, and `ReportId` columns in the results. Simple queries, such as those that don't use the `project` or `summarize` operator to customize or aggregate results, typically return these common columns. There are various ways to ensure more complex queries return these columns. For example, if you prefer to aggregate and count by `DeviceId`, you can still return `Timestamp` and `ReportId` by getting them from the most recent event involving each device. 
@@ -48,83 +56,60 @@ DeviceEvents | where count_ > 5 ``` -### 2. Create new rule and provide alert details. +## 3. Create new rule and provide alert details With the query in the query editor, select **Create detection rule** and specify the following alert details: -- **Detection name** — name of the detection rule -- **Frequency** — interval for running the query and taking action. [See additional guidance below](#rule-frequency) -- **Alert title** — title displayed with alerts triggered by the rule -- **Severity** — potential risk of the component or activity identified by the rule. [Read about alert severities](alerts-queue.md#severity) -- **Category** — type of threat component or activity, if any. [Read about alert categories](alerts-queue.md#understanding-alert-categories) -- **Description** — more information about the component or activity identified by the rule -- **Recommended actions** — additional actions that responders might take in response to an alert +- **Detection name**—name of the detection rule +- **Frequency**—interval for running the query and taking action. [See additional guidance below](#rule-frequency) +- **Alert title**—title displayed with alerts triggered by the rule +- **Severity**—potential risk of the component or activity identified by the rule. [Read about alert severities](alerts-queue.md#severity) +- **Category**—type of threat component or activity, if any. [Read about alert categories](alerts-queue.md#understanding-alert-categories) +- **MITRE ATT&CK techniques**—one or more attack techniques identified by the rule as documented in the MITRE ATT&CK framework. 
This section is not available with certain alert categories, such as malware, ransomware, suspicious activity, and unwanted software +- **Description**—more information about the component or activity identified by the rule +- **Recommended actions**—additional actions that responders might take in response to an alert For more information about how alert details are displayed, [read about the alert queue](alerts-queue.md). -#### Rule frequency +### Rule frequency When saved, a new or edited custom detection rule immediately runs and checks for matches from the past 30 days of data. The rule then runs again at fixed intervals and lookback durations based on the frequency you choose: -- **Every 24 hours** — runs every 24 hours, checking data from the past 30 days -- **Every 12 hours** — runs every 12 hours, checking data from the past 24 hours -- **Every 3 hours** — runs every 3 hours, checking data from the past 6 hours -- **Every hour** — runs hourly, checking data from the past 2 hours +- **Every 24 hours**—runs every 24 hours, checking data from the past 30 days +- **Every 12 hours**—runs every 12 hours, checking data from the past 24 hours +- **Every 3 hours**—runs every 3 hours, checking data from the past 6 hours +- **Every hour**—runs hourly, checking data from the past 2 hours Select the frequency that matches how closely you want to monitor detections, and consider your organization's capacity to respond to the alerts. -### 3. Specify actions on files or devices. +## 4. Specify actions on files or devices Your custom detection rule can automatically take actions on files or devices that are returned by the query. -#### Actions on devices +### Actions on devices These actions are applied to devices in the `DeviceId` column of the query results: -- **Isolate device** — applies full network isolation, preventing the device from connecting to any application or service, except for the Microsoft Defender ATP service. 
[Learn more about device isolation](respond-machine-alerts.md#isolate-devices-from-the-network) -- **Collect investigation package** — collects device information in a ZIP file. [Learn more about the investigation package](respond-machine-alerts.md#collect-investigation-package-from-devices) -- **Run antivirus scan** — performs a full Microsoft Defender Antivirus scan on the device -- **Initiate investigation** — initiates an [automated investigation](automated-investigations.md) on the device +- **Isolate device**—applies full network isolation, preventing the device from connecting to any application or service, except for the Microsoft Defender ATP service. [Learn more about device isolation](respond-machine-alerts.md#isolate-devices-from-the-network) +- **Collect investigation package**—collects device information in a ZIP file. [Learn more about the investigation package](respond-machine-alerts.md#collect-investigation-package-from-devices) +- **Run antivirus scan**—performs a full Microsoft Defender Antivirus scan on the device +- **Initiate investigation**—starts an [automated investigation](automated-investigations.md) on the device -#### Actions on files +### Actions on files These actions are applied to files in the `SHA1` or the `InitiatingProcessSHA1` column of the query results: -- **Allow/Block** — automatically adds the file to your [custom indicator list](manage-indicators.md) so that it is always allowed to run or blocked from running. You can set the scope of this action so that it is taken only on selected device groups. This scope is independent of the scope of the rule. -- **Quarantine file** — deletes the file from its current location and places a copy in quarantine +- **Allow/Block**—automatically adds the file to your [custom indicator list](manage-indicators.md) so that it is always allowed to run or blocked from running. You can set the scope of this action so that it is taken only on selected device groups. 
This scope is independent of the scope of the rule. +- **Quarantine file**—deletes the file from its current location and places a copy in quarantine -### 4. Click **Create** to save and turn on the rule. -After reviewing the rule, click **Create** to save it. The custom detection rule immediately runs. It runs again based on configured frequency to check for matches, generate alerts, and take response actions. +## 5. Set the rule scope +Set the scope to specify which devices are covered by the rule: -## Manage existing custom detection rules -In **Settings** > **Custom detections**, you can view the list of existing custom detection rules, check their previous runs, and review the alerts they have triggered. You can also run a rule on demand and modify it. +- All devices +- Specific device groups -### View existing rules +Only data from devices in scope will be queried. Also, actions will be taken only on those devices. -To view all existing custom detection rules, navigate to **Settings** > **Custom detections**. The page lists all the rules with the following run information: +## 6. Review and turn on the rule +After reviewing the rule, select **Create** to save it. The custom detection rule immediately runs. It runs again based on configured frequency to check for matches, generate alerts, and take response actions. -- **Last run** — when a rule was last run to check for query matches and generate alerts -- **Last run status** — whether a rule ran successfully -- **Next run** — the next scheduled run -- **Status** — whether a rule has been turned on or off -### View rule details, modify rule, and run rule - -To view comprehensive information about a custom detection rule, select the name of rule from the list of rules in **Settings** > **Custom detections**. 
This opens a page about the custom detection rule with the following information: - -- General information about the rule, including the details of the alert, run status, and scope -- List of triggered alerts -- List of triggered actions - -![Custom detection rule page](images/atp-custom-detection-rule-details.png)
                        -*Custom detection rule page* - -You can also take the following actions on the rule from this page: - -- **Run** — run the rule immediately. This also resets the interval for the next run. -- **Edit** — modify the rule without changing the query -- **Modify query** — edit the query in advanced hunting -- **Turn on** / **Turn off** — enable the rule or stop it from running -- **Delete** — turn off the rule and remove it - ->[!TIP] ->To quickly view information and take action on an item in a table, use the selection column [✓] at the left of the table. - -## Related topic +## Related topics +- [View and manage detection rules](custom-detections-manage.md) - [Custom detections overview](overview-custom-detections.md) - [Advanced hunting overview](advanced-hunting-overview.md) - [Learn the advanced hunting query language](advanced-hunting-query-language.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/custom-detections-manage.md b/windows/security/threat-protection/microsoft-defender-atp/custom-detections-manage.md new file mode 100644 index 0000000000..855bd65993 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/custom-detections-manage.md 
@@ -0,0 +1,70 @@
+---
+title: View and manage custom detection rules in Microsoft Defender ATP
+ms.reviewer:
+description: Learn how to view and manage custom detection rules
+keywords: custom detections, view, manage, alerts, edit, run on demand, detection rules, advanced hunting, hunt, query, response actions, mdatp, microsoft defender atp
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: lomayor
+author: lomayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+
+# View and manage custom detection rules
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+Manage your existing [custom detection rules](custom-detection-rules.md) to ensure they are effectively finding threats and taking actions. Explore how to view the list of rules, check their previous runs, and review the alerts they have triggered. You can also run a rule on demand and modify it.
+
+## Required permissions
+
+To create or manage custom detections, [your role](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) needs to have the **manage security settings** permission.
+
+## View existing rules
+
+To view all existing custom detection rules, navigate to **Settings** > **Custom detections**. The page lists all the rules with the following run information:
+
+- **Last run**—when a rule was last run to check for query matches and generate alerts
+- **Last run status**—whether a rule ran successfully
+- **Next run**—the next scheduled run
+- **Status**—whether a rule has been turned on or off
+
+## View rule details, modify rule, and run rule
+
+To view comprehensive information about a custom detection rule, select the name of rule from the list of rules in **Settings** > **Custom detections**. A page about the selected rule displays the following information:
+
+- General information about the rule, including the details of the alert, run status, and scope
+- List of triggered alerts
+- List of triggered actions
+
+![Custom detection rule page](images/atp-custom-detection-rule-details.png)
+*Custom detection rule page*
+
+You can also take the following actions on the rule from this page:
+
+- **Run**—run the rule immediately. This action also resets the interval for the next run.
+- **Edit**—modify the rule without changing the query
+- **Modify query**—edit the query in advanced hunting
+- **Turn on** / **Turn off**—enable the rule or stop it from running
+- **Delete**—turn off the rule and remove it
+
+>[!TIP]
+>To quickly view information and take action on an item in a table, use the selection column [✓] at the left of the table.
+
+## Related topics
+- [Custom detections overview](overview-custom-detections.md)
+- [Create detection rules](custom-detection-rules.md)
+- [Advanced hunting overview](advanced-hunting-overview.md)
+- [View and organize alerts](alerts-queue.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction.md
index a7c6223e18..2773f28ed5 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction.md
@@ -1,24 +1,24 @@ --- -title: Configure how attack surface reduction rules work to fine-tune protection in your network -description: You can individually set rules in audit, block, or disabled modes, and add files and folders that should be excluded from ASR +title: Customize attack surface reduction rules +description: Individually set rules in audit, block, or disabled modes, and add files and folders that should be excluded from attack surface reduction rules keywords: Attack surface reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, customize, configure, exclude search.product: eADQiWindows 10XVcnh -ms.pagetype: security ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium audience: ITPro author: levinec ms.author: ellevin -ms.date: 05/20/2020 ms.reviewer: manager: dansimp --- # Customize attack surface reduction rules +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** * [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) 
@@ -35,21 +35,21 @@ You can set attack surface reduction rules for devices running any of the follow - Windows 10 Enterprise, [version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) or later - Windows Server, [version 1803 (Semi-Annual Channel)](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) or later - [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) -You can use Group Policy, PowerShell, and MDM CSPs to configure these settings. +You can use Group Policy, PowerShell, and Mobile Device Management (MDM) configuration service providers (CSP) to configure these settings. ## Exclude files and folders -You can exclude files and folders from being evaluated by attack surface reduction rules. This means that even if an attack surface reduction rule detects that the file contains malicious behavior, the file will not be blocked from running. +You can choose to exclude files and folders from being evaluated by attack surface reduction rules. Once excluded, the file won't be blocked from running even if an attack surface reduction rule detects that the file contains malicious behavior. > [!WARNING] > This could potentially allow unsafe files to run and infect your devices. Excluding files or folders can severely reduce the protection provided by attack surface reduction rules. Files that would have been blocked by a rule will be allowed to run, and there will be no report or event recorded. -An exclusion applies to all rules that allow exclusions. You can specify an individual file, folder path, or the fully qualified domain name for a resource, but you cannot limit an exclusion to a specific rule. +An exclusion applies to all rules that allow exclusions. You can specify an individual file, folder path, or the fully qualified domain name for a resource. However, you cannot limit an exclusion to a specific rule. 
An exclusion is applied only when the excluded application or service starts. For example, if you add an exclusion for an update service that is already running, the update service will continue to trigger events until the service is stopped and restarted. -Attack surface reduction supports environment variables and wildcards. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists). -If you are encountering problems with rules detecting files that you believe should not be detected, you should [use audit mode to test the rule](evaluate-attack-surface-reduction.md). +Attack surface reduction supports environment variables and wildcards. For information about using wildcards, see [use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists). +If you are encountering problems with rules detecting files that you believe should not be detected, [use audit mode to test the rule](evaluate-attack-surface-reduction.md). Rule description | GUID -|-|- 
@@ -73,20 +73,20 @@ See the [attack surface reduction](attack-surface-reduction.md) topic for detail ### Use Group Policy to exclude files and folders -1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and select **Edit**. -2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +2. In the **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**. 3. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Windows Defender Exploit Guard** > **Attack surface reduction**. -4. Double-click the **Exclude files and paths from Attack surface reduction Rules** setting and set the option to **Enabled**. Click **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item. +4. Double-click the **Exclude files and paths from Attack surface reduction Rules** setting and set the option to **Enabled**. Select **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item. > [!WARNING] > Do not use quotes as they are not supported for either the **Value name** column or the **Value** column. ### Use PowerShell to exclude files and folders -1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and click **Run as administrator** +1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and select **Run as administrator** 2. Enter the following cmdlet: ```PowerShell 
@@ -104,7 +104,7 @@ Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusio ## Customize the notification -See the [Windows Security](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file. +You can customize the notification for when a rule is triggered and blocks an app or file. See the [Windows Security](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) article. ## Related topics diff --git a/windows/security/threat-protection/microsoft-defender-atp/customize-controlled-folders.md b/windows/security/threat-protection/microsoft-defender-atp/customize-controlled-folders.md index 6a0da83f4f..f35a4eefd9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/customize-controlled-folders.md +++ b/windows/security/threat-protection/microsoft-defender-atp/customize-controlled-folders.md 
@@ -1,31 +1,31 @@ --- -title: Add additional folders and apps to be protected -description: Add additional folders that should be protected by Controlled folder access, or allow apps that are incorrectly blocking changes to important files. +title: Customize controlled folder access +description: Add additional folders that should be protected by controlled folder access, or allow apps that are incorrectly blocking changes to important files. keywords: Controlled folder access, windows 10, windows defender, ransomware, protect, files, folders, customize, add folder, add app, allow, add executable search.product: eADQiWindows 10XVcnh -ms.pagetype: security ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium audience: ITPro author: levinec ms.author: ellevin -ms.date: 05/13/2019 ms.reviewer: manager: dansimp --- # Customize controlled folder access +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** * [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients. +Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. Controlled folder access is supported on Windows Server 2019 and Windows 10 clients. 
-This topic describes how to customize the following settings of the controlled folder access feature with the Windows Security app, Group Policy, PowerShell, and mobile device management (MDM) configuration service providers (CSPs): +This article describes how to customize the following settings of the controlled folder access feature with the Windows Security app, Group Policy, PowerShell, and mobile device management (MDM) configuration service providers (CSPs). * [Add additional folders to be protected](#protect-additional-folders) * [Add apps that should be allowed to access protected folders](#allow-specific-apps-to-make-changes-to-controlled-folders) 
@@ -37,11 +37,9 @@ This topic describes how to customize the following settings of the controlled f ## Protect additional folders -Controlled folder access applies to a number of system folders and default locations, including folders such as Documents, Pictures, Movies, and Desktop. +Controlled folder access applies to a number of system folders and default locations, such as Documents, Pictures, Movies, and Desktop. You can add additional folders to be protected, but you can't remove the default folders in the default list. -You can add additional folders to be protected, but you cannot remove the default folders in the default list. - -Adding other folders to controlled folder access can be useful, for example, if you don't store files in the default Windows libraries or you've changed the location of the libraries away from the defaults. +Adding other folders to controlled folder access can be useful. Some use-cases include if you don't store files in the default Windows libraries, or you've changed the location of the libraries away from the defaults. You can also enter network shares and mapped drives. Environment variables and wildcards are supported. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists). 
@@ -49,27 +47,27 @@ You can use the Windows Security app or Group Policy to add and remove additiona ### Use the Windows Security app to protect additional folders -1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. +1. Open the Windows Security app by selecting the shield icon in the task bar or searching the start menu for **Defender**. -2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then click **Ransomware protection**: +2. Select the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then select **Ransomware protection**. -3. Under the **Controlled folder access** section, click **Protected folders** +3. Under the **Controlled folder access** section, select **Protected folders**. -4. Click **Add a protected folder** and follow the prompts to add apps. +4. Select **Add a protected folder** and follow the prompts to add apps. ### Use Group Policy to protect additional folders -1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and select **Edit**. -2. In the **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**. +2. In the **Group Policy Management Editor**, go to **Computer configuration** and select **Administrative templates**. 3. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Windows Defender Exploit Guard** > **Controlled folder access**. -4. Double-click **Configured protected folders** and set the option to **Enabled**. Click **Show** and enter each folder. 
+4. Double-click **Configured protected folders** and set the option to **Enabled**. Select **Show** and enter each folder. ### Use PowerShell to protect additional folders -1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator** +1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and select **Run as administrator** 2. Enter the following cmdlet: ```PowerShell 
@@ -89,41 +87,41 @@ Use the [./Vendor/MSFT/Policy/Config/Defender/GuardedFoldersList](https://docs.m ## Allow specific apps to make changes to controlled folders -You can specify if certain apps should always be considered safe and given write access to files in protected folders. Allowing apps can be useful if you're finding a particular app that you know and trust is being blocked by the controlled folder access feature. +You can specify if certain apps are always considered safe and give write access to files in protected folders. Allowing apps can be useful if a particular app you know and trust is being blocked by the controlled folder access feature. > [!IMPORTANT] > By default, Windows adds apps that it considers friendly to the allowed list—apps added automatically by Windows are not recorded in the list shown in the Windows Security app or by using the associated PowerShell cmdlets. > You shouldn't need to add most apps. Only add apps if they are being blocked and you can verify their trustworthiness. -When you add an app, you have to specify the app's location. Only the app in that location will be permitted access to the protected folders - if the app (with the same name) is located in a different location, then it will not be added to the allow list and may be blocked by controlled folder access. +When you add an app, you have to specify the app's location. Only the app in that location will be permitted access to the protected folders. If the app (with the same name) is in a different location, it will not be added to the allow list and may be blocked by controlled folder access. -An allowed application or service only has write access to a controlled folder after it starts. For example, if you allow an update service that is already running, the update service will continue to trigger events until the service is stopped and restarted. +An allowed application or service only has write access to a controlled folder after it starts. 
For example, an update service will continue to trigger events after it's allowed until it is stopped and restarted. ### Use the Windows Defender Security app to allow specific apps -1. Open the Windows Security by clicking the shield icon in the task bar or searching the start menu for **Defender**. +1. Open the Windows Security by selecting the shield icon in the task bar or searching the start menu for **Defender**. -2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then click **Ransomware protection**. +2. Select the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then select **Ransomware protection**. -3. Under the **Controlled folder access** section, click **Allow an app through Controlled folder access** +3. Under the **Controlled folder access** section, select **Allow an app through Controlled folder access** -4. Click **Add an allowed app** and follow the prompts to add apps. +4. Select **Add an allowed app** and follow the prompts to add apps. ![Screenshot of how to add an allowed app button](../images/cfa-allow-app.png) ### Use Group Policy to allow specific apps -1. On your Group Policy management device, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management device, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and select **Edit**. -2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +2. In the **Group Policy Management Editor**, go to **Computer configuration** and select **Administrative templates**. 3. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Windows Defender Exploit Guard** > **Controlled folder access**. 
-4. Double-click the **Configure allowed applications** setting and set the option to **Enabled**. Click **Show** and enter each app. +4. Double-click the **Configure allowed applications** setting and set the option to **Enabled**. Select **Show** and enter each app. ### Use PowerShell to allow specific apps -1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and click **Run as administrator** +1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and select **Run as administrator** 2. Enter the following cmdlet: ```PowerShell @@ -149,7 +147,7 @@ Use the [./Vendor/MSFT/Policy/Config/Defender/GuardedFoldersAllowedApplications] ## Customize the notification -See the [Windows Security](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file. +For more information about customizing the notification when a rule is triggered and blocks an app or file, see [Windows Security](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center). ## Related topics diff --git a/windows/security/threat-protection/microsoft-defender-atp/customize-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/customize-exploit-protection.md index 13358eb288..081c5218c3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/customize-exploit-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/customize-exploit-protection.md 
@@ -1,35 +1,35 @@ --- -title: Enable or disable specific mitigations used by Exploit protection +title: Customize exploit protection keywords: Exploit protection, mitigations, enable, powershell, dep, cfg, emet, aslr -description: You can enable individual mitigations using the Windows Security app or PowerShell. You can also audit mitigations and export configurations. +description: You can enable or disable specific mitigations used by exploit protection using the Windows Security app or PowerShell. You can also audit mitigations and export configurations. search.product: eADQiWindows 10XVcnh -ms.pagetype: security ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium audience: ITPro author: levinec ms.author: ellevin -ms.date: 03/26/2019 ms.reviewer: manager: dansimp --- # Customize exploit protection +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** * [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Exploit protection automatically applies a number of exploit mitigation techniques on both the operating system processes and on individual apps. -You configure these settings using the Windows Security app on an individual device, and then export the configuration as an XML file that you can deploy to other devices. You can use Group Policy to distribute the XML file to multiple devices at once. You can also configure the mitigations with PowerShell. +Configure these settings using the Windows Security app on an individual device. Then, export the configuration as an XML file so you can deploy to other devices. Use Group Policy to distribute the XML file to multiple devices at once. You can also configure the mitigations with PowerShell. 
-This topic lists each of the mitigations available in exploit protection, indicates whether the mitigation can be applied system-wide or to individual apps, and provides a brief description of how the mitigation works. +This article lists each of the mitigations available in exploit protection. It indicates whether the mitigation can be applied system-wide or to individual apps, and provides a brief description of how the mitigation works. -It also describes how to enable or configure the mitigations using Windows Security, PowerShell, and MDM CSPs. This is the first step in creating a configuration that you can deploy across your network. The next step involves [generating or exporting, importing, and deploying the configuration to multiple devices](import-export-exploit-protection-emet-xml.md). +It also describes how to enable or configure the mitigations using Windows Security, PowerShell, and mobile device management (MDM) configuration service providers (CSPs). This is the first step in creating a configuration that you can deploy across your network. The next step involves [generating, exporting, importing, and deploying the configuration to multiple devices](import-export-exploit-protection-emet-xml.md). > [!WARNING] > Some security mitigation technologies may have compatibility issues with some applications. You should test exploit protection in all target use scenarios by using [audit mode](evaluate-exploit-protection.md) before deploying the configuration across a production environment or the rest of your network. 
@@ -38,20 +38,20 @@ It also describes how to enable or configure the mitigations using Windows Secur All mitigations can be configured for individual apps. Some mitigations can also be applied at the operating system level. -You can set each of the mitigations to on, off, or to their default value. Some mitigations have additional options, these are indicated in the description in the table. +You can set each of the mitigations on, off, or to their default value. Some mitigations have additional options that are indicated in the description in the table. Default values are always specified in brackets at the **Use default** option for each mitigation. In the following example, the default for Data Execution Prevention is "On". The **Use default** configuration for each of the mitigation settings indicates our recommendation for a base level of protection for everyday usage for home users. Enterprise deployments should consider the protection required for their individual needs and may need to modify configuration away from the defaults. -For the associated PowerShell cmdlets for each mitigation, see the [PowerShell reference table](#cmdlets-table) at the bottom of this topic. +For the associated PowerShell cmdlets for each mitigation, see the [PowerShell reference table](#cmdlets-table) at the bottom of this article. Mitigation | Description | Can be applied to | Audit mode available -|-|-|- Control flow guard (CFG) | Ensures control flow integrity for indirect calls. Can optionally suppress exports and use strict CFG. | System and app-level | [!include[Check mark no](../images/svg/check-no.svg)] Data Execution Prevention (DEP) | Prevents code from being run from data-only memory pages such as the heap and stacks. Only configurable for 32-bit (x86) apps, permanently enabled for all other architectures. Can optionally enable ATL thunk emulation. 
| System and app-level | [!include[Check mark no](../images/svg/check-no.svg)] Force randomization for images (Mandatory ASLR) | Forcibly relocates images not compiled with /DYNAMICBASE. Can optionally fail loading images that don't have relocation information. | System and app-level | [!include[Check mark no](../images/svg/check-no.svg)] -Randomize memory allocations (Bottom-Up ASLR) | Randomizes locations for virtual memory allocations including those for system structures heaps, stacks, TEBs, and PEBs. Can optionally use a wider randomization variance for 64-bit processes. | System and app-level | [!include[Check mark no](../images/svg/check-no.svg)] +Randomize memory allocations (Bottom-Up ASLR) | Randomizes locations for virtual memory allocations. It includes system structure heaps, stacks, TEBs, and PEBs. Can optionally use a wider randomization variance for 64-bit processes. | System and app-level | [!include[Check mark no](../images/svg/check-no.svg)] Validate exception chains (SEHOP) | Ensures the integrity of an exception chain during exception dispatch. Only configurable for 32-bit (x86) applications. | System and app-level | [!include[Check mark no](../images/svg/check-no.svg)] Validate heap integrity | Terminates a process when heap corruption is detected. | System and app-level | [!include[Check mark no](../images/svg/check-no.svg)] Arbitrary code guard (ACG) | Prevents the introduction of non-image-backed executable code and prevents code pages from being modified. Can optionally allow thread opt-out and allow remote downgrade (configurable only with PowerShell). | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)] 
@@ -61,14 +61,14 @@ Block untrusted fonts | Prevents loading any GDI-based fonts not installed in th Code integrity guard | Restricts loading of images signed by Microsoft, WHQL, or higher. Can optionally allow Microsoft Store signed images. | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)] Disable extension points | Disables various extensibility mechanisms that allow DLL injection into all processes, such as AppInit DLLs, window hooks, and Winsock service providers. | App-level only | [!include[Check mark no](../images/svg/check-no.svg)] Disable Win32k system calls | Prevents an app from using the Win32k system call table. | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)] -Do not allow child processes | Prevents an app from creating child processes. | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)] +Don't allow child processes | Prevents an app from creating child processes. | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)] Export address filtering (EAF) | Detects dangerous operations being resolved by malicious code. Can optionally validate access by modules commonly used by exploits. | App-level only | [!include[Check mark no](../images/svg/check-no.svg)] Import address filtering (IAF) | Detects dangerous operations being resolved by malicious code. | App-level only | [!include[Check mark no](../images/svg/check-no.svg)] Simulate execution (SimExec) | Ensures that calls to sensitive APIs return to legitimate callers. Only configurable for 32-bit (x86) applications. Not compatible with ACG | App-level only | [!include[Check mark no](../images/svg/check-no.svg)] Validate API invocation (CallerCheck) | Ensures that sensitive APIs are invoked by legitimate callers. Only configurable for 32-bit (x86) applications. 
Not compatible with ACG | App-level only | [!include[Check mark no](../images/svg/check-no.svg)] Validate handle usage | Causes an exception to be raised on any invalid handle references. | App-level only | [!include[Check mark no](../images/svg/check-no.svg)] Validate image dependency integrity | Enforces code signing for Windows image dependency loading. | App-level only | [!include[Check mark no](../images/svg/check-no.svg)] -Validate stack integrity (StackPivot) | Ensures that the stack has not been redirected for sensitive APIs. Not compatible with ACG | App-level only | [!include[Check mark no](../images/svg/check-no.svg)] +Validate stack integrity (StackPivot) | Ensures that the stack hasn't been redirected for sensitive APIs. Not compatible with ACG | App-level only | [!include[Check mark no](../images/svg/check-no.svg)] > [!IMPORTANT] > If you add an app to the **Program settings** section and configure individual mitigation settings there, they will be honored above the configuration for the same mitigations specified in the **System settings** section. The following matrix and examples help to illustrate how defaults work: 
@@ -107,9 +107,9 @@ Validate stack integrity (StackPivot) | Ensures that the stack has not been redi ### Configure system-level mitigations with the Windows Security app -1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. +1. Open the Windows Security app by selecting the shield icon in the task bar or searching the start menu for **Defender**. -2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection**. +2. Select the **App & browser control** tile (or the app icon on the left menu bar) and then select **Exploit protection**. 3. Under the **System settings** section, find the mitigation you want to configure and select one of the following. Apps that aren't configured individually in the **Program settings** section will use the settings configured here: * **On by default** - The mitigation is *enabled* for apps that don't have this mitigation set in the app-specific **Program settings** section 
@@ -125,14 +125,14 @@ Validate stack integrity (StackPivot) | Ensures that the stack has not been redi 5. Go to the **Program settings** section and choose the app you want to apply mitigations to: - 1. If the app you want to configure is already listed, click it and then click **Edit** - 2. If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app: + 1. If the app you want to configure is already listed, select it and then select **Edit** + 2. If the app isn't listed, at the top of the list select **Add program to customize** and then choose how you want to add the app: * Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location. * Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want. -6. After selecting the app, you'll see a list of all the mitigations that can be applied. To enable the mitigation, click the check box and then change the slider to **On**. Select any additional options. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows. +6. After selecting the app, you'll see a list of all the mitigations that can be applied. To enable the mitigation, select the check box and then change the slider to **On**. Select any additional options. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows. -7. Repeat this for all the apps and mitigations you want to configure. Click **Apply** when you're done setting up your configuration. +7. Repeat these steps for all the apps and mitigations you want to configure. 
Select **Apply** when you're done setting up your configuration. You can now [export these settings as an XML file](import-export-exploit-protection-emet-xml.md) or continue on to configure app-specific mitigations. @@ -204,7 +204,7 @@ Where: You can also set some mitigations to audit mode. Instead of using the PowerShell cmdlet for the mitigation, use the **Audit mode** cmdlet as specified in the [mitigation cmdlets table](#cmdlets-table) below. - For example, to enable Arbitrary Code Guard (ACG) in audit mode for the *testing.exe* used in the example above, you'd use the following command: + For example, to enable Arbitrary Code Guard (ACG) in audit mode for the *testing.exe* used previously, you'd use the following command: ```PowerShell Set-ProcessMitigation -Name c:\apps\lob\tests\testing.exe -Enable AuditDynamicCode @@ -250,12 +250,11 @@ Set-ProcessMitigation -Name processName.exe -Enable EnableExportAddressFilterPlu ## Customize the notification -See the [Windows Security](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file. +For more information about customizing the notification when a rule is triggered and blocks an app or file, see [Windows Security](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center). -## Related topics +## See also * [Protect devices from exploits](exploit-protection.md) -* [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection.md) * [Evaluate exploit protection](evaluate-exploit-protection.md) * [Enable exploit protection](enable-exploit-protection.md) * [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md) 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/data-retention-settings.md b/windows/security/threat-protection/microsoft-defender-atp/data-retention-settings.md index 9cc9cb48ba..f1483165c4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/data-retention-settings.md +++ b/windows/security/threat-protection/microsoft-defender-atp/data-retention-settings.md @@ -18,6 +18,9 @@ ms.topic: conceptual --- # Verify data storage location and update data retention settings for Microsoft Defender ATP +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** @@ -50,5 +53,4 @@ You can verify the data location by navigating to **Settings** > **Data retentio ## Related topics - [Update data retention settings](data-retention-settings.md) - [Configure alert notifications in Microsoft Defender ATP](configure-email-notifications.md) -- [Enable and create Power BI reports using Microsoft Defender ATP data](powerbi-reports.md) - [Configure advanced features](advanced-features.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy.md b/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy.md index 6eb879daae..6e76ce4bee 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy.md +++ b/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy.md @@ -19,6 +19,9 @@ ms.topic: conceptual # Microsoft Defender ATP data storage and privacy +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-compatibility.md b/windows/security/threat-protection/microsoft-defender-atp/defender-compatibility.md index 50ce80ff33..fa43e76e73 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-compatibility.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-compatibility.md @@ -20,6 +20,9 @@ ms.date: 04/24/2018 # Microsoft Defender Antivirus compatibility with Microsoft Defender ATP +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** diff --git a/windows/security/threat-protection/microsoft-defender-atp/delete-ti-indicator-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/delete-ti-indicator-by-id.md index 1c03a39e93..1dd2b90d07 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/delete-ti-indicator-by-id.md +++ b/windows/security/threat-protection/microsoft-defender-atp/delete-ti-indicator-by-id.md @@ -1,6 +1,6 @@ --- title: Delete Indicator API. -description: Deletes Indicator entity by ID. +description: Learn how to use the Delete Indicator API to delete an Indicator entity by ID in Microsoft Defender Advanced Threat Protection. keywords: apis, public api, supported apis, delete, ti indicator, entity, id search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -18,6 +18,9 @@ ms.topic: article # Delete Indicator API +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/deployment-phases.md b/windows/security/threat-protection/microsoft-defender-atp/deployment-phases.md index 350568b2e5..000dafbddd 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/deployment-phases.md +++ b/windows/security/threat-protection/microsoft-defender-atp/deployment-phases.md @@ -20,6 +20,9 @@ ms.topic: article --- # Deployment phases + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) @@ -41,13 +44,15 @@ There are several methods you can use to onboard to the service. For information ## In Scope The following is in scope for this deployment guide: + - Use of Microsoft Endpoint Configuration Manager to onboard endpoints into the service + - Enabling Microsoft Defender ATP endpoint protection platform (EPP) capabilities - - Next Generation Protection + - Next-generation protection - - Attack Surface Reduction + - Attack surface reduction - Enabling Microsoft Defender ATP endpoint detection and response (EDR) capabilities including automatic investigation and remediation diff --git a/windows/security/threat-protection/microsoft-defender-atp/deployment-strategy.md b/windows/security/threat-protection/microsoft-defender-atp/deployment-strategy.md index 47e19acae2..cd066db719 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/deployment-strategy.md +++ b/windows/security/threat-protection/microsoft-defender-atp/deployment-strategy.md @@ -17,6 +17,9 @@ ms.topic: article --- # Plan your Microsoft Defender ATP deployment strategy + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/device-timeline-event-flag.md b/windows/security/threat-protection/microsoft-defender-atp/device-timeline-event-flag.md index f972394dc4..7b99cd69cd 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/device-timeline-event-flag.md +++ b/windows/security/threat-protection/microsoft-defender-atp/device-timeline-event-flag.md @@ -17,6 +17,9 @@ ms.topic: article --- # Microsoft Defender ATP device timeline event flags + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + **Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Event flags in the Microsoft Defender ATP device timeline help you filter and organize specific events when you're investigate potential attacks. diff --git a/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx b/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx index 84b5f2a664..bd35122350 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx and b/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md b/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md index 12436534f1..a92e2b43c4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md +++ b/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md 
@@ -15,21 +15,28 @@ ms.localizationpriority: medium ms.custom: - next-gen - edr -ms.collection: +ms.date: 08/21/2020 --- # Endpoint detection and response (EDR) in block mode +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ## What is EDR in block mode? -When [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) (EDR) in block mode is enabled, Microsoft Defender ATP leverages behavioral blocking and containment capabilities by blocking malicious artifacts or behaviors that are observed through post-breach protection. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach. +When [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) (EDR) in block mode is turned on, Microsoft Defender ATP blocks malicious artifacts or behaviors that are observed through post-breach protection. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected, post breach. + +EDR in block mode is also integrated with [threat & vulnerability management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt). Your organization's security team will get a [security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation) to turn EDR in block mode on if it isn't already enabled. + +:::image type="content" source="images/edrblockmode-TVMrecommendation.png" alt-text="recommendation to turn on EDR in block mode"::: > [!NOTE] -> EDR in block mode is currently in private preview. 
To get the best protection, make sure to **[deploy Microsoft Defender ATP baselines](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline)**. +> EDR in block mode is currently in preview, available to organizations who have opted in to receive **[preview features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/preview)**. To get the best protection, make sure to **[deploy Microsoft Defender ATP baselines](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline)**. ## What happens when something is detected? @@ -37,7 +44,7 @@ When EDR in block mode is turned on, and a malicious artifact is detected, block The following image shows an instance of unwanted software that was detected and blocked through EDR in block mode: -:::image type="content" source="images/edr-in-block-mode.jpg" alt-text="EDR in block mode detected something"::: +:::image type="content" source="images/edr-in-block-mode-detection.png" alt-text="EDR in block mode detected something"::: ## Enable EDR in block mode @@ -83,7 +90,9 @@ Because Microsoft Defender Antivirus detects and remediates malicious items, it' Cloud protection is needed to turn on the feature on the device. Cloud protection allows [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection) to deliver the latest and greatest protection based on our breadth and depth of security intelligence, along with behavioral and device learning models. -## Related articles +## See also + +[Tech Community blog: Introducing EDR in block mode: Stopping attacks in their tracks](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/introducing-edr-in-block-mode-stopping-attacks-in-their-tracks/ba-p/1596617) [Behavioral blocking and containment](behavioral-blocking-containment.md) 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/emet-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/emet-exploit-protection.md
deleted file mode 100644
index 040f644860..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/emet-exploit-protection.md
+++ /dev/null
@@ -1,87 +0,0 @@ ---- -title: Compare the features in Exploit protection with EMET -keywords: emet, enhanced mitigation experience toolkit, configuration, exploit, compare, difference between, versus, upgrade, convert -description: Exploit protection in Microsoft Defender ATP is our successor to Enhanced Mitigation Experience Toolkit (EMET) and provides stronger protection, more customization, an easier user interface, and better configuration and management options. -search.product: eADQiWindows 10XVcnh -ms.pagetype: security -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium -audience: ITPro -author: levinec -ms.author: ellevin -ms.date: 08/08/2018 -ms.reviewer: -manager: dansimp ---- - -# Comparison between Enhanced Mitigation Experience Toolkit and Windows Defender - -**Applies to:** - -* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - -> [!IMPORTANT] -> If you are currently using EMET, you should be aware that [EMET reached end of life on July 31, 2018](https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/). You should consider replacing EMET with exploit protection in Microsoft Defender ATP. -> -> You can [convert an existing EMET configuration file into Exploit protection](import-export-exploit-protection-emet-xml.md#convert-an-emet-configuration-file-to-an-exploit-protection-configuration-file) to make the migration easier and keep your existing settings. - -This topic describes the differences between the Enhance Mitigation Experience Toolkit (EMET) and exploit protection in Microsoft Defender ATP. - -Exploit protection in Microsoft Defender ATP is our successor to EMET and provides stronger protection, more customization, an easier user interface, and better configuration and management options. 
- -EMET is a standalone product for earlier versions of Windows and provides some mitigation against older, known exploit techniques. - -After July 31, 2018, it will not be supported. - -For more information about the individual features and mitigations available in Microsoft Defender ATP, as well as how to enable, configure, and deploy them to better protect your network, see the following topics: - -* [Protect devices from exploits](exploit-protection.md) -* [Configure and audit exploit protection mitigations](customize-exploit-protection.md) - -## Mitigation comparison - -The mitigations available in EMET are included in Windows Defender, under the [exploit protection feature](exploit-protection.md). - -The table in this section indicates the availability and support of native mitigations between EMET and Exploit protection. - -Mitigation | Available in Windows Defender | Available in EMET --|-|- -Arbitrary code guard (ACG) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
                        As "Memory Protection Check" -Block remote images | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
                        As "Load Library Check" -Block untrusted fonts | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] -Data Execution Prevention (DEP) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] -Export address filtering (EAF) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] -Force randomization for images (Mandatory ASLR) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] -NullPage Security Mitigation | [!include[Check mark yes](../images/svg/check-yes.svg)]
                        Included natively in Windows 10
                        See [Mitigate threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information | [!include[Check mark yes](../images/svg/check-yes.svg)] -Randomize memory allocations (Bottom-Up ASLR) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] -Simulate execution (SimExec) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] -Validate API invocation (CallerCheck) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] -Validate exception chains (SEHOP) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] -Validate stack integrity (StackPivot) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] -Certificate trust (configurable certificate pinning) | Windows 10 provides enterprise certificate pinning | [!include[Check mark yes](../images/svg/check-yes.svg)] -Heap spray allocation | Ineffective against newer browser-based exploits; newer mitigations provide better protection
                        See [Mitigate threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information | [!include[Check mark yes](../images/svg/check-yes.svg)] -Block low integrity images | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] -Code integrity guard | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] -Disable extension points | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] -Disable Win32k system calls | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] -Do not allow child processes | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] -Import address filtering (IAF) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] -Validate handle usage | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] -Validate heap integrity | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] -Validate image dependency integrity | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] - -> [!NOTE] -> The Advanced ROP mitigations that are available in EMET are superseded by ACG in Windows 10, which other EMET advanced settings are enabled by default in Windows Defender as part of enabling the anti-ROP mitigations for a process. 
-> -> See the [Mitigation threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information on how Windows 10 employs existing EMET technology. - -## Related topics - -* [Protect devices from exploits with Windows Defender](exploit-protection.md) -* [Evaluate exploit protection](evaluate-exploit-protection.md) -* [Enable exploit protection](enable-exploit-protection.md) -* [Configure and audit exploit protection mitigations](customize-exploit-protection.md) -* [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md index 2506f2934b..36216eb833 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md @@ -1,9 +1,8 @@ --- -title: Enable attack surface reduction rules individually to protect your organization +title: Enable attack surface reduction rules description: Enable attack surface reduction (ASR) rules to protect your devices from attacks that use macros, scripts, and common injection techniques. keywords: Attack surface reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, enable, turn on search.product: eADQiWindows 10XVcnh -ms.pagetype: security ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library 
@@ -12,13 +11,15 @@ ms.localizationpriority: medium audience: ITPro author: levinec ms.author: ellevin -ms.date: 06/04/2020 ms.reviewer: manager: dansimp --- # Enable attack surface reduction rules +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + [Attack surface reduction rules](attack-surface-reduction.md) (ASR rules) help prevent actions that malware often abuses to compromise devices and networks. You can set ASR rules for devices running any of the following editions and versions of Windows: - Windows 10 Pro, [version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) or later - Windows 10 Enterprise, [version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) or later @@ -69,11 +70,11 @@ The following procedures for enabling ASR rules include instructions for how to 2. In the **Endpoint protection** pane, select **Windows Defender Exploit Guard**, then select **Attack Surface Reduction**. Select the desired setting for each ASR rule. -3. Under **Attack Surface Reduction exceptions**, you can enter individual files and folders, or you can select **Import** to import a CSV file that contains files and folders to exclude from ASR rules. Each line in the CSV file should be formatted as follows: +3. Under **Attack Surface Reduction exceptions**, enter individual files and folders. You can also select **Import** to import a CSV file that contains files and folders to exclude from ASR rules. Each line in the CSV file should be formatted as follows: `C:\folder`, `%ProgramFiles%\folder\file`, `C:\path` -4. Select **OK** on the three configuration panes and then select **Create** if you're creating a new endpoint protection file or **Save** if you're editing an existing one. +4. Select **OK** on the three configuration panes. Then select **Create** if you're creating a new endpoint protection file or **Save** if you're editing an existing one. ## MDM 
@@ -104,32 +105,32 @@ Example: ## Microsoft Endpoint Configuration Manager -1. In Microsoft Endpoint Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**. +1. In Microsoft Endpoint Configuration Manager, go to **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**. -2. Click **Home** > **Create Exploit Guard Policy**. +2. Select **Home** > **Create Exploit Guard Policy**. -3. Enter a name and a description, click **Attack Surface Reduction**, and click **Next**. +3. Enter a name and a description, select **Attack Surface Reduction**, and select **Next**. -4. Choose which rules will block or audit actions and click **Next**. +4. Choose which rules will block or audit actions and select **Next**. -5. Review the settings and click **Next** to create the policy. +5. Review the settings and select **Next** to create the policy. -6. After the policy is created, click **Close**. +6. After the policy is created, **Close**. ## Group Policy > [!WARNING] > If you manage your computers and devices with Intune, Configuration Manager, or other enterprise-level management platform, the management software will overwrite any conflicting Group Policy settings on startup. -1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and select **Edit**. -2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +2. In the **Group Policy Management Editor**, go to **Computer configuration** and select **Administrative templates**. 3. 
Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Windows Defender Exploit Guard** > **Attack surface reduction**. 4. Select **Configure Attack surface reduction rules** and select **Enabled**. You can then set the individual state for each rule in the options section. - Click **Show...** and enter the rule ID in the **Value name** column and your desired state in the **Value** column as follows: + Select **Show...** and enter the rule ID in the **Value name** column and your chosen state in the **Value** column as follows: - Disable = 0 - Block (enable ASR rule) = 1 @@ -137,7 +138,7 @@ Example: ![Group policy setting showing a blank attack surface reduction rule ID and value of 1](../images/asr-rules-gp.png) -5. To exclude files and folders from ASR rules, select the **Exclude files and paths from Attack surface reduction rules** setting and set the option to **Enabled**. Click **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item. +5. To exclude files and folders from ASR rules, select the **Exclude files and paths from Attack surface reduction rules** setting and set the option to **Enabled**. Select **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item. > [!WARNING] > Do not use quotes as they are not supported for either the **Value name** column or the **Value** column. 
@@ -145,9 +146,9 @@ Example: ## PowerShell > [!WARNING] -> If you manage your computers and devices with Intune, Configuration Manager, or other enterprise-level management platform, the management software will overwrite any conflicting PowerShell settings on startup. +> If you manage your computers and devices with Intune, Configuration Manager, or another enterprise-level management platform, the management software will overwrite any conflicting PowerShell settings on startup. To allow users to define the value using PowerShell, use the "User Defined" option for the rule in the management platform. -1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and click **Run as administrator**. +1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and select **Run as administrator**. 2. Enter the following cmdlet: @@ -200,4 +201,3 @@ Example: - [Evaluate attack surface reduction](evaluate-attack-surface-reduction.md) - [Attack surface reduction FAQ](attack-surface-reduction.md) - diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md b/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md index 4fa6b49fc9..2986e7ecf0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md @@ -1,9 +1,8 @@ --- -title: Turn on the protected folders feature in Windows 10 +title: Enable controlled folder access keywords: Controlled folder access, windows 10, windows defender, ransomware, protect, files, folders, enable, turn on, use description: Learn how to protect your important files by enabling Controlled folder access search.product: eADQiWindows 10XVcnh -ms.pagetype: security ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library 
@@ -12,13 +11,15 @@ ms.localizationpriority: medium audience: ITPro author: levinec ms.author: ellevin -ms.date: 05/13/2019 ms.reviewer: manager: dansimp --- # Enable controlled folder access +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** * [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) @@ -29,7 +30,7 @@ You can enable controlled folder access by using any of these methods: * [Windows Security app](#windows-security-app) * [Microsoft Intune](#intune) -* [Mobile Device Management (MDM)](#mdm) +* [Mobile Device Management (MDM)](#mobile-device-management-mdm) * [Microsoft Endpoint Configuration Manager](#microsoft-endpoint-configuration-manager) * [Group Policy](#group-policy) * [PowerShell](#powershell) 
@@ -45,71 +46,70 @@ For more information about disabling local list merging, see [Prevent or allow u ## Windows Security app -1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. +1. Open the Windows Security app by selecting the shield icon in the task bar. You can also search the start menu for **Defender**. -2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then click **Ransomware protection**. +2. Select the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then select **Ransomware protection**. 3. Set the switch for **Controlled folder access** to **On**. > [!NOTE] > If controlled folder access is configured with Group Policy, PowerShell, or MDM CSPs, the state will change in the Windows Security app after a restart of the device. > If the feature is set to **Audit mode** with any of those tools, the Windows Security app will show the state as **Off**. - > If you are protecting user profile data, we recommend that the user profile should be on the default Windows installation drive. ## Intune 1. Sign in to the [Azure portal](https://portal.azure.com) and open Intune. -2. Click **Device configuration** > **Profiles** > **Create profile**. +2. Go to **Device configuration** > **Profiles** > **Create profile**. 3. Name the profile, choose **Windows 10 and later** and **Endpoint protection**.
                        ![Create endpoint protection profile](../images/create-endpoint-protection-profile.png)
                        -4. Click **Configure** > **Windows Defender Exploit Guard** > **Controlled folder access** > **Enable**. +4. Go to **Configure** > **Windows Defender Exploit Guard** > **Controlled folder access** > **Enable**. -5. Type the path to each application that has access to protected folders and the path to any additional folder that needs protection and click **Add**.
                        ![Enable controlled folder access in Intune](../images/enable-cfa-intune.png)
                        +5. Type the path to each application that has access to protected folders and the path to any additional folder that needs protection. Select **Add**.
                        ![Enable controlled folder access in Intune](../images/enable-cfa-intune.png)
                        > [!NOTE] > Wilcard is supported for applications, but not for folders. Subfolders are not protected. Allowed apps will continue to trigger events until they are restarted. -6. Click **OK** to save each open blade and click **Create**. +6. Select **OK** to save each open blade and **Create**. -7. Click the profile **Assignments**, assign to **All Users & All Devices**, and click **Save**. +7. Select the profile **Assignments**, assign to **All Users & All Devices**, and **Save**. -## MDM +## Mobile Device Management (MDM) Use the [./Vendor/MSFT/Policy/Config/ControlledFolderAccessProtectedFolders](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-controlledfolderaccessprotectedfolders) configuration service provider (CSP) to allow apps to make changes to protected folders. ## Microsoft Endpoint Configuration Manager -1. In Microsoft Endpoint Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**. +1. In Microsoft Endpoint Configuration Manager, go to **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**. -2. Click **Home** > **Create Exploit Guard Policy**. +2. Select **Home** > **Create Exploit Guard Policy**. -3. Enter a name and a description, click **Controlled folder access**, and click **Next**. +3. Enter a name and a description, select **Controlled folder access**, and select **Next**. -4. Choose whether block or audit changes, allow other apps, or add other folders, and click **Next**. +4. Choose whether block or audit changes, allow other apps, or add other folders, and select **Next**. > [!NOTE] > Wilcard is supported for applications, but not for folders. Subfolders are not protected. Allowed apps will continue to trigger events until they are restarted. -5. Review the settings and click **Next** to create the policy. +5. Review the settings and select **Next** to create the policy. -6. 
After the policy is created, click **Close**. +6. After the policy is created, **Close**. ## Group Policy -1. On your Group Policy management device, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management device, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and select **Edit**. -2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +2. In the **Group Policy Management Editor**, go to **Computer configuration** and select **Administrative templates**. 3. Expand the tree to **Windows components > Microsoft Defender Antivirus > Windows Defender Exploit Guard > Controlled folder access**. -4. Double-click the **Configure Controlled folder access** setting and set the option to **Enabled**. In the options section you must specify one of the following: - * **Enable** - Malicious and suspicious apps will not be allowed to make changes to files in protected folders. A notification will be provided in the Windows event log. - * **Disable (Default)** - The Controlled folder access feature will not work. All apps can make changes to files in protected folders. - * **Audit Mode** - If a malicious or suspicious app attempts to make a change to a file in a protected folder, the change will be allowed but will be recorded in the Windows event log. This allows you to assess the impact of this feature on your organization. +4. Double-click the **Configure Controlled folder access** setting and set the option to **Enabled**. In the options section you must specify one of the following options: + * **Enable** - Malicious and suspicious apps won't be allowed to make changes to files in protected folders. A notification will be provided in the Windows event log. 
+ * **Disable (Default)** - The Controlled folder access feature won't work. All apps can make changes to files in protected folders. + * **Audit Mode** - Changes will be allowed if a malicious or suspicious app attempts to make a change to a file in a protected folder. However, it will be recorded in the Windows event log where you can assess the impact on your organization. * **Block disk modification only** - Attempts by untrusted apps to write to disk sectors will be logged in Windows Event log. These logs can be found in **Applications and Services Logs** > Microsoft > Windows > Windows Defender > Operational > ID 1123. - * **Audit disk modification only** - Only attempts to write to protected disk sectors will be recorded in the Windows event log (under **Applications and Services Logs** > **Microsoft** > **Windows** > **Windows Defender** > **Operational** > **ID 1124**). Attempts to modify or delete files in protected folders will not be recorded. + * **Audit disk modification only** - Only attempts to write to protected disk sectors will be recorded in the Windows event log (under **Applications and Services Logs** > **Microsoft** > **Windows** > **Windows Defender** > **Operational** > **ID 1124**). Attempts to modify or delete files in protected folders won't be recorded. ![Screenshot of the group policy option Enabled and Audit Mode selected in the drop-down](../images/cfa-gp-enable.png) @@ -118,7 +118,7 @@ Use the [./Vendor/MSFT/Policy/Config/ControlledFolderAccessProtectedFolders](htt ## PowerShell -1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and click **Run as administrator**. +1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and select **Run as administrator**. 2. Enter the following cmdlet: 
@@ -128,9 +128,9 @@ Use the [./Vendor/MSFT/Policy/Config/ControlledFolderAccessProtectedFolders](htt You can enable the feature in audit mode by specifying `AuditMode` instead of `Enabled`. -Use `Disabled` to turn the feature off. +Use `Disabled` to turn off the feature. -## Related topics +## See also * [Protect important folders with controlled folder access](controlled-folders.md) * [Customize controlled folder access](customize-controlled-folders.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md index 2251cef5dc..5707cf67b8 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md @@ -3,22 +3,22 @@ title: Turn on exploit protection to help mitigate against attacks keywords: exploit, mitigation, attacks, vulnerability description: Learn how to enable exploit protection in Windows 10. Exploit protection helps protect your device against malware. search.product: eADQiWindows 10XVcnh -ms.pagetype: security ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium audience: ITPro author: denisebmsft ms.author: deniseb -ms.date: 01/08/2020 ms.reviewer: manager: dansimp --- # Enable exploit protection +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** * [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) 
@@ -245,7 +245,6 @@ See the [Windows Security](../windows-defender-security-center/windows-defender- ## Related topics -* [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection.md) * [Evaluate exploit protection](evaluate-exploit-protection.md) * [Configure and audit exploit protection mitigations](customize-exploit-protection.md) * [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md b/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md index 298ace459d..a6090f9ae7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md 
@@ -1,38 +1,39 @@ --- -title: Turn on network protection -description: Enable Network protection with Group Policy, PowerShell, or MDM CSPs +title: Turn on network protection +description: Enable network protection with Group Policy, PowerShell, or Mobile Device Management and Configuration Manager. keywords: ANetwork protection, exploits, malicious website, ip, domain, domains, enable, turn on search.product: eADQiWindows 10XVcnh -ms.pagetype: security ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -audience: ITPro author: levinec ms.author: ellevin ms.reviewer: -audience: ITPro manager: dansimp --- -# Turning on network protection +# Turn on network protection + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + **Applies to:** * [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -[Network protection](network-protection.md) helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. -You can [audit network protection](evaluate-network-protection.md) in a test environment to see which apps would be blocked before you enable it. +[Network protection](network-protection.md) helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the internet. You can [audit network protection](evaluate-network-protection.md) in a test environment to view which apps would be blocked before you enable it. + +[Learn more about network filtering configuration options](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-windows-10#network-filtering) ## Check if network protection is enabled -You can see if network protection has been enabled on a local device by using Registry editor. 
+Check if network protection has been enabled on a local device by using Registry editor. 1. Select the **Start** button in the task bar and type **regedit** to open Registry editor 1. Choose **HKEY_LOCAL_MACHINE** from the side menu -1. Navigate through the nested menus to **SOFTWARE** > **Policies** > **Microsoft** **Windows Defender** > **Policy Manager** +1. Navigate through the nested menus to **SOFTWARE** > **Policies** > **Microsoft** > **Windows Defender** > **Policy Manager** 1. Select **EnableNetworkProtection** to see the current state of network protection on the device * 0, or **Off** 
@@ -41,87 +42,79 @@ You can see if network protection has been enabled on a local device by using Re ## Enable network protection -You can enable network protection by using any of these methods: +Enable network protection by using any of these methods: * [PowerShell](#powershell) -* [Microsoft Intune](#intune) -* [Mobile Device Management (MDM)](#mdm) -* [Microsoft Endpoint Configuration Manager](#microsoft-endpoint-configuration-manager) +* [Mobile Device Management (MDM)](#mobile-device-management-mdm) +* [Microsoft Endpoint Manager / Intune](#microsoft-endpoint-manager-formerly-intune) * [Group Policy](#group-policy) ### PowerShell -1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and click **Run as administrator** +1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and select **Run as administrator** 2. Enter the following cmdlet: ```PowerShell Set-MpPreference -EnableNetworkProtection Enabled ``` -You can enable the feature in audit mode using the following cmdlet: +3. Optional: Enable the feature in audit mode using the following cmdlet: -```PowerShell -Set-MpPreference -EnableNetworkProtection AuditMode -``` + ```PowerShell + Set-MpPreference -EnableNetworkProtection AuditMode + ``` -Use `Disabled` instead of `AuditMode` or `Enabled` to turn the feature off. + Use `Disabled` instead of `AuditMode` or `Enabled` to turn off the feature. -### Intune - -1. Sign in to the [Azure portal](https://portal.azure.com) and open Intune. -1. Click **Device configuration** > **Profiles** > **Create profile**. -1. Name the profile, choose **Windows 10 and later** and **Endpoint protection**. - ![Create endpoint protection profile](../images/create-endpoint-protection-profile.png) -1. Click **Configure** > **Windows Defender Exploit Guard** > **Network filtering** > **Enable**. - ![Enable network protection in Intune](../images/enable-np-intune.png) -1. Click **OK** to save each open blade and click **Create**. -1. 
Click the profile **Assignments**, assign to **All Users & All Devices**, and click **Save**. - -### MDM +### Mobile device management (MDM) Use the [./Vendor/MSFT/Policy/Config/Defender/EnableNetworkProtection](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-enablenetworkprotection) configuration service provider (CSP) to enable or disable network protection or enable audit mode. -## Microsoft Endpoint Configuration Manager +### Microsoft Endpoint Manager (formerly Intune) -1. In Microsoft Endpoint Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**. -1. Click **Home** > **Create Exploit Guard Policy**. -1. Enter a name and a description, click **Network protection**, and click **Next**. -1. Choose whether to block or audit access to suspicious domains and click **Next**. -1. Review the settings and click **Next** to create the policy. -1. After the policy is created, click **Close**. +1. Sign into the Microsoft Endpoint Manager admin center (https://endpoint.microsoft.com) + +2. Create or edit an [endpoint protection configuration profile](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-configure) + +3. Under "Configuration Settings" in the profile flow, go to **Microsoft Defender Exploit Guard** > **Network filtering** > **Network protection** > **Enable** or **Audit only** ### Group Policy -You can use the following procedure to enable network protection on domain-joined computers or on a standalone computer. +Use the following procedure to enable network protection on domain-joined computers or on a standalone computer. -1. On a standalone computer, click **Start**, type and then click **Edit group policy**. +1. On a standalone computer, go to **Start** and then type and select **Edit group policy**. 
*-Or-* - On a domain-joined Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. + On a domain-joined Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and select **Edit**. -2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +2. In the **Group Policy Management Editor**, go to **Computer configuration** and select **Administrative templates**. 3. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Windows Defender Exploit Guard** > **Network protection**. -4. Double-click the **Prevent users and apps from accessing dangerous websites** setting and set the option to **Enabled**. In the options section, you must specify one of the following: - * **Block** - Users will not be able to access malicious IP addresses and domains - * **Disable (Default)** - The Network protection feature will not work. Users will not be blocked from accessing malicious domains - * **Audit Mode** - If a user visits a malicious IP address or domain, an event will be recorded in the Windows event log but the user will not be blocked from visiting the address. +> [!NOTE] +> On older versions of Windows, the group policy path may say "Windows Defender Antivirus" instead of "Microsoft Defender Antivirus." + +4. Double-click the **Prevent users and apps from accessing dangerous websites** setting and set the option to **Enabled**. In the options section, you must specify one of the following options: + * **Block** - Users can't access malicious IP addresses and domains + * **Disable (Default)** - The Network protection feature won't work. 
Users won't be blocked from accessing malicious domains + * **Audit Mode** - If a user visits a malicious IP address or domain, an event won't be recorded in the Windows event log. However, the user won't be blocked from visiting the address. > [!IMPORTANT] > To fully enable network protection, you must set the Group Policy option to **Enabled** and also select **Block** in the options drop-down menu. -You can confirm network protection is enabled on a local computer by using Registry editor: +Confirm network protection is enabled on a local computer by using Registry editor: + +1. Select **Start** and type **regedit** to open **Registry Editor**. -1. Click **Start** and type **regedit** to open **Registry Editor**. 2. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection -3. Click **EnableNetworkProtection** and confirm the value: + +3. Select **EnableNetworkProtection** and confirm the value: * 0=Off * 1=On * 2=Audit -## Related topics +## See also * [Network protection](network-protection.md) * [Evaluate network protection](evaluate-network-protection.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-secure-score.md b/windows/security/threat-protection/microsoft-defender-atp/enable-secure-score.md deleted file mode 100644 index 76c04110e7..0000000000 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-secure-score.md +++ /dev/null 
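Review bot: The rewritten **Audit Mode** bullet in Group Policy step 4 of enable-network-protection.md now says an event `won't be recorded in the Windows event log`, which inverts the removed wording (`an event will be recorded in the Windows event log but the user will not be blocked`). As written, the bullet tells administrators that audit mode produces no log data. That contradicts the page's own advice to audit network protection before enabling it, and could lead someone to skip reviewing audit events before switching to **Block**. Suggested replacement: `* **Audit Mode** - If a user visits a malicious IP address or domain, an event will be recorded in the Windows event log. However, the user won't be blocked from visiting the address.`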
@@ -1,45 +0,0 @@ ---- -title: Enable Secure Score in Microsoft Defender ATP -description: Set the baselines for calculating the score of Windows Defender security controls on the Secure Score dashboard. -keywords: enable secure score, baseline, calculation, analytics, score, secure score dashboard, dashboard -search.product: eADQiWindows 10XVcnh -search.appverid: met150 -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: macapara -author: mjcaparas -ms.localizationpriority: medium -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: article ---- - -# Enable Secure Score security controls - -**Applies to:** - - -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - - - -Set the baselines for calculating the score of security controls on the Secure Score dashboard. If you use third-party solutions, consider excluding the corresponding controls from the calculations. - - >[!NOTE] - >Changes might take up to a few hours to reflect on the dashboard. - -1. In the navigation pane, select **Settings** > **Secure Score**. - -2. Select the security control, then toggle the setting between **On** and **Off**. - -3. Click **Save preferences**. - -## Related topics -- [View the Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) -- [Update data retention settings for Microsoft Defender ATP](data-retention-settings.md) -- [Configure alert notifications in Microsoft Defender ATP](configure-email-notifications.md) -- [Enable and create Power BI reports using Microsoft Defender ATP data](powerbi-reports.md) -- [Configure advanced features in Microsoft Defender ATP](advanced-features.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md b/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md index f827607d8a..8799a37ea2 100644 
--- a/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md @@ -19,6 +19,9 @@ ms.topic: article # Enable SIEM integration in Microsoft Defender ATP +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) @@ -33,7 +36,7 @@ Enable security information and event management (SIEM) integration so you can p >- The Microsoft Defender ATP Alert API is the latest API for alert consumption and contain a detailed list of related evidence for each alert. For more information, see [Alert methods and properties](alerts.md) and [List alerts](get-alerts.md). ## Prerequisites -- The user who activates the setting must have permissions to create an app in Azure Active Directory (AAD). This is typically someone with a **Global administrator** role. +- The user who activates the setting must have permissions to create an app in Azure Active Directory (AAD). This is someone with the following roles: Security Administrator and either Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal. - During the initial activation, a pop-up screen is displayed for credentials to be entered. Make sure that you allow pop-ups for this site. ## Enabling SIEM integration diff --git a/windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-mac-preview.md b/windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-mac-preview.md index 1d8f56f5e3..5408508e47 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-mac-preview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-mac-preview.md 
@@ -19,6 +19,9 @@ ms.topic: conceptual # Enable Microsoft Defender ATP Insider Device +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + Endpoint detection and response capabilities in Microsoft Defender ATP for Mac are now in preview. To get these and other preview features, you must set up your Mac device to be an "Insider" device as described in this article. For scale deployment, we recommend using [Jamf](#enable-the-insider-program-with-jamf) or [Intune](#enable-the-insider-program-with-intune). >[!IMPORTANT] diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluate-atp.md b/windows/security/threat-protection/microsoft-defender-atp/evaluate-atp.md index bbcbd77dcc..35dc0c89f1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/evaluate-atp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/evaluate-atp.md @@ -20,6 +20,9 @@ ms.topic: conceptual # Evaluate Microsoft Defender ATP +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) is a unified platform for preventative protection, post-breach detection, automated investigation, and response. You can evaluate Microsoft Defender Advanced Threat Protection in your organization by [starting your free trial](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp). @@ -37,7 +40,7 @@ These capabilities help prevent attacks and exploitations from infecting your or - [Evaluate application guard](../microsoft-defender-application-guard/test-scenarios-md-app-guard.md) - [Evaluate network firewall](../windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md) -## Evaluate next generation protection +## Evaluate next-generation protection Next gen protections help detect and block the latest threats. 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md
index 980238995f..1c8621e5f2 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md
@@ -1,44 +1,43 @@ --- -title: Use a demo to see how ASR rules can help protect your devices -description: The custom demo tool lets you create sample malware infection scenarios so you can see how ASR would block and prevent attacks +title: Evaluate attack surface reduction rules +description: See how attack surface reduction would block and prevent attacks with the custom demo tool. keywords: Attack surface reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, evaluate, test, demo search.product: eADQiWindows 10XVcnh -ms.pagetype: security ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium audience: ITPro author: levinec ms.author: ellevin -ms.date: 05/20/2020 ms.reviewer: manager: dansimp --- # Evaluate attack surface reduction rules +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** * [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -Attack surface reduction rules help prevent actions that are typically used by malware to compromise devices or networks. You can set attack surface reduction rules for devices running any of the following editions and versions of Windows: +Attack surface reduction rules help prevent actions typically used by malware to compromise devices or networks. 
Set attack surface reduction rules for devices running any of the following editions and versions of Windows: + - Windows 10 Pro, [version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) or later - Windows 10 Enterprise, [version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) or later - Windows Server, [version 1803 (Semi-Annual Channel)](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) or later - [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) -Learn how to evaluate attack surface reduction rules, by enabling audit mode to test the feature directly in your organization. +Learn how to evaluate attack surface reduction rules by enabling audit mode to test the feature directly in your organization. > [!TIP] -> You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. +> You can also visit the Microsoft Defender ATP demo scenario website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. ## Use audit mode to measure impact -You can enable attack surface reduction rules in audit mode. This lets you see a record of what apps would have been blocked if you had enabled attack surface reduction rules. - -You might want to do this when testing how the feature will work in your organization, to ensure it doesn't affect your line-of-business apps, and to get an idea of how often the rules will fire during normal use. +Enable attack surface reduction rules in audit mode to view a record of apps that would have been blocked if the feature was fully enabled. Test how the feature will work in your organization to ensure it doesn't affect your line-of-business apps. 
You can also get an idea of how often the rules will fire during normal use. To enable all attack surface reduction rules in audit mode, use the following PowerShell cmdlet: @@ -49,13 +48,13 @@ Set-MpPreference -AttackSurfaceReductionRules_Actions AuditMode > [!TIP] > If you want to fully audit how attack surface reduction rules will work in your organization, you'll need to use a management tool to deploy this setting to devices in your network(s). -You can also use Group Policy, Intune, or MDM CSPs to configure and deploy the setting, as described in the main [Attack surface reduction rules topic](attack-surface-reduction.md). +You can also use Group Policy, Intune, or mobile device management (MDM) configuration service providers (CSPs) to configure and deploy the setting. Learn more in the main [Attack surface reduction rules](attack-surface-reduction.md) article. ## Review attack surface reduction events in Windows Event Viewer To review apps that would have been blocked, open Event Viewer and filter for Event ID 1121 in the Microsoft-Windows-Windows Defender/Operational log. The following table lists all network protection events. - Event ID | Description +Event ID | Description -|- 5007 | Event when settings are changed 1121 | Event when an attack surface reduction rule fires in block mode 
@@ -65,9 +64,9 @@ To review apps that would have been blocked, open Event Viewer and filter for Ev During your evaluation, you may wish to configure each rule individually or exclude certain files and processes from being evaluated by the feature. -See the [Customize attack surface reduction rules](customize-attack-surface-reduction.md) topic for information on configuring the feature with management tools, including Group Policy and MDM CSP policies. +See [Customize attack surface reduction rules](customize-attack-surface-reduction.md) for information on configuring the feature with management tools, including Group Policy and MDM CSP policies. -## Related topics +## See also * [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction.md) * [Use audit mode to evaluate Windows Defender](audit-windows-defender.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluate-controlled-folder-access.md b/windows/security/threat-protection/microsoft-defender-atp/evaluate-controlled-folder-access.md index ae0a15fe7f..da54fddecf 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/evaluate-controlled-folder-access.md +++ b/windows/security/threat-protection/microsoft-defender-atp/evaluate-controlled-folder-access.md 
@@ -1,42 +1,40 @@ --- -title: See how controlled folder access can help protect files from being changed by malicious apps -description: Use a custom tool to see how Controlled folder access works in Windows 10. +title: Evaluate controlled folder access +description: See how controlled folder access can help protect files from being changed by malicious apps. keywords: Exploit protection, windows 10, windows defender, ransomware, protect, evaluate, test, demo, try search.product: eADQiWindows 10XVcnh -ms.pagetype: security ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium audience: ITPro author: levinec ms.author: ellevin -ms.date: 11/16/2018 ms.reviewer: manager: dansimp --- # Evaluate controlled folder access +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** * [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -[Controlled folder access](controlled-folders.md) is a feature that helps protect your documents and files from modification by suspicious or malicious apps. Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients. +[Controlled folder access](controlled-folders.md) is a feature that helps protect your documents and files from modification by suspicious or malicious apps. Controlled folder access is supported on Windows Server 2019 and Windows 10 clients. -It is especially useful in helping to protect your documents and information from [ransomware](https://www.microsoft.com/wdsi/threats/ransomware) that can attempt to encrypt your files and hold them hostage. +It is especially useful in helping protect against [ransomware](https://www.microsoft.com/wdsi/threats/ransomware) that attempts to encrypt your files and hold them hostage. -This topic helps you evaluate controlled folder access. 
It explains how to enable audit mode so you can test the feature directly in your organization. +This article helps you evaluate controlled folder access. It explains how to enable audit mode so you can test the feature directly in your organization. > [!TIP] -> You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. +> You can also visit the Microsoft Defender ATP demo scenario website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. ## Use audit mode to measure impact -You can enable the controlled folder access feature in audit mode. This lets you see a record of what *would* have happened if you had enabled the setting. - -You might want to do this when testing how the feature will work in your organization, to ensure it doesn't affect your line-of-business apps, and to get an idea of how many suspicious file modification attempts generally occur over a certain period. +Enable the controlled folder access in audit mode to see a record of what *would* have happened if it was fully enabled. Test how the feature will work in your organization to ensure it doesn't affect your line-of-business apps. You can also get an idea of how many suspicious file modification attempts generally occur over a certain period of time. To enable audit mode, use the following PowerShell cmdlet: 
@@ -46,7 +44,7 @@ Set-MpPreference -EnableControlledFolderAccess AuditMode > [!TIP] > If you want to fully audit how controlled folder access will work in your organization, you'll need to use a management tool to deploy this setting to devices in your network(s). -You can also use Group Policy, Intune, MDM, or Microsoft Endpoint Configuration Manager to configure and deploy the setting, as described in the main [controlled folder access topic](controlled-folders.md). +You can also use Group Policy, Intune, mobile device management (MDM), or Microsoft Endpoint Configuration Manager to configure and deploy the setting, as described in the main [controlled folder access topic](controlled-folders.md). ## Review controlled folder access events in Windows Event Viewer @@ -65,9 +63,9 @@ Event ID | Description During your evaluation, you may wish to add to the list of protected folders, or allow certain apps to modify files. -See [Protect important folders with controlled folder access](controlled-folders.md) for configuring the feature with management tools, including Group Policy, PowerShell, and MDM CSP. +See [Protect important folders with controlled folder access](controlled-folders.md) for configuring the feature with management tools, including Group Policy, PowerShell, and MDM configuration service providers (CSPs). -## Related topics +## See also * [Protect important folders with controlled folder access](controlled-folders.md) * [Evaluate Microsoft Defender ATP]../(microsoft-defender-atp/evaluate-atp.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluate-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/evaluate-exploit-protection.md index d0ad0448da..0b95bca029 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/evaluate-exploit-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/evaluate-exploit-protection.md 
@@ -3,7 +3,6 @@ title: See how exploit protection works in a demo description: See how exploit protection can prevent suspicious behaviors from occurring on specific apps. keywords: Exploit protection, exploits, kernel, events, evaluate, demo, try, mitigation search.product: eADQiWindows 10XVcnh -ms.pagetype: security ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library 
@@ -12,18 +11,21 @@ ms.localizationpriority: medium audience: ITPro author: denisebmsft ms.author: deniseb -ms.date: 10/21/2019 +ms.date: 08/28/2020 ms.reviewer: manager: dansimp --- # Evaluate exploit protection +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** * [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -[Exploit protection](exploit-protection.md) helps protect devices from malware that uses exploits to spread and infect other devices. Mitigation can be applied to either the operating system or to an individual app. Many of the features that were part of the [Enhanced Mitigation Experience Toolkit (EMET)](emet-exploit-protection.md) are included in exploit protection. +[Exploit protection](exploit-protection.md) helps protect devices from malware that uses exploits to spread and infect other devices. Mitigation can be applied to either the operating system or to an individual app. Many of the features that were part of the Enhanced Mitigation Experience Toolkit (EMET) are included in exploit protection. (The EMET has reached its end of support.) This article helps you enable exploit protection in audit mode and review related events in Event Viewer. You can enable audit mode to see how mitigation works for certain apps in a test environment. By auditing exploit protection, you can see what *would* have happened if you had enabled exploit protection in your production environment. This way, you can help ensure exploit protection doesn't adversely affect your line-of-business apps, and you can see which suspicious or malicious events occur. 
@@ -73,12 +75,12 @@ Where: |Mitigation | Audit mode cmdlet | |---|---| - |Arbitrary code guard (ACG) | AuditDynamicCode | - |Block low integrity images | AuditImageLoad - |Block untrusted fonts | AuditFont, FontAuditOnly | - |Code integrity guard | AuditMicrosoftSigned, AuditStoreSigned | - |Disable Win32k system calls | AuditSystemCall | - |Do not allow child processes | AuditChildProcess | + |Arbitrary code guard (ACG) | `AuditDynamicCode` | + |Block low integrity images | `AuditImageLoad` + |Block untrusted fonts | `AuditFont`, `FontAuditOnly` | + |Code integrity guard | `AuditMicrosoftSigned`, `AuditStoreSigned` | + |Disable Win32k system calls | `AuditSystemCall` | + |Do not allow child processes | `AuditChildProcess` | For example, to enable Arbitrary Code Guard (ACG) in audit mode for an app named *testing.exe*, run the following command: 
@@ -101,13 +103,9 @@ To review which apps would have been blocked, open Event Viewer and filter for t |Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 9 | Disable win32k system calls audit | |Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 11 | Code integrity guard audit | -## Related topics +## See also -* [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection.md) -* [Enable exploit protection](enable-exploit-protection.md) -* [Configure and audit exploit protection mitigations](customize-exploit-protection.md) -* [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md) -* [Troubleshoot exploit protection](troubleshoot-exploit-protection-mitigations.md) -* [Enable network protection](enable-network-protection.md) -* [Enable controlled folder access](enable-controlled-folders.md) -* [Enable attack surface reduction](enable-attack-surface-reduction.md) +- [Enable exploit protection](enable-exploit-protection.md) +- [Configure and audit exploit protection mitigations](customize-exploit-protection.md) +- [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md) +- [Troubleshoot exploit protection](troubleshoot-exploit-protection-mitigations.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluate-network-protection.md b/windows/security/threat-protection/microsoft-defender-atp/evaluate-network-protection.md index 6e3840831e..17edc7d5e5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/evaluate-network-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/evaluate-network-protection.md 
@@ -1,42 +1,40 @@ --- -title: Conduct a demo to see how network protection works -description: Quickly see how Network protection works by performing common scenarios that it protects against +title: Evaluate network protection +description: See how network protection works by testing common scenarios that it protects against. keywords: Network protection, exploits, malicious website, ip, domain, domains, evaluate, test, demo search.product: eADQiWindows 10XVcnh -ms.pagetype: security ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium audience: ITPro author: levinec ms.author: ellevin -ms.date: 05/10/2019 ms.reviewer: manager: dansimp --- # Evaluate network protection +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** * [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) [Network protection](network-protection.md) helps prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. -This topic helps you evaluate Network protection by enabling the feature and guiding you to a testing site. The site in this evaluation topic are not malicious, they are specially created websites that pretend to be malicious. The site will replicate the behavior that would happen if a user visited a malicious site or domain. +This article helps you evaluate Network protection by enabling the feature and guiding you to a testing site. The sites in this evaluation article aren't malicious. They're specially created websites that pretend to be malicious. The site will replicate the behavior that would happen if a user visited a malicious site or domain. 
> [!TIP] > You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to see how other protection features work. ## Enable network protection in audit mode -You can enable network protection in audit mode to see which IP addresses and domains would have been blocked if it was enabled. +Enable network protection in audit mode to see which IP addresses and domains would have been blocked. You can make sure it doesn't affect line-of-business apps, or get an idea of how often blocks occur. -You might want to do this to make sure it doesn't affect line-of-business apps or to get an idea of how often blocks occur. - -1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and click **Run as administrator** +1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and select **Run as administrator** 2. Enter the following cmdlet: ```PowerShell @@ -63,7 +61,7 @@ To review apps that would have been blocked, open Event Viewer and filter for Ev |1125 | Windows Defender (Operational) | Event when a network connection is audited | |1126 | Windows Defender (Operational) | Event when a network connection is blocked | -## Related topics +## See also * [Network protection](network-protection.md) * [Enable network protection](enable-network-protection.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md b/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md index dd21e36602..2f57d47778 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md +++ b/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md 
@@ -19,6 +19,9 @@ ms.topic: article --- # Microsoft Defender ATP evaluation lab + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/microsoft-defender-atp/event-error-codes.md b/windows/security/threat-protection/microsoft-defender-atp/event-error-codes.md index 7f19406d2e..54be37811e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/event-error-codes.md +++ b/windows/security/threat-protection/microsoft-defender-atp/event-error-codes.md @@ -21,6 +21,9 @@ ms.date: 05/21/2018 # Review events and errors using Event Viewer +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - Event Viewer @@ -108,15 +111,15 @@ See Onboard Windows 10 devices.
                        - + diff --git a/windows/security/threat-protection/microsoft-defender-atp/event-views.md b/windows/security/threat-protection/microsoft-defender-atp/event-views.md index 2fe08915a1..926fa6beef 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/event-views.md +++ b/windows/security/threat-protection/microsoft-defender-atp/event-views.md 
@@ -1,42 +1,39 @@ --- -ms.reviewer: -title: Import custom views to see attack surface reduction events -description: Use Windows Event Viewer to import individual views for each of the features. +title: View attack surface reduction events +description: Import custom views to see attack surface reduction events. keywords: event view, exploit guard, audit, review, events search.product: eADQiWindows 10XVcnh -ms.pagetype: security ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -ms.pagetype: security -ms.date: 04/16/2018 ms.localizationpriority: medium audience: ITPro author: levinec ms.author: ellevin -ms.date: 03/26/2019 +ms.reviewer: manager: dansimp --- # View attack surface reduction events +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -You can review attack surface reduction events in Event Viewer. This is useful so you can monitor what rules or settings are working, and determine if any settings are too "noisy" or impacting your day to day workflow. +Review attack surface reduction events in Event Viewer to monitor what rules or settings are working. You can also determine if any settings are too "noisy" or impacting your day to day workflow. -Reviewing the events is also handy when you are evaluating the features, as you can enable audit mode for the features or settings, and then review what would have happened if they were fully enabled. +Reviewing events is handy when you're evaluating the features. You can enable audit mode for features or settings, and then review what would have happened if they were fully enabled. -This topic lists all the events, their associated feature or setting, and describes how to create custom views to filter to specific events. 
+This article lists all the events, their associated feature or setting, and describes how to create custom views to filter to specific events. -You can also get detailed reporting into events and blocks as part of Windows Security, which you access if you have an E5 subscription and use [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md). +Get detailed reporting into events and blocks as part of Windows Security if you have an E5 subscription and use [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md). ## Use custom views to review attack surface reduction capabilities -You can create custom views in the Windows Event Viewer to only see events for specific capabilities and settings. - -The easiest way to do this is to import a custom view as an XML file. You can copy the XML directly from this page. +Create custom views in the Windows Event Viewer to only see events for specific capabilities and settings. The easiest way is to import a custom view as an XML file. You can copy the XML directly from this page. You can also manually navigate to the event area that corresponds to the feature. 
@@ -48,33 +45,33 @@ You can also manually navigate to the event area that corresponds to the feature - Attack surface reduction events custom view: *asr-events.xml* - Network/ protection events custom view: *np-events.xml* -1. Type **event viewer** in the Start menu and open **Event Viewer**. +2. Type **event viewer** in the Start menu and open **Event Viewer**. -1. Click **Action** > **Import Custom View...** +3. Select **Action** > **Import Custom View...** ![Animation highlighting Import custom view on the left of the Even viewer window](../images/events-import.gif) -1. Navigate to where you extracted XML file for the custom view you want and select it. +4. Navigate to where you extracted XML file for the custom view you want and select it. -1. Click **Open**. +5. Select **Open**. -1. This will create a custom view that filters to only show the events related to that feature. +6. It will create a custom view that filters to only show the events related to that feature. ### Copy the XML directly 1. Type **event viewer** in the Start menu and open the Windows **Event Viewer**. -1. On the left panel, under **Actions**, click **Create Custom View...** +2. On the left panel, under **Actions**, select **Create Custom View...** ![Animation highlighting the create custom view option on the Event viewer window](../images/events-create.gif) -1. Go to the XML tab and click **Edit query manually**. You'll see a warning that you won't be able to edit the query using the **Filter** tab if you use the XML option. Click **Yes**. +3. Go to the XML tab and select **Edit query manually**. You'll see a warning that you can't edit the query using the **Filter** tab if you use the XML option. Select **Yes**. -1. Paste the XML code for the feature you want to filter events from into the XML section. +4. Paste the XML code for the feature you want to filter events from into the XML section. -1. Click **OK**. Specify a name for your filter. +5. Select **OK**. 
Specify a name for your filter. -1. This will create a custom view that filters to only show the events related to that feature. +6. It will create a custom view that filters to only show the events related to that feature. ### XML for attack surface reduction rule events @@ -131,13 +128,13 @@ You can also manually navigate to the event area that corresponds to the feature ## List of attack surface reduction events -All attack surface reductiond events are located under **Applications and Services Logs > Microsoft > Windows** and then the folder or provider as listed in the following table. +All attack surface reduction events are located under **Applications and Services Logs > Microsoft > Windows** and then the folder or provider as listed in the following table. You can access these events in Windows Event viewer: -1. Open the **Start** menu and type **event viewer**, and then click on the **Event Viewer** result. +1. Open the **Start** menu and type **event viewer**, and then select the **Event Viewer** result. 2. Expand **Applications and Services Logs > Microsoft > Windows** and then go to the folder listed under **Provider/source** in the table below. -3. Double-click on the sub item to see events. Scroll through the events to find the one you are looking. +3. Double-click on the sub item to see events. Scroll through the events to find the one you're looking. ![Animation showing using Event Viewer](../images/event-viewer.gif) diff --git a/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-reference.md b/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-reference.md new file mode 100644 index 0000000000..5cb1174b0a --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-reference.md 
@@ -0,0 +1,723 @@
+---
+title: Exploit Protection Reference
+keywords: mitigations, vulnerabilities, vulnerability, mitigation, exploit, exploits, emet
+description: Details on how the Exploit Protection feature works in Windows 10
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.localizationpriority: medium
+audience: ITPro
+author: appcompatguy
+ms.author: cjacks
+ms.date: 07/20/2020
+ms.reviewer:
+manager: saudm
+ms.custom: asr
+---
+
+# Exploit Protection Reference
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+Exploit Protection provides advanced protections for applications which the IT Pro can apply after the developer has compiled and distributed the software.
+
+This article helps you understand how Exploit Protection works, both at the policy level and at the individual mitigation level, to help you successfully build and apply Exploit Protection policies.
+
+## How mitigations are applied
+
+Exploit Protection mitigations are applied per application.
+
+Mitigations are configured via a registry entry for each program that you configure protections for. These settings are stored in the **MitigationOptions** registry entry for each program (**HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows NT \ CurrentVersion \ Image File Execution Options \ *ImageFileName* \ MitigationOptions**). They take effect when you restart the program and remain effective until you change them and restart the program again.
+
+> [!IMPORTANT]
+> Image File Execution Options only allows you to specify a file name or path, and not a version number, architecture, or any other differentiator. 
Be careful to target mitigations to apps which have unique names or paths, applying them only on devices where you have tested that version and that architecture of the application. + +If you configure Exploit Protection mitigations using an XML configuration file, either via PowerShell, Group Policy, or MDM, when processing this XML configuration file, individual registry settings will be configured for you. + +When the policy distributing the XML file is no longer enforced, settings deployed by this XML configuration file will not be automatically removed. To remove Exploit Protection settings, export the XML configuration from a clean Windows 10 device, and deploy this new XML file. Alternately, Microsoft provides an XML file as part of the Windows Security Baselines for resetting Exploit Protection settings. + +To reset Exploit Protection settings using PowerShell, you could use the following command: + +```powershell +Set-ProcessMitigation -PolicyFilePath EP-reset.xml +``` +Following is the EP-reset.xml distributed with the Windows Security Baselines: +```xml + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` + +## Mitigation Reference + +The below sections detail the protections provided by each Exploit Protection mitigation, the compatibility considerations for the mitigation, and the configuration options available. + +## Arbitrary code guard + +### Description + +Arbitrary Code Guard helps protect against a malicious attacker loading the code of their choice into memory through a memory safety vulnerability and being able to execute that code. + +Arbitrary Code Guard protects an application from executing dynamically generated code (code that is not loaded, for example, from the exe itself or a dll). 
Arbitrary Code Guard works by preventing memory from being marked as executable. When an application attempts to [allocate memory](https://docs.microsoft.com/windows/win32/api/memoryapi/nf-memoryapi-virtualalloc), we check the protection flags. (Memory can be allocated with read, write, and/or execute protection flags.) If the allocation attempts to include the [*execute*](https://docs.microsoft.com/windows/win32/memory/memory-protection-constants) protection flag, then the memory allocation fails and returns an error code (STATUS_DYNAMIC_CODE_BLOCKED). Similarly, if an application attempts to [change the protection flags of memory](https://docs.microsoft.com/windows/win32/api/memoryapi/nf-memoryapi-virtualprotect) that has already been allocated and includes the [*execute*](https://docs.microsoft.com/windows/win32/memory/memory-protection-constants) protection flag, then the permission change fails and returns an error code (STATUS_DYNAMIC_CODE_BLOCKED). + +By preventing the *execute* flag from being set, the Data Execution Prevention feature of Windows 10 can then protect against the instruction pointer being set to that memory and running that code. + +### Compatibility considerations + +Arbitrary Code Guard prevents allocating any memory as executable, which presents a compatibility issue with approaches such as Just-in-Time (JIT) compilers. Most modern browsers, for example, will compile JavaScript into native code in order to optimize performance. In order to support this mitigation, they will need to be rearchitected to move the JIT compilation outside of the protected process. Other applications whose design dynamically generates code from scripts or other intermediate languages will be similarly incompatible with this mitigation. + +### Configuration options + +**Allow thread opt-out** - You can configure the mitigation to allow an individual thread to opt-out of this protection. 
The developer must have written the application with awareness of this mitigation, and have called the [**SetThreadInformation**](https://docs.microsoft.com/windows/win32/api/processthreadsapi/nf-processthreadsapi-setthreadinformation) API with the *ThreadInformation* parameter set to **ThreadDynamicCodePolicy** in order to be allowed to execute dynamic code on this thread. + +**Audit only** - You can enable this mitigation in audit mode in order to measure the potential compatibility impact on an application. Audit events can then be viewed either in the event viewer or using Advanced Hunting in [Microsoft Defender ATP](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview). + +## Block low integrity images + +### Description + +Block low integrity images prevents the application from loading files which are untrusted, typically because they have been downloaded from the internet from a sandboxed browser. + +This mitigation will block image loads if the image has an Access Control Entry (ACE) which grants access to Low IL processes and which does not have a trust label ACE. It is implemented by the memory manager, which blocks the file from being mapped into memory. If an application attempts to map a low integrity image, it will trigger a STATUS_ACCESS_DENIED error. For details on how integrity levels work, see [Mandatory Integrity Control](https://docs.microsoft.com/windows/win32/secauthz/mandatory-integrity-control). + +### Compatibility considerations + +Block low integrity images will prevent the application from loading files which were downloaded from the internet. If your application workflow requires loading images which are downloaded, you will want to ensure that they are downloaded from a higher-trust process, or are explicitly relabeled in order to apply this mitigation. 
+ +### Configuration options + +**Audit Only** - You can enable this mitigation in audit mode in order to measure the potential compatibility impact on an application. Audit events can then be viewed either in the event viewer or using Advanced Hunting in [Microsoft Defender ATP](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview). + +## Block remote images + +### Description + +Block remote images will prevent the application from loading files which are hosted on a remote device, such as a UNC share. This helps protect against loading binaries into memory which are on an external device controlled by the attacker. + +This mitigation will block image loads if the image is determined to be on a remote device. It is implemented by the memory manager, which blocks the file from being mapped into memory. If an application attempts to map a remote file, it will trigger a STATUS_ACCESS_DENIED error. + +### Compatibility considerations + +Block remote images will prevent the application from loading images from remote devices. If your application loads files or plug-ins from remote devices, then it will not be compatible with this mitigation. + +### Configuration options + +**Audit Only** - You can enable this mitigation in audit mode in order to measure the potential compatibility impact on an application. Audit events can then be viewed either in the event viewer or using Advanced Hunting in [Microsoft Defender ATP](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview). + +## Block untrusted fonts + +### Description + +Block untrusted fonts mitigates the risk of a flaw in font parsing leading to the attacker being able to run code on the device. Only fonts which are installed into the windows\fonts directory will be loaded for processing by GDI. + +This mitigation is implemented within GDI, which validates the location of the file. 
If the file is not in the system fonts directory, the font will not be loaded for parsing and that call will fail. + +Note that this mitigation is in addition to the built-in mitigation provided in Windows 10 1607 and later, which moves font parsing out of the kernel and into a user-mode app container. Any exploit based on font parsing, as a result, happens in a sandboxed and isolated context, which reduces the risk significantly. For details on this mitigation, see the blog [Hardening Windows 10 with zero-day exploit mitigations](https://www.microsoft.com/security/blog/2017/01/13/hardening-windows-10-with-zero-day-exploit-mitigations/). + +### Compatibility considerations + +The most common use of fonts outside of the system fonts directory is with [web fonts](https://docs.microsoft.com/typography/fonts/font-faq#web). Modern browsers, such as Microsoft Edge, use DirectWrite instead of GDI, and are not impacted. However, legacy browsers, such as Internet Explorer 11 (and IE mode in the new Microsoft Edge) can be impacted, particularly with applications such as Office 365 which use font glyphs to display UI. + +### Configuration options + +**Audit Only** - You can enable this mitigation in audit mode in order to measure the potential compatibility impact on an application. Audit events can then be viewed either in the event viewer or using Advanced Hunting in [Microsoft Defender ATP](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview). + +## Code integrity guard + +### Description + +Code integrity guard ensures that all binaries loaded into a process are digitally signed by Microsoft. This includes [WHQL](https://docs.microsoft.com/windows-hardware/drivers/install/whql-release-signature) (Windows Hardware Quality Labs) signatures, which will allow WHQL-approved drivers to run within the process. + +This mitigation is implemented within the memory manager, which blocks the binary from being mapped into memory. 
If you attempt to load a binary which is not signed by Microsoft, the memory manger will return the error STATUS_INVALID_IMAGE_HASH. By blocking at the memory manager level, this prevents both binaries loaded by the process and binaries injected into the process. + +### Compatibility considerations + +This mitigation specifically blocks any binary which is not signed by Microsoft. As such, it will be incompatible with most third party software, unless that software is distributed by (and digitally signed by) the Microsoft Store, and the option to allow loading of images signed by the Microsoft Store is selected. + +### Configuration options + +**Also allow loading of images signed by Microsoft Store** - Applications which are distributed by the Microsoft Store will be digitally signed by the Microsoft Store, and adding this configuration will allow binaries which have gone through the store certification process to be loaded by the application. + +**Audit Only** - You can enable this mitigation in audit mode in order to measure the potential compatibility impact on an application. Audit events can then be viewed either in the event viewer or using Advanced Hunting in [Microsoft Defender ATP](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview). + +## Control flow guard (CFG) + +### Description + +Control flow guard (CFG) mitigates the risk of attackers leveraging memory corruption vulnerabilities by protecting indirect function calls. For example, an attacker may user a buffer overflow vulnerability to overwrite memory containing a function pointer, and replace that function pointer with a pointer to executable code of their choice (which may also have been injected into the program). + +This mitigation is provided by injecting an additional check at compile time. Before each indirect function call, additional instructions are added which verify that the target is a valid call target before it is called. 
If the target is not a valid call target, then the application is terminated. As such, only applications which are compiled with CFG support can benefit from this mitigation. + +The check for a valid target is provided by the Windows kernel. When executable files are loaded, the metadata for indirect call targets is extracted at load time and marked as valid call targets. Additionally, when memory is allocated and marked as executable (such as for generated code), these memory locations are also marked as valid call targets, to support mechanisms such as JIT compilation. + +### Compatibility considerations + +Since applications must be compiled to support CFG, they implicitly declare their compatibility with it. Most applications, therefore, should work with this mitigation enabled. Because these checks are compiled into the binary, the configuration you can apply is merely to disable checks within the Windows kernel. In other words, the mitigation is on by default, but you can configure the Windows kernel to always return "yes" if you later determine that there is a compatibility issue that the application developer did not discover in their testing, which should be rare. + +### Configuration options + +**Use strict CFG** - In strict mode, all binaries loaded into the process must be compiled for Control Flow Guard (or have no executable code in them - such as resource dlls) in order to be loaded. + +> [!Note] +> **Control flow guard** has no audit mode. Binaries are compiled with this mitigation enabled. + +## Data Execution Prevention (DEP) + +### Description + +Data Execution Prevention (DEP) prevents memory which was not explicitly allocated as executable from being executed. This helps protect against an attacker injecting malicious code into the process, such as through a buffer overflow, and then executing that code. 
+ +If you attempt to set the instruction pointer to a memory address not marked as executable, the processor will throw an exception (general-protection violation), causing the application to crash. + +### Compatibility considerations + +All x64, ARM, and ARM-64 executables have DEP enabled by default, and it cannot be disabled. Since an application will have never been executed without DEP, compatibility is generally assumed. + +All x86 (32-bit) binaries will have DEP enabled by default, but it can be disabled per process. Some very old legacy applications, typically applications developed prior to Windows XP SP2, may not be compatible with DEP. These are typically applications that dynamically generate code (e.g. JIT compiling) or link to older libraries (such as older versions of ATL) which dynamically generate code. + +### Configuration options + +**Enable ATL Thunk emulation** - This configuration option disables ATL Thunk emulation. ATL, the ActiveX Template Library, is designed to be as small and fast as possible. In order to reduce binary size, it would use a technique called thunking. Thunking is typically thought of for interacting between 32-bit and 16-bit applications, but there are no 16-bit components to ATL here. Rather, in order to optimize for binary size, ATL will store machine code in memory which is not word-aligned (creating a smaller binary), and then invoke that code directly. ATL components compiled with Visual Studio 7.1 or earlier (Visual Studio 2003) do not allocate this memory as executable - thunk emulation resolves that compatibility issue. Applications which have a binary extension model (such as Internet Explorer 11) will often need to have ATL Thunk emulation enabled. + +## Disable extension points + +### Description + +This mitigation disables various extension points for an application, which might be used to establish persistence or elevate privileges of malicious content. 
+ +This includes: + +- **AppInit DLLs** - Whenever a process starts, the system will load the specified DLL into to context of the newly started process before calling its entry point function. [Details on AppInit DLLs can be found here](https://docs.microsoft.com/windows/win32/winmsg/about-window-classes#application-global-classes). With this mitigation applied, AppInit DLLs are not loaded. Note that, beginning with Windows 7, AppInit DLLs need to be digitally signed, [as described here](https://docs.microsoft.com/windows/win32/win7appqual/appinit-dlls-in-windows-7-and-windows-server-2008-r2). Additionally, beginning with Windows 8, AppInit DLLs will not be loaded if SecureBoot is enabled, [as described here](https://docs.microsoft.com/windows/win32/dlls/secure-boot-and-appinit-dlls). +- **Legacy IMEs** - An Input Method Editor (IME) allows a user to type text in a language that has more characters than can be represented on a keyboard. Third parties are able to create IMEs. A malicious IME might obtain credentials or other sensitive information from this input capture. Some IMEs, referred to as Legacy IMEs, will only work on Windows Desktop apps, and not UWP apps. This mitigation will also prevent this legacy IME from loading into the specified Windows Desktop app. +- **Windows Event Hooks** - An application can call the [SetWinEventHook API](https://docs.microsoft.com/windows/win32/api/winuser/nf-winuser-setwineventhook) to register interest in an event taking place. A DLL is specified and can be injected into the process. This mitigation forces the hook to be posted to the registering process rather than running in-process through an injected DLL. + +### Compatibility considerations + +Most of these extension points are relatively infrequently used, so compatibility impact is typically small, particularly at an individual application level. The one consideration is if users are using 3rd party Legacy IMEs which will not work with the protected application. 
+ +### Configuration options + +There are no configuration options for this mitigation. + +> [!Note] +> **Disable extension points** has no audit mode. + +## Disable Win32k system calls + +### Description + +Win32k.sys provides a broad attack surface for an attacker. As a kernel-mode component, it is frequently targeted as an escape vector for applications that are sandboxed. This mitigation prevents calls into win32k.sys by blocking a thread from converting itself into a GUI thread, which is then given access to invoke Win32k functions. A thread is non-GUI when created, but converted on first call to win32k.sys, or through an API call to [IsGuiThread](https://docs.microsoft.com/windows/win32/api/winuser/nf-winuser-isguithread). + +### Compatibility considerations + +This mitigation is designed for processes which are dedicated non-UI processes. For example, many modern browsers will leverage process isolation and incorporate non-UI processes. Any application which displays a GUI using a single process will be impacted by this mitigation. + +### Configuration options + +**Audit Only** - You can enable this mitigation in audit mode in order to measure the potential compatibility impact on an application. Audit events can then be viewed either in the event viewer or using Advanced Hunting in [Microsoft Defender ATP](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview). + +## Do not allow child processes + +### Description + +This mitigation prevents an application from creating new child applications. A common technique used by adversaries is to initiate a trusted process on the device with malicious input (a "living off the land" attack), which often requires launching another application on the device. If there are no legitimate reasons why an application would launch a child process, this mitigation mitigates that potential attack vector. 
The mitigation is applied by setting a property on the process token, which blocks creating a token for the child process with the error message STATUS_CHILD_PROCESS_BLOCKED. + +### Compatibility considerations + +If your application launches child applications for any reason, such as supporting hyperlinks which launch a browser or an external browser, or which launch other utilities on the computer, this functionality will be broken with this mitigation applied. + +### Configuration options + +**Audit Only** - You can enable this mitigation in audit mode in order to measure the potential compatibility impact on an application. Audit events can then be viewed either in the event viewer or using Advanced Hunting in [Microsoft Defender ATP](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview). + +## Export address filtering + +### Description + +Export address filtering (EAF) mitigates the risk of malicious code looking at the export address table of all loaded modules to find modules that contain useful APIs for their attack. This is a common tactic used by shellcode. In order to mitigate the risk of such an attack, this mitigation protects 3 commonly attacked modules: + +- ntdll.dll +- kernelbase.dll +- kernel32.dll + +The mitigation protects the memory page in the [export directory](https://docs.microsoft.com/windows/win32/debug/pe-format#export-directory-table) which points to the [export address table](https://docs.microsoft.com/windows/win32/debug/pe-format#export-address-table). This memory page will have the [PAGE_GUARD](https://docs.microsoft.com/windows/win32/memory/creating-guard-pages) protection applied to it. When someone tries to access this memory, it will generate a STATUS_GUARD_PAGE_VIOLATION. The mitigation handles this exception, and if the accessing instruction doesn't pass validation, the process will be terminated. 
+ +### Compatibility considerations + +This mitigation is primarily an issue for applications such as debuggers, sandboxed applications, applications using DRM, or applications that implement anti-debugging technology. + +### Configuration options + +**Validate access for modules that are commonly abused by exploits** - This option, also known as EAF+, adds protections for additional commonly attacked modules: + +- mshtml.dll +- flash*.ocx +- jscript*.ocx +- vbscript.dll +- vgx.dll +- mozjs.dll +- xul.dll +- acrord32.dll +- acrofx32.dll +- acroform.api + +Additionally, by enabling EAF+, this mitigation adds the PAGE_GUARD protection to the page containing the "MZ" header, the first two bytes of the [DOS header in a PE file](https://docs.microsoft.com/windows/win32/debug/pe-format#ms-dos-stub-image-only), which is another aspect of known memory content which shellcode can look for to identify modules potentially of interest in memory. + +**Audit Only** - You can enable this mitigation in audit mode in order to measure the potential compatibility impact on an application. Audit events can then be viewed either in the event viewer or using Advanced Hunting in [Microsoft Defender ATP](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview). + +## Force randomization for images (Mandatory ASLR) + +### Description + +Address Space Layout Randomization (ASLR) mitigates the risk of an attacker using their knowledge of the memory layout of the system in order to execute code that is already present in process memory and already marked as executable. This can mitigate the risk of an attacker leveraging techniques such as return-to-libc attacks, where the adversary sets the context and then modifies the return address to execute existing code with context that suits the adversary's purpose. + +Mandatory ASLR forces a rebase of all DLLs within the process. 
A developer can enable ASLR using the [/DYNAMICBASE](https://docs.microsoft.com/cpp/build/reference/dynamicbase-use-address-space-layout-randomization?view=vs-2019) linker option, and this mitigation has the same effect. + +When the memory manager is mapping in the image into the process, Mandatory ASLR will forcibly rebase DLLs and EXEs that have not opted in to ASLR. Note, however, that this rebasing has no entropy, and can therefore be placed at a predictable location in memory. For rebased and randomized location of binaries, this mitigation should be paired with [Randomize memory allocations (Bottom-up ASLR)](#randomize-memory-allocations-bottom-up-aslr). + +### Compatibility considerations + +This compatibility impact of ASLR is typically constrained to older applications which were built using compilers which made assumptions about the base address of a binary file or have stripped out base relocation information. This can lead to unpredictable errors as the execution flow attempts to jump to the expected, rather than the actual, location in memory. + +### Configuration options + +**Do not allow stripped images** - This option blocks the loading of images that have had relocation information stripped. The Windows PE file format contains absolute addresses, and the compiler also generates a [base relocation table](https://docs.microsoft.com/windows/win32/debug/pe-format#the-reloc-section-image-only) which the loader can use to find all relative memory references and their offset, so they can be updated if the binary does not load at its preferred base address. Some older applications strip out this information in production builds, and therefore these binaries cannot be rebased. This mitigation blocks such binaries from being loaded (instead of allowing them to load at their preferred base address). + +> [!Note] +> **Force randomization for images (Mandatory ASLR)** has no audit mode. 
+ +## Import address filtering (IAF) + +### Description + +The Import address filtering (IAF) mitigation helps mitigate the risk of an adversary changing the control flow of an application by modifying the import address table (IAT) to redirect to arbitrary code of the attacker's choice when that function is called. An attacker could use this approach to hijack control, or to intercept, inspect, and potentially block calls to sensitive APIs. + +The memory pages for all protected APIs will have the [PAGE_GUARD](https://docs.microsoft.com/windows/win32/memory/creating-guard-pages) protection applied to them. When someone tries to access this memory, it will generate a STATUS_GUARD_PAGE_VIOLATION. The mitigation handles this exception, and if the accessing instruction doesn't pass validation, the process will be terminated. + +This mitigation protects the following Windows APIs: + +- GetProcAddress +- GetProcAddressForCaller +- LoadLibraryA +- LoadLibraryExA +- LoadLibraryW +- LoadLibraryExW +- LdrGetProcedureAddress +- LdrGetProcedureAddressEx +- LdrGetProcedureAddressForCaller +- LdrLoadDll +- VirtualProtect +- VirtualProtectEx +- VirtualAlloc +- VirtualAllocEx +- NtAllocateVirtualMemory +- NtProtectVirtualMemory +- CreateProcessA +- CreateProcessW +- WinExec +- CreateProcessAsUserA +- CreateProcessAsUserW +- GetModuleHandleA +- GetModuleHandleW +- RtlDecodePointer +- DecodePointer + +### Compatibility considerations + +Legitimate applications which perform API interception may be detected by this mitigation and cause some applications to crash. Examples include security software and application compatibility shims. + +### Configuration options + +**Audit Only** - You can enable this mitigation in audit mode in order to measure the potential compatibility impact on an application. 
Audit events can then be viewed either in the event viewer or using Advanced Hunting in [Microsoft Defender ATP](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview). + +## Randomize memory allocations (Bottom-up ASLR) + +### Description + +Randomize memory allocations (Bottom-up ASLR) adds entropy to relocations, so their location is randomized and therefore less predictable. This mitigation requires Mandatory ASLR to take effect. + +Note that the size of the 32-bit address space places practical constraints on the entropy that can be added, and therefore 64-bit applications make it significantly more difficult for an attacker to guess a location in memory. + +### Compatibility considerations + +Most applications which are compatible with Mandatory ASLR (rebasing) will also be compatible with the additional entropy of Bottom-up ASLR. Some applications may have pointer-truncation issues if they are saving local pointers in 32-bit variables (expecting a base address below 4GB), and thus will be incompatible with the high entropy option (which can be disabled). + +### Configuration options + +**Don't use high entropy** - this option disables the use of high-entropy ASLR, which adds 24 bits of entropy (1TB of variance) into the bottom-up allocation for 64-bit applications. + +> [!Note] +> **Randomize memory allocations (Bottom-up ASLR)** has no audit mode. + +## Simulate execution (SimExec) + +### Description + +Simulate execution (SimExec) is a mitigation for 32-bit applications only which helps validate that calls to sensitive APIs will return to legitimate caller functions. It does this by intercepting calls into sensitive APIs, and then simulating the execution of those APIs by walking through the encoded assembly language instructions looking for the RET instruction, which should return to the caller. 
It then inspects that function and walks backwards in memory to find the preceding CALL instruction to compare if the two match and that the RET hasn't been intercepted. + +The APIs intercepted by this mitigation are: + +- LoadLibraryA +- LoadLibraryW +- LoadLibraryExA +- LoadLibraryExW +- LdrLoadDll +- VirtualAlloc +- VirtualAllocEx +- NtAllocateVirtualMemory +- VirtualProtect +- VirtualProtectEx +- NtProtectVirtualMemory +- HeapCreate +- RtlCreateHeap +- CreateProcessA +- CreateProcessW +- CreateProcessInternalA +- CreateProcessInternalW +- NtCreateUserProcess +- NtCreateProcess +- NtCreateProcessEx +- CreateRemoteThread +- CreateRemoteThreadEx +- NtCreateThreadEx +- WriteProcessMemory +- NtWriteVirtualMemory +- WinExec +- CreateFileMappingA +- CreateFileMappingW +- CreateFileMappingNumaW +- NtCreateSection +- MapViewOfFile +- MapViewOfFileEx +- MapViewOfFileFromApp +- LdrGetProcedureAddressForCaller + +If a ROP gadget is detected, the process is terminated. + +### Compatibility considerations + +Applications which perform API interception, particularly security software, can cause compatibility problems with this mitigation. + +This mitigation is incompatible with the Arbitrary Code Guard mitigation. + +### Configuration options + +**Audit Only** - You can enable this mitigation in audit mode in order to measure the potential compatibility impact on an application. Audit events can then be viewed either in the event viewer or using Advanced Hunting in [Microsoft Defender ATP](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview). + +## Validate API invocation (CallerCheck) + +### Description + +Validate API invocation (CallerCheck) is a mitigation for return oriented programming (ROP) techniques which validates that sensitive APIs were called from a valid caller. 
This mitigation inspects the passed return address, and then heuristically disassembles backwards to find a call above the return address to determine if the call target matches the parameter passed into the function.
+
+The APIs intercepted by this mitigation are:
+
+- LoadLibraryA
+- LoadLibraryW
+- LoadLibraryExA
+- LoadLibraryExW
+- LdrLoadDll
+- VirtualAlloc
+- VirtualAllocEx
+- NtAllocateVirtualMemory
+- VirtualProtect
+- VirtualProtectEx
+- NtProtectVirtualMemory
+- HeapCreate
+- RtlCreateHeap
+- CreateProcessA
+- CreateProcessW
+- CreateProcessInternalA
+- CreateProcessInternalW
+- NtCreateUserProcess
+- NtCreateProcess
+- NtCreateProcessEx
+- CreateRemoteThread
+- CreateRemoteThreadEx
+- NtCreateThreadEx
+- WriteProcessMemory
+- NtWriteVirtualMemory
+- WinExec
+- CreateFileMappingA
+- CreateFileMappingW
+- CreateFileMappingNumaW
+- NtCreateSection
+- MapViewOfFile
+- MapViewOfFileEx
+- MapViewOfFileFromApp
+- LdrGetProcedureAddressForCaller
+
+If a ROP gadget is detected, the process is terminated.
+
+### Compatibility considerations
+
+Applications which perform API interception, particularly security software, can cause compatibility problems with this mitigation.
+
+This mitigation is incompatible with the Arbitrary Code Guard mitigation.
+
+### Configuration options
+
+**Audit Only** - You can enable this mitigation in audit mode in order to measure the potential compatibility impact on an application. Audit events can then be viewed either in the event viewer or using Advanced Hunting in [Microsoft Defender ATP](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview).
+
+## Validate exception chains (SEHOP)
+
+### Description
+
+Validate exception chains (SEHOP) is a mitigation against the *Structured Exception Handler (SEH) overwrite* exploitation technique.
[Structured Exception Handling](https://docs.microsoft.com/windows/win32/debug/structured-exception-handling) is the process by which an application can ask to handle a particular exception. Exception handlers are chained together, so that if one exception handler chooses not to handle a particular exception, it can be passed on to the next exception handler in the chain until one decides to handle it. Because the list of handler is dynamic, it is stored on the stack. An attacker can leverage a stack overflow vulnerability to then overwrite the exception handler with a pointer to the code of the attacker's choice.
+
+This mitigation relies on the design of SEH, where each SEH entry contains both a pointer to the exception handler, as well as a pointer to the next handler in the exception chain. This mitigation is called by the exception dispatcher, which validates the SEH chain when an exception is invoked. It verifies that:
+
+- All exception chain records are within the stack boundaries
+- All exception records are aligned
+- No exception handler pointers are pointing to the stack
+- There are no backward pointers
+- The exception chain ends at a known final exception handler
+
+If these validations fail, then exception handling is aborted, and the exception will not be handled.
+
+### Compatibility considerations
+
+Compatibility issues with SEHOP are relatively rare. It's uncommon for an application to take a dependency on corrupting the exception chain. However, some applications are impacted by the subtle changes in timing, which may manifest as a race condition that reveals a latent multi-threading bug in the application.
+
+### Configuration options
+
+> [!Note]
+> **Validate exception chains (SEHOP)** has no audit mode.
+
+## Validate handle usage
+
+### Description
+
+*Validate handle usage* is a mitigation which helps protect against an attacker leveraging an existing handle to access a protected object.
A [handle](https://docs.microsoft.com/windows/win32/sysinfo/handles-and-objects) is a reference to a protected object. If application code is referencing an invalid handle, that could indicate that an adversary is attempting to use a handle it has previously recorded (but which application reference counting wouldn't be aware of). If the application attempts to use an invalid object, instead of simply returning null, the application will raise an exception (STATUS_INVALID_HANDLE).
+
+This mitigation is automatically applied to Windows Store applications.
+
+### Compatibility considerations
+
+Applications which were not accurately tracking handle references, and which were not wrapping these operations in exception handlers, will potentially be impacted by this mitigation.
+
+### Configuration options
+
+> [!Note]
+> **Validate handle usage** has no audit mode.
+
+## Validate heap integrity
+
+### Description
+
+The *validate heap integrity* mitigation increases the protection level of heap mitigations in Windows, by causing the application to terminate if a heap corruption is detected. The mitigations include:
+
+- Preventing a HEAP handle from being freed
+- Performing additional validation on extended block headers for heap allocations
+- Verifying that heap allocations are not already flagged as in-use
+- Adding guard pages to large allocations, heap segments, and subsegments above a minimum size
+
+### Compatibility considerations
+
+This mitigation is already applied by default for 64-bit applications and for 32-bit applications targeting Windows Vista or later. Legacy applications from Windows XP or earlier are most at-risk, though compatibility issues are rare.
+
+### Configuration options
+
+> [!Note]
+> **Validate heap integrity** has no audit mode.
+
+## Validate image dependency integrity
+
+### Description
+
+The *validate image dependency* mitigation helps protect against attacks which attempt to substitute code for dlls which are statically linked by Windows binaries. The technique of DLL planting abuses the loader's search mechanism to inject malicious code, which can be used to get malicious code running in an elevated context. When the loader is loading a Windows signed binary, and then loads up any dlls that the binary depends on, these binaries will be verified to ensure that they are also digitally signed as a Windows binary. If they fail the signature check, the dll will not be loaded, and will throw an exception, returning a status of STATUS_INVALID_IMAGE_HASH.
+
+### Compatibility considerations
+
+Compatibility issues are uncommon. Applications which depend on replacing Windows binaries with local private versions will be impacted, and there is also a small risk of revealing subtle timing bugs in multi-threaded applications.
+
+### Configuration options
+
+**Audit Only** - You can enable this mitigation in audit mode in order to measure the potential compatibility impact on an application. Audit events can then be viewed either in the event viewer or using Advanced Hunting in [Microsoft Defender ATP](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview).
+
+## Validate stack integrity (StackPivot)
+
+### Description
+
+The *validate stack integrity (StackPivot)* mitigation helps protect against the Stack Pivot attack, a ROP attack where an attacker creates a fake stack in heap memory, and then tricks the application into returning into the fake stack which controls the flow of execution.
+
+This mitigation intercepts a number of Windows APIs, and inspects the value of the stack pointer. If the address of the stack pointer does not fall between the bottom and the top of the stack, then an event is recorded and, if not in audit mode, the process will be terminated.
+
+The APIs intercepted by this mitigation are:
+
+- LoadLibraryA
+- LoadLibraryW
+- LoadLibraryExA
+- LoadLibraryExW
+- LdrLoadDll
+- VirtualAlloc
+- VirtualAllocEx
+- NtAllocateVirtualMemory
+- VirtualProtect
+- VirtualProtectEx
+- NtProtectVirtualMemory
+- HeapCreate
+- RtlCreateHeap
+- CreateProcessA
+- CreateProcessW
+- CreateProcessInternalA
+- CreateProcessInternalW
+- NtCreateUserProcess
+- NtCreateProcess
+- NtCreateProcessEx
+- CreateRemoteThread
+- CreateRemoteThreadEx
+- NtCreateThreadEx
+- WriteProcessMemory
+- NtWriteVirtualMemory
+- WinExec
+- CreateFileMappingA
+- CreateFileMappingW
+- CreateFileMappingNumaW
+- NtCreateSection
+- MapViewOfFile
+- MapViewOfFileEx
+- MapViewOfFileFromApp
+- LdrGetProcedureAddressForCaller
+
+### Compatibility considerations
+
+Applications which are leveraging fake stacks will be impacted, and there is also a small risk of revealing subtle timing bugs in multi-threaded applications.
+Applications which perform API interception, particularly security software, can cause compatibility problems with this mitigation.
+
+This mitigation is incompatible with the Arbitrary Code Guard mitigation.
+
+### Configuration options
+
+**Audit Only** - You can enable this mitigation in audit mode in order to measure the potential compatibility impact on an application. Audit events can then be viewed either in the event viewer or using Advanced Hunting in [Microsoft Defender ATP](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md
index bab625f913..e4174dddea 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md
@@ -3,7 +3,6 @@ title: Apply mitigations to help prevent attacks through vulnerabilities keywords: mitigations, vulnerabilities, vulnerability, mitigation, exploit, exploits, emet description: Protect devices against exploits with Windows 10. Windows 10 has advanced exploit protection capabilities, building upon and improving the settings available in Enhanced Mitigation Experience Toolkit (EMET). search.product: eADQiWindows 10XVcnh -ms.pagetype: security ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library @@ -20,6 +19,9 @@ ms.custom: asr # Protect devices from exploits +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) 
@@ -37,10 +39,10 @@ When a mitigation is encountered on the device, a notification will be displayed You can also use [audit mode](evaluate-exploit-protection.md) to evaluate how exploit protection would impact your organization if it were enabled. -Many of the features in the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/security/jj653751) have been included in Exploit protection, and you can convert and import existing EMET configuration profiles into Exploit protection. See [Comparison between Enhanced Mitigation Experience Toolkit and Exploit protection](emet-exploit-protection.md) for more information on how Exploit protection supersedes EMET and what the benefits are when considering moving to exploit protection on Windows 10. +Many of the features in the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/security/jj653751) are included in exploit protection. In fact, you can convert and import existing your EMET configuration profiles into exploit protection. To learn more, see [Import, export, and deploy exploit protection configurations](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml). > [!IMPORTANT] -> If you are currently using EMET you should be aware that [EMET reached end of support on July 31, 2018](https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/). You should consider replacing EMET with exploit protection in Windows 10. You can [convert an existing EMET configuration file into exploit protection](import-export-exploit-protection-emet-xml.md#convert-an-emet-configuration-file-to-an-exploit-protection-configuration-file) to make the migration easier and keep your existing settings. +> If you are currently using EMET you should be aware that [EMET reached end of support on July 31, 2018](https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/). 
Consider replacing EMET with exploit protection in Windows 10. > [!WARNING] > Some security mitigation technologies may have compatibility issues with some applications. You should test exploit protection in all target use scenarios by using [audit mode](audit-windows-defender.md) before deploying the configuration across a production environment or the rest of your network. 
@@ -62,34 +64,34 @@ DeviceEvents You can review the Windows event log to see events that are created when exploit protection blocks (or audits) an app: -Provider/source | Event ID | Description --|-|- -Security-Mitigations | 1 | ACG audit -Security-Mitigations | 2 | ACG enforce -Security-Mitigations | 3 | Do not allow child processes audit -Security-Mitigations | 4 | Do not allow child processes block -Security-Mitigations | 5 | Block low integrity images audit -Security-Mitigations | 6 | Block low integrity images block -Security-Mitigations | 7 | Block remote images audit -Security-Mitigations | 8 | Block remote images block -Security-Mitigations | 9 | Disable win32k system calls audit -Security-Mitigations | 10 | Disable win32k system calls block -Security-Mitigations | 11 | Code integrity guard audit -Security-Mitigations | 12 | Code integrity guard block -Security-Mitigations | 13 | EAF audit -Security-Mitigations | 14 | EAF enforce -Security-Mitigations | 15 | EAF+ audit -Security-Mitigations | 16 | EAF+ enforce -Security-Mitigations | 17 | IAF audit -Security-Mitigations | 18 | IAF enforce -Security-Mitigations | 19 | ROP StackPivot audit -Security-Mitigations | 20 | ROP StackPivot enforce -Security-Mitigations | 21 | ROP CallerCheck audit -Security-Mitigations | 22 | ROP CallerCheck enforce -Security-Mitigations | 23 | ROP SimExec audit -Security-Mitigations | 24 | ROP SimExec enforce -WER-Diagnostics | 5 | CFG Block -Win32K | 260 | Untrusted Font +|Provider/source | Event ID | Description| +|---|---|---| +|Security-Mitigations | 1 | ACG audit | +|Security-Mitigations | 2 | ACG enforce | +|Security-Mitigations | 3 | Do not allow child processes audit | +|Security-Mitigations | 4 | Do not allow child processes block | +|Security-Mitigations | 5 | Block low integrity images audit | +|Security-Mitigations | 6 | Block low integrity images block | +|Security-Mitigations | 7 | Block remote images audit | +|Security-Mitigations | 8 | Block remote images block | 
+|Security-Mitigations | 9 | Disable win32k system calls audit | +|Security-Mitigations | 10 | Disable win32k system calls block | +|Security-Mitigations | 11 | Code integrity guard audit | +|Security-Mitigations | 12 | Code integrity guard block | +|Security-Mitigations | 13 | EAF audit | +|Security-Mitigations | 14 | EAF enforce | +|Security-Mitigations | 15 | EAF+ audit | +|Security-Mitigations | 16 | EAF+ enforce | +|Security-Mitigations | 17 | IAF audit | +|Security-Mitigations | 18 | IAF enforce | +|Security-Mitigations | 19 | ROP StackPivot audit | +|Security-Mitigations | 20 | ROP StackPivot enforce | +|Security-Mitigations | 21 | ROP CallerCheck audit | +|Security-Mitigations | 22 | ROP CallerCheck enforce | +|Security-Mitigations | 23 | ROP SimExec audit | +|Security-Mitigations | 24 | ROP SimExec enforce | +|WER-Diagnostics | 5 | CFG Block | +|Win32K | 260 | Untrusted Font | ## Mitigation comparison @@ -97,38 +99,36 @@ The mitigations available in EMET are included natively in Windows 10 (starting The table in this section indicates the availability and support of native mitigations between EMET and exploit protection. -Mitigation | Available under Exploit protection | Available in EMET --|-|- -Arbitrary code guard (ACG) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
                        As "Memory Protection Check" -Block remote images | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
                        As "Load Library Check" -Block untrusted fonts | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] -Data Execution Prevention (DEP) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] -Export address filtering (EAF) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] -Force randomization for images (Mandatory ASLR) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] -NullPage Security Mitigation | [!include[Check mark yes](../images/svg/check-yes.svg)]
                        Included natively in Windows 10
                        See [Mitigate threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information | [!include[Check mark yes](../images/svg/check-yes.svg)] -Randomize memory allocations (Bottom-Up ASLR) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] -Simulate execution (SimExec) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] -Validate API invocation (CallerCheck) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] -Validate exception chains (SEHOP) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] -Validate stack integrity (StackPivot) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] -Certificate trust (configurable certificate pinning) | Windows 10 provides enterprise certificate pinning | [!include[Check mark yes](../images/svg/check-yes.svg)] -Heap spray allocation | Ineffective against newer browser-based exploits; newer mitigations provide better protection
                        See [Mitigate threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information | [!include[Check mark yes](../images/svg/check-yes.svg)] -Block low integrity images | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] -Code integrity guard | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] -Disable extension points | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] -Disable Win32k system calls | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] -Do not allow child processes | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] -Import address filtering (IAF) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] -Validate handle usage | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] -Validate heap integrity | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] -Validate image dependency integrity | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] +|Mitigation | Available under exploit protection | Available in EMET | +|---|---|---| +|Arbitrary code guard (ACG) | yes | yes
                        As "Memory Protection Check" | +|Block remote images | yes | yes
                        As "Load Library Check" | +|Block untrusted fonts | yes | yes | +|Data Execution Prevention (DEP) | yes | yes | +|Export address filtering (EAF) | yes | yes | +|Force randomization for images (Mandatory ASLR) | yes | yes | +|NullPage Security Mitigation | yes
                        Included natively in Windows 10
                        See [Mitigate threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information | yes | +|Randomize memory allocations (Bottom-Up ASLR) | yes | yes | +|Simulate execution (SimExec) | yes | yes | +|Validate API invocation (CallerCheck) | yes | yes | +|Validate exception chains (SEHOP) | yes | yes | +|Validate stack integrity (StackPivot) | yes | yes | +|Certificate trust (configurable certificate pinning) | Windows 10 provides enterprise certificate pinning | yes | +|Heap spray allocation | Ineffective against newer browser-based exploits; newer mitigations provide better protection
                        See [Mitigate threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information | yes | +|Block low integrity images | yes | no | +|Code integrity guard | yes | no | +|Disable extension points | yes | no | +|Disable Win32k system calls | yes | no | +|Do not allow child processes | yes | no | +|Import address filtering (IAF) | yes | no | +|Validate handle usage | yes | no | +|Validate heap integrity | yes | no | +|Validate image dependency integrity | yes | no | > [!NOTE] -> The Advanced ROP mitigations that are available in EMET are superseded by ACG in Windows 10, which other EMET advanced settings are enabled by default, as part of enabling the anti-ROP mitigations for a process. -> -> See the [Mitigation threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information on how Windows 10 employs existing EMET technology. +> The Advanced ROP mitigations that are available in EMET are superseded by ACG in Windows 10, which other EMET advanced settings are enabled by default, as part of enabling the anti-ROP mitigations for a process. See the [Mitigation threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information on how Windows 10 employs existing EMET technology. -## Related articles +## See also - [Protect devices from exploits](exploit-protection.md) - [Evaluate exploit protection](evaluate-exploit-protection.md) 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md index 8bdf15c60a..8f4d3dec0e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md @@ -19,6 +19,9 @@ ms.topic: article # Use Microsoft Defender ATP APIs +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-partners.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-partners.md index 53f48b4a51..2b71b7c2cf 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-partners.md +++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-partners.md @@ -19,6 +19,9 @@ ms.topic: article # Partner access through Microsoft Defender ATP APIs +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp.md index be3db97ab4..e4a7458f08 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp.md @@ -19,6 +19,9 @@ ms.topic: article # Create an app to access Microsoft Defender ATP without a user +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-full-sample-powershell.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-full-sample-powershell.md index f93889cb75..1ad142d2e4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-full-sample-powershell.md +++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-full-sample-powershell.md @@ -19,6 +19,9 @@ ms.date: 09/24/2018 --- # Microsoft Defender ATP APIs using PowerShell + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-list.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-list.md index 535ec63d9c..d5115891d3 100644 
--- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-list.md +++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-list.md @@ -19,6 +19,9 @@ ms.topic: article # Supported Microsoft Defender ATP APIs +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md index 37e873ced5..1e2be5f01f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md +++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md @@ -1,7 +1,7 @@ --- title: OData queries with Microsoft Defender ATP ms.reviewer: -description: Use these examples of Open Data Protocol (OData) queries to help with data access protocols in Microsoft Defender ATP +description: Use these examples of Open Data Protocol (OData) queries to help with data access protocols in Microsoft Defender ATP. keywords: apis, supported apis, odata, query search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -19,6 +19,9 @@ ms.topic: article # OData queries with Microsoft Defender ATP +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/feedback-loop-blocking.md b/windows/security/threat-protection/microsoft-defender-atp/feedback-loop-blocking.md index 7f62a2a426..0d0ee850c5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/feedback-loop-blocking.md +++ b/windows/security/threat-protection/microsoft-defender-atp/feedback-loop-blocking.md @@ -20,6 +20,9 @@ ms.collection: # Feedback-loop blocking +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/microsoft-defender-atp/fetch-alerts-mssp.md b/windows/security/threat-protection/microsoft-defender-atp/fetch-alerts-mssp.md index f0ccb1577e..d21ad49611 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/fetch-alerts-mssp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/fetch-alerts-mssp.md @@ -1,4 +1,4 @@ ---- +--- title: Fetch alerts from MSSP customer tenant description: Learn how to fetch alerts from a customer tenant keywords: managed security service provider, mssp, configure, integration @@ -19,6 +19,9 @@ ms.topic: article # Fetch alerts from MSSP customer tenant +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) 
@@ -182,7 +185,7 @@ You'll need to have **Manage portal system settings** permission to allow the ap You can now download the relevant configuration file for your SIEM and connect to the Microsoft Defender ATP API. For more information see, [Pull alerts to your SIEM tools](configure-siem.md). -- In the ArcSight configuration file / Splunk Authentication Properties file – you will have to write your application key manually by settings the secret value. +- In the ArcSight configuration file / Splunk Authentication Properties file ? you will have to write your application key manually by settings the secret value. - Instead of acquiring a refresh token in the portal, use the script from the previous step to acquire a refresh token (or acquire it by other means). ## Fetch alerts from MSSP customer's tenant using APIs diff --git a/windows/security/threat-protection/microsoft-defender-atp/files.md b/windows/security/threat-protection/microsoft-defender-atp/files.md index 5ef6fc7ec4..2b27cae459 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/files.md +++ b/windows/security/threat-protection/microsoft-defender-atp/files.md @@ -18,6 +18,9 @@ ms.topic: article # File resource type +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) @@ -75,4 +78,4 @@ determinationValue | String | Determination value. "determinationType": "Pua", "determinationValue": "PUA:Win32/FusionCore" } -``` \ No newline at end of file +``` 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/find-machine-info-by-ip.md b/windows/security/threat-protection/microsoft-defender-atp/find-machine-info-by-ip.md index 59c2006e13..d0690e63d2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/find-machine-info-by-ip.md +++ b/windows/security/threat-protection/microsoft-defender-atp/find-machine-info-by-ip.md @@ -18,6 +18,9 @@ ms.topic: article # Find device information by internal IP API +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-ip.md b/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-ip.md index 9d7a2a71d0..e4a3b8ac99 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-ip.md +++ b/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-ip.md @@ -18,6 +18,9 @@ ms.topic: article # Find devices by internal IP API +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/fix-unhealthy-sensors.md b/windows/security/threat-protection/microsoft-defender-atp/fix-unhealthy-sensors.md index 737e32b036..9afb49c31b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/fix-unhealthy-sensors.md +++ b/windows/security/threat-protection/microsoft-defender-atp/fix-unhealthy-sensors.md 
@@ -20,6 +20,9 @@ ms.date: 10/23/2017 # Fix unhealthy sensors in Microsoft Defender ATP +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-info-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-info-by-id.md index e4ecad3ffa..d5ed580340 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-info-by-id.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-info-by-id.md @@ -1,6 +1,6 @@ --- title: Get alert information by ID API -description: Retrieve a Microsoft Defender ATP alert by its ID. +description: Learn how to use the Get alert information by ID API to retrieve a specific alert by its ID in Microsoft Defender Advanced Threat Protection. keywords: apis, graph api, supported apis, get, alert, information, id search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -18,6 +18,9 @@ ms.topic: article # Get alert information by ID API +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-domain-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-domain-info.md index ac7cf2410a..6b256610ed 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-domain-info.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-domain-info.md 
@@ -18,6 +18,9 @@ ms.topic: article # Get alert related domain information API +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-files-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-files-info.md index 519afaa0e3..5ac0f2d01a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-files-info.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-files-info.md @@ -18,6 +18,9 @@ ms.topic: article # Get alert related files information API +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-ip-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-ip-info.md index cf783ffeda..9b841e71af 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-ip-info.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-ip-info.md 
@@ -18,6 +18,9 @@ ms.topic: article # Get alert related IPs information API +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md index 2b030497a2..94132932d5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md @@ -18,6 +18,9 @@ ms.topic: article # Get alert related machine information API +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-user-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-user-info.md index 982e2a2585..4c54267d9a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-user-info.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-user-info.md 
@@ -1,6 +1,6 @@ --- title: Get alert related user information -description: Retrieves the user associated to a specific alert. +description: Learn how to use the Get alert related user information API to retrieve the user related to a specific alert in Microsoft Defender Advanced Threat Protection. keywords: apis, graph api, supported apis, get, alert, information, related, user search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -18,6 +18,9 @@ ms.topic: article # Get alert related user information API +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md index f13f6270fd..e0b7e0c358 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md @@ -1,6 +1,6 @@ --- title: List alerts API -description: Retrieve a collection of recent Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) alerts. +description: Learn how to use the List alerts API to retrieve a collection of alerts in Microsoft Defender Advanced Threat Protection. keywords: apis, graph api, supported apis, get, alerts, recent search.product: eADQiWindows 10XVcnh ms.prod: w10 
@@ -18,6 +18,9 @@ ms.topic: article # List alerts API +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-all-recommendations.md b/windows/security/threat-protection/microsoft-defender-atp/get-all-recommendations.md index 5f0bb3386d..c49e958dfb 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-all-recommendations.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-all-recommendations.md 
@@ -1,108 +1,111 @@
----
-title: List all recommendations
-description: Retrieves a list of all security recommendations affecting the organization.
-keywords: apis, graph api, supported apis, get, security recommendations, mdatp tvm api, threat and vulnerability management, threat and vulnerability management api
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# List all recommendations
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-Retrieves a list of all security recommendations affecting the organization.
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | SecurityRecommendation.Read.All | 'Read Threat and Vulnerability Management security recommendation information'
-Delegated (work or school account) | SecurityRecommendation.Read | 'Read Threat and Vulnerability Management security recommendation information'
-
-## HTTP request
-```
-GET /api/recommendations
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful, this method returns 200 OK with the list of security recommendations in the body.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```
-GET https://api.securitycenter.windows.com/api/recommendations
-```
-
-**Response**
-
-Here is an example of the response.
-
-
-```json
-{
- "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Recommendations",
- "value": [
- {
- "id": "va-_-microsoft-_-windows_10",
- "productName": "windows_10",
- "recommendationName": "Update Windows 10",
- "weaknesses": 397,
- "vendor": "microsoft",
- "recommendedVersion": "",
- "recommendationCategory": "Application",
- "subCategory": "",
- "severityScore": 0,
- "publicExploit": true,
- "activeAlert": false,
- "associatedThreats": [
- "3098b8ef-23b1-46b3-aed4-499e1928f9ed",
- "40c189d5-0330-4654-a816-e48c2b7f9c4b",
- "4b0c9702-9b6c-4ca2-9d02-1556869f56f8",
- "e8fc2121-3cf3-4dd2-9ea0-87d7e1d2b29d",
- "94b6e94b-0c1d-4817-ac06-c3b8639be3ab"
- ],
- "remediationType": "Update",
- "status": "Active",
- "configScoreImpact": 0,
- "exposureImpact": 7.674418604651163,
- "totalMachineCount": 37,
- "exposedMachinesCount": 7,
- "nonProductivityImpactedAssets": 0,
- "relatedComponent": "Windows 10"
- }
- ...
- ]
-}
-```
-## Related topics
-- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
-- [Threat & Vulnerability security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation)
-
+---
+title: List all recommendations
+description: Retrieves a list of all security recommendations affecting the organization.
+keywords: apis, graph api, supported apis, get, security recommendations, mdatp tvm api, threat and vulnerability management, threat and vulnerability management api
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# List all recommendations
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+Retrieves a list of all security recommendations affecting the organization.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | SecurityRecommendation.Read.All | 'Read Threat and Vulnerability Management security recommendation information'
+Delegated (work or school account) | SecurityRecommendation.Read | 'Read Threat and Vulnerability Management security recommendation information'
+
+## HTTP request
+```
+GET /api/recommendations
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200 OK with the list of security recommendations in the body.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/recommendations
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Recommendations",
+ "value": [
+ {
+ "id": "va-_-microsoft-_-windows_10",
+ "productName": "windows_10",
+ "recommendationName": "Update Windows 10",
+ "weaknesses": 397,
+ "vendor": "microsoft",
+ "recommendedVersion": "",
+ "recommendationCategory": "Application",
+ "subCategory": "",
+ "severityScore": 0,
+ "publicExploit": true,
+ "activeAlert": false,
+ "associatedThreats": [
+ "3098b8ef-23b1-46b3-aed4-499e1928f9ed",
+ "40c189d5-0330-4654-a816-e48c2b7f9c4b",
+ "4b0c9702-9b6c-4ca2-9d02-1556869f56f8",
+ "e8fc2121-3cf3-4dd2-9ea0-87d7e1d2b29d",
+ "94b6e94b-0c1d-4817-ac06-c3b8639be3ab"
+ ],
+ "remediationType": "Update",
+ "status": "Active",
+ "configScoreImpact": 0,
+ "exposureImpact": 7.674418604651163,
+ "totalMachineCount": 37,
+ "exposedMachinesCount": 7,
+ "nonProductivityImpactedAssets": 0,
+ "relatedComponent": "Windows 10"
+ }
+ ...
+ ]
+}
+```
+## Related topics
+- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
+- [Threat & Vulnerability security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation)
+
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities-by-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities-by-machines.md
index 3ec0c82630..f3be9540c4 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities-by-machines.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities-by-machines.md
@@ -18,6 +18,9 @@ ms.topic: article # List vulnerabilities by machine and software +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Retrieves a list of all the vulnerabilities affecting the organization per [machine](machine.md) and [software](software.md). diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities.md b/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities.md index 4114015c39..262c80a1bf 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities.md 
@@ -1,96 +1,99 @@
----
-title: Get all vulnerabilities
-description: Retrieves a list of all the vulnerabilities affecting the organization
-keywords: apis, graph api, supported apis, get, vulnerability information, mdatp tvm api
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# List vulnerabilities
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-Retrieves a list of all the vulnerabilities affecting the organization.
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Vulnerability.Read.All | 'Read Threat and Vulnerability Management vulnerability information'
-Delegated (work or school account) | Vulnerability.Read | 'Read Threat and Vulnerability Management vulnerability information'
-
-## HTTP request
-```
-GET /api/vulnerabilities
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful, this method returns 200 OK with the list of vulnerabilities in the body.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```
-GET https://api.securitycenter.windows.com/api/Vulnerabilities
-```
-
-**Response**
-
-Here is an example of the response.
-
-
-```json
-{
- "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#Vulnerabilities",
- "value": [
- {
- "id": "CVE-2019-0608",
- "name": "CVE-2019-0608",
- "description": "A spoofing vulnerability exists when Microsoft Browsers does not properly parse HTTP content. An attacker who successfully exploited this vulnerability could impersonate a user request by crafting HTTP queries. The specially crafted website could either spoof content or serve as a pivot to chain an attack with other vulnerabilities in web services.To exploit the vulnerability, the user must click a specially crafted URL. In an email attack scenario, an attacker could send an email message containing the specially crafted URL to the user in an attempt to convince the user to click it.In a web-based attack scenario, an attacker could host a specially crafted website designed to appear as a legitimate website to the user. However, the attacker would have no way to force the user to visit the specially crafted website. The attacker would have to convince the user to visit the specially crafted website, typically by way of enticement in an email or instant message, and then convince the user to interact with content on the website.The update addresses the vulnerability by correcting how Microsoft Browsers parses HTTP responses.",
- "severity": "Medium",
- "cvssV3": 4.3,
- "exposedMachines": 4,
- "publishedOn": "2019-10-08T00:00:00Z",
- "updatedOn": "2019-12-16T16:20:00Z",
- "publicExploit": false,
- "exploitVerified": false,
- "exploitInKit": false,
- "exploitTypes": [],
- "exploitUris": []
- }
- ...
- ]
-
-}
-```
-
-## Related topics
-- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
-- [Vulnerabilities in your organization](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses)
+---
+title: Get all vulnerabilities
+description: Retrieves a list of all the vulnerabilities affecting the organization
+keywords: apis, graph api, supported apis, get, vulnerability information, mdatp tvm api
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# List vulnerabilities
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+Retrieves a list of all the vulnerabilities affecting the organization.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Vulnerability.Read.All | 'Read Threat and Vulnerability Management vulnerability information'
+Delegated (work or school account) | Vulnerability.Read | 'Read Threat and Vulnerability Management vulnerability information'
+
+## HTTP request
+```
+GET /api/vulnerabilities
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200 OK with the list of vulnerabilities in the body.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/Vulnerabilities
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```json
+{
+ "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#Vulnerabilities",
+ "value": [
+ {
+ "id": "CVE-2019-0608",
+ "name": "CVE-2019-0608",
+ "description": "A spoofing vulnerability exists when Microsoft Browsers does not properly parse HTTP content. An attacker who successfully exploited this vulnerability could impersonate a user request by crafting HTTP queries. The specially crafted website could either spoof content or serve as a pivot to chain an attack with other vulnerabilities in web services.To exploit the vulnerability, the user must click a specially crafted URL. In an email attack scenario, an attacker could send an email message containing the specially crafted URL to the user in an attempt to convince the user to click it.In a web-based attack scenario, an attacker could host a specially crafted website designed to appear as a legitimate website to the user. However, the attacker would have no way to force the user to visit the specially crafted website. The attacker would have to convince the user to visit the specially crafted website, typically by way of enticement in an email or instant message, and then convince the user to interact with content on the website.The update addresses the vulnerability by correcting how Microsoft Browsers parses HTTP responses.",
+ "severity": "Medium",
+ "cvssV3": 4.3,
+ "exposedMachines": 4,
+ "publishedOn": "2019-10-08T00:00:00Z",
+ "updatedOn": "2019-12-16T16:20:00Z",
+ "publicExploit": false,
+ "exploitVerified": false,
+ "exploitInKit": false,
+ "exploitTypes": [],
+ "exploitUris": []
+ }
+ ...
+ ] + +} +``` + +## Related topics +- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt) +- [Vulnerabilities in your organization](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses) diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-cvekbmap-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-cvekbmap-collection.md index 4207a4cc3b..d4dac32b7b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-cvekbmap-collection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-cvekbmap-collection.md @@ -1,6 +1,6 @@ --- title: Get CVE-KB map API -description: Retrieves a map of CVE's to KB's. +description: Learn how to use the Get CVE-KB map API to retrieve a map of CVE's to KB's and CVE details in Microsoft Defender Advanced Threat Protection. keywords: apis, graph api, supported apis, get, cve, kb search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -20,6 +20,9 @@ ROBOTS: NOINDEX # Get CVE-KB map API +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-device-secure-score.md b/windows/security/threat-protection/microsoft-defender-atp/get-device-secure-score.md index 6eb1d7d80c..2c896a9943 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-device-secure-score.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-device-secure-score.md 
@@ -1,83 +1,86 @@
----
-title: Get Machine Secure score
-description: Retrieves the organizational device secure score.
-keywords: apis, graph api, supported apis, get, alerts, recent
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Get Machine Secure score
-
-**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-Retrieves the organizational device secure score.
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Score.Read.Alll | 'Read Threat and Vulnerability Management score'
-Delegated (work or school account) | Score.Read | 'Read Threat and Vulnerability Management score'
-
-## HTTP request
-```
-GET /api/configurationScore
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful, this method returns 200 OK, with the with device secure score data in the response body.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```
-GET https://api.securitycenter.windows.com/api/configurationScore
-```
-
-**Response**
-
-Here is an example of the response.
-
->[!NOTE]
->The response list shown here may be truncated for brevity.
-
-
-```json
-{
- "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#ConfigurationScore/$entity",
- "time": "2019-12-03T09:15:58.1665846Z",
- "score": 340
-}
-```
-
-## Related topics
-- [OData queries with Microsoft Defender ATP](exposed-apis-odata-samples.md)
+---
+title: Get device secure score
+description: Retrieves the organizational device secure score.
+keywords: apis, graph api, supported apis, get, alerts, recent
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: levinec
+ms.author: ellevin
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Get device secure score
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
+**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+
+Retrieves your [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md). A higher Microsoft Secure Score for Devices means your endpoints are more resilient from cybersecurity threat attacks.
+
+## Permissions
+
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Score.Read.Alll | 'Read Threat and Vulnerability Management score'
+Delegated (work or school account) | Score.Read | 'Read Threat and Vulnerability Management score'
+
+## HTTP request
+
+```
+GET /api/configurationScore
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+## Request body
+
+Empty
+
+## Response
+
+If successful, this method returns 200 OK, with the device secure score data in the response body.
+
+## Example
+
+### Request
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/configurationScore
+```
+
+### Response
+
+Here is an example of the response.
+
+>[!NOTE]
+>The response list shown here may be truncated for brevity.
+
+```json
+{
+ "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#ConfigurationScore/$entity",
+ "time": "2019-12-03T09:15:58.1665846Z",
+ "score": 340
+}
+```
+
+## Related topics
+
+- [OData queries with Microsoft Defender ATP](exposed-apis-odata-samples.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-discovered-vulnerabilities.md b/windows/security/threat-protection/microsoft-defender-atp/get-discovered-vulnerabilities.md
index d93e999a34..10ff59d2ea 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-discovered-vulnerabilities.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-discovered-vulnerabilities.md
@@ -1,93 +1,97 @@
----
-title: Get discovered vulnerabilities
-description: Retrieves a collection of discovered vulnerabilities related to a given device ID.
-keywords: apis, graph api, supported apis, get, list, file, information, discovered vulnerabilities, threat & vulnerability management api, mdatp tvm api
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Get discovered vulnerabilities
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-Retrieves a collection of discovered vulnerabilities related to a given device ID.
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application |Vulnerability.Read.All | 'Read Threat and Vulnerability Management vulnerability information'
-Delegated (work or school account) | Vulnerability.Read | 'Read Threat and Vulnerability Management vulnerability information'
-
-## HTTP request
-```
-GET /api/machines/{machineId}/vulnerabilities
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful, this method returns 200 OK with the discovered vulnerability information in the body.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```
-GET https://api.securitycenter.windows.com/api/machines/ac233fa6208e1579620bf44207c4006ed7cc4501/vulnerabilities
-```
-
-**Response**
-
-Here is an example of the response.
-
-
-```
-{
- "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Collection(Analytics.Contracts.PublicAPI.PublicVulnerabilityDto)",
- "value": [
- {
- "id": "CVE-2019-1348",
- "name": "CVE-2019-1348",
- "description": "Git could allow a remote attacker to bypass security restrictions, caused by a flaw in the --export-marks option of git fast-import. By persuading a victim to import specially-crafted content, an attacker could exploit this vulnerability to overwrite arbitrary paths.",
- "severity": "Medium",
- "cvssV3": 4.3,
- "exposedMachines": 1,
- "publishedOn": "2019-12-13T00:00:00Z",
- "updatedOn": "2019-12-13T00:00:00Z",
- "publicExploit": false,
- "exploitVerified": false,
- "exploitInKit": false,
- "exploitTypes": [],
- "exploitUris": []
- }
-}
-```
-
-## Related topics
-- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
-- [Vulnerabilities in your organization](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses)
+---
+title: Get discovered vulnerabilities
+description: Retrieves a collection of discovered vulnerabilities related to a given device ID.
+keywords: apis, graph api, supported apis, get, list, file, information, discovered vulnerabilities, threat & vulnerability management api, mdatp tvm api
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: levinec
+ms.author: ellevin
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Get discovered vulnerabilities
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+Retrieves a collection of discovered vulnerabilities related to a given device ID.
+
+## Permissions
+
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application |Vulnerability.Read.All | 'Read Threat and Vulnerability Management vulnerability information'
+Delegated (work or school account) | Vulnerability.Read | 'Read Threat and Vulnerability Management vulnerability information'
+
+## HTTP request
+
+```
+GET /api/machines/{machineId}/vulnerabilities
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+## Request body
+
+Empty
+
+## Response
+
+If successful, this method returns 200 OK with the discovered vulnerability information in the body.
+
+## Example
+
+### Request
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/machines/ac233fa6208e1579620bf44207c4006ed7cc4501/vulnerabilities
+```
+
+### Response
+
+Here is an example of the response.
+ +``` +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Collection(Analytics.Contracts.PublicAPI.PublicVulnerabilityDto)", + "value": [ + { + "id": "CVE-2019-1348", + "name": "CVE-2019-1348", + "description": "Git could allow a remote attacker to bypass security restrictions, caused by a flaw in the --export-marks option of git fast-import. By persuading a victim to import specially-crafted content, an attacker could exploit this vulnerability to overwrite arbitrary paths.", + "severity": "Medium", + "cvssV3": 4.3, + "exposedMachines": 1, + "publishedOn": "2019-12-13T00:00:00Z", + "updatedOn": "2019-12-13T00:00:00Z", + "publicExploit": false, + "exploitVerified": false, + "exploitInKit": false, + "exploitTypes": [], + "exploitUris": [] + } +} +``` + +## Related topics + +- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt) +- [Vulnerabilities in your organization](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses) diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-alerts.md index 0aa06444da..59c2587cda 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-alerts.md @@ -1,6 +1,6 @@ --- title: Get domain related alerts API -description: Retrieves a collection of alerts related to a given domain address. +description: Learn how to use the Get domain related alerts API to retrieve alerts related to a given domain address in Microsoft Defender Advanced Threat Protection. keywords: apis, graph api, supported apis, get, domain, related, alerts search.product: eADQiWindows 10XVcnh ms.prod: w10 
@@ -18,6 +18,9 @@ ms.topic: article # Get domain related alerts API +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-machines.md index 6b4dee50f5..662f9724e7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-machines.md @@ -1,6 +1,6 @@ --- title: Get domain related machines API -description: Retrieves a collection of devices related to a given domain address. +description: Learn how to use the Get domain related machines API to get machines that communicated to or from a domain in Microsoft Defender Advanced Threat Protection. keywords: apis, graph api, supported apis, get, domain, related, devices search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -18,6 +18,9 @@ ms.topic: article # Get domain related machines API +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-domain-statistics.md b/windows/security/threat-protection/microsoft-defender-atp/get-domain-statistics.md index 4cab7c52be..efb793f5cc 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-domain-statistics.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-domain-statistics.md @@ -1,6 +1,6 @@ --- title: Get domain statistics API -description: Retrieves the prevalence for the given domain. +description: Learn how to use the Get domain statistics API to retrieve the statistics on the given domain in Microsoft Defender Advanced Threat Protection. keywords: apis, graph api, supported apis, get, domain, domain related devices search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -18,6 +18,9 @@ ms.topic: article # Get domain statistics API +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-exposure-score.md b/windows/security/threat-protection/microsoft-defender-atp/get-exposure-score.md index 794272d101..77c92c030f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-exposure-score.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-exposure-score.md 
@@ -1,88 +1,90 @@
----
-title: Get exposure score
-description: Retrieves the organizational exposure score.
-keywords: apis, graph api, supported apis, get, exposure score, organizational exposure score
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Get exposure score
-
-**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-Retrieves the organizational exposure score.
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Score.Read.All | 'Read Threat and Vulnerability Management score'
-Delegated (work or school account) | Score.Read | 'Read Threat and Vulnerability Management score'
-
-
-## HTTP request
-```
-GET /api/exposureScore
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful, this method returns 200 OK, with the exposure data in the response body.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```
-GET https://api.securitycenter.windows.com/api/exposureScore
-```
-
-**Response**
-
-Here is an example of the response.
-
->[!NOTE]
->The response list shown here may be truncated for brevity.
-
-
-```json
-{
- "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#ExposureScore/$entity",
- "time": "2019-12-03T07:23:53.280499Z",
- "score": 33.491554051195706
-}
-
-```
-
-## Related topics
-- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
-- [Threat & Vulnerability exposure score](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score)
-
-
+---
+title: Get exposure score
+description: Retrieves the organizational exposure score.
+keywords: apis, graph api, supported apis, get, exposure score, organizational exposure score
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: levinec
+ms.author: ellevin
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Get exposure score
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
+**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+Retrieves the organizational exposure score.
+
+## Permissions
+
+One of the following permissions is required to call this API.
To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Score.Read.All | 'Read Threat and Vulnerability Management score'
+Delegated (work or school account) | Score.Read | 'Read Threat and Vulnerability Management score'
+
+## HTTP request
+
+```
+GET /api/exposureScore
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+## Request body
+
+Empty
+
+## Response
+
+If successful, this method returns 200 OK, with the exposure data in the response body.
+
+## Example
+
+### Request
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/exposureScore
+```
+
+### Response
+
+Here is an example of the response.
+
+>[!NOTE]
+>The response list shown here may be truncated for brevity.
+
+```json
+{
+ "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#ExposureScore/$entity",
+ "time": "2019-12-03T07:23:53.280499Z",
+ "score": 33.491554051195706
+}
+
+```
+
+## Related topics
+
+- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
+- [Threat & Vulnerability exposure score](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-file-information.md b/windows/security/threat-protection/microsoft-defender-atp/get-file-information.md
index db2c9f018f..db6f1f2f72 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-file-information.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-file-information.md
@@ -1,6 +1,6 @@ --- title: Get file information API -description: Retrieves a file by identifier Sha1, Sha256, or MD5. +description: Learn how to use the Get file information API to get a file by Sha1, Sha256, or MD5 identifier in Microsoft Defender Advanced Threat Protection. keywords: apis, graph api, supported apis, get, file, information, sha1, sha256, md5 search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -18,6 +18,9 @@ ms.topic: article # Get file information API +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-file-related-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-file-related-alerts.md index 5ea61a7554..7ccb81730f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-file-related-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-file-related-alerts.md @@ -1,6 +1,6 @@ --- title: Get file related alerts API -description: Retrieves a collection of alerts related to a given file hash. +description: Learn how to use the Get file related alerts API to get a collection of alerts related to a given file hash in Microsoft Defender Advanced Threat Protection. keywords: apis, graph api, supported apis, get, file, hash search.product: eADQiWindows 10XVcnh ms.prod: w10 
@@ -18,6 +18,9 @@ ms.topic: article # Get file related alerts API +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-file-related-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-file-related-machines.md index 480f952df9..09aef678f7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-file-related-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-file-related-machines.md @@ -1,6 +1,6 @@ --- title: Get file related machines API -description: Retrieves a collection of devices related to a given file hash. +description: Learn how to use the Get file related machines API to get a collection of machines related to a file hash in Microsoft Defender Advanced Threat Protection. keywords: apis, graph api, supported apis, get, devices, hash search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -18,6 +18,9 @@ ms.topic: article # Get file related machines API +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-file-statistics.md b/windows/security/threat-protection/microsoft-defender-atp/get-file-statistics.md index b6abc23c5f..9f480df6b7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-file-statistics.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-file-statistics.md @@ -1,6 +1,6 @@ --- title: Get file statistics API -description: Retrieves the prevalence for the given file. +description: Learn how to use the Get file statistics API to retrieve the statistics for the given file in Microsoft Defender Advanced Threat Protection. keywords: apis, graph api, supported apis, get, file, statistics search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -18,6 +18,9 @@ ms.topic: article # Get file statistics API +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-installed-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-installed-software.md index 2521e0a16b..79f263d9b0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-installed-software.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-installed-software.md 
@@ -1,89 +1,92 @@
----
-title: Get installed software
-description: Retrieves a collection of installed software related to a given device ID.
-keywords: apis, graph api, supported apis, get, list, file, information, software inventory, installed software per device, threat & vulnerability management api, mdatp tvm api
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Get installed software
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-Retrieves a collection of installed software related to a given device ID.
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application |Software.Read.All | 'Read Threat and Vulnerability Management Software information'
-Delegated (work or school account) | Software.Read | 'Read Threat and Vulnerability Management Software information'
-
-## HTTP request
-```
-GET /api/machines/{machineId}/software
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful, this method returns 200 OK with the installed software information in the body.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```
-GET https://api.securitycenter.windows.com/api/machines/ac233fa6208e1579620bf44207c4006ed7cc4501/software
-```
-
-**Response**
-
-Here is an example of the response.
-
-
-```
-{
-"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Software",
-"value": [
- {
-"id": "microsoft-_-internet_explorer",
-"name": "internet_explorer",
-"vendor": "microsoft",
-"weaknesses": 67,
-"publicExploit": true,
-"activeAlert": false,
-"exposedMachines": 42115,
-"impactScore": 46.2037163
- }
- ]
-}
-```
-
-## Related topics
-- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
-- [Threat & Vulnerability software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory)
+---
+title: Get installed software
+description: Retrieves a collection of installed software related to a given device ID.
+keywords: apis, graph api, supported apis, get, list, file, information, software inventory, installed software per device, threat & vulnerability management api, mdatp tvm api
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Get installed software
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+Retrieves a collection of installed software related to a given device ID.
+
+## Permissions
+One of the following permissions is required to call this API.
To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application |Software.Read.All | 'Read Threat and Vulnerability Management Software information'
+Delegated (work or school account) | Software.Read | 'Read Threat and Vulnerability Management Software information'
+
+## HTTP request
+```
+GET /api/machines/{machineId}/software
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200 OK with the installed software information in the body.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/machines/ac233fa6208e1579620bf44207c4006ed7cc4501/software
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+{
+"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Software",
+"value": [
+ {
+"id": "microsoft-_-internet_explorer",
+"name": "internet_explorer",
+"vendor": "microsoft",
+"weaknesses": 67,
+"publicExploit": true,
+"activeAlert": false,
+"exposedMachines": 42115,
+"impactScore": 46.2037163
+ }
+ ]
+}
+```
+
+## Related topics
+- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
+- [Threat & Vulnerability software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-investigation-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-investigation-collection.md
index 03fc53560f..676eba4bd3 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-investigation-collection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-investigation-collection.md @@ -18,6 +18,9 @@ ms.topic: article # List Investigations API +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-investigation-object.md b/windows/security/threat-protection/microsoft-defender-atp/get-investigation-object.md index 933c2cde60..99fd6a043d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-investigation-object.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-investigation-object.md @@ -18,6 +18,9 @@ ms.topic: article # Get Investigation API +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-alerts.md index a3093915d5..c8a2ab1f94 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-alerts.md 
@@ -18,6 +18,9 @@ ms.topic: article # Get IP related alerts API +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) @@ -76,4 +79,4 @@ Here is an example of the request. ``` GET https://api.securitycenter.windows.com/api/ips/10.209.67.177/alerts -``` \ No newline at end of file +``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md b/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md index 5d0c64e02c..ffd9485045 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md @@ -18,6 +18,9 @@ ms.topic: article # Get IP statistics API +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-kbinfo-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-kbinfo-collection.md index f922b6a35e..d41005cb74 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-kbinfo-collection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-kbinfo-collection.md 
@@ -20,6 +20,9 @@ ROBOTS: NOINDEX # Get KB collection API +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) @@ -78,4 +81,4 @@ Content-type: application/json }, … } -``` \ No newline at end of file +``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id.md index 91b44caf50..3cc89cd33b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id.md @@ -1,6 +1,6 @@ --- title: Get machine by ID API -description: Retrieves a device entity by ID. +description: Learn how to use the Get machine by ID API to retrieve a machine by its device ID or computer name in Microsoft Defender Advanced Threat Protection. keywords: apis, graph api, supported apis, get, devices, entity, id search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -18,6 +18,9 @@ ms.topic: article # Get machine by ID API +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machine-group-exposure-score.md b/windows/security/threat-protection/microsoft-defender-atp/get-machine-group-exposure-score.md index 10f886e0d1..92b5fae137 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machine-group-exposure-score.md 
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-machine-group-exposure-score.md @@ -7,8 +7,8 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.author: dolmont -author: DulceMontemayor +author: levinec +ms.author: ellevin ms.localizationpriority: medium manager: dansimp audience: ITPro @@ -16,7 +16,10 @@ ms.collection: M365-security-compliance ms.topic: article --- -# List exposure score by device group +# List exposure score by device group + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + **Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) @@ -27,6 +30,7 @@ ms.topic: article Retrieves a collection of alerts related to a given domain address. ## Permissions + One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) Permission type | Permission | Permission display name @@ -35,6 +39,7 @@ Application | Score.Read.All | 'Read Threat and Vulnerability Management score' Delegated (work or school account) | Score.Read | 'Read Threat and Vulnerability Management score' ## HTTP request + ``` GET /api/exposureScore/ByMachineGroups ``` @@ -46,15 +51,16 @@ GET /api/exposureScore/ByMachineGroups | Authorization | String | Bearer {token}.**Required**. ## Request body + Empty ## Response -If successful, this method returns 200 OK, with a list of exposure score per device group data in the response body. +If successful, this method returns 200 OK, with a list of exposure score per device group data in the response body. ## Example -**Request** +### Request Here is an example of the request. @@ -62,7 +68,7 @@ Here is an example of the request. GET https://api.securitycenter.windows.com/api/exposureScore/ByMachineGroups ``` -**Response** +### Response Here is an example of the response. 
@@ -87,5 +93,6 @@ Here is an example of the response. ``` ## Related topics + - [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt) - [Threat & Vulnerability exposure score](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score) diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md b/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md index fc56069b04..e673d96cf0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md @@ -1,6 +1,6 @@ --- title: Get machine log on users API -description: Retrieve a collection of logged on users on a specific device using Microsoft Defender ATP APIs. +description: Learn how to use the Get machine log on users API to retrieve a collection of logged on users on a device in Microsoft Defender Advanced Threat Protection. keywords: apis, graph api, supported apis, get, device, log on, users search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -18,6 +18,9 @@ ms.topic: article # Get machine log on users API +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machine-related-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-machine-related-alerts.md index e8fb105671..f47cdd76d2 100644 
--- a/windows/security/threat-protection/microsoft-defender-atp/get-machine-related-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machine-related-alerts.md @@ -1,6 +1,6 @@ --- title: Get machine related alerts API -description: Retrieves a collection of alerts related to a given device ID. +description: Learn how to use the Get machine related alerts API to retrieve all alerts related to a specific device in Microsoft Defender Advanced Threat Protection. keywords: apis, graph api, supported apis, get, devices, related, alerts search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -18,6 +18,9 @@ ms.topic: article # Get machine related alerts API +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machineaction-object.md b/windows/security/threat-protection/microsoft-defender-atp/get-machineaction-object.md index dbcaf5b6fb..b7a20c7b89 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machineaction-object.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machineaction-object.md @@ -1,6 +1,6 @@ --- title: Get MachineAction object API -description: Use this API to create calls related to get machineaction object +description: Learn how to use the Get MachineAction API to retrieve a specific Machine Action by its ID in Microsoft Defender Advanced Threat Protection. keywords: apis, graph api, supported apis, machineaction object search.product: eADQiWindows 10XVcnh ms.prod: w10 
@@ -18,6 +18,9 @@ ms.topic: article # Get machineAction API +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machineactions-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-machineactions-collection.md index 08f5fff7d0..5569002ec3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machineactions-collection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machineactions-collection.md @@ -1,6 +1,6 @@ --- title: List machineActions API -description: Use the Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) API to create calls related to get machineactions collection. +description: Learn how to use the List MachineActions API to retrieve a collection of Machine Actions in Microsoft Defender Advanced Threat Protection. keywords: apis, graph api, supported apis, machineaction collection search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -18,6 +18,9 @@ ms.topic: article # List MachineActions API +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machinegroups-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-machinegroups-collection.md index 8dca334083..ff88b78222 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machinegroups-collection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machinegroups-collection.md @@ -1,6 +1,6 @@ --- title: Get RBAC machine groups collection API -description: Retrieves a collection of RBAC device groups. +description: Learn how to use the Get KB collection API to retrieve a collection of RBAC device groups in Microsoft Defender Advanced Threat Protection. keywords: apis, graph api, supported apis, get, RBAC, group search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -20,6 +20,9 @@ ms.date: 10/07/2018 # Get KB collection API +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) @@ -78,4 +81,4 @@ Content-type: application/json "ungrouped":true}, … } -``` \ No newline at end of file +``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-software.md index ebf471edee..d3c3f50dca 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-software.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-software.md 
@@ -1,93 +1,96 @@
----
-title: List devices by software
-description: Retrieve a list of devices that has this software installed.
-keywords: apis, graph api, supported apis, get, list devices, devices list, list devices by software, mdatp tvm api
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# List devices by software
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-Retrieve a list of device references that has this software installed.
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Software.Read.All | 'Read Threat and Vulnerability Management Software information'
-Delegated (work or school account) | Software.Read | 'Read Threat and Vulnerability Management Software information'
-
-## HTTP request
-```
-GET /api/Software/{Id}/machineReferences
-```
-
-## Request headers
-
-| Name | Type | Description
-|:--------------|:-------|:--------------|
-| Authorization | String | Bearer {token}.**Required**.
-
-## Request body
-Empty
-
-## Response
-If successful, this method returns 200 OK and a list of devices with the software installed in the body.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```
-GET https://api.securitycenter.windows.com/api/Software/microsoft-_-edge/machineReferences
-```
-
-**Response**
-
-Here is an example of the response.
-
-```json
-
-{
- "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#MachineReferences",
- "value": [
- {
- "id": "7c7e1896fa39efb0a32a2cf421d837af1b9bf762",
- "computerDnsName": "dave_desktop",
- "osPlatform": "Windows10",
- "rbacGroupName": "GroupTwo"
- },
- {
- "id": "7d5cc2e7c305e4a0a290392abf6707f9888fda0d",
- "computerDnsName": "jane_PC",
- "osPlatform": "Windows10",
- "rbacGroupName": "GroupTwo"
- }
- ...
- ]
-}
-```
-
-## Related topics
-- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
-- [Threat & Vulnerability software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory)
+---
+title: List devices by software
+description: Retrieve a list of devices that has this software installed.
+keywords: apis, graph api, supported apis, get, list devices, devices list, list devices by software, mdatp tvm api
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# List devices by software
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+Retrieve a list of device references that has this software installed.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Software.Read.All | 'Read Threat and Vulnerability Management Software information'
+Delegated (work or school account) | Software.Read | 'Read Threat and Vulnerability Management Software information'
+
+## HTTP request
+```
+GET /api/Software/{Id}/machineReferences
+```
+
+## Request headers
+
+| Name | Type | Description
+|:--------------|:-------|:--------------|
+| Authorization | String | Bearer {token}.**Required**.
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200 OK and a list of devices with the software installed in the body.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/Software/microsoft-_-edge/machineReferences
+```
+
+**Response**
+
+Here is an example of the response.
+
+```json
+
+{
+ "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#MachineReferences",
+ "value": [
+ {
+ "id": "7c7e1896fa39efb0a32a2cf421d837af1b9bf762",
+ "computerDnsName": "dave_desktop",
+ "osPlatform": "Windows10",
+ "rbacGroupName": "GroupTwo"
+ },
+ {
+ "id": "7d5cc2e7c305e4a0a290392abf6707f9888fda0d",
+ "computerDnsName": "jane_PC",
+ "osPlatform": "Windows10",
+ "rbacGroupName": "GroupTwo"
+ }
+ ...
+ ]
+}
+```
+
+## Related topics
+- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
+- [Threat & Vulnerability software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-vulnerability.md b/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-vulnerability.md
index fddc82d5dd..02ea057f59 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-vulnerability.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-vulnerability.md
@@ -1,92 +1,95 @@
----
-title: List devices by vulnerability
-description: Retrieves a list of devices affected by a vulnerability.
-keywords: apis, graph api, supported apis, get, devices list, vulnerable devices, mdatp tvm api
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# List devices by vulnerability
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-Retrieves a list of devices affected by a vulnerability.
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application |Vulnerability.Read.All | 'Read Threat and Vulnerability Management vulnerability information'
-Delegated (work or school account) | Vulnerability.Read | 'Read Threat and Vulnerability Management vulnerability information'
-
-## HTTP request
-```
-GET /api/vulnerabilities/{cveId}/machineReferences
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful, this method returns 200 OK with the vulnerability information in the body.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```
-GET https://api.securitycenter.windows.com/api/vulnerabilities/CVE-2019-0608/machineReferences
-```
-
-**Response**
-
-Here is an example of the response.
-
-
-```json
-{
- "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineReferences",
- "value": [
- {
- "id": "235a2e6278c63fcf85bab9c370396972c58843de",
- "computerDnsName": "h1mkn_PC",
- "osPlatform": "Windows10",
- "rbacGroupName": "GroupTwo"
- },
- {
- "id": "afb3f807d1a185ac66668f493af028385bfca184",
- "computerDnsName": "chat_Desk ",
- "osPlatform": "Windows10",
- "rbacGroupName": "GroupTwo"
- }
- ...
- ]
- }
-```
-
-## Related topics
-- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
-- [Vulnerabilities in your organization](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses)
+---
+title: List devices by vulnerability
+description: Retrieves a list of devices affected by a vulnerability.
+keywords: apis, graph api, supported apis, get, devices list, vulnerable devices, mdatp tvm api
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# List devices by vulnerability
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+Retrieves a list of devices affected by a vulnerability.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application |Vulnerability.Read.All | 'Read Threat and Vulnerability Management vulnerability information'
+Delegated (work or school account) | Vulnerability.Read | 'Read Threat and Vulnerability Management vulnerability information'
+
+## HTTP request
+```
+GET /api/vulnerabilities/{cveId}/machineReferences
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200 OK with the vulnerability information in the body.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/vulnerabilities/CVE-2019-0608/machineReferences
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineReferences",
+ "value": [
+ {
+ "id": "235a2e6278c63fcf85bab9c370396972c58843de",
+ "computerDnsName": "h1mkn_PC",
+ "osPlatform": "Windows10",
+ "rbacGroupName": "GroupTwo"
+ },
+ {
+ "id": "afb3f807d1a185ac66668f493af028385bfca184",
+ "computerDnsName": "chat_Desk ",
+ "osPlatform": "Windows10",
+ "rbacGroupName": "GroupTwo"
+ }
+ ...
+ ]
+ }
+```
+
+## Related topics
+- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
+- [Vulnerabilities in your organization](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-machines.md
index 93303b75fa..6f6c6177e9 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-machines.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-machines.md @@ -1,6 +1,6 @@ --- title: List machines API -description: Retrieves a collection of recently seen devices. +description: Learn how to use the List machines API to retrieve a collection of machines that have communicated with Microsoft Defender ATP cloud. keywords: apis, graph api, supported apis, get, devices search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -18,6 +18,9 @@ ms.topic: article # List machines API +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machinesecuritystates-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-machinesecuritystates-collection.md index 5fed8ccf11..0da42db679 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machinesecuritystates-collection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machinesecuritystates-collection.md @@ -1,6 +1,6 @@ --- title: Get machines security states collection API -description: Retrieve a collection of device security states using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP. +description: Retrieve a collection of device security states using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP). keywords: apis, graph api, supported apis, get, device, security, state search.product: eADQiWindows 10XVcnh search.appverid: met150 
@@ -19,6 +19,9 @@ ms.topic: article # Get Machines security states collection API +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) @@ -84,4 +87,4 @@ Content-type: application/json … ] } -``` \ No newline at end of file +``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-machine.md b/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-machine.md index 3b41ca66ef..510c7516c2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-machine.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-machine.md @@ -1,6 +1,6 @@ --- title: Get missing KBs by device ID -description: Retrieves missing KBs by device Id +description: Retrieves missing security updates by device ID keywords: apis, graph api, supported apis, get, list, file, information, device id, threat & vulnerability management api, mdatp tvm api search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -18,11 +18,14 @@ ms.topic: article # Get missing KBs by device ID +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) -Retrieves missing KBs by device Id +Retrieves missing KBs (security updates) by device ID ## HTTP request diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-software.md index e91d137857..6b6bf2db5f 100644 
--- a/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-software.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-software.md @@ -1,6 +1,6 @@ --- title: Get missing KBs by software ID -description: Retrieves missing KBs by software ID +description: Retrieves missing security updates by software ID keywords: apis, graph api, supported apis, get, list, file, information, software id, threat & vulnerability management api, mdatp tvm api search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -18,11 +18,14 @@ ms.topic: article # Get missing KBs by software ID +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) -Retrieves missing KBs by software ID +Retrieves missing KBs (security updates) by software ID ## Permissions diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-package-sas-uri.md b/windows/security/threat-protection/microsoft-defender-atp/get-package-sas-uri.md index 3ecec47c0d..a43102c733 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-package-sas-uri.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-package-sas-uri.md 
@@ -18,6 +18,9 @@ ms.topic: article # Get package SAS URI API +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-by-id.md index 9254f80562..b7bc3ab58f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-by-id.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-by-id.md 
@@ -1,96 +1,99 @@ ---- -title: Get recommendation by Id -description: Retrieves a security recommendation by its ID. -keywords: apis, graph api, supported apis, get, security recommendation, security recommendation by ID, threat and vulnerability management, threat and vulnerability management api -search.product: eADQiWindows 10XVcnh -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: dolmont -author: DulceMontemayor -ms.localizationpriority: medium -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: article ---- - -# Get recommendation by ID -**Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - -[!include[Prerelease information](../../includes/prerelease.md)] - -Retrieves a security recommendation by its ID. - -## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details. - -Permission type | Permission | Permission display name -:---|:---|:--- -Application | SecurityRecommendation.Read.All | 'Read Threat and Vulnerability Management security recommendation information' -Delegated (work or school account) | SecurityRecommendation.Read | 'Read Threat and Vulnerability Management security recommendation information' - -## HTTP request -``` -GET /api/recommendations/{id} -``` - -## Request headers - -Name | Type | Description -:---|:---|:--- -Authorization | String | Bearer {token}. **Required**. - - -## Request body -Empty - -## Response -If successful, this method returns 200 OK with the security recommendations in the body. - - -## Example - -**Request** - -Here is an example of the request. - -``` -GET https://api.securitycenter.windows.com/api/recommendations/va-_-google-_-chrome -``` - -**Response** - -Here is an example of the response. 
- -```json -{ - "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Recommendations/$entity", - "id": "va-_-google-_-chrome", - "productName": "chrome", - "recommendationName": "Update Chrome", - "weaknesses": 38, - "vendor": "google", - "recommendedVersion": "", - "recommendationCategory": "Application", - "subCategory": "", - "severityScore": 0, - "publicExploit": false, - "activeAlert": false, - "associatedThreats": [], - "remediationType": "Update", - "status": "Active", - "configScoreImpact": 0, - "exposureImpact": 3.9441860465116285, - "totalMachineCount": 6, - "exposedMachinesCount": 5, - "nonProductivityImpactedAssets": 0, - "relatedComponent": "Chrome" -} -``` - -## Related topics -- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt) -- [Threat & Vulnerability security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation) +--- +title: Get recommendation by Id +description: Retrieves a security recommendation by its ID. 
+keywords: apis, graph api, supported apis, get, security recommendation, security recommendation by ID, threat and vulnerability management, threat and vulnerability management api +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: dolmont +author: DulceMontemayor +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +--- + +# Get recommendation by ID + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + +**Applies to:** +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +[!include[Prerelease information](../../includes/prerelease.md)] + +Retrieves a security recommendation by its ID. + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details. + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | SecurityRecommendation.Read.All | 'Read Threat and Vulnerability Management security recommendation information' +Delegated (work or school account) | SecurityRecommendation.Read | 'Read Threat and Vulnerability Management security recommendation information' + +## HTTP request +``` +GET /api/recommendations/{id} +``` + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. + + +## Request body +Empty + +## Response +If successful, this method returns 200 OK with the security recommendations in the body. + + +## Example + +**Request** + +Here is an example of the request. + +``` +GET https://api.securitycenter.windows.com/api/recommendations/va-_-google-_-chrome +``` + +**Response** + +Here is an example of the response. 
+ +```json +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Recommendations/$entity", + "id": "va-_-google-_-chrome", + "productName": "chrome", + "recommendationName": "Update Chrome", + "weaknesses": 38, + "vendor": "google", + "recommendedVersion": "", + "recommendationCategory": "Application", + "subCategory": "", + "severityScore": 0, + "publicExploit": false, + "activeAlert": false, + "associatedThreats": [], + "remediationType": "Update", + "status": "Active", + "configScoreImpact": 0, + "exposureImpact": 3.9441860465116285, + "totalMachineCount": 6, + "exposedMachinesCount": 5, + "nonProductivityImpactedAssets": 0, + "relatedComponent": "Chrome" +} +``` + +## Related topics +- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt) +- [Threat & Vulnerability security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation) diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-machines.md index 9c2965fd9c..2bdfb4a6e4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-machines.md 
@@ -1,85 +1,88 @@ ---- -title: List devices by recommendation -description: Retrieves a list of devices associated with the security recommendation. -keywords: apis, graph api, supported apis, get, security recommendation for vulnerable devices, threat and vulnerability management, threat and vulnerability management api -search.product: eADQiWindows 10XVcnh -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: dolmont -author: DulceMontemayor -ms.localizationpriority: medium -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: article ---- - -# List devices by recommendation -**Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - -[!include[Prerelease information](../../includes/prerelease.md)] - -Retrieves a list of devices associated with the security recommendation. - -## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details. - -Permission type | Permission | Permission display name -:---|:---|:--- -Application | SecurityRecommendation.Read.All | 'Read Threat and Vulnerability Management security recommendation information' -Delegated (work or school account) | SecurityRecommendation.Read | 'Read Threat and Vulnerability Management security recommendation information' - -## HTTP request -``` -GET /api/recommendations/{id}/machineReferences -``` - -## Request headers - -Name | Type | Description -:---|:---|:--- -Authorization | String | Bearer {token}. **Required**. - - -## Request body -Empty - -## Response -If successful, this method returns 200 OK with the list of devices associated with the security recommendation. - - -## Example - -**Request** - -Here is an example of the request. 
- -``` -GET https://api.securitycenter.windows.com/api/recommendations/va-_-google-_-chrome/machineReferences -``` - -**Response** - -Here is an example of the response. - -```json -{ - "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineReferences", - "value": [ - { - "id": "e058770379bc199a9c179ce52a23e16fd44fd2ee", - "computerDnsName": "niw_pc", - "osPlatform": "Windows10", - "rbacGroupName": "GroupTwo" - } - ... - ] -} -``` - -## Related topics -- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt) -- [Threat & Vulnerability security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation) +--- +title: List devices by recommendation +description: Retrieves a list of devices associated with the security recommendation. +keywords: apis, graph api, supported apis, get, security recommendation for vulnerable devices, threat and vulnerability management, threat and vulnerability management api +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: dolmont +author: DulceMontemayor +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +--- + +# List devices by recommendation + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + +**Applies to:** +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +[!include[Prerelease information](../../includes/prerelease.md)] + +Retrieves a list of devices associated with the security recommendation. + +## Permissions +One of the following permissions is required to call this API. 
To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details. + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | SecurityRecommendation.Read.All | 'Read Threat and Vulnerability Management security recommendation information' +Delegated (work or school account) | SecurityRecommendation.Read | 'Read Threat and Vulnerability Management security recommendation information' + +## HTTP request +``` +GET /api/recommendations/{id}/machineReferences +``` + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. + + +## Request body +Empty + +## Response +If successful, this method returns 200 OK with the list of devices associated with the security recommendation. + + +## Example + +**Request** + +Here is an example of the request. + +``` +GET https://api.securitycenter.windows.com/api/recommendations/va-_-google-_-chrome/machineReferences +``` + +**Response** + +Here is an example of the response. + +```json +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineReferences", + "value": [ + { + "id": "e058770379bc199a9c179ce52a23e16fd44fd2ee", + "computerDnsName": "niw_pc", + "osPlatform": "Windows10", + "rbacGroupName": "GroupTwo" + } + ... + ] +} +``` + +## Related topics +- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt) +- [Threat & Vulnerability security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation) diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-software.md index d4e5a895ef..449bb2bd1d 100644 
--- a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-software.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-software.md 
@@ -1,84 +1,87 @@ ---- -title: Get recommendation by software -description: Retrieves a security recommendation related to a specific software. -keywords: apis, graph api, supported apis, get, security recommendation, security recommendation for software, threat and vulnerability management, threat and vulnerability management api -search.product: eADQiWindows 10XVcnh -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: dolmont -author: DulceMontemayor -ms.localizationpriority: medium -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: article ---- - -# Get recommendation by software -**Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - -[!include[Prerelease information](../../includes/prerelease.md)] - -Retrieves a security recommendation related to a specific software. - -## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details. - -Permission type | Permission | Permission display name -:---|:---|:--- -Application | SecurityRecommendation.Read.All | 'Read Threat and Vulnerability Management security recommendation information' -Delegated (work or school account) | SecurityRecommendation.Read | 'Read Threat and Vulnerability Management security recommendation information' - -## HTTP request -``` -GET /api/recommendations/{id}/software -``` - -## Request headers - -Name | Type | Description -:---|:---|:--- -Authorization | String | Bearer {token}. **Required**. - - -## Request body -Empty - -## Response -If successful, this method returns 200 OK with the software associated with the security recommendations in the body. - - -## Example - -**Request** - -Here is an example of the request. 
- -``` -GET https://api.securitycenter.windows.com/api/recommendations/va-_-google-_-chrome/software -``` - -**Response** - -Here is an example of the response. - -```json -{ - "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Analytics.Contracts.PublicAPI.PublicProductDto", - "id": "google-_-chrome", - "name": "chrome", - "vendor": "google", - "weaknesses": 38, - "publicExploit": false, - "activeAlert": false, - "exposedMachines": 5, - "impactScore": 3.94418621 -} -``` - -## Related topics -- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt) -- [Threat & Vulnerability security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation) +--- +title: Get recommendation by software +description: Retrieves a security recommendation related to a specific software. +keywords: apis, graph api, supported apis, get, security recommendation, security recommendation for software, threat and vulnerability management, threat and vulnerability management api +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: dolmont +author: DulceMontemayor +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +--- + +# Get recommendation by software + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + +**Applies to:** +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +[!include[Prerelease information](../../includes/prerelease.md)] + +Retrieves a security recommendation related to a specific software. + +## Permissions +One of the following permissions is required to call this API. 
To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details. + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | SecurityRecommendation.Read.All | 'Read Threat and Vulnerability Management security recommendation information' +Delegated (work or school account) | SecurityRecommendation.Read | 'Read Threat and Vulnerability Management security recommendation information' + +## HTTP request +``` +GET /api/recommendations/{id}/software +``` + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. + + +## Request body +Empty + +## Response +If successful, this method returns 200 OK with the software associated with the security recommendations in the body. + + +## Example + +**Request** + +Here is an example of the request. + +``` +GET https://api.securitycenter.windows.com/api/recommendations/va-_-google-_-chrome/software +``` + +**Response** + +Here is an example of the response. + +```json +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Analytics.Contracts.PublicAPI.PublicProductDto", + "id": "google-_-chrome", + "name": "chrome", + "vendor": "google", + "weaknesses": 38, + "publicExploit": false, + "activeAlert": false, + "exposedMachines": 5, + "impactScore": 3.94418621 +} +``` + +## Related topics +- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt) +- [Threat & Vulnerability security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation) diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-vulnerabilities.md b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-vulnerabilities.md index e7e5725b8a..156cef803c 100644 
--- a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-vulnerabilities.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-vulnerabilities.md 
@@ -1,94 +1,97 @@ ---- -title: List vulnerabilities by recommendation -description: Retrieves a list of vulnerabilities associated with the security recommendation. -keywords: apis, graph api, supported apis, get, list of vulnerabilities, security recommendation, security recommendation for vulnerabilities, threat and vulnerability management, threat and vulnerability management api -search.product: eADQiWindows 10XVcnh -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: dolmont -author: DulceMontemayor -ms.localizationpriority: medium -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: article ---- - -# List vulnerabilities by recommendation -**Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - -[!include[Prerelease information](../../includes/prerelease.md)] - -Retrieves a list of vulnerabilities associated with the security recommendation. - -## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details. - -Permission type | Permission | Permission display name -:---|:---|:--- -Application | SecurityRecommendation.Read.All | 'Read Threat and Vulnerability Management security recommendation information' -Delegated (work or school account) | SecurityRecommendation.Read | 'Read Threat and Vulnerability Management security recommendation information' - -## HTTP request -``` -GET /api/recommendations/{id}/vulnerabilities -``` - -## Request headers - -Name | Type | Description -:---|:---|:--- -Authorization | String | Bearer {token}. **Required**. - - -## Request body -Empty - -## Response -If successful, this method returns 200 OK, with the list of vulnerabilities associated with the security recommendation. 
- - -## Example - -**Request** - -Here is an example of the request. - -``` -GET https://api.securitycenter.windows.com/api/recommendations/va-_-google-_-chrome/vulnerabilities -``` - -**Response** - -Here is an example of the response. - -```json -{ - "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Collection(Analytics.Contracts.PublicAPI.PublicVulnerabilityDto)", - "value": [ - { - "id": "CVE-2019-13748", - "name": "CVE-2019-13748", - "description": "Insufficient policy enforcement in developer tools in Google Chrome prior to 79.0.3945.79 allowed a local attacker to obtain potentially sensitive information from process memory via a crafted HTML page.", - "severity": "Medium", - "cvssV3": 6.5, - "exposedMachines": 0, - "publishedOn": "2019-12-10T00:00:00Z", - "updatedOn": "2019-12-16T12:15:00Z", - "publicExploit": false, - "exploitVerified": false, - "exploitInKit": false, - "exploitTypes": [], - "exploitUris": [] - } - ... - ] -} -``` - -## Related topics -- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt) -- [Threat & Vulnerability security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation) +--- +title: List vulnerabilities by recommendation +description: Retrieves a list of vulnerabilities associated with the security recommendation. 
+keywords: apis, graph api, supported apis, get, list of vulnerabilities, security recommendation, security recommendation for vulnerabilities, threat and vulnerability management, threat and vulnerability management api +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: dolmont +author: DulceMontemayor +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +--- + +# List vulnerabilities by recommendation + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + +**Applies to:** +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +[!include[Prerelease information](../../includes/prerelease.md)] + +Retrieves a list of vulnerabilities associated with the security recommendation. + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details. + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | SecurityRecommendation.Read.All | 'Read Threat and Vulnerability Management security recommendation information' +Delegated (work or school account) | SecurityRecommendation.Read | 'Read Threat and Vulnerability Management security recommendation information' + +## HTTP request +``` +GET /api/recommendations/{id}/vulnerabilities +``` + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. + + +## Request body +Empty + +## Response +If successful, this method returns 200 OK, with the list of vulnerabilities associated with the security recommendation. + + +## Example + +**Request** + +Here is an example of the request. 
+ +``` +GET https://api.securitycenter.windows.com/api/recommendations/va-_-google-_-chrome/vulnerabilities +``` + +**Response** + +Here is an example of the response. + +```json +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Collection(Analytics.Contracts.PublicAPI.PublicVulnerabilityDto)", + "value": [ + { + "id": "CVE-2019-13748", + "name": "CVE-2019-13748", + "description": "Insufficient policy enforcement in developer tools in Google Chrome prior to 79.0.3945.79 allowed a local attacker to obtain potentially sensitive information from process memory via a crafted HTML page.", + "severity": "Medium", + "cvssV3": 6.5, + "exposedMachines": 0, + "publishedOn": "2019-12-10T00:00:00Z", + "updatedOn": "2019-12-16T12:15:00Z", + "publicExploit": false, + "exploitVerified": false, + "exploitInKit": false, + "exploitTypes": [], + "exploitUris": [] + } + ... + ] +} +``` + +## Related topics +- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt) +- [Threat & Vulnerability security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation) diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-security-recommendations.md b/windows/security/threat-protection/microsoft-defender-atp/get-security-recommendations.md index 67e29e0532..dffd2a0613 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-security-recommendations.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-security-recommendations.md 
@@ -1,101 +1,104 @@ ---- -title: Get security recommendations -description: Retrieves a collection of security recommendations related to a given device ID. -keywords: apis, graph api, supported apis, get, list, file, information, security recommendation per device, threat & vulnerability management api, mdatp tvm api -search.product: eADQiWindows 10XVcnh -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: dolmont -author: DulceMontemayor -ms.localizationpriority: medium -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: article ---- - -# Get security recommendations -**Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - -[!include[Prerelease information](../../includes/prerelease.md)] - -Retrieves a collection of security recommendations related to a given device ID. - -## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) - -Permission type | Permission | Permission display name -:---|:---|:--- -Application | SecurityRecommendation.Read.All | 'Read Threat and Vulnerability Management security recommendation information' -Delegated (work or school account) | SecurityRecommendation.Read | 'Read Threat and Vulnerability Management security recommendation information' - -## HTTP request -``` -GET /api/machines/{machineId}/recommendations -``` - -## Request headers - -Name | Type | Description -:---|:---|:--- -Authorization | String | Bearer {token}. **Required**. - - -## Request body -Empty - -## Response -If successful, this method returns 200 OK with the security recommendations in the body. - - -## Example - -**Request** - -Here is an example of the request. 
- -``` -GET https://api.securitycenter.windows.com/api/machines/ac233fa6208e1579620bf44207c4006ed7cc4501/recommendations -``` - -**Response** - -Here is an example of the response. - - -``` -{ - "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Recommendations", - "value": [ - { - "id": "va-_-git-scm-_-git", - "productName": "git", - "recommendationName": "Update Git to version 2.24.1.2", - "weaknesses": 3, - "vendor": "git-scm", - "recommendedVersion": "2.24.1.2", - "recommendationCategory": "Application", - "subCategory": "", - "severityScore": 0, - "publicExploit": false, - "activeAlert": false, - "associatedThreats": [], - "remediationType": "Update", - "status": "Active", - "configScoreImpact": 0, - "exposureImpact": 0, - "totalMachineCount": 0, - "exposedMachinesCount": 1, - "nonProductivityImpactedAssets": 0, - "relatedComponent": "Git" - }, -… -} -``` - -## Related topics -- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt) -- [Threat & Vulnerability security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation) +--- +title: Get security recommendations +description: Retrieves a collection of security recommendations related to a given device ID. 
+keywords: apis, graph api, supported apis, get, list, file, information, security recommendation per device, threat & vulnerability management api, mdatp tvm api +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: dolmont +author: DulceMontemayor +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +--- + +# Get security recommendations + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + +**Applies to:** +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +[!include[Prerelease information](../../includes/prerelease.md)] + +Retrieves a collection of security recommendations related to a given device ID. + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | SecurityRecommendation.Read.All | 'Read Threat and Vulnerability Management security recommendation information' +Delegated (work or school account) | SecurityRecommendation.Read | 'Read Threat and Vulnerability Management security recommendation information' + +## HTTP request +``` +GET /api/machines/{machineId}/recommendations +``` + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. + + +## Request body +Empty + +## Response +If successful, this method returns 200 OK with the security recommendations in the body. + + +## Example + +**Request** + +Here is an example of the request. + +``` +GET https://api.securitycenter.windows.com/api/machines/ac233fa6208e1579620bf44207c4006ed7cc4501/recommendations +``` + +**Response** + +Here is an example of the response. 
+ + +``` +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Recommendations", + "value": [ + { + "id": "va-_-git-scm-_-git", + "productName": "git", + "recommendationName": "Update Git to version 2.24.1.2", + "weaknesses": 3, + "vendor": "git-scm", + "recommendedVersion": "2.24.1.2", + "recommendationCategory": "Application", + "subCategory": "", + "severityScore": 0, + "publicExploit": false, + "activeAlert": false, + "associatedThreats": [], + "remediationType": "Update", + "status": "Active", + "configScoreImpact": 0, + "exposureImpact": 0, + "totalMachineCount": 0, + "exposedMachinesCount": 1, + "nonProductivityImpactedAssets": 0, + "relatedComponent": "Git" + }, +… +} +``` + +## Related topics +- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt) +- [Threat & Vulnerability security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation) diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-software-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/get-software-by-id.md index 2276c784bf..0074439db0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-software-by-id.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-software-by-id.md 
@@ -1,86 +1,89 @@ ---- -title: Get software by Id -description: Retrieves a list of exposure scores by device group. -keywords: apis, graph api, supported apis, get, software, mdatp tvm api -search.product: eADQiWindows 10XVcnh -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: dolmont -author: DulceMontemayor -ms.localizationpriority: medium -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: article ---- - -# Get software by Id - -**Applies to:** - -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - -[!include[Prerelease information](../../includes/prerelease.md)] - -Retrieves software details by ID. - -## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details. - -Permission type | Permission | Permission display name -:---|:---|:--- -Application | Software.Read.All | 'Read Threat and Vulnerability Management Software information' -Delegated (work or school account) | Software.Read | 'Read Threat and Vulnerability Management Software information' - -## HTTP request -``` -GET /api/Software/{Id} -``` - -## Request headers - -| Name | Type | Description -|:--------------|:-------|:--------------| -| Authorization | String | Bearer {token}.**Required**. - -## Request body -Empty - -## Response -If successful, this method returns 200 OK with the specified software data in the body. - - -## Example - -**Request** - -Here is an example of the request. - -``` -GET https://api.securitycenter.windows.com/api/Software/microsoft-_-edge -``` - -**Response** - -Here is an example of the response. 
- -```json - -{ - "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Software/$entity", - "id": "microsoft-_-edge", - "name": "edge", - "vendor": "microsoft", - "weaknesses": 467, - "publicExploit": true, - "activeAlert": false, - "exposedMachines": 172, - "impactScore": 2.39947438 -} -``` - -## Related topics -- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt) -- [Threat & Vulnerability software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory) +--- +title: Get software by Id +description: Retrieves a list of exposure scores by device group. +keywords: apis, graph api, supported apis, get, software, mdatp tvm api +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: dolmont +author: DulceMontemayor +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +--- + +# Get software by Id + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +[!include[Prerelease information](../../includes/prerelease.md)] + +Retrieves software details by ID. + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details. 
+ +Permission type | Permission | Permission display name +:---|:---|:--- +Application | Software.Read.All | 'Read Threat and Vulnerability Management Software information' +Delegated (work or school account) | Software.Read | 'Read Threat and Vulnerability Management Software information' + +## HTTP request +``` +GET /api/Software/{Id} +``` + +## Request headers + +| Name | Type | Description +|:--------------|:-------|:--------------| +| Authorization | String | Bearer {token}.**Required**. + +## Request body +Empty + +## Response +If successful, this method returns 200 OK with the specified software data in the body. + + +## Example + +**Request** + +Here is an example of the request. + +``` +GET https://api.securitycenter.windows.com/api/Software/microsoft-_-edge +``` + +**Response** + +Here is an example of the response. + +```json + +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Software/$entity", + "id": "microsoft-_-edge", + "name": "edge", + "vendor": "microsoft", + "weaknesses": 467, + "publicExploit": true, + "activeAlert": false, + "exposedMachines": 172, + "impactScore": 2.39947438 +} +``` + +## Related topics +- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt) +- [Threat & Vulnerability software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory) diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-software-ver-distribution.md b/windows/security/threat-protection/microsoft-defender-atp/get-software-ver-distribution.md index 159f48e08e..e9b64f2ad1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-software-ver-distribution.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-software-ver-distribution.md 
@@ -1,91 +1,94 @@ ---- -title: List software version distribution -description: Retrieves a list of your organization's software version distribution -keywords: apis, graph api, supported apis, get, software version distribution, mdatp tvm api -search.product: eADQiWindows 10XVcnh -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: dolmont -author: DulceMontemayor -ms.localizationpriority: medium -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: article ---- - -# List software version distribution - -**Applies to:** - -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - -[!include[Prerelease information](../../includes/prerelease.md)] - -Retrieves a list of your organization's software version distribution. - -## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details. - -Permission type | Permission | Permission display name -:---|:---|:--- -Application | Software.Read.All | 'Read Threat and Vulnerability Management Software information' -Delegated (work or school account) | Software.Read | 'Read Threat and Vulnerability Management Software information' - -## HTTP request -``` -GET /api/Software/{Id}/distributions -``` - -## Request headers - -| Name | Type | Description -|:--------------|:-------|:--------------| -| Authorization | String | Bearer {token}.**Required**. - -## Request body -Empty - -## Response -If successful, this method returns 200 OK with a list of software distributions data in the body. - - -## Example - -**Request** - -Here is an example of the request. - -``` -GET https://api.securitycenter.windows.com/api/Software/microsoft-_-edge/distributions -``` - -**Response** - -Here is an example of the response. 
- -```json - -{ - "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#Distributions", - "value": [ - { - "version": "11.0.17134.1039", - "installations": 1, - "vulnerabilities": 11 - }, - { - "version": "11.0.18363.535", - "installations": 750, - "vulnerabilities": 0 - } - ... - ] -} -``` - -## Related topics -- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt) -- [Threat & Vulnerability software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory) +--- +title: List software version distribution +description: Retrieves a list of your organization's software version distribution +keywords: apis, graph api, supported apis, get, software version distribution, mdatp tvm api +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: dolmont +author: DulceMontemayor +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +--- + +# List software version distribution + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +[!include[Prerelease information](../../includes/prerelease.md)] + +Retrieves a list of your organization's software version distribution. + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details. 
+ +Permission type | Permission | Permission display name +:---|:---|:--- +Application | Software.Read.All | 'Read Threat and Vulnerability Management Software information' +Delegated (work or school account) | Software.Read | 'Read Threat and Vulnerability Management Software information' + +## HTTP request +``` +GET /api/Software/{Id}/distributions +``` + +## Request headers + +| Name | Type | Description +|:--------------|:-------|:--------------| +| Authorization | String | Bearer {token}.**Required**. + +## Request body +Empty + +## Response +If successful, this method returns 200 OK with a list of software distributions data in the body. + + +## Example + +**Request** + +Here is an example of the request. + +``` +GET https://api.securitycenter.windows.com/api/Software/microsoft-_-edge/distributions +``` + +**Response** + +Here is an example of the response. + +```json + +{ + "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#Distributions", + "value": [ + { + "version": "11.0.17134.1039", + "installations": 1, + "vulnerabilities": 11 + }, + { + "version": "11.0.18363.535", + "installations": 750, + "vulnerabilities": 0 + } + ... + ] +} +``` + +## Related topics +- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt) +- [Threat & Vulnerability software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory) diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-software.md index 883c240d11..e205e5f5b7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-software.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-software.md 
@@ -1,90 +1,93 @@ ---- -title: List software -description: Retrieves a list of software inventory -keywords: apis, graph api, supported apis, get, list, file, information, software inventory, threat & vulnerability management api, mdatp tvm api -search.product: eADQiWindows 10XVcnh -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: dolmont -author: DulceMontemayor -ms.localizationpriority: medium -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: article ---- - -# List software inventory API - -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - -- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) - -Retrieves the organization software inventory. - -## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details. - -Permission type | Permission | Permission display name -:---|:---|:--- -Application |Software.Read.All | 'Read Threat and Vulnerability Management Software information' -Delegated (work or school account) | Software.Read | 'Read Threat and Vulnerability Management Software information' - -## HTTP request -``` -GET /api/Software -``` - -## Request headers - -Name | Type | Description -:---|:---|:--- -Authorization | String | Bearer {token}. **Required**. - - -## Request body -Empty - -## Response -If successful, this method returns 200 OK with the software inventory in the body. - - -## Example - -**Request** - -Here is an example of the request. - -``` -GET https://api.securitycenter.windows.com/api/Software -``` - -**Response** - -Here is an example of the response. 
- - -```json -{ - "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#Software", - "value": [ - { - "id": "microsoft-_-edge", - "name": "edge", - "vendor": "microsoft", - "weaknesses": 467, - "publicExploit": true, - "activeAlert": false, - "exposedMachines": 172, - "impactScore": 2.39947438 - } - ... - ] -} -``` - -## Related topics -- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt) -- [Threat & Vulnerability software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory) +--- +title: List software +description: Retrieves a list of software inventory +keywords: apis, graph api, supported apis, get, list, file, information, software inventory, threat & vulnerability management api, mdatp tvm api +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: dolmont +author: DulceMontemayor +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +--- + +# List software inventory API + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + +**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +Retrieves the organization software inventory. + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details. 
+ +Permission type | Permission | Permission display name +:---|:---|:--- +Application |Software.Read.All | 'Read Threat and Vulnerability Management Software information' +Delegated (work or school account) | Software.Read | 'Read Threat and Vulnerability Management Software information' + +## HTTP request +``` +GET /api/Software +``` + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. + + +## Request body +Empty + +## Response +If successful, this method returns 200 OK with the software inventory in the body. + + +## Example + +**Request** + +Here is an example of the request. + +``` +GET https://api.securitycenter.windows.com/api/Software +``` + +**Response** + +Here is an example of the response. + + +```json +{ + "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#Software", + "value": [ + { + "id": "microsoft-_-edge", + "name": "edge", + "vendor": "microsoft", + "weaknesses": 467, + "publicExploit": true, + "activeAlert": false, + "exposedMachines": 172, + "impactScore": 2.39947438 + } + ... + ] +} +``` + +## Related topics +- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt) +- [Threat & Vulnerability software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory) diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-started-partner-integration.md b/windows/security/threat-protection/microsoft-defender-atp/get-started-partner-integration.md index 04eec16b78..0b87266339 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-started-partner-integration.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-started-partner-integration.md 
@@ -20,6 +20,9 @@ ms.topic: conceptual # Become a Microsoft Defender ATP partner +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) @@ -29,7 +32,7 @@ To become a Microsoft Defender ATP solution partner, you'll need to follow and c Subscribing to the [Microsoft Defender ATP Developer license](https://winatpregistration-prd.trafficmanager.net/Developer/UserAgreement?Length=9) allows you to use a Microsoft Defender ATP tenant with up to 10 devices for developing solutions to integrate with Microsoft Defender ATP. ## Step 2: Fulfill the solution validation and certification requirements -The best way for technology partners to certify their integration works, is to have a joint customer approve the suggested integration design and have it tested and demoed to the Microsoft Defender ATP team. +The best way for technology partners to certify that their integration works is to have a joint customer approve the suggested integration design (the customer can use the **Recommend a partner** option in the [Partner Application page](https://securitycenter.microsoft.com/interoperability/partners) in the Microsoft Defender Security Center) and have it tested and demoed to the Microsoft Defender ATP team. Once the Microsoft Defender ATP team has reviewed and approves the integration, we will direct you to be included as a partner at the Microsoft Intelligent Security Association. diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-ti-indicators-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-ti-indicators-collection.md index 7ac3ed480b..41c5a0ebdd 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-ti-indicators-collection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-ti-indicators-collection.md 
@@ -1,6 +1,6 @@ --- title: List Indicators API -description: Use this API to create calls related to get Indicators collection +description: Learn how to use the List Indicators API to retrieve a collection of all active Indicators in Microsoft Defender Advanced Threat Protection. keywords: apis, public api, supported apis, Indicators collection search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -18,6 +18,9 @@ ms.topic: article # List Indicators API +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-user-information.md b/windows/security/threat-protection/microsoft-defender-atp/get-user-information.md index 026cdb7ca3..80617258d3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-user-information.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-user-information.md @@ -1,6 +1,6 @@ --- title: Get user information API -description: Retrieve a User entity by key such as user name or domain. +description: Learn how to use the Get user information API to retrieve a User entity by key, or user name, in Microsoft Defender Advanced Threat Protection. keywords: apis, graph api, supported apis, get, user, user information search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -17,6 +17,9 @@ ms.topic: article --- # Get user information API + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md index 0a052683b6..3d00668c3b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md @@ -18,6 +18,9 @@ ms.topic: article # Get user related alerts API +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) @@ -77,4 +80,4 @@ Here is an example of the request. ``` GET https://api.securitycenter.windows.com/api/users/user1/alerts -``` \ No newline at end of file +``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines.md index e55f0b9188..28c129e51c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines.md @@ -1,6 +1,6 @@ --- title: Get user related machines API -description: Retrieves a collection of devices related to a given user ID. +description: Learn how to use the Get user related machines API to retrieve a collection of devices related to a user ID in Microsoft Defender Advanced Threat Protection. keywords: apis, graph api, supported apis, get, user, user related alerts search.product: eADQiWindows 10XVcnh ms.prod: w10 
@@ -18,6 +18,9 @@ ms.topic: article # Get user related machines API +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-vuln-by-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-vuln-by-software.md index 42147bc353..4a5514ff10 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-vuln-by-software.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-vuln-by-software.md 
@@ -1,93 +1,96 @@ ---- -title: List vulnerabilities by software -description: Retrieve a list of vulnerabilities in the installed software. -keywords: apis, graph api, supported apis, get, vulnerabilities list, mdatp tvm api -search.product: eADQiWindows 10XVcnh -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: dolmont -author: DulceMontemayor -ms.localizationpriority: medium -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: article ---- - -# List vulnerabilities by software - -**Applies to:** - -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - -[!include[Prerelease information](../../includes/prerelease.md)] - -Retrieve a list of vulnerabilities in the installed software. - -## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details. - -Permission type | Permission | Permission display name -:---|:---|:--- -Application | Software.Read.All | 'Read Threat and Vulnerability Management Software information' -Delegated (work or school account) | Software.Read | 'Read Threat and Vulnerability Management Software information' - -## HTTP request -``` -GET /api/Software/{Id}/vulnerabilities -``` - -## Request headers - -| Name | Type | Description -|:--------------|:-------|:--------------| -| Authorization | String | Bearer {token}.**Required**. - -## Request body -Empty - -## Response -If successful, this method returns 200 OK with a a list of vulnerabilities exposed by the specified software. - - -## Example - -**Request** - -Here is an example of the request. - -``` -GET https://api.securitycenter.windows.com/api/Software/microsoft-_-edge/vulnerabilities -``` - -**Response** - -Here is an example of the response. 
- -```json - -{ - "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#Collection(Analytics.Contracts.PublicAPI.PublicVulnerabilityDto)", - "value": [ - { - "id": "CVE-2017-0140", - "name": "CVE-2017-0140", - "description": "A security feature bypass vulnerability exists when Microsoft Edge improperly handles requests of different origins. The vulnerability allows Microsoft Edge to bypass Same-Origin Policy (SOP) restrictions, and to allow requests that should otherwise be ignored. An attacker who successfully exploited the vulnerability could force the browser to send data that would otherwise be restricted.In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. The attacker could also take advantage of compromised websites, and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability.The security update addresses the vulnerability by modifying how affected Microsoft Edge handles different-origin requests.", - "severity": "Medium", - "cvssV3": 4.2, - "exposedMachines": 1, - "publishedOn": "2017-03-14T00:00:00Z", - "updatedOn": "2019-10-03T00:03:00Z", - "publicExploit": false, - "exploitVerified": false, - "exploitInKit": false, - "exploitTypes": [], - "exploitUris": [] - } - ... - ] -} -``` - +--- +title: List vulnerabilities by software +description: Retrieve a list of vulnerabilities in the installed software. 
+keywords: apis, graph api, supported apis, get, vulnerabilities list, mdatp tvm api +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: dolmont +author: DulceMontemayor +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +--- + +# List vulnerabilities by software + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +[!include[Prerelease information](../../includes/prerelease.md)] + +Retrieve a list of vulnerabilities in the installed software. + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details. + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | Software.Read.All | 'Read Threat and Vulnerability Management Software information' +Delegated (work or school account) | Software.Read | 'Read Threat and Vulnerability Management Software information' + +## HTTP request +``` +GET /api/Software/{Id}/vulnerabilities +``` + +## Request headers + +| Name | Type | Description +|:--------------|:-------|:--------------| +| Authorization | String | Bearer {token}.**Required**. + +## Request body +Empty + +## Response +If successful, this method returns 200 OK with a a list of vulnerabilities exposed by the specified software. + + +## Example + +**Request** + +Here is an example of the request. + +``` +GET https://api.securitycenter.windows.com/api/Software/microsoft-_-edge/vulnerabilities +``` + +**Response** + +Here is an example of the response. 
+ +```json + +{ + "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#Collection(Analytics.Contracts.PublicAPI.PublicVulnerabilityDto)", + "value": [ + { + "id": "CVE-2017-0140", + "name": "CVE-2017-0140", + "description": "A security feature bypass vulnerability exists when Microsoft Edge improperly handles requests of different origins. The vulnerability allows Microsoft Edge to bypass Same-Origin Policy (SOP) restrictions, and to allow requests that should otherwise be ignored. An attacker who successfully exploited the vulnerability could force the browser to send data that would otherwise be restricted.In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. The attacker could also take advantage of compromised websites, and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability.The security update addresses the vulnerability by modifying how affected Microsoft Edge handles different-origin requests.", + "severity": "Medium", + "cvssV3": 4.2, + "exposedMachines": 1, + "publishedOn": "2017-03-14T00:00:00Z", + "updatedOn": "2019-10-03T00:03:00Z", + "publicExploit": false, + "exploitVerified": false, + "exploitInKit": false, + "exploitTypes": [], + "exploitUris": [] + } + ... + ] +} +``` + diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-vulnerability-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/get-vulnerability-by-id.md index a7ec42d80f..27b633e634 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-vulnerability-by-id.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-vulnerability-by-id.md 
@@ -1,88 +1,91 @@
----
-title: Get vulnerability by Id
-description: Retrieves vulnerability information by its ID.
-keywords: apis, graph api, supported apis, get, vulnerability information, mdatp tvm api
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Get vulnerability by ID
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-Retrieves vulnerability information by its ID.
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Vulnerability.Read.All | 'Read Threat and Vulnerability Management vulnerability information'
-Delegated (work or school account) | Vulnerability.Read | 'Read Threat and Vulnerability Management vulnerability information'
-
-## HTTP request
-```
-GET /api/vulnerabilities/{cveId}
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful, this method returns 200 OK with the vulnerability information in the body.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```
-GET https://api.securitycenter.windows.com/api/Vulnerabilities/CVE-2019-0608
-```
-
-**Response**
-
-Here is an example of the response.
-
-```json
-{
- "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#Vulnerabilities/$entity",
- "id": "CVE-2019-0608",
- "name": "CVE-2019-0608",
- "description": "A spoofing vulnerability exists when Microsoft Browsers does not properly parse HTTP content. An attacker who successfully exploited this vulnerability could impersonate a user request by crafting HTTP queries. The specially crafted website could either spoof content or serve as a pivot to chain an attack with other vulnerabilities in web services.To exploit the vulnerability, the user must click a specially crafted URL. In an email attack scenario, an attacker could send an email message containing the specially crafted URL to the user in an attempt to convince the user to click it.In a web-based attack scenario, an attacker could host a specially crafted website designed to appear as a legitimate website to the user. However, the attacker would have no way to force the user to visit the specially crafted website. 
 The attacker would have to convince the user to visit the specially crafted website, typically by way of enticement in an email or instant message, and then convince the user to interact with content on the website.The update addresses the vulnerability by correcting how Microsoft Browsers parses HTTP responses.",
- "severity": "Medium",
- "cvssV3": 4.3,
- "exposedMachines": 4,
- "publishedOn": "2019-10-08T00:00:00Z",
- "updatedOn": "2019-12-16T16:20:00Z",
- "publicExploit": false,
- "exploitVerified": false,
- "exploitInKit": false,
- "exploitTypes": [],
- "exploitUris": []
-}
-```
-## Related topics
-- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
-- [Vulnerabilities in your organization](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses)
+---
+title: Get vulnerability by Id
+description: Retrieves vulnerability information by its ID.
+keywords: apis, graph api, supported apis, get, vulnerability information, mdatp tvm api
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Get vulnerability by ID
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+Retrieves vulnerability information by its ID.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Vulnerability.Read.All | 'Read Threat and Vulnerability Management vulnerability information'
+Delegated (work or school account) | Vulnerability.Read | 'Read Threat and Vulnerability Management vulnerability information'
+
+## HTTP request
+```
+GET /api/vulnerabilities/{cveId}
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200 OK with the vulnerability information in the body.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/Vulnerabilities/CVE-2019-0608
+```
+
+**Response**
+
+Here is an example of the response.
+
+```json
+{
+ "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#Vulnerabilities/$entity",
+ "id": "CVE-2019-0608",
+ "name": "CVE-2019-0608",
+ "description": "A spoofing vulnerability exists when Microsoft Browsers does not properly parse HTTP content. An attacker who successfully exploited this vulnerability could impersonate a user request by crafting HTTP queries. The specially crafted website could either spoof content or serve as a pivot to chain an attack with other vulnerabilities in web services.To exploit the vulnerability, the user must click a specially crafted URL. In an email attack scenario, an attacker could send an email message containing the specially crafted URL to the user in an attempt to convince the user to click it.In a web-based attack scenario, an attacker could host a specially crafted website designed to appear as a legitimate website to the user. However, the attacker would have no way to force the user to visit the specially crafted website. 
The attacker would have to convince the user to visit the specially crafted website, typically by way of enticement in an email or instant message, and then convince the user to interact with content on the website.The update addresses the vulnerability by correcting how Microsoft Browsers parses HTTP responses.", + "severity": "Medium", + "cvssV3": 4.3, + "exposedMachines": 4, + "publishedOn": "2019-10-08T00:00:00Z", + "updatedOn": "2019-12-16T16:20:00Z", + "publicExploit": false, + "exploitVerified": false, + "exploitInKit": false, + "exploitTypes": [], + "exploitUris": [] +} +``` +## Related topics +- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt) +- [Vulnerabilities in your organization](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses) diff --git a/windows/security/threat-protection/microsoft-defender-atp/grant-mssp-access.md b/windows/security/threat-protection/microsoft-defender-atp/grant-mssp-access.md index fc801373b0..1feba6fc45 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/grant-mssp-access.md +++ b/windows/security/threat-protection/microsoft-defender-atp/grant-mssp-access.md @@ -1,4 +1,4 @@ ---- +--- title: Grant access to managed security service provider (MSSP) description: Take the necessary steps to configure the MSSP integration with Microsoft Defender ATP keywords: managed security service provider, mssp, configure, integration @@ -19,6 +19,9 @@ ms.topic: article # Grant managed security service provider (MSSP) access (preview) +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) 
@@ -53,7 +56,7 @@ To implement a multi-tenant delegated access solution, take the following steps: ![Image of MSSP access](images/mssp-access.png) - Then, create RBAC roles to meet MSSP SOC Tier needs. Link these roles to the created user groups via “Assigned user groups”. + Then, create RBAC roles to meet MSSP SOC Tier needs. Link these roles to the created user groups via Assigned user groups. Two possible roles: @@ -117,13 +120,13 @@ To implement a multi-tenant delegated access solution, take the following steps: Access requests are managed in the customer My Access, by members of the MSSP Analyst Approvers group. - To do so, access the customer’s myaccess using: + To do so, access the customers myaccess using: `https://myaccess.microsoft.com/@`. Example: `https://myaccess.microsoft.com/@M365x440XXX.onmicrosoft.com#/` 2. Approve or deny requests in the **Approvals** section of the UI. - At this point, analyst access has been provisioned, and each analyst should be able to access the customer’s Microsoft Defender Security Center: `https://securitycenter.Microsoft.com/?tid=` + At this point, analyst access has been provisioned, and each analyst should be able to access the customers Microsoft Defender Security Center: `https://securitycenter.Microsoft.com/?tid=` ## Related topics - [Access the MSSP customer portal](access-mssp-portal.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/helpful-resources.md b/windows/security/threat-protection/microsoft-defender-atp/helpful-resources.md index 30e6e789bd..1b411df76d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/helpful-resources.md +++ b/windows/security/threat-protection/microsoft-defender-atp/helpful-resources.md 
@@ -19,6 +19,9 @@ ms.topic: conceptual # Helpful Microsoft Defender Advanced Threat Protection resources +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) @@ -57,4 +60,4 @@ Access helpful resources such as links to blogs and other resources related to ](https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/Microsoft-Defender-ATP-Evaluation-lab-is-now-available-in-public/ba-p/770271) - [How automation brings value to your security - teams](https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/How-automation-brings-value-to-your-security-teams/ba-p/729297) \ No newline at end of file + teams](https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/How-automation-brings-value-to-your-security-teams/ba-p/729297) diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/04245db47e1456f22d473980089ca69e.png b/windows/security/threat-protection/microsoft-defender-atp/images/04245db47e1456f22d473980089ca69e.png new file mode 100644 index 0000000000..9a854aad6a Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/04245db47e1456f22d473980089ca69e.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/07e6d4119f265037e3b80a20a73b856f.png b/windows/security/threat-protection/microsoft-defender-atp/images/07e6d4119f265037e3b80a20a73b856f.png index c0227b91bb..eac5e07fae 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/07e6d4119f265037e3b80a20a73b856f.png and b/windows/security/threat-protection/microsoft-defender-atp/images/07e6d4119f265037e3b80a20a73b856f.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/099eb1b3e2d9a4fed03e9b7ef1de9765.png b/windows/security/threat-protection/microsoft-defender-atp/images/099eb1b3e2d9a4fed03e9b7ef1de9765.png
new file mode 100644
index 0000000000..33da3dde26
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/099eb1b3e2d9a4fed03e9b7ef1de9765.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/09a275e321268e5e3ac0c0865d3e2db5.png b/windows/security/threat-protection/microsoft-defender-atp/images/09a275e321268e5e3ac0c0865d3e2db5.png
new file mode 100644
index 0000000000..b033d8f6b8
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/09a275e321268e5e3ac0c0865d3e2db5.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/0adb21c13206861ba9b30a879ade93d3.png b/windows/security/threat-protection/microsoft-defender-atp/images/0adb21c13206861ba9b30a879ade93d3.png
new file mode 100644
index 0000000000..b4a524f421
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/0adb21c13206861ba9b30a879ade93d3.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/0add8019b85a453b47fa5c402c72761b.png b/windows/security/threat-protection/microsoft-defender-atp/images/0add8019b85a453b47fa5c402c72761b.png
new file mode 100644
index 0000000000..2e663efc76
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/0add8019b85a453b47fa5c402c72761b.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/0c04975c74746a5cdb085e1d9386e713.png b/windows/security/threat-protection/microsoft-defender-atp/images/0c04975c74746a5cdb085e1d9386e713.png
new file mode 100644
index 0000000000..808a10141e
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/0c04975c74746a5cdb085e1d9386e713.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/0dde8a4c41110dbc398c485433a81359.png b/windows/security/threat-protection/microsoft-defender-atp/images/0dde8a4c41110dbc398c485433a81359.png
new file mode 100644
index 0000000000..1933fdec00
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/0dde8a4c41110dbc398c485433a81359.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/0df36fc308ba569db204ee32db3fb40a.png b/windows/security/threat-protection/microsoft-defender-atp/images/0df36fc308ba569db204ee32db3fb40a.png
new file mode 100644
index 0000000000..cb2c5784fd
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/0df36fc308ba569db204ee32db3fb40a.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/0f79cb37900b57c3e2bb0effad1c19cb.png b/windows/security/threat-protection/microsoft-defender-atp/images/0f79cb37900b57c3e2bb0effad1c19cb.png
index cc772a98e5..6e7df1e6a3 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/0f79cb37900b57c3e2bb0effad1c19cb.png and b/windows/security/threat-protection/microsoft-defender-atp/images/0f79cb37900b57c3e2bb0effad1c19cb.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/10ab98358b2d602f3f67618735fa82fb.png b/windows/security/threat-protection/microsoft-defender-atp/images/10ab98358b2d602f3f67618735fa82fb.png
new file mode 100644
index 0000000000..30b0d05525
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/10ab98358b2d602f3f67618735fa82fb.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/1213872db5833aa8be535da57653219f.png b/windows/security/threat-protection/microsoft-defender-atp/images/1213872db5833aa8be535da57653219f.png
new file mode 100644
index 0000000000..211267d73d
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/1213872db5833aa8be535da57653219f.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/1359fbfdd8bd9ee74c3bb487a05b956c.png b/windows/security/threat-protection/microsoft-defender-atp/images/1359fbfdd8bd9ee74c3bb487a05b956c.png
new file mode 100644
index 0000000000..ebba81f9c4
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/1359fbfdd8bd9ee74c3bb487a05b956c.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/149cbfdf221cdbde8159d0ab72644cd0.png b/windows/security/threat-protection/microsoft-defender-atp/images/149cbfdf221cdbde8159d0ab72644cd0.png
new file mode 100644
index 0000000000..e1003dbe5c
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/149cbfdf221cdbde8159d0ab72644cd0.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/1626d138e6309c6e87bfaab64f5ccf7b.png b/windows/security/threat-protection/microsoft-defender-atp/images/1626d138e6309c6e87bfaab64f5ccf7b.png
new file mode 100644
index 0000000000..e9ad710109
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/1626d138e6309c6e87bfaab64f5ccf7b.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/165b9d4795388ab8481a2e6228fdefc0.png b/windows/security/threat-protection/microsoft-defender-atp/images/165b9d4795388ab8481a2e6228fdefc0.png
new file mode 100644
index 0000000000..d631a23a7a
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/165b9d4795388ab8481a2e6228fdefc0.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/18a50df62cc38749000dbfb48e9a4c9b.png b/windows/security/threat-protection/microsoft-defender-atp/images/18a50df62cc38749000dbfb48e9a4c9b.png
new file mode 100644
index 0000000000..624db40b02
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/18a50df62cc38749000dbfb48e9a4c9b.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/196a8e194ac99d84221f405d0f684f8c.png b/windows/security/threat-protection/microsoft-defender-atp/images/196a8e194ac99d84221f405d0f684f8c.png
new file mode 100644
index 0000000000..00757fde1a
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/196a8e194ac99d84221f405d0f684f8c.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/1aa5aaa0a387f4e16ce55b66facc77d1.png b/windows/security/threat-protection/microsoft-defender-atp/images/1aa5aaa0a387f4e16ce55b66facc77d1.png
new file mode 100644
index 0000000000..b0fb764d52
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/1aa5aaa0a387f4e16ce55b66facc77d1.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/1b6b5a4edcb42d97f1e70a6a0fa48e3a.png b/windows/security/threat-protection/microsoft-defender-atp/images/1b6b5a4edcb42d97f1e70a6a0fa48e3a.png
new file mode 100644
index 0000000000..2da3d1c9ca
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/1b6b5a4edcb42d97f1e70a6a0fa48e3a.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/1c08d097829863778d562c10c5f92b67.png b/windows/security/threat-protection/microsoft-defender-atp/images/1c08d097829863778d562c10c5f92b67.png
new file mode 100644
index 0000000000..9604e5fc29
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/1c08d097829863778d562c10c5f92b67.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/1c9bd3f68db20b80193dac18f33c22d0.png b/windows/security/threat-protection/microsoft-defender-atp/images/1c9bd3f68db20b80193dac18f33c22d0.png
new file mode 100644
index 0000000000..00a6103e30
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/1c9bd3f68db20b80193dac18f33c22d0.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/1f72e9c15eaafcabf1504397e99be311.png b/windows/security/threat-protection/microsoft-defender-atp/images/1f72e9c15eaafcabf1504397e99be311.png
new file mode 100644
index 0000000000..a4a5bb1008
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/1f72e9c15eaafcabf1504397e99be311.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/2055e4f9b9141525c0eb681e7ba19381.png b/windows/security/threat-protection/microsoft-defender-atp/images/2055e4f9b9141525c0eb681e7ba19381.png
new file mode 100644
index 0000000000..3222b1f66d
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/2055e4f9b9141525c0eb681e7ba19381.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/206b3d954f06cc58b3466fb7a0bd9f74.png b/windows/security/threat-protection/microsoft-defender-atp/images/206b3d954f06cc58b3466fb7a0bd9f74.png
index 1c1d7284c9..b6a05adc69 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/206b3d954f06cc58b3466fb7a0bd9f74.png and b/windows/security/threat-protection/microsoft-defender-atp/images/206b3d954f06cc58b3466fb7a0bd9f74.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/20e33b98eb54447881dc6c89e58b890f.png b/windows/security/threat-protection/microsoft-defender-atp/images/20e33b98eb54447881dc6c89e58b890f.png
new file mode 100644
index 0000000000..c8722ddd31
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/20e33b98eb54447881dc6c89e58b890f.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/216253cbfb6ae738b9f13496b9c799fd.png b/windows/security/threat-protection/microsoft-defender-atp/images/216253cbfb6ae738b9f13496b9c799fd.png
new file mode 100644
index 0000000000..35f0fdcd33
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/216253cbfb6ae738b9f13496b9c799fd.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/219bef7e5ebfdd0e2078f4a27535296a.png b/windows/security/threat-protection/microsoft-defender-atp/images/219bef7e5ebfdd0e2078f4a27535296a.png
new file mode 100644
index 0000000000..ae40584eb5
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/219bef7e5ebfdd0e2078f4a27535296a.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/21de3658bf58b1b767a17358a3f06341.png b/windows/security/threat-protection/microsoft-defender-atp/images/21de3658bf58b1b767a17358a3f06341.png
new file mode 100644
index 0000000000..f50308e890
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/21de3658bf58b1b767a17358a3f06341.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/22cb439de958101c0a12f3038f905b27.png b/windows/security/threat-protection/microsoft-defender-atp/images/22cb439de958101c0a12f3038f905b27.png
new file mode 100644
index 0000000000..0ee45bfe4d
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/22cb439de958101c0a12f3038f905b27.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/2466460812371ffae2d19a10c347d6f4.png b/windows/security/threat-protection/microsoft-defender-atp/images/2466460812371ffae2d19a10c347d6f4.png
new file mode 100644
index 0000000000..8979120d8f
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/2466460812371ffae2d19a10c347d6f4.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/24e290f5fc309932cf41f3a280d22c14.png b/windows/security/threat-protection/microsoft-defender-atp/images/24e290f5fc309932cf41f3a280d22c14.png
new file mode 100644
index 0000000000..38c794c2e4
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/24e290f5fc309932cf41f3a280d22c14.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/253274b33e74f3f5b8d475cf8692ce4e.png b/windows/security/threat-protection/microsoft-defender-atp/images/253274b33e74f3f5b8d475cf8692ce4e.png
new file mode 100644
index 0000000000..940d23f8e7
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/253274b33e74f3f5b8d475cf8692ce4e.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/264493cd01e62c7085659d6fdc26dc91.png b/windows/security/threat-protection/microsoft-defender-atp/images/264493cd01e62c7085659d6fdc26dc91.png
new file mode 100644
index 0000000000..f5e8adcd57
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/264493cd01e62c7085659d6fdc26dc91.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/26f0f7a5f3a6d95aa32a9e3d6d1a38a4.png b/windows/security/threat-protection/microsoft-defender-atp/images/26f0f7a5f3a6d95aa32a9e3d6d1a38a4.png
new file mode 100644
index 0000000000..e887ffeb72
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/26f0f7a5f3a6d95aa32a9e3d6d1a38a4.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/289172dbd7bd34d55d24810d9d4d8158.png b/windows/security/threat-protection/microsoft-defender-atp/images/289172dbd7bd34d55d24810d9d4d8158.png
new file mode 100644
index 0000000000..6b378bc697
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/289172dbd7bd34d55d24810d9d4d8158.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/2bda9244ec25d1526811da4ea91b1c86.png b/windows/security/threat-protection/microsoft-defender-atp/images/2bda9244ec25d1526811da4ea91b1c86.png
new file mode 100644
index 0000000000..ef1fa51714
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/2bda9244ec25d1526811da4ea91b1c86.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/2c2e87c5fedc87eba17be0cdeffdb17f.png b/windows/security/threat-protection/microsoft-defender-atp/images/2c2e87c5fedc87eba17be0cdeffdb17f.png
new file mode 100644
index 0000000000..ac2634f33b
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/2c2e87c5fedc87eba17be0cdeffdb17f.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/2c49b16cd112729b3719724f581e6882.png b/windows/security/threat-protection/microsoft-defender-atp/images/2c49b16cd112729b3719724f581e6882.png
new file mode 100644
index 0000000000..4b2410ad5e
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/2c49b16cd112729b3719724f581e6882.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/2f66647cbcefaa4088a5df19d9203afb.png b/windows/security/threat-protection/microsoft-defender-atp/images/2f66647cbcefaa4088a5df19d9203afb.png
new file mode 100644
index 0000000000..b33ac87a2c
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/2f66647cbcefaa4088a5df19d9203afb.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/30be88b63abc5e8dde11b73f1b1ade6a.png b/windows/security/threat-protection/microsoft-defender-atp/images/30be88b63abc5e8dde11b73f1b1ade6a.png
new file mode 100644
index 0000000000..af749f43cc
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/30be88b63abc5e8dde11b73f1b1ade6a.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/3160906404bc5a2edf84d1d015894e3b.png b/windows/security/threat-protection/microsoft-defender-atp/images/3160906404bc5a2edf84d1d015894e3b.png
new file mode 100644
index 0000000000..b7ab38e50d
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/3160906404bc5a2edf84d1d015894e3b.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/321ba245f14743c1d5d51c15e99deecc.png b/windows/security/threat-protection/microsoft-defender-atp/images/321ba245f14743c1d5d51c15e99deecc.png
new file mode 100644
index 0000000000..14d3cfb8dd
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/321ba245f14743c1d5d51c15e99deecc.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/335aff58950ce62d1dabc289ecdce9ed.png b/windows/security/threat-protection/microsoft-defender-atp/images/335aff58950ce62d1dabc289ecdce9ed.png
new file mode 100644
index 0000000000..b536944e24
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/335aff58950ce62d1dabc289ecdce9ed.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/33e2b2a1611fdddf6b5b79e54496e3bb.png b/windows/security/threat-protection/microsoft-defender-atp/images/33e2b2a1611fdddf6b5b79e54496e3bb.png
new file mode 100644
index 0000000000..1a95f07037
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/33e2b2a1611fdddf6b5b79e54496e3bb.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/33f1ecdc7d4872555418bbc3efe4b7a3.png b/windows/security/threat-protection/microsoft-defender-atp/images/33f1ecdc7d4872555418bbc3efe4b7a3.png
new file mode 100644
index 0000000000..06aed3038e
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/33f1ecdc7d4872555418bbc3efe4b7a3.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/34e6b9a0dae125d085c84593140180ed.png b/windows/security/threat-protection/microsoft-defender-atp/images/34e6b9a0dae125d085c84593140180ed.png
index e08fb904df..c8872c4cfb 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/34e6b9a0dae125d085c84593140180ed.png and b/windows/security/threat-protection/microsoft-defender-atp/images/34e6b9a0dae125d085c84593140180ed.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/368d35b3d6179af92ffdbfd93b226b69.png b/windows/security/threat-protection/microsoft-defender-atp/images/368d35b3d6179af92ffdbfd93b226b69.png
new file mode 100644
index 0000000000..dea45e1206
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/368d35b3d6179af92ffdbfd93b226b69.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/38180219e632d6e4ec7bd25a46398da8.png b/windows/security/threat-protection/microsoft-defender-atp/images/38180219e632d6e4ec7bd25a46398da8.png
new file mode 100644
index 0000000000..157e426bc0
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/38180219e632d6e4ec7bd25a46398da8.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/3840b1576d6f79a1d72eb14760ef5e8c.png b/windows/security/threat-protection/microsoft-defender-atp/images/3840b1576d6f79a1d72eb14760ef5e8c.png
new file mode 100644
index 0000000000..32a776aef9
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/3840b1576d6f79a1d72eb14760ef5e8c.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/38c67ee1905c4747c3b26c8eba57726b.png b/windows/security/threat-protection/microsoft-defender-atp/images/38c67ee1905c4747c3b26c8eba57726b.png
new file mode 100644
index 0000000000..fbb8656f8b
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/38c67ee1905c4747c3b26c8eba57726b.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/39cf120d3ac3652292d8d1b6d057bd60.png b/windows/security/threat-protection/microsoft-defender-atp/images/39cf120d3ac3652292d8d1b6d057bd60.png
new file mode 100644
index 0000000000..6d201f5e90
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/39cf120d3ac3652292d8d1b6d057bd60.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/3c0a231f83cfb5a256d99ae575400d9b.png b/windows/security/threat-protection/microsoft-defender-atp/images/3c0a231f83cfb5a256d99ae575400d9b.png
new file mode 100644
index 0000000000..ebe69e0005
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/3c0a231f83cfb5a256d99ae575400d9b.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/3ced5383a6be788486d89d407d042f28.png b/windows/security/threat-protection/microsoft-defender-atp/images/3ced5383a6be788486d89d407d042f28.png
new file mode 100644
index 0000000000..4ff3e0fb7c
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/3ced5383a6be788486d89d407d042f28.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/4139848399185472abaa0ce2f34a883a.png b/windows/security/threat-protection/microsoft-defender-atp/images/4139848399185472abaa0ce2f34a883a.png
new file mode 100644
index 0000000000..de3cbeb5bb
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/4139848399185472abaa0ce2f34a883a.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/4239ca0528efb0734e4ca0b490bfb22d.png b/windows/security/threat-protection/microsoft-defender-atp/images/4239ca0528efb0734e4ca0b490bfb22d.png
new file mode 100644
index 0000000000..8bd862cd66
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/4239ca0528efb0734e4ca0b490bfb22d.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/42acc69d0128ed09804010bdbdf0a43c.png b/windows/security/threat-protection/microsoft-defender-atp/images/42acc69d0128ed09804010bdbdf0a43c.png
new file mode 100644
index 0000000000..9f4126d345
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/42acc69d0128ed09804010bdbdf0a43c.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/43ab6aa74471ee2977e154a4a5ef2d39.png b/windows/security/threat-protection/microsoft-defender-atp/images/43ab6aa74471ee2977e154a4a5ef2d39.png
new file mode 100644
index 0000000000..6ffdab3e67
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/43ab6aa74471ee2977e154a4a5ef2d39.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/441aa2ecd36abadcdd8aed03556080b5.png b/windows/security/threat-protection/microsoft-defender-atp/images/441aa2ecd36abadcdd8aed03556080b5.png
new file mode 100644
index 0000000000..9d1b985470
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/441aa2ecd36abadcdd8aed03556080b5.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/45156aa74077fc82cd4223f3dcb8cd76.png b/windows/security/threat-protection/microsoft-defender-atp/images/45156aa74077fc82cd4223f3dcb8cd76.png
new file mode 100644
index 0000000000..041e7d946c
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/45156aa74077fc82cd4223f3dcb8cd76.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/45cefc8e4e474321b4d47b4626346597.png b/windows/security/threat-protection/microsoft-defender-atp/images/45cefc8e4e474321b4d47b4626346597.png
new file mode 100644
index 0000000000..7f542a3c8c
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/45cefc8e4e474321b4d47b4626346597.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/48318a51adee06bff3908e8ad4944dc9.png b/windows/security/threat-protection/microsoft-defender-atp/images/48318a51adee06bff3908e8ad4944dc9.png
new file mode 100644
index 0000000000..d0679c71a7
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/48318a51adee06bff3908e8ad4944dc9.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/4922c0fcdde4c7f73242b13bf5e35c19.png b/windows/security/threat-protection/microsoft-defender-atp/images/4922c0fcdde4c7f73242b13bf5e35c19.png
new file mode 100644
index 0000000000..3e31d5e244
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/4922c0fcdde4c7f73242b13bf5e35c19.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/4bac6ce277aedfb4a674f2d9fcb2599a.png b/windows/security/threat-protection/microsoft-defender-atp/images/4bac6ce277aedfb4a674f2d9fcb2599a.png
new file mode 100644
index 0000000000..15c5639231
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/4bac6ce277aedfb4a674f2d9fcb2599a.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/4cc3cfc683ae36ff906562a61908d132.png b/windows/security/threat-protection/microsoft-defender-atp/images/4cc3cfc683ae36ff906562a61908d132.png
new file mode 100644
index 0000000000..6aee2fb1b1
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/4cc3cfc683ae36ff906562a61908d132.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/4d2d1d4ee13d3f840f425924c3df0d51.png b/windows/security/threat-protection/microsoft-defender-atp/images/4d2d1d4ee13d3f840f425924c3df0d51.png
new file mode 100644
index 0000000000..83ef8509be
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/4d2d1d4ee13d3f840f425924c3df0d51.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/4e965749ff71178af8873bc91f9fe525.png b/windows/security/threat-protection/microsoft-defender-atp/images/4e965749ff71178af8873bc91f9fe525.png
new file mode 100644
index 0000000000..2f6d99294b
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/4e965749ff71178af8873bc91f9fe525.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/4ec20e72c8aed9a4c16912e01692436a.png b/windows/security/threat-protection/microsoft-defender-atp/images/4ec20e72c8aed9a4c16912e01692436a.png
new file mode 100644
index 0000000000..e3d3692c75
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/4ec20e72c8aed9a4c16912e01692436a.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/513cf5d59eaaef5d2b5bc122715b5844.png b/windows/security/threat-protection/microsoft-defender-atp/images/513cf5d59eaaef5d2b5bc122715b5844.png
index 74de422642..ce6de17e48 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/513cf5d59eaaef5d2b5bc122715b5844.png and b/windows/security/threat-protection/microsoft-defender-atp/images/513cf5d59eaaef5d2b5bc122715b5844.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/522d9bb4288dc9c1a957392b51384fdd.png b/windows/security/threat-protection/microsoft-defender-atp/images/522d9bb4288dc9c1a957392b51384fdd.png
new file mode 100644
index 0000000000..88682c78a0
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/522d9bb4288dc9c1a957392b51384fdd.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/526b83fbdbb31265b3d0c1e5fbbdc33a.png b/windows/security/threat-protection/microsoft-defender-atp/images/526b83fbdbb31265b3d0c1e5fbbdc33a.png
new file mode 100644
index 0000000000..6b4bd29da7
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/526b83fbdbb31265b3d0c1e5fbbdc33a.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/526e978761fc571cca06907da7b01fd6.png b/windows/security/threat-protection/microsoft-defender-atp/images/526e978761fc571cca06907da7b01fd6.png
new file mode 100644
index 0000000000..2ee505158e
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/526e978761fc571cca06907da7b01fd6.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/54be9c6ed5b24cebe628dc3cd9ca4089.png b/windows/security/threat-protection/microsoft-defender-atp/images/54be9c6ed5b24cebe628dc3cd9ca4089.png
new file mode 100644
index 0000000000..b809759dcb
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/54be9c6ed5b24cebe628dc3cd9ca4089.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/55ecaca0e4a022f0e29d45aeed724e6c.png b/windows/security/threat-protection/microsoft-defender-atp/images/55ecaca0e4a022f0e29d45aeed724e6c.png
new file mode 100644
index 0000000000..ca1ff72715
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/55ecaca0e4a022f0e29d45aeed724e6c.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/56dac54634d13b2d3948ab50e8d3ef21.png b/windows/security/threat-protection/microsoft-defender-atp/images/56dac54634d13b2d3948ab50e8d3ef21.png
new file mode 100644
index 0000000000..23770e3a97
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/56dac54634d13b2d3948ab50e8d3ef21.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/56e6f6259b9ce3c1706ed8d666ae4947.png b/windows/security/threat-protection/microsoft-defender-atp/images/56e6f6259b9ce3c1706ed8d666ae4947.png
new file mode 100644
index 0000000000..163da50934
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/56e6f6259b9ce3c1706ed8d666ae4947.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/57aa4d21e2ccc65466bf284701d4e961.png b/windows/security/threat-protection/microsoft-defender-atp/images/57aa4d21e2ccc65466bf284701d4e961.png
new file mode 100644
index 0000000000..d2c3a2f2e5
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/57aa4d21e2ccc65466bf284701d4e961.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/57cef926d1b9260fb74a5f460cee887a.png b/windows/security/threat-protection/microsoft-defender-atp/images/57cef926d1b9260fb74a5f460cee887a.png
new file mode 100644
index 0000000000..e3897c4cbe
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/57cef926d1b9260fb74a5f460cee887a.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/5856b765a6ce677caacb130ca36b1a62.png b/windows/security/threat-protection/microsoft-defender-atp/images/5856b765a6ce677caacb130ca36b1a62.png new file mode 100644 index 0000000000..2e85b376b2 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/5856b765a6ce677caacb130ca36b1a62.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/58dcd48811147feb4ddc17212b7fe840.png b/windows/security/threat-protection/microsoft-defender-atp/images/58dcd48811147feb4ddc17212b7fe840.png new file mode 100644 index 0000000000..72a6a9e334 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/58dcd48811147feb4ddc17212b7fe840.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/5a568b6878be8243ea2b9d82d41ed297.png b/windows/security/threat-protection/microsoft-defender-atp/images/5a568b6878be8243ea2b9d82d41ed297.png new file mode 100644 index 0000000000..5e7cf47523 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/5a568b6878be8243ea2b9d82d41ed297.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/5be573a60cd4fa56a86a6668b62dd808.png b/windows/security/threat-protection/microsoft-defender-atp/images/5be573a60cd4fa56a86a6668b62dd808.png new file mode 100644 index 0000000000..026b643022 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/5be573a60cd4fa56a86a6668b62dd808.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/6104aa33a56fab750cf30ecabef9f5b6.png b/windows/security/threat-protection/microsoft-defender-atp/images/6104aa33a56fab750cf30ecabef9f5b6.png new file mode 100644 index 0000000000..2775ac9cda Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/6104aa33a56fab750cf30ecabef9f5b6.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/619fb877791b1fc8bc7dfae1a579043d.png b/windows/security/threat-protection/microsoft-defender-atp/images/619fb877791b1fc8bc7dfae1a579043d.png new file mode 100644 index 0000000000..fa53f0826c Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/619fb877791b1fc8bc7dfae1a579043d.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/625ba6d19e8597f05e4907298a454d28.png b/windows/security/threat-protection/microsoft-defender-atp/images/625ba6d19e8597f05e4907298a454d28.png new file mode 100644 index 0000000000..b63b06e529 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/625ba6d19e8597f05e4907298a454d28.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/632aaab79ae18d0d2b8e0c16b6ba39e2.png b/windows/security/threat-protection/microsoft-defender-atp/images/632aaab79ae18d0d2b8e0c16b6ba39e2.png new file mode 100644 index 0000000000..8d43285b82 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/632aaab79ae18d0d2b8e0c16b6ba39e2.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/633ad26b8bf24ec683c98b2feb884bdf.png b/windows/security/threat-protection/microsoft-defender-atp/images/633ad26b8bf24ec683c98b2feb884bdf.png new file mode 100644 index 0000000000..e71d428536 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/633ad26b8bf24ec683c98b2feb884bdf.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/644e0f3af40c29e80ca1443535b2fe32.png b/windows/security/threat-protection/microsoft-defender-atp/images/644e0f3af40c29e80ca1443535b2fe32.png new file mode 100644 index 0000000000..b37ef7c8b5 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/644e0f3af40c29e80ca1443535b2fe32.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/66f724598d9c3319cba27f79dd4617a4.png b/windows/security/threat-protection/microsoft-defender-atp/images/66f724598d9c3319cba27f79dd4617a4.png new file mode 100644 index 0000000000..d4fd512845 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/66f724598d9c3319cba27f79dd4617a4.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/68bdbc5754dfc80aa1a024dde0fce7b0.png b/windows/security/threat-protection/microsoft-defender-atp/images/68bdbc5754dfc80aa1a024dde0fce7b0.png new file mode 100644 index 0000000000..774f727137 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/68bdbc5754dfc80aa1a024dde0fce7b0.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/6b728d6e0d71108d768e368b416ff8ba.png b/windows/security/threat-protection/microsoft-defender-atp/images/6b728d6e0d71108d768e368b416ff8ba.png new file mode 100644 index 0000000000..8db6715ccd Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/6b728d6e0d71108d768e368b416ff8ba.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/6c8b406ee224335a8c65d06953dc756e.png b/windows/security/threat-protection/microsoft-defender-atp/images/6c8b406ee224335a8c65d06953dc756e.png new file mode 100644 index 0000000000..65870c57ee Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/6c8b406ee224335a8c65d06953dc756e.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/6daa8d347c98fe94a0d9c22797ff6f28.png b/windows/security/threat-protection/microsoft-defender-atp/images/6daa8d347c98fe94a0d9c22797ff6f28.png new file mode 100644 index 0000000000..24eede07b8 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/6daa8d347c98fe94a0d9c22797ff6f28.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/6de50b4a897408ddc6ded56a09c09fe2.png b/windows/security/threat-protection/microsoft-defender-atp/images/6de50b4a897408ddc6ded56a09c09fe2.png new file mode 100644 index 0000000000..4251c7b374 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/6de50b4a897408ddc6ded56a09c09fe2.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/6e48e7b29daf50afddcc6c8c7d59fd64.png b/windows/security/threat-protection/microsoft-defender-atp/images/6e48e7b29daf50afddcc6c8c7d59fd64.png new file mode 100644 index 0000000000..e811de74c2 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/6e48e7b29daf50afddcc6c8c7d59fd64.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/6eda18a64a660fa149575454e54e7156.png b/windows/security/threat-protection/microsoft-defender-atp/images/6eda18a64a660fa149575454e54e7156.png new file mode 100644 index 0000000000..edf5e96a06 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/6eda18a64a660fa149575454e54e7156.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/6f093e42856753a3955cab7ee14f12d9.png b/windows/security/threat-protection/microsoft-defender-atp/images/6f093e42856753a3955cab7ee14f12d9.png new file mode 100644 index 0000000000..8bb38c4958 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/6f093e42856753a3955cab7ee14f12d9.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/6f85269276b2278eca4bce84f935f87b.png b/windows/security/threat-protection/microsoft-defender-atp/images/6f85269276b2278eca4bce84f935f87b.png new file mode 100644 index 0000000000..11d8c78bcf Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/6f85269276b2278eca4bce84f935f87b.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/6fd0cb2bbb0e60a623829c91fd0826ab.png b/windows/security/threat-protection/microsoft-defender-atp/images/6fd0cb2bbb0e60a623829c91fd0826ab.png new file mode 100644 index 0000000000..32d1b991bd Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/6fd0cb2bbb0e60a623829c91fd0826ab.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/715ae7ec8d6a262c489f94d14e1e51bb.png b/windows/security/threat-protection/microsoft-defender-atp/images/715ae7ec8d6a262c489f94d14e1e51bb.png new file mode 100644 index 0000000000..bfe95454d9 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/715ae7ec8d6a262c489f94d14e1e51bb.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/718b9d609f9f77c8b13ba88c4c0abe5d.png b/windows/security/threat-protection/microsoft-defender-atp/images/718b9d609f9f77c8b13ba88c4c0abe5d.png new file mode 100644 index 0000000000..46b0e010bd Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/718b9d609f9f77c8b13ba88c4c0abe5d.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/7697c33b9fd376ae5a8023d01f9d3857.png b/windows/security/threat-protection/microsoft-defender-atp/images/7697c33b9fd376ae5a8023d01f9d3857.png new file mode 100644 index 0000000000..a037ed737b Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/7697c33b9fd376ae5a8023d01f9d3857.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/770827925b3f572fc027e7d50dcc415d.png b/windows/security/threat-protection/microsoft-defender-atp/images/770827925b3f572fc027e7d50dcc415d.png new file mode 100644 index 0000000000..82bd4898af Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/770827925b3f572fc027e7d50dcc415d.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/77d14ea36bea97c4607af0f70c88b812.png b/windows/security/threat-protection/microsoft-defender-atp/images/77d14ea36bea97c4607af0f70c88b812.png new file mode 100644 index 0000000000..a3ce68e15e Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/77d14ea36bea97c4607af0f70c88b812.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/7a631d17cc42500dacad4e995823ffef.png b/windows/security/threat-protection/microsoft-defender-atp/images/7a631d17cc42500dacad4e995823ffef.png new file mode 100644 index 0000000000..2159bbe1ad Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/7a631d17cc42500dacad4e995823ffef.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/7acc1b24846d3388d3b29c1d7a2dd141.png b/windows/security/threat-protection/microsoft-defender-atp/images/7acc1b24846d3388d3b29c1d7a2dd141.png new file mode 100644 index 0000000000..4ef3ad1831 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/7acc1b24846d3388d3b29c1d7a2dd141.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/7f9138053dbcbf928e5182ee7b295ebe.png b/windows/security/threat-protection/microsoft-defender-atp/images/7f9138053dbcbf928e5182ee7b295ebe.png new file mode 100644 index 0000000000..474e281699 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/7f9138053dbcbf928e5182ee7b295ebe.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/809cef630281b64b8f07f20913b0039b.png b/windows/security/threat-protection/microsoft-defender-atp/images/809cef630281b64b8f07f20913b0039b.png new file mode 100644 index 0000000000..b31c48693d Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/809cef630281b64b8f07f20913b0039b.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/846ca6a7a4be5be7111744091d539cba.png b/windows/security/threat-protection/microsoft-defender-atp/images/846ca6a7a4be5be7111744091d539cba.png new file mode 100644 index 0000000000..b0dd1554ef Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/846ca6a7a4be5be7111744091d539cba.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/847b70e54ed04787e415f5180414b310.png b/windows/security/threat-protection/microsoft-defender-atp/images/847b70e54ed04787e415f5180414b310.png new file mode 100644 index 0000000000..884a5e815e Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/847b70e54ed04787e415f5180414b310.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/86cbe56f88bb6e93e9c63303397fc24f.png b/windows/security/threat-protection/microsoft-defender-atp/images/86cbe56f88bb6e93e9c63303397fc24f.png index 9c2f6b242e..dad2a98f43 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/86cbe56f88bb6e93e9c63303397fc24f.png and b/windows/security/threat-protection/microsoft-defender-atp/images/86cbe56f88bb6e93e9c63303397fc24f.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/88efb4c3710493a53f2840c3eac3e3d3.png b/windows/security/threat-protection/microsoft-defender-atp/images/88efb4c3710493a53f2840c3eac3e3d3.png new file mode 100644 index 0000000000..7935e15763 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/88efb4c3710493a53f2840c3eac3e3d3.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/8c3bdc3924488542295f29c93af3881f.png b/windows/security/threat-protection/microsoft-defender-atp/images/8c3bdc3924488542295f29c93af3881f.png new file mode 100644 index 0000000000..f0b6205a1f Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/8c3bdc3924488542295f29c93af3881f.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/8d80fe378a31143db9be0bacf7ddc5a3.png b/windows/security/threat-protection/microsoft-defender-atp/images/8d80fe378a31143db9be0bacf7ddc5a3.png new file mode 100644 index 0000000000..943ede3988 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/8d80fe378a31143db9be0bacf7ddc5a3.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/8dde76b5463047423f8637c86b05c29d.png b/windows/security/threat-protection/microsoft-defender-atp/images/8dde76b5463047423f8637c86b05c29d.png new file mode 100644 index 0000000000..b15631e21b Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/8dde76b5463047423f8637c86b05c29d.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/8e69f867664668796a3b2904896f0436.png b/windows/security/threat-protection/microsoft-defender-atp/images/8e69f867664668796a3b2904896f0436.png new file mode 100644 index 0000000000..aba654cde9 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/8e69f867664668796a3b2904896f0436.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/8ee0405f1a96c23d2eb6f737f11c1ae5.png b/windows/security/threat-protection/microsoft-defender-atp/images/8ee0405f1a96c23d2eb6f737f11c1ae5.png new file mode 100644 index 0000000000..82c5aa9d19 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/8ee0405f1a96c23d2eb6f737f11c1ae5.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/8fb4cc03721e1efb4a15867d5241ebfb.png b/windows/security/threat-protection/microsoft-defender-atp/images/8fb4cc03721e1efb4a15867d5241ebfb.png new file mode 100644 index 0000000000..df6134c572 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/8fb4cc03721e1efb4a15867d5241ebfb.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/900c0197aa59f9b7abd762ab2b32e80c.png b/windows/security/threat-protection/microsoft-defender-atp/images/900c0197aa59f9b7abd762ab2b32e80c.png index 246439b6ea..304ca9217b 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/900c0197aa59f9b7abd762ab2b32e80c.png and b/windows/security/threat-protection/microsoft-defender-atp/images/900c0197aa59f9b7abd762ab2b32e80c.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/920e433f440fa1d3d298e6a2a43d4811.png b/windows/security/threat-protection/microsoft-defender-atp/images/920e433f440fa1d3d298e6a2a43d4811.png new file mode 100644 index 0000000000..95f726c325 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/920e433f440fa1d3d298e6a2a43d4811.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/9341428b2d3164ca63d7d4eaa5cff642.png b/windows/security/threat-protection/microsoft-defender-atp/images/9341428b2d3164ca63d7d4eaa5cff642.png new file mode 100644 index 0000000000..41be549fd6 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/9341428b2d3164ca63d7d4eaa5cff642.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/95313facfdd5e1ea361981e0a2478fec.png b/windows/security/threat-protection/microsoft-defender-atp/images/95313facfdd5e1ea361981e0a2478fec.png new file mode 100644 index 0000000000..d4638f0643 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/95313facfdd5e1ea361981e0a2478fec.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/98acea3750113b8dbab334296e833003.png b/windows/security/threat-protection/microsoft-defender-atp/images/98acea3750113b8dbab334296e833003.png new file mode 100644 index 0000000000..12867aecde Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/98acea3750113b8dbab334296e833003.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/990742cd9a15ca9fdd37c9f695d1b9f4.png b/windows/security/threat-protection/microsoft-defender-atp/images/990742cd9a15ca9fdd37c9f695d1b9f4.png new file mode 100644 index 0000000000..0de20fa301 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/990742cd9a15ca9fdd37c9f695d1b9f4.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/99679a7835b0d27d0a222bc3fdaf7f3b.png b/windows/security/threat-protection/microsoft-defender-atp/images/99679a7835b0d27d0a222bc3fdaf7f3b.png new file mode 100644 index 0000000000..fd2706aa68 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/99679a7835b0d27d0a222bc3fdaf7f3b.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/9970046795448057693973a976da3d1d.png b/windows/security/threat-protection/microsoft-defender-atp/images/9970046795448057693973a976da3d1d.png new file mode 100644 index 0000000000..b4e92a0f51 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/9970046795448057693973a976da3d1d.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/9d6e5386e652e00715ff348af72671c6.png b/windows/security/threat-protection/microsoft-defender-atp/images/9d6e5386e652e00715ff348af72671c6.png new file mode 100644 index 0000000000..7c4bf5f298 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/9d6e5386e652e00715ff348af72671c6.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/9e31ba00bcdd0bd8c1d1e53808581a2d.png b/windows/security/threat-protection/microsoft-defender-atp/images/9e31ba00bcdd0bd8c1d1e53808581a2d.png new file mode 100644 index 0000000000..a604180a07 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/9e31ba00bcdd0bd8c1d1e53808581a2d.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/9f09cc4cd841559dd389fba7dc57e5e0.png b/windows/security/threat-protection/microsoft-defender-atp/images/9f09cc4cd841559dd389fba7dc57e5e0.png new file mode 100644 index 0000000000..c636679f40 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/9f09cc4cd841559dd389fba7dc57e5e0.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/9fc17529e5577eefd773c658ec576a7d.png b/windows/security/threat-protection/microsoft-defender-atp/images/9fc17529e5577eefd773c658ec576a7d.png new file mode 100644 index 0000000000..f352977ac3 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/9fc17529e5577eefd773c658ec576a7d.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/9fe378a1dce0f143005c3aa53d8c4f51.png b/windows/security/threat-protection/microsoft-defender-atp/images/9fe378a1dce0f143005c3aa53d8c4f51.png index fac1c0ebaf..e300b1d2fc 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/9fe378a1dce0f143005c3aa53d8c4f51.png and b/windows/security/threat-protection/microsoft-defender-atp/images/9fe378a1dce0f143005c3aa53d8c4f51.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/a26bd4967cd54bb113a2c8d32894c3de.png b/windows/security/threat-protection/microsoft-defender-atp/images/a26bd4967cd54bb113a2c8d32894c3de.png new file mode 100644 index 0000000000..4ec19ffeb2 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/a26bd4967cd54bb113a2c8d32894c3de.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/a347307458d6a9bbfa88df7dbe15398f.png b/windows/security/threat-protection/microsoft-defender-atp/images/a347307458d6a9bbfa88df7dbe15398f.png new file mode 100644 index 0000000000..bfcfa8f717 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/a347307458d6a9bbfa88df7dbe15398f.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/a422e57fe8d45689227e784443e51bd1.png b/windows/security/threat-protection/microsoft-defender-atp/images/a422e57fe8d45689227e784443e51bd1.png new file mode 100644 index 0000000000..c734a1763a Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/a422e57fe8d45689227e784443e51bd1.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/a43bdc97f961de41946baca0e7405138.png b/windows/security/threat-protection/microsoft-defender-atp/images/a43bdc97f961de41946baca0e7405138.png new file mode 100644 index 0000000000..1c78719148 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/a43bdc97f961de41946baca0e7405138.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/a5a71fd73ec389f3cdce6d1a6bd1ff31.png b/windows/security/threat-protection/microsoft-defender-atp/images/a5a71fd73ec389f3cdce6d1a6bd1ff31.png new file mode 100644 index 0000000000..be6531a2f0 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/a5a71fd73ec389f3cdce6d1a6bd1ff31.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/a5b2d23bdd50b160fef4afd25dda28d4.png b/windows/security/threat-protection/microsoft-defender-atp/images/a5b2d23bdd50b160fef4afd25dda28d4.png new file mode 100644 index 0000000000..2111e5ee9c Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/a5b2d23bdd50b160fef4afd25dda28d4.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/a621b699899f1b41db211170074ea59e.png b/windows/security/threat-protection/microsoft-defender-atp/images/a621b699899f1b41db211170074ea59e.png new file mode 100644 index 0000000000..f0d844cbf7 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/a621b699899f1b41db211170074ea59e.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/a657018ab7c25284f0a631e83fc63c20.png b/windows/security/threat-protection/microsoft-defender-atp/images/a657018ab7c25284f0a631e83fc63c20.png new file mode 100644 index 0000000000..3aea41c5e9 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/a657018ab7c25284f0a631e83fc63c20.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/a790e02892e09857213331be078b9c28.png b/windows/security/threat-protection/microsoft-defender-atp/images/a790e02892e09857213331be078b9c28.png new file mode 100644 index 0000000000..6221e07cb5 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/a790e02892e09857213331be078b9c28.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/a7d738dd4509d65407b7d12beaa3e917.png b/windows/security/threat-protection/microsoft-defender-atp/images/a7d738dd4509d65407b7d12beaa3e917.png new file mode 100644 index 0000000000..696a84fc1b Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/a7d738dd4509d65407b7d12beaa3e917.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/aa9f8f0f5772b7032e0f5606a9094c79.png b/windows/security/threat-protection/microsoft-defender-atp/images/aa9f8f0f5772b7032e0f5606a9094c79.png new file mode 100644 index 0000000000..ef720de702 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/aa9f8f0f5772b7032e0f5606a9094c79.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/abccba0b620cec06b03d219832667fe1.png b/windows/security/threat-protection/microsoft-defender-atp/images/abccba0b620cec06b03d219832667fe1.png new file mode 100644 index 0000000000..d7d0f281c2 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/abccba0b620cec06b03d219832667fe1.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/ae3597247b6bc7c5347cf56ab1e820c0.png b/windows/security/threat-protection/microsoft-defender-atp/images/ae3597247b6bc7c5347cf56ab1e820c0.png new file mode 100644 index 0000000000..0dab513560 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/ae3597247b6bc7c5347cf56ab1e820c0.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/ah-multi-query.png b/windows/security/threat-protection/microsoft-defender-atp/images/ah-multi-query.png new file mode 100644 index 0000000000..ccf1f87727 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/ah-multi-query.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/ah-reference.png b/windows/security/threat-protection/microsoft-defender-atp/images/ah-reference.png new file mode 100644 index 0000000000..1139fe232a Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/ah-reference.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/android-create-app.png b/windows/security/threat-protection/microsoft-defender-atp/images/android-create-app.png index bc91973dc7..68e16ed3f6 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/android-create-app.png and b/windows/security/threat-protection/microsoft-defender-atp/images/android-create-app.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/android-review-create.png b/windows/security/threat-protection/microsoft-defender-atp/images/android-review-create.png index aeedcfb63e..60e08adef5 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/android-review-create.png and b/windows/security/threat-protection/microsoft-defender-atp/images/android-review-create.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/arcsight-logo.png b/windows/security/threat-protection/microsoft-defender-atp/images/arcsight-logo.png new file mode 100644 index 0000000000..5ec3542ebe Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/arcsight-logo.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/aruba-logo.png b/windows/security/threat-protection/microsoft-defender-atp/images/aruba-logo.png new file mode 100644 index 0000000000..037ca3b833 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/aruba-logo.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/asr-guid.png b/windows/security/threat-protection/microsoft-defender-atp/images/asr-guid.png new file mode 100644 index 0000000000..d8a8570fb0 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/asr-guid.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/attackiq-logo.png b/windows/security/threat-protection/microsoft-defender-atp/images/attackiq-logo.png new file mode 100644 index 0000000000..e27d84fd76 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/attackiq-logo.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/b1e0206d675ad07db218b63cd9b9abc3.png b/windows/security/threat-protection/microsoft-defender-atp/images/b1e0206d675ad07db218b63cd9b9abc3.png new file mode 100644 index 0000000000..feff40a8fa Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/b1e0206d675ad07db218b63cd9b9abc3.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/b334974590d1a1fa4bc034b6190663ea.png b/windows/security/threat-protection/microsoft-defender-atp/images/b334974590d1a1fa4bc034b6190663ea.png new file mode 100644 index 0000000000..778c97d70a Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/b334974590d1a1fa4bc034b6190663ea.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/b418a232a12b3d0a65fc98248dbb0e31.png b/windows/security/threat-protection/microsoft-defender-atp/images/b418a232a12b3d0a65fc98248dbb0e31.png new file mode 100644 index 0000000000..1b3302994b Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/b418a232a12b3d0a65fc98248dbb0e31.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/b64986618ecc9eec016a7e4c504d9d27.png b/windows/security/threat-protection/microsoft-defender-atp/images/b64986618ecc9eec016a7e4c504d9d27.png new file mode 100644 index 0000000000..55aced9e5e Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/b64986618ecc9eec016a7e4c504d9d27.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/b6c7ad56d50f497c38fc14c1e315456c.png b/windows/security/threat-protection/microsoft-defender-atp/images/b6c7ad56d50f497c38fc14c1e315456c.png new file mode 100644 index 0000000000..cb1009d9ab Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/b6c7ad56d50f497c38fc14c1e315456c.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/b6d671b2f18b89d96c1c8e2ea1991242.png b/windows/security/threat-protection/microsoft-defender-atp/images/b6d671b2f18b89d96c1c8e2ea1991242.png new file mode 100644 index 0000000000..168b4103a5 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/b6d671b2f18b89d96c1c8e2ea1991242.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/b7b677c6b06dfa9a00223ec6c58685d6.png b/windows/security/threat-protection/microsoft-defender-atp/images/b7b677c6b06dfa9a00223ec6c58685d6.png new file mode 100644 index 0000000000..f889ed6a06 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/b7b677c6b06dfa9a00223ec6c58685d6.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/ba3d40399e1a6d09214ecbb2b341923f.png b/windows/security/threat-protection/microsoft-defender-atp/images/ba3d40399e1a6d09214ecbb2b341923f.png new file mode 100644 index 0000000000..3effc79498 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/ba3d40399e1a6d09214ecbb2b341923f.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/ba44cdb77e4781aa8b940fb83e3c21f7.png b/windows/security/threat-protection/microsoft-defender-atp/images/ba44cdb77e4781aa8b940fb83e3c21f7.png new file mode 100644 index 0000000000..9d9988e39f Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/ba44cdb77e4781aa8b940fb83e3c21f7.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/bcd4920afadbc158f8d7de88c11096fb.png b/windows/security/threat-protection/microsoft-defender-atp/images/bcd4920afadbc158f8d7de88c11096fb.png new file mode 100644 index 0000000000..cdf08c8f7b Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/bcd4920afadbc158f8d7de88c11096fb.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/bd93e78b74c2660a0541af4690dd9485.png b/windows/security/threat-protection/microsoft-defender-atp/images/bd93e78b74c2660a0541af4690dd9485.png new file mode 100644 index 0000000000..b30f65c374 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/bd93e78b74c2660a0541af4690dd9485.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/bdo-logo.png b/windows/security/threat-protection/microsoft-defender-atp/images/bdo-logo.png new file mode 100644 index 0000000000..d51d5e1ec8 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/bdo-logo.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/bettermobile-logo.png b/windows/security/threat-protection/microsoft-defender-atp/images/bettermobile-logo.png new file mode 100644 index 0000000000..03c731e2d6 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/bettermobile-logo.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/bf187f62ea1ae024d87a933cf97a00d3.png b/windows/security/threat-protection/microsoft-defender-atp/images/bf187f62ea1ae024d87a933cf97a00d3.png new file mode 100644 index 0000000000..2bd24757a9 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/bf187f62ea1ae024d87a933cf97a00d3.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/bitdefender-logo.png b/windows/security/threat-protection/microsoft-defender-atp/images/bitdefender-logo.png new file mode 100644 index 0000000000..a04e552d0e Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/bitdefender-logo.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/bluehexagon-logo.png b/windows/security/threat-protection/microsoft-defender-atp/images/bluehexagon-logo.png new file mode 100644 index 0000000000..73c502b488 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/bluehexagon-logo.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/bluevoyant-logo.png b/windows/security/threat-protection/microsoft-defender-atp/images/bluevoyant-logo.png new file mode 100644 index 0000000000..290da40140 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/bluevoyant-logo.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/c06fa3bbc2f70d59dfe1e106cd9a4683.png b/windows/security/threat-protection/microsoft-defender-atp/images/c06fa3bbc2f70d59dfe1e106cd9a4683.png new file mode 100644 index 0000000000..b7a63ecc3e Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/c06fa3bbc2f70d59dfe1e106cd9a4683.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/c1022b886c359a2969b9a3fea4bcc6ed.png b/windows/security/threat-protection/microsoft-defender-atp/images/c1022b886c359a2969b9a3fea4bcc6ed.png new file mode 100644 index 0000000000..e0c1d3c59c Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/c1022b886c359a2969b9a3fea4bcc6ed.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/c254c437d5bdb4c28df8b25ba0a5e4a2.png b/windows/security/threat-protection/microsoft-defender-atp/images/c254c437d5bdb4c28df8b25ba0a5e4a2.png new file mode 100644 index 0000000000..f973186aa0 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/c254c437d5bdb4c28df8b25ba0a5e4a2.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/c2e647fc8fa31c4f2349c76f2497bc0e.png b/windows/security/threat-protection/microsoft-defender-atp/images/c2e647fc8fa31c4f2349c76f2497bc0e.png index 6e16d764c8..cdb053fdd9 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/c2e647fc8fa31c4f2349c76f2497bc0e.png and b/windows/security/threat-protection/microsoft-defender-atp/images/c2e647fc8fa31c4f2349c76f2497bc0e.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/c9820a5ff84aaf21635c04a23a97ca93.png b/windows/security/threat-protection/microsoft-defender-atp/images/c9820a5ff84aaf21635c04a23a97ca93.png new file mode 100644 index 0000000000..a33cc304f5 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/c9820a5ff84aaf21635c04a23a97ca93.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/c9f85bba3e96d627fe00fc5a8363b83a.png b/windows/security/threat-protection/microsoft-defender-atp/images/c9f85bba3e96d627fe00fc5a8363b83a.png new file mode 100644 index 0000000000..d01d4b01da Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/c9f85bba3e96d627fe00fc5a8363b83a.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/cb0260d4b2636814e37eee427211fe71.png b/windows/security/threat-protection/microsoft-defender-atp/images/cb0260d4b2636814e37eee427211fe71.png new file mode 100644 index 0000000000..7c2c572329 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/cb0260d4b2636814e37eee427211fe71.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/cd7b5a1cbc16cc05f878cdc99ba4c27f.png b/windows/security/threat-protection/microsoft-defender-atp/images/cd7b5a1cbc16cc05f878cdc99ba4c27f.png new file mode 100644 index 0000000000..2b44054fc5 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/cd7b5a1cbc16cc05f878cdc99ba4c27f.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/ce580aec080512d44a37ff8e82e5c2ac.png b/windows/security/threat-protection/microsoft-defender-atp/images/ce580aec080512d44a37ff8e82e5c2ac.png new file mode 100644 index 0000000000..1b3179853c Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/ce580aec080512d44a37ff8e82e5c2ac.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/cea7e288b5d42a9baf1aef0754ade910.png b/windows/security/threat-protection/microsoft-defender-atp/images/cea7e288b5d42a9baf1aef0754ade910.png new file mode 100644 index 0000000000..85d6d6dd51 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/cea7e288b5d42a9baf1aef0754ade910.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/cf30438b5512ac89af1d11cbf35219a6.png b/windows/security/threat-protection/microsoft-defender-atp/images/cf30438b5512ac89af1d11cbf35219a6.png new file mode 100644 index 0000000000..ac3ffa8237 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/cf30438b5512ac89af1d11cbf35219a6.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/cloudsecuritycenter-logo.png b/windows/security/threat-protection/microsoft-defender-atp/images/cloudsecuritycenter-logo.png new file mode 100644 index 0000000000..743ebbe1d5 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/cloudsecuritycenter-logo.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/cloudsoc-logo.png b/windows/security/threat-protection/microsoft-defender-atp/images/cloudsoc-logo.png new file mode 100644 index 0000000000..745fe3da44 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/cloudsoc-logo.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/contoso-machine-group.png b/windows/security/threat-protection/microsoft-defender-atp/images/contoso-machine-group.png new file mode 100644 index 0000000000..954724e574 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/contoso-machine-group.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/corrata-logo.png b/windows/security/threat-protection/microsoft-defender-atp/images/corrata-logo.png new file mode 100644 index 0000000000..be75af835c Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/corrata-logo.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/csis-logo.png b/windows/security/threat-protection/microsoft-defender-atp/images/csis-logo.png new file mode 100644 index 0000000000..8c3037339e Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/csis-logo.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/cybermdx-logo.png b/windows/security/threat-protection/microsoft-defender-atp/images/cybermdx-logo.png new file mode 100644 index 0000000000..90d32e2508 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/cybermdx-logo.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/cybersponse-logo.png b/windows/security/threat-protection/microsoft-defender-atp/images/cybersponse-logo.png new file mode 100644 index 0000000000..dbe2849a0b Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/cybersponse-logo.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/cymulate-logo.png b/windows/security/threat-protection/microsoft-defender-atp/images/cymulate-logo.png new file mode 100644 index 0000000000..daa2aef8f8 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/cymulate-logo.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/cyren-logo.png b/windows/security/threat-protection/microsoft-defender-atp/images/cyren-logo.png new file mode 100644 index 0000000000..155137e4fd Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/cyren-logo.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/d0e0bee1e23464ab729191bbea5c2604.png b/windows/security/threat-protection/microsoft-defender-atp/images/d0e0bee1e23464ab729191bbea5c2604.png new file mode 100644 index 0000000000..2f8b727669 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/d0e0bee1e23464ab729191bbea5c2604.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/d8254adf4bd30290f9a8a0c131830a1f.png b/windows/security/threat-protection/microsoft-defender-atp/images/d8254adf4bd30290f9a8a0c131830a1f.png new file mode 100644 index 0000000000..82131ac913 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/d8254adf4bd30290f9a8a0c131830a1f.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/db15f147dd959e872a044184711d7d46.png b/windows/security/threat-protection/microsoft-defender-atp/images/db15f147dd959e872a044184711d7d46.png new file mode 100644 index 0000000000..a8cd37acf4 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/db15f147dd959e872a044184711d7d46.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/dc9f016cf649f8baaa89eaa0511ebb85.png b/windows/security/threat-protection/microsoft-defender-atp/images/dc9f016cf649f8baaa89eaa0511ebb85.png new file mode 100644 index 0000000000..dd86cc8585 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/dc9f016cf649f8baaa89eaa0511ebb85.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/dd0c00efe615a64a4a368f54257777d0.png b/windows/security/threat-protection/microsoft-defender-atp/images/dd0c00efe615a64a4a368f54257777d0.png new file mode 100644 index 0000000000..e49c575125 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/dd0c00efe615a64a4a368f54257777d0.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/dd55405106da0dfc2f50f8d4525b01c8.png b/windows/security/threat-protection/microsoft-defender-atp/images/dd55405106da0dfc2f50f8d4525b01c8.png new file mode 100644 index 0000000000..6e5f3fa9dc Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/dd55405106da0dfc2f50f8d4525b01c8.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/de180771f31278a2a6225857f73caf0d.png b/windows/security/threat-protection/microsoft-defender-atp/images/de180771f31278a2a6225857f73caf0d.png new file mode 100644 index 0000000000..89a9591408 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/de180771f31278a2a6225857f73caf0d.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/dell-logo.png b/windows/security/threat-protection/microsoft-defender-atp/images/dell-logo.png new file mode 100644 index 0000000000..e8ebeabdda Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/dell-logo.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/delta-risk-activeeye-logo.png b/windows/security/threat-protection/microsoft-defender-atp/images/delta-risk-activeeye-logo.png new file mode 100644 index 0000000000..eb5d7a2d36 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/delta-risk-activeeye-logo.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/demisto-logo.png b/windows/security/threat-protection/microsoft-defender-atp/images/demisto-logo.png new file mode 100644 index 0000000000..205a91f2a4 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/demisto-logo.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/df0c64001b9219cfbd10f8f81a273190.png b/windows/security/threat-protection/microsoft-defender-atp/images/df0c64001b9219cfbd10f8f81a273190.png new file mode 100644 index 0000000000..2dd6492036 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/df0c64001b9219cfbd10f8f81a273190.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/dfdadab79112d61bd3693d957084b0ec.png b/windows/security/threat-protection/microsoft-defender-atp/images/dfdadab79112d61bd3693d957084b0ec.png new file mode 100644 index 0000000000..912ae2f634 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/dfdadab79112d61bd3693d957084b0ec.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/dxc-logo.png b/windows/security/threat-protection/microsoft-defender-atp/images/dxc-logo.png new file mode 100644 index 0000000000..1ec8acb23e Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/dxc-logo.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/e1cc1e48ec9d5d688087b4d771e668d2.png b/windows/security/threat-protection/microsoft-defender-atp/images/e1cc1e48ec9d5d688087b4d771e668d2.png new file mode 100644 index 0000000000..d730bb042b Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/e1cc1e48ec9d5d688087b4d771e668d2.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/e74f6f6c150d017a286e6ed3dffb7757.png b/windows/security/threat-protection/microsoft-defender-atp/images/e74f6f6c150d017a286e6ed3dffb7757.png new file mode 100644 index 0000000000..741d4af9b9 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/e74f6f6c150d017a286e6ed3dffb7757.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/e925142786fa5c0e9309fafc128a5ef7.png b/windows/security/threat-protection/microsoft-defender-atp/images/e925142786fa5c0e9309fafc128a5ef7.png new file mode 100644 index 0000000000..f47188ab2e Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/e925142786fa5c0e9309fafc128a5ef7.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/ea06643280075f16265a596fb9a96042.png b/windows/security/threat-protection/microsoft-defender-atp/images/ea06643280075f16265a596fb9a96042.png index 5fd6b06a58..e0aadcc880 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/ea06643280075f16265a596fb9a96042.png and b/windows/security/threat-protection/microsoft-defender-atp/images/ea06643280075f16265a596fb9a96042.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/eaba2a23dd34f73bf59e826217ba6f15.png b/windows/security/threat-protection/microsoft-defender-atp/images/eaba2a23dd34f73bf59e826217ba6f15.png new file mode 100644 index 0000000000..790aae6d4d Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/eaba2a23dd34f73bf59e826217ba6f15.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/edr-in-block-mode-detection.png b/windows/security/threat-protection/microsoft-defender-atp/images/edr-in-block-mode-detection.png new file mode 100644 index 0000000000..2a5104b582 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/edr-in-block-mode-detection.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/edrblockmode-TVMrecommendation.png b/windows/security/threat-protection/microsoft-defender-atp/images/edrblockmode-TVMrecommendation.png new file mode 100644 index 0000000000..42273cd0d4 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/edrblockmode-TVMrecommendation.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/ef844f52ec2c0d737ce793f68b5e8408.png b/windows/security/threat-protection/microsoft-defender-atp/images/ef844f52ec2c0d737ce793f68b5e8408.png new file mode 100644 index 0000000000..a588c74aae Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/ef844f52ec2c0d737ce793f68b5e8408.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/elastic-security-logo.png b/windows/security/threat-protection/microsoft-defender-atp/images/elastic-security-logo.png new file mode 100644 index 0000000000..30352fe3b7 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/elastic-security-logo.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/f504b2ae0a28a10778b0fa70378c355c.png b/windows/security/threat-protection/microsoft-defender-atp/images/f504b2ae0a28a10778b0fa70378c355c.png new file mode 100644 index 0000000000..b4da9a44be Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/f504b2ae0a28a10778b0fa70378c355c.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/f624de59b3cc86e3e2d32ae5de093e02.png b/windows/security/threat-protection/microsoft-defender-atp/images/f624de59b3cc86e3e2d32ae5de093e02.png new file mode 100644 index 0000000000..314479f578 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/f624de59b3cc86e3e2d32ae5de093e02.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/f878f8efa5ebc92d069f4b8f79f62c7f.png b/windows/security/threat-protection/microsoft-defender-atp/images/f878f8efa5ebc92d069f4b8f79f62c7f.png new file mode 100644 index 0000000000..7bf897ae75 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/f878f8efa5ebc92d069f4b8f79f62c7f.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/f9c3bad127d636c1f150d79814f35d4c.png b/windows/security/threat-protection/microsoft-defender-atp/images/f9c3bad127d636c1f150d79814f35d4c.png new file mode 100644 index 0000000000..8c99263f26 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/f9c3bad127d636c1f150d79814f35d4c.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/fa4ac18a6333335db3775630b8e6b353.png b/windows/security/threat-protection/microsoft-defender-atp/images/fa4ac18a6333335db3775630b8e6b353.png index d1f02b93a7..738869b471 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/fa4ac18a6333335db3775630b8e6b353.png and b/windows/security/threat-protection/microsoft-defender-atp/images/fa4ac18a6333335db3775630b8e6b353.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/fb2220fed3a530f4b3ef36f600da0c27.png b/windows/security/threat-protection/microsoft-defender-atp/images/fb2220fed3a530f4b3ef36f600da0c27.png new file mode 100644 index 0000000000..b16f4b9326 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/fb2220fed3a530f4b3ef36f600da0c27.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/fc3525e20752da026ec9f46ab4fec64f.png b/windows/security/threat-protection/microsoft-defender-atp/images/fc3525e20752da026ec9f46ab4fec64f.png new file mode 100644 index 0000000000..835c7fbd32 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/fc3525e20752da026ec9f46ab4fec64f.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/ffecfdda1c4df14148f1526c22cc0236.png b/windows/security/threat-protection/microsoft-defender-atp/images/ffecfdda1c4df14148f1526c22cc0236.png index 2045d1c748..880d92d76a 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/ffecfdda1c4df14148f1526c22cc0236.png and b/windows/security/threat-protection/microsoft-defender-atp/images/ffecfdda1c4df14148f1526c22cc0236.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/ibm-qradar-logo.png b/windows/security/threat-protection/microsoft-defender-atp/images/ibm-qradar-logo.png new file mode 100644 index 0000000000..47a6790a6f Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/ibm-qradar-logo.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/jamf-login1.png b/windows/security/threat-protection/microsoft-defender-atp/images/jamf-login1.png new file mode 100644 index 0000000000..4668be81df Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/jamf-login1.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/jamf-pro-configure-profile.png b/windows/security/threat-protection/microsoft-defender-atp/images/jamf-pro-configure-profile.png new file mode 100644 index 0000000000..879ecf9575 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/jamf-pro-configure-profile.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/jamf-pro-dashboard.png b/windows/security/threat-protection/microsoft-defender-atp/images/jamf-pro-dashboard.png new file mode 100644 index 0000000000..c54729166f Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/jamf-pro-dashboard.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/jamf-pro-portal1.png b/windows/security/threat-protection/microsoft-defender-atp/images/jamf-pro-portal1.png new file mode 100644 index 0000000000..a3f59fcea3 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/jamf-pro-portal1.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/jamf-pro-static-group.png b/windows/security/threat-protection/microsoft-defender-atp/images/jamf-pro-static-group.png new file mode 100644 index 0000000000..062a297f8c Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/jamf-pro-static-group.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-ca-certificate.png b/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-ca-certificate.png new file mode 100644 index 0000000000..89a3a9fa29 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-ca-certificate.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-configuration-policies.png b/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-configuration-policies.png new file mode 100644 index 0000000000..0c14cc2d3a Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-configuration-policies.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-deployment-target.png b/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-deployment-target.png new file mode 100644 index 0000000000..c533d9000c Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-deployment-target.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-download.png b/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-download.png new file mode 100644 index 0000000000..a3c7524472 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-download.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-install-mdm-profile.png b/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-install-mdm-profile.png new file mode 100644 index 0000000000..b543f8a02a Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-install-mdm-profile.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-install-mdm.png b/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-install-mdm.png new file mode 100644 index 0000000000..4377bc50e3 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-install-mdm.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-mac-profile.png b/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-mac-profile.png new file mode 100644 index 0000000000..ea36ebff47 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-mac-profile.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-machine-group.png b/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-machine-group.png new file mode 100644 index 0000000000..eaea373077 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-machine-group.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-mdm-profile.png b/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-mdm-profile.png new file mode 100644 index 0000000000..bf5017bdbd Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-mdm-profile.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-mdm-unverified.png b/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-mdm-unverified.png new file mode 100644 index 0000000000..0900e110f6 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-mdm-unverified.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-plist-file-onboard.png b/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-plist-file-onboard.png new file mode 100644 index 0000000000..76b784f0fa Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-plist-file-onboard.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-plist-file.png b/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-plist-file.png new file mode 100644 index 0000000000..b3e820638e Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-plist-file.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-plist-upload.png b/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-plist-upload.png new file mode 100644 index 0000000000..62422eaa2d Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-plist-upload.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-plist.png b/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-plist.png new file mode 100644 index 0000000000..53fd89f311 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-plist.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-policies.png b/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-policies.png new file mode 100644 index 0000000000..bf7d34f9d9 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-policies.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-scope-tab.png b/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-scope-tab.png new file mode 100644 index 0000000000..5850b5fc1f Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-scope-tab.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-settings.png b/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-settings.png new file mode 100644 index 0000000000..8c390217ba Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-settings.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-target-computer.png b/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-target-computer.png new file mode 100644 index 0000000000..0f85e9a99d Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-target-computer.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-target-group.png b/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-target-group.png new file mode 100644 index 0000000000..6073a576d5 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-target-group.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-target-selected.png b/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-target-selected.png new file mode 100644 index 0000000000..6bedad674d Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-target-selected.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-targets.png b/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-targets.png
new file mode 100644
index 0000000000..75eb399e74
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-targets.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-upload-plist.png b/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-upload-plist.png
new file mode 100644
index 0000000000..b8c139d6f7
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/jamfpro-upload-plist.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/lookout-logo.png b/windows/security/threat-protection/microsoft-defender-atp/images/lookout-logo.png
new file mode 100644
index 0000000000..7d3c2f51e4
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/lookout-logo.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mac-system-extension-approval.png b/windows/security/threat-protection/microsoft-defender-atp/images/mac-system-extension-approval.png
new file mode 100644
index 0000000000..e82a6f0dce
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mac-system-extension-approval.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mac-system-extension-fda.png b/windows/security/threat-protection/microsoft-defender-atp/images/mac-system-extension-fda.png
new file mode 100644
index 0000000000..fe52985647
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mac-system-extension-fda.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mac-system-extension-filter.png b/windows/security/threat-protection/microsoft-defender-atp/images/mac-system-extension-filter.png
new file mode 100644
index 0000000000..d2f1c35a83
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mac-system-extension-filter.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mac-system-extension-pref.png b/windows/security/threat-protection/microsoft-defender-atp/images/mac-system-extension-pref.png
new file mode 100644
index 0000000000..1b8a3df4ca
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mac-system-extension-pref.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mda-addandroidstoreapp.png b/windows/security/threat-protection/microsoft-defender-atp/images/mda-addandroidstoreapp.png
new file mode 100644
index 0000000000..898b158eb2
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mda-addandroidstoreapp.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mda-addappinfo.png b/windows/security/threat-protection/microsoft-defender-atp/images/mda-addappinfo.png
new file mode 100644
index 0000000000..8ce56b5bd0
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mda-addappinfo.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mda-devicesafe.png b/windows/security/threat-protection/microsoft-defender-atp/images/mda-devicesafe.png
new file mode 100644
index 0000000000..3b8e7507b6
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mda-devicesafe.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mda-properties.png b/windows/security/threat-protection/microsoft-defender-atp/images/mda-properties.png
new file mode 100644
index 0000000000..9a1f5ba312
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mda-properties.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/misp-logo.png b/windows/security/threat-protection/microsoft-defender-atp/images/misp-logo.png
new file mode 100644
index 0000000000..39c75e6b09
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/misp-logo.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/morphisec-logo.png b/windows/security/threat-protection/microsoft-defender-atp/images/morphisec-logo.png
new file mode 100644
index 0000000000..a0a63ce9d6
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/morphisec-logo.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/ms-flow-logo.png b/windows/security/threat-protection/microsoft-defender-atp/images/ms-flow-logo.png
new file mode 100644
index 0000000000..c28a05a8ba
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/ms-flow-logo.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/nextron-thor-logo.png b/windows/security/threat-protection/microsoft-defender-atp/images/nextron-thor-logo.png
new file mode 100644
index 0000000000..e0b5860da6
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/nextron-thor-logo.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/ntt-logo.png b/windows/security/threat-protection/microsoft-defender-atp/images/ntt-logo.png
new file mode 100644
index 0000000000..9dc4f32e3c
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/ntt-logo.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/onboarding-macos.png b/windows/security/threat-protection/microsoft-defender-atp/images/onboarding-macos.png
new file mode 100644
index 0000000000..e0cbad4ba1
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/onboarding-macos.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/paloalto-logo.png b/windows/security/threat-protection/microsoft-defender-atp/images/paloalto-logo.png
new file mode 100644
index 0000000000..fbd16e8c9c
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/paloalto-logo.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/plist-onboarding-file.png b/windows/security/threat-protection/microsoft-defender-atp/images/plist-onboarding-file.png
new file mode 100644
index 0000000000..6c87d56c5f
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/plist-onboarding-file.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/rapid7-logo.png b/windows/security/threat-protection/microsoft-defender-atp/images/rapid7-logo.png
new file mode 100644
index 0000000000..9683cf58e0
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/rapid7-logo.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/redcanary-logo.png b/windows/security/threat-protection/microsoft-defender-atp/images/redcanary-logo.png
new file mode 100644
index 0000000000..dd97b57c10
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/redcanary-logo.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/rsa-netwitness-logo.png b/windows/security/threat-protection/microsoft-defender-atp/images/rsa-netwitness-logo.png
new file mode 100644
index 0000000000..b590724e54
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/rsa-netwitness-logo.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/safebreach-logo.png b/windows/security/threat-protection/microsoft-defender-atp/images/safebreach-logo.png
new file mode 100644
index 0000000000..63a7f90e35
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/safebreach-logo.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/secureworks-logo.png b/windows/security/threat-protection/microsoft-defender-atp/images/secureworks-logo.png
new file mode 100644
index 0000000000..631e156cd1
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/secureworks-logo.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/sentinel-logo.png b/windows/security/threat-protection/microsoft-defender-atp/images/sentinel-logo.png
new file mode 100644
index 0000000000..f48e0a6b9c
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/sentinel-logo.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/sepago-logo.png b/windows/security/threat-protection/microsoft-defender-atp/images/sepago-logo.png
new file mode 100644
index 0000000000..6aea4a45f8
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/sepago-logo.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/servicenow-logo.png b/windows/security/threat-protection/microsoft-defender-atp/images/servicenow-logo.png
new file mode 100644
index 0000000000..0c9f72b10a
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/servicenow-logo.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/skybox-logo.png b/windows/security/threat-protection/microsoft-defender-atp/images/skybox-logo.png
new file mode 100644
index 0000000000..dcb39ef9bb
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/skybox-logo.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/splunk-logo.png b/windows/security/threat-protection/microsoft-defender-atp/images/splunk-logo.png
new file mode 100644
index 0000000000..925f90b44b
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/splunk-logo.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/swimlane-logo.png b/windows/security/threat-protection/microsoft-defender-atp/images/swimlane-logo.png
new file mode 100644
index 0000000000..dfb025884c
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/swimlane-logo.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/symantec-logo.png b/windows/security/threat-protection/microsoft-defender-atp/images/symantec-logo.png
new file mode 100644
index 0000000000..856c312fcd
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/symantec-logo.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/ta-analyst-report.png b/windows/security/threat-protection/microsoft-defender-atp/images/ta-analyst-report.png
new file mode 100644
index 0000000000..8106b9e665
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/ta-analyst-report.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/ta-mitigations.png b/windows/security/threat-protection/microsoft-defender-atp/images/ta-mitigations.png
new file mode 100644
index 0000000000..4aea3eea5a
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/ta-mitigations.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/ta-overview.png b/windows/security/threat-protection/microsoft-defender-atp/images/ta-overview.png
new file mode 100644
index 0000000000..e246a0d3da
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/ta-overview.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/ta.png b/windows/security/threat-protection/microsoft-defender-atp/images/ta.png
deleted file mode 100644
index 42a386d71f..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/ta.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/threat-analytics-report.png b/windows/security/threat-protection/microsoft-defender-atp/images/threat-analytics-report.png
deleted file mode 100644
index 374a1e58b2..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/threat-analytics-report.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/threatconnect-logo.png b/windows/security/threat-protection/microsoft-defender-atp/images/threatconnect-logo.png
new file mode 100644
index 0000000000..f06fcc7589
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/threatconnect-logo.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/trustwave-logo.png b/windows/security/threat-protection/microsoft-defender-atp/images/trustwave-logo.png
new file mode 100644
index 0000000000..f92fc87efe
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/trustwave-logo.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/vectra-logo.png b/windows/security/threat-protection/microsoft-defender-atp/images/vectra-logo.png
new file mode 100644
index 0000000000..a7b6dbc9a9
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/vectra-logo.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/wortell-logo.png b/windows/security/threat-protection/microsoft-defender-atp/images/wortell-logo.png
new file mode 100644
index 0000000000..ab1cf389fe
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/wortell-logo.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/xmcyber-logo.png b/windows/security/threat-protection/microsoft-defender-atp/images/xmcyber-logo.png
new file mode 100644
index 0000000000..791edfa7ef
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/xmcyber-logo.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/zimperium-logo.png b/windows/security/threat-protection/microsoft-defender-atp/images/zimperium-logo.png
new file mode 100644
index 0000000000..5f5451d743
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/zimperium-logo.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/ztap-logo.png b/windows/security/threat-protection/microsoft-defender-atp/images/ztap-logo.png
new file mode 100644
index 0000000000..6a61fa3d9f
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/ztap-logo.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml.md b/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml.md
index f5439add6d..ad7c9cbaa9 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml.md
@@ -1,57 +1,50 @@ --- title: Import, export, and deploy exploit protection configurations -keywords: Exploit protection, mitigations, import, export, configure, emet, convert, conversion, deploy, install -description: Use Group Policy to deploy mitigations configuration. You can also convert an existing EMET configuration and import it as an Exploit protection configuration. +description: Use Group Policy to deploy mitigations configuration. +keywords: Exploit protection, mitigations, import, export, configure, convert, conversion, deploy, install search.product: eADQiWindows 10XVcnh ms.pagetype: security ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium audience: ITPro author: levinec ms.author: ellevin -ms.date: 04/30/2018 ms.reviewer: manager: dansimp --- # Import, export, and deploy exploit protection configurations +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** * [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](microsoft-defender-advanced-threat-protection.md) -Exploit protection applies helps protect devices from malware that use exploits to spread and infect. It consists of a number of mitigations that can be applied at either the operating system level, or at the individual app level. +Exploit protection helps protect devices from malware that use exploits to spread and infect. It consists of a number of mitigations that can be applied at either the operating system level, or at the individual app level. -Many of the features that are part of the [Enhanced Mitigation Experience Toolkit (EMET)](https://support.microsoft.com/help/2458544/) are now included in exploit protection. +You use the Windows Security app or PowerShell to create a set of mitigations (known as a configuration). You can then export this configuration as an XML file and share it with multiple devices on your network. 
Then, they all have the same set of mitigation settings. -You use the Windows Security app or PowerShell to create a set of mitigations (known as a configuration). You can then export this configuration as an XML file and share it with multiple devices on your network so they all have the same set of mitigation settings. - -You can also convert and import an existing EMET configuration XML file into an exploit protection configuration XML. - -This topic describes how to create a configuration file and deploy it across your network, and how to convert an EMET configuration. - -The [Evaluation Package](https://demo.wd.microsoft.com/Page/EP) contains a sample configuration file (name *ProcessMitigation.xml* (Selfhost v4) that you can use to see how the XML structure looks. The sample file also contains settings that have been converted from an EMET configuration. You can open the file in a text editor (such as Notepad) or import it directly into exploit protection and then review the settings in the Windows Security app, as described further in this topic. +The [Evaluation Package](https://demo.wd.microsoft.com/Page/EP) contains a sample configuration file (name *ProcessMitigation.xml* (Selfhost v4) you can use to see how the XML structure looks. The sample file also contains settings that have been converted from an [Enhanced Mitigation Experience Toolkit (no longer supported)](https://support.microsoft.com/en-us/help/2458544/the-enhanced-mitigation-experience-toolkit) configuration. You can open the file in a text editor (such as Notepad) or import it directly into exploit protection and review the settings in the Windows Security app. ## Create and export a configuration file -Before you export a configuration file, you need to ensure you have the correct settings. +Before you export a configuration file, you need to ensure you have the correct settings. First, configure exploit protection on a single, dedicated device. 
See [Customize exploit protection](customize-exploit-protection.md) for more information about configuring mitigations. -You should first configure exploit protection on a single, dedicated device. See [Customize exploit protection](customize-exploit-protection.md) for descriptions about and instructions for configuring mitigations. - -When you have configured exploit protection to your desired state (including both system-level and app-level mitigations), you can export the file using either the Windows Security app or PowerShell. +When you've configured exploit protection to your desired state (including both system-level and app-level mitigations), you can export the file using either the Windows Security app or PowerShell. ### Use the Windows Security app to export a configuration file -1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. +1. Open the Windows Security app by selecting the shield icon in the task bar. Or, search the start menu for **Defender**. -2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection settings**: +2. Select the **App & browser control** tile (or the app icon on the left menu bar) and then select **Exploit protection settings**: ![Highlight of the Exploit protection settings option in the Windows Security app](../images/wdsc-exp-prot.png) -3. At the bottom of the **Exploit protection** section, click **Export settings** and then choose the location and name of the XML file where you want the configuration to be saved. +3. At the bottom of the **Exploit protection** section, select **Export settings**. Choose the location and name of the XML file where you want the configuration to be saved. > [!IMPORTANT] > If you want to use Default configuration, use the settings "On by default" instead of "Use Default (On)" to get the settings exported correctly on the XML file. 
@@ -63,7 +56,7 @@ When you have configured exploit protection to your desired state (including bot ### Use PowerShell to export a configuration file -1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**. +1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and select **Run as administrator**. 2. Enter the following cmdlet: ```PowerShell @@ -74,7 +67,7 @@ When you have configured exploit protection to your desired state (including bot Example command: - **Get-ProcessMitigation -RegistryConfigFilePath C:\ExploitConfigfile.xml** + `Get-ProcessMitigation -RegistryConfigFilePath C:\ExploitConfigfile.xml` > [!IMPORTANT] > When you deploy the configuration using Group Policy, all devices that will use the configuration must be able to access the configuration file. Ensure you place the file in a shared location. @@ -87,7 +80,7 @@ After importing, the settings will be instantly applied and can be reviewed in t ### Use PowerShell to import a configuration file -1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**. +1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and select **Run as administrator**. 2. Enter the following cmdlet: ```PowerShell 
@@ -98,41 +91,11 @@ After importing, the settings will be instantly applied and can be reviewed in t Example command: - **Set-ProcessMitigation -PolicyFilePath C:\ExploitConfigfile.xml** + `Set-ProcessMitigation -PolicyFilePath C:\ExploitConfigfile.xml` > [!IMPORTANT] > -> Ensure you import a configuration file that is created specifically for exploit protection. You cannot directly import an EMET configuration file, you must convert it first. - -## Convert an EMET configuration file to an exploit protection configuration file - -You can convert an existing EMET configuration file to the new format used by exploit protection. You must do this if you want to import an EMET configuration into exploit protection in Windows 10. - -You can only do this conversion in PowerShell. - -> [!WARNING] -> -> You cannot directly convert the default EMET configuration files that are distributed with EMET. These files are intended to help set up EMET for a first-time user. Attempting to directly convert these files into an Exploit protection configuration file will not work. -> -> However, if you want to apply the same settings as in the default EMET configuration files, you must first import the default configuration file into EMET, then export the settings to a new file. -> -> You can then convert that file using the PowerShell cmdlet described here before importing the settings into Exploit protection. - -1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**. -2. Enter the following cmdlet: - - ```PowerShell - ConvertTo-ProcessMitigationPolicy -EMETFilePath emetFile.xml -OutputFilePath filename.xml - ``` - - Change `emetFile` to the name and location of the EMET configuration file, and change `filename` to whichever location and file name you want to use. 
- -> [!IMPORTANT] -> -> If you have enabled Mandatory ASLR for any apps in EMET, export the EMET settings to an XML file, and then convert the XML file into an Exploit protection configuration file, you will need to manually edit the converted XML file to ensure the Mandatory ASLR mitigation setting is correctly configured: -> -> 1. Open the PowerShell-converted XML file in a text editor. -> 2. Search for `ASLR ForceRelocateImages="false"` and change it to `ASLR ForceRelocateImages="true"` for each app that you want Mandatory ASLR to be enabled. +> Ensure you import a configuration file that is created specifically for exploit protection. ## Manage or deploy a configuration 
@@ -143,29 +106,28 @@ You can use Group Policy to deploy the configuration you've created to multiple ### Use Group Policy to distribute the configuration -1. On your Group Policy management device, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/desktop/gpmc/group-policy-management-console-portal), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management device, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/desktop/gpmc/group-policy-management-console-portal), right-click the Group Policy Object you want to configure and **Edit**. -2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +2. In the **Group Policy Management Editor**, go to **Computer configuration** and select **Administrative templates**. 3. Expand the tree to **Windows components** > **Windows Defender Exploit Guard** > **Exploit protection**. ![Screenshot of the group policy setting for exploit protection](../images/exp-prot-gp.png) -4. Double-click the **Use a common set of Exploit protection settings** setting and set the option to **Enabled**. +4. Double-click **Use a common set of Exploit protection settings** and set the option to **Enabled**. -5. In the **Options::** section, enter the location and file name of the Exploit protection configuration file that you want to use, such as in the following examples: +5. In the **Options:** section, enter the location and file name of the Exploit protection configuration file that you want to use, such as in the following examples: - * C:\MitigationSettings\Config.XML - * \\\Server\Share\Config.xml - * https://localhost:8080/Config.xml - * C:\ExploitConfigfile.xml + * `C:\MitigationSettings\Config.XML` + * `\\Server\Share\Config.xml` + * `https://localhost:8080/Config.xml` + * `C:\ExploitConfigfile.xml` -6. 
Click **OK** and [Deploy the updated GPO as you normally do](https://docs.microsoft.com/windows/win32/srvnodes/group-policy). +6. Select **OK** and [Deploy the updated GPO as you normally do](https://docs.microsoft.com/windows/win32/srvnodes/group-policy). -## Related topics +## See also -* [Protect devices from exploits](exploit-protection.md) -* [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection.md) -* [Evaluate exploit protection](evaluate-exploit-protection.md) -* [Enable exploit protection](enable-exploit-protection.md) -* [Configure and audit exploit protection mitigations](customize-exploit-protection.md) +- [Protect devices from exploits](exploit-protection.md) +- [Evaluate exploit protection](evaluate-exploit-protection.md) +- [Enable exploit protection](enable-exploit-protection.md) +- [Configure and audit exploit protection mitigations](customize-exploit-protection.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates.md b/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates.md index a60e510583..cfff5ce687 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates.md +++ b/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates.md @@ -20,6 +20,9 @@ ms.topic: article # Create indicators based on certificates +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) 
@@ -38,7 +41,7 @@ It's important to understand the following requirements prior to creating indica - This feature is available if your organization uses Windows Defender Antivirus and Cloud-based protection is enabled. For more information, see [Manage cloud-based protection](../windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md). - The Antimalware client version must be 4.18.1901.x or later. -- Supported on machines on Windows 10, version 1703 or later. +- Supported on machines on Windows 10, version 1703 or later, Windows server 2016 and 2019. - The virus and threat protection definitions must be up-to-date. - This feature currently supports entering .CER or .PEM file extensions. diff --git a/windows/security/threat-protection/microsoft-defender-atp/indicator-file.md b/windows/security/threat-protection/microsoft-defender-atp/indicator-file.md index c3312ea5e8..8a5a15bf39 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/indicator-file.md +++ b/windows/security/threat-protection/microsoft-defender-atp/indicator-file.md @@ -20,6 +20,9 @@ ms.topic: article # Create indicators for files +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) 
@@ -37,7 +40,7 @@ It's important to understand the following prerequisites prior to creating indic - This feature is available if your organization uses Windows Defender Antivirus and Cloud-based protection is enabled. For more information, see [Manage cloud-based protection](../windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md). - The Antimalware client version must be 4.18.1901.x or later. -- Supported on machines on Windows 10, version 1703 or later. +- Supported on machines on Windows 10, version 1703 or later, Windows server 2016 and 2019. - To start blocking files, you first need to [turn the **Block or allow** feature on](advanced-features.md) in Settings. - This feature is designed to prevent suspected malware (or potentially malicious files) from being downloaded from the web. It currently supports portable executable (PE) files, including _.exe_ and _.dll_ files. The coverage will be extended over time. @@ -76,4 +79,4 @@ Files automatically blocked by an indicator won't show up in the file's Action c - [Create indicators](manage-indicators.md) - [Create indicators for IPs and URLs/domains](indicator-ip-domain.md) - [Create indicators based on certificates](indicator-certificates.md) -- [Manage indicators](indicator-manage.md) \ No newline at end of file +- [Manage indicators](indicator-manage.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain.md b/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain.md index 90e188b28e..4769eb6666 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain.md +++ b/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain.md @@ -1,4 +1,4 @@ ---- +--- title: Create indicators for IPs and URLs/domains ms.reviewer: description: Create indicators for IPs and URLs/domains that define the detection, prevention, and exclusion of entities. 
@@ -20,6 +20,9 @@ ms.topic: article # Create indicators for IPs and URLs/domains +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) @@ -46,6 +49,7 @@ It's important to understand the following prerequisites prior to creating indic > For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge leverages [Network Protection](network-protection.md) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios leverage Network Protection for inspection and enforcement:
                        > NOTE: >- IP is supported for all three protocols +>- Only single IP addresses are supported (no CIDR blocks or IP ranges) >- Encrypted URLs (full path) can only be blocked on first party browsers >- Encrypted URLS (FQDN only) can be blocked outside of first party browsers >- Full URL path blocks can be applied on the domain level and all unencrypted URLs @@ -59,7 +63,7 @@ It's important to understand the following prerequisites prior to creating indic 2. Select the **IP addresses or URLs/Domains** tab. -3. Select **Add indicator**. +3. Select **Add item**. 4. Specify the following details: - Indicator - Specify the entity details and define the expiration of the indicator. @@ -72,4 +76,4 @@ It's important to understand the following prerequisites prior to creating indic - [Create indicators](manage-indicators.md) - [Create indicators for files](indicator-file.md) - [Create indicators based on certificates](indicator-certificates.md) -- [Manage indicators](indicator-manage.md) \ No newline at end of file +- [Manage indicators](indicator-manage.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/indicator-manage.md b/windows/security/threat-protection/microsoft-defender-atp/indicator-manage.md index 2c3ba958b9..54d2c70de6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/indicator-manage.md +++ b/windows/security/threat-protection/microsoft-defender-atp/indicator-manage.md @@ -20,6 +20,9 @@ ms.topic: article # Manage indicators +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview.md b/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview.md
index 0c80426a9f..17b7c51fcd 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview.md
@@ -19,6 +19,9 @@ ms.topic: conceptual
 # Information protection in Windows overview
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
 **Applies to:**
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/information-protection-investigation.md b/windows/security/threat-protection/microsoft-defender-atp/information-protection-investigation.md
index b3c0ba3d56..4c595bdec5 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/information-protection-investigation.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/information-protection-investigation.md
@@ -18,6 +18,9 @@ ms.topic: article
 # Use sensitivity labels to prioritize incident response
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
 **Applies to:**
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
@@ -59,4 +62,4 @@ Learn how to use data sensitivity labels to prioritize incident investigation.
 >[!TIP]
->These data points are also exposed through the ‘DeviceFileEvents’ in advanced hunting, allowing advanced queries and schedule detection to take into account sensitivity labels and file protection status.
\ No newline at end of file
+>These data points are also exposed through the ‘DeviceFileEvents’ in advanced hunting, allowing advanced queries and schedule detection to take into account sensitivity labels and file protection status.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/initiate-autoir-investigation.md b/windows/security/threat-protection/microsoft-defender-atp/initiate-autoir-investigation.md
index e8685bb77b..f464c54bde 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/initiate-autoir-investigation.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/initiate-autoir-investigation.md
@@ -18,6 +18,9 @@ ms.topic: article
 # Start Investigation API
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
 **Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 - Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-alerts.md
index f4d0a71105..892f860dff 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/investigate-alerts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-alerts.md
@@ -20,6 +20,9 @@ ms.date: 04/24/2018
 # Investigate Microsoft Defender Advanced Threat Protection alerts
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
 **Applies to:**
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-behind-proxy.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-behind-proxy.md
index 4bace3c6df..0738fd810b 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/investigate-behind-proxy.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-behind-proxy.md
@@ -1,6 +1,6 @@
 ---
 title: Investigate connection events that occur behind forward proxies
-description: Investigate connection events that occur behind forward proxies
+description: Learn how to use advanced HTTP level monitoring through network protection in Microsoft Defender ATP, which surfaces a real target, instead of a proxy.
 keywords: proxy, network protection, forward proxy, network events, audit, block, domain names, domain
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
@@ -19,6 +19,9 @@ ms.topic: article
 # Investigate connection events that occur behind forward proxies
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
 **Applies to:**
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-domain.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-domain.md
index 3ab170260a..65739231df 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/investigate-domain.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-domain.md
@@ -19,6 +19,9 @@ ms.date: 04/24/2018
 ---
 # Investigate a domain associated with a Microsoft Defender ATP alert
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
 **Applies to:**
diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-files.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-files.md
index ee59109437..0c25dc5114 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/investigate-files.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-files.md
@@ -20,6 +20,9 @@ ms.date: 04/24/2018
 # Investigate a file associated with a Microsoft Defender ATP alert
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
 **Applies to:**
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-incidents.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-incidents.md
index 1bdc888c78..2c7b5a46cc 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/investigate-incidents.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-incidents.md
@@ -19,6 +19,9 @@ ms.topic: article
 # Investigate incidents in Microsoft Defender ATP
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
 **Applies to:**
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
@@ -83,4 +86,4 @@ You can click the circles on the incident graph to view the details of the malic
 ## Related topics
 - [Incidents queue](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue)
 - [Investigate incidents in Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/investigate-incidents)
-- [Manage Microsoft Defender ATP incidents](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-incidents)
\ No newline at end of file
+- [Manage Microsoft Defender ATP incidents](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-incidents)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-ip.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-ip.md
index 81a124863d..5bcdb3f2c1 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/investigate-ip.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-ip.md
@@ -20,6 +20,9 @@ ms.date: 04/24/2018
 # Investigate an IP address associated with a Microsoft Defender ATP alert
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
 **Applies to:**
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md
index bd6a081f9a..6e97ffcfa7 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md
@@ -19,6 +19,9 @@ ms.topic: article
 # Investigate devices in the Microsoft Defender ATP Devices list
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
 **Applies to:**
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-user.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-user.md
index 841262e0fe..dd1a9f6766 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/investigate-user.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-user.md
@@ -19,6 +19,9 @@ ms.date: 04/24/2018
 ---
 # Investigate a user account in Microsoft Defender ATP
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
 **Applies to:**
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigation.md b/windows/security/threat-protection/microsoft-defender-atp/investigation.md
index 9b1015434d..6f499c34c0 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/investigation.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/investigation.md
@@ -18,6 +18,9 @@ ms.topic: article
 # Investigation resource type
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
 **Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 - Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
@@ -61,4 +64,4 @@ triggeringAlertId | String | The ID of the alert that triggered the investigatio
 "computerDnsName": "desktop-test123",
 "triggeringAlertId": "da637139127150012465_1011995739"
 }
-```
\ No newline at end of file
+```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/ios-privacy-statement.md b/windows/security/threat-protection/microsoft-defender-atp/ios-privacy-statement.md
new file mode 100644
index 0000000000..f775848c86
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/ios-privacy-statement.md
@@ -0,0 +1,58 @@
+---
+title: Microsoft Defender ATP for iOS note on Privacy
+ms.reviewer:
+description: Describes the Microsoft Defender ATP for iOS Privacy
+keywords: microsoft, defender, atp, iOS, license, terms, application, use, installation, service, feedback, scope,
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: sunasing
+author: sunasing
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+hideEdit: true
+---
+
+# Microsoft Defender ATP for iOS note on Privacy
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
+## What information can my organization see when I use Microsoft Defender ATP on iOS
+
+Your organization cannot see your personal information when you use Microsoft Defender ATP. Microsoft Defender ATP sends certain pieces of information from your device to the ATP portal, such as device threat level, device model, and serial number. Your organization uses this information to help protect you from web-based attacks.
+
+**What your organization can never see:**
+
+- Calling and web browsing history
+- Email and text messages
+- Contacts
+- Calendar
+- Passwords
+- Pictures, including what's in the photos app or camera roll
+- Files
+
+**What your organization can see:**
+
+- Malicious Connections that were blocked by Microsoft Defender ATP
+- Device model, like iPhone 11
+- Operating system and version, like iOS 12.0.1
+- Device name
+- Device serial number
+
+## VPN Usage
+
+Microsoft Defender ATP for iOS uses VPN in order to provide the Web Protection feature. This is not a regular VPN and is a local/self-looping VPN that does not take traffic outside the device.
+
+## More on Privacy
+
+[More information about Privacy](https://aka.ms/mdatpiosmainprivacystatement)
+
+
+
diff --git a/windows/security/threat-protection/microsoft-defender-atp/ios-terms.md b/windows/security/threat-protection/microsoft-defender-atp/ios-terms.md
new file mode 100644
index 0000000000..6969f1c941
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/ios-terms.md
@@ -0,0 +1,229 @@ +--- +title: Microsoft Defender ATP for iOS Application license terms +ms.reviewer: +description: Describes the Microsoft Defender ATP for iOS license terms +keywords: microsoft, defender, atp, iOS, license, terms, application, use, installation, service, feedback, scope, +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: sunasing +author: sunasing +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +hideEdit: true +--- + +# Microsoft Defender ATP for iOS application license terms + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + +## MICROSOFT APPLICATION LICENSE TERMS: MICROSOFT DEFENDER ATP + +These license terms ("Terms") are an agreement between Microsoft Corporation (or +based on where you live, one of its affiliates) and you. Please read them. They +apply to the application named above. These Terms also apply to any Microsoft + +- updates, + +- supplements, + +- Internet-based services, and + +- support services + +for this application, unless other terms accompany those items. If so, those +terms apply. + +**BY USING THE APPLICATION, YOU ACCEPT THESE TERMS. IF YOU DO NOT ACCEPT THEM, +DO NOT USE THE APPLICATION.** + +**If you comply with these Terms, you have the perpetual rights below.** + +1. **INSTALLATION AND USE RIGHTS.** + + 1. **Installation and Use.** You may install and use any number of copies + of this application on iOS enabled device or devices which you own + or control. You may use this application with your company's valid + subscription of Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) or + an online service that includes MDATP functionalities. + + 2. **Updates.** Updates or upgrades to MDATP may be required for full + functionality. 
Some functionality may not be available in all countries. + + 3. **Third Party Programs.** The application may include third party + programs that Microsoft, not the third party, licenses to you under this + agreement. Notices, if any, for the third-party program are included for + your information only. + +2. **INTERNET ACCESS MAY BE REQUIRED.** You may incur charges related to + Internet access, data transfer and other services per the terms of the data + service plan and any other agreement you have with your network operator due + to use of the application. You are solely responsible for any network + operator charges. + +3. **INTERNET-BASED SERVICES.** Microsoft provides Internet-based services with + the application. It may change or cancel them at any time. + + 1. Consent for Internet-Based or Wireless Services. The application may + connect to Internet-based wireless services. Your use of the application + operates as your consent to the transmission of standard device + information (including but not limited to technical information about + your device, system and application software, and peripherals) for + Internet-based or wireless services. If other terms are provided in + connection with your use of the services, those terms also apply. + + - Data. Some online services require, or may be enhanced by, the + installation of local software like this one. At your, or your + admin's direction, this software may send data from a device to or + from an online service. + + - Usage Data. Microsoft automatically collects usage and performance + data over the internet. This data will be used to provide and + improve Microsoft products and services and enhance your experience. + You may limit or control collection of some usage and performance + data through your device settings. Doing so may disrupt your use of + certain features of the application. 
For additional information on + Microsoft's data collection and use, see the [Online Services + Terms](https://go.microsoft.com/fwlink/?linkid=2106777). + + 2. Misuse of Internet-based Services. You may not use any Internet-based + service in any way that could harm it or impair anyone else's use of it + or the wireless network. You may not use the service to try to gain + unauthorized access to any service, data, account or network by any + means. + +4. **FEEDBACK.** If you give feedback about the application to Microsoft, you + give to Microsoft, without charge, the right to use, share and commercialize + your feedback in any way and for any purpose. You also give to third + parties, without charge, any patent rights needed for their products, + technologies and services to use or interface with any specific parts of a + Microsoft software or service that includes the feedback. You will not give + feedback that is subject to a license that requires Microsoft to license its + software or documentation to third parties because we include your feedback + in them. These rights survive this agreement. + +5. **SCOPE OF LICENSE.** The application is licensed, not sold. This agreement + only gives you some rights to use the application. Microsoft reserves all + other rights. Unless applicable law gives you more rights despite this + limitation, you may use the application only as expressly permitted in this + agreement. In doing so, you must comply with any technical limitations in + the application that only allow you to use it in certain ways. 
You may not + + - work around any technical limitations in the application; + + - reverse engineer, decompile or disassemble the application, except and + only to the extent that applicable law expressly permits, despite this + limitation; + + - make more copies of the application than specified in this agreement or + allowed by applicable law, despite this limitation; + + - publish the application for others to copy; + + - rent, lease or lend the application; or + + - transfer the application or this agreement to any third party. + +6. **EXPORT RESTRICTIONS.** The application is subject to United States export + laws and regulations. You must comply with all domestic and international + export laws and regulations that apply to the application. These laws + include restrictions on destinations, end users and end use. For additional + information, + see [www.microsoft.com/exporting](https://www.microsoft.com/exporting). + +7. **SUPPORT SERVICES.** Because this application is "as is," we may not + provide support services for it. If you have any issues or questions about + your use of this application, including questions about your company's + privacy policy, please contact your company's admin. Do not contact the + application store, your network operator, device manufacturer, or Microsoft. + The application store provider has no obligation to furnish support or + maintenance with respect to the application. + +8. **APPLICATION STORE.** + + 1. If you obtain the application through an application store (e.g., App + Store), please review the applicable application store terms to ensure + your download and use of the application complies with such terms. + Please note that these Terms are between you and Microsoft and not with + the application store. + + 2. 
The respective application store provider and its subsidiaries are third + party beneficiaries of these Terms, and upon your acceptance of these + Terms, the application store provider(s) will have the right to directly + enforce and rely upon any provision of these Terms that grants them a + benefit or rights. + +9. **TRADEMARK NOTICES.** Microsoft, Microsoft Defender ATP, MDATP, and + Microsoft 365 are registered or common-law trademarks of Microsoft + Corporation in the United States and/or other countries. + +10. **ENTIRE AGREEMENT.** This agreement and the terms for supplements, updates, + Internet-based services, and support services that you use are the entire + agreement for the application and support services. + +11. **APPLICABLE LAW.** + + 1. **United States.** If you acquired the application in the United States, + Washington state law governs the interpretation of this agreement and + applies to claims for breach of it, regardless of conflict of laws + principles. The laws of the state where you live govern all other + claims, including claims under state consumer protection laws, unfair + competition laws, and in tort. + + 2. **Outside the United States.** If you acquired the application in any + other country, the laws of that country apply. + +12. **LEGAL EFFECT.** This agreement describes certain legal rights. You may + have other rights under the laws of your country. You may also have rights + with respect to the party from whom you acquired the application. This + agreement does not change your rights under the laws of your country if the + laws of your country do not permit it to do so. + +13. **DISCLAIMER OF WARRANTY. THE APPLICATION IS LICENSED "AS-IS." "WITH ALL + FAULTS," AND "AS AVAILABLE." YOU BEAR THE RISK OF USING IT. 
MICROSOFT AND + WIRELESS CARRIERS OVER WHOSE NETWORK THE APPLICATION IS DISTRIBUTED, AND + EACH OF OUR RESPECTIVE AFFILIATES, AND SUPPLIERS ("COVERED PARTIES") GIVE NO + EXPRESS WARRANTIES, GUARANTEES OR CONDITIONS UNDER OR IN RELATION TO THE + APPLICATION. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE + APPLICATION IS WITH YOU. SHOULD THE APPLICATION BE DEFECTIVE, YOU ASSUME THE + ENTIRE COST OF ALL NECESSARY SERVICING OR REPAIR. YOU MAY HAVE ADDITIONAL + CONSUMER RIGHTS UNDER YOUR LOCAL LAWS WHICH THIS AGREEMENT CANNOT CHANGE. TO + THE EXTENT PERMITTED UNDER YOUR LOCAL LAWS, COVERED PARTIES EXCLUDE THE + IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND + NON-INFRINGEMENT.** + + **FOR AUSTRALIA - YOU HAVE STATUTORY GUARANTEES UNDER THE AUSTRALIAN CONSUMER LAW AND NOTHING IN THESE TERMS IS INTENDED TO AFFECT THOSE RIGHTS.** + +14. **LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. TO THE EXTENT NOT + PROHIBITED BY LAW, YOU CAN RECOVER FROM MICROSOFT ONLY DIRECT DAMAGES UP TO + ONE U.S. DOLLAR (\$1.00). YOU AGREE NOT TO SEEK TO RECOVER ANY OTHER + DAMAGES, INCLUDING CONSEQUENTIAL, LOST PROFITS, SPECIAL, INDIRECT OR + INCIDENTAL DAMAGES FROM ANY COVERED PARTIES.** + +This limitation applies to: + +- anything related to the application, services, content (including code) on + third party Internet sites, or third party programs; and + +- claims for breach of contract, warranty, guarantee or condition; consumer + protection; deception; unfair competition; strict liability, negligence, + misrepresentation, omission, trespass or other tort; violation of statute or + regulation; or unjust enrichment; all to the extent permitted by applicable + law. + +It also applies even if: + +a. Repair, replacement or refund for the application does not fully compensate + you for any losses; or + +b. Covered Parties knew or should have known about the possibility of the + damages. 
+ +The above limitation or exclusion may not apply to you because your country may not allow the exclusion or limitation of incidental, consequential or other damages. diff --git a/windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md b/windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md index ca9dbdfdd3..c16a3f2448 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md +++ b/windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md @@ -1,6 +1,6 @@ --- title: Isolate machine API -description: Use this API to create calls related isolating a device. +description: Learn how to use the Isolate machine API to isolate a device from accessing external network in Microsoft Defender Advanced Threat Protection. keywords: apis, graph api, supported apis, isolate device search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -18,6 +18,9 @@ ms.topic: article # Isolate machine API +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) @@ -84,13 +87,13 @@ Here is an example of the request. [!include[Improve request performance](../../includes/improve-request-performance.md)] -``` +```console POST https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/isolate Content-type: application/json { "Comment": "Isolate machine due to alert 1234", “IsolationType”: “Full” } - +``` - To unisolate a device, see [Release device from isolation](unisolate-machine.md). 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-exclusions.md b/windows/security/threat-protection/microsoft-defender-atp/linux-exclusions.md index 3c07af2507..9ad7e0b073 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-exclusions.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-exclusions.md @@ -19,6 +19,9 @@ ms.topic: conceptual # Configure and validate exclusions for Microsoft Defender ATP for Linux +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md) @@ -43,7 +46,7 @@ Exclusion | Definition | Examples ---|---|--- File extension | All files with the extension, anywhere on the device | `.test` File | A specific file identified by the full path | `/var/log/test.log`
                        `/var/log/*.log`
                        `/var/log/install.?.log` -Folder | All files under the specified folder | `/var/log/`
                        `/var/*/` +Folder | All files under the specified folder (recursively) | `/var/log/`
                        `/var/*/` Process | A specific process (specified either by the full path or file name) and all files opened by it | `/bin/cat`
                        `cat`
                        `c?t` File, folder, and process exclusions support the following wildcards: @@ -64,36 +67,56 @@ For more information on how to configure exclusions from Puppet, Ansible, or ano Run the following command to see the available switches for managing exclusions: ```bash -$ mdatp exclusion +mdatp exclusion ``` +> [!TIP] +> When configuring exclusions with wildcards, enclose the parameter in double-quotes to prevent globbing. + Examples: - Add an exclusion for a file extension: ```bash - $ mdatp exclusion extension add --name .txt + mdatp exclusion extension add --name .txt + ``` + ```Output Extension exclusion configured successfully ``` - Add an exclusion for a file: ```bash - $ mdatp exclusion file add --path /var/log/dummy.log + mdatp exclusion file add --path /var/log/dummy.log + ``` + ```Output File exclusion configured successfully ``` - Add an exclusion for a folder: ```bash - $ mdatp exclusion folder add --path /var/log/ + mdatp exclusion folder add --path /var/log/ + ``` + ```Output + Folder exclusion configured successfully + ``` + +- Add an exclusion for a folder with a wildcard in it: + + ```bash + mdatp exclusion folder add --path "/var/*/" + ``` + ```Output Folder exclusion configured successfully ``` - Add an exclusion for a process: ```bash - $ mdatp exclusion process add --name cat + mdatp exclusion process add --name cat + ``` + ```Output Process exclusion configured successfully ``` 
@@ -104,7 +127,7 @@ You can validate that your exclusion lists are working by using `curl` to downlo In the following Bash snippet, replace `test.txt` with a file that conforms to your exclusion rules. For example, if you have excluded the `.testing` extension, replace `test.txt` with `test.testing`. If you are testing a path, ensure that you run the command within that path. ```bash -$ curl -o test.txt https://www.eicar.org/download/eicar.com.txt +curl -o test.txt https://www.eicar.org/download/eicar.com.txt ``` If Microsoft Defender ATP for Linux reports malware, then the rule is not working. If there is no report of malware, and the downloaded file exists, then the exclusion is working. You can open the file to confirm that the contents are the same as what is described on the [EICAR test file website](http://2016.eicar.org/86-0-Intended-use.html). @@ -116,3 +139,25 @@ echo 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' > te ``` You can also copy the string into a blank text file and attempt to save it with the file name or in the folder you are attempting to exclude. + +## Allow threats + +In addition to excluding certain content from being scanned, you can also configure the product not to detect some classes of threats (identified by the threat name). You should exercise caution when using this functionality, as it can leave your device unprotected. + +To add a threat name to the allowed list, execute the following command: + +```bash +mdatp threat allowed add --name [threat-name] +``` + +The threat name associated with a detection on your device can be obtained using the following command: + +```bash +mdatp threat list +``` + +For example, to add `EICAR-Test-File (not a virus)` (the threat name associated with the EICAR detection) to the allowed list, execute the following command: + +```bash +mdatp threat allowed add --name "EICAR-Test-File (not a virus)" +``` 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md index 0ac4cc8574..157c193e75 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md @@ -20,6 +20,9 @@ ms.topic: conceptual # Deploy Microsoft Defender ATP for Linux manually +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md) @@ -71,7 +74,7 @@ In order to preview new features and provide early feedback, it is recommended t sudo rpm --import http://packages.microsoft.com/keys/microsoft.asc ``` -- Install `yum-utils` if it is not already installed: +- Install `yum-utils` if it isn't installed yet: ```bash sudo yum install yum-utils @@ -107,13 +110,13 @@ In order to preview new features and provide early feedback, it is recommended t ### Ubuntu and Debian systems -- Install `curl` if it is not already installed: +- Install `curl` if it isn't installed yet: ```bash sudo apt-get install curl ``` -- Install `libplist-utils` if it is not already installed: +- Install `libplist-utils` if it isn't installed yet: ```bash sudo apt-get install libplist-utils 
@@ -177,14 +180,17 @@ In order to preview new features and provide early feedback, it is recommended t ```bash # list all repositories - $ yum repolist + yum repolist + ``` + ```Output ... packages-microsoft-com-prod packages-microsoft-com-prod 316 packages-microsoft-com-prod-insiders-fast packages-microsoft-com-prod-ins 2 ... - + ``` + ```bash # install the package from the production repository - $ sudo yum --enablerepo=packages-microsoft-com-prod install mdatp + sudo yum --enablerepo=packages-microsoft-com-prod install mdatp ``` - SLES and variants: @@ -196,16 +202,18 @@ In order to preview new features and provide early feedback, it is recommended t If you have multiple Microsoft repositories configured on your device, you can be specific about which repository to install the package from. The following example shows how to install the package from the `production` channel if you also have the `insiders-fast` repository channel configured on this device. This situation can happen if you are using multiple Microsoft products on your device. ```bash - # list all repositories - $ zypper repos + zypper repos + ``` + + ```Output ... # | Alias | Name | ... XX | packages-microsoft-com-insiders-fast | microsoft-insiders-fast | ... XX | packages-microsoft-com-prod | microsoft-prod | ... ... - - # install the package from the production repository - $ sudo zypper install packages-microsoft-com-prod:mdatp + ``` + ```bash + sudo zypper install packages-microsoft-com-prod:mdatp ``` - Ubuntu and Debian system: 
@@ -217,13 +225,14 @@ In order to preview new features and provide early feedback, it is recommended t If you have multiple Microsoft repositories configured on your device, you can be specific about which repository to install the package from. The following example shows how to install the package from the `production` channel if you also have the `insiders-fast` repository channel configured on this device. This situation can happen if you are using multiple Microsoft products on your device. ```bash - # list all repositories - $ cat /etc/apt/sources.list.d/* + cat /etc/apt/sources.list.d/* + ``` + ```Output deb [arch=arm64,armhf,amd64] https://packages.microsoft.com/ubuntu/18.04/prod insiders-fast main deb [arch=amd64] https://packages.microsoft.com/ubuntu/18.04/prod bionic main - - # install the package from the production repository - $ sudo apt -t bionic install mdatp + ``` + ```bash + sudo apt -t bionic install mdatp ``` ## Download the onboarding package @@ -243,17 +252,19 @@ Download the onboarding package from Microsoft Defender Security Center: ls -l ``` - `total 8` - `-rw-r--r-- 1 test staff 5752 Feb 18 11:22 WindowsDefenderATPOnboardingPackage.zip` + ```Output + total 8 + -rw-r--r-- 1 test staff 5752 Feb 18 11:22 WindowsDefenderATPOnboardingPackage.zip + ``` ```bash unzip WindowsDefenderATPOnboardingPackage.zip + ``` + ```Output Archive: WindowsDefenderATPOnboardingPackage.zip inflating: MicrosoftDefenderATPOnboardingLinuxServer.py ``` - `Archive: WindowsDefenderATPOnboardingPackage.zip` - `inflating: WindowsDefenderATPOnboarding.py` ## Client configuration 
@@ -320,4 +331,4 @@ When upgrading your operating system to a new major version, you must first unin ## Uninstallation -See [Uninstall](linux-resources.md#uninstall) for details on how to remove Microsoft Defender ATP for Linux from client devices. \ No newline at end of file +See [Uninstall](linux-resources.md#uninstall) for details on how to remove Microsoft Defender ATP for Linux from client devices. diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md index 709b03a5e2..4e622f504d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md @@ -20,11 +20,14 @@ ms.topic: conceptual # Deploy Microsoft Defender ATP for Linux with Ansible +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md) -This topic describes how to deploy Microsoft Defender ATP for Linux using Ansible. A successful deployment requires the completion of all of the following tasks: +This article describes how to deploy Microsoft Defender ATP for Linux using Ansible. A successful deployment requires the completion of all of the following tasks: - [Download the onboarding package](#download-the-onboarding-package) - [Create Ansible YAML files](#create-ansible-yaml-files) 
@@ -33,12 +36,12 @@ This topic describes how to deploy Microsoft Defender ATP for Linux using Ansibl ## Prerequisites and system requirements -Before you get started, please see [the main Microsoft Defender ATP for Linux page](microsoft-defender-atp-linux.md) for a description of prerequisites and system requirements for the current software version. +Before you get started, see [the main Microsoft Defender ATP for Linux page](microsoft-defender-atp-linux.md) for a description of prerequisites and system requirements for the current software version. -In addition, for Ansible deployment, you need to be familiar with Ansible administration tasks, have Ansible configured, and know how to deploy playbooks and tasks. Ansible has many ways to complete the same task. These instructions assume availability of supported Ansible modules, such as *apt* and *unarchive* to help deploy the package. Your organization might use a different workflow. Please refer to the [Ansible documentation](https://docs.ansible.com/) for details. +In addition, for Ansible deployment, you need to be familiar with Ansible administration tasks, have Ansible configured, and know how to deploy playbooks and tasks. Ansible has many ways to complete the same task. These instructions assume availability of supported Ansible modules, such as *apt* and *unarchive* to help deploy the package. Your organization might use a different workflow. Refer to the [Ansible documentation](https://docs.ansible.com/) for details. -- Ansible needs to be installed on at least on one computer (we will call it the master). -- SSH must be configured for an administrator account between the master and all clients, and it is recommended be configured with public key authentication. +- Ansible needs to be installed on at least one computer (we will call it the primary computer). 
+- SSH must be configured for an administrator account between the primary computer and all clients, and it is recommended be configured with public key authentication. - The following software must be installed on all clients: - curl - python-apt @@ -54,7 +57,7 @@ In addition, for Ansible deployment, you need to be familiar with Ansible admini - Ping test: ```bash - $ ansible -m ping all + ansible -m ping all ``` ## Download the onboarding package @@ -70,10 +73,16 @@ Download the onboarding package from Microsoft Defender Security Center: 4. From a command prompt, verify that you have the file. Extract the contents of the archive: ```bash - $ ls -l + ls -l + ``` + ```Output total 8 -rw-r--r-- 1 test staff 4984 Feb 18 11:22 WindowsDefenderATPOnboardingPackage.zip - $ unzip WindowsDefenderATPOnboardingPackage.zip + ``` + ```bash + unzip WindowsDefenderATPOnboardingPackage.zip + ``` + ```Output Archive: WindowsDefenderATPOnboardingPackage.zip inflating: mdatp_onboard.json ``` @@ -158,7 +167,9 @@ Create a subtask or role files that contribute to an playbook or task. - For apt-based distributions use the following YAML file: ```bash - $ cat install_mdatp.yml + cat install_mdatp.yml + ``` + ```Output - hosts: servers tasks: - include: ../roles/onboarding_setup.yml @@ -170,7 +181,9 @@ Create a subtask or role files that contribute to an playbook or task. ``` ```bash - $ cat uninstall_mdatp.yml + cat uninstall_mdatp.yml + ``` + ```Output - hosts: servers tasks: - apt: @@ -181,7 +194,9 @@ Create a subtask or role files that contribute to an playbook or task. - For yum-based distributions use the following YAML file: ```bash - $ cat install_mdatp_yum.yml + cat install_mdatp_yum.yml + ``` + ```Output - hosts: servers tasks: - include: ../roles/onboarding_setup.yml @@ -193,7 +208,9 @@ Create a subtask or role files that contribute to an playbook or task. ``` ```bash - $ cat uninstall_mdatp_yum.yml + cat uninstall_mdatp_yum.yml + ``` + ```Output - hosts: servers tasks: - yum: 
@@ -208,7 +225,7 @@ Now run the tasks files under `/etc/ansible/playbooks/` or relevant directory. - Installation: ```bash - $ ansible-playbook /etc/ansible/playbooks/install_mdatp.yml -i /etc/ansible/hosts + ansible-playbook /etc/ansible/playbooks/install_mdatp.yml -i /etc/ansible/hosts ``` > [!IMPORTANT] @@ -217,14 +234,16 @@ Now run the tasks files under `/etc/ansible/playbooks/` or relevant directory. - Validation/configuration: ```bash - $ ansible -m shell -a 'mdatp connectivity test' all - $ ansible -m shell -a 'mdatp health' all + ansible -m shell -a 'mdatp connectivity test' all + ``` + ```bash + ansible -m shell -a 'mdatp health' all ``` - Uninstallation: ```bash - $ ansible-playbook /etc/ansible/playbooks/uninstall_mdatp.yml -i /etc/ansible/hosts + ansible-playbook /etc/ansible/playbooks/uninstall_mdatp.yml -i /etc/ansible/hosts ``` ## Log installation issues diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md index ef1aa769a6..a89c89272b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md 
@@ -20,11 +20,14 @@ ms.topic: conceptual # Deploy Microsoft Defender ATP for Linux with Puppet +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md) -This topic describes how to deploy Microsoft Defender ATP for Linux using Puppet. A successful deployment requires the completion of all of the following tasks: +This article describes how to deploy Microsoft Defender ATP for Linux using Puppet. A successful deployment requires the completion of all of the following tasks: - [Download the onboarding package](#download-the-onboarding-package) - [Create Puppet manifest](#create-a-puppet-manifest) @@ -35,7 +38,7 @@ This topic describes how to deploy Microsoft Defender ATP for Linux using Puppet For a description of prerequisites and system requirements for the current software version, see [the main Microsoft Defender ATP for Linux page](microsoft-defender-atp-linux.md). -In addition, for Puppet deployment, you need to be familiar with Puppet administration tasks, have Puppet configured, and know how to deploy packages. Puppet has many ways to complete the same task. These instructions assume availability of supported Puppet modules, such as *apt* to help deploy the package. Your organization might use a different workflow. Please refer to the [Puppet documentation](https://puppet.com/docs) for details. +In addition, for Puppet deployment, you need to be familiar with Puppet administration tasks, have Puppet configured, and know how to deploy packages. Puppet has many ways to complete the same task. These instructions assume availability of supported Puppet modules, such as *apt* to help deploy the package. Your organization might use a different workflow. Refer to the [Puppet documentation](https://puppet.com/docs) for details. ## Download the onboarding package 
@@ -47,13 +50,20 @@ Download the onboarding package from Microsoft Defender Security Center: ![Microsoft Defender Security Center screenshot](images/atp-portal-onboarding-linux-2.png) -4. From a command prompt, verify that you have the file. Extract the contents of the archive: +4. From a command prompt, verify that you have the file. ```bash - $ ls -l + ls -l + ``` + ```Output total 8 -rw-r--r-- 1 test staff 4984 Feb 18 11:22 WindowsDefenderATPOnboardingPackage.zip - $ unzip WindowsDefenderATPOnboardingPackage.zip + ``` +5. Extract the contents of the archive. + ```bash + unzip WindowsDefenderATPOnboardingPackage.zip + ``` + ```Output Archive: WindowsDefenderATPOnboardingPackage.zip inflating: mdatp_onboard.json ``` 
@@ -62,13 +72,19 @@ Download the onboarding package from Microsoft Defender Security Center: You need to create a Puppet manifest for deploying Microsoft Defender ATP for Linux to devices managed by a Puppet server. This example makes use of the *apt* and *yumrepo* modules available from puppetlabs, and assumes that the modules have been installed on your Puppet server. -Create the folders *install_mdatp/files* and *install_mdatp/manifests* under the modules folder of your Puppet installation. This is typically located in */etc/puppetlabs/code/environments/production/modules* on your Puppet server. Copy the mdatp_onboard.json file created above to the *install_mdatp/files* folder. Create an *init.pp* file that contains the deployment instructions: +Create the folders *install_mdatp/files* and *install_mdatp/manifests* under the modules folder of your Puppet installation. This folder is typically located in */etc/puppetlabs/code/environments/production/modules* on your Puppet server. Copy the mdatp_onboard.json file created above to the *install_mdatp/files* folder. Create an *init.pp* file that contains the deployment instructions: ```bash -$ pwd +pwd +``` +```Output /etc/puppetlabs/code/environments/production/modules +``` -$ tree install_mdatp +```bash +tree install_mdatp +``` +```Output install_mdatp ├── files │   └── mdatp_onboard.json 
@@ -161,20 +177,24 @@ $version = undef Include the above manifest in your site.pp file: ```bash -$ cat /etc/puppetlabs/code/environments/production/manifests/site.pp +cat /etc/puppetlabs/code/environments/production/manifests/site.pp +``` +```Output node "default" { include install_mdatp } ``` -Enrolled agent devices periodically poll the Puppet Server, and install new configuration profiles and policies as soon as they are detected. +Enrolled agent devices periodically poll the Puppet Server and install new configuration profiles and policies as soon as they are detected. ## Monitor Puppet deployment On the agent device, you can also check the onboarding status by running: ```bash -$ mdatp health +mdatp health +``` +```Output ... licensed : true org_id : "[your organization identifier]" @@ -200,7 +220,7 @@ The above command prints `1` if the product is onboarded and functioning as expe If the product is not healthy, the exit code (which can be checked through `echo $?`) indicates the problem: -- 1 if the device is not yet onboarded. +- 1 if the device isn't onboarded yet. - 3 if the connection to the daemon cannot be established. ## Log installation issues diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-preferences.md b/windows/security/threat-protection/microsoft-defender-atp/linux-preferences.md index 4e59ea8aad..22cebfbcda 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-preferences.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-preferences.md @@ -20,6 +20,9 @@ ms.topic: conceptual # Set preferences for Microsoft Defender ATP for Linux +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md) 
@@ -29,7 +32,7 @@ ms.topic: conceptual In enterprise environments, Microsoft Defender ATP for Linux can be managed through a configuration profile. This profile is deployed from the management tool of your choice. Preferences managed by the enterprise take precedence over the ones set locally on the device. In other words, users in your enterprise are not able to change preferences that are set through this configuration profile. -This topic describes the structure of this profile (including a recommended profile that you can use to get started) and instructions on how to deploy the profile. +This article describes the structure of this profile (including a recommended profile that you can use to get started) and instructions on how to deploy the profile. ## Configuration profile structure @@ -141,7 +144,7 @@ Used to exclude content from the scan by file extension. **Process excluded from the scan** -Specifies a process for which all file activity is excluded from scanning. The process can be specified either by its name (e.g. `cat`) or full path (e.g. `/bin/cat`). +Specifies a process for which all file activity is excluded from scanning. The process can be specified either by its name (for example, `cat`) or full path (for example, `/bin/cat`). ||| |:---|:---| @@ -215,6 +218,28 @@ Specifies the merge policy for threat type settings. This can be a combination o | **Possible values** | merge (default)
                        admin_only | | **Comments** | Available in Microsoft Defender ATP version 100.83.73 or higher. | +#### Antivirus scan history retention (in days) + +Specify the number of days that results are retained in the scan history on the device. Old scan results are removed from the history. Old quarantined files that are also removed from the disk. + +||| +|:---|:---| +| **Key** | scanResultsRetentionDays | +| **Data type** | String | +| **Possible values** | 90 (default). Allowed values are from 1 day to 180 days. | +| **Comments** | Available in Microsoft Defender ATP version 101.04.76 or higher. | + +#### Maximum number of items in the antivirus scan history + +Specify the maximum number of entries to keep in the scan history. Entries include all on-demand scans performed in the past and all antivirus detections. + +||| +|:---|:---| +| **Key** | scanHistoryMaximumItems | +| **Data type** | String | +| **Possible values** | 10000 (default). Allowed values are from 5000 items to 15000 items. | +| **Comments** | Available in Microsoft Defender ATP version 101.04.76 or higher. | + ### Cloud-delivered protection preferences The *cloudService* entry in the configuration profile is used to configure the cloud-driven protection feature of the product. @@ -373,7 +398,7 @@ The following configuration profile contains entries for all settings described The configuration profile must be a valid JSON-formatted file. There are a number of tools that can be used to verify this. For example, if you have `python` installed on your device: ```bash -$ python -m json.tool mdatp_managed.json +python -m json.tool mdatp_managed.json ``` If the JSON is well-formed, the above command outputs it back to the Terminal and returns an exit code of `0`. Otherwise, an error that describes the issue is displayed and the command returns an exit code of `1`. 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-privacy.md b/windows/security/threat-protection/microsoft-defender-atp/linux-privacy.md index 448b784c40..e5d120eb83 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-privacy.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-privacy.md @@ -19,6 +19,9 @@ ms.topic: conceptual # Privacy for Microsoft Defender ATP for Linux +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-pua.md b/windows/security/threat-protection/microsoft-defender-atp/linux-pua.md index 415341d721..40ac81e1d0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-pua.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-pua.md @@ -19,6 +19,9 @@ ms.topic: conceptual # Detect and block potentially unwanted applications with Microsoft Defender ATP for Linux +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md) 
@@ -53,13 +56,13 @@ You can configure how PUA files are handled from the command line or from the ma In Terminal, execute the following command to configure PUA protection: ```bash -$ mdatp threat policy set --type potentially_unwanted_application --action [off|audit|block] +mdatp threat policy set --type potentially_unwanted_application --action [off|audit|block] ``` ### Use the management console to configure PUA protection: -In your enterprise, you can configure PUA protection from a management console, such as Puppet or Ansible, similarly to how other product settings are configured. For more information, see the [Threat type settings](linux-preferences.md#threat-type-settings) section of the [Set preferences for Microsoft Defender ATP for Linux](linux-preferences.md) topic. +In your enterprise, you can configure PUA protection from a management console, such as Puppet or Ansible, similarly to how other product settings are configured. For more information, see the [Threat type settings](linux-preferences.md#threat-type-settings) section of the [Set preferences for Microsoft Defender ATP for Linux](linux-preferences.md) article. -## Related topics +## Related articles -- [Set preferences for Microsoft Defender ATP for Linux](linux-preferences.md) \ No newline at end of file +- [Set preferences for Microsoft Defender ATP for Linux](linux-preferences.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-resources.md b/windows/security/threat-protection/microsoft-defender-atp/linux-resources.md index a038804f65..e79f91ce6c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-resources.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-resources.md 
@@ -20,34 +20,44 @@ ms.topic: conceptual # Resources +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md) ## Collect diagnostic information -If you can reproduce a problem, please increase the logging level, run the system for some time, and restore the logging level to the default. +If you can reproduce a problem, first increase the logging level, run the system for some time, and then restore the logging level to the default. 1. Increase logging level: ```bash - $ mdatp log level set --level verbose + mdatp log level set --level verbose + ``` + ```Output Log level configured successfully ``` 2. Reproduce the problem. -3. Run `sudo mdatp diagnostic create` to back up Microsoft Defender ATP's logs. The files will be stored inside of a .zip archive. This command will also print out the file path to the backup after the operation succeeds: +3. Run the following command to back up Microsoft Defender ATP's logs. The files will be stored inside of a .zip archive. ```bash - $ sudo mdatp diagnostic create + sudo mdatp diagnostic create + ``` + This command will also print out the file path to the backup after the operation succeeds: + ```Output Diagnostic file created: ``` 4. Restore logging level: ```bash - $ mdatp log level set --level info + mdatp log level set --level info + ``` + ```Output Log level configured successfully ``` 
@@ -59,7 +69,7 @@ The detailed log will be saved to `/var/log/microsoft/mdatp_install.log`. If you ## Uninstall -There are several ways to uninstall Microsoft Defender ATP for Linux. If you are using a configuration tool such as Puppet, please follow the package uninstallation instructions for the configuration tool. +There are several ways to uninstall Microsoft Defender ATP for Linux. If you are using a configuration tool such as Puppet, follow the package uninstallation instructions for the configuration tool. ### Manual uninstallation @@ -73,7 +83,7 @@ Important tasks, such as controlling product settings and triggering on-demand s ### Global options -By default, the command-line tool outputs the result in human-readable format. In addition to this, the tool also supports outputting the result as JSON, which is useful for automation scenarios. To change the output to JSON, pass `--output json` to any of the below commands. +By default, the command-line tool outputs the result in human-readable format. In addition, the tool also supports outputting the result as JSON, which is useful for automation scenarios. To change the output to JSON, pass `--output json` to any of the below commands. ### Supported commands @@ -91,6 +101,9 @@ The following table lists commands for some of the most common scenarios. Run `m |Configuration |Add/remove an antivirus exclusion for a directory |`mdatp exclusion folder [add|remove] --path [path-to-directory]` | |Configuration |Add/remove an antivirus exclusion for a process |`mdatp exclusion process [add|remove] --path [path-to-process]`
                        `mdatp exclusion process [add|remove] --name [process-name]` | |Configuration |List all antivirus exclusions |`mdatp exclusion list` | +|Configuration |Add a threat name to the allowed list |`mdatp threat allowed add --name [threat-name]` | +|Configuration |Remove a threat name from the allowed list |`mdatp threat allowed remove --name [threat-name]` | +|Configuration |List all allowed threat names |`mdatp threat allowed list` | |Configuration |Turn on PUA protection |`mdatp threat policy set --type potentially_unwanted_application --action block` | |Configuration |Turn off PUA protection |`mdatp threat policy set --type potentially_unwanted_application --action off` | |Configuration |Turn on audit mode for PUA protection |`mdatp threat policy set --type potentially_unwanted_application --action audit` | @@ -107,8 +120,8 @@ The following table lists commands for some of the most common scenarios. Run `m |Quarantine management |List all quarantined files |`mdatp threat quarantine list` | |Quarantine management |Remove all files from the quarantine |`mdatp threat quarantine remove-all` | |Quarantine management |Add a file detected as a threat to the quarantine |`mdatp threat quarantine add --id [threat-id]` | -|Quarantine management |Remove a file detected as a threat from the quarantine |`mdatp threat quarantine add --id [threat-id]` | -|Quarantine management |Restore a file from the quarantine |`mdatp threat quarantine add --id [threat-id]` | +|Quarantine management |Remove a file detected as a threat from the quarantine |`mdatp threat quarantine remove --id [threat-id]` | +|Quarantine management |Restore a file from the quarantine |`mdatp threat quarantine restore --id [threat-id]` | ## Microsoft Defender ATP portal information 
@@ -138,5 +151,5 @@ In the Microsoft Defender ATP portal, you'll see two categories of information: - In SUSE distributions, if the installation of *libatomic1* fails, you should validate that your OS is registered: ```bash - $ sudo SUSEConnect --status-text - ``` \ No newline at end of file + sudo SUSEConnect --status-text + ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-static-proxy-configuration.md b/windows/security/threat-protection/microsoft-defender-atp/linux-static-proxy-configuration.md index 0ac647a0b9..d2df9ea151 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-static-proxy-configuration.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-static-proxy-configuration.md @@ -20,6 +20,9 @@ ms.topic: conceptual # Configure Microsoft Defender ATP for Linux for static proxy discovery +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md) @@ -48,7 +51,7 @@ During installation, the ```HTTPS_PROXY``` environment variable must be passed t - The `HTTPS_PROXY` variable is prepended to the installation or uninstallation commands. For example, with the APT package manager, prepend the variable as follows when installing Microsoft Defender ATP: ```bash - $ HTTPS_PROXY="http://proxy.server:port/" apt install mdatp + HTTPS_PROXY="http://proxy.server:port/" apt install mdatp ``` > [!NOTE] 
@@ -56,7 +59,7 @@ During installation, the ```HTTPS_PROXY``` environment variable must be passed t The `HTTPS_PROXY` environment variable may similarly be defined during uninstallation. -Note that installation and uninstallation will not necessarily fail if a proxy is required but not configured. However, telemetry will not be submitted, and the operation could take significantly longer due to network timeouts. +Note that installation and uninstallation will not necessarily fail if a proxy is required but not configured. However, telemetry will not be submitted, and the operation could take much longer due to network timeouts. ## Post installation configuration @@ -73,5 +76,5 @@ After installation, the `HTTPS_PROXY` environment variable must be defined in th After modifying the `mdatp.service` file, save and close it. Restart the service so the changes can be applied. In Ubuntu, this involves two commands: ```bash -$ systemctl daemon-reload; systemctl restart mdatp +systemctl daemon-reload; systemctl restart mdatp ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-support-connectivity.md b/windows/security/threat-protection/microsoft-defender-atp/linux-support-connectivity.md index f48ac979fd..81de10526e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-support-connectivity.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-support-connectivity.md @@ -20,6 +20,9 @@ ms.topic: conceptual # Troubleshoot cloud connectivity issues for Microsoft Defender ATP for Linux +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md) 
@@ -29,7 +32,7 @@ ms.topic: conceptual To test if Microsoft Defender ATP for Linux can communicate to the cloud with the current network settings, run a connectivity test from the command line: ```bash -$ mdatp connectivity test +mdatp connectivity test ``` If the connectivity test fails, check if the device has Internet access and if [any of the endpoints required by the product](microsoft-defender-atp-linux.md#network-connections) are blocked by a proxy or firewall. @@ -44,7 +47,7 @@ curl -w ' %{url_effective}\n' 'https://x.cp.wd.microsoft.com/api/report' 'https: The output from this command should be similar to: -```bash +```Output OK https://x.cp.wd.microsoft.com/api/report OK https://cdn.x.cp.wd.microsoft.com/ping ``` @@ -59,7 +62,7 @@ OK https://cdn.x.cp.wd.microsoft.com/ping If a static proxy is required, add a proxy parameter to the above command, where `proxy_address:port` correspond to the proxy address and port: ```bash -$ curl -x http://proxy_address:port -w ' %{url_effective}\n' 'https://x.cp.wd.microsoft.com/api/report' 'https://cdn.x.cp.wd.microsoft.com/ping' +curl -x http://proxy_address:port -w ' %{url_effective}\n' 'https://x.cp.wd.microsoft.com/api/report' 'https://cdn.x.cp.wd.microsoft.com/ping' ``` Ensure that you use the same proxy address and port as configured in the `/lib/system/system/mdatp.service` file. Check your proxy configuration if there are errors from the above commands. 
@@ -78,17 +81,17 @@ Also ensure that the correct static proxy address is filled in to replace `addre If this file is correct, try running the following command in the terminal to reload Microsoft Defender ATP for Linux and propagate the setting: ```bash -$ sudo systemctl daemon-reload; sudo systemctl restart mdatp +sudo systemctl daemon-reload; sudo systemctl restart mdatp ``` Upon success, attempt another connectivity test from the command line: ```bash -$ mdatp connectivity test +mdatp connectivity test ``` If the problem persists, contact customer support. ## Resources -- For more information about how to configure the product to use a static proxy, see [Configure Microsoft Defender ATP for static proxy discovery](linux-static-proxy-configuration.md). \ No newline at end of file +- For more information about how to configure the product to use a static proxy, see [Configure Microsoft Defender ATP for static proxy discovery](linux-static-proxy-configuration.md). diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-support-install.md b/windows/security/threat-protection/microsoft-defender-atp/linux-support-install.md index d89a6593f9..5453c8c205 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-support-install.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-support-install.md 
@@ -20,18 +20,24 @@ ms.topic: conceptual # Troubleshoot installation issues for Microsoft Defender ATP for Linux +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md) ## Verify if installation succeeded -An error in installation may or may not result in a meaningful error message by the package manager. To verify if the installation succeeded, one can obtain and check the installation logs using: +An error in installation may or may not result in a meaningful error message by the package manager. To verify if the installation succeeded, obtain and check the installation logs using: ```bash - $ sudo journalctl | grep 'microsoft-mdatp' > installation.log - $ grep 'postinstall end' installation.log - + sudo journalctl | grep 'microsoft-mdatp' > installation.log +``` +```bash + grep 'postinstall end' installation.log +``` +```Output microsoft-mdatp-installer[102243]: postinstall end [2020-03-26 07:04:43OURCE +0000] 102216 ``` @@ -44,8 +50,9 @@ Also check the [Client configuration](linux-install-manually.md#client-configura Check if the mdatp service is running: ```bash - $ systemctl status mdatp - +systemctl status mdatp +``` +```Output ● mdatp.service - Microsoft Defender ATP Loaded: loaded (/lib/systemd/system/mdatp.service; enabled; vendor preset: enabled) Active: active (running) since Thu 2020-03-26 10:37:30 IST; 23h ago 
@@ -61,41 +68,43 @@ Check if the mdatp service is running: 1. Check if "mdatp" user exists: ```bash - $ id "mdatp" + id "mdatp" ``` If there’s no output, run ```bash - $ sudo useradd --system --no-create-home --user-group --shell /usr/sbin/nologin mdatp + sudo useradd --system --no-create-home --user-group --shell /usr/sbin/nologin mdatp ``` 2. Try enabling and restarting the service using: ```bash - $ sudo systemctl enable mdatp - $ sudo systemctl restart mdatp + sudo systemctl enable mdatp ``` - -3. If mdatp.service isn't found upon running the previous command, run ```bash - $ sudo cp /opt/microsoft/mdatp/conf/mdatp.service - - where is - /lib/systemd/system for Ubuntu and Debian distributions - /usr/lib/systemd/system for Rhel, CentOS, Oracle and SLES + sudo systemctl restart mdatp ``` - and then rerun step 2. + +3. If mdatp.service isn't found upon running the previous command, run: + ```bash + sudo cp /opt/microsoft/mdatp/conf/mdatp.service + ``` + where `````` is + ```/lib/systemd/system``` for Ubuntu and Debian distributions and + ```/usr/lib/systemd/system``` for Rhel, CentOS, Oracle and SLES. +Then rerun step 2. 4. If the above steps don’t work, check if SELinux is installed and in enforcing mode. If so, try setting it to permissive (preferably) or disabled mode. It can be done by setting the parameter `SELINUX` to "permissive" or "disabled" in `/etc/selinux/config` file, followed by reboot. Check the man-page of selinux for more details. Now try restarting the mdatp service using step 2. Revert the configuration change immediately though for security reasons after trying it and reboot. 5. Ensure that the daemon has executable permission. 
```bash - $ ls -l /opt/microsoft/mdatp/sbin/wdavdaemon - + ls -l /opt/microsoft/mdatp/sbin/wdavdaemon + ``` + ```Output -rwxr-xr-x 2 root root 15502160 Mar 3 04:47 /opt/microsoft/mdatp/sbin/wdavdaemon ``` If the daemon doesn't have executable permissions, make it executable using: ```bash - $ sudo chmod 0755 /opt/microsoft/mdatp/sbin/wdavdaemon + sudo chmod 0755 /opt/microsoft/mdatp/sbin/wdavdaemon ``` and retry running step 2. @@ -105,7 +114,7 @@ Now try restarting the mdatp service using step 2. Revert the configuration chan 1. Check the file system type using: ```bash - $ findmnt -T + findmnt -T ``` Currently supported file systems for on-access activity are listed [here](microsoft-defender-atp-linux.md#system-requirements). Any files outside these file systems won't be scanned. @@ -113,13 +122,15 @@ Now try restarting the mdatp service using step 2. Revert the configuration chan 1. If running the command-line tool `mdatp` gives an error `command not found`, run the following command: ```bash - $ sudo ln -sf /opt/microsoft/mdatp/sbin/wdavdaemonclient /usr/bin/mdatp + sudo ln -sf /opt/microsoft/mdatp/sbin/wdavdaemonclient /usr/bin/mdatp ``` and try again. If none of the above steps help, collect the diagnostic logs: ```bash - $ sudo mdatp diagnostic create + sudo mdatp diagnostic create + ``` + ```Output Diagnostic file created: ``` Path to a zip file that contains the logs will be displayed as an output. Reach out to our customer support with these logs. diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md b/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md index 5119c3afc3..e0c27b4a46 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md 
@@ -19,11 +19,14 @@ ms.topic: conceptual # Troubleshoot performance issues for Microsoft Defender ATP for Linux +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md) -This topic provides some general steps that can be used to narrow down performance issues related to Microsoft Defender ATP for Linux. +This article provides some general steps that can be used to narrow down performance issues related to Microsoft Defender ATP for Linux. Real-time protection (RTP) is a feature of Microsoft Defender ATP for Linux that continuously monitors and protects your device against threats. It consists of file and process monitoring and other heuristics. @@ -36,7 +39,9 @@ The following steps can be used to troubleshoot and mitigate these issues: If your device is not managed by your organization, real-time protection can be disabled from the command line: ```bash - $ mdatp config real-time-protection --value disabled + mdatp config real-time-protection --value disabled + ``` + ```Output Configuration property updated ``` 
@@ -50,26 +55,28 @@ The following steps can be used to troubleshoot and mitigate these issues: This feature is enabled by default on the `Dogfood` and `InsisderFast` channels. If you're using a different update channel, this feature can be enabled from the command line: ```bash - $ mdatp config real-time-protection-statistics --value enabled + mdatp config real-time-protection-statistics --value enabled ``` This feature requires real-time protection to be enabled. To check the status of real-time protection, run the following command: ```bash - $ mdatp health --field real_time_protection_enabled + mdatp health --field real_time_protection_enabled ``` Verify that the `real_time_protection_enabled` entry is `true`. Otherwise, run the following command to enable it: ```bash - $ mdatp config real-time-protection --value enabled + mdatp config real-time-protection --value enabled + ``` + ```Output Configuration property updated ``` To collect current statistics, run: ```bash - $ mdatp diagnostic real_time_protection_statistics # you can use ‘> stat.log’ to redirect to file + mdatp diagnostic real_time_protection_statistics # you can use ‘> stat.log’ to redirect to file ``` The output of this command will show all processes and their associated scan activity. To improve the performance of Microsoft Defender ATP for Linux, locate the one with the highest number under the `Total files scanned` row and add an exclusion for it. For more information, see [Configure and validate exclusions for Microsoft Defender ATP for Linux](linux-exclusions.md). diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-updates.md b/windows/security/threat-protection/microsoft-defender-atp/linux-updates.md index 50bbc417f9..adc018682b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-updates.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-updates.md 
@@ -20,6 +20,9 @@ ms.topic: conceptual # Deploy updates for Microsoft Defender ATP for Linux +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-whatsnew.md b/windows/security/threat-protection/microsoft-defender-atp/linux-whatsnew.md index a35d6e6d1a..302d9c6717 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-whatsnew.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-whatsnew.md @@ -19,6 +19,13 @@ ms.topic: conceptual # What's new in Microsoft Defender Advanced Threat Protection for Linux +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + +## 101.04.76 + +- Bug fixes + ## 101.03.48 - Bug fixes diff --git a/windows/security/threat-protection/microsoft-defender-atp/live-response-command-examples.md b/windows/security/threat-protection/microsoft-defender-atp/live-response-command-examples.md index 49399fbe9f..68a0143833 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/live-response-command-examples.md +++ b/windows/security/threat-protection/microsoft-defender-atp/live-response-command-examples.md @@ -1,6 +1,6 @@ --- title: Live response command examples -description: Learn to run basic or advanced live response commands for Microsoft Defender Advanced Threat Protection (ATP) and see examples on how it's used +description: Learn to run basic or advanced live response commands for Microsoft Defender Advanced Threat Protection (ATP) and see examples on how it's used. keywords: example, command, cli, remote, shell, connection, live, response, real-time, command, script, remediate, hunt, export, log, drop, download, file search.product: eADQiWindows 10XVcnh search.appverid: met150 
@@ -19,6 +19,9 @@ ms.topic: article # Live response command examples +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) @@ -155,7 +158,7 @@ registry HKEY_CURRENT_USER\Console ``` # Show information about a specific registry value -registry HKEY_CURRENT_USER\Console\\ScreenBufferSize +registry HKEY_CURRENT_USER\Console\ScreenBufferSize ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/live-response.md b/windows/security/threat-protection/microsoft-defender-atp/live-response.md index 2a2e8465f2..35a1c20298 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/live-response.md +++ b/windows/security/threat-protection/microsoft-defender-atp/live-response.md 
@@ -19,13 +19,16 @@ ms.topic: article # Investigate entities on devices using live response +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -Live response is a capability that gives your security operations team instantaneous access to a device (also referred to as a machine) using a remote shell connection. This gives you the power to do in-depth investigative work and take immediate response actions to promptly contain identified threats — in real time. +Live response gives security operations teams instantaneous access to a device (also referred to as a machine) using a remote shell connection. This gives you the power to do in-depth investigative work and take immediate response actions to promptly contain identified threats—in real time. -Live response is designed to enhance investigations by enabling your security operations team to collect forensic data, run scripts, send suspicious entities for analysis, remediate threats, and proactively hunt for emerging threats. +Live response is designed to enhance investigations by enabling your security operations team to collect forensic data, run scripts, send suspicious entities for analysis, remediate threats, and proactively hunt for emerging threats.

                        > [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4qLUW] @@ -98,7 +101,7 @@ The dashboard also gives you access to: ## Initiate a live response session on a device -1. Log in to Microsoft Defender Security Center. +1. Sign in to Microsoft Defender Security Center. 2. Navigate to the devices list page and select a device to investigate. The devices page opens. @@ -112,6 +115,10 @@ The dashboard also gives you access to: Depending on the role that's been granted to you, you can run basic or advanced live response commands. User permissions are controlled by RBAC custom roles. For more information on role assignments, see [Create and manage roles](user-roles.md). + +>[!NOTE] +>Live response is a cloud-based interactive shell, as such, specific command experience may vary in response time depending on network quality and system load between the end user and the target device. + ### Basic commands The following commands are available for user roles that are granted the ability to run **basic** live response commands. For more information on role assignments, see [Create and manage roles](user-roles.md). @@ -137,7 +144,7 @@ drivers | Shows all drivers installed on the device. | |`trace` | Sets the terminal's logging mode to debug. | ### Advanced commands -The following commands are available for user roles that are granted the ability to run **advanced** live response commands. For more information on role assignments see [Create and manage roles](user-roles.md). +The following commands are available for user roles that are granted the ability to run **advanced** live response commands. For more information on role assignments, see [Create and manage roles](user-roles.md). | Command | Description | |---|---| 
@@ -201,7 +208,7 @@ You can have a collection of PowerShell scripts that can run on devices that you 4. Specify if you'd like to overwrite a file with the same name. -5. If you'd like to be know what parameters are needed for the script, select the script parameters check box. In the text field, enter an example and a description. +5. If you'd like to be, know what parameters are needed for the script, select the script parameters check box. In the text field, enter an example and a description. 6. Click **Confirm**. @@ -220,7 +227,7 @@ Some commands have prerequisite commands to run. If you don't run the prerequisi You can use the auto flag to automatically run prerequisite commands, for example: -``` +```console getfile c:\Users\user\Desktop\work.txt -auto ``` @@ -269,7 +276,7 @@ Live response supports output piping to CLI and file. CLI is the default output Example: -``` +```console processes > output.txt ``` @@ -285,7 +292,7 @@ Each command is tracked with full details such as: ## Limitations - Live response sessions are limited to 10 live response sessions at a time. -- Large scale command execution is not supported. +- Large-scale command execution is not supported. - A user can only initiate one session at a time. - A device can only be in one session at a time. - The following file size limits apply: @@ -295,11 +302,3 @@ Each command is tracked with full details such as: ## Related article - [Live response command examples](live-response-command-examples.md) - - - - - - - - diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-exclusions.md b/windows/security/threat-protection/microsoft-defender-atp/mac-exclusions.md index c0fe9490e6..2399987032 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-exclusions.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-exclusions.md 
@@ -19,6 +19,9 @@ ms.topic: conceptual # Configure and validate exclusions for Microsoft Defender ATP for Mac +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md) @@ -43,7 +46,7 @@ Exclusion | Definition | Examples ---|---|--- File extension | All files with the extension, anywhere on the machine | `.test` File | A specific file identified by the full path | `/var/log/test.log`
                        `/var/log/*.log`
                        `/var/log/install.?.log` -Folder | All files under the specified folder | `/var/log/`
                        `/var/*/` +Folder | All files under the specified folder (recursively) | `/var/log/`
                        `/var/*/` Process | A specific process (specified either by the full path or file name) and all files opened by it | `/bin/cat`
                        `cat`
                        `c?t` File, folder, and process exclusions support the following wildcards: @@ -86,3 +89,25 @@ echo 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' > te ``` You can also copy the string into a blank text file and attempt to save it with the file name or in the folder you are attempting to exclude. + +## Allow threats + +In addition to excluding certain content from being scanned, you can also configure the product not to detect some classes of threats (identified by the threat name). You should exercise caution when using this functionality, as it can leave your device unprotected. + +To add a threat name to the allowed list, execute the following command: + +```bash +mdatp threat allowed add --name [threat-name] +``` + +The threat name associated with a detection on your device can be obtained using the following command: + +```bash +mdatp threat list +``` + +For example, to add `EICAR-Test-File (not a virus)` (the threat name associated with the EICAR detection) to the allowed list, execute the following command: + +```bash +mdatp threat allowed add --name "EICAR-Test-File (not a virus)" +``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-install-jamfpro-login.md b/windows/security/threat-protection/microsoft-defender-atp/mac-install-jamfpro-login.md new file mode 100644 index 0000000000..49c40a09a3 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-install-jamfpro-login.md 
@@ -0,0 +1,44 @@ +--- +title: Log in to Jamf Pro +description: Log in to Jamf Pro +keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamfpro, macos, catalina, mojave, high sierra +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: dansimp +author: dansimp +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +--- + +# Log in to Jamf Pro + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md) + +1. Enter your credentials. + + ![Image of Jamf Pro dashboard](images/jamf-pro-portal1.png) + +2. Select **Computers**. + + ![Image of Jamf Pro dashboard](images/jamf-pro-dashboard.png) + +3. You will see the settings that are available. + + ![Image of Jamf Pro dashboard](images/jamfpro-settings.png) + + +## Next step +[Setup the device groups in Jamf Pro](mac-jamfpro-device-groups.md) + diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md b/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md index 448468935d..daea53aa5e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md @@ -19,6 +19,9 @@ ms.topic: conceptual # Manual deployment for Microsoft Defender ATP for macOS +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for macOS](microsoft-defender-atp-mac.md) 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md index 2dd67831b1..17f2c90546 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md @@ -19,6 +19,9 @@ ms.topic: conceptual # Intune-based deployment for Microsoft Defender ATP for Mac +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + > [!NOTE] > This documentation explains the legacy method for deploying and configuring Microsoft Defender ATP on macOS devices. The native experience is now available in the MEM console. The release of the native UI in the MEM console provide admins with a much simpler way to configure and deploy the application and send it down to macOS devices.

                        >The blog post [MEM simplifies deployment of Microsoft Defender ATP for macOS](https://techcommunity.microsoft.com/t5/microsoft-endpoint-manager-blog/microsoft-endpoint-manager-simplifies-deployment-of-microsoft/ba-p/1322995) explains the new features. To configure the app, go to [Settings for Microsoft Defender ATP for Mac in Microsoft InTune](https://docs.microsoft.com/mem/intune/protect/antivirus-microsoft-defender-settings-macos). To deploy the app, go to [Add Microsoft Defender ATP to macOS devices using Microsoft Intune](https://docs.microsoft.com/mem/intune/apps/apps-advanced-threat-protection-macos). diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md index da1f94c851..f0d4ab8a8a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md @@ -1,7 +1,7 @@ --- -title: JAMF-based deployment for Microsoft Defender ATP for Mac -description: Install Microsoft Defender ATP for Mac, using JAMF. -keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, catalina, mojave, high sierra +title: Deploying Microsoft Defender ATP for macOS with Jamf Pro +description: Deploying Microsoft Defender ATP for macOS with Jamf Pro +keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamfpro, macos, catalina, mojave, high sierra search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 
@@ -15,361 +15,27 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/10/2020 --- -# JAMF-based deployment for Microsoft Defender ATP for Mac +# Deploying Microsoft Defender ATP for macOS with Jamf Pro + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md) -This article describes how to deploy Microsoft Defender ATP for Mac through JAMF. A successful deployment requires the completion of all of the following steps: +Learn how to deploy Microsoft Defender ATP for macOS with Jamf Pro. -1. [Download installation and onboarding packages](#download-installation-and-onboarding-packages) -1. [Create JAMF policies](#create-jamf-policies) -1. [Client device setup](#client-device-setup) -1. [Deployment](#deployment) -1. [Check onboarding status](#check-onboarding-status) +This is a multi step process. You'll need to complete all of the following steps: -## Prerequisites and system requirements +- [Login to the Jamf Portal](mac-install-jamfpro-login.md) +- [Setup the Microsoft Defender ATP for macOS device groups in Jamf Pro](mac-jamfpro-device-groups.md) +- [Setup the Microsoft Defender ATP for macOS policies in Jamf Pro](mac-jamfpro-policies.md) +- [Enroll the Microsoft Defender ATP for macOS devices into Jamf Pro](mac-jamfpro-enroll-devices.md) -Before you get started, see [the main Microsoft Defender ATP for Mac page](microsoft-defender-atp-mac.md) for a description of prerequisites and system requirements for the current software version. -In addition, for JAMF deployment, you need to be familiar with JAMF administration tasks, have a JAMF tenant, and know how to deploy packages. This includes having a properly configured distribution point. JAMF has many ways to complete the same task. These instructions provide an example for most common processes. 
Your organization might use a different workflow. -## Overview -The following table summarizes the steps you would need to take to deploy and manage Microsoft Defender ATP for Macs, via JAMF. More detailed steps are available below. -| Step | Sample file names | BundleIdentifier | -|-|-|-| -| [Download installation and onboarding packages](#download-installation-and-onboarding-packages) | WindowsDefenderATPOnboarding__MDATP_wdav.atp.xml | com.microsoft.wdav.atp | -| [Microsoft Defender ATP configuration settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-preferences#property-list-for-jamf-configuration-profile-1)

                        **Note:** If you are planning to run a third party AV for macOS, set `passiveMode` to `true`. | MDATP_WDAV_and_exclusion_settings_Preferences.plist | com.microsoft.wdav | -| [Configure Microsoft Defender ATP and MS AutoUpdate (MAU) notifications](#notification-settings) | MDATP_MDAV_Tray_and_AutoUpdate2.mobileconfig | com.microsoft.wdav.tray | -| [Configure Microsoft AutoUpdate (MAU)](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-updates#jamf) | MDATP_Microsoft_AutoUpdate.mobileconfig | com.microsoft.autoupdate2 | -| [Grant Full Disk Access to Microsoft Defender ATP](#privacy-preferences-policy-control) | Note: If there was one, MDATP_tcc_Catalina_or_newer.plist | com.microsoft.wdav.tcc | -| [Approve Kernel Extension for Microsoft Defender ATP](#approved-kernel-extension) | Note: If there was one, MDATP_KExt.plist | N/A | - -## Download installation and onboarding packages - -Download the installation and onboarding packages from Microsoft Defender Security Center: - -1. In Microsoft Defender Security Center, go to **Settings > Device management > Onboarding**. -2. Set the operating system to **macOS** and the deployment method to **Mobile Device Management / Microsoft Intune**. - ![Onboarding settings screenshot](images/atp-mac-install.png) - - > [!NOTE] - > Jamf falls under **Mobile Device Management**. - -3. Select **Download installation package**. Save it as _wdav.pkg_ to a local directory. -4. Select **Download onboarding package**. Save it as _WindowsDefenderATPOnboardingPackage.zip_ to the same directory. -5. From the command prompt, verify that you have the two files. - - ```bash - ls -l - ``` - ```Output - total 721160 - -rw-r--r-- 1 test staff 11821 Mar 15 09:23 WindowsDefenderATPOnboardingPackage.zip - -rw-r--r-- 1 test staff 354531845 Mar 13 08:57 wdav.pkg - ``` -6. 
Extract the contents of the .zip files like so: - - ```bash - unzip WindowsDefenderATPOnboardingPackage.zip - ``` - ```Output - Archive: WindowsDefenderATPOnboardingPackage.zip - warning: WindowsDefenderATPOnboardingPackage.zip appears to use backslashes as path separators - inflating: intune/kext.xml - inflating: intune/WindowsDefenderATPOnboarding.xml - inflating: jamf/WindowsDefenderATPOnboarding.plist - ``` - -## Create JAMF policies - -You need to create a configuration profile and a policy to start deploying Microsoft Defender ATP for Mac to client devices. - -### Configuration Profile - -The configuration profile contains a custom settings payload that includes the following: - -- Microsoft Defender ATP for Mac onboarding information -- Approved Kernel Extensions payload to enable running the Microsoft kernel driver - -To set the onboarding information, add a property list file that is named **jamf/WindowsDefenderATPOnboarding.plist** as a custom setting. To do this, select **Computers** > **Configuration Profiles** > **New**, and then select **Application & Custom Settings** > **Configure**. From there, you can upload the property list. - - - >[!IMPORTANT] - > You have to set the **Preference Domain** to **com.microsoft.wdav.atp**. There are some changes to the Custom Payloads and also to the Jamf Pro user interface in version 10.18 and later versions. For more information about the changes, see [Configuration Profile Payload Settings Specific to Jamf Pro](https://www.jamf.com/jamf-nation/articles/217/configuration-profile-payload-settings-specific-to-jamf-pro). - -![Configuration profile screenshot](./images/msdefender-mac-config-profile.png) - -### Approved Kernel Extension - -To approve the kernel extension: - -1. In **Computers > Configuration Profiles** select **Options > Approved Kernel Extensions**. -2. Use **UBF8T346G9** for Team Id. 
- - ![Approved kernel extensions screenshot](../microsoft-defender-antivirus/images/MDATP-17-approvedKernelExtensions.png) - -### Privacy Preferences Policy Control - -> [!CAUTION] -> macOS 10.15 (Catalina) contains new security and privacy enhancements. Beginning with this version, by default, applications are not able to access certain locations on disk (such as Documents, Downloads, Desktop, etc.) without explicit consent. In the absence of this consent, Microsoft Defender ATP is not able to fully protect your device. -> -> If you previously configured Microsoft Defender ATP through JAMF, we recommend applying the following configuration. - -Add the following JAMF policy to grant Full Disk Access to Microsoft Defender ATP. - -1. Select **Options > Privacy Preferences Policy Control**. -2. Use any identifier and identifier type = Bundle. -3. Set Code Requirement to `identifier "com.microsoft.wdav" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9`. -4. Set app or service to SystemPolicyAllFiles and access to Allow. - - ![Privacy Preferences Policy Control](../microsoft-defender-antivirus/images/MDATP-35-JAMF-PrivacyPreferences.png) - -#### Configuration Profile's Scope - -Configure the appropriate scope to specify the devices that will receive the configuration profile. - -Open **Computers** > **Configuration Profiles**, and select **Scope > Targets**. From there, select the devices you want to target. - -![Configuration profile scope screenshot](../microsoft-defender-antivirus/images/MDATP-18-ConfigurationProfilesScope.png) - -Save the **Configuration Profile**. - -Use the **Logs** tab to monitor deployment status for each enrolled device. - -### Notification settings - -Starting in macOS 10.15 (Catalina) a user must manually allow to display notifications in UI. 
To auto-enable notifications from Defender and Auto Update, you can import the .mobileconfig below into a separate configuration profile and assign it to all devices with Defender: - - ```xml - - - - PayloadContent - - - NotificationSettings - - - AlertType - 2 - BadgesEnabled - - BundleIdentifier - com.microsoft.autoupdate2 - CriticalAlertEnabled - GroupingType - 0 - NotificationsEnabled - - ShowInLockScreen - - ShowInNotificationCenter - - SoundsEnabled - - - - AlertType - 2BadgesEnabled - BundleIdentifier - com.microsoft.wdav.tray - CriticalAlertEnabled - GroupingType - 0 - NotificationsEnabled - ShowInLockScreen - ShowInNotificationCenter - SoundsEnabled - - - - PayloadDescription - PayloadDisplayName - notifications - PayloadEnabled - PayloadIdentifier - BB977315-E4CB-4915-90C7-8334C75A7C64 - PayloadOrganization - Microsoft - PayloadType - com.apple.notificationsettings - PayloadUUID - BB977315-E4CB-4915-90C7-8334C75A7C64 - PayloadVersion - 1 - - - PayloadDescription - PayloadDisplayName - mdatp - allow notifications - PayloadEnabled - PayloadIdentifier - 85F6805B-0106-4D23-9101-7F1DFD5EA6D6 - PayloadOrganization - Microsoft - PayloadRemovalDisallowed - PayloadScope - System - PayloadType - Configuration - PayloadUUID - 85F6805B-0106-4D23-9101-7F1DFD5EA6D6 - PayloadVersion - 1 - - - ``` - -### Package - -1. Create a package in **Settings > Computer Management > Packages**. - - ![Computer management packages screenshot](../microsoft-defender-antivirus/images/MDATP-19-MicrosoftDefenderWDAVPKG.png) - -2. Upload the package to the Distribution Point. -3. In the **filename** field, enter the name of the package. For example, _wdav.pkg_. - -### Policy - -Your policy should contain a single package for Microsoft Defender. - -![Microsoft Defender packages screenshot](../microsoft-defender-antivirus/images/MDATP-20-MicrosoftDefenderPackages.png) - -Configure the appropriate scope to specify the computers that will receive this policy. 
- -After you save the Configuration Profile, you can use the Logs tab to monitor the deployment status for each enrolled device. - -## Client device setup - -You'll need no special provisioning for a macOS computer, beyond the standard JAMF Enrollment. - -> [!NOTE] -> After a computer is enrolled, it will show up in the Computers inventory (All Computers). - - - Open **Device Profiles**, from the **General** tab, and make sure that **User Approved MDM** is set to **Yes**. If it's currently set to No, the user needs to open **System Preferences > Profiles** and select **Approve** on the MDM Profile. - - ![MDM approve button screenshot](../microsoft-defender-antivirus/images/MDATP-21-MDMProfile1.png)
                        - ![MDM screenshot](../microsoft-defender-antivirus/images/MDATP-22-MDMProfileApproved.png) - - After a moment, the device's User Approved MDM status will change to **Yes**. - - ![MDM status screenshot](../microsoft-defender-antivirus/images/MDATP-23-MDMStatus.png) - - You may now enroll additional devices. You may also enroll them later, after you have finished provisioning system configuration and application packages. - -## Deployment - -Enrolled client devices periodically poll the JAMF Server, and install new configuration profiles and policies as soon as they are detected. - -### Status on the server - -You can monitor deployment status in the **Logs** tab: - -- **Pending** means that the deployment is scheduled but has not yet happened -- **Completed** means that the deployment succeeded and is no longer scheduled - -![Status on server screenshot](../microsoft-defender-antivirus/images/MDATP-24-StatusOnServer.png) - -### Status on client device - -After the Configuration Profile is deployed, you'll see the profile for the device in **System Preferences** > **Profiles >**. - -![Status on client screenshot](../microsoft-defender-antivirus/images/MDATP-25-StatusOnClient.png) - -Once the policy is applied, you'll see the Microsoft Defender ATP icon in the macOS status bar in the top-right corner. - -![Microsoft Defender icon in status bar screenshot](../microsoft-defender-antivirus/images/MDATP-Icon-Bar.png) - -You can monitor policy installation on a device by following the JAMF log file: - -```bash - tail -f /var/log/jamf.log -``` - -```Output - Thu Feb 21 11:11:41 mavel-mojave jamf[7960]: No patch policies were found. - Thu Feb 21 11:16:41 mavel-mojave jamf[8051]: Checking for policies triggered by "recurring check-in" for user "testuser"... - Thu Feb 21 11:16:43 mavel-mojave jamf[8051]: Executing Policy WDAV - Thu Feb 21 11:17:02 mavel-mojave jamf[8051]: Installing Microsoft Defender... 
- Thu Feb 21 11:17:23 mavel-mojave jamf[8051]: Successfully installed Microsoft Defender. - Thu Feb 21 11:17:23 mavel-mojave jamf[8051]: Checking for patches... - Thu Feb 21 11:17:23 mavel-mojave jamf[8051]: No patch policies were found. -``` - -You can also check the onboarding status: - -```bash -mdatp --health -``` - -```Output -... -licensed : true -orgId : "4751b7d4-ea75-4e8f-a1f5-6d640c65bc45" -... -``` - -- **licensed**: This confirms that the device has an ATP license. - -- **orgid**: Your Microsoft Defender ATP org id; it will be the same for your organization. - -## Check onboarding status - -You can check that devices have been correctly onboarded by creating a script. For example, the following script checks enrolled devices for onboarding status: - -```bash -mdatp --health healthy -``` - -The above command prints "1" if the product is onboarded and functioning as expected. - -If the product is not healthy, the exit code (which can be checked through `echo $?`) indicates the problem: - -- 0 if the device is not yet onboarded -- 3 if the connection to the daemon cannot be established—for example, if the daemon is not running - -## Logging installation issues - -See [Logging installation issues](mac-resources.md#logging-installation-issues) for more information on how to find the automatically generated log that is created by the installer when an error occurs. - -## Uninstallation - -This method is based on the script described in [Uninstalling](mac-resources.md#uninstalling). - -### Script - -Create a script in **Settings > Computer Management > Scripts**. - -This script removes Microsoft Defender ATP from the /Applications directory: - -```bash - #!/bin/bash - - echo "Is WDAV installed?" - ls -ld '/Applications/Microsoft Defender ATP.app' 2>/dev/null - - echo "Uninstalling WDAV..." - rm -rf '/Applications/Microsoft Defender ATP.app' - - echo "Is WDAV still installed?" - ls -ld '/Applications/Microsoft Defender ATP.app' 2>/dev/null - - echo "Done!" 
-``` - -![Microsoft Defender uninstall screenshot](../microsoft-defender-antivirus/images/MDATP-26-Uninstall.png) - -### Policy - -Your policy should contain a single script: - -![Microsoft Defender uninstall script screenshot](../microsoft-defender-antivirus/images/MDATP-27-UninstallScript.png) - -Configure the appropriate scope in the **Scope** tab to specify the devices that will receive this policy. diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-other-mdm.md b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-other-mdm.md index 29dbf4fa14..39ec2b13b7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-other-mdm.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-other-mdm.md @@ -19,6 +19,9 @@ ms.topic: conceptual # Deployment with a different Mobile Device Management (MDM) system for Microsoft Defender ATP for Mac +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md) 
@@ -53,17 +56,17 @@ Most MDM solutions use the same model for managing macOS devices, with similar t ### Package -Configure deployment of a [required application package](mac-install-with-jamf.md#package), -with the installation package (wdav.pkg) downloaded from [Microsoft Defender Security Center](mac-install-with-jamf.md#download-installation-and-onboarding-packages). +Configure deployment of a [required application package](mac-install-with-jamf.md), +with the installation package (wdav.pkg) downloaded from [Microsoft Defender Security Center](mac-install-with-jamf.md). In order to deploy the package to your enterprise, use the instructions associated with your MDM solution. ### License settings -Set up [a system configuration profile](mac-install-with-jamf.md#configuration-profile). +Set up [a system configuration profile](mac-install-with-jamf.md). Your MDM solution may call it something like "Custom Settings Profile", as Microsoft Defender ATP for Mac is not part of macOS. -Use the property list, jamf/WindowsDefenderATPOnboarding.plist, which can be extracted from an onboarding package downloaded from [Microsoft Defender Security Center](mac-install-with-jamf.md#download-installation-and-onboarding-packages). +Use the property list, jamf/WindowsDefenderATPOnboarding.plist, which can be extracted from an onboarding package downloaded from [Microsoft Defender Security Center](mac-install-with-jamf.md). Your system may support an arbitrary property list in XML format. You can upload the jamf/WindowsDefenderATPOnboarding.plist file as-is in that case. Alternatively, it may require you to convert the property list to a different format first. 
@@ -76,4 +79,4 @@ Set up a KEXT or kernel extension policy. Use team identifier **UBF8T346G9** to ## Check installation status -Run [mdatp](mac-install-with-jamf.md#check-onboarding-status) on a client device to check the onboarding status. +Run [mdatp](mac-install-with-jamf.md) on a client device to check the onboarding status. diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-device-groups.md b/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-device-groups.md new file mode 100644 index 0000000000..0c869e76e4 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-device-groups.md 
@@ -0,0 +1,46 @@
+---
+title: Set up device groups in Jamf Pro
+description: Learn how to set up device groups in Jamf Pro for Microsoft Defender ATP for macOS
+keywords: device, group, microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamfpro, macos, catalina, mojave, high sierra
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dansimp
+author: dansimp
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+---
+
+# Set up Microsoft Defender ATP for macOS device groups in Jamf Pro
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md)
+
+Set up the device groups similar to Group policy organizational unite (OUs), Microsoft Endpoint Configuration Manager's device collection, and Intune's device groups.
+
+1. Navigate to **Static Computer Groups**.
+
+2. Select **New**.
+
+ ![Image of Jamf Pro](images/jamf-pro-static-group.png)
+
+3. Provide a display name and select **Save**.
+
+ ![Image of Jamf Pro](images/jamfpro-machine-group.png)
+
+4. Now you will see the **Contoso's Machine Group** under **Static Computer Groups**.
+
+ ![Image of Jamf Pro](images/contoso-machine-group.png)
+
+## Next step
+- [Set up Microsoft Defender ATP for macOS policies in Jamf Pro](mac-jamfpro-policies.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-enroll-devices.md b/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-enroll-devices.md
new file mode 100644
index 0000000000..fd353eceb3
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-enroll-devices.md
@@ -0,0 +1,103 @@
+---
+title: Enroll Microsoft Defender ATP for macOS devices into Jamf Pro
+description: Enroll Microsoft Defender ATP for macOS devices into Jamf Pro
+keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamfpro, macos, catalina, mojave, high sierra
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dansimp
+author: dansimp
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+---
+
+# Enroll Microsoft Defender ATP for macOS devices into Jamf Pro
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md)
+
+## Enroll macOS devices
+
+There are multiple methods of getting enrolled to JamF.
+
+This article will guide you on two methods:
+
+- [Method 1: Enrollment Invitations](#enrollment-method-1-enrollment-invitations)
+- [Method 2: Prestage Enrollments](#enrollment-method-2-prestage-enrollments)
+
+For a complete list, see [About Computer Enrollment](https://docs.jamf.com/9.9/casper-suite/administrator-guide/About_Computer_Enrollment.html).
+
+
+## Enrollment Method 1: Enrollment Invitations
+
+1. In the Jamf Pro dashboard, navigate to **Enrollment invitations**.
+
+ ![Image of configuration settings](images/a347307458d6a9bbfa88df7dbe15398f.png)
+
+2. Select **+ New**.
+
+ ![A close up of a logo Description automatically generated](images/b6c7ad56d50f497c38fc14c1e315456c.png)
+
+3. In **Specify Recipients for the Invitation** > under **Email Addresses** enter the e-mail address(es) of the recipients.
+
+ ![Image of configuration settings](images/718b9d609f9f77c8b13ba88c4c0abe5d.png)
+
+ ![Image of configuration settings](images/ae3597247b6bc7c5347cf56ab1e820c0.png)
+
+ For example: janedoe@contoso.com
+
+ ![Image of configuration settings](images/4922c0fcdde4c7f73242b13bf5e35c19.png)
+
+4. Configure the message for the invitation.
+
+ ![Image of configuration settings](images/ce580aec080512d44a37ff8e82e5c2ac.png)
+
+ ![Image of configuration settings](images/5856b765a6ce677caacb130ca36b1a62.png)
+
+ ![Image of configuration settings](images/3ced5383a6be788486d89d407d042f28.png)
+
+ ![Image of configuration settings](images/54be9c6ed5b24cebe628dc3cd9ca4089.png)
+
+## Enrollment Method 2: Prestage Enrollments
+
+1. In the Jamf Pro dashboard, navigate to **Prestage enrollments**.
+
+ ![Image of configuration settings](images/6fd0cb2bbb0e60a623829c91fd0826ab.png)
+
+2. Follow the instructions in [Computer PreStage Enrollments](https://docs.jamf.com/9.9/casper-suite/administrator-guide/Computer_PreStage_Enrollments.html).
+
+## Enroll macOS device
+
+1. Select **Continue** and install the CA certificate from a **System Preferences** window.
+
+ ![Image of Jamf Pro enrollment](images/jamfpro-ca-certificate.png)
+
+2. Once CA certificate is installed, return to the browser window and select **Continue** and install the MDM profile.
+
+ ![Image of Jamf Pro enrollment](images/jamfpro-install-mdm-profile.png)
+
+3. Select **Allow** to downloads from JAMF.
+
+ ![Image of Jamf Pro enrollment](images/jamfpro-download.png)
+
+4. Select **Continue** to proceed with the MDM Profile installation.
+
+ ![Image of Jamf Pro enrollment](images/jamfpro-install-mdm.png)
+
+5. Select **Continue** to install the MDM Profile.
+
+ ![Image of Jamf Pro enrollment](images/jamfpro-mdm-unverified.png)
+
+6. Select **Continue** to complete the configuration.
+
+ ![Image of Jamf Pro enrollment](images/jamfpro-mdm-profile.png)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-policies.md b/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-policies.md
new file mode 100644
index 0000000000..19be21f34f
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-policies.md
@@ -0,0 +1,794 @@
+---
+title: Set up the Microsoft Defender ATP for macOS policies in Jamf Pro
+description: Learn how to set up the Microsoft Defender ATP for macOS policies in Jamf Pro
+keywords: policies, microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamfpro, macos, catalina, mojave, high sierra
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dansimp
+author: dansimp
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+---
+
+# Set up the Microsoft Defender ATP for macOS policies in Jamf Pro
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md)
+
+This page will guide you through the steps you need to take to set up macOS policies in Jamf Pro.
+
+You'll need to take the following steps:
+
+1. [Get the Microsoft Defender ATP onboarding package](#step-1-get-the-microsoft-defender-atp-onboarding-package)
+
+2. [Create a configuration profile in Jamf Pro using the onboarding package](#step-2-create-a-configuration-profile-in-jamf-pro-using-the-onboarding-package)
+
+3. [Configure Microsoft Defender ATP settings](#step-3-configure-microsoft-defender-atp-settings)
+
+4. [Configure Microsoft Defender ATP notification settings](#step-4-configure-notifications-settings)
+
+5. [Configure Microsoft AutoUpdate (MAU)](#step-5-configure-microsoft-autoupdate-mau)
+
+6. [Grant full disk access to Microsoft Defender ATP](#step-6-grant-full-disk-access-to-microsoft-defender-atp)
+
+7. [Approve Kernel extension for Microsoft Defender ATP](#step-7-approve-kernel-extension-for-microsoft-defender-atp)
+
+8. [Schedule scans with Microsoft Defender ATP for Mac](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp)
+
+9. [Deploy Microsoft Defender ATP for macOS](#step-9-deploy-microsoft-defender-atp-for-macos)
+
+
+## Step 1: Get the Microsoft Defender ATP onboarding package
+
+1. In [Microsoft Defender Security Center](https://securitycenter.microsoft.com ), navigate to **Settings > Onboarding**.
+
+2. Select macOS as the operating system and Mobile Device Management / Microsoft Intune as the deployment method.
+
+ ![Image of Microsoft Defender Security Center](images/onboarding-macos.png)
+
+3. Select **Download onboarding package** (WindowsDefenderATPOnboardingPackage.zip).
+
+4. Extract `WindowsDefenderATPOnboardingPackage.zip`.
+
+5. Copy the file to your preferred location. For example, `C:\Users\JaneDoe_or_JohnDoe.contoso\Downloads\WindowsDefenderATPOnboardingPackage_macOS_MDM_contoso\jamf\WindowsDefenderATPOnboarding.plist`.
+
+
+## Step 2: Create a configuration profile in Jamf Pro using the onboarding package
+
+1. Locate the file `WindowsDefenderATPOnboarding.plist` from the previous section.
+
+ ![Image of file](images/plist-onboarding-file.png)
+
+
+2. In the Jamf Pro dashboard, select **New**.
+
+ ![Image of Jamf Pro dashboard](images/jamf-pro-configure-profile.png)
+
+3. Enter the following details:
+
+ **General**
+ - Name: MDATP onboarding for macOS
+ - Description: MDATP EDR onboarding for macOS
+ - Category: None
+ - Distribution Method: Install Automatically
+ - Level: Computer Level
+
+4. In **Application & Custom Settings** select **Configure**.
+
+ ![Image of configuration profile](images/jamfpro-mac-profile.png)
+
+5. Select **Upload File (PLIST file)** then in **Preference Domain** enter: `com.microsoft.wdav.atp`.
+
+ ![Image of upload file](images/jamfpro-plist-upload.png)
+
+ ![Image of upload file](images/jamfpro-plist-file.png)
+
+7. Select **Open** and select the onboarding file.
+
+ ![Image of onboarding file](images/jamfpro-plist-file-onboard.png)
+
+8. Select **Upload**.
+
+ ![Image of uploading plist file](images/jamfpro-upload-plist.png)
+
+
+9. Select the **Scope** tab.
+
+ ![Image of scope tab](images/jamfpro-scope-tab.png)
+
+10. Select the target computers.
+
+ ![Image of target computers](images/jamfpro-target-computer.png)
+
+ ![Image of target computers](images/jamfpro-targets.png)
+
+11. Select **Save**.
+
+ ![Image of target computers](images/jamfpro-deployment-target.png)
+
+ ![Image of target computers selected](images/jamfpro-target-selected.png)
+
+12. Select **Done**.
+
+ ![Image of target computers](images/jamfpro-target-group.png)
+
+ ![List of configuration profiles](images/jamfpro-configuration-policies.png)
+
+## Step 3: Configure Microsoft Defender ATP settings
+
+1. Use the following Microsoft Defender ATP configuration settings:
+
+ - enableRealTimeProtection
+ - passiveMode
+
+ >[!NOTE]
+ >Not turned on by default, if you are planning to run a third-party AV for macOS, set it to `true`.
+
+ - exclusions
+ - excludedPath
+ - excludedFileExtension
+ - excludedFileName
+ - exclusionsMergePolicy
+ - allowedThreats
+
+ >[!NOTE]
+ >EICAR is on the sample, if you are going through a proof-of-concept, remove it especially if you are testing EICAR.
+
+ - disallowedThreatActions
+ - potentially_unwanted_application
+ - archive_bomb
+ - cloudService
+ - automaticSampleSubmission
+ - tags
+ - hideStatusMenuIcon
+
+ For information, see [Property list for Jamf configuration profile](mac-preferences.md#property-list-for-jamf-configuration-profile).
+
+```XML
+
+
+
+
+ antivirusEngine
+
+ enableRealTimeProtection
+
+ passiveMode
+
+ exclusions
+
+
+ $type
+ excludedPath
+ isDirectory
+
+ path
+ /var/log/system.log
+
+
+ $type
+ excludedPath
+ isDirectory
+
+ path
+ /home
+
+
+ $type
+ excludedFileExtension
+ extension
+ pdf
+
+
+ $type
+ excludedFileName
+ name
+ cat
+
+
+ exclusionsMergePolicy
+ merge
+ allowedThreats
+
+ EICAR-Test-File (not a virus)
+
+ disallowedThreatActions
+
+ allow
+ restore
+
+ threatTypeSettings
+
+
+ key
+ potentially_unwanted_application
+ value
+ block
+
+
+ key
+ archive_bomb
+ value
+ audit
+
+
+ threatTypeSettingsMergePolicy
+ merge
+
+ cloudService
+
+ enabled
+
+ diagnosticLevel
+ optional
+ automaticSampleSubmission
+
+
+ edr
+
+ tags
+
+
+ key
+ GROUP
+ value
+ ExampleTag
+
+
+
+ userInterface
+
+ hideStatusMenuIcon
+
+
+
+
+```
+
+2. Save the file as `MDATP_MDAV_configuration_settings.plist`.
+
+
+3. In the Jamf Pro dashboard, select **General**.
+
+ ![Image of Jamf Pro dashboard](images/644e0f3af40c29e80ca1443535b2fe32.png)
+
+4. Enter the following details:
+
+ **General**
+ - Name: MDATP MDAV configuration settings
+ - Description:\
+ - Category: None (default)
+ - Distribution Method: Install Automatically(default)
+ - Level: Computer Level(default)
+
+ ![Image of configuration settings](images/3160906404bc5a2edf84d1d015894e3b.png)
+
+5. In **Application & Custom Settings** select **Configure**.
+
+ ![Image of configuration settings](images/e1cc1e48ec9d5d688087b4d771e668d2.png)
+
+6. Select **Upload File (PLIST file)**.
+
+ ![Image of configuration settings](images/6f85269276b2278eca4bce84f935f87b.png)
+
+7. In **Preferences Domain**, enter `com.microsoft.wdav`, then select **Upload PLIST File**.
+
+ ![Image of configuration settings](images/db15f147dd959e872a044184711d7d46.png)
+
+8. Select **Choose File**.
+
+ ![Image of configuration settings](images/526e978761fc571cca06907da7b01fd6.png)
+
+9. Select the **MDATP_MDAV_configuration_settings.plist**, then select **Open**.
+
+ ![Image of configuration settings](images/98acea3750113b8dbab334296e833003.png)
+
+10. Select **Upload**.
+
+ ![Image of configuration settings](images/0adb21c13206861ba9b30a879ade93d3.png)
+
+ ![Image of configuration settings](images/f624de59b3cc86e3e2d32ae5de093e02.png)
+
+ >[!NOTE]
+ >If you happen to upload the Intune file, you'll get the following error:
+ >![Image of configuration settings](images/8e69f867664668796a3b2904896f0436.png)
+
+
+11. Select **Save**.
+
+ ![Image of configuration settings](images/1b6b5a4edcb42d97f1e70a6a0fa48e3a.png)
+
+12. The file is uploaded.
+
+ ![Image of configuration settings](images/33e2b2a1611fdddf6b5b79e54496e3bb.png)
+
+ ![Image of configuration settings](images/a422e57fe8d45689227e784443e51bd1.png)
+
+13. Select the **Scope** tab.
+
+ ![Image of configuration settings](images/9fc17529e5577eefd773c658ec576a7d.png)
+
+14. Select **Contoso's Machine Group**.
+
+15. Select **Add**, then select **Save**.
+
+ ![Image of configuration settings](images/cf30438b5512ac89af1d11cbf35219a6.png)
+
+ ![Image of configuration settings](images/6f093e42856753a3955cab7ee14f12d9.png)
+
+16. Select **Done**. You'll see the new **Configuration profile**.
+
+ ![Image of configuration settings](images/dd55405106da0dfc2f50f8d4525b01c8.png)
+
+
+## Step 4: Configure notifications settings
+
+These steps are applicable of macOS 10.15 (Catalina) or newer.
+
+1. Use the following Microsoft Defender ATP notification configuration settings:
+
+```xml
+
+
+
+ PayloadContent
+
+
+ NotificationSettings
+
+
+ AlertType
+ 2
+ BadgesEnabled
+
+ BundleIdentifier
+ com.microsoft.autoupdate2
+ CriticalAlertEnabled
+ GroupingType
+ 0
+ NotificationsEnabled
+
+ ShowInLockScreen
+
+ ShowInNotificationCenter
+
+ SoundsEnabled
+
+
+
+ AlertType
+ 2BadgesEnabled
+ BundleIdentifier
+ com.microsoft.wdav.tray
+ CriticalAlertEnabled
+ GroupingType
+ 0
+ NotificationsEnabled
+ ShowInLockScreen
+ ShowInNotificationCenter
+ SoundsEnabled
+
+
+
+ PayloadDescription
+ PayloadDisplayName
+ notifications
+ PayloadEnabled
+ PayloadIdentifier
+ BB977315-E4CB-4915-90C7-8334C75A7C64
+ PayloadOrganization
+ Microsoft
+ PayloadType
+ com.apple.notificationsettings
+ PayloadUUID
+ BB977315-E4CB-4915-90C7-8334C75A7C64
+ PayloadVersion
+ 1
+
+
+ PayloadDescription
+ PayloadDisplayName
+ mdatp - allow notifications
+ PayloadEnabled
+ PayloadIdentifier
+ 85F6805B-0106-4D23-9101-7F1DFD5EA6D6
+ PayloadOrganization
+ Microsoft
+ PayloadRemovalDisallowed
+ PayloadScope
+ System
+ PayloadType
+ Configuration
+ PayloadUUID
+ 85F6805B-0106-4D23-9101-7F1DFD5EA6D6
+ PayloadVersion
+ 1
+
+
+ ```
+
+2. Save it as `MDATP_MDAV_notification_settings.plist`.
+
+3. In the Jamf Pro dashboard, select **General**.
+
+4. Enter the following details:
+
+ **General**
+ - Name: MDATP MDAV Notification settings
+ - Description: macOS 10.15 (Catalina) or newer
+ - Category: None (default)
+ - Distribution Method: Install Automatically(default)
+ - Level: Computer Level(default)
+
+ ![Image of configuration settings](images/c9820a5ff84aaf21635c04a23a97ca93.png)
+
+
+5. Select **Upload File (PLIST file)**.
+
+ ![Image of configuration settings](images/7f9138053dbcbf928e5182ee7b295ebe.png)
+
+
+6. Select **Choose File** > **MDATP_MDAV_Notification_Settings.plist**.
+
+
+ ![Image of configuration settings](images/4bac6ce277aedfb4a674f2d9fcb2599a.png)
+
+
+ ![Image of configuration settings](images/20e33b98eb54447881dc6c89e58b890f.png)
+
+7. Select **Open** > **Upload**.
+
+ ![Image of configuration settings](images/7697c33b9fd376ae5a8023d01f9d3857.png)
+
+
+ ![Image of configuration settings](images/2bda9244ec25d1526811da4ea91b1c86.png)
+
+8. Select the **Scope** tab, then select **Add**.
+
+ ![Image of configuration settings](images/441aa2ecd36abadcdd8aed03556080b5.png)
+
+
+9. Select **Contoso's Machine Group**.
+
+10. Select **Add**, then select **Save**.
+
+ ![Image of configuration settings](images/09a275e321268e5e3ac0c0865d3e2db5.png)
+
+
+ ![Image of configuration settings](images/4d2d1d4ee13d3f840f425924c3df0d51.png)
+
+11. Select **Done**. You'll see the new **Configuration profile**.
+ ![Image of configuration setting](images/633ad26b8bf24ec683c98b2feb884bdf.png)
+
+## Step 5: Configure Microsoft AutoUpdate (MAU)
+
+1. Use the following Microsoft Defender ATP configuration settings:
+
+```XML
+
+
+
+
+ ChannelName
+ Production
+ HowToCheck
+ AutomaticDownload
+ EnableCheckForUpdatesButton
+
+ DisableInsiderCheckbox
+
+ SendAllTelemetryEnabled
+
+
+
+```
+
+2. Save it as `MDATP_MDAV_MAU_settings.plist`.
+
+3. In the Jamf Pro dashboard, select **General**.
+
+ ![Image of configuration setting](images/eaba2a23dd34f73bf59e826217ba6f15.png)
+
+4. Enter the following details:
+
+ **General**
+ - Name: MDATP MDAV MAU settings
+ - Description: Microsoft AutoUpdate settings for MDATP for macOS
+ - Category: None (default)
+ - Distribution Method: Install Automatically(default)
+ - Level: Computer Level(default)
+
+5. In **Application & Custom Settings** select **Configure**.
+
+ ![Image of configuration setting](images/1f72e9c15eaafcabf1504397e99be311.png)
+
+6. Select **Upload File (PLIST file)**.
+
+ ![Image of configuration setting](images/1213872db5833aa8be535da57653219f.png)
+
+7. In **Preference Domain** enter: `com.microsoft.autoupdate2`, then select **Upload PLIST File**.
+
+ ![Image of configuration setting](images/1213872db5833aa8be535da57653219f.png)
+
+8. Select **Choose File**.
+
+ ![Image of configuration setting](images/335aff58950ce62d1dabc289ecdce9ed.png)
+
+9. Select **MDATP_MDAV_MAU_settings.plist**.
+
+ ![Image of configuration setting](images/a26bd4967cd54bb113a2c8d32894c3de.png)
+
+10. Select **Upload**.
+ ![Image of configuration setting](images/4239ca0528efb0734e4ca0b490bfb22d.png)
+
+ ![Image of configuration setting](images/4ec20e72c8aed9a4c16912e01692436a.png)
+
+11. Select **Save**.
+
+ ![Image of configuration setting](images/253274b33e74f3f5b8d475cf8692ce4e.png)
+
+12. Select the **Scope** tab.
+
+ ![Image of configuration setting](images/10ab98358b2d602f3f67618735fa82fb.png)
+
+13. Select **Add**.
+
+ ![Image of configuration setting](images/56e6f6259b9ce3c1706ed8d666ae4947.png)
+
+ ![Image of configuration setting](images/38c67ee1905c4747c3b26c8eba57726b.png)
+
+ ![Image of configuration setting](images/321ba245f14743c1d5d51c15e99deecc.png)
+
+14. Select **Done**.
+
+ ![Image of configuration setting](images/ba44cdb77e4781aa8b940fb83e3c21f7.png)
+
+## Step 6: Grant full disk access to Microsoft Defender ATP
+
+1. In the Jamf Pro dashboard, select **Configuration Profiles**.
+
+ ![Image of configuration setting](images/264493cd01e62c7085659d6fdc26dc91.png)
+
+2. Select **+ New**.
+
+3. Enter the following details:
+
+ **General**
+ - Name: MDATP MDAV - grant Full Disk Access to EDR and AV
+ - Description: On macOS Catalina or newer, the new Privacy Preferences Policy Control
+ - Category: None
+ - Distribution method: Install Automatically
+ - Level: Computer level
+
+
+ ![Image of configuration setting](images/ba3d40399e1a6d09214ecbb2b341923f.png)
+
+4. In **Configure Privacy Preferences Policy Control** select **Configure**.
+
+ ![Image of configuration setting](images/715ae7ec8d6a262c489f94d14e1e51bb.png)
+
+5. In **Privacy Preferences Policy Control**, enter the following details:
+
+ - Identifier: `com.microsoft.wdav`
+ - Identifier Type: Bundle ID
+ - Code Requirement: identifier `com.microsoft.wdav` and anchor apple generic and
+certificate 1[field.1.2.840.113635.100.6.2.6] /\* exists \*/ and certificate
+leaf[field.1.2.840.113635.100.6.1.13] /\* exists \*/ and certificate
+leaf[subject.OU] = UBF8T346G9
+
+
+ ![Image of configuration setting](images/22cb439de958101c0a12f3038f905b27.png)
+
+6. Select **+ Add**.
+
+ ![Image of configuration setting](images/bd93e78b74c2660a0541af4690dd9485.png)
+
+
+ - Under App or service: Set to **SystemPolicyAllFiles**
+
+ - Under "access": Set to **Allow**
+
+7. Select **Save** (not the one at the bottom right).
+
+ ![Image of configuration setting](images/6de50b4a897408ddc6ded56a09c09fe2.png)
+
+8. Select the **Scope** tab.
+
+ ![Image of configuration setting](images/2c49b16cd112729b3719724f581e6882.png)
+
+ 9. Select **+ Add**.
+
+ ![Image of configuration setting](images/57cef926d1b9260fb74a5f460cee887a.png)
+
+10. Select **Computer Groups** > under **Group Name** > select **Contoso's MachineGroup**.
+
+ ![Image of configuration setting](images/368d35b3d6179af92ffdbfd93b226b69.png)
+
+11. Select **Add**.
+
+12. Select **Save**.
+
+13. Select **Done**.
+
+ ![Image of configuration setting](images/809cef630281b64b8f07f20913b0039b.png)
+
+ ![Image of configuration setting](images/6c8b406ee224335a8c65d06953dc756e.png)
+
+
+## Step 7: Approve Kernel extension for Microsoft Defender ATP
+
+1. In the **Configuration Profiles**, select **+ New**.
+
+ ![A screenshot of a social media post Description automatically generated](images/6c8b406ee224335a8c65d06953dc756e.png)
+
+2. Enter the following details:
+
+ **General**
+ - Name: MDATP MDAV Kernel Extension
+ - Description: MDATP kernel extension (kext)
+ - Category: None
+ - Distribution Method: Install Automatically
+ - Level: Computer Level
+
+ ![Image of configuration settings](images/24e290f5fc309932cf41f3a280d22c14.png)
+
+3. In **Configure Approved Kernel Extensions** select **Configure**.
+
+ ![Image of configuration settings](images/30be88b63abc5e8dde11b73f1b1ade6a.png)
+
+
+
+4. In **Approved Kernel Extensions** Enter the following details:
+
+ - Display Name: Microsoft Corp.
+ - Team ID: UBF8T346G9
+
+ ![Image of configuration settings](images/39cf120d3ac3652292d8d1b6d057bd60.png)
+
+5. Select the **Scope** tab.
+
+ ![Image of configuration settings](images/0df36fc308ba569db204ee32db3fb40a.png)
+
+6. Select **+ Add**.
+
+7. Select **Computer Groups** > under **Group Name** > select **Contoso's Machine Group**.
+
+8. Select **+ Add**.
+
+ ![Image of configuration settings](images/0dde8a4c41110dbc398c485433a81359.png)
+
+9. Select **Save**.
+
+ ![Image of configuration settings](images/0add8019b85a453b47fa5c402c72761b.png)
+
+10. Select **Done**.
+
+ ![Image of configuration settings](images/1c9bd3f68db20b80193dac18f33c22d0.png)
+
+
+## Step 8: Schedule scans with Microsoft Defender ATP for Mac
+Follow the instructions on [Schedule scans with Microsoft Defender ATP for Mac](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp).
+
+## Step 9: Deploy Microsoft Defender ATP for macOS
+
+1. Navigate to where you saved `wdav.pkg`.
+
+ ![Image of file explorer](images/8dde76b5463047423f8637c86b05c29d.png)
+
+2. Rename it to `wdav_MDM_Contoso_200329.pkg`.
+
+ ![Image of file explorer](images/fb2220fed3a530f4b3ef36f600da0c27.png)
+
+3. Open the Jamf Pro dashboard.
+
+ ![Image of configuration settings](images/990742cd9a15ca9fdd37c9f695d1b9f4.png)
+
+4. Navigate to **Advanced Computer Searches**.
+
+ ![A screenshot of a social media post Description automatically generated](images/95313facfdd5e1ea361981e0a2478fec.png)
+
+5. Select **Computer Management**.
+
+ ![Image of configuration settings](images/b6d671b2f18b89d96c1c8e2ea1991242.png)
+
+6. In **Packages**, select **+ New**.
+ ![A picture containing bird Description automatically generated](images/57aa4d21e2ccc65466bf284701d4e961.png)
+
+7. In **New Package** Enter the following details:
+
+ **General tab**
+ - Display Name: Leave it blank for now. Because it will be reset when you choose your pkg.
+ - Category: None (default)
+ - Filename: Choose File
+
+ ![Image of configuration settings](images/21de3658bf58b1b767a17358a3f06341.png)
+
+ Open the file and point it to `wdav.pkg` or `wdav_MDM_Contoso_200329.pkg`.
+
+ ![A screenshot of a computer screen Description automatically generated](images/1aa5aaa0a387f4e16ce55b66facc77d1.png)
+
+8. Select **Open**. Set the **Display Name** to **Microsoft Defender Advanced Threat Protection and Microsoft Defender Antivirus**.
+
+ - Manifest File: Select **Upload Manifest File**.
+
+ **Options tab** Keep default values.
+
+ **Limitations tab** Keep default values.
+
+ ![Image of configuration settings](images/56dac54634d13b2d3948ab50e8d3ef21.png)
+
+9. Select **Save**. The package is uploaded to Jamf Pro.
+ ![Image of configuration settings](images/33f1ecdc7d4872555418bbc3efe4b7a3.png)
+
+ It can take a few minutes for the package to be available for deployment.
+ ![Image of configuration settings](images/1626d138e6309c6e87bfaab64f5ccf7b.png)
+
+10. Navigate to the **Policies** page.
+
+ ![Image of configuration settings](images/f878f8efa5ebc92d069f4b8f79f62c7f.png)
+
+11. Select **+ New** to create a new policy.
+
+ ![Image of configuration settings](images/847b70e54ed04787e415f5180414b310.png)
+
+
+12. In **General** Enter the following details:
+
+ - Display name: MDATP Onboarding Contoso 200329 v100.86.92 or later
+
+ ![Image of configuration settings](images/625ba6d19e8597f05e4907298a454d28.png)
+
+13. Select **Recurring Check-in**.
+
+ ![Image of configuration settings](images/68bdbc5754dfc80aa1a024dde0fce7b0.png)
+
+
+14. Select **Save**.
+
+15. Select **Packages > Configure**.
+
+ ![Image of configuration settings](images/8fb4cc03721e1efb4a15867d5241ebfb.png)
+
+16. Select the **Add** button next to **Microsoft Defender Advanced Threat Protection and Microsoft Defender Antivirus**.
+
+ ![Image of configuration settings](images/526b83fbdbb31265b3d0c1e5fbbdc33a.png)
+
+17. Select **Save**.
+ ![Image of configuration settings](images/9d6e5386e652e00715ff348af72671c6.png)
+
+18. Select the **Scope** tab.
+ ![Image of configuration settings](images/8d80fe378a31143db9be0bacf7ddc5a3.png)
+
+19. Select the target computers.
+
+ ![Image of configuration settings](images/6eda18a64a660fa149575454e54e7156.png)
+
+ **Scope**
+ Select **Add**.
+ ![Image of configuration settings](images/1c08d097829863778d562c10c5f92b67.png)
+
+ ![Image of configuration settings](images/216253cbfb6ae738b9f13496b9c799fd.png)
+
+ **Self-Service**
                        + ![Image of configuration settings](images/c9f85bba3e96d627fe00fc5a8363b83a.png) + +20. Select **Done**. + ![Image of configuration settings](images/99679a7835b0d27d0a222bc3fdaf7f3b.png) + + ![Image of configuration settings](images/632aaab79ae18d0d2b8e0c16b6ba39e2.png) + + + + + diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md b/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md index e2f79e5846..186304dde5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md @@ -19,6 +19,9 @@ ms.topic: conceptual # Set preferences for Microsoft Defender ATP for Mac +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md) @@ -233,6 +236,30 @@ Specify the merge policy for threat type settings. This can be a combination of | **Possible values** | merge (default)
                        admin_only | | **Comments** | Available in Microsoft Defender ATP version 100.83.73 or higher. | +#### Antivirus scan history retention (in days) + +Specify the number of days that results are retained in the scan history on the device. Old scan results are removed from the history. Old quarantined files that are also removed from the disk. + +||| +|:---|:---| +| **Domain** | `com.microsoft.wdav` | +| **Key** | scanResultsRetentionDays | +| **Data type** | String | +| **Possible values** | 90 (default). Allowed values are from 1 day to 180 days. | +| **Comments** | Available in Microsoft Defender ATP version 101.07.23 or higher. | + +#### Maximum number of items in the antivirus scan history + +Specify the maximum number of entries to keep in the scan history. Entries include all on-demand scans performed in the past and all antivirus detections. + +||| +|:---|:---| +| **Domain** | `com.microsoft.wdav` | +| **Key** | scanHistoryMaximumItems | +| **Data type** | String | +| **Possible values** | 10000 (default). Allowed values are from 5000 items to 15000 items. | +| **Comments** | Available in Microsoft Defender ATP version 101.07.23 or higher. | + ### Cloud-delivered protection preferences Configure the cloud-driven protection features of Microsoft Defender ATP for Mac. diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-privacy.md b/windows/security/threat-protection/microsoft-defender-atp/mac-privacy.md index 4cb8256cd5..5bb254d10c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-privacy.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-privacy.md @@ -19,6 +19,9 @@ ms.topic: conceptual # Privacy for Microsoft Defender ATP for Mac +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md) 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-pua.md b/windows/security/threat-protection/microsoft-defender-atp/mac-pua.md index 5fbcec859f..e13d95555f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-pua.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-pua.md @@ -19,6 +19,9 @@ ms.topic: conceptual # Detect and block potentially unwanted applications with Microsoft Defender ATP for Mac +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md) @@ -62,4 +65,4 @@ In your enterprise, you can configure PUA protection from a management console, ## Related topics -- [Set preferences for Microsoft Defender ATP for Mac](mac-preferences.md) \ No newline at end of file +- [Set preferences for Microsoft Defender ATP for Mac](mac-preferences.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md b/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md index ef40ef4868..2aafa7220d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md @@ -19,6 +19,9 @@ ms.topic: conceptual # Resources for Microsoft Defender ATP for Mac +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md) 
@@ -30,36 +33,31 @@ If you can reproduce a problem, increase the logging level, run the system for s 1. Increase logging level: ```bash - mdatp --log-level verbose + mdatp log level set --level verbose ``` ```Output - Creating connection to daemon - Connection established - Operation succeeded + Log level configured successfully ``` 2. Reproduce the problem -3. Run `sudo mdatp --diagnostic --create` to back up Microsoft Defender ATP's logs. The files will be stored inside a .zip archive. This command will also print out the file path to the backup after the operation succeeds. +3. Run `sudo mdatp diagnostic create` to back up Microsoft Defender ATP's logs. The files will be stored inside a .zip archive. This command will also print out the file path to the backup after the operation succeeds. ```bash - sudo mdatp --diagnostic --create + sudo mdatp diagnostic create ``` ```Output - Creating connection to daemon - Connection established + Diagnostic file created: "/Library/Application Support/Microsoft/Defender/wdavdiag/932e68a8-8f2e-4ad0-a7f2-65eb97c0de01.zip" ``` 4. Restore logging level: ```bash - mdatp --log-level info + mdatp log level set --level info ``` ```Output - Creating connection to daemon - Connection established - Operation succeeded + Log level configured successfully ``` ## Logging installation issues 
@@ -85,27 +83,32 @@ There are several ways to uninstall Microsoft Defender ATP for Mac. Note that wh Important tasks, such as controlling product settings and triggering on-demand scans, can be done from the command line: -|Group |Scenario |Command | -|-------------|-------------------------------------------|-----------------------------------------------------------------------| -|Configuration|Turn on/off real-time protection |`mdatp --config realTimeProtectionEnabled [true/false]` | -|Configuration|Turn on/off cloud protection |`mdatp --config cloudEnabled [true/false]` | -|Configuration|Turn on/off product diagnostics |`mdatp --config cloudDiagnosticEnabled [true/false]` | -|Configuration|Turn on/off automatic sample submission |`mdatp --config cloudAutomaticSampleSubmission [true/false]` | -|Configuration|Turn on PUA protection |`mdatp --threat --type-handling potentially_unwanted_application block`| -|Configuration|Turn off PUA protection |`mdatp --threat --type-handling potentially_unwanted_application off` | -|Configuration|Turn on audit mode for PUA protection |`mdatp --threat --type-handling potentially_unwanted_application audit`| -|Configuration|Turn on/off passiveMode |`mdatp --config passiveMode [on/off]` | -|Diagnostics |Change the log level |`mdatp --log-level [error/warning/info/verbose]` | -|Diagnostics |Generate diagnostic logs |`mdatp --diagnostic --create` | -|Health |Check the product's health |`mdatp --health` | -|Protection |Scan a path |`mdatp --scan --path [path]` | -|Protection |Do a quick scan |`mdatp --scan --quick` | -|Protection |Do a full scan |`mdatp --scan --full` | -|Protection |Cancel an ongoing on-demand scan |`mdatp --scan --cancel` | -|Protection |Request a security intelligence update |`mdatp --definition-update` | -|EDR |Turn on/off EDR preview for Mac |`mdatp --edr --early-preview [true/false]` OR `mdatp --edr --earlyPreview [true/false]` for versions earlier than 100.78.0 | -|EDR |Add group tag to device. 
EDR tags are used for managing device groups. For more information, please visit https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-groups |`mdatp --edr --set-tag GROUP [name]` | -|EDR |Remove group tag from device |`mdatp --edr --remove-tag [name]` | +|Group |Scenario |Command | +|-------------|-------------------------------------------|----------------------------------------------------------------------------------| +|Configuration|Turn on/off real-time protection |`mdatp config real-time-protection [enabled/disabled]` | +|Configuration|Turn on/off cloud protection |`mdatp config cloud --value [enabled/disabled]` | +|Configuration|Turn on/off product diagnostics |`mdatp config cloud-diagnostic --value [enabled/disabled]` | +|Configuration|Turn on/off automatic sample submission |`mdatp config cloud-automatic-sample-submission --value [enabled/disabled]` | +|Configuration|Add a threat name to the allowed list |`mdatp threat allowed add --name [threat-name]` | +|Configuration|Remove a threat name from the allowed list |`mdatp threat allowed remove --name [threat-name]` | +|Configuration|List all allowed threat names |`mdatp threat allowed list` | +|Configuration|Turn on PUA protection |`mdatp threat policy set --type potentially_unwanted_application -- action block` | +|Configuration|Turn off PUA protection |`mdatp threat policy set --type potentially_unwanted_application -- action off` | +|Configuration|Turn on audit mode for PUA protection |`mdatp threat policy set --type potentially_unwanted_application -- action audit` | +|Configuration|Turn on/off passiveMode |`mdatp config passive-mode --value enabled [enabled/disabled]` | +|Diagnostics |Change the log level |`mdatp log level set --level [error/warning/info/verbose]` | +|Diagnostics |Generate diagnostic logs |`mdatp diagnostic create` | +|Health |Check the product's health |`mdatp health` | +|Health |Check for a spefic product attribute |`mdatp health --field 
[attribute: healthy/licensed/engine_version...]` | +|Protection |Scan a path |`mdatp scan custom --path [path]` | +|Protection |Do a quick scan |`mdatp scan quick` | +|Protection |Do a full scan |`mdatp scan full` | +|Protection |Cancel an ongoing on-demand scan |`mdatp scan cancel` | +|Protection |Request a security intelligence update |`mdatp definitions update` | +|EDR |Turn on/off EDR preview for Mac |`mdatp edr early-preview [enabled/disabled]` | +|EDR |Add group tag to device. EDR tags are used for managing device groups. For more information, please visit https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-groups |`mdatp edr tag set --name GROUP --value [name]` | +|EDR |Remove group tag from device |`mdatp edr tag remove --tag-name [name]` | +|EDR |Add Group Id |`mdatp edr group-ids --group-id [group]` | ### How to enable autocompletion @@ -129,7 +132,7 @@ To enable autocompletion in `zsh`: echo "autoload -Uz compinit && compinit" >> ~/.zshrc ``` -- Run the following command to enable autocompletion for Microsoft Defender ATP for Mac and restart the Terminal session: +- Run the following commands to enable autocompletion for Microsoft Defender ATP for Mac and restart the Terminal session: ```zsh sudo mkdir -p /usr/local/share/zsh/site-functions diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp.md b/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp.md index 645b1ecce5..5fde32aab8 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp.md 
@@ -19,13 +19,20 @@ ms.topic: conceptual # Schedule scans with Microsoft Defender ATP for Mac -While you can start a threat scan at any time with Microsoft Defender ATP, your enterprise might benefit from scheduled or timed scans. For example, you can schedule a scan to run at the beginning of every workday or week. Create a scanning schedule using launchd on a macOS computer. +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -## Schedule a scan with launchd -1. Create a new .xml file. Use the following example to create your scanning schedule file. +While you can start a threat scan at any time with Microsoft Defender ATP, your enterprise might benefit from scheduled or timed scans. For example, you can schedule a scan to run at the beginning of every workday or week. - ```xml +## Schedule a scan with *launchd* + +You can create a scanning schedule using the *launchd* daemon on a macOS device. + +1. The following code shows the schema you need to use to schedule a scan. Open a text editor and use this example as a guide for your own scheduled scan file. + + For more information on the *.plist* file format used here, see [About Information Property List Files](https://developer.apple.com/library/archive/documentation/General/Reference/InfoPlistKeyReference/Articles/AboutInformationPropertyListFiles.html) at the official Apple developer website. + + ```XML 
@@ -60,22 +67,30 @@ While you can start a threat scan at any time with Microsoft Defender ATP, your ``` -2. Save the file as a program configuration file (.plist) with the name com.microsoft.wdav.schedquickscan.plist. +2. Save the file as *com.microsoft.wdav.schedquickscan.plist*. - >[!NOTE] - >To change a quick scan to a full scan, use /usr/local/bin/mdatp --scan –full in the array string and update your .plist filename. + > [!TIP] + > To run a full scan instead of a quick scan, change line 12, `/usr/local/bin/mdatp --scan --quick`, to use the `--full` option instead of `--quick` (i.e. `/usr/local/bin/mdatp --scan --full`) and save the file as *com.microsoft.wdav.sched**full**scan.plist* instead of *com.microsoft.wdav.sched**quick**scan.plist*. -3. Search for, and then open **Terminal**. -4. To load your file into **launchd**, enter the following commands: +3. Open **Terminal**. +4. Enter the following commands to load your file: ```bash launchctl load /Library/LaunchDaemons/ - ``` - ```bash launchctl start ``` -5. Your scheduled scan runs at the date, time, and frequency you defined in your .plist file. In the example, the scan runs at 2:00 AM every seven days on a Friday, with the StartInterval using 604,800 seconds for one week. +5. Your scheduled scan will run at the date, time, and frequency you defined in your p-list. In the example, the scan runs at 2:00 AM every Friday. - > [!NOTE] - > Agents executed with launchd will not run at the scheduled time if the computer is asleep, but will run once the computer is awake. If the computer is off, the scan will not run until the computer is on at the next scheduled time. + Note that the `StartInterval` value is in seconds, indicating that scans should run every 604,800 seconds (one week), while the `Weekday` value of `StartCalendarInterval` uses an integer to indicate the fifth day of the week, or Friday. 
+ + > [!IMPORTANT] + > Agents executed with *launchd* will not run at the scheduled time while the device is asleep. They will instead run once the device resumes from sleep mode. + > + > If the device is turned off, the scan will run at the next scheduled scan time. + +## Schedule a scan with Intune + +You can also schedule scans with Microsoft Intune. The [runMDATPQuickScan.sh](https://github.com/microsoft/shell-intune-samples/tree/master/Misc/MDATP#runmdatpquickscansh) shell script available at [Scripts for Microsoft Defender Advanced Threat Protection](https://github.com/microsoft/shell-intune-samples/tree/master/Misc/MDATP) will persist when the device resumes from sleep mode. + +See [Use shell scripts on macOS devices in Intune](https://docs.microsoft.com/mem/intune/apps/macos-shell-scripts) for more detailed instructions on how to use this script in your enterprise. diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-support-install.md b/windows/security/threat-protection/microsoft-defender-atp/mac-support-install.md index 7c4e538f90..feb636fd2d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-support-install.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-support-install.md @@ -19,6 +19,9 @@ ms.topic: conceptual # Troubleshoot installation issues for Microsoft Defender ATP for Mac +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-support-kext.md b/windows/security/threat-protection/microsoft-defender-atp/mac-support-kext.md index e8edd981e3..f773e91875 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-support-kext.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-support-kext.md 
@@ -19,6 +19,9 @@ ms.topic: conceptual # Troubleshoot kernel extension issues in Microsoft Defender ATP for Mac +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md) @@ -49,7 +52,7 @@ The following sections provide guidance on how to address this issue, depending See the instructions corresponding to the management tool that you used to deploy the product: -- [JAMF-based deployment](mac-install-with-jamf.md#configuration-profile) +- [JAMF-based deployment](mac-install-with-jamf.md) - [Microsoft Intune-based deployment](mac-install-with-intune.md#create-system-configuration-profiles) ## Manual deployment @@ -95,4 +98,4 @@ In this case, you need to perform the following steps to trigger the approval fl realTimeProtectionAvailable : true realTimeProtectionEnabled : true ... - ``` \ No newline at end of file + ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-support-license.md b/windows/security/threat-protection/microsoft-defender-atp/mac-support-license.md index 77c330a95d..72cfd50ff0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-support-license.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-support-license.md @@ -19,6 +19,9 @@ ms.topic: conceptual # Troubleshoot license issues for Microsoft Defender ATP for Mac +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md b/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md index 4bdc6a325d..04cfb43c25 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md 
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md @@ -19,6 +19,9 @@ ms.topic: conceptual # Troubleshoot performance issues for Microsoft Defender ATP for Mac +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-policies.md b/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-policies.md index 3cd6ef23e7..24c22d7bd0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-policies.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-policies.md @@ -20,6 +20,9 @@ ROBOTS: noindex,nofollow # New configuration profiles for macOS Catalina and newer versions of macOS +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + In alignment with macOS evolution, we are preparing a Microsoft Defender ATP for Mac update that leverages system extensions instead of kernel extensions. This update will only be applicable to macOS Catalina (10.15.4) and newer versions of macOS. If you have deployed Microsoft Defender ATP for Mac in a managed environment (through JAMF, Intune, or another MDM solution), you must deploy new configuration profiles. Failure to do these steps will result in users getting approval prompts to run these new components. @@ -279,3 +282,5 @@ To deploy this custom configuration profile: ![System extension in Intune screenshot](images/mac-system-extension-intune.png) +5. In the `Assignments` tab, assign this profile to **All Users & All devices**. +6. Review and create this configuration profile. 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-preview.md b/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-preview.md new file mode 100644 index 0000000000..27ec242709 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-preview.md 
@@ -0,0 +1,150 @@ +--- +title: Microsoft Defender ATP for Mac - System Extensions (Public Preview) +description: This article contains instructions for trying out the system extensions functionality of Microsoft Defender ATP for Mac. This functionality is currently in public preview. +keywords: microsoft, defender, atp, mac, kernel, system, extensions, catalina +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: security +ms.sitesec: library +ms.pagetype: security +ms.author: dansimp +author: dansimp +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +ROBOTS: noindex,nofollow +--- + +# Microsoft Defender ATP for Mac - System Extensions (Public Preview) + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + +In alignment with macOS evolution, we are preparing a Microsoft Defender ATP for Mac update that leverages system extensions instead of kernel extensions. This update will only be applicable to macOS Catalina (10.15.4) and newer versions of macOS. + +This functionality is currently in public preview. This article contains instructions for enabling this functionality on your device. You can choose to try out this feature locally on your own device or configure it remotely through a management tool. + +These steps assume you already have Microsoft Defender ATP running on your device. For more information, see [this page](microsoft-defender-atp-mac.md). + +## Known issues + +- We’ve received reports of the network extension interfering with Apple SSO Kerberos extension. +- The current version of the product still installs a kernel extension. The kernel extension is only used as a fallback mechanism and will be removed before this feature reaches public preview. +- We are still working on a product version that deploys and functions properly on macOS 11 Big Sur. 
+ +## Deployment prerequisites + +- Minimum operating system version: **10.15.4** +- Minimum product version: **101.03.73** +- Your device must be in the **Insider Fast update channel**. You can check the update channel using the following command: + +```bash +mdatp --health releaseRing +``` + +If your device is not already in the Insider Fast update channel, execute the following command from the Terminal. The channel update takes effect next time the product starts (when the next product update is installed or when the device is rebooted). + +```bash +defaults write com.microsoft.autoupdate2 ChannelName -string InsiderFast +``` + +Alternatively, if you are in a managed environment (JAMF or Intune), you can configure the update channel remotely. For more information, see [this page](mac-updates.md#set-the-channel-name). + +## Deployment steps + +Select the deployment steps corresponding to your environment and your preferred method of trying out this feature. + +### Manual deployment + +#### Approve the system extensions & enable the network extension + +Once all deployment prerequisites are met, restart your device to start the system extension approval and activation process. + +You will be presented series of system prompts to approve the Microsoft Defender ATP system extensions. You must approve ALL prompts from the series, because macOS requires an explicit approval for each extension that Microsoft Defender ATP for Mac installs on the device. + +For each approval, click **Open Security Preferences** and then click **Allow** to allow the system extension to run. + +> [!IMPORTANT] +> Between subsequent approvals, you must close and re-open the **System Preferences** > **Security & Privacy** window, otherwise macOS will not display the next approval. + +> [!IMPORTANT] +> There is a one minute timeout before the product falls back to the kernel extension (to ensure that the device is protected). 
+> +> If more than one minute has elapsed, restart the daemon (by rebooting the device or using `sudo killall -9 wdavdaemon`) in order to trigger the approval flow again. + +![System extension approval pop-up](images/mac-system-extension-approval.png) + +![System extension approval window](images/mac-system-extension-pref.png) + +Following the approval of the system extensions, macOS will prompt for an approval to allow network traffic to be filtered. Click **Allow**. + +![Network extension approval pop-up](images/mac-system-extension-filter.png) + +#### Grant Full Disk Access to the Endpoint Security system extension + +Open **System Preferences** > **Security & Privacy** > **Privacy** tab and grant **Full Disk Access** to the **Microsoft Defender Endpoint Security Extension**. + +![Full disk access for Endpoint Security system extension](images/mac-system-extension-fda.png) + +#### Reboot your device + +In order for the changes to take effect, you must reboot your device. + +#### Verify that the system extensions are running + +From the Terminal, run the following command: + +```bash +mdatp health --field real_time_protection_subsystem +``` + +Terminal output `endpoint_security_extension` indicates the product is using the system extensions functionality. + +### Managed deployment + +Refer to [this page](mac-sysext-policies.md#jamf) for the new configuration profiles that must be deployed for this new feature. + +In addition to those profiles, make sure the target devices are also configured to be in the Insider Fast update channel, as described in [this section](#deployment-prerequisites). + +On a device where all prerequisites are met and the new configuration profiles have been deployed, run: + +```bash +$ mdatp health --field real_time_protection_subsystem +``` + +If this command prints `endpoint_security_extension`, then the product is using the system extensions functionality. + +## Validate basic scenarios + +1. Test EICAR detection. 
From a Terminal window, run: + +```bash +curl -o eicar.txt https://secure.eicar.org/eicar.com.txt +``` + + Verify that the EICAR file is quarantined. This verification can be done from the user interface (from the Protection History page) or command line using the following command: + +```bash +mdatp threat list +``` + +2. Test EDR DIY scenario. From a terminal window, run: + +```bash +curl -o "MDATP MacOS DIY.zip" https://aka.ms/mdatpmacosdiy +``` + + Validate that two alerts have popped up in the portal in the machine page for EICAR and EDR DIY scenarios. + +## Frequently asked questions + +- Q: Why am I still seeing `kernel_extension` when I run `mdatp health --field real_time_protection_subsystem`? + + A: Refer back to the [Deployment prerequisites](#deployment-prerequisites) section and double-check all of them are met. If all prerequisites are met, restart your device and check again. + +- Q: When is macOS 11 Big Sur going to be supported? + + A: We are actively working on adding support for macOS 11. We will post more information to the [What's new](mac-whatsnew.md). diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-updates.md b/windows/security/threat-protection/microsoft-defender-atp/mac-updates.md index 16b648b1c4..a356d8d895 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-updates.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-updates.md @@ -19,6 +19,9 @@ ms.topic: conceptual # Deploy updates for Microsoft Defender ATP for Mac +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md) 
@@ -221,4 +224,4 @@ To configure MAU, you can deploy this configuration profile from the management ## Resources -- [msupdate reference](https://docs.microsoft.com/deployoffice/mac/update-office-for-mac-using-msupdate) \ No newline at end of file +- [msupdate reference](https://docs.microsoft.com/deployoffice/mac/update-office-for-mac-using-msupdate) diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md b/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md index 4b48c8771f..1284f53db5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md @@ -1,6 +1,6 @@ --- title: What's new in Microsoft Defender Advanced Threat Protection for Mac -description: List of major changes for Microsoft Defender ATP for Mac. +description: Learn about the major changes for previous versions of Microsoft Defender Advanced Threat Protection for Mac. keywords: microsoft, defender, atp, mac, installation, macos, whatsnew search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -19,6 +19,9 @@ ms.topic: conceptual # What's new in Microsoft Defender Advanced Threat Protection for Mac +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + > [!IMPORTANT] > In preparation for macOS 11 Big Sur, we are getting ready to release an update to Microsoft Defender ATP for Mac that will leverage new system extensions instead of kernel extensions. Apple will stop supporting kernel extensions starting macOS 11 Big Sur version. Therefore an update to the Microsoft Defender ATP for Mac agent is required on all eligible macOS devices prior to moving these devices to macOS 11. 
> @@ -38,6 +41,31 @@ ms.topic: conceptual > 2. Refer to this documentation for detailed configuration information and instructions: [New configuration profiles for macOS Catalina and newer versions of macOS](mac-sysext-policies.md). > 3. Monitor this page for an announcement of the actual release of MDATP for Mac agent update. +## 101.07.23 + +- Added new fields to the output of `mdatp --health` for checking the status of passive mode and the EDR group ID + + > [!NOTE] + > `mdatp --health` will be replaced with `mdatp health` in a future product update. + +- Fixed a bug where automatic sample submission was not marked as managed in the user interface +- Added new settings for controlling the retention of items in the antivirus scan history. You can now [specify the number of days to retain items in the scan history](mac-preferences.md#antivirus-scan-history-retention-in-days) and [specify the maximum number of items in the scan history](mac-preferences.md#maximum-number-of-items-in-the-antivirus-scan-history) +- Bug fixes + +## 101.06.63 + +- Addressed a performance regression introduced in version `101.05.17`. The regression was introduced with the fix to eliminate the kernel panics some customers have observed when accessing SMB shares. We have reverted this code change and are investigating alternative ways to eliminate the kernel panics. + +## 101.05.17 + +> [!IMPORTANT] +> We are working on a new and enhanced syntax for the `mdatp` command-line tool. The new syntax is currently the default in the Insider Fast and Insider Slow update channels. We encourage you to famliliarize yourself with this new syntax. +> +> We will continue supporting the old syntax in parallel with the new syntax and will provide more communication around the deprecation plan for the old syntax in the upcoming months. 
+ +- Addressed a kernel panic that occurred sometimes when accessing SMB file shares +- Performance improvements & bug fixes + ## 101.05.16 - Improvements to quick scan logic to significantly reduce the number of scanned files @@ -132,6 +160,6 @@ ms.topic: conceptual > The mechanism for granting this consent depends on how you deployed Microsoft Defender ATP: > > - For manual deployments, see the updated instructions in the [Manual deployment](mac-install-manually.md#how-to-allow-full-disk-access) topic. - > - For managed deployments, see the updated instructions in the [JAMF-based deployment](mac-install-with-jamf.md#privacy-preferences-policy-control) and [Microsoft Intune-based deployment](mac-install-with-intune.md#create-system-configuration-profiles) topics. + > - For managed deployments, see the updated instructions in the [JAMF-based deployment](mac-install-with-jamf.md) and [Microsoft Intune-based deployment](mac-install-with-intune.md#create-system-configuration-profiles) topics. - Performance improvements & bug fixes diff --git a/windows/security/threat-protection/microsoft-defender-atp/machine-groups.md b/windows/security/threat-protection/microsoft-defender-atp/machine-groups.md index 55b903fa52..678340162e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/machine-groups.md +++ b/windows/security/threat-protection/microsoft-defender-atp/machine-groups.md @@ -19,6 +19,9 @@ ms.topic: article # Create and manage device groups +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - Azure Active Directory diff --git a/windows/security/threat-protection/microsoft-defender-atp/machine-reports.md b/windows/security/threat-protection/microsoft-defender-atp/machine-reports.md index 6ff6a3213c..3349058516 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/machine-reports.md +++ b/windows/security/threat-protection/microsoft-defender-atp/machine-reports.md 
@@ -19,6 +19,9 @@ ms.topic: article # Device health and compliance report in Microsoft Defender ATP +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) @@ -86,4 +89,4 @@ For example, to show data about Windows 10 devices with Active sensor health sta ## Related topic -- [Threat protection report](threat-protection-reports.md) \ No newline at end of file +- [Threat protection report](threat-protection-reports.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/machine-tags.md b/windows/security/threat-protection/microsoft-defender-atp/machine-tags.md index 0ee6e199c0..73940895f1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/machine-tags.md +++ b/windows/security/threat-protection/microsoft-defender-atp/machine-tags.md @@ -19,6 +19,9 @@ ms.topic: article # Create and manage device tags +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + Add tags on devices to create a logical group affiliation. Device tags support proper mapping of the network, enabling you to attach different tags to capture context and to enable dynamic list creation as part of an incident. Tags can be used as a filter in **Devices list** view, or to group devices. For more information on device grouping, see [Create and manage device groups](machine-groups.md). You can add tags on devices using the following ways: diff --git a/windows/security/threat-protection/microsoft-defender-atp/machine.md b/windows/security/threat-protection/microsoft-defender-atp/machine.md index 92e5b76fd8..074b8fc31f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/machine.md +++ b/windows/security/threat-protection/microsoft-defender-atp/machine.md 
@@ -1,6 +1,6 @@ --- title: Machine resource type -description: Retrieves top machines +description: Learn about the methods and properties of the Machine resource type in Microsoft Defender Advanced Threat Protection. keywords: apis, supported apis, get, machines search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -18,6 +18,9 @@ ms.topic: article # Machine resource type +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/machineaction.md b/windows/security/threat-protection/microsoft-defender-atp/machineaction.md index 930d43341f..683d807480 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/machineaction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/machineaction.md @@ -1,6 +1,6 @@ --- title: machineAction resource type -description: Quickly respond to detected attacks by isolating machines or collecting an investigation package. +description: Learn about the methods and properties of the MachineAction resource type in Microsoft Defender Advanced Threat Protection. keywords: apis, supported apis, get, machineaction, recent search.product: eADQiWindows 10XVcnh ms.prod: w10 
@@ -18,6 +18,9 @@ ms.topic: article # MachineAction resource type +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) @@ -73,4 +76,4 @@ ms.topic: article "lastUpdateDateTimeUtc": "2019-01-02T14:40:44.6596267Z", "relatedFileInfo": null } -``` \ No newline at end of file +``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/machines-view-overview.md b/windows/security/threat-protection/microsoft-defender-atp/machines-view-overview.md index 2b4a77dcc3..ff9c54a53f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/machines-view-overview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/machines-view-overview.md @@ -19,6 +19,9 @@ ms.topic: article # View and organize the Microsoft Defender ATP Devices list +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/manage-alerts.md index 3359a3bbc8..c4d934024e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-alerts.md 
@@ -19,6 +19,9 @@ ms.topic: article
 # Manage Microsoft Defender Advanced Threat Protection alerts
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
 **Applies to:**
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-configuration-manager.md b/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-configuration-manager.md
index 022658e40b..9ccda31130 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-configuration-manager.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-configuration-manager.md
@@ -15,10 +15,15 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: article
+ms.date: 09/04/2020
+ms.reviewer: chventou
 ---
 # Manage Microsoft Defender Advanced Threat Protection with Configuration Manager
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
 **Applies to:**
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-group-policy-objects.md b/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-group-policy-objects.md
index 1e7317f3e8..ffc5159b81 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-group-policy-objects.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-group-policy-objects.md
@@ -15,10 +15,15 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: article
+ms.date: 09/04/2020
+ms.reviewer: chventou
 ---
 # Manage Microsoft Defender Advanced Threat Protection with Group Policy Objects
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
 **Applies to:**
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-intune.md b/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-intune.md
index 6801853a3f..2d23d54ba2 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-intune.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-intune.md
@@ -15,10 +15,15 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: article
+ms.date: 09/04/2020
+ms.reviewer: chventou
 ---
 # Manage Microsoft Defender Advanced Threat Protection with Intune
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
 **Applies to:**
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-other-tools.md b/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-other-tools.md
index 245b969459..e2f1cc83dc 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-other-tools.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-other-tools.md
@@ -15,10 +15,15 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: article
+ms.date: 09/04/2020
+ms.reviewer: chventou
 ---
 # Manage Microsoft Defender Advanced Threat Protection with PowerShell, WMI, and MPCmdRun.exe
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
 **Applies to:**
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration.md b/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration.md
index f716c99579..ec99415384 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration.md
@@ -14,11 +14,16 @@ ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
-ms.topic: article
+ms.topic: conceptual
+ms.date: 09/04/2020
+ms.reviewer: chventou
 ---
 # Manage Microsoft Defender Advanced Threat Protection, post migration
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
 **Applies to:**
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md b/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md
index 913a4d215c..116cc0e459 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md
@@ -1,5 +1,5 @@
 ---
-title: Review and approve actions following automated investigations in the Microsoft Defender Security Center
+title: Review and approve remediation actions following automated investigations in the Microsoft Defender Security Center
 description: Review and approve (or reject) remediation actions following an automated investigation.
 keywords: autoir, automated, investigation, detection, dashboard, source, threat types, id, tags, devices, duration, filter export
 search.product: eADQiWindows 10XVcnh
@@ -15,47 +15,82 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual +ms.date: 09/15/2020 --- -# Review and approve actions following an automated investigation +# Review and approve remediation actions following an automated investigation + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + ## Remediation actions -When an automated investigation runs, a verdict is generated for each piece of evidence investigated. Verdicts can be *Malicious*, *Suspicious*, or *No threats found*. Depending on the type of threat and resulting verdict, remediation actions occur automatically or upon approval by your organization’s security operations team. For example, some actions, such as removing malware, are taken automatically. Other actions require review and approval to proceed. +When an [automated investigation](automated-investigations.md) runs, a verdict is generated for each piece of evidence investigated. Verdicts can be *Malicious*, *Suspicious*, or *No threats found*. -When a verdict of *Malicious* is reached for a piece of evidence, Microsoft Defender Advanced Threat Protection takes one of the following remediation actions automatically: +Depending on + +- the type of threat, +- the resulting verdict, and +- how your organization's [device groups](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-groups) are configured, + +remediation actions can occur automatically or only upon approval by your organization’s security operations team. + +Here are a few examples: + +- Example 1: Fabrikam's device groups are set to **Full - remediate threats automatically** (this is the recommended setting). In this case, remediation actions are taken automatically for artifacts that are considered to be malicious following an automated investigation. (See [Review completed actions](#review-completed-actions).) 
+ +- Example 2: Contoso's devices are included in a device group that is set for **Semi - require approval for any remediation**. In this case, Contoso's security operations team must review and approve all remediation actions following an automated investigation. (See [Review pending actions](#review-pending-actions).) + +- Example 3: Tailspin Toys has their device groups set to **No automated response** (this is not recommended). In this case, automated investigations do not occur. As a result, no remediation actions are taken or pending, and no actions are logged in the [Action center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center#the-action-center) for their devices. (See [Manage device groups](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-groups#manage-device-groups)) + +Whether taken automatically or upon approval, remediation actions following an automated investigation include the following: - Quarantine a file -- Remove a registry key -- Kill a process -- Stop a service -- Remove a registry key -- Disable a driver +- Remove a registry key +- Kill a process +- Stop a service +- Remove a registry key +- Disable a driver - Remove a scheduled task -Evidence determined as *Suspicious* results in pending actions that require approval. As a best practice, make sure to [approve (or reject) pending actions](#review-pending-actions) as soon as possible so that you automated investigations complete in a timely manner. +### Automated investigation results and remediation actions -No actions are taken when a verdict of *No threats found* is reached for a piece of evidence. +The following table summarizes remediation actions following an automated investigation, how device group settings affect whether actions are taken automatically or upon approval, and what to do in each case. 
+ +|Device group setting | Automated investigation results | What to do | +|:---|:---|:---| +|**Full - remediate threats automatically** (this is the recommended setting) |A verdict of *Malicious* is reached for a piece of evidence.

                        Appropriate remediation actions are taken automatically. |[Review completed actions](#review-completed-actions) | +|**Full - remediate threats automatically** |A verdict of *Suspicious* is reached for a piece of evidence.

                        Remediation actions are pending approval to proceed. | [Approve (or reject) pending actions](#review-pending-actions) | +|**Semi - require approval for any remediation** |A verdict of either *Malicious* or *Suspicious* is reached for a piece of evidence.

                        Remediation actions are pending approval to proceed. |[Approve (or reject) pending actions](#review-pending-actions) | +|**Semi - require approval for core folders remediation** |A verdict of *Malicious* is reached for a piece of evidence.

                        If the artifact is a file or executable and is in an operating system directory, such as the Windows folder or the Program files folder, then remediation actions are pending approval.

                        If the artifact is *not* in an operating system directory, remediation actions are taken automatically. |1. [Approve (or reject) pending actions](#review-pending-actions)

                        2. [Review completed actions](#review-completed-actions) | +|**Semi - require approval for core folders remediation** |A verdict of *Suspicious* is reached for a piece of evidence.

                        Remediation actions are pending approval. |[Approve (or reject) pending actions](#review-pending-actions).| +|**Semi - require approval for non-temp folders remediation** |A verdict of *Malicious* is reached for a piece of evidence.

                        If the artifact is a file or executable that is not in a temporary folder, such as the user's downloads folder or temp folder, remediation actions are pending approval.

                        If the artifact is a file or executable that *is* in a temporary folder, remediation actions are taken automatically. |1. [Approve (or reject) pending actions](#review-pending-actions)

                        2. [Review completed actions](#review-completed-actions) | +|**Semi - require approval for non-temp folders remediation** |A verdict of *Suspicious* is reached for a piece of evidence.

                        Remediation actions are pending approval. |[Approve (or reject) pending actions](#review-pending-actions) | +|Any of the **Full** or **Semi** automation levels |A verdict of *No threats found* is reached for a piece of evidence.

                        No remediation actions are taken, and no actions are pending approval. |[View details and results of automated investigations](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center) | +|**No automated response** (this is not recommended)|No automated investigations run, so no verdicts are reached, and no remediation actions are taken or awaiting approval. |[Consider setting up or changing your device groups to use **Full** or **Semi** automation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-groups) | In Microsoft Defender Advanced Threat Protection, all verdicts are [tracked and viewable in the Microsoft Defender Security Center](#review-completed-actions). +> [!TIP] +> To learn more about remediation actions following an automated investigation, see [How threats are remediated](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations#how-threats-are-remediated). + + ## Review pending actions -1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. You'll see the Security dashboard. +1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. You'll see the [Security operations dashboard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard). -2. On the Security dashboard, in the navigation pane on the left, choose **Automated investigations** > **Action center**. +2. On the Security operations dashboard, in the navigation pane on the left, choose **Automated investigations** > **Action center**. 3. Review any items on the **Pending** tab. - Select an investigation from any of the categories to open a panel where you can approve or reject remediation actions. 
Other details such as file or service details, investigation details, and alert details are displayed. From the panel, you can click on the **Open investigation page** link to see the investigation details. - - You can also select multiple investigations to approve or reject actions on multiple investigations. +4. Select an investigation from any of the categories to open a panel where you can approve or reject remediation actions. + Other details such as file or service details, investigation details, and alert details are displayed. From the panel, you can click on the **Open investigation page** link to see the investigation details. You can also select multiple investigations to approve or reject actions on multiple investigations. ## Review completed actions -1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. You'll see the Security dashboard. +1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. You'll see the [Security operations dashboard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard). -2. On the Security dashboard, in the navigation pane on the left, choose **Automated investigations** > **Action center**. +2. On the Security operations dashboard, in the navigation pane on the left, choose **Automated investigations** > **Action center**. 3. Select the **History** tab. (If need be, expand the time period to display more data.) 
@@ -67,10 +102,3 @@ In Microsoft Defender Advanced Threat Protection, all verdicts are [tracked and - [View details and results of automated investigations](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center) -- [Get an overview of live response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/live-response) - -## Related articles - -- [Automated investigation and response in Office 365 Advanced Threat Protection](https://docs.microsoft.com/microsoft-365/security/office-365-security/office-365-air) - -- [Automated investigation and response in Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/mtp-autoir) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-automation-file-uploads.md b/windows/security/threat-protection/microsoft-defender-atp/manage-automation-file-uploads.md index 8a8857b964..5dfefb6a2a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-automation-file-uploads.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-automation-file-uploads.md @@ -19,6 +19,9 @@ ms.topic: article # Manage automation file uploads +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-automation-folder-exclusions.md b/windows/security/threat-protection/microsoft-defender-atp/manage-automation-folder-exclusions.md index 3512070e46..056f3d9d05 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-automation-folder-exclusions.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-automation-folder-exclusions.md 
@@ -19,6 +19,9 @@ ms.topic: article # Manage automation folder exclusions +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-edr.md b/windows/security/threat-protection/microsoft-defender-atp/manage-edr.md index 2fb891a0ed..1755204179 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-edr.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-edr.md @@ -20,6 +20,9 @@ ms.topic: conceptual # Manage endpoint detection and response capabilities +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + Manage the alerts queue, investigate devices in the devices list, take response actions, and hunt for possible threats in your organization using advanced hunting. diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-incidents.md b/windows/security/threat-protection/microsoft-defender-atp/manage-incidents.md index 8ee9cd8e12..05f77e6b94 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-incidents.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-incidents.md @@ -20,6 +20,9 @@ ms.date: 10/08/2018 # Manage Microsoft Defender ATP incidents +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) 
@@ -34,13 +37,13 @@ Selecting an incident from the **Incidents queue** brings up the **Incident mana You can assign incidents to yourself, change the status and classification, rename, or comment on them to keep track of their progress. > [!TIP] -> For additional visibility at-a-glance, automatic incident naming, currently in public preview, generates incident names based on alert attributes such as the number of endpoints affected, users affected, detection sources or categories. This allows you to quickly understand the scope of the incident. +> For additional visibility at a glance, incident names are automatically generated based on alert attributes such as the number of endpoints affected, users affected, detection sources or categories. This allows you to quickly understand the scope of the incident. > > For example: *Multi-stage incident on multiple endpoints reported by multiple sources.* > -> Incidents that existed prior the rollout of automatic incident naming will not have their name changed. +> Incidents that existed prior the rollout of automatic incident naming will retain their names. > -> Learn more about [turning on preview features](preview.md#turn-on-preview-features). + ![Image of incident detail page](images/atp-incident-details-updated.png) diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md b/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md index e17e4280c2..b8a672c6a3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md 
@@ -1,6 +1,6 @@ --- -title: Create indicators -ms.reviewer: +title: Create indicators +ms.reviewer: description: Create indicators for a file hash, IP address, URLs, or domains that define the detection, prevention, and exclusion of entities. keywords: manage, allowed, blocked, block, clean, malicious, file hash, ip address, urls, domain search.product: eADQiWindows 10XVcnh @@ -14,11 +14,14 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article --- -# Create indicators +# Create indicators + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) @@ -40,10 +43,10 @@ The same list of indicators is honored by the prevention agent. Meaning, if Micr **Automated investigation and remediation engine**
                        The automated investigation and remediation behave the same. If an indicator is set to "Allow", Automated investigation and remediation will ignore a "bad" verdict for it. If set to "Block", Automated investigation and remediation will treat it as "bad". - + The current supported actions are: -- Allow +- Allow - Alert only - Alert and block @@ -51,11 +54,11 @@ The current supported actions are: You can create an indicator for: - [Files](indicator-file.md) - [IP addresses, URLs/domains](indicator-ip-domain.md) -- [Certificates (preview)](indicator-certificates.md) +- [Certificates](indicator-certificates.md) >[!NOTE] ->There is a limit of 15,000 indicators per tenant. +>There is a limit of 15,000 indicators per tenant. ## Related topics diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-suppression-rules.md b/windows/security/threat-protection/microsoft-defender-atp/manage-suppression-rules.md index 04bb26271d..2db2ff913f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-suppression-rules.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-suppression-rules.md @@ -1,6 +1,6 @@ --- title: Manage Microsoft Defender Advanced Threat Protection suppression rules -description: Manage suppression rules +description: You might need to prevent alerts from appearing in the portal by using suppression rules. Learn how to manage your suppression rules in Microsoft Defender ATP. keywords: manage suppression, rules, rule name, scope, action, alerts, turn on, turn off search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -19,6 +19,9 @@ ms.topic: article # Manage suppression rules +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) 
@@ -43,4 +46,4 @@ You can view a list of all the suppression rules and manage them in one place. Y ## Related topics -- [Manage alerts](manage-alerts.md) \ No newline at end of file +- [Manage alerts](manage-alerts.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/management-apis.md b/windows/security/threat-protection/microsoft-defender-atp/management-apis.md index 24695b7456..45de6c024c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/management-apis.md +++ b/windows/security/threat-protection/microsoft-defender-atp/management-apis.md @@ -20,6 +20,9 @@ ms.topic: conceptual # Overview of management and APIs +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-migration.md b/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-migration.md new file mode 100644 index 0000000000..87e7025713 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-migration.md 
@@ -0,0 +1,62 @@ +--- +title: Migrate from McAfee to Microsoft Defender ATP +description: Make the switch from McAfee to Microsoft Defender ATP. Read this article for an overview. +keywords: migration, windows defender advanced threat protection, atp, edr +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: deniseb +author: denisebmsft +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: +- M365-security-compliance +- m365solution-mcafeemigrate +- m365solution-overview +ms.topic: conceptual +ms.custom: migrationguides +ms.date: 09/03/2020 +ms.reviewer: jesquive, chventou, jonix, chriggs, owtho +--- + +# Migrate from McAfee to Microsoft Defender Advanced Threat Protection + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + +If you are planning to switch from McAfee Endpoint Security (McAfee) to [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection) (Microsoft Defender ATP), you're in the right place. Use this article as a guide to plan your migration. + +## The migration process + +When you switch from McAfee to Microsoft Defender ATP, you follow a process that can be divided into three phases, as described in the following table: + +|Phase |Description | +|--|--| +|[![Phase 1: Prepare](images/prepare.png)](mcafee-to-microsoft-defender-prepare.md)
                        [Prepare for your migration](mcafee-to-microsoft-defender-prepare.md) |During [the **Prepare** phase](mcafee-to-microsoft-defender-prepare.md), you update your organization's devices, get Microsoft Defender ATP, plan your roles and permissions, and grant access to the Microsoft Defender Security Center. You also configure your device proxy and internet settings to enable communication between your organization's devices and Microsoft Defender ATP. | +|[![Phase 2: Set up](images/setup.png)](mcafee-to-microsoft-defender-setup.md)
                        [Set up Microsoft Defender ATP](mcafee-to-microsoft-defender-setup.md) |During [the **Setup** phase](mcafee-to-microsoft-defender-setup.md), you enable Microsoft Defender Antivirus and make sure it's in passive mode, and you configure settings & exclusions for Microsoft Defender Antivirus, Microsoft Defender ATP, and McAfee. You also create device groups, collections, and organizational units. Finally, you configure your antimalware policies and real-time protection settings.| +|[![Phase 3: Onboard](images/onboard.png)](mcafee-to-microsoft-defender-onboard.md)
                        [Onboard to Microsoft Defender ATP](mcafee-to-microsoft-defender-onboard.md) |During [the **Onboard** phase](mcafee-to-microsoft-defender-onboard.md), you onboard your devices to Microsoft Defender ATP and verify that those devices are communicating with Microsoft Defender ATP. Last, you uninstall McAfee and make sure that protection through Microsoft Defender Antivirus & Microsoft Defender ATP is in active mode. | + +## What's included in Microsoft Defender ATP? + +In this migration guide, we focus on [next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) and [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) capabilities as a starting point for moving to Microsoft Defender ATP. However, Microsoft Defender ATP includes much more than antivirus and endpoint protection. Microsoft Defender ATP is a unified platform for preventative protection, post-breach detection, automated investigation, and response. The following table summarizes features and capabilities in Microsoft Defender ATP. + +| Feature/Capability | Description | +|---|---| +| [Threat & vulnerability management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt) | Threat & vulnerability management capabilities help identify, assess, and remediate weaknesses across your endpoints (such as devices). | +| [Attack surface reduction](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction) | Attack surface reduction rules help protect your organization's devices and applications from cyberthreats and attacks. 
| +| [Next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) | Next-generation protection includes Microsoft Defender Antivirus to help block threats and malware. | +| [Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) | Endpoint detection and response capabilities detect, investigate, and respond to intrusion attempts and active breaches. | +| [Advanced hunting](advanced-hunting-overview.md) | Advanced hunting capabilities enable your security operations team to locate indicators and entities of known or potential threats. | +| [Behavioral blocking and containment](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment) | Behavioral blocking and containment capabilities help identify and stop threats, based on their behaviors and process trees even when the threat has started execution. | +| [Automated investigation and remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations) | Automated investigation and response capabilities examine alerts and take immediate remediation action to resolve breaches. | +| [Threat hunting service](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts) (Microsoft Threat Experts) | Threat hunting services provide security operations teams with expert level monitoring and analysis, and to help ensure that critical threats aren't missed. | + +**Want to learn more? See [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection).** + +## Next step + +- Proceed to [Prepare for your migration](mcafee-to-microsoft-defender-prepare.md). 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-onboard.md b/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-onboard.md new file mode 100644 index 0000000000..07b9363521 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-onboard.md @@ -0,0 +1,95 @@ +--- +title: McAfee to Microsoft Defender ATP - Onboard +description: This is phase 3, Onboard, for migrating from McAfee to Microsoft Defender ATP. +keywords: migration, windows defender advanced threat protection, atp, edr +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: deniseb +author: denisebmsft +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: +- M365-security-compliance +- m365solution-McAfeemigrate +ms.custom: migrationguides +ms.topic: article +ms.date: 09/03/2020 +ms.reviewer: jesquive, chventou, jonix, chriggs, owtho +--- + +# Migrate from McAfee - Phase 3: Onboard to Microsoft Defender ATP + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + +|[![Phase 1: Prepare](images/prepare.png)](mcafee-to-microsoft-defender-prepare.md)
                        [Phase 1: Prepare](mcafee-to-microsoft-defender-prepare.md) |[![Phase 2: Set up](images/setup.png)](mcafee-to-microsoft-defender-setup.md)
                        [Phase 2: Set up](mcafee-to-microsoft-defender-setup.md) |![Phase 3: Onboard](images/onboard.png)
                        Phase 3: Onboard | +|--|--|--| +|| |*You are here!* | + + +**Welcome to Phase 3 of [migrating from McAfee Endpoint Security (McAfee) to Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](mcafee-to-microsoft-defender-migration.md#the-migration-process)**. This migration phase includes the following steps: + +1. [Onboard devices to Microsoft Defender ATP](#onboard-devices-to-microsoft-defender-atp). +2. [Run a detection test](#run-a-detection-test). +3. [Uninstall McAfee](#uninstall-mcafee). +4. [Make sure Microsoft Defender ATP is in active mode](#make-sure-microsoft-defender-atp-is-in-active-mode). + +## Onboard devices to Microsoft Defender ATP + +1. Go to the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)) and sign in. + +2. Choose **Settings** > **Device management** > **Onboarding**. + +3. In the **Select operating system to start onboarding process** list, select an operating system. + +4. Under **Deployment method**, select an option. Follow the links and prompts to onboard your organization's devices. Need help? See [Onboarding methods](#onboarding-methods). + +### Onboarding methods + +Deployment methods vary, depending on which operating system is selected. Refer to the resources listed in the table below to get help with onboarding. + +|Operating system |Method | +|---------|---------| +|Windows 10 |- [Group Policy](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp)
                        - [Configuration Manager](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm)
                        - [Mobile Device Management (Intune)](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm)
                        - [Local script](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script)

                        **NOTE**: A local script is suitable for a proof of concept but should not be used for production deployment. For a production deployment, we recommend using Group Policy, Microsoft Endpoint Configuration Manager, or Intune. | +|- Windows 8.1 Enterprise
                        - Windows 8.1 Pro
                        - Windows 7 SP1 Enterprise
                        - Windows 7 SP1 Pro | [Microsoft Monitoring Agent](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel#install-and-configure-microsoft-monitoring-agent-mma-to-report-sensor-data-to-microsoft-defender-atp)

                        **NOTE**: Microsoft Monitoring Agent is now Azure Log Analytics agent. To learn more, see [Log Analytics agent overview](https://docs.microsoft.com/azure/azure-monitor/platform/log-analytics-agent). | +|- Windows Server 2019 and later
                        - Windows Server 2019 core edition
                        - Windows Server version 1803 and later |- [Local script](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script)
                        - [Group Policy](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp)
                        - [Configuration Manager](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm)
                        - [System Center Configuration Manager](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm#onboard-windows-10-devices-using-earlier-versions-of-system-center-configuration-manager)
                        - [VDI onboarding scripts for non-persistent devices](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi)

                        **NOTE**: A local script is suitable for a proof of concept but should not be used for production deployment. For a production deployment, we recommend using Group Policy, Microsoft Endpoint Configuration Manager, or Intune. | +|- Windows Server 2016
                        - Windows Server 2012 R2
                        - Windows Server 2008 R2 SP1 |- [Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints#option-1-onboard-servers-through-microsoft-defender-security-center)
                        - [Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-wdatp) | +|macOS
                        - 10.15 (Catalina)
                        - 10.14 (Mojave)
                        - 10.13 (High Sierra)

                        iOS

                        Linux:
                        - RHEL 7.2+
                        - CentOS Linux 7.2+
                        - Ubuntu 16 LTS, or higher LTS
                        - SLES 12+
                        - Debian 9+
                        - Oracle Linux 7.2 |[Onboard non-Windows devices](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows) | + +## Run a detection test + +To verify that your onboarded devices are properly connected to Microsoft Defender ATP, you can run a detection test. + + +|Operating system |Guidance | +|---------|---------| +|- Windows 10
                        - Windows Server 2019
                        - Windows Server, version 1803
                        - Windows Server 2016
                        - Windows Server 2012 R2 |See [Run a detection test](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/run-detection-test).

                        Visit the Microsoft Defender ATP demo scenarios site ([https://demo.wd.microsoft.com](https://demo.wd.microsoft.com)) and try one or more of the scenarios. For example, try the **Cloud-delivered protection** demo scenario. | +|macOS
                        - 10.15 (Catalina)
                        - 10.14 (Mojave)
                        - 10.13 (High Sierra) |Download and use the DIY app at [https://aka.ms/mdatpmacosdiy](https://aka.ms/mdatpmacosdiy).

                        For more information, see [Microsoft Defender Advanced Threat Protection for Mac](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac). | +|Linux:
                        - RHEL 7.2+
                        - CentOS Linux 7.2+
                        - Ubuntu 16 LTS, or higher LTS
                        - SLES 12+
                        - Debian 9+
                        - Oracle Linux 7.2 |1. Run the following command, and look for a result of **1**:
                        `mdatp health --field real_time_protection_enabled`.

                        2. Open a Terminal window, and run the following command:
                        `curl -o ~/Downloads/eicar.com.txt https://www.eicar.org/download/eicar.com.txt`.

                        3. Run the following command to list any detected threats:
                        `mdatp threat list`.

                        For more information, see [Microsoft Defender ATP for Linux](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux). |
+
+## Uninstall McAfee
+
+Now that you have onboarded your organization's devices to Microsoft Defender ATP, your next step is to uninstall McAfee.
+
+To get help with this step, go to your McAfee support ServicePortal ([http://mysupport.mcafee.com](http://mysupport.mcafee.com)).
+
+## Make sure Microsoft Defender ATP is in active mode
+
+Now that you have uninstalled McAfee, your next step is to make sure that Microsoft Defender Antivirus and endpoint detection and response are enabled and in active mode.
+
+To do this, visit the Microsoft Defender ATP demo scenarios site ([https://demo.wd.microsoft.com](https://demo.wd.microsoft.com)). Try one or more of the demo scenarios on that page, including at least the following:
+- Cloud-delivered protection
+- Potentially Unwanted Applications (PUA)
+- Network Protection (NP)
+
+## Next steps
+
+**Congratulations**! You have completed your [migration from McAfee to Microsoft Defender ATP](mcafee-to-microsoft-defender-migration.md#the-migration-process)!
+
+- [Visit your security operations dashboard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard) in the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)).
+- [Manage Microsoft Defender Advanced Threat Protection, post migration](manage-atp-post-migration.md).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-prepare.md b/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-prepare.md
new file mode 100644
index 0000000000..91961c7159
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-prepare.md
@@ -0,0 +1,122 @@
+---
+title: McAfee to Microsoft Defender ATP - Prepare
+description: This is phase 1, Prepare, for migrating from McAfee to Microsoft Defender ATP.
+keywords: migration, windows defender advanced threat protection, atp, edr
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: deniseb
+author: denisebmsft
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection:
+- M365-security-compliance
+- m365solution-mcafeemigrate
+ms.topic: article
+ms.custom: migrationguides
+ms.date: 09/03/2020
+ms.reviewer: jesquive, chventou, jonix, chriggs, owtho
+---
+
+# Migrate from McAfee - Phase 1: Prepare for your migration
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
+|![Phase 1: Prepare](images/prepare.png)
                        Phase 1: Prepare |[![Phase 2: Set up](images/setup.png)](mcafee-to-microsoft-defender-setup.md)
                        [Phase 2: Set up](mcafee-to-microsoft-defender-setup.md) |[![Phase 3: Onboard](images/onboard.png)](mcafee-to-microsoft-defender-onboard.md)
                        [Phase 3: Onboard](mcafee-to-microsoft-defender-onboard.md) |
+|--|--|--|
+|*You are here!*| | |
+
+
+**Welcome to the Prepare phase of [migrating from McAfee Endpoint Security (McAfee) to Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](mcafee-to-microsoft-defender-migration.md#the-migration-process)**.
+
+This migration phase includes the following steps:
+1. [Get and deploy updates across your organization's devices](#get-and-deploy-updates-across-your-organizations-devices)
+2. [Get Microsoft Defender ATP](#get-microsoft-defender-atp).
+3. [Grant access to the Microsoft Defender Security Center](#grant-access-to-the-microsoft-defender-security-center).
+4. [Configure device proxy and internet connectivity settings](#configure-device-proxy-and-internet-connectivity-settings).
+
+## Get and deploy updates across your organization's devices
+
+As a best practice, keep your organization's devices and endpoints up to date. Make sure your McAfee Endpoint Security (McAfee) solution is up to date, and that the operating systems and apps your organization is also have the latest updates. Doing this now can help prevent problems later as you migrate to Microsoft Defender ATP and Microsoft Defender Antivirus.
+
+### Make sure your McAfee solution is up to date
+
+Keep McAfee up to date, and make sure that your organization's devices have the latest security updates. Need help? 
Here are some McAfee resources:
+
+- [McAfee Enterprise Product Documentation: How Endpoint Security Works](https://docs.mcafee.com/bundle/endpoint-security-10.7.x-common-product-guide-windows/page/GUID-1207FF39-D1D2-481F-BBD9-E4079112A8DD.html)
+
+- [McAfee Knowledge Center Technical Article: Windows Security Center intermittently incorrectly reports that Endpoint Security is disabled when running on Windows 10](https://kc.mcafee.com/corporate/index?page=content&id=KB91830)
+
+- [McAfee Knowledge Center Technical Article: Windows Security Center reports Endpoint Security is disabled when Endpoint Security is running](https://kc.mcafee.com/corporate/index?page=content&id=KB91428)
+
+- Your McAfee support ServicePortal ([http://mysupport.mcafee.com](http://mysupport.mcafee.com))
+
+### Make sure your organization's devices are up to date
+
+Need help updating your organization's devices? See the following resources:
+
+|OS | Resource |
+|:--|:--|
+|Windows |[Microsoft Update](https://www.update.microsoft.com) |
+|macOS | [How to update the software on your Mac](https://support.apple.com/HT201541)|
+|iOS |[Update your iPhone, iPad, or iPod touch](https://support.apple.com/HT204204)|
+|Android |[Check & update your Android version](https://support.google.com/android/answer/7680439) |
+|Linux | [Linux 101: Updating Your System](https://www.linux.com/training-tutorials/linux-101-updating-your-system) |
+
+## Get Microsoft Defender ATP
+
+Now that you've updated your organization's devices, the next step is to get Microsoft Defender ATP, assign licenses, and make sure the service is provisioned.
+
+1. Buy or try Microsoft Defender ATP today. [Visit Microsoft Defender ATP to start a free trial or request a quote](https://aka.ms/mdatp).
+
+2. Verify that your licenses are properly provisioned. [Check your license state](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/production-deployment#check-license-state).
+
+3. 
As a global administrator or security administrator, set up your dedicated cloud instance of Microsoft Defender ATP. See [Microsoft Defender ATP setup: Tenant configuration](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/production-deployment#tenant-configuration).
+
+4. If endpoints (such as devices) in your organization use a proxy to access the internet, see [Microsoft Defender ATP setup: Network configuration](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/production-deployment#network-configuration).
+
+At this point, you are ready to grant access to your security administrators and security operators who will use the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)).
+
+> [!NOTE]
+> The Microsoft Defender Security Center is sometimes referred to as the Microsoft Defender ATP portal.
+
+## Grant access to the Microsoft Defender Security Center
+
+The Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)) is where you access and configure features and capabilities of Microsoft Defender ATP. To learn more, see [Overview of the Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use).
+
+Permissions to the Microsoft Defender Security Center can be granted by using either basic permissions or role-based access control (RBAC). We recommend using RBAC so that you have more granular control over permissions.
+
+1. Plan the roles and permissions for your security administrators and security operators. See [Role-based access control](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment#role-based-access-control).
+
+2. Set up and configure RBAC. 
We recommend using [Intune](https://docs.microsoft.com/mem/intune/fundamentals/what-is-intune) to configure RBAC, especially if your organization is using a combination of Windows 10, macOS, iOS, and Android devices. See [setting up RBAC using Intune](https://docs.microsoft.com/mem/intune/fundamentals/role-based-access-control).
+
+ If your organization requires a method other than Intune, choose one of the following options:
+ - [Configuration Manager](https://docs.microsoft.com/mem/configmgr/core/servers/deploy/configure/configure-role-based-administration)
+ - [Advanced Group Policy Management](https://docs.microsoft.com/microsoft-desktop-optimization-pack/agpm)
+ - [Windows Admin Center](https://docs.microsoft.com/windows-server/manage/windows-admin-center/overview)
+
+3. Grant access to the Microsoft Defender Security Center. (Need help? See [Manage portal access using RBAC](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/rbac)).
+
+## Configure device proxy and internet connectivity settings
+
+To enable communication between your devices and Microsoft Defender ATP, configure proxy and internet settings. The following table includes links to resources you can use to configure your proxy and internet settings for various operating systems and capabilities:
+
+|Capabilities | Operating System | Resources |
+|--|--|--|
+|[Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) (EDR) |- [Windows 10](https://docs.microsoft.com/windows/release-information)
                        - [Windows Server 2019](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019)
                        - [Windows Server 1803 or later](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) |[Configure machine proxy and internet connectivity settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet) | +|EDR |- [Windows Server 2016](https://docs.microsoft.com/windows/release-information/status-windows-10-1607-and-windows-server-2016)
                        - [Windows Server 2012 R2](https://docs.microsoft.com/windows/release-information/status-windows-8.1-and-windows-server-2012-r2)
                        - [Windows Server 2008 R2 SP1](https://docs.microsoft.com/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1)
                        - [Windows 8.1](https://docs.microsoft.com/windows/release-information/status-windows-8.1-and-windows-server-2012-r2)
                        - [Windows 7 SP1](https://docs.microsoft.com/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1) |[Configure proxy and internet connectivity settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel#configure-proxy-and-internet-connectivity-settings) | +|EDR |macOS:
                        - 10.15 (Catalina)
                        - 10.14 (Mojave)
                        - 10.13 (High Sierra) |[Microsoft Defender ATP for Mac: Network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac#network-connections) | +|[Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) |- [Windows 10](https://docs.microsoft.com/windows/release-information)
                        - [Windows Server 2019](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019)
                        - [Windows Server 1803 or later](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803)
                        - [Windows Server 2016](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-2016) |[Configure and validate Microsoft Defender Antivirus network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus)
                        | +|Antivirus |macOS:
                        - 10.15 (Catalina)
                        - 10.14 (Mojave)
                        - 10.13 (High Sierra) |[Microsoft Defender ATP for Mac: Network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac#network-connections) | +|Antivirus |Linux:
                        - RHEL 7.2+
                        - CentOS Linux 7.2+
                        - Ubuntu 16 LTS, or higher LTS
                        - SLES 12+
                        - Debian 9+
                        - Oracle Linux 7.2 |[Microsoft Defender ATP for Linux: Network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux#network-connections)
+
+## Next step
+
+**Congratulations**! You have completed the **Prepare** phase of [migrating from McAfee to Microsoft Defender ATP](mcafee-to-microsoft-defender-migration.md#the-migration-process)!
+
+- [Proceed to set up Microsoft Defender ATP](mcafee-to-microsoft-defender-setup.md).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-setup.md b/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-setup.md
new file mode 100644
index 0000000000..90f4176e55
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-setup.md
@@ -0,0 +1,256 @@
+---
+title: McAfee to Microsoft Defender ATP - Setup
+description: This is phase 2, Setup, for migrating from McAfee to Microsoft Defender ATP.
+keywords: migration, windows defender advanced threat protection, atp, edr
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: deniseb
+author: denisebmsft
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection:
+- M365-security-compliance
+- m365solution-mcafeemigrate
+ms.topic: article
+ms.custom: migrationguides
+ms.date: 09/15/2020
+ms.reviewer: jesquive, chventou, jonix, chriggs, owtho
+---
+
+# Migrate from McAfee - Phase 2: Set up Microsoft Defender ATP
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
+|[![Phase 1: Prepare](images/prepare.png)](mcafee-to-microsoft-defender-prepare.md)
                        [Phase 1: Prepare](mcafee-to-microsoft-defender-prepare.md) |![Phase 2: Set up](images/setup.png)
                        Phase 2: Set up |[![Phase 3: Onboard](images/onboard.png)](mcafee-to-microsoft-defender-onboard.md)
                        [Phase 3: Onboard](mcafee-to-microsoft-defender-onboard.md) |
+|--|--|--|
+||*You are here!* | |
+
+
+**Welcome to the Setup phase of [migrating from McAfee Endpoint Security (McAfee) to Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](mcafee-to-microsoft-defender-migration.md#the-migration-process)**. This phase includes the following steps:
+1. [Enable Microsoft Defender Antivirus and confirm it's in passive mode](#enable-microsoft-defender-antivirus-and-confirm-its-in-passive-mode).
+2. [Get updates for Microsoft Defender Antivirus](#get-updates-for-microsoft-defender-antivirus).
+3. [Add Microsoft Defender ATP to the exclusion list for McAfee](#add-microsoft-defender-atp-to-the-exclusion-list-for-mcafee).
+4. [Add McAfee to the exclusion list for Microsoft Defender Antivirus](#add-mcafee-to-the-exclusion-list-for-microsoft-defender-antivirus).
+5. [Add McAfee to the exclusion list for Microsoft Defender ATP](#add-mcafee-to-the-exclusion-list-for-microsoft-defender-atp).
+6. [Set up your device groups, device collections, and organizational units](#set-up-your-device-groups-device-collections-and-organizational-units).
+7. [Configure antimalware policies and real-time protection](#configure-antimalware-policies-and-real-time-protection).
+
+## Enable Microsoft Defender Antivirus and confirm it's in passive mode
+
+On certain versions of Windows, such as Windows Server, Microsoft Defender Antivirus might have been uninstalled or disabled when your McAfee solution was installed. This is because Microsoft Defender Antivirus does not enter passive or disabled mode when you install a third-party antivirus product, such as McAfee. (To learn more about this, see [Microsoft Defender Antivirus compatibility](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility).) 
+
+This step of the migration process includes the following tasks:
+- [Setting DisableAntiSpyware to false on Windows Server](#set-disableantispyware-to-false-on-windows-server)
+- [Reinstalling Microsoft Defender Antivirus on Windows Server](#reinstall-microsoft-defender-antivirus-on-windows-server);
+- [Setting Microsoft Defender Antivirus to passive mode on Windows Server](#set-microsoft-defender-antivirus-to-passive-mode-on-windows-server)
+- [Enabling Microsoft Defender Antivirus on your Windows client devices](#enable-microsoft-defender-antivirus-on-your-windows-client-devices); and
+- [Confirming that Microsoft Defender Antivirus is set to passive mode](#confirm-that-microsoft-defender-antivirus-is-in-passive-mode).
+
+### Set DisableAntiSpyware to false on Windows Server
+
+The [DisableAntiSpyware](https://docs.microsoft.com/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware) registry key was used in the past to disable Microsoft Defender Antivirus, and deploy another antivirus product, such as McAfee. In general, you should not have this registry key on your Windows devices and endpoints; however, if you do have `DisableAntiSpyware` configured, here's how to set its value to false:
+
+1. On your Windows Server device, open Registry Editor.
+
+2. Navigate to `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender`.
+
+3. In that folder, look for a DWORD entry called **DisableAntiSpyware**.
+
+ - If you do not see that entry, you're all set.
+
+ - If you do see **DisableAntiSpyware**, proceed to step 4.
+
+4. Right-click the DisableAntiSpyware DWORD, and then choose **Modify**.
+
+5. Set the value to `0`. (This sets the registry key's value to *false*.)
+
+> [!TIP]
+> To learn more about this registry key, see [DisableAntiSpyware](https://docs.microsoft.com/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware). 
+
+### Reinstall Microsoft Defender Antivirus on Windows Server
+
+> [!NOTE]
+> The following procedure applies only to endpoints or devices that are running the following versions of Windows:
+> - Windows Server 2019
+> - Windows Server, version 1803 (core-only mode)
+> - Windows Server 2016
+
+1. As a local administrator on the endpoint or device, open Windows PowerShell.
+
+2. Run the following PowerShell cmdlets:
                        + + `Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender-Features`
                        + + `Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender`
                        + +3. To verify Microsoft Defender Antivirus is running, use the following PowerShell cmdlet:
                        + + `Get-Service -Name windefend` + +> [!TIP] +> Need help? See [Microsoft Defender Antivirus on Windows Server 2016 and 2019](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016). + +### Set Microsoft Defender Antivirus to passive mode on Windows Server + +Because your organization is still using McAfee, you must set Microsoft Defender Antivirus to passive mode. That way, McAfee and Microsoft Defender Antivirus can run side by side until you have finished onboarding to Microsoft Defender ATP. + +1. Open Registry Editor, and then navigate to
                        + `Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Windows Advanced Threat Protection`. + +2. Edit (or create) a DWORD entry called **ForceDefenderPassiveMode**, and specify the following settings: + + - Set the DWORD's value to **1**. + + - Under **Base**, select **Hexadecimal**. + +> [!NOTE] +> You can use other methods to set the registry key, such as the following: +>- [Group Policy Preference](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn581922(v=ws.11)) +>- [Local Group Policy Object tool](https://docs.microsoft.com/windows/security/threat-protection/security-compliance-toolkit-10#what-is-the-local-group-policy-object-lgpo-tool) +>- [A package in Configuration Manager](https://docs.microsoft.com/mem/configmgr/apps/deploy-use/packages-and-programs) + +### Enable Microsoft Defender Antivirus on your Windows client devices + +Because your organization has been using McAfee as your primary antivirus solution, Microsoft Defender Antivirus is most likely disabled on your organization's Windows devices. This step of the migration process involves enabling Microsoft Defender Antivirus. + +To enable Microsoft Defender Antivirus, we recommend using Intune. However, you can any of the methods that are listed in the following table: + +|Method |What to do | +|---------|---------| +|[Intune](https://docs.microsoft.com/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager)

                        **NOTE**: Intune is now Microsoft Endpoint Manager. |1. Go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and sign in.

                        2. Select **Devices** > **Configuration profiles**, and then select the profile type you want to configure.
                        If you haven't yet created a **Device restrictions** profile type, or if you want to create a new one, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure).

                        3. Select **Properties**, and then select **Configuration settings: Edit**.

                        4. Expand **Microsoft Defender Antivirus**.

                        5. Enable **Cloud-delivered protection**.

                        6. In the **Prompt users before sample submission** dropdown, select **Send all samples automatically**.

                        7. In the **Detect potentially unwanted applications** dropdown, select **Enable** or **Audit**.

                        8. Select **Review + save**, and then choose **Save**.

                        For more information about Intune device profiles, including how to create and configure their settings, see [What are Microsoft Intune device profiles?](https://docs.microsoft.com/intune/device-profiles).| +|Control Panel in Windows |Follow the guidance here: [Turn on Microsoft Defender Antivirus](https://docs.microsoft.com/mem/intune/user-help/turn-on-defender-windows).

                        **NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows. | +|[Advanced Group Policy Management](https://docs.microsoft.com/microsoft-desktop-optimization-pack/agpm/)
                        or
                        [Group Policy Management Console](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus) |1. Go to `Computer configuration > Administrative templates > Windows components > Microsoft Defender Antivirus`.

                        2. Look for a policy called **Turn off Microsoft Defender Antivirus**.

                        3. Choose **Edit policy setting**, and make sure that policy is disabled. This enables Microsoft Defender Antivirus.

                        **NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows. | + +### Confirm that Microsoft Defender Antivirus is in passive mode + +Microsoft Defender Antivirus can run alongside McAfee if you set Microsoft Defender Antivirus to passive mode. You can use either Command Prompt or PowerShell to perform this task, as described in the following table: + +|Method |What to do | +|---------|---------| +|Command Prompt |1. On a Windows device, open Command Prompt as an administrator.

                        2. Type `sc query windefend`, and then press Enter.

                        3. Review the results to confirm that Microsoft Defender Antivirus is running in passive mode. | +|PowerShell |1. On a Windows device, open Windows PowerShell as an administrator.

                        2. Run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/Get-MpComputerStatus) cmdlet.

                        3. In the list of results, look for **AntivirusEnabled: True**. | + +> [!NOTE] +> You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows. + +## Get updates for Microsoft Defender Antivirus + +Keeping Microsoft Defender Antivirus up to date is critical to assure your devices have the latest technology and features needed to protect against new malware and attack techniques, even if Microsoft Defender Antivirus is running in [passive mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility). + +There are two types of updates related to keeping Microsoft Defender Antivirus up to date: +- Security intelligence updates +- Product updates + +To get your updates, follow the guidance in [Manage Microsoft Defender Antivirus updates and apply baselines](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus). + +## Add Microsoft Defender ATP to the exclusion list for McAfee + +This step of the setup process involves adding Microsoft Defender ATP to the exclusion list for McAfee and any other security products your organization is using. + +> [!TIP] +> To get help configuring exclusions, refer to McAfee documentation, such as the following article: [McAfee Endpoint Security 10.5.0 - Threat Prevention Module Product Guide (McAfee ePolicy Orchestrator) - Windows: Configuring exclusions](https://docs.mcafee.com/bundle/endpoint-security-10.5.0-threat-prevention-product-guide-epolicy-orchestrator-windows/page/GUID-71C5FB4B-A143-43E6-8BF0-8B2C16ABE6DA.html). 
+ +The specific exclusions to configure depend on which version of Windows your endpoints or devices are running, and are listed in the following table: + +|OS |Exclusions | +|--|--| +|- Windows 10, [version 1803](https://docs.microsoft.com/windows/release-information/status-windows-10-1803) or later (See [Windows 10 release information](https://docs.microsoft.com/windows/release-information))
                        - Windows 10, version 1703 or [1709](https://docs.microsoft.com/windows/release-information/status-windows-10-1709) with [KB4493441](https://support.microsoft.com/help/4493441) installed
                        - [Windows Server 2019](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019)
                        - [Windows Server, version 1803](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) |`C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe`

                        `C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe`

                        `C:\Program Files\Windows Defender Advanced Threat Protection\SenseSampleUploader.exe`

                        `C:\Program Files\Windows Defender Advanced Threat Protection\SenseIR.exe`
                        | +|- [Windows 8.1](https://docs.microsoft.com/windows/release-information/status-windows-8.1-and-windows-server-2012-r2)
                        - [Windows 7](https://docs.microsoft.com/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1)
                        - [Windows Server 2016](https://docs.microsoft.com/windows/release-information/status-windows-10-1607-and-windows-server-2016)
                        - [Windows Server 2012 R2](https://docs.microsoft.com/windows/release-information/status-windows-8.1-and-windows-server-2012-r2)
                        - [Windows Server 2008 R2 SP1](https://docs.microsoft.com/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1) |`C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\Monitoring Host Temporary Files 6\45\MsSenseS.exe`

                        **NOTE**: Where Monitoring Host Temporary Files 6\45 can be different numbered subfolders.

                        `C:\Program Files\Microsoft Monitoring Agent\Agent\AgentControlPanel.exe`

                        `C:\Program Files\Microsoft Monitoring Agent\Agent\HealthService.exe`

                        `C:\Program Files\Microsoft Monitoring Agent\Agent\HSLockdown.exe`

                        `C:\Program Files\Microsoft Monitoring Agent\Agent\MOMPerfSnapshotHelper.exe`

                        `C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe`

                        `C:\Program Files\Microsoft Monitoring Agent\Agent\TestCloudConnection.exe` | + +## Add McAfee to the exclusion list for Microsoft Defender Antivirus + +During this step of the setup process, you add McAfee and your other security solutions to the Microsoft Defender Antivirus exclusion list. + +When you add [exclusions to Microsoft Defender Antivirus scans](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus), you should add path and process exclusions. Keep the following points in mind: +- Path exclusions exclude specific files and whatever those files access. +- Process exclusions exclude whatever a process touches, but does not exclude the process itself. +- If you list each executable (.exe) as both a path exclusion and a process exclusion, the process and whatever it touches are excluded. +- List your process exclusions using their full path and not by their name only. (The name-only method is less secure.) + +You can choose from several methods to add your exclusions to Microsoft Defender Antivirus, as listed in the following table: + +|Method | What to do| +|--|--| +|[Intune](https://docs.microsoft.com/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager)

                        **NOTE**: Intune is now Microsoft Endpoint Manager. |1. Go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and sign in.

                        2. Select **Devices** > **Configuration profiles**, and then select the profile that you want to configure.

                        3. Under **Manage**, select **Properties**.

                        4. Select **Configuration settings: Edit**.

                        5. Expand **Microsoft Defender Antivirus**, and then expand **Microsoft Defender Antivirus Exclusions**.

                        6. Specify the files and folders, extensions, and processes to exclude from Microsoft Defender Antivirus scans. For reference, see [Microsoft Defender Antivirus exclusions](https://docs.microsoft.com/mem/intune/configuration/device-restrictions-windows-10#microsoft-defender-antivirus-exclusions).

                        7. Choose **Review + save**, and then choose **Save**. | +|[Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/mem/configmgr/) |1. Using the [Configuration Manager console](https://docs.microsoft.com/mem/configmgr/core/servers/manage/admin-console), go to **Assets and Compliance** > **Endpoint Protection** > **Antimalware Policies**, and then select the policy that you want to modify.

                        2. Specify exclusion settings for files and folders, extensions, and processes to exclude from Microsoft Defender Antivirus scans. | +|[Group Policy Object](https://docs.microsoft.com/previous-versions/windows/desktop/Policy/group-policy-objects) | 1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.

                        2. In the **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.

                        3. Expand the tree to **Windows components > Microsoft Defender Antivirus > Exclusions**.
                        **NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.

                        4. Double-click the **Path Exclusions** setting and add the exclusions.
                        - Set the option to **Enabled**.
                        - Under the **Options** section, click **Show...**.
                        - Specify each folder on its own line under the **Value name** column.
                        - If you specify a file, make sure to enter a fully qualified path to the file, including the drive letter, folder path, filename, and extension. Enter **0** in the **Value** column.

                        5. Click **OK**.

                        6. Double-click the **Extension Exclusions** setting and add the exclusions.
                        - Set the option to **Enabled**.
                        - Under the **Options** section, click **Show...**.
                        - Enter each file extension on its own line under the **Value name** column. Enter **0** in the **Value** column.

                        7. Click **OK**. | +|Local group policy object |1. On the endpoint or device, open the Local Group Policy Editor.

                        2. Go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Exclusions**.
                        **NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.

                        3. Specify your path and process exclusions. | +|Registry key |1. Export the following registry key: `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\exclusions`.

                        2. Import the registry key. Here are two examples:
                        - Local path: `regedit.exe /s c:\temp\ MDAV_Exclusion.reg`
                        - Network share: `regedit.exe /s \\FileServer\ShareName\MDAV_Exclusion.reg` | + +## Add McAfee to the exclusion list for Microsoft Defender ATP + +To add exclusions to Microsoft Defender ATP, you create [indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators#create-indicators-for-files). + +1. Go to the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)) and sign in. + +2. In the navigation pane, choose **Settings** > **Rules** > **Indicators**. + +3. On the **File hashes** tab, choose **Add indicator**. + +3. On the **Indicator** tab, specify the following settings: + - File hash (Need help? See [Find a file hash using CMPivot](#find-a-file-hash-using-cmpivot) in this article.) + - Under **Expires on (UTC)**, choose **Never**. + +4. On the **Action** tab, specify the following settings: + - **Response Action**: **Allow** + - Title and description + +5. On the **Scope** tab, under **Device groups**, select either **All devices in my scope** or **Select from list**. + +6. On the **Summary** tab, review the settings, and then click **Save**. + +### Find a file hash using CMPivot + +CMPivot is an in-console utility for Configuration Manager. CMPivot provides access to the real-time state of devices in your environment. It immediately runs a query on all currently connected devices in the target collection and returns the results. To learn more, see [CMPivot overview](https://docs.microsoft.com/mem/configmgr/core/servers/manage/cmpivot-overview). + +To use CMPivot to get your file hash, follow these steps: + +1. Review the [prerequisites](https://docs.microsoft.com/mem/configmgr/core/servers/manage/cmpivot#prerequisites). + +2. [Start CMPivot](https://docs.microsoft.com/mem/configmgr/core/servers/manage/cmpivot#start-cmpivot). + +3. Connect to Configuration Manager (`SCCM_ServerName.DomainName.com`). + +4. Select the **Query** tab. + +5. 
In the **Device Collection** list, and choose **All Systems (default)**. + +6. In the query box, type the following query:
                        + +```kusto +File(c:\\windows\\notepad.exe) +| project Hash +``` +> [!NOTE] +> In the query above, replace *notepad.exe* with the your third-party security product process name. + +## Set up your device groups, device collections, and organizational units + +| Collection type | What to do | +|--|--| +|[Device groups](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-groups) (formerly called machine groups) enable your security operations team to configure security capabilities, such as automated investigation and remediation.

                        Device groups are also useful for assigning access to those devices so that your security operations team can take remediation actions if needed.

                        Device groups are created in the Microsoft Defender Security Center. |1. Go to the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)).

                        2. In the navigation pane on the left, choose **Settings** > **Permissions** > **Device groups**.

                        3. Choose **+ Add device group**.

                        4. Specify a name and description for the device group.

                        5. In the **Automation level** list, select an option. (We recommend **Full - remediate threats automatically**.) To learn more about the various automation levels, see [How threats are remediated](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations#how-threats-are-remediated).

                        6. Specify conditions for a matching rule to determine which devices belong to the device group. For example, you can choose a domain, OS versions, or even use [device tags](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-tags).

                        7. On the **User access** tab, specify roles that should have access to the devices that are included in the device group.

                        8. Choose **Done**. | +|[Device collections](https://docs.microsoft.com/mem/configmgr/core/clients/manage/collections/introduction-to-collections) enable your security operations team to manage applications, deploy compliance settings, or install software updates on the devices in your organization.

                        Device collections are created by using [Configuration Manager](https://docs.microsoft.com/mem/configmgr/). |Follow the steps in [Create a collection](https://docs.microsoft.com/mem/configmgr/core/clients/manage/collections/create-collections#bkmk_create). | +|[Organizational units](https://docs.microsoft.com/azure/active-directory-domain-services/create-ou) enable you to logically group objects such as user accounts, service accounts, or computer accounts. You can then assign administrators to specific organizational units, and apply group policy to enforce targeted configuration settings.

                        Organizational units are defined in [Azure Active Directory Domain Services](https://docs.microsoft.com/azure/active-directory-domain-services). | Follow the steps in [Create an Organizational Unit in an Azure Active Directory Domain Services managed domain](https://docs.microsoft.com/azure/active-directory-domain-services/create-ou). | + +## Configure antimalware policies and real-time protection + +Using Configuration Manager and your device collection(s), configure your antimalware policies. + +- See [Create and deploy antimalware policies for Endpoint Protection in Configuration Manager](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-antimalware-policies). + +- While you create and configure your antimalware policies, make sure to review the [real-time protection settings](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-antimalware-policies#real-time-protection-settings) and [enable block at first sight](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus). + +> [!TIP] +> You can deploy the policies before your organization's devices on onboarded. + +## Next step + +**Congratulations**! You have completed the Setup phase of [migrating from McAfee to Microsoft Defender ATP](mcafee-to-microsoft-defender-migration.md#the-migration-process)! + +- [Proceed to Phase 3: Onboard to Microsoft Defender ATP](mcafee-to-microsoft-defender-onboard.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-config.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-config.md index 7132b8b8a3..2049e0d9bd 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-config.md +++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-config.md 
@@ -20,6 +20,9 @@ ms.topic: article
 # Configure Microsoft Cloud App Security in Microsoft Defender ATP
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
 **Applies to:**
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-integration.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-integration.md
index 3871f3dc64..a6f03c17c5 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-integration.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-integration.md
@@ -20,6 +20,9 @@ ms.date: 10/18/2018
 ---
 # Microsoft Cloud App Security in Microsoft Defender ATP overview
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
 **Applies to:**
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md
index 283349edd3..d45c5c585e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md
@@ -1,7 +1,7 @@ --- title: Microsoft Defender Advanced Threat Protection description: Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) is an enterprise endpoint security platform that helps defend against advanced persistent threats. -keywords: introduction to Microsoft Defender Advanced Threat Protection, introduction to Microsoft Defender ATP, cybersecurity, advanced persistent threat, enterprise security, machine behavioral sensor, cloud security, analytics, threat intelligence, attack surface reduction, next generation protection, automated investigation and remediation, microsoft threat experts, secure score, advanced hunting, microsoft threat protection, cyber threat hunting +keywords: introduction to Microsoft Defender Advanced Threat Protection, introduction to Microsoft Defender ATP, cybersecurity, advanced persistent threat, enterprise security, machine behavioral sensor, cloud security, analytics, threat intelligence, attack surface reduction, next-generation protection, automated investigation and remediation, microsoft threat experts, secure score, advanced hunting, microsoft threat protection, cyber threat hunting search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 @@ -19,6 +19,9 @@ ms.topic: conceptual # Microsoft Defender Advanced Threat Protection +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + > Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-main-abovefoldlink) > > For more info about Windows 10 Enterprise Edition features and functionality, see [Windows 10 Enterprise edition](https://www.microsoft.com/WindowsForBusiness/buy). @@ -52,7 +55,7 @@ Microsoft Defender ATP uses the following combination of technology built into W
                        - + @@ -87,8 +90,8 @@ The attack surface reduction set of capabilities provide the first line of defen -**[Next generation protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10)**
                        -To further reinforce the security perimeter of your network, Microsoft Defender ATP uses next generation protection designed to catch all types of emerging threats. +**[Next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10)**
                        +To further reinforce the security perimeter of your network, Microsoft Defender ATP uses next-generation protection designed to catch all types of emerging threats. diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-android.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-android.md index 12f56bc412..a382a8463d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-android.md +++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-android.md @@ -20,14 +20,8 @@ ms.topic: conceptual # Microsoft Defender Advanced Threat Protection for Android -> [!IMPORTANT] -> **PUBLIC PREVIEW EDITION** -> -> This documentation is for a pre-release solution. The guidelines and the solution are subject to change between now and its general availability. -> -> As with any pre-release solution, remember to exercise caution when determining the target population for your deployments. -> -> If you have preview features turned on in the Microsoft Defender Security Center, you should be able to access the Android onboarding page immediately. If you have not yet opted into previews, we encourage you to [turn on preview features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/preview) in the Microsoft Defender Security Center today. +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + This topic describes how to install, configure, update, and use Microsoft Defender ATP for Android. 
@@ -35,14 +29,13 @@ This topic describes how to install, configure, update, and use Microsoft Defend > Running other third-party endpoint protection products alongside Microsoft Defender ATP for Android is likely to cause performance problems and unpredictable system errors. - ## How to install Microsoft Defender ATP for Android ### Prerequisites - **For end users** - - Microsoft Defender ATP license assigned to the end user(s) of the app. + - Microsoft Defender ATP license assigned to the end user(s) of the app. See [Microsoft Defender ATP licensing requirements](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements#licensing-requirements) - Intune Company Portal app can be downloaded from [Google Play](https://play.google.com/store/apps/details?id=com.microsoft.windowsintune.companyportal) @@ -78,15 +71,15 @@ This topic describes how to install, configure, update, and use Microsoft Defend ### Installation instructions Microsoft Defender ATP for Android supports installation on both modes of -enrolled devices - the legacy Device Administrator and Android Enterprise modes +enrolled devices - the legacy Device Administrator and Android Enterprise modes. +**Currently, only Work Profile enrolled devices are supported in Android Enterprise. Support for other Android Enterprise modes will be announced when ready.** Deployment of Microsoft Defender ATP for Android is via Microsoft Intune (MDM). For more information, see [Deploy Microsoft Defender ATP for Android with Microsoft Intune](android-intune.md). > [!NOTE] -> During public preview, instructions to deploy Microsoft Defender ATP for Android on Intune enrolled Android devices are different across Device Administrator and Android Enterprise entrollment modes.
                        -> **When Microsoft Defender ATP for Android reaches General Availability (GA), the app will be available on Google Play.** +> **Microsoft Defender ATP for Android is available on [Google Play](https://play.google.com/store/apps/details?id=com.microsoft.scmx) now.**
                        You can connect to Google Play from Intune to deploy Microsoft Defender ATP app, across Device Administrator and Android Enterprise entrollment modes. ## How to Configure Microsoft Defender ATP for Android diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-ios.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-ios.md new file mode 100644 index 0000000000..c82a60cb3c --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-ios.md 
@@ -0,0 +1,75 @@
+---
+title: Microsoft Defender ATP for iOS overview
+ms.reviewer:
+description: Describes how to install and use Microsoft Defender ATP for iOS
+keywords: microsoft, defender, atp, ios, overview, installation, deploy, uninstallation, intune
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+---
+
+# Microsoft Defender Advanced Threat Protection for iOS
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
+> [!IMPORTANT]
+> **PUBLIC PREVIEW EDITION**
+>
+> This documentation is for a pre-release solution. The guidelines and the solution are subject to change between now and its general availability.
+>
+> As with any pre-release solution, remember to exercise caution when determining the target population for your deployments.
+
+
+The public preview of Microsoft Defender ATP for iOS will offer protection
+against phishing and unsafe network connections from websites, emails and apps.
+All alerts will be available through a single pane of glass in the Microsoft
+Defender Security Center, giving security teams a centralized view of threats on
+iOS devices along with other platforms.
+
+## Pre-requisites
+
+
+**For End Users**
+
+- Microsoft Defender ATP license assigned to the end user(s) of the app. Refer
+ [Assign licenses to
+ users](https://docs.microsoft.com/azure/active-directory/users-groups-roles/licensing-groups-assign)
+ for instructions on how to assign licenses.
+
+**For Administrators**
+
+- Access to the Microsoft Defender Security Center portal
+
+- Access to [Microsoft Endpoint Manager admin
+ center](https://go.microsoft.com/fwlink/?linkid=2109431), to deploy the app
+ to enrolled user groups in your organization
+
+**System Requirements**
+
+- iOS devices running iOS 11.0 and above
+
+- Device is enrolled with Intune Company Portal
+ [app](https://apps.apple.com/us/app/intune-company-portal/id719171358)
+
+## Resources
+
+- Stay informed about upcoming releases by visiting our [blog](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/bg-p/MicrosoftDefenderATPBlog/label-name/iOS)
+
+- Provide feedback through in-app feedback system or through [SecOps
+ portal](https://securitycenter.microsoft.com)
+
+
+## Next steps
+
+Microsoft Defender for Endpoint capabilities for iOS will be released into public preview in the coming weeks. At that time, we will publish additional deployment and configuration information. Please check back here in a few weeks.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md
index fda5e2b14b..1e0b400707 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md
@@ -20,6 +20,9 @@ ms.topic: conceptual
 # Microsoft Defender ATP for Linux
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
 This topic describes how to install, configure, update, and use Microsoft Defender ATP for Linux.
 > [!CAUTION]
@@ -65,7 +68,7 @@ If you experience any installation failures, refer to [Troubleshooting installat > [!CAUTION] > Running Microsoft Defender ATP for Linux side by side with other `fanotify`-based security solutions is not supported. It can lead to unpredictable results, including hanging the operating system. -- Disk space: 650 MB +- Disk space: 1GB - The solution currently provides real-time protection for the following file system types: - `btrfs` diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md index ae6569fd45..90fef9d116 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md +++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md @@ -1,7 +1,7 @@ --- title: Microsoft Defender ATP for Mac ms.reviewer: -description: Describes how to install and use Microsoft Defender ATP for Mac. +description: Learn how to install, configure, update, and use Microsoft Defender Advanced Threat Protection for Mac. keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, catalina, mojave, high sierra search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -20,6 +20,9 @@ ms.topic: conceptual # Microsoft Defender Advanced Threat Protection for Mac +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + This topic describes how to install, configure, update, and use Microsoft Defender ATP for Mac. > [!CAUTION] @@ -61,7 +64,7 @@ There are several methods and deployment tools that you can use to install and c The three most recent major releases of macOS are supported. - 10.15 (Catalina), 10.14 (Mojave), 10.13 (High Sierra) -- Disk space: 650 MB +- Disk space: 1GB Beta versions of macOS are not supported. macOS Sierra (10.12) support ended on January 1, 2020. 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-security-center.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-security-center.md
index e6acac214c..ee826bd394 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-security-center.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-security-center.md
@@ -19,6 +19,9 @@ ms.topic: conceptual
 # Microsoft Defender Security Center
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
 Microsoft Defender Security Center is the portal where you can access Microsoft Defender Advanced Threat Protection capabilities. It gives enterprise security operations teams a single pane of glass experience to help secure networks.
 ## In this section
diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts.md
index 5e28935812..ecb755c220 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts.md
@@ -19,6 +19,9 @@ ms.topic: conceptual
 ---
 # Microsoft Threat Experts
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
 **Applies to:**
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/migration-guides.md b/windows/security/threat-protection/microsoft-defender-atp/migration-guides.md
new file mode 100644
index 0000000000..f455a605a9
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/migration-guides.md
@@ -0,0 +1,46 @@
+---
+title: Make the switch to Microsoft Defender ATP
+description: Learn how to make the switch from a non-Microsoft threat protection solution to Microsoft Defender ATP
+search.appverid: MET150
+author: denisebmsft
+ms.author: deniseb
+manager: dansimp
+audience: ITPro
+ms.topic: conceptual
+ms.date: 09/08/2020
+ms.prod: w10
+ms.localizationpriority: medium
+ms.collection:
+- M365-security-compliance
+ms.custom: migrationguides
+ms.reviewer: chriggs, depicker, yongrhee
+f1.keywords: NOCSH
+---
+
+# Make the switch to Microsoft Defender ATP and Microsoft Defender Antivirus
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
+## Migration guides
+
+If you're considering switching from a non-Microsoft threat protection solution to Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) with Microsoft Defender Antivirus, check out our migration guidance.
+
+- [McAfee Endpoint Security (McAfee) to Microsoft Defender ATP](mcafee-to-microsoft-defender-migration.md)
+
+- [Symantec Endpoint Protection (Symantec) to Microsoft Defender ATP](symantec-to-microsoft-defender-atp-migration.md)
+
+- [Manage Microsoft Defender Advanced Threat Protection, after you've migrated](manage-atp-post-migration.md)
+
+
+## Got feedback?
+
+Let us know what you think! Submit your feedback at the bottom of the page. We'll take your feedback into account as we continue to improve and add to our migration guidance.
+
+## See also
+
+- [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection)
+
+- [Office 365 Advanced Threat Protection](https://docs.microsoft.com/microsoft-365/security/office-365-security/office-365-atp)
+
+- [Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/microsoft-threat-protection?)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md
index c3372148b8..546cc62c58 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md
@@ -19,6 +19,9 @@ ms.topic: conceptual
 # Minimum requirements for Microsoft Defender ATP
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
 **Applies to:**
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
@@ -103,8 +106,9 @@ The hardware requirements for Microsoft Defender ATP on devices are the same for
 ### Other supported operating systems
-- macOS
+- Android
 - Linux (currently, Microsoft Defender ATP is only available in the Public Preview Edition for Linux)
+- macOS
 > [!NOTE]
 > You'll need to know the exact Linux distributions and versions of Android and macOS that are compatible with Microsoft Defender ATP for the integration to work.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mssp-list.md b/windows/security/threat-protection/microsoft-defender-atp/mssp-list.md
new file mode 100644
index 0000000000..e04b5fd740
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/mssp-list.md
@@ -0,0 +1,44 @@
+---
+title: Supported managed security service providers
+description: See the list of MSSPs that Microsoft Defender ATP integrates with
+keywords: managed security service provider, mssp, configure, integration
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Supported managed security service providers
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+Logo |Partner name | Description
+:---|:---|:---
+![Image of BDO Digital logo](images/bdo-logo.png)| [BDO Digital](https://go.microsoft.com/fwlink/?linkid=2090394) | BDO Digital's Managed Defense leverages best practice tools, AI, and in-house security experts for 24/7/365 identity protection
+![Image of BlueVoyant logo](images/bluevoyant-logo.png)| [BlueVoyant](https://go.microsoft.com/fwlink/?linkid=2121401) | MDR for Microsoft Defender ATP provides support in monitoring, investigating, and mitigating advanced attacks on endpoints
+![Image of Cloud Security Center logo](images/cloudsecuritycenter-logo.png)| [Cloud Security Center](https://go.microsoft.com/fwlink/?linkid=2099315) | InSpark's Cloud Security Center is a 24x7 managed service that delivers protect, detect & respond capabilities
+![Image of Cloud SOC logo](images/cloudsoc-logo.png)| [Cloud SOC](https://go.microsoft.com/fwlink/?linkid=2104265) | Cloud SOC provides 24/7 security monitoring services based on Microsoft cloud and helps you to continuously improve your security posture
+![Image of CSIS Managed Detection & Response logo](images/csis-logo.png)| [CSIS Managed Detection & Response](https://go.microsoft.com/fwlink/?linkid=2091005) | 24/7 monitoring and analysis
of security alerts giving companies actionable insights into what, when and how security incidents have taken place
+![Image of Dell Technologies Advanced Threat Protection logo](images/dell-logo.png)| [Dell Technologies Advanced Threat Protection](https://go.microsoft.com/fwlink/?linkid=2091004) | Professional monitoring service for malicious behavior and anomalies with 24/7 capability
+![Image of DXC-Managed Endpoint Threat Detection and Response logo](images/dxc-logo.png)| [DXC-Managed Endpoint Threat Detection and Response](https://go.microsoft.com/fwlink/?linkid=2090395) | Identify endpoint threats that evade traditional security defenses and contain them in hours or minutes, not days
+![Image of NTT Security logo](images/ntt-logo.png)| [NTT Security](https://go.microsoft.com/fwlink/?linkid=2095320) | NTT's EDR Service provides 24/7 security monitoring & response across your endpoint and network
+![Image of Red Canary logo](images/redcanary-logo.png)| [Red Canary](https://go.microsoft.com/fwlink/?linkid=2103852) | Red Canary is a security operations partner for modern teams, MDR deployed in minutes
+![Image of SecureWorks Managed Detection and Response Powered by Red Cloak logo](images/secureworks-logo.png)| [SecureWorks Managed Detection and Response Powered by Red Cloak](https://go.microsoft.com/fwlink/?linkid=2133634) | Secureworks combines threat intelligence and 20+ years of experience into SaaS and managed security solutions
+![Image of sepagoSOC logo](images/sepago-logo.png)| [sepagoSOC](https://go.microsoft.com/fwlink/?linkid=2090491) | Ensure holistic security through sophisticated automated workflows in your zero trust environment
+![Image of Trustwave Threat Detection & Response Services logo](images/trustwave-logo.png)| [Trustwave Threat Detection & Response Services](https://go.microsoft.com/fwlink/?linkid=2127542) | Threat Detection and Response services for Azure leveraging integrations with Sentinel and Microsoft Defender ATP
+![Image of
Wortell's cloud SOC logo](images/wortell-logo.png)| [Wortell's cloud SOC](https://go.microsoft.com/fwlink/?linkid=2108415) | 24x7 managed Microsoft Defender ATP service for monitoring & response +![Image of Zero Trust Analytics Platform (ZTAP) logo](images/ztap-logo.png)| [Zero Trust Analytics Platform (ZTAP)](https://go.microsoft.com/fwlink/?linkid=2090971) | Reduce your alerts by 99% and access a full range of security capabilities from mobile devices + +## Related topics +- [Configure managed service security provider integration](configure-mssp-support.md) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/mssp-support.md b/windows/security/threat-protection/microsoft-defender-atp/mssp-support.md index dc86cb4ea9..6f1d18b0e5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mssp-support.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mssp-support.md @@ -19,6 +19,9 @@ ms.topic: conceptual # Managed security service provider partnership opportunities +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/microsoft-defender-atp/network-protection.md b/windows/security/threat-protection/microsoft-defender-atp/network-protection.md index eb56826c55..ea52e95529 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/network-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/network-protection.md 
@@ -3,7 +3,6 @@ title: Use network protection to help prevent connections to bad sites description: Protect your network by preventing users from accessing known malicious and suspicious network addresses keywords: Network protection, exploits, malicious website, ip, domain, domains search.product: eADQiWindows 10XVcnh -ms.pagetype: security ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library @@ -21,6 +20,9 @@ ms.custom: asr # Protect your network +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md b/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md index 3eb07ed66d..9286621ecb 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md +++ b/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md @@ -19,6 +19,9 @@ ms.topic: conceptual # Threat and vulnerability management +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) @@ -105,7 +108,7 @@ Ensure that your devices: Run threat and vulnerability management-related API calls to automate vulnerability management workflows. Learn more from this [Microsoft Tech Community blog post](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/threat-amp-vulnerability-management-apis-are-now-generally/ba-p/1304615). -See the following topics for related APIs: +See the following articles for related APIs: - [Supported Microsoft Defender ATP APIs](exposed-apis-list.md) - [Machine APIs](machine.md) 
@@ -115,7 +118,7 @@ See the following topics for related APIs: - [Vulnerability APIs](vulnerability.md) - [List vulnerabilities by machine and software](get-all-vulnerabilities-by-machines.md) -## Related topics +## See also - [Supported operating systems and platforms](tvm-supported-os.md) - [Threat and vulnerability management dashboard](tvm-dashboard-insights.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/non-windows.md b/windows/security/threat-protection/microsoft-defender-atp/non-windows.md new file mode 100644 index 0000000000..36cab9ff28 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/non-windows.md 
@@ -0,0 +1,110 @@
+---
+title: Microsoft Defender ATP for non-Windows platforms
+description: Learn about Microsoft Defender ATP capabilities for non-Windows platforms
+keywords: non windows, mac, macos, linux, android
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection:
+- M365-security-compliance
+- m365solution-evalutatemtp
+ms.topic: article
+---
+
+# Microsoft Defender ATP for non-Windows platforms
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+
+Microsoft has been on a journey to extend its industry leading endpoint security
+capabilities beyond Windows and Windows Server to macOS, Linux, Android, and
+soon iOS.
+
+Organizations face threats across a variety of platforms and devices. Our teams
+have committed to building security solutions not just *for* Microsoft, but also
+*from* Microsoft to enable our customers to protect and secure their
+heterogenous environments. We're listening to customer feedback and partnering
+closely with our customers to build solutions that meet their needs.
+
+With Microsoft Defender ATP, customers benefit from a unified view of all
+threats and alerts in the Microsoft Defender Security Center, across Windows and
+non-Windows platforms, enabling them to get a full picture of what's happening
+in their environment, which empowers them to more quickly assess and respond to
+threats.
+
+## Microsoft Defender ATP for Mac
+
+Microsoft Defender ATP for Mac offers AV and EDR capabilities for the three
+latest released versions of macOS. Customers can deploy and manage the solution
+through Microsoft Endpoint Manager and Jamf.
Just like with Microsoft Office
+applications on macOS, Microsoft Auto Update is used to manage Microsoft
+Defender ATP for Mac updates. For information about the key features and
+benefits, read our
+[announcements](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/bg-p/MicrosoftDefenderATPBlog/label-name/macOS).
+
+For more details on how to get started, visit the Microsoft Defender ATP for Mac
+[documentation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac).
+
+## Microsoft Defender ATP for Linux
+
+Microsoft Defender ATP for Linux offers preventative (AV) capabilities for Linux
+servers. This includes a full command line experience to configure and manage
+the agent, initiate scans, and manage threats. We support recent versions of the
+six most common Linux Server distributions: RHEL 7.2+, CentOS Linux 7.2+, Ubuntu
+16 LTS, or higher LTS, SLES 12+, Debian 9+, and Oracle Linux 7.2. Microsoft
+Defender ATP for Linux can be deployed and configured using Puppet, Ansible, or
+using your existing Linux configuration management tool. For information about
+the key features and benefits, read our
+[announcements](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/bg-p/MicrosoftDefenderATPBlog/label-name/Linux).
+
+For more details on how to get started, visit the Microsoft Defender ATP for
+Linux
+[documentation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux).
+
+## Microsoft Defender ATP for Android
+
+Microsoft Defender ATP for Android is our mobile threat defense solution for
+devices running Android 6.0 and higher. Both Android Enterprise (Work Profile)
+and Device Administrator modes are supported. On Android, we offer web
+protection, which includes anti-phishing, blocking of unsafe connections, and
+setting of custom indicators.
The solution scans for malware and potentially
+unwanted applications (PUA) and offers additional breach prevention capabilities
+through integration with Microsoft Endpoint Manager and Conditional Access. For
+information about the key features and benefits, read our
+[announcements](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/bg-p/MicrosoftDefenderATPBlog/label-name/Android).
+
+For more details on how to get started, visit the Microsoft Defender ATP for
+Android
+[documentation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-android).
+
+
+
+## Licensing requirements
+
+Eligible Licensed Users may use Microsoft Defender ATP on up to five concurrent
+devices. Microsoft Defender ATP is also available for purchase from a Cloud
+Solution Provider (CSP).
+
+Customers can obtain Microsoft Defender ATP for Mac through a standalone
+Microsoft Defender ATP license, as part of Microsoft 365 A5/E5, or Microsoft 365
+Security.
+
+Recently announced capabilities of Microsoft Defender ATP for Android and soon
+iOS are included in the above mentioned offers as part of the five qualified
+devices for eligible licensed users.
+
+Microsoft Defender ATP for Linux is available through the Microsoft Defender ATP
+for Server SKU that is available for both commercial and education customers.
+
+Please contact your account team or CSP for pricing and additional eligibility
+requirements.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api.md b/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api.md
index 2c94a9c19e..6046e47262 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api.md
@@ -1,6 +1,6 @@ --- title: Offboard machine API -description: Use this API to offboard a device from WDATP. +description: Learn how to use an API to offboard a device from Windows Defender Advanced Threat Protection (WDATP). keywords: apis, graph api, supported apis, collect investigation package search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -18,6 +18,9 @@ ms.topic: article # Offboard machine API +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/offboard-machines.md b/windows/security/threat-protection/microsoft-defender-atp/offboard-machines.md index 9a0498b504..fdfda0129e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/offboard-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/offboard-machines.md @@ -19,6 +19,9 @@ ms.topic: conceptual # Offboard devices from the Microsoft Defender ATP service +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - macOS - Linux diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboard-configure.md b/windows/security/threat-protection/microsoft-defender-atp/onboard-configure.md index 23072e7fd3..3f37f66880 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/onboard-configure.md +++ b/windows/security/threat-protection/microsoft-defender-atp/onboard-configure.md 
@@ -19,6 +19,9 @@ ms.topic: conceptual # Onboard devices to the Microsoft Defender ATP service +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel.md b/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel.md index 6d9c98fc37..86e8968854 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel.md +++ b/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel.md @@ -19,6 +19,9 @@ ms.topic: article # Onboard previous versions of Windows +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - Windows 7 SP1 Enterprise diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboard-offline-machines.md b/windows/security/threat-protection/microsoft-defender-atp/onboard-offline-machines.md index ca0ae8b595..cb3d0ee177 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/onboard-offline-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/onboard-offline-machines.md @@ -20,6 +20,9 @@ ms.topic: article # Onboard devices without Internet access to Microsoft Defender ATP +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) 
@@ -54,8 +57,8 @@ For more information about onboarding methods, see the following articles: ## Azure virtual machines - Configure and enable [Azure Log Analytics workspace](https://docs.microsoft.com/azure/azure-monitor/platform/gateway) - - Setup Azure Log Analytics (formerly known as OMS Gateway) to act as proxy or hub: - - [Azure Log Analytics Agent](https://docs.microsoft.com/azure/azure-monitor/platform/gateway#download-the-log-analytics-gateway) + - Setup Azure Log Analytics Gateway (formerly known as OMS Gateway) to act as proxy or hub: + - [Azure Log Analytics Gateway](https://docs.microsoft.com/azure/azure-monitor/platform/gateway#download-the-log-analytics-gateway) - [Install and configure Microsoft Monitoring Agent (MMA)](configure-server-endpoints.md#install-and-configure-microsoft-monitoring-agent-mma-to-report-sensor-data-to-microsoft-defender-atp) point to Microsoft Defender ATP Workspace key & ID - Offline Azure VMs in the same network of OMS Gateway - Configure Azure Log Analytics IP as a proxy diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboard.md b/windows/security/threat-protection/microsoft-defender-atp/onboard.md index 37c447d3fc..ca17dbdcd7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/onboard.md +++ b/windows/security/threat-protection/microsoft-defender-atp/onboard.md 
@@ -1,8 +1,8 @@ --- title: Configure and manage Microsoft Defender ATP capabilities ms.reviewer: -description: Configure and manage Microsoft Defender ATP capabilities such as attack surface reduction, next generation protection, and security controls -keywords: configure, manage, capabilities, attack surface reduction, next generation protection, security controls, endpoint detection and response, auto investigation and remediation, security controls, controls +description: Configure and manage Microsoft Defender ATP capabilities such as attack surface reduction, next-generation protection, and security controls +keywords: configure, manage, capabilities, attack surface reduction, next-generation protection, security controls, endpoint detection and response, auto investigation and remediation, security controls, controls search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 @@ -19,6 +19,9 @@ ms.topic: conceptual --- # Configure and manage Microsoft Defender ATP capabilities + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) 
@@ -30,7 +33,7 @@ Configure and manage all the Microsoft Defender ATP capabilities to get the best Topic | Description :---|:--- [Configure attack surface reduction capabilities](configure-attack-surface-reduction.md) | By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitations. -[Configure next generation protection](../microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features.md) | Configure next generation protection to catch all types of emerging threats. +[Configure next-generation protection](../microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features.md) | Configure next-generation protection to catch all types of emerging threats. [Configure Microsoft Threat Experts capabilities](configure-microsoft-threat-experts.md) | Configure and manage how you would like to get cybersecurity threat intelligence from Microsoft Threat Experts. [Configure Microsoft Threat Protection integration](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/threat-protection-integration)| Configure other solutions that integrate with Microsoft Defender ATP. [Management and API support](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/management-apis)| Pull alerts to your SIEM or use APIs to create custom alerts. Create and build Power BI reports. diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboarding-endpoint-configuration-manager.md b/windows/security/threat-protection/microsoft-defender-atp/onboarding-endpoint-configuration-manager.md new file mode 100644 index 0000000000..d839dabec7 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/onboarding-endpoint-configuration-manager.md 
@@ -0,0 +1,358 @@
+---
+title: Onboarding using Microsoft Endpoint Configuration Manager
+description: Learn how to onboard to Microsoft Defender ATP using Microsoft Endpoint Configuration Manager
+keywords: onboarding, configuration, deploy, deployment, endpoint configuration manager, mdatp, advanced threat protection, collection creation, endpoint detection response, next generation protection, attack surface reduction
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection:
+- M365-security-compliance
+- m365solution-endpointprotect
+ms.topic: article
+---
+
+# Onboarding using Microsoft Endpoint Configuration Manager
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+## Collection creation
+To onboard Windows 10 devices with Microsoft Endpoint Configuration Manager, the
+deployment can target either and existing collection or a new collection can be
+created for testing. The onboarding like group policy or manual method does
+not install any agent on the system. Within the Configuration Manager console
+the onboarding process will be configured as part of the compliance settings
+within the console. Any system that receives this required configuration will
+maintain that configuration for as long as the Configuration Manager client
+continues to receive this policy from the management point. Follow the steps
+below to onboard systems with Configuration Manager.
+
+1. In Microsoft Endpoint Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Device Collections**.
+ + ![Image of Microsoft Endpoint Configuration Manager wizard](images/configmgr-device-collections.png) + +2. Right Click **Device Collection** and select **Create Device Collection**. + + ![Image of Microsoft Endpoint Configuration Manager wizard](images/configmgr-create-device-collection.png) + +3. Provide a **Name** and **Limiting Collection**, then select **Next**. + + ![Image of Microsoft Endpoint Configuration Manager wizard](images/configmgr-limiting-collection.png) + +4. Select **Add Rule** and choose **Query Rule**. + + ![Image of Microsoft Endpoint Configuration Manager wizard](images/configmgr-query-rule.png) + +5. Click **Next** on the **Direct Membership Wizard** and click on **Edit Query Statement**. + + ![Image of Microsoft Endpoint Configuration Manager wizard](images/configmgr-direct-membership.png) + +6. Select **Criteria** and then choose the star icon. + + ![Image of Microsoft Endpoint Configuration Manager wizard](images/configmgr-criteria.png) + +7. Keep criterion type as **simple value**, choose where as **Operating System - build number**, operator as **is greater than or equal to** and value **14393** and click on **OK**. + + ![Image of Microsoft Endpoint Configuration Manager wizard](images/configmgr-simple-value.png) + +8. Select **Next** and **Close**. + + ![Image of Microsoft Endpoint Configuration Manager wizard](images/configmgr-membership-rules.png) + +9. Select **Next**. + + ![Image of Microsoft Endpoint Configuration Manager wizard](images/configmgr-confirm.png) + +After completing this task, you now have a device collection with all the Windows 10 endpoints in the environment. + +## Endpoint detection and response +### Windows 10 +From within the Microsoft Defender Security Center it is possible to download +the '.onboarding' policy that can be used to create the policy in System Center Configuration +Manager and deploy that policy to Windows 10 devices. + +1. 
From a Microsoft Defender Security Center Portal, select [Settings and then Onboarding](https://securitycenter.windows.com/preferences2/onboarding). + + + +2. Under Deployment method select the supported version of **Microsoft Endpoint Configuration Manager**. + + ![Image of Microsoft Defender ATP onboarding wizard](images/mdatp-onboarding-wizard.png) + +3. Select **Download package**. + + ![Image of Microsoft Defender ATP onboarding wizard](images/mdatp-download-package.png) + +4. Save the package to an accessible location. +5. In Microsoft Endpoint Configuration Manager, navigate to: **Assets and Compliance > Overview > Endpoint Protection > Microsoft Defender ATP Policies**. + +6. Right-click **Microsoft Defender ATP Policies** and select **Create Microsoft Defender ATP Policy**. + + ![Image of Microsoft Endpoint Configuration Manager wizard](images/configmgr-create-policy.png) + +7. Enter the name and description, verify **Onboarding** is selected, then select **Next**. + + ![Image of Microsoft Endpoint Configuration Manager wizard](images/configmgr-policy-name.png) + +8. Click **Browse**. + +9. Navigate to the location of the downloaded file from step 4 above. + +10. Click **Next**. +11. Configure the Agent with the appropriate samples (**None** or **All file types**). + + ![Image of configuration settings](images/configmgr-config-settings.png) + +12. Select the appropriate telemetry (**Normal** or **Expedited**) then click **Next**. + + ![Image of configuration settings](images/configmgr-telemetry.png) + +14. Verify the configuration, then click **Next**. + + ![Image of configuration settings](images/configmgr-verify-configuration.png) + +15. Click **Close** when the Wizard completes. + +16. In the Microsoft Endpoint Configuration Manager console, right-click the Microsoft Defender ATP policy you just created and select **Deploy**. + + ![Image of configuration settings](images/configmgr-deploy.png) + +17. 
On the right panel, select the previously created collection and click **OK**. + + ![Image of configuration settings](images/configmgr-select-collection.png) + + +### Previous versions of Windows Client (Windows 7 and Windows 8.1) +Follow the steps below to identify the Microsoft Defender ATP Workspace ID and Workspace Key, that will be required for the onboarding of previous versions of Windows. + +1. From a Microsoft Defender Security Center Portal, select **Settings > Onboarding**. + +2. Under operating system choose **Windows 7 SP1 and 8.1**. + +3. Copy the **Workspace ID** and **Workspace Key** and save them. They will be used later in the process. + + ![Image of onboarding](images/91b738e4b97c4272fd6d438d8c2d5269.png) + +4. Install the Microsoft Monitoring Agent (MMA).
                        + MMA is currently (as of January 2019) supported on the following Windows Operating + Systems: + + - Server SKUs: Windows Server 2008 SP1 or Newer + + - Client SKUs: Windows 7 SP1 and later + + The MMA agent will need to be installed on Windows devices. To install the + agent, some systems will need to download the [Update for customer experience + and diagnostic + telemetry](https://support.microsoft.com/help/3080149/update-for-customer-experience-and-diagnostic-telemetry) + in order to collect the data with MMA. These system versions include but may not + be limited to: + + - Windows 8.1 + + - Windows 7 + + - Windows Server 2016 + + - Windows Server 2012 R2 + + - Windows Server 2008 R2 + + Specifically, for Windows 7 SP1, the following patches must be installed: + + - Install + [KB4074598](https://support.microsoft.com/help/4074598/windows-7-update-kb4074598) + + - Install either [.NET Framework + 4.5](https://www.microsoft.com/download/details.aspx?id=30653) (or + later) **or** + [KB3154518](https://support.microsoft.com/help/3154518/support-for-tls-system-default-versions-included-in-the-net-framework). + Do not install both on the same system. + +5. If you're using a proxy to connect to the Internet see the Configure proxy settings section. + +Once completed, you should see onboarded endpoints in the portal within an hour. + +## Next generation protection +Microsoft Defender Antivirus is a built-in antimalware solution that provides next generation protection for desktops, portable computers, and servers. + +1. In the Microsoft Endpoint Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Antimalware Polices** and choose **Create Antimalware Policy**. + + ![Image of antimalware policy](images/9736e0358e86bc778ce1bd4c516adb8b.png) + +2. 
Select **Scheduled scans**, **Scan settings**, **Default actions**, **Real-time protection**, **Exclusion settings**, **Advanced**, **Threat overrides**, **Cloud Protection Service** and **Security intelligence updates** and choose **OK**. + + ![Image of next generation protection pane](images/1566ad81bae3d714cc9e0d47575a8cbd.png) + + In certain industries or some select enterprise customers might have specific +needs on how Antivirus is configured. + + + [Quick scan versus full scan and custom scan](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus#quick-scan-versus-full-scan-and-custom-scan) + + For more details, see [Windows Security configuration framework](https://docs.microsoft.com/windows/security/threat-protection/windows-security-configuration-framework/windows-security-configuration-framework) + + + ![Image of next generation protection pane](images/cd7daeb392ad5a36f2d3a15d650f1e96.png) + + ![Image of next generation protection pane](images/36c7c2ed737f2f4b54918a4f20791d4b.png) + + ![Image of next generation protection pane](images/a28afc02c1940d5220b233640364970c.png) + + ![Image of next generation protection pane](images/5420a8790c550f39f189830775a6d4c9.png) + + ![Image of next generation protection pane](images/33f08a38f2f4dd12a364f8eac95e8c6b.png) + + ![Image of next generation protection pane](images/41b9a023bc96364062c2041a8f5c344e.png) + + ![Image of next generation protection pane](images/945c9c5d66797037c3caeaa5c19f135c.png) + + ![Image of next generation protection pane](images/3876ca687391bfc0ce215d221c683970.png) + +3. Right-click on the newly created antimalware policy and select **Deploy**. + + ![Image of next generation protection pane](images/f5508317cd8c7870627cb4726acd5f3d.png) + +4. Target the new antimalware policy to your Windows 10 collection and click **OK**. 
+ + ![Image of next generation protection pane](images/configmgr-select-collection.png) + +After completing this task, you now have successfully configured Windows +Defender Antivirus. + +## Attack surface reduction +The attack surface reduction pillar of Microsoft Defender ATP includes the feature set that is available under Exploit Guard. Attack surface reduction (ASR) rules, Controlled Folder Access, Network Protection and Exploit +Protection. + +All these features provide an audit mode and a block mode. In audit mode there is no end-user impact. All it does is collect additional telemetry and make it available in the Microsoft Defender Security Center. The goal with a deployment is to step-by-step move security controls into block mode. + +To set ASR rules in Audit mode: + +1. In the Microsoft Endpoint Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Windows Defender Exploit Guard** and choose **Create Exploit Guard Policy**. + + ![Image of Microsoft Endpoint Configuration Manager console](images/728c10ef26042bbdbcd270b6343f1a8a.png) + + +2. Select **Attack Surface Reduction**. + + +3. Set rules to **Audit** and click **Next**. + + ![Image of Microsoft Endpoint Configuration Manager console](images/d18e40c9e60aecf1f9a93065cb7567bd.png) + +4. Confirm the new Exploit Guard policy by clicking on **Next**. + + ![Image of Microsoft Endpoint Configuration Manager console](images/0a6536f2c4024c08709cac8fcf800060.png) + + +5. Once the policy is created click **Close**. + + ![Image of Microsoft Endpoint Configuration Manager console](images/95d23a07c2c8bc79176788f28cef7557.png) + + + +6. Right-click on the newly created policy and choose **Deploy**. + + ![Image of Microsoft Endpoint Configuration Manager console](images/8999dd697e3b495c04eb911f8b68a1ef.png) + +7. Target the policy to the newly created Windows 10 collection and click **OK**. 
+ + ![Image of Microsoft Endpoint Configuration Manager console](images/0ccfe3e803be4b56c668b220b51da7f7.png) + +After completing this task, you now have successfully configured ASR rules in audit mode. + +Below are additional steps to verify whether ASR rules are correctly applied to +endpoints. (This may take few minutes) + + +1. From a web browser, navigate to . + +2. Select **Configuration management** from left side menu. + +3. Click **Go to attack surface management** in the Attack surface management panel. + + ![Image of attack surface management](images/security-center-attack-surface-mgnt-tile.png) + +4. Click **Configuration** tab in Attack surface reduction rules reports. It shows ASR rules configuration overview and ASR rules status on each devices. + + ![A screenshot of attack surface reduction rules reports](images/f91f406e6e0aae197a947d3b0e8b2d0d.png) + +5. Click each device shows configuration details of ASR rules. + + ![A screenshot of attack surface reduction rules reports](images/24bfb16ed561cbb468bd8ce51130ca9d.png) + +See [Optimize ASR rule deployment and +detections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr) for more details. + + +### To set Network Protection rules in Audit mode: +1. In the Microsoft Endpoint Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Windows Defender Exploit Guard** and choose **Create Exploit Guard Policy**. + + ![A screenshot System Center Configuration Manager](images/728c10ef26042bbdbcd270b6343f1a8a.png) + +2. Select **Network protection**. + +3. Set the setting to **Audit** and click **Next**. + + ![A screenshot System Center Confirugatiom Manager](images/c039b2e05dba1ade6fb4512456380c9f.png) + +4. Confirm the new Exploit Guard Policy by clicking **Next**. + + ![A screenshot Exploit GUard policy](images/0a6536f2c4024c08709cac8fcf800060.png) + +5. Once the policy is created click on **Close**. 
+ + ![A screenshot Exploit GUard policy](images/95d23a07c2c8bc79176788f28cef7557.png) + +6. Right-click on the newly created policy and choose **Deploy**. + + ![A screenshot Microsoft Endpoint Configuration Manager ](images/8999dd697e3b495c04eb911f8b68a1ef.png) + +7. Select the policy to the newly created Windows 10 collection and choose **OK**. + + ![A screenshot Microsoft Endpoint Configuration Manager ](images/0ccfe3e803be4b56c668b220b51da7f7.png) + +After completing this task, you now have successfully configured Network +Protection in audit mode. + +### To set Controlled Folder Access rules in Audit mode: + +1. In the Microsoft Endpoint Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Windows Defender Exploit Guard** and choose **Create Exploit Guard Policy**. + + ![A screenshot of Microsoft Endpoint Configuration Manager ](images/728c10ef26042bbdbcd270b6343f1a8a.png) + +2. Select **Controlled folder access**. + +3. Set the configuration to **Audit** and click **Next**. + + ![A screenshot of Microsoft Endpoint Configuration Manager ](images/a8b934dab2dbba289cf64fe30e0e8aa4.png) + +4. Confirm the new Exploit Guard Policy by clicking on **Next**. + + ![A screenshot of Microsoft Endpoint Configuration Manager ](images/0a6536f2c4024c08709cac8fcf800060.png) + +5. Once the policy is created click on **Close**. + + ![A screenshot of Microsoft Endpoint Configuration Manager ](images/95d23a07c2c8bc79176788f28cef7557.png) + +6. Right-click on the newly created policy and choose **Deploy**. + + ![A screenshot of Microsoft Endpoint Configuration Manager ](images/8999dd697e3b495c04eb911f8b68a1ef.png) + +7. Target the policy to the newly created Windows 10 collection and click **OK**. + + ![A screenshot of Microsoft Endpoint Configuration Manager ](images/0ccfe3e803be4b56c668b220b51da7f7.png) + +You have now successfully configured Controlled folder access in audit mode. 
+
+## Related topic
+- [Onboarding using Microsoft Endpoint Manager](onboarding-endpoint-manager.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboarding-endpoint-manager.md b/windows/security/threat-protection/microsoft-defender-atp/onboarding-endpoint-manager.md
new file mode 100644
index 0000000000..31593b47cc
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/onboarding-endpoint-manager.md
@@ -0,0 +1,367 @@
+---
+title: Onboarding using Microsoft Endpoint Manager
+description: Learn how to onboard to Microsoft Defender ATP using Microsoft Endpoint Manager
+keywords: onboarding, configuration, deploy, deployment, endpoint manager, mdatp, advanced threat protection, collection creation, endpoint detection response, next generation protection, attack surface reduction
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection:
+- M365-security-compliance
+- m365solution-endpointprotect
+ms.topic: article
+---
+
+# Onboarding using Microsoft Endpoint Manager
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+
+In this section, we will be using Microsoft Endpoint Manager (MEM) to deploy
+Microsoft Defender ATP to your endpoints.
+
+For more information about MEM, check out these resources:
+- [Microsoft Endpoint Manager page](https://docs.microsoft.com/mem/)
+- [Blog post on convergence of Intune and ConfigMgr](https://www.microsoft.com/microsoft-365/blog/2019/11/04/use-the-power-of-cloud-intelligence-to-simplify-and-accelerate-it-and-the-move-to-a-modern-workplace/)
+- [Introduction video on MEM](https://www.microsoft.com/microsoft-365/blog/2019/11/04/use-the-power-of-cloud-intelligence-to-simplify-and-accelerate-it-and-the-move-to-a-modern-workplace)
+
+
+This process is a multi-step process, you'll need to:
+
+- Identify target devices or users
+
+ - Create an Azure Active Directory group (User or Device)
+
+- Create a Configuration Profile
+
+ - In MEM, we'll guide you in creating a separate policy for each feature
+
+## Resources
+
+
+Here are the links you'll need for the rest of the process:
+
+- [MEM portal](https://aka.ms/memac)
+
+- [Security Center](https://securitycenter.windows.com/)
+
+- [Intune Security baselines](https://docs.microsoft.com/mem/intune/protect/security-baseline-settings-defender-atp#microsoft-defender)
+
+## Identify target devices or users
+In this section, we will create a test group to assign your configurations on.
+
+>[!NOTE]
+>Intune uses Azure Active Directory (Azure AD) groups to manage devices and
+users. As an Intune admin, you can set up groups to suit your organizational
+needs.
                        +> For more information, see [Add groups to organize users and devices](https://docs.microsoft.com/mem/intune/fundamentals/groups-add). + +### Create a group + +1. Open the MEM portal. + +2. Open **Groups > New Group**. + + ![Image of Microsoft Endpoint Manager portal](images/66f724598d9c3319cba27f79dd4617a4.png) + +3. Enter details and create a new group. + + ![Image of Microsoft Endpoint Manager portal](images/b1e0206d675ad07db218b63cd9b9abc3.png) + +4. Add your test user or device. + +5. From the **Groups > All groups** pane, open your new group. + +6. Select **Members > Add members**. + +7. Find your test user or device and select it. + + ![Image of Microsoft Endpoint Manager portal](images/149cbfdf221cdbde8159d0ab72644cd0.png) + +8. Your testing group now has a member to test. + +## Create configuration policies +In the following section, you'll create a number of configuration policies. +First is a configuration policy to select which groups of users or devices will +be onboarded to Microsoft Defender ATP. Then you will continue by creating several +different types of Endpoint security policies. + +### Endpoint detection and response + +1. Open the MEM portal. + +2. Navigate to **Endpoint security > Endpoint detection and response**. Click + on **Create Profile**. + + ![Image of Microsoft Endpoint Manager portal](images/58dcd48811147feb4ddc17212b7fe840.png) + +3. Under **Platform, select Windows 10 and Later, Profile - Endpoint detection + and response > Create**. + +4. Enter a name and description, then select **Next**. + + ![Image of Microsoft Endpoint Manager portal](images/a5b2d23bdd50b160fef4afd25dda28d4.png) + +5. Select settings as required, then select **Next**. + + ![Image of Microsoft Endpoint Manager portal](images/cea7e288b5d42a9baf1aef0754ade910.png) + + >[!NOTE] + >In this instance, this has been auto populated as Microsoft Defender ATP has already been integrated with Intune. 
For more information on the integration, see [Enable Microsoft Defender ATP in Intune](https://docs.microsoft.com/mem/intune/protect/advanced-threat-protection-configure#to-enable-microsoft-defender-atp).
                        + + + ![Image of Microsoft Endpoint Manager portal](images/2466460812371ffae2d19a10c347d6f4.png) + +6. Add scope tags if necessary, then select **Next**. + + ![Image of Microsoft Endpoint Manager portal](images/ef844f52ec2c0d737ce793f68b5e8408.png) + +7. Add test group by clicking on **Select groups to include** and choose your group, then select **Next**. + + ![Image of Microsoft Endpoint Manager portal](images/fc3525e20752da026ec9f46ab4fec64f.png) + +8. Review and accept, then select **Create**. + + ![Image of Microsoft Endpoint Manager portal](images/289172dbd7bd34d55d24810d9d4d8158.png) + +9. You can view your completed policy. + + ![Image of Microsoft Endpoint Manager portal](images/5a568b6878be8243ea2b9d82d41ed297.png) + +### Next-generation protection + +1. Open the MEM portal. + +2. Navigate to **Endpoint security > Antivirus > Create Policy**. + + ![Image of Microsoft Endpoint Manager portal](images/6b728d6e0d71108d768e368b416ff8ba.png) + +3. Select **Platform - Windows 10 and Later - Windows and Profile – Microsoft + Defender Antivirus > Create**. + +4. Enter name and description, then select **Next**. + + ![Image of Microsoft Endpoint Manager portal](images/a7d738dd4509d65407b7d12beaa3e917.png) + +5. In the **Configuration settings page**: Set the configurations you require for + Microsoft Defender Antivirus (Cloud Protection, Exclusions, Real-Time + Protection, and Remediation). + + ![Image of Microsoft Endpoint Manager portal](images/3840b1576d6f79a1d72eb14760ef5e8c.png) + +6. Add scope tags if necessary, then select **Next**. + + ![Image of Microsoft Endpoint Manager portal](images/2055e4f9b9141525c0eb681e7ba19381.png) + +7. Select groups to include, assign to your test group, then select **Next**. + + ![Image of Microsoft Endpoint Manager portal](images/48318a51adee06bff3908e8ad4944dc9.png) + +8. Review and create, then select **Create**. 
+
+ ![Image of Microsoft Endpoint Manager portal](images/dfdadab79112d61bd3693d957084b0ec.png)
+
+9. You'll see the configuration policy you created.
+
+ ![Image of Microsoft Endpoint Manager portal](images/38180219e632d6e4ec7bd25a46398da8.png)
+
+### Attack Surface Reduction – Attack surface reduction rules
+
+1. Open the MEM portal.
+
+2. Navigate to **Endpoint security > Attack surface reduction**.
+
+3. Select **Create Policy**.
+
+4. Select **Platform - Windows 10 and Later – Profile - Attack surface reduction
+ rules > Create**.
+
+ ![Image of Microsoft Endpoint Manager portal](images/522d9bb4288dc9c1a957392b51384fdd.png)
+
+5. Enter a name and description, then select **Next**.
+
+ ![Image of Microsoft Endpoint Manager portal](images/a5a71fd73ec389f3cdce6d1a6bd1ff31.png)
+
+6. In the **Configuration settings page**: Set the configurations you require for
+ Attack surface reduction rules, then select **Next**.
+
+ >[!NOTE]
+ >We will be configuring all of the Attack surface reduction rules to Audit.
+
+ For more information, see [Attack surface reduction rules](attack-surface-reduction.md).
+
+ ![Image of Microsoft Endpoint Manager portal](images/dd0c00efe615a64a4a368f54257777d0.png)
+
+7. Add Scope Tags as required, then select **Next**.
+
+ ![Image of Microsoft Endpoint Manager portal](images/6daa8d347c98fe94a0d9c22797ff6f28.png)
+
+8. Select groups to include and assign to test group, then select **Next**.
+
+ ![Image of Microsoft Endpoint Manager portal](images/45cefc8e4e474321b4d47b4626346597.png)
+
+9. Review the details, then select **Create**.
+
+ ![Image of Microsoft Endpoint Manager portal](images/2c2e87c5fedc87eba17be0cdeffdb17f.png)
+
+10. View the policy.
+
+ ![Image of Microsoft Endpoint Manager portal](images/7a631d17cc42500dacad4e995823ffef.png)
+
+### Attack Surface Reduction – Web Protection
+
+1. Open the MEM portal.
+
+2. Navigate to **Endpoint security > Attack surface reduction**.
+
+3. Select **Create Policy**.
+
+4. 
Select **Windows 10 and Later – Web protection > Create**.
+
+ ![Image of Microsoft Endpoint Manager portal](images/cd7b5a1cbc16cc05f878cdc99ba4c27f.png)
+
+5. Enter a name and description, then select **Next**.
+
+ ![Image of Microsoft Endpoint Manager portal](images/5be573a60cd4fa56a86a6668b62dd808.png)
+
+6. In the **Configuration settings page**: Set the configurations you require for
+ Web Protection, then select **Next**.
+
+ >[!NOTE]
+ >We are configuring Web Protection to Block.
+
+ For more information, see [Web Protection](web-protection-overview.md).
+
+ ![Image of Microsoft Endpoint Manager portal](images/6104aa33a56fab750cf30ecabef9f5b6.png)
+
+7. Add **Scope Tags as required > Next**.
+
+ ![Image of Microsoft Endpoint Manager portal](images/6daa8d347c98fe94a0d9c22797ff6f28.png)
+
+8. Select **Assign to test group > Next**.
+
+ ![Image of Microsoft Endpoint Manager portal](images/45cefc8e4e474321b4d47b4626346597.png)
+
+9. Select **Review and Create > Create**.
+
+ ![Image of Microsoft Endpoint Manager portal](images/8ee0405f1a96c23d2eb6f737f11c1ae5.png)
+
+10. View the policy.
+
+ ![Image of Microsoft Endpoint Manager portal](images/e74f6f6c150d017a286e6ed3dffb7757.png)
+
+## Validate configuration settings
+
+
+### Confirm Policies have been applied
+
+
+Once the Configuration policy has been assigned, it will take some time to apply.
+
+For information on timing, see [Intune configuration information](https://docs.microsoft.com/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned).
+
+To confirm that the configuration policy has been applied to your test device, follow the following process for each configuration policy.
+
+1. Open the MEM portal and navigate to the relevant policy as shown in the
+ steps above. The following example shows the next generation protection settings.
+
+ ![Image of Microsoft Endpoint Manager portal](images/43ab6aa74471ee2977e154a4a5ef2d39.png)
+
+2. Select the **Configuration Policy** to view the policy status.
+
+ ![Image of Microsoft Endpoint Manager portal](images/55ecaca0e4a022f0e29d45aeed724e6c.png)
+
+3. Select **Device Status** to see the status.
+
+ ![Image of Microsoft Endpoint Manager portal](images/18a50df62cc38749000dbfb48e9a4c9b.png)
+
+4. Select **User Status** to see the status.
+
+ ![Image of Microsoft Endpoint Manager portal](images/4e965749ff71178af8873bc91f9fe525.png)
+
+5. Select **Per-setting status** to see the status.
+
+ >[!TIP]
+ >This view is very useful to identify any settings that conflict with another policy.
+
+ ![Image of Microsoft Endpoint Manager portal](images/42acc69d0128ed09804010bdbdf0a43c.png)
+
+### Endpoint detection and response
+
+
+1. Before applying the configuration, the Microsoft Defender ATP
+ Protection service should not be started.
+
+ ![Image of Services panel](images/b418a232a12b3d0a65fc98248dbb0e31.png)
+
+2. After the configuration has been applied, the Microsoft Defender ATP
+ Protection Service should be started.
+
+ ![Image of Services panel](images/a621b699899f1b41db211170074ea59e.png)
+
+3. After the services are running on the device, the device appears in Microsoft
+ Defender Security Center.
+
+ ![Image of Microsoft Defender Security Center](images/df0c64001b9219cfbd10f8f81a273190.png)
+
+### Next-generation protection
+
+1. Before applying the policy on a test device, you should be able to manually
+ manage the settings as shown below.
+
+ ![Image of setting page](images/88efb4c3710493a53f2840c3eac3e3d3.png)
+
+2. After the policy has been applied, you should not be able to manually manage
+ the settings.
+
+ >[!NOTE]
+ > In the following image **Turn on cloud-delivered protection** and
+ **Turn on real-time protection** are being shown as managed.
+
+ ![Image of setting page](images/9341428b2d3164ca63d7d4eaa5cff642.png)
+
+### Attack Surface Reduction – Attack surface reduction rules
+
+
+1. Before applying the policy on a test device, pen a PowerShell Window and type `Get-MpPreference`.
+
+2. This should respond with the following lines with no content:
+
+ AttackSurfaceReductionOnlyExclusions:
+
+ AttackSurfaceReductionRules_Actions:
+
+ AttackSurfaceReductionRules_Ids:
+
+ ![Image of command line](images/cb0260d4b2636814e37eee427211fe71.png)
+
+3. After applying the policy on a test device, open a PowerShell Windows and type `Get-MpPreference`.
+
+4. This should respond with the following lines with content as shown below:
+
+ ![Image of command line](images/619fb877791b1fc8bc7dfae1a579043d.png)
+
+### Attack Surface Reduction – Web Protection
+
+1. On the test device, open a PowerShell Windows and type
+ `(Get-MpPreference).EnableNetworkProtection`.
+
+2. This should respond with a 0 as shown below.
+
+ ![Image of command line](images/196a8e194ac99d84221f405d0f684f8c.png)
+
+3. After applying the policy, open a PowerShell Windows and type
+ `(Get-MpPreference).EnableNetworkProtection`.
+
+4. This should respond with a 1 as shown below.
+
+ ![Image of command line](images/c06fa3bbc2f70d59dfe1e106cd9a4683.png)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboarding-notification.md b/windows/security/threat-protection/microsoft-defender-atp/onboarding-notification.md
index 3c3850da7f..7052df6942 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/onboarding-notification.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/onboarding-notification.md
@@ -19,6 +19,9 @@ ms.topic: article # Create a notification rule when a local onboarding or offboarding script is used +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboarding.md b/windows/security/threat-protection/microsoft-defender-atp/onboarding.md index 557c918348..feeca610db 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/onboarding.md +++ b/windows/security/threat-protection/microsoft-defender-atp/onboarding.md @@ -19,6 +19,9 @@ ms.topic: article --- # Onboard to the Microsoft Defender ATP service + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) 
@@ -51,343 +54,21 @@ You are currently in the onboarding phase. -To deploy Microsoft Defender ATP, you'll need to onboard devices to the service. Depending on the architecture of your environment, you'll need to use the appropriate management tool that best suites your requirements. +To deploy Microsoft Defender ATP, you'll need to onboard devices to the service. -The deployment guide uses Microsoft Endpoint Configuration Manager as the management tool to demonstrate an end-to-end deployment. +Depending on the architecture of your environment, you'll need to use the appropriate management tool that best suites your requirements. -This article will guide you on: -- Setting up Microsoft Endpoint Configuration Manager +After onboarding the devices, you'll then configure the various capabilities such as endpoint detection and response, next-generation protection, and attack surface reduction. + + +This article provides resources to guide you on: +- Using various management tools to onboard devices + - [Onboarding using Microsoft Endpoint Configuration Manager](onboarding-endpoint-configuration-manager.md) + - [Onboarding using Microsoft Endpoint Manager](onboarding-endpoint-manager.md) - Endpoint detection and response configuration - Next-generation protection configuration - Attack surface reduction configuration -## Onboarding using Microsoft Endpoint Configuration Manager -### Collection creation -To onboard Windows 10 devices with Microsoft Endpoint Configuration Manager, the -deployment can target either and existing collection or a new collection can be -created for testing. The onboarding like group policy or manual method does -not install any agent on the system. Within the Configuration Manager console -the onboarding process will be configured as part of the compliance settings -within the console. 
Any system that receives this required configuration will -maintain that configuration for as long as the Configuration Manager client -continues to receive this policy from the management point. Follow the steps -below to onboard systems with Configuration Manager. - -1. In Microsoft Endpoint Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Device Collections**. - - ![Image of Microsoft Endpoint Configuration Manager wizard](images/configmgr-device-collections.png) - -2. Right Click **Device Collection** and select **Create Device Collection**. - - ![Image of Microsoft Endpoint Configuration Manager wizard](images/configmgr-create-device-collection.png) - -3. Provide a **Name** and **Limiting Collection**, then select **Next**. - - ![Image of Microsoft Endpoint Configuration Manager wizard](images/configmgr-limiting-collection.png) - -4. Select **Add Rule** and choose **Query Rule**. - - ![Image of Microsoft Endpoint Configuration Manager wizard](images/configmgr-query-rule.png) - -5. Click **Next** on the **Direct Membership Wizard** and click on **Edit Query Statement**. - - ![Image of Microsoft Endpoint Configuration Manager wizard](images/configmgr-direct-membership.png) - -6. Select **Criteria** and then choose the star icon. - - ![Image of Microsoft Endpoint Configuration Manager wizard](images/configmgr-criteria.png) - -7. Keep criterion type as **simple value**, choose where as **Operating System - build number**, operator as **is greater than or equal to** and value **14393** and click on **OK**. - - ![Image of Microsoft Endpoint Configuration Manager wizard](images/configmgr-simple-value.png) - -8. Select **Next** and **Close**. - - ![Image of Microsoft Endpoint Configuration Manager wizard](images/configmgr-membership-rules.png) - -9. Select **Next**. 
- - ![Image of Microsoft Endpoint Configuration Manager wizard](images/configmgr-confirm.png) - -After completing this task, you now have a device collection with all the Windows 10 endpoints in the environment. - -## Endpoint detection and response -### Windows 10 -From within the Microsoft Defender Security Center it is possible to download -the '.onboarding' policy that can be used to create the policy in System Center Configuration -Manager and deploy that policy to Windows 10 devices. - -1. From a Microsoft Defender Security Center Portal, select [Settings and then Onboarding](https://securitycenter.windows.com/preferences2/onboarding). - - - -2. Under Deployment method select the supported version of **Microsoft Endpoint Configuration Manager**. - - ![Image of Microsoft Defender ATP onboarding wizard](images/mdatp-onboarding-wizard.png) - -3. Select **Download package**. - - ![Image of Microsoft Defender ATP onboarding wizard](images/mdatp-download-package.png) - -4. Save the package to an accessible location. -5. In Microsoft Endpoint Configuration Manager, navigate to: **Assets and Compliance > Overview > Endpoint Protection > Microsoft Defender ATP Policies**. - -6. Right-click **Microsoft Defender ATP Policies** and select **Create Microsoft Defender ATP Policy**. - - ![Image of Microsoft Endpoint Configuration Manager wizard](images/configmgr-create-policy.png) - -7. Enter the name and description, verify **Onboarding** is selected, then select **Next**. - - ![Image of Microsoft Endpoint Configuration Manager wizard](images/configmgr-policy-name.png) - -8. Click **Browse**. - -9. Navigate to the location of the downloaded file from step 4 above. - -10. Click **Next**. -11. Configure the Agent with the appropriate samples (**None** or **All file types**). - - ![Image of configuration settings](images/configmgr-config-settings.png) - -12. Select the appropriate telemetry (**Normal** or **Expedited**) then click **Next**. 
- - ![Image of configuration settings](images/configmgr-telemetry.png) - -14. Verify the configuration, then click **Next**. - - ![Image of configuration settings](images/configmgr-verify-configuration.png) - -15. Click **Close** when the Wizard completes. - -16. In the Microsoft Endpoint Configuration Manager console, right-click the Microsoft Defender ATP policy you just created and select **Deploy**. - - ![Image of configuration settings](images/configmgr-deploy.png) - -17. On the right panel, select the previously created collection and click **OK**. - - ![Image of configuration settings](images/configmgr-select-collection.png) - - -### Previous versions of Windows Client (Windows 7 and Windows 8.1) -Follow the steps below to identify the Microsoft Defender ATP Workspace ID and Workspace Key, that will be required for the onboarding of previous versions of Windows. - -1. From a Microsoft Defender Security Center Portal, select **Settings > Onboarding**. - -2. Under operating system choose **Windows 7 SP1 and 8.1**. - -3. Copy the **Workspace ID** and **Workspace Key** and save them. They will be used later in the process. - - ![Image of onboarding](images/91b738e4b97c4272fd6d438d8c2d5269.png) - -4. Install the Microsoft Monitoring Agent (MMA).
                        - MMA is currently (as of January 2019) supported on the following Windows Operating - Systems: - - - Server SKUs: Windows Server 2008 SP1 or Newer - - - Client SKUs: Windows 7 SP1 and later - - The MMA agent will need to be installed on Windows devices. To install the - agent, some systems will need to download the [Update for customer experience - and diagnostic - telemetry](https://support.microsoft.com/help/3080149/update-for-customer-experience-and-diagnostic-telemetry) - in order to collect the data with MMA. These system versions include but may not - be limited to: - - - Windows 8.1 - - - Windows 7 - - - Windows Server 2016 - - - Windows Server 2012 R2 - - - Windows Server 2008 R2 - - Specifically, for Windows 7 SP1, the following patches must be installed: - - - Install - [KB4074598](https://support.microsoft.com/help/4074598/windows-7-update-kb4074598) - - - Install either [.NET Framework - 4.5](https://www.microsoft.com/en-us/download/details.aspx?id=30653) (or - later) **or** - [KB3154518](https://support.microsoft.com/help/3154518/support-for-tls-system-default-versions-included-in-the-net-framework). - Do not install both on the same system. - -5. If you're using a proxy to connect to the Internet see the Configure proxy settings section. - -Once completed, you should see onboarded endpoints in the portal within an hour. - -## Next generation protection -Microsoft Defender Antivirus is a built-in antimalware solution that provides next generation protection for desktops, portable computers, and servers. - -1. In the Microsoft Endpoint Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Antimalware Polices** and choose **Create Antimalware Policy**. - - ![Image of antimalware policy](images/9736e0358e86bc778ce1bd4c516adb8b.png) - -2. 
Select **Scheduled scans**, **Scan settings**, **Default actions**, **Real-time protection**, **Exclusion settings**, **Advanced**, **Threat overrides**, **Cloud Protection Service** and **Security intelligence updates** and choose **OK**. - - ![Image of next generation protection pane](images/1566ad81bae3d714cc9e0d47575a8cbd.png) - - In certain industries or some select enterprise customers might have specific -needs on how Antivirus is configured. - - - [Quick scan versus full scan and custom scan](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus#quick-scan-versus-full-scan-and-custom-scan) - - For more details, see [Windows Security configuration framework](https://docs.microsoft.com/windows/security/threat-protection/windows-security-configuration-framework/windows-security-configuration-framework) - - - ![Image of next generation protection pane](images/cd7daeb392ad5a36f2d3a15d650f1e96.png) - - ![Image of next generation protection pane](images/36c7c2ed737f2f4b54918a4f20791d4b.png) - - ![Image of next generation protection pane](images/a28afc02c1940d5220b233640364970c.png) - - ![Image of next generation protection pane](images/5420a8790c550f39f189830775a6d4c9.png) - - ![Image of next generation protection pane](images/33f08a38f2f4dd12a364f8eac95e8c6b.png) - - ![Image of next generation protection pane](images/41b9a023bc96364062c2041a8f5c344e.png) - - ![Image of next generation protection pane](images/945c9c5d66797037c3caeaa5c19f135c.png) - - ![Image of next generation protection pane](images/3876ca687391bfc0ce215d221c683970.png) - -3. Right-click on the newly created antimalware policy and select **Deploy**. - - ![Image of next generation protection pane](images/f5508317cd8c7870627cb4726acd5f3d.png) - -4. Target the new antimalware policy to your Windows 10 collection and click **OK**. 
- - ![Image of next generation protection pane](images/configmgr-select-collection.png) - -After completing this task, you now have successfully configured Windows -Defender Antivirus. - -## Attack surface reduction -The attack surface reduction pillar of Microsoft Defender ATP includes the feature set that is available under Exploit Guard. Attack surface reduction (ASR) rules, Controlled Folder Access, Network Protection and Exploit -Protection. - -All these features provide an audit mode and a block mode. In audit mode there is no end-user impact. All it does is collect additional telemetry and make it available in the Microsoft Defender Security Center. The goal with a deployment is to step-by-step move security controls into block mode. - -To set ASR rules in Audit mode: - -1. In the Microsoft Endpoint Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Windows Defender Exploit Guard** and choose **Create Exploit Guard Policy**. - - ![Image of Microsoft Endpoint Configuration Manager console](images/728c10ef26042bbdbcd270b6343f1a8a.png) - - -2. Select **Attack Surface Reduction**. - - -3. Set rules to **Audit** and click **Next**. - - ![Image of Microsoft Endpoint Configuration Manager console](images/d18e40c9e60aecf1f9a93065cb7567bd.png) - -4. Confirm the new Exploit Guard policy by clicking on **Next**. - - ![Image of Microsoft Endpoint Configuration Manager console](images/0a6536f2c4024c08709cac8fcf800060.png) - - -5. Once the policy is created click **Close**. - - ![Image of Microsoft Endpoint Configuration Manager console](images/95d23a07c2c8bc79176788f28cef7557.png) - - - -6. Right-click on the newly created policy and choose **Deploy**. - - ![Image of Microsoft Endpoint Configuration Manager console](images/8999dd697e3b495c04eb911f8b68a1ef.png) - -7. Target the policy to the newly created Windows 10 collection and click **OK**. 
- - ![Image of Microsoft Endpoint Configuration Manager console](images/0ccfe3e803be4b56c668b220b51da7f7.png) - -After completing this task, you now have successfully configured ASR rules in audit mode. - -Below are additional steps to verify whether ASR rules are correctly applied to -endpoints. (This may take few minutes) - - -1. From a web browser, navigate to . - -2. Select **Configuration management** from left side menu. - -3. Click **Go to attack surface management** in the Attack surface management panel. - - ![Image of attack surface management](images/security-center-attack-surface-mgnt-tile.png) - -4. Click **Configuration** tab in Attack surface reduction rules reports. It shows ASR rules configuration overview and ASR rules status on each devices. - - ![A screenshot of attack surface reduction rules reports](images/f91f406e6e0aae197a947d3b0e8b2d0d.png) - -5. Click each device shows configuration details of ASR rules. - - ![A screenshot of attack surface reduction rules reports](images/24bfb16ed561cbb468bd8ce51130ca9d.png) - -See [Optimize ASR rule deployment and -detections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr) for more details. - - -### To set Network Protection rules in Audit mode: -1. In the Microsoft Endpoint Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Windows Defender Exploit Guard** and choose **Create Exploit Guard Policy**. - - ![A screenshot System Center Configuration Manager](images/728c10ef26042bbdbcd270b6343f1a8a.png) - -2. Select **Network protection**. - -3. Set the setting to **Audit** and click **Next**. - - ![A screenshot System Center Confirugatiom Manager](images/c039b2e05dba1ade6fb4512456380c9f.png) - -4. Confirm the new Exploit Guard Policy by clicking **Next**. - - ![A screenshot Exploit GUard policy](images/0a6536f2c4024c08709cac8fcf800060.png) - -5. Once the policy is created click on **Close**. 
- - ![A screenshot Exploit GUard policy](images/95d23a07c2c8bc79176788f28cef7557.png) - -6. Right-click on the newly created policy and choose **Deploy**. - - ![A screenshot Microsoft Endpoint Configuration Manager ](images/8999dd697e3b495c04eb911f8b68a1ef.png) - -7. Select the policy to the newly created Windows 10 collection and choose **OK**. - - ![A screenshot Microsoft Endpoint Configuration Manager ](images/0ccfe3e803be4b56c668b220b51da7f7.png) - -After completing this task, you now have successfully configured Network -Protection in audit mode. - -### To set Controlled Folder Access rules in Audit mode: - -1. In the Microsoft Endpoint Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Windows Defender Exploit Guard** and choose **Create Exploit Guard Policy**. - - ![A screenshot of Microsoft Endpoint Configuration Manager ](images/728c10ef26042bbdbcd270b6343f1a8a.png) - -2. Select **Controlled folder access**. - -3. Set the configuration to **Audit** and click **Next**. - - ![A screenshot of Microsoft Endpoint Configuration Manager ](images/a8b934dab2dbba289cf64fe30e0e8aa4.png) - -4. Confirm the new Exploit Guard Policy by clicking on **Next**. - - ![A screenshot of Microsoft Endpoint Configuration Manager ](images/0a6536f2c4024c08709cac8fcf800060.png) - -5. Once the policy is created click on **Close**. - - ![A screenshot of Microsoft Endpoint Configuration Manager ](images/95d23a07c2c8bc79176788f28cef7557.png) - -6. Right-click on the newly created policy and choose **Deploy**. - - ![A screenshot of Microsoft Endpoint Configuration Manager ](images/8999dd697e3b495c04eb911f8b68a1ef.png) - -7. Target the policy to the newly created Windows 10 collection and click **OK**. - - ![A screenshot of Microsoft Endpoint Configuration Manager ](images/0ccfe3e803be4b56c668b220b51da7f7.png) - -You have now successfully configured Controlled folder access in audit mode. 
- +## Related topics +- [Onboarding using Microsoft Endpoint Configuration Manager](onboarding-endpoint-configuration-manager.md) +- [Onboarding using Microsoft Endpoint Manager](onboarding-endpoint-manager.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md index 820cf2766f..3996f745b3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md @@ -21,6 +21,9 @@ ms.topic: conceptual # Overview of attack surface reduction +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** * [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md b/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md index c98c0a6c38..a6bc0dc2a2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md +++ b/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md 
@@ -18,22 +18,22 @@ ms.collection: M365-security-compliance ms.topic: conceptual --- - # Custom detections overview + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -With custom detections, you can proactively monitor for and respond to various events and system states, including suspected breach activity and misconfigured devices. This is made possible by customizable detection rules that automatically trigger alerts as well as response actions. +With custom detections, you can proactively monitor for and respond to various events and system states, including suspected breach activity and misconfigured devices. You can do this with customizable detection rules that automatically trigger alerts and response actions. -Custom detections work with [Advanced hunting](advanced-hunting-overview.md), which provides a powerful, flexible query language that covers a broad set of event and system information from your network. You can set them to run at regular intervals, generating alerts and taking response actions whenever there are matches. +Custom detections work with [advanced hunting](advanced-hunting-overview.md), which provides a powerful, flexible query language that covers a broad set of event and system information from your network. You can set them to run at regular intervals, generating alerts and taking response actions whenever there are matches. Custom detections provide: - Alerts for rule-based detections built from advanced hunting queries - Automatic response actions that apply to files and devices ->[!NOTE] ->To create and manage custom detections, [your role](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) needs to have the **manage security settings** permission. 
- -## Related topic -- [Create and manage custom detection rules](custom-detection-rules.md) -- [Advanced hunting overview](advanced-hunting-overview.md) \ No newline at end of file +## Related topics +- [Create detection rules](custom-detection-rules.md) +- [View and manage detection rules](custom-detections-manage.md) +- [Advanced hunting overview](advanced-hunting-overview.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response.md b/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response.md index ed39a6eb0e..4c1e39e0e5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response.md +++ b/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response.md @@ -20,6 +20,9 @@ ms.topic: conceptual # Overview of endpoint detection and response +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-hardware-based-isolation.md b/windows/security/threat-protection/microsoft-defender-atp/overview-hardware-based-isolation.md index 7b7ae31f81..cf352dd917 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/overview-hardware-based-isolation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/overview-hardware-based-isolation.md 
@@ -19,6 +19,9 @@ ms.date: 09/07/2018 # Hardware-based isolation in Windows 10 +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Hardware-based isolation helps protect system integrity in Windows 10 and is integrated with Microsoft Defender ATP. diff --git a/windows/security/threat-protection/microsoft-defender-atp/partner-applications.md b/windows/security/threat-protection/microsoft-defender-atp/partner-applications.md index ee58dab8f6..40d005db5a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/partner-applications.md +++ b/windows/security/threat-protection/microsoft-defender-atp/partner-applications.md @@ -19,6 +19,9 @@ ms.topic: conceptual --- # Partner applications in Microsoft Defender ATP + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) 
@@ -29,10 +32,83 @@ Microsoft Defender ATP supports third-party applications to help enhance the det The support for third-party solutions help to further streamline, integrate, and orchestrate defenses from other vendors with Microsoft Defender ATP; enabling security teams to effectively respond better to modern threats. -Microsoft Defender ATP seamlessly integrates with existing security solutions - providing out of the box integration with SIEM, ticketing and IT service management solutions, managed security service providers (MSSP), IoC indicators ingestions and matching, automated device investigation and remediation based on external alerts, and integration with Security orchestration and automation response (SOAR) systems. +Microsoft Defender ATP seamlessly integrates with existing security solutions — providing out of the box integration with SIEM, ticketing and IT service management solutions, managed security service providers (MSSP), IoC indicators ingestions and matching, automated device investigation and remediation based on external alerts, and integration with Security orchestration and automation response (SOAR) systems. 
+ +## Supported applications + + +### Security information and analytics + +Logo |Partner name | Description +:---|:---|:--- +![Image of AttackIQ logo](images/attackiq-logo.png)| [AttackIQ Platform](https://go.microsoft.com/fwlink/?linkid=2103502) | AttackIQ Platform validates Microsoft Defender ATP is configured properly by launching continuous attacks safely on production assets +![Image of Azure Sentinel logo](images/sentinel-logo.png)| [AzureSentinel](https://go.microsoft.com/fwlink/?linkid=2135705) | Stream alerts from Microsoft Defender Advanced Threat Protection into Azure Sentinel +![Image of Cymulate logo](images/cymulate-logo.png) | [Cymulate](https://go.microsoft.com/fwlink/?linkid=2135574)| Correlate Microsoft Defender ATP findings with simulated attacks to validate accurate detection and effective response actions +![Image of Elastic security logo](images/elastic-security-logo.png) | [Elastic Security](https://go.microsoft.com/fwlink/?linkid=2139303) | Elastic Security is a free and open solution for preventing, detecting, and responding to threats +![Image of IBM QRadar logo](images/ibm-qradar-logo.png) | [IBM QRadar](https://go.microsoft.com/fwlink/?linkid=2113903) | Configure IBM QRadar to collect detections from Microsoft Defender ATP +![Image of Micro Focus ArcSight logo](images/arcsight-logo.png) | [Micro Focus ArcSight](https://go.microsoft.com/fwlink/?linkid=2113548) | Use Micro Focus ArcSight to pull Microsoft Defender ATP detections +![Image of RSA NetWitness logo](images/rsa-netwitness-logo.png) | [RSA NetWitness](https://go.microsoft.com/fwlink/?linkid=2118566) | Stream Microsoft Defender ATP Alerts to RSA NetWitness leveraging Microsoft Graph Security API +![Image of SafeBreach logo](images/safebreach-logo.png) | [SafeBreach](https://go.microsoft.com/fwlink/?linkid=2114114)| Gain visibility into Microsoft Defender ATP security events that are automatically correlated with SafeBreach simulations +![Image of Skybox Vulnerability Control 
logo](images/skybox-logo.png) | [Skybox Vulnerability Control](https://go.microsoft.com/fwlink/?linkid=2127467) | Skybox Vulnerability Control cuts through the noise of vulnerability management, correlating business, network and threat context to uncover your riskiest vulnerabilities +![Image of Splunk logo](images/splunk-logo.png) | [Splunk](https://go.microsoft.com/fwlink/?linkid=2129805) | The Microsoft Defender ATP Add-on allows Splunk users to ingest all of the alerts and supporting information to their Splunk +![Image of XM Cyber logo](images/xmcyber-logo.png) | [XM Cyber](https://go.microsoft.com/fwlink/?linkid=2136700) | Prioritize your response to an alert based on risk factors and high value assets + +### Orchestration and automation + + +Logo |Partner name | Description +:---|:---|:--- +![Image of CyberSponse CyOps logo](images/cybersponse-logo.png) | [CyberSponse CyOps](https://go.microsoft.com/fwlink/?linkid=2115943) | CyOps integrates with Microsoft Defender ATP to automate customers' high-speed incident response playbooks +![Image of Delta Risk ActiveEye logo](images/delta-risk-activeeye-logo.png) | [Delta Risk ActiveEye](https://go.microsoft.com/fwlink/?linkid=2127468) | Delta Risk, a leading provider of SOC-as-a-Service and security services, integrate Microsoft Defender ATP with its cloud-native SOAR platform, ActiveEye. 
+![Image of Demisto, a Palo Alto Networks Company logo](images/demisto-logo.png) | [Demisto, a Palo Alto Networks Company](https://go.microsoft.com/fwlink/?linkid=2108414) | Demisto integrates with Microsoft Defender ATP to enable security teams to orchestrate and automate endpoint security monitoring, enrichment and response +![Image of Microsoft Flow & Azure Functions logo](images/ms-flow-logo.png) | [Microsoft Flow & Azure Functions](https://go.microsoft.com/fwlink/?linkid=2114300) | Use the Microsoft Defender ATP connectors for Azure Logic Apps & Microsoft Flow to automating security procedures +![Image of Rapid7 InsightConnect logo](images/rapid7-logo.png) | [Rapid7 InsightConnect](https://go.microsoft.com/fwlink/?linkid=2116040) | InsightConnect integrates with Microsoft Defender ATP to accelerate, streamline, and integrate your time-intensive security processes +![Image of ServiceNow logo](images/servicenow-logo.png) | [ServiceNow](https://go.microsoft.com/fwlink/?linkid=2135621) | Ingest alerts into ServiceNow Security Operations solution based on Microsoft Graph API integration +![Image of Swimlane logo](images/swimlane-logo.png) | [Swimlane](https://go.microsoft.com/fwlink/?linkid=2113902) | Maximize incident response capabilities utilizing Swimlane and Microsoft Defender ATP together + + +### Threat intelligence + +Logo |Partner name | Description +:---|:---|:--- +![Image of MISP Malware Information Sharing Platform)logo](images/misp-logo.png) | [MISP (Malware Information Sharing Platform)](https://go.microsoft.com/fwlink/?linkid=2127543) | Integrate threat indicators from the Open Source Threat Intelligence Sharing Platform into your Microsoft Defender ATP environment +![Image of Palo Alto Networks logo](images/paloalto-logo.png) | [Palo Alto Networks](https://go.microsoft.com/fwlink/?linkid=2099582) | Enrich your endpoint protection by extending Autofocus and other threat feeds to Microsoft Defender ATP using MineMeld +![Image of ThreatConnect 
logo](images/threatconnect-logo.png) | [ThreatConnect](https://go.microsoft.com/fwlink/?linkid=2114115) | Alert and/or block on custom threat intelligence from ThreatConnect Playbooks using Microsoft Defender ATP indicators + + + +### Network security +Logo |Partner name | Description +:---|:---|:--- +![Image of Aruba ClearPass Policy Manager logo](images/aruba-logo.png) | [Aruba ClearPass Policy Manager](https://go.microsoft.com/fwlink/?linkid=2127544) | Ensure Microsoft Defender ATP is installed and updated on each endpoint before allowing access to the network +![Image of Blue Hexagon for Network logo](images/bluehexagon-logo.png) | [Blue Hexagon for Network](https://go.microsoft.com/fwlink/?linkid=2104613) | Blue Hexagon has built the industry's first real-time deep learning platform for network threat protection +![Image of CyberMDX logo](images/cybermdx-logo.png) | [CyberMDX](https://go.microsoft.com/fwlink/?linkid=2135620) | Cyber MDX integrates comprehensive healthcare assets visibility, threat prevention and repose into your Microsoft Defender ATP environment +![Image of Vectra Network Detection and Response (NDR) logo](images/vectra-logo.png) |[Vectra Network Detection and Response (NDR)](https://go.microsoft.com/fwlink/?linkid=866934)| Vectra applies AI & security research to detect and respond to cyber-attacks in real time + + +### Cross platform +Logo |Partner name | Description +:---|:---|:--- +![Image of Bitdefender logo](images/bitdefender-logo.png)| [Bitdefender](https://go.microsoft.com/fwlink/?linkid=860032)| Bitdefender GravityZone is a layered next generation endpoint protection platform offering comprehensive protection against the full spectrum of sophisticated cyber threats +![Image of Better Mobile logo](images/bettermobile-logo.png) | [Better Mobile](https://go.microsoft.com/fwlink/?linkid=2086214)| AI based MTD solution to stop mobile threats & phishing. 
Private internet browsing to protect user privacy +![Image of Corrata logo](images/corrata-logo.png)| [Corrata](https://go.microsoft.com/fwlink/?linkid=2081148) | Mobile solution — Protect your mobile devices with granular visibility and control from Corrata +![Image of Lookout logo](images/lookout-logo.png)| [Lookout](https://go.microsoft.com/fwlink/?linkid=866935)| Get Lookout Mobile Threat Protection telemetry for Android and iOS mobile devices +![Image of Symantec Endpoint Protection Mobile logo](images/symantec-logo.png) | [Symantec Endpoint Protection Mobile](https://go.microsoft.com/fwlink/?linkid=2090992)| SEP Mobile helps businesses predict, detect and prevent security threats and vulnerabilities on mobile devices +![Image of Zimperium logo](images/zimperium-logo.png)| [Zimperium](https://go.microsoft.com/fwlink/?linkid=2118044)|Extend your Microsoft Defender ATP to iOS and Android with Machine Learning-based Mobile Threat Defense + + +## Additional integrations +Logo |Partner name | Description +:---|:---|:--- +![Image of Cyren Web Filter logo](images/cyren-logo.png)| [Cyren Web Filter](https://go.microsoft.com/fwlink/?linkid=2108221)| Enhance your Microsoft Defender ATP with advanced Web Filtering +![Image of Morphisec logo](images/morphisec-logo.png)| [Morphisec](https://go.microsoft.com/fwlink/?linkid=2086215)| Provides Moving Target Defense-powered advanced threat prevention and integrates forensics data directly into WD Security Center dashboards to help prioritize alerts, determine device at-risk score and visualize full attack timeline including internal memory information +![Image of THOR Cloud logo](images/nextron-thor-logo.png)| [THOR Cloud](https://go.microsoft.com/fwlink/?linkid=862988)| Provides on-demand live forensics scans using a signature base with focus on persistent threats + + + ## SIEM integration -Microsoft Defender ATP supports SIEM integration through a variety of methods - specialized SIEM system interface with out of the box 
connectors, a generic alert API enabling custom implementations, and an action API enabling alert status management. For more information, see [Enable SIEM integration](enable-siem-integration.md). +Microsoft Defender ATP supports SIEM integration through a variety of methods — specialized SIEM system interface with out of the box connectors, a generic alert API enabling custom implementations, and an action API enabling alert status management. For more information, see [Enable SIEM integration](enable-siem-integration.md). ## Ticketing and IT service management Ticketing solution integration helps to implement manual and automatic response processes. Microsoft Defender ATP can help to create tickets automatically when an alert is generated and resolve the alerts when tickets are closed using the alerts API. @@ -45,7 +121,7 @@ Microsoft Defender ATP offers unique automated investigation and remediation cap Integrating the automated investigation and response capability with other solutions such as IDS and firewalls help to address alerts and minimize the complexities surrounding network and device signal correlation, effectively streamlining the investigation and threat remediation actions on devices. -External alerts can be pushed into Microsoft Defender ATP and is presented side-by-side with additional device-based alerts from Microsoft Defender ATP. This view provides a full context of the alert - with the real process and the full story of attack. +External alerts can be pushed into Microsoft Defender ATP and is presented side-by-side with additional device-based alerts from Microsoft Defender ATP. This view provides a full context of the alert — with the real process and the full story of attack. ## Indicators matching You can use threat-intelligence from providers and aggregators to maintain and use indicators of compromise (IOCs). 
@@ -55,4 +131,4 @@ Microsoft Defender ATP allows you to integrate with such solutions and act on Io Microsoft Defender ATP currently supports IOC matching and remediation for file and network indicators. Blocking is supported for file indicators. ## Support for non-Windows platforms -Microsoft Defender ATP provides a centralized security operations experience for Windows as well as non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in the portal and better protect your organization's network. This experience leverages on a third-party security products' sensor data giving you a unified experience. +Microsoft Defender ATP provides a centralized security operations experience for Windows as well as non-Windows platforms, including mobile devices. You'll be able to see alerts from various supported operating systems (OS) in the portal and better protect your organization's network. diff --git a/windows/security/threat-protection/microsoft-defender-atp/partner-integration.md b/windows/security/threat-protection/microsoft-defender-atp/partner-integration.md index 188a26d5b7..7c6e64db5c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/partner-integration.md +++ b/windows/security/threat-protection/microsoft-defender-atp/partner-integration.md @@ -20,6 +20,9 @@ ms.topic: conceptual # Microsoft Defender ATP partner opportunities and scenarios +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) 
@@ -52,4 +55,4 @@ The above scenarios serve as examples of the extensibility of the platform. You Follow the steps in [Become a Microsoft Defender ATP partner](get-started-partner-integration.md) to integrate your solution in Microsoft Defender ATP. ## Related topic -- [Overview of management and APIs](management-apis.md) \ No newline at end of file +- [Overview of management and APIs](management-apis.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md b/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md index 2b28898f2c..f8d7446a76 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md @@ -19,6 +19,9 @@ ms.topic: conceptual # Microsoft Defender Security Center portal overview +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator.md b/windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator.md index 5e1fd0cad0..7525f68b6e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator.md +++ b/windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator.md @@ -1,6 +1,6 @@ --- title: Submit or Update Indicator API -description: Use this API to submit or Update Indicator. +description: Learn how to use the Submit or Update Indicator API to submit or update a new Indicator entity in Microsoft Defender Advanced Threat Protection. keywords: apis, graph api, supported apis, submit, ti, indicator, update search.product: eADQiWindows 10XVcnh ms.prod: w10 
@@ -18,6 +18,9 @@ ms.topic: article # Submit or Update Indicator API +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/powerbi-reports.md b/windows/security/threat-protection/microsoft-defender-atp/powerbi-reports.md deleted file mode 100644 index dd83d08373..0000000000 --- a/windows/security/threat-protection/microsoft-defender-atp/powerbi-reports.md +++ /dev/null 
@@ -1,213 +0,0 @@ ---- -title: Create and build Power BI reports using Microsoft Defender ATP data connectors -description: Get security insights by creating and building Power BI dashboards using data from Microsoft Defender ATP and other data sources. -keywords: settings, power bi, power bi service, power bi desktop, reports, dashboards, connectors, security insights, mashup -search.product: eADQiWindows 10XVcnh -search.appverid: met150 -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -author: mjcaparas -ms.author: macapara -ms.localizationpriority: medium -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: article ---- - - -# Create and build Power BI reports using Microsoft Defender ATP data connectors (Deprecated) - -**Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - - ->[!WARNING] ->This connector is being deprecated, learn how to [Create Power-BI reports using Microsoft Defender ATP APIs](api-power-bi.md). - - -> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-powerbireports-abovefoldlink) - -Understand the security status of your organization, including the status of devices, alerts, and investigations using the Microsoft Defender ATP reporting feature that integrates with Power BI. - -Microsoft Defender ATP supports the use of Power BI data connectors to enable you to connect and access Microsoft Defender ATP data using Microsoft Graph. - -Data connectors integrate seamlessly in Power BI, and make it easy for power users to query, shape and combine data to build reports and dashboards that meet the needs of your organization. 
- -You can easily get started by: -- Creating a dashboard on the Power BI service -- Building a custom dashboard on Power BI Desktop and tweaking it to fit the visual analytics and reporting requirements of your organization - -You can access these options from Microsoft Defender Security Center. Both the Power BI service and Power BI Desktop are supported. - -## Create a Microsoft Defender ATP dashboard on Power BI service -Microsoft Defender ATP makes it easy to create a Power BI dashboard by providing an option straight from the portal. - -1. In the navigation pane, select **Settings** > **General** > **Power BI reports**. - -2. Click **Create dashboard**. - - ![Image of create dashboard](images/atp-create-dashboard.png) - - You'll see a notification that things are being loaded. - - ![Image of loading](images/atp-loading.png) - - >[!NOTE] - >Loading your data in the Power BI service can take a few minutes. - -3. Specify the following details: - - **extensionDataSourceKind**: WDATPConnector - - **extensionDataSourcePath**: WDATPConnector - - **Authentication method**: OAuth2 - - ![Image of Power BI authentication method](images/atp-powerbi-extension.png) - -4. Click **Sign in**. If this is the first time you’re using Power BI with Microsoft Defender ATP, you’ll need to sign in and give consent to Microsoft Defender ATP Power BI app. By providing consent, you’re allowing Microsoft Defender ATP Power BI to sign in and read your profile, access your data, and be used for report refresh. - - ![Consent image](images/atp-powerbi-accept.png) - -5. Click **Accept**. Power BI service will start downloading your Microsoft Defender ATP data from Microsoft Graph. After a successful login, you'll see a notification that data is being imported: - - ![Image of importing data](images/atp-powerbi-importing.png) - - >[!NOTE] - >Depending on the number of onboarded devices, loading your data in the Power BI service can take several minutes. 
A larger number of devices might take longer to load. - - When importing data is completed and the dataset is ready, you’ll the following notification: - - ![Image of dataset is ready](images/atp-data-ready.png) - -6. Click **View dataset** to explore your data. - - -For more information, see [Create a Power BI dashboard from a report](https://powerbi.microsoft.com/en-us/documentation/powerbi-service-create-a-dashboard/). - -## Create a Power BI dashboard from the Power BI portal - -1. Login to [Power BI](https://powerbi.microsoft.com/). - -2. Click **Get Data**. - -3. Select **Microsoft AppSource** > **My Organization** > **Get**. - - ![Image of Microsoft AppSource to get data](images/atp-get-data.png) - -4. In the AppSource window, select **Apps** and search for Microsoft Defender Advanced Threat Protection. - - ![Image of AppSource to get Microsoft Defender ATP](images/atp-appsource.png) - -5. Click **Get it now**. - -6. Specify the following details: - - **extensionDataSourceKind**: WDATPConnector - - **extensionDataSourcePath**: WDATPConnector - - **Authentication method**: OAuth2 - - ![Image of Power BI authentication method](images/atp-powerbi-extension.png) - -7. Click **Sign in**. If this is the first time you’re using Power BI with Microsoft Defender ATP, you’ll need to sign in and give consent to Microsoft Defender ATP Power BI app. By providing consent, you’re allowing Microsoft Defender ATP Power BI to sign in and read your profile, access your data, and be used for report refresh. - - ![Consent image](images/atp-powerbi-accept.png) - -8. Click **Accept**. Power BI service will start downloading your Microsoft Defender ATP data from Microsoft Graph. After a successful login, you'll see a notification that data is being imported: - - ![Image of importing data](images/atp-powerbi-importing.png) - - >[!NOTE] - >Depending on the number of onboarded devices, loading your data in the Power BI service can take several minutes. 
A larger number of devices might take longer to load. - - When importing data is completed and the dataset is ready, you’ll the following notification: - - ![Image of dataset is ready](images/atp-data-ready.png) - -9. Click **View dataset** to explore your data. - - -## Build a custom Microsoft Defender ATP dashboard in Power BI Desktop -You can create a custom dashboard in Power BI Desktop to create visualizations that cater to the specific views that your organization requires. - -### Before you begin -1. Make sure you use Power BI Desktop June 2017 and above. [Download the latest version](https://powerbi.microsoft.com/en-us/desktop/). - -2. In the Microsoft Defender Security Center navigation pane, select **Settings** > **Power BI reports**. - - ![Image of settings Power BI reports](images/atp-settings-powerbi.png) - -3. Click **Download connector** to download the WDATPPowerBI.zip file and extract it. - - ![Settings with download connector button](images/atp-download-connector.png) - -4. Create a new directory `[Documents]\Power BI Desktop\Custom Connectors`. - -5. Copy WDATPDataConnector.mez from the zip to the directory you just created. - -6. Open Power BI Desktop. - -7. Click **File** > **Options and settings** > **Custom data connectors**. - -8. Select **New table and matrix visuals** and **Custom data connectors** and click **OK**. - - > [!NOTE] - > If you plan on using Custom Connectors or connectors that you or a third party has developed, you must select *(Not Recommended) Allow any extension to load without warning* under **Power BI Desktop** > **File** > **Options and settings** > **Options** > **Security** > **Data Extensions**". - - >[!NOTE] - >If you are using Power BI Desktop July 2017 version (or later), you won't need to select **New table and matrix visuals**. You'll only need to select **Custom data connectors**. - - ![Power BI options page](images/atp-powerbi-options.png) - -9. Restart Power BI Desktop. 
- -## Customize the Microsoft Defender ATP Power BI dashboard -After completing the steps in the Before you begin section, you can proceed with building your custom dashboard. - -1. Open WDATPPowerBI.pbit from the zip with Power BI Desktop. - -2. If this is the first time you’re using Power BI with Microsoft Defender ATP, you’ll need to sign in and give consent to Microsoft Defender ATP Power BI app. By providing consent, you’re allowing Microsoft Defender ATP Power BI to sign in and read your profile, and access your data. - - ![Consent image](images/atp-powerbi-consent.png) - -3. Click **Accept**. Power BI Desktop will start downloading your Microsoft Defender ATP data from Microsoft Graph. When all data has been downloaded, you can proceed to customize your reports. - - - -## Mashup Microsoft Defender ATP data with other data sources -You can use Power BI Desktop to analyze data from Microsoft Defender ATP and mash that data up with other data sources to gain better security perspective in your organization. - -1. In Power BI Desktop, in the Home ribbon, click **Get data** and search for **Microsoft Defender Advanced Threat Protection**. - -2. Click **Connect**. - -3. On the Preview Connector windows, click **Continue**. - -4. If this is the first time you’re using Power BI with Microsoft Defender ATP, you’ll need to sign in and give consent to Microsoft Defender ATP Power BI app. By providing consent, you’re allowing Microsoft Defender ATP Power BI to sign in and read your profile, and access your data. - - ![Consent image](images/atp-powerbi-consent.png) - -5. Click **Accept**. Power BI Desktop will start downloading your Microsoft Defender ATP data from Microsoft Graph. When all data has been downloaded, you can proceed to customize your reports. - -6. In the Navigator dialog box, select the Microsoft Defender ATP feeds you'd like to download and use in your reports and click Load. Data will start to be downloaded from the Microsoft Graph. - -7. 
Load other data sources by clicking **Get data item** in the Home ribbon, and select another data source. - -8. Add visuals and select fields from the available data sources. - -## Using the Power BI reports -There are a couple of tabs on the report that's generated: - -- Device and alerts -- Investigation results and action center -- Secure Score - -In general, if you know of a specific threat name, CVE, or KB, you can identify devices with unpatched vulnerabilities that might be leveraged by threats. This report also helps you determine whether device-level mitigations are configured correctly on the devices and prioritize those that might need attention. - - -## Related topic -- [Create custom Power BI reports](api-power-bi.md) - - - - - diff --git a/windows/security/threat-protection/microsoft-defender-atp/preferences-setup.md b/windows/security/threat-protection/microsoft-defender-atp/preferences-setup.md index 586639ebc5..f5f432ad15 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/preferences-setup.md +++ b/windows/security/threat-protection/microsoft-defender-atp/preferences-setup.md @@ -19,6 +19,9 @@ ms.topic: article # Configure Microsoft Defender Security Center settings +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment.md b/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment.md index 8e62b93b44..1217b7de99 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment.md +++ b/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment.md 
@@ -21,6 +21,9 @@ ms.topic: article # Prepare Microsoft Defender ATP deployment +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) @@ -174,7 +177,7 @@ how the endpoint security suite should be enabled. |-----------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------| | Endpoint Detection & Response (EDR) | Microsoft Defender ATP endpoint detection and response capabilities provide advanced attack detections that are near real-time and actionable. Security analysts can prioritize alerts effectively, gain visibility into the full scope of a breach, and take response actions to remediate threats.
                        [Learn more.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-endpoint-detection-response) | 1 | |Threat & Vulnerability Management (TVM)|Threat & Vulnerability Management is a component of Microsoft Defender ATP, and provides both security administrators and security operations teams with unique value, including:
                        - Real-time endpoint detection and response (EDR) insights correlated with endpoint vulnerabilities
                        - Invaluable device vulnerability context during incident investigations
                        - Built-in remediation processes through Microsoft Intune and Microsoft System Center Configuration Manager
                        [Learn more](https://techcommunity.microsoft.com/t5/Windows-Defender-ATP/Introducing-a-risk-based-approach-to-threat-and-vulnerability/ba-p/377845).| 2 | -| Next Generation Protection (NGP) | Microsoft Defender Antivirus is a built-in antimalware solution that provides next generation protection for desktops, portable computers, and servers. Microsoft Defender Antivirus includes:
                        -Cloud-delivered protection for near-instant detection and blocking of new and emerging threats. Along with machine learning and the Intelligent Security Graph, cloud-delivered protection is part of the next-gen technologies that power Microsoft Defender Antivirus.
                        - Always-on scanning using advanced file and process behavior monitoring and other heuristics (also known as "real-time protection").
                        - Dedicated protection updates based on machine-learning, human and automated big-data analysis, and in-depth threat resistance research.
                        [Learn more](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10). |3 | +| Next-generation protection (NGP) | Microsoft Defender Antivirus is a built-in antimalware solution that provides next-generation protection for desktops, portable computers, and servers. Microsoft Defender Antivirus includes:
                        -Cloud-delivered protection for near-instant detection and blocking of new and emerging threats. Along with machine learning and the Intelligent Security Graph, cloud-delivered protection is part of the next-gen technologies that power Microsoft Defender Antivirus.
                        - Always-on scanning using advanced file and process behavior monitoring and other heuristics (also known as "real-time protection").
                        - Dedicated protection updates based on machine-learning, human and automated big-data analysis, and in-depth threat resistance research.
                        [Learn more](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10). |3 | | Attack Surface Reduction (ASR) | Attack surface reduction capabilities in Microsoft Defender ATP helps protect the devices and applications in the organization from new and emerging threats.
                        [Learn more.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction) | 4 | | Auto Investigation & Remediation (AIR) | Microsoft Defender ATP uses Automated investigations to significantly reduce the volume of alerts that need to be investigated individually. The Automated investigation feature leverages various inspection algorithms, and processes used by analysts (such as playbooks) to examine alerts and take immediate remediation action to resolve breaches. This significantly reduces alert volume, allowing security operations experts to focus on more sophisticated threats and other high value initiatives.
                        [Learn more.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection) | Not applicable | | Microsoft Threat Experts (MTE) | Microsoft Threat Experts is a managed hunting service that provides Security Operation Centers (SOCs) with expert level monitoring and analysis to help them ensure that critical threats in their unique environments don't get missed.
                        [Learn more.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/microsoft-threat-experts) | Not applicable | diff --git a/windows/security/threat-protection/microsoft-defender-atp/preview-settings.md b/windows/security/threat-protection/microsoft-defender-atp/preview-settings.md index 5aef332edd..f031b9edd9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/preview-settings.md +++ b/windows/security/threat-protection/microsoft-defender-atp/preview-settings.md @@ -18,6 +18,9 @@ ms.topic: article --- # Turn on the preview experience in Microsoft Defender ATP +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) @@ -37,5 +40,4 @@ Turn on the preview experience setting to be among the first to try upcoming fea - [Turn on advanced features in Microsoft Defender ATP](advanced-features.md) - [Configure email notifications in Microsoft Defender ATP](configure-email-notifications.md) - [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md) -- [Enable the custom threat intelligence API in Microsoft Defender ATP](enable-custom-ti.md) -- [Create and build Power BI reports](powerbi-reports.md) + diff --git a/windows/security/threat-protection/microsoft-defender-atp/preview.md b/windows/security/threat-protection/microsoft-defender-atp/preview.md index 2586120da8..3e747e8768 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/preview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/preview.md 
@@ -19,6 +19,9 @@ ms.topic: conceptual # Microsoft Defender ATP preview features +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) @@ -47,6 +50,7 @@ Turn on the preview experience setting to be among the first to try upcoming fea ## Preview features The following features are included in the preview release: +- [Microsoft Defender ATP for iOS](microsoft-defender-atp-ios.md)
                        Microsoft Defender ATP now adds support for iOS. Learn how to install, configure, and use Microsoft Defender ATP for iOS. - [Microsoft Defender ATP for Android](microsoft-defender-atp-android.md)
                        Microsoft Defender ATP now adds support for Android. Learn how to install, configure, and use Microsoft Defender ATP for Android. - [Threat & Vulnerability supported operating systems and platforms](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os)
                        Ensure that you meet the operating system or platform requisites for Threat & Vulnerability Management so the activities in your devices are properly accounted for. Threat & Vulnerability Management supports Windows 7, Windows 10 1607-1703, Windows 10 1709+, Windows Server 2008R2, Windows Server 2012R2, Windows Server 2016, Windows Server 2019.

                        Secure Configuration Assessment (SCA) supports Windows 10 1709+, Windows Server 2008R2, Windows Server 2012R2, Windows Server 2016, and Windows Server 2019. @@ -70,8 +74,6 @@ Information protection is an integral part of Microsoft 365 Enterprise suite, pr - [Onboard Windows Server 2019](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints#windows-server-version-1803-and-windows-server-2019)
                        Microsoft Defender ATP now adds support for Windows Server 2019. You'll be able to onboard Windows Server 2019 in the same method available for Windows 10 client devices. -- [Power BI reports using Microsoft Defender ATP data](powerbi-reports.md)
                        -Microsoft Defender ATP makes it easy to create a Power BI dashboard by providing an option straight from the portal. > [!TIP] > Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-preview-belowfoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md b/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md index dd1f0dfe6b..6e8ce89f59 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md +++ b/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md @@ -21,6 +21,9 @@ ms.topic: article # Set up Microsoft Defender ATP deployment +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md b/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md index fce90c63c2..38400901cd 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md +++ b/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md @@ -1,6 +1,6 @@ --- title: Pull Microsoft Defender ATP detections using REST API -description: Pull detections from Microsoft Defender ATP REST API. +description: Learn how call an Microsoft Defender ATP endpoint to pull detections in JSON format using the SIEM REST API. keywords: detections, pull detections, rest api, request, response search.product: eADQiWindows 10XVcnh search.appverid: met150 
@@ -19,6 +19,9 @@ ms.topic: article
 # Pull Microsoft Defender ATP detections using SIEM REST API
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
 **Applies to:**
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-event-hub.md b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-event-hub.md
index 82d8d9e9f6..8dfa3de26f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-event-hub.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-event-hub.md
@@ -19,6 +19,9 @@ ms.topic: article
 # Configure Microsoft Defender ATP to stream Advanced Hunting events to your Azure Event Hubs
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
 **Applies to:**
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-storage.md b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-storage.md
index 7ce30e67ff..136bd67acd 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-storage.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-storage.md
@@ -19,6 +19,9 @@ ms.topic: article
 # Configure Microsoft Defender ATP to stream Advanced Hunting events to your Storage account
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
 **Applies to:**
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export.md b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export.md
index 1aabe438b0..70e5354db8 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export.md
@@ -19,6 +19,9 @@ ms.topic: article
 # Raw Data Streaming API
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
 **Applies to:**
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/rbac.md b/windows/security/threat-protection/microsoft-defender-atp/rbac.md
index ed0050fd05..6b595daea4 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/rbac.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/rbac.md
@@ -18,6 +18,9 @@ ms.topic: article
 ---
 # Manage portal access using role-based access control
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
 **Applies to:**
 - Azure Active Directory
 - Office 365
@@ -72,4 +75,4 @@ Someone with a Microsoft Defender ATP Global administrator role has unrestricted
 ## Related topic
-- [Create and manage device groups in Microsoft Defender ATP](machine-groups.md)
\ No newline at end of file
+- [Create and manage device groups in Microsoft Defender ATP](machine-groups.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/recommendation.md b/windows/security/threat-protection/microsoft-defender-atp/recommendation.md
index 11d05369ee..c094ae5bec 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/recommendation.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/recommendation.md
@@ -1,59 +1,62 @@ ---- -title: Recommendation methods and properties -description: Retrieves top recent alerts. -keywords: apis, graph api, supported apis, get, alerts, recent -search.product: eADQiWindows 10XVcnh -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: dolmont -author: DulceMontemayor -ms.localizationpriority: medium -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: article ---- - -# Recommendation resource type - -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - -- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) - -[!include[Prerelease information](../../includes/prerelease.md)] - -## Methods -Method |Return Type |Description -:---|:---|:--- -[List all recommendations](get-all-recommendations.md) | Recommendation collection | Retrieves a list of all security recommendations affecting the organization -[Get recommendation by Id](get-recommendation-by-id.md) | Recommendation | Retrieves a security recommendation by its ID -[Get recommendation software](get-recommendation-software.md)| [Software](software.md) | Retrieves a security recommendation related to a specific software -[Get recommendation devices](get-recommendation-machines.md)|MachineRef collection | Retrieves a list of devices associated with the security recommendation -[Get recommendation vulnerabilities](get-recommendation-vulnerabilities.md) | [Vulnerability](vulnerability.md) collection | Retrieves a list of vulnerabilities associated with the security recommendation - - -## Properties -Property | Type | Description -:---|:---|:--- -id | String | Recommendation ID -productName | String | Related software name -recommendationName | String | Recommendation name -Weaknesses | Long | 
Number of discovered vulnerabilities -Vendor | String | Related vendor name -recommendedVersion | String | Recommended version -recommendationCategory | String | Recommendation category. Possible values are: "Accounts", "Application", "Network", "OS", "SecurityStack -subCategory | String | Recommendation sub-category -severityScore | Double | Potential impact of the configuration to the organization's Microsoft Secure Score for Devices (1-10) -publicExploit | Boolean | Public exploit is available -activeAlert | Boolean | Active alert is associated with this recommendation -associatedThreats | String collection | Threat analytics report is associated with this recommendation -remediationType | String | Remediation type. Possible values are: "ConfigurationChange","Update","Upgrade","Uninstall" -Status | Enum | Recommendation exception status. Possible values are: "Active" and "Exception" -configScoreImpact | Double | Microsoft Secure Score for Devices impact -exposureImpacte | Double | Exposure score impact -totalMachineCount | Long | Number of installed devices -exposedMachinesCount | Long | Number of installed devices that are exposed to vulnerabilities -nonProductivityImpactedAssets | Long | Number of devices which are not affected -relatedComponent | String | Related software component +--- +title: Recommendation methods and properties +description: Retrieves top recent alerts. 
+keywords: apis, graph api, supported apis, get, alerts, recent +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: dolmont +author: DulceMontemayor +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +--- + +# Recommendation resource type + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + +**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +[!include[Prerelease information](../../includes/prerelease.md)] + +## Methods +Method |Return Type |Description +:---|:---|:--- +[List all recommendations](get-all-recommendations.md) | Recommendation collection | Retrieves a list of all security recommendations affecting the organization +[Get recommendation by Id](get-recommendation-by-id.md) | Recommendation | Retrieves a security recommendation by its ID +[Get recommendation software](get-recommendation-software.md)| [Software](software.md) | Retrieves a security recommendation related to a specific software +[Get recommendation devices](get-recommendation-machines.md)|MachineRef collection | Retrieves a list of devices associated with the security recommendation +[Get recommendation vulnerabilities](get-recommendation-vulnerabilities.md) | [Vulnerability](vulnerability.md) collection | Retrieves a list of vulnerabilities associated with the security recommendation + + +## Properties +Property | Type | Description +:---|:---|:--- +id | String | Recommendation ID +productName | String | Related software name +recommendationName | String | Recommendation name +Weaknesses | Long | Number of discovered 
vulnerabilities +Vendor | String | Related vendor name +recommendedVersion | String | Recommended version +recommendationCategory | String | Recommendation category. Possible values are: "Accounts", "Application", "Network", "OS", "SecurityStack +subCategory | String | Recommendation sub-category +severityScore | Double | Potential impact of the configuration to the organization's Microsoft Secure Score for Devices (1-10) +publicExploit | Boolean | Public exploit is available +activeAlert | Boolean | Active alert is associated with this recommendation +associatedThreats | String collection | Threat analytics report is associated with this recommendation +remediationType | String | Remediation type. Possible values are: "ConfigurationChange","Update","Upgrade","Uninstall" +Status | Enum | Recommendation exception status. Possible values are: "Active" and "Exception" +configScoreImpact | Double | Microsoft Secure Score for Devices impact +exposureImpacte | Double | Exposure score impact +totalMachineCount | Long | Number of installed devices +exposedMachinesCount | Long | Number of installed devices that are exposed to vulnerabilities +nonProductivityImpactedAssets | Long | Number of devices which are not affected +relatedComponent | String | Related software component diff --git a/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md index 9f59dc9622..cad6f89bbe 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md @@ -19,6 +19,9 @@ ms.topic: article # Take response actions on a file +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts.md
index 6d56a12fd2..62ea654ded 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts.md
@@ -19,6 +19,9 @@ ms.topic: article
 # Take response actions on a device
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
 **Applies to:**
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
@@ -38,7 +41,7 @@ Response actions run along the top of a specific device page and include:
 - Consult a threat expert
 - Action center
-![Image of response actions](images/response-actions.png)
+[ ![Image of response actions](images/response-actions.png) ](images/response-actions.png#lightbox)
 You can find device pages from any of the following views:
@@ -65,11 +68,11 @@ For more information on automated investigations, see [Overview of Automated inv ## Initiate Live Response Session -Live response is a capability that gives you instantaneous access to a device using a remote shell connection. This gives you the power to do in-depth investigative work and take immediate response actions to promptly contain identified threats – real-time. +Live response is a capability that gives you instantaneous access to a device by using a remote shell connection. This gives you the power to do in-depth investigative work and take immediate response actions to promptly contain identified threats — real time. Live response is designed to enhance investigations by enabling you to collect forensic data, run scripts, send suspicious entities for analysis, remediate threats, and proactively hunt for emerging threats. -For more information on live response, see [Investigate entities on devices using live response](live-response.md) +For more information on live response, see [Investigate entities on devices using live response](live-response.md). ## Collect investigation package from devices @@ -95,17 +98,17 @@ The package contains the following folders: | Folder | Description | |:---|:---------| -|Autoruns | Contains a set of files that each represent the content of the registry of a known auto start entry point (ASEP) to help identify attacker’s persistency on the device.

                        NOTE: If the registry key is not found, the file will contain the following message: “ERROR: The system was unable to find the specified registry key or value.” | +|Autoruns | Contains a set of files that each represent the content of the registry of a known auto start entry point (ASEP) to help identify attacker’s persistency on the device.

                        NOTE: If the registry key is not found, the file will contain the following message: “ERROR: The system was unable to find the specified registry key or value.”
                        | |Installed programs | This .CSV file contains the list of installed programs that can help identify what is currently installed on the device. For more information, see [Win32_Product class](https://go.microsoft.com/fwlink/?linkid=841509). | -|Network connections | This folder contains a set of data points related to the connectivity information which can help in identifying connectivity to suspicious URLs, attacker’s command and control (C&C) infrastructure, any lateral movement, or remote connections.

                        - ActiveNetConnections.txt – Displays protocol statistics and current TCP/IP network connections. Provides the ability to look for suspicious connectivity made by a process.

                        - Arp.txt – Displays the current address resolution protocol (ARP) cache tables for all interfaces.

                        ARP cache can reveal additional hosts on a network that have been compromised or suspicious systems on the network that night have been used to run an internal attack.

                        - DnsCache.txt - Displays the contents of the DNS client resolver cache, which includes both entries preloaded from the local Hosts file and any recently obtained resource records for name queries resolved by the computer. This can help in identifying suspicious connections.

                        - IpConfig.txt – Displays the full TCP/IP configuration for all adapters. Adapters can represent physical interfaces, such as installed network adapters, or logical interfaces, such as dial-up connections.

                        - FirewallExecutionLog.txt and pfirewall.log | +|Network connections | This folder contains a set of data points related to the connectivity information which can help in identifying connectivity to suspicious URLs, attacker’s command and control (C&C) infrastructure, any lateral movement, or remote connections.

                        - ActiveNetConnections.txt – Displays protocol statistics and current TCP/IP network connections. Provides the ability to look for suspicious connectivity made by a process.

                        - Arp.txt – Displays the current address resolution protocol (ARP) cache tables for all interfaces.

                        ARP cache can reveal additional hosts on a network that have been compromised or suspicious systems on the network that might have been used to run an internal attack.

                        - DnsCache.txt - Displays the contents of the DNS client resolver cache, which includes both entries preloaded from the local Hosts file and any recently obtained resource records for name queries resolved by the computer. This can help in identifying suspicious connections.

                        - IpConfig.txt – Displays the full TCP/IP configuration for all adapters. Adapters can represent physical interfaces, such as installed network adapters, or logical interfaces, such as dial-up connections.

                        - FirewallExecutionLog.txt and pfirewall.log | | Prefetch files| Windows Prefetch files are designed to speed up the application startup process. It can be used to track all the files recently used in the system and find traces for applications that might have been deleted but can still be found in the prefetch file list.

                        - Prefetch folder – Contains a copy of the prefetch files from `%SystemRoot%\Prefetch`. NOTE: It is suggested to download a prefetch file viewer to view the prefetch files.

                        - PrefetchFilesList.txt – Contains the list of all the copied files which can be used to track if there were any copy failures to the prefetch folder. | -| Processes| Contains a .CSV file listing the running processes which provides the ability to identify current processes running on the device. This can be useful when identifying a suspicious process and its state. | -| Scheduled tasks| Contains a .CSV file listing the scheduled tasks which can be used to identify routines performed automatically on a chosen device to look for suspicious code which was set to run automatically. | -| Security event log| Contains the security event log which contains records of login or logout activity, or other security-related events specified by the system's audit policy.

                        NOTE: Open the event log file using Event viewer. | -| Services| Contains a .CSV file which lists services and their states. | -| Windows Server Message Block (SMB) sessions | Lists shared access to files, printers, and serial ports and miscellaneous communications between nodes on a network. This can help identify data exfiltration or lateral movement.

                        Contains files for SMBInboundSessions and SMBOutboundSession.

                        NOTE: If there are no sessions (inbound or outbound), you'll get a text file which tell you that there are no SMB sessions found. | +| Processes| Contains a .CSV file listing the running processes, which provides the ability to identify current processes running on the device. This can be useful when identifying a suspicious process and its state. | +| Scheduled tasks| Contains a .CSV file listing the scheduled tasks, which can be used to identify routines performed automatically on a chosen device to look for suspicious code which was set to run automatically. | +| Security event log| Contains the security event log, which contains records of login or logout activity, or other security-related events specified by the system's audit policy.

                        NOTE: Open the event log file using Event viewer.
                        | +| Services| Contains a .CSV file that lists services and their states. | +| Windows Server Message Block (SMB) sessions | Lists shared access to files, printers, and serial ports and miscellaneous communications between nodes on a network. This can help identify data exfiltration or lateral movement.

                        Contains files for SMBInboundSessions and SMBOutboundSession.

                        NOTE: If there are no sessions (inbound or outbound), you'll get a text file which tell you that there are no SMB sessions found.
                        | | System Information| Contains a SystemInformation.txt file which lists system information such as OS version and network cards. | -| Temp Directories| Contains a set of text files that lists the files located in %Temp% for every user in the system.

                        This can help to track suspicious files that an attacker may have dropped on the system.

                        NOTE: If the file contains the following message: “The system cannot find the path specified”, it means that there is no temp directory for this user, and might be because the user didn’t log in to the system. | +| Temp Directories| Contains a set of text files that lists the files located in %Temp% for every user in the system.

                        This can help to track suspicious files that an attacker may have dropped on the system.

                        NOTE: If the file contains the following message: “The system cannot find the path specified”, it means that there is no temp directory for this user, and might be because the user didn’t log in to the system.
                        | | Users and Groups| Provides a list of files that each represent a group and its members. | |WdSupportLogs| Provides the MpCmdRunLog.txt and MPSupportFiles.cab | | CollectionSummaryReport.xls| This file is a summary of the investigation package collection, it contains the list of data points, the command used to extract the data, the execution status, and the error code in case of failure. You can use this report to track if the package includes all the expected data and identify if there were any errors. | @@ -124,6 +127,11 @@ One you have selected **Run antivirus scan**, select the scan type that you'd li The Action center will show the scan information and the device timeline will include a new event, reflecting that a scan action was submitted on the device. Microsoft Defender AV alerts will reflect any detections that surfaced during the scan. +>[!NOTE] +>When triggering a scan using Microsoft Defender ATP response action, Microsoft Defender antivirus 'ScanAvgCPULoadFactor' value still applies and limits the CPU impact of the scan.
                        +>If ScanAvgCPULoadFactor is not configured, the default value is a limit of 50% maximum CPU load during a scan.
                        +>For more information, see [configure-advanced-scan-types-microsoft-defender-antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus). + ## Restrict app execution In addition to containing an attack by stopping malicious processes, you can also lock down a device and prevent subsequent attempts of potentially malicious programs from running. diff --git a/windows/security/threat-protection/microsoft-defender-atp/restrict-code-execution.md b/windows/security/threat-protection/microsoft-defender-atp/restrict-code-execution.md index c3c9a2b79a..f4b6552adb 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/restrict-code-execution.md +++ b/windows/security/threat-protection/microsoft-defender-atp/restrict-code-execution.md @@ -18,6 +18,9 @@ ms.topic: article # Restrict app execution API +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/review-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/review-alerts.md index 4efc0b82c2..b956165700 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/review-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/review-alerts.md 
@@ -18,6 +18,9 @@ ms.date: 5/1/2020 # Review alerts in Microsoft Defender Advanced Threat Protection +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) @@ -99,4 +102,4 @@ When making the move to the new alert page you will notice that we have centrali - [View and organize the incidents queue](view-incidents-queue.md) - [Investigate incidents](investigate-incidents.md) -- [Manage incidents](manage-incidents.md) \ No newline at end of file +- [Manage incidents](manage-incidents.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md index 00040ec11f..a902dc094d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md +++ b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md @@ -1,7 +1,7 @@ --- title: Advanced Hunting API ms.reviewer: -description: Use the Advanced hunting API to run advanced queries on Microsoft Defender Advanced Threat Protection +description: Learn to use the advanced hunting API to run advanced queries on Microsoft Defender Advanced Threat Protection. Find out about limitations and see an example. keywords: apis, supported apis, advanced hunting, query search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -19,6 +19,9 @@ ms.topic: article # Advanced hunting API +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
@@ -26,8 +29,9 @@ ms.topic: article ## Limitations 1. You can only run a query on data from the last 30 days. 2. The results will include a maximum of 100,000 rows. -3. The number of executions is limited per tenant: up to 15 calls per minute, 15 minutes of running time every hour and 4 hours of running time a day. +3. The number of executions is limited per tenant: up to 10 calls per minute, 10 minutes of running time every hour and 4 hours of running time a day. 4. The maximal execution time of a single request is 10 minutes. +5. 429 response will represent reaching quota limit either by number of requests or by CPU. The 429 response body will also indicate the time until the quota is renewed. ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-powershell.md b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-powershell.md index 87da20c0c1..00381d0550 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-powershell.md +++ b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-powershell.md @@ -18,6 +18,9 @@ ms.topic: article --- # Advanced Hunting using PowerShell + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-python.md b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-python.md index deacdfd079..282cc94d06 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-python.md 
+++ b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-python.md @@ -1,7 +1,7 @@ --- title: Advanced Hunting with Python API Guide ms.reviewer: -description: Learn the basics of querying the Microsoft Defender Advanced Threat Protection API, using Python. +description: Learn how to query using the Microsoft Defender Advanced Threat Protection API, by using Python, with examples. keywords: apis, supported apis, advanced hunting, query search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -19,6 +19,9 @@ ms.topic: article # Advanced Hunting using Python +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) @@ -146,4 +149,4 @@ outputFile.close() ## Related topic - [Microsoft Defender ATP APIs](apis-intro.md) - [Advanced Hunting API](run-advanced-query-api.md) -- [Advanced Hunting using PowerShell](run-advanced-query-sample-powershell.md) \ No newline at end of file +- [Advanced Hunting using PowerShell](run-advanced-query-sample-powershell.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-av-scan.md b/windows/security/threat-protection/microsoft-defender-atp/run-av-scan.md index cc7fc6a3ce..1219b9aa21 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/run-av-scan.md +++ b/windows/security/threat-protection/microsoft-defender-atp/run-av-scan.md @@ -18,6 +18,9 @@ ms.topic: article # Run antivirus scan API +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-detection-test.md b/windows/security/threat-protection/microsoft-defender-atp/run-detection-test.md index 0d98b91181..257fb9494d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/run-detection-test.md +++ b/windows/security/threat-protection/microsoft-defender-atp/run-detection-test.md @@ -19,6 +19,9 @@ ms.topic: article # Run a detection test on a newly onboarded Microsoft Defender ATP device +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - Supported Windows 10 versions - Windows Server 2012 R2 @@ -50,3 +53,4 @@ The Command Prompt window will close automatically. If successful, the detection ## Related topics - [Onboard Windows 10 devices](configure-endpoints.md) - [Onboard servers](configure-server-endpoints.md) +- [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding) diff --git a/windows/security/threat-protection/microsoft-defender-atp/score.md b/windows/security/threat-protection/microsoft-defender-atp/score.md index bc8b673887..edeeea026b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/score.md +++ b/windows/security/threat-protection/microsoft-defender-atp/score.md 
@@ -1,40 +1,44 @@
----
-title: Score methods and properties
-description: Retrieves your organization's exposure score, device secure score, and exposure score by device group
-keywords: apis, graph api, supported apis, score, exposure score, device secure score, exposure score by device group
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Score resource type
-
-**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-## Methods
-Method |Return Type |Description
-:---|:---|:---
-[Get exposure score](get-exposure-score.md) | [Score](score.md) | Get the organizational exposure score.
-[Get device secure score](get-device-secure-score.md) | [Score](score.md) | Get the organizational device secure score.
-[List exposure score by device group](get-machine-group-exposure-score.md)| [Score](score.md) | List scores by device group.
-
-
-## Properties
-Property | Type | Description
-:---|:---|:---
-Score | Double | The current score.
-Time | DateTime | The date and time in which the call for this API was made.
-RbacGroupName | String | The device group name.
+---
+title: Score methods and properties
+description: Retrieves your organization's exposure score, device secure score, and exposure score by device group
+keywords: apis, graph api, supported apis, score, exposure score, device secure score, exposure score by device group
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: ellevin
+author: levinec
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Score resource type
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
+**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+## Methods
+
+Method |Return Type |Description
+:---|:---|:---
+[Get exposure score](get-exposure-score.md) | [Score](score.md) | Get the organizational exposure score.
+[Get device secure score](get-device-secure-score.md) | [Score](score.md) | Get the organizational device secure score.
+[List exposure score by device group](get-machine-group-exposure-score.md)| [Score](score.md) | List scores by device group.
+
+## Properties
+
+Property | Type | Description
+:---|:---|:---
+Score | Double | The current score.
+Time | DateTime | The date and time in which the call for this API was made.
+RbacGroupName | String | The device group name.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard.md b/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard.md
index 1fdb856b5d..608a4bedcf 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard.md +++ b/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard.md @@ -19,6 +19,9 @@ ms.topic: conceptual # Microsoft Defender Security Center Security operations dashboard +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/microsoft-defender-atp/service-status.md b/windows/security/threat-protection/microsoft-defender-atp/service-status.md index 0caa79489b..b9325d8184 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/service-status.md +++ b/windows/security/threat-protection/microsoft-defender-atp/service-status.md @@ -19,6 +19,9 @@ ms.topic: article # Check the Microsoft Defender Advanced Threat Protection service health +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) 
@@ -26,7 +29,7 @@ ms.topic: article >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-servicestatus-abovefoldlink) -The **Service health** provides information on the current status of the Window Defender ATP service. You'll be able to verify that the service health is healthy or if there are current issues. If there are issues, you'll see details related to the issue such as when the issue was detected, what the preliminary root cause is, and the expected resolution time. +The **Service health** provides information on the current status of the Microsoft Defender ATP service. You'll be able to verify that the service health is healthy or if there are current issues. If there are issues, you'll see details related to the issue such as when the issue was detected, what the preliminary root cause is, and the expected resolution time. You'll also see information on historical issues that have been resolved and details such as the date and time when the issue was resolved. When there are no issues on the service, you'll see a healthy status. diff --git a/windows/security/threat-protection/microsoft-defender-atp/software.md b/windows/security/threat-protection/microsoft-defender-atp/software.md index 0853d1f0d8..514baa2899 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/software.md +++ b/windows/security/threat-protection/microsoft-defender-atp/software.md 
@@ -1,49 +1,52 @@
----
-title: Software methods and properties
-description: Retrieves top recent alerts.
-keywords: apis, graph api, supported apis, get, alerts, recent
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Software resource type
-
-**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-## Methods
-
-Method |Return Type |Description
-:---|:---|:---
-[List software](get-software.md) | Software collection | List the organizational software inventory.
-[Get software by Id](get-software-by-id.md) | Software | Get a specific software by its software ID.
-[List software version distribution](get-software-ver-distribution.md)| Distribution collection | List software version distribution by software ID.
-[List machines by software](get-machines-by-software.md)| MachineRef collection | Retrieve a list of devices that are associated with the software ID.
-[List vulnerabilities by software](get-vuln-by-software.md) | [Vulnerability](vulnerability.md) collection | Retrieve a list of vulnerabilities associated with the software ID.
-[Get missing KBs](get-missing-kbs-software.md) | KB collection | Get a list of missing KBs associated with the software ID
-
-## Properties
-
-Property | Type | Description
-:---|:---|:---
-id | String | Software ID
-Name | String | Software name
-Vendor | String | Software vendor name
-Weaknesses | Long | Number of discovered vulnerabilities
-publicExploit | Boolean | Public exploit exists for some of the vulnerabilities
-activeAlert | Boolean | Active alert is associated with this software
-exposedMachines | Long | Number of exposed devices
-impactScore | Double | Exposure score impact of this software
+---
+title: Software methods and properties
+description: Retrieves top recent alerts.
+keywords: apis, graph api, supported apis, get, alerts, recent
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Software resource type
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+
+**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+
+[!include[Prerelease information](../../includes/prerelease.md)]
+
+## Methods
+
+Method |Return Type |Description
+:---|:---|:---
+[List software](get-software.md) | Software collection | List the organizational software inventory.
+[Get software by Id](get-software-by-id.md) | Software | Get a specific software by its software ID.
+[List software version distribution](get-software-ver-distribution.md)| Distribution collection | List software version distribution by software ID.
+[List machines by software](get-machines-by-software.md)| MachineRef collection | Retrieve a list of devices that are associated with the software ID.
+[List vulnerabilities by software](get-vuln-by-software.md) | [Vulnerability](vulnerability.md) collection | Retrieve a list of vulnerabilities associated with the software ID.
+[Get missing KBs](get-missing-kbs-software.md) | KB collection | Get a list of missing KBs associated with the software ID
+
+## Properties
+
+Property | Type | Description
+:---|:---|:---
+id | String | Software ID
+Name | String | Software name
+Vendor | String | Software vendor name
+Weaknesses | Long | Number of discovered vulnerabilities
+publicExploit | Boolean | Public exploit exists for some of the vulnerabilities
+activeAlert | Boolean | Active alert is associated with this software
+exposedMachines | Long | Number of exposed devices
+impactScore | Double | Exposure score impact of this software
diff --git a/windows/security/threat-protection/microsoft-defender-atp/stop-and-quarantine-file.md b/windows/security/threat-protection/microsoft-defender-atp/stop-and-quarantine-file.md
index 2bdc3f389c..60c046ee70 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/stop-and-quarantine-file.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/stop-and-quarantine-file.md
@@ -1,6 +1,6 @@
 ---
 title: Stop and quarantine file API
-description: Use this API to stop and quarantine file.
+description: Learn how to stop running a file on a device and delete the file in Microsoft Defender Advanced Threat Protection. See an example.
 keywords: apis, graph api, supported apis, stop and quarantine file
 search.product: eADQiWindows 10XVcnh
 ms.prod: w10
@@ -18,6 +18,9 @@ ms.topic: article # Stop and quarantine file API +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/supported-response-apis.md b/windows/security/threat-protection/microsoft-defender-atp/supported-response-apis.md index 1858d780e2..2fa6615e6a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/supported-response-apis.md +++ b/windows/security/threat-protection/microsoft-defender-atp/supported-response-apis.md @@ -19,6 +19,9 @@ ms.topic: conceptual # Supported Microsoft Defender ATP query APIs +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-migration.md b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-migration.md index 9e26a9fef5..d836b3c2a9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-migration.md +++ b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-migration.md 
@@ -1,6 +1,6 @@ --- title: Migrate from Symantec to Microsoft Defender ATP -description: Make the switch from Symantec to Microsoft Defender ATP +description: Get an overview of how to make the switch from Symantec to Microsoft Defender ATP keywords: migration, windows defender advanced threat protection, atp, edr search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -17,11 +17,17 @@ ms.collection: - M365-security-compliance - m365solution-symantecmigrate - m365solution-overview -ms.topic: article +ms.topic: conceptual +ms.date: 09/04/2020 +ms.custom: migrationguides +ms.reviewer: depicker, yongrhee, chriggs --- # Migrate from Symantec to Microsoft Defender Advanced Threat Protection +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + If you are planning to switch from Symantec Endpoint Protection (Symantec) to [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection) (Microsoft Defender ATP), you're in the right place. Use this article as a guide to plan your migration. ## The migration process 
@@ -40,7 +46,7 @@ In this migration guide, we focus on [next-generation protection](https://docs.m | Feature/Capability | Description | |---|---| -| [Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt) | Threat & Vulnerability Management capabilities helps identify, assess, and remediate weaknesses across your endpoints (such as devices). | +| [Threat & vulnerability management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt) | Threat & vulnerability management capabilities help identify, assess, and remediate weaknesses across your endpoints (such as devices). | | [Attack surface reduction](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction) | Attack surface reduction rules help protect your organization's devices and applications from cyberthreats and attacks. | | [Next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) | Next-generation protection includes Microsoft Defender Antivirus to help block threats and malware. | | [Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) | Endpoint detection and response capabilities detect, investigate, and respond to intrusion attempts and active breaches. | diff --git a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-onboard.md b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-onboard.md index 6c7c329a2e..442d022d8e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-onboard.md 
+++ b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-onboard.md @@ -1,6 +1,6 @@ --- -title: Phase 3 - Onboard to Microsoft Defender ATP -description: Make the switch from Symantec to Microsoft Defender ATP +title: Symantec to Microsoft Defender ATP - Phase 3, Onboarding +description: This is Phase 3, Onboarding, of migrating from Symantec to Microsoft Defender ATP keywords: migration, windows defender advanced threat protection, atp, edr search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -17,10 +17,16 @@ ms.collection: - M365-security-compliance - m365solution-symantecmigrate ms.topic: article +ms.date: 09/04/2020 +ms.custom: migrationguides +ms.reviewer: depicker, yongrhee, chriggs --- # Migrate from Symantec - Phase 3: Onboard to Microsoft Defender ATP +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + |[![Phase 1: Prepare](images/prepare.png)](symantec-to-microsoft-defender-atp-prepare.md)
                        [Phase 1: Prepare](symantec-to-microsoft-defender-atp-prepare.md) |[![Phase 2: Set up](images/setup.png)](symantec-to-microsoft-defender-atp-setup.md)
                        [Phase 2: Set up](symantec-to-microsoft-defender-atp-setup.md) |![Phase 3: Onboard](images/onboard.png)
                        Phase 3: Onboard | |--|--|--| || |*You are here!* | diff --git a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-prepare.md b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-prepare.md index 2a678e94e4..6159c4adbd 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-prepare.md +++ b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-prepare.md @@ -1,6 +1,6 @@ --- -title: Phase 1 - Prepare for your migration to Microsoft Defender ATP -description: Phase 1 of "Make the switch from Symantec to Microsoft Defender ATP". Prepare for your migration. +title: Symantec to Microsoft Defender ATP - Phase 1, Preparing +description: This is Phase 1, Prepare, of migrating from Symantec to Microsoft Defender ATP. keywords: migration, windows defender advanced threat protection, atp, edr search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -17,10 +17,16 @@ ms.collection: - M365-security-compliance - m365solution-symantecmigrate ms.topic: article +ms.date: 09/04/2020 +ms.custom: migrationguides +ms.reviewer: depicker, yongrhee, chriggs --- # Migrate from Symantec - Phase 1: Prepare for your migration +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + |![Phase 1: Prepare](images/prepare.png)
                        Phase 1: Prepare |[![Phase 2: Set up](images/setup.png)](symantec-to-microsoft-defender-atp-setup.md)
                        [Phase 2: Set up](symantec-to-microsoft-defender-atp-setup.md) |[![Phase 3: Onboard](images/onboard.png)](symantec-to-microsoft-defender-atp-onboard.md)
                        [Phase 3: Onboard](symantec-to-microsoft-defender-atp-onboard.md) | |--|--|--| |*You are here!*| | | diff --git a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md index 692c6a9e61..c0601a22de 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md +++ b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md @@ -1,6 +1,6 @@ --- -title: Phase 2 - Set up Microsoft Defender ATP -description: Phase 2 - Set up Microsoft Defender ATP +title: Symantec to Microsoft Defender ATP - Phase 2, Setting Up +description: This is Phase 2, Setup, of migrating from Symantec to Microsoft Defender ATP keywords: migration, windows defender advanced threat protection, atp, edr search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -17,10 +17,16 @@ ms.collection: - M365-security-compliance - m365solution-symantecmigrate ms.topic: article +ms.date: 09/04/2020 +ms.custom: migrationguides +ms.reviewer: depicker, yongrhee, chriggs --- # Migrate from Symantec - Phase 2: Set up Microsoft Defender ATP +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + |[![Phase 1: Prepare](images/prepare.png)](symantec-to-microsoft-defender-atp-prepare.md)
                        [Phase 1: Prepare](symantec-to-microsoft-defender-atp-prepare.md) |![Phase 2: Set up](images/setup.png)
                        Phase 2: Set up |[![Phase 3: Onboard](images/onboard.png)](symantec-to-microsoft-defender-atp-onboard.md)
                        [Phase 3: Onboard](symantec-to-microsoft-defender-atp-onboard.md) | |--|--|--| ||*You are here!* | | @@ -102,7 +108,7 @@ Microsoft Defender Antivirus can run alongside Symantec if you set Microsoft Def |Method |What to do | |---------|---------| |Command Prompt |1. On a Windows device, open Command Prompt as an administrator.

                        2. Type `sc query windefend`, and then press Enter.

                        3. Review the results to confirm that Microsoft Defender Antivirus is running in passive mode. | -|PowerShell |1. On a Windows device, open Windows PowerShell as an administrator.

                        2. Run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/Get-MpComputerStatus?view=win10-ps) cmdlet.

                        3. In the list of results, look for **AntivirusEnabled: True**. | +|PowerShell |1. On a Windows device, open Windows PowerShell as an administrator.

                        2. Run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/Get-MpComputerStatus) cmdlet.

                        3. In the list of results, look for **AntivirusEnabled: True**. | > [!NOTE] > You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows. @@ -120,6 +126,9 @@ This step of the setup process involves adding Microsoft Defender ATP to the exc During this step of the setup process, you add Symantec and your other security solutions to the Microsoft Defender Antivirus exclusion list. +> [!NOTE] +> To get an idea of which processes and services to exclude, see Broadcom's [Processes and services used by Endpoint Protection 14](https://knowledge.broadcom.com/external/article/170706/processes-and-services-used-by-endpoint.html). + When you add [exclusions to Microsoft Defender Antivirus scans](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus), you should add path and process exclusions. Keep the following points in mind: - Path exclusions exclude specific files and whatever those files access. - Process exclusions exclude whatever a process touches, but does not exclude the process itself. diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-analytics.md b/windows/security/threat-protection/microsoft-defender-atp/threat-analytics.md index 421805849d..caf55924e5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/threat-analytics.md +++ b/windows/security/threat-protection/microsoft-defender-atp/threat-analytics.md 
@@ -19,52 +19,90 @@ ms.topic: article --- # Track and respond to emerging threats with threat analytics + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -Cyberthreats are emerging more frequently and prevalently. It is critical for organizations to quickly assess their security posture, covering the impact of emerging threats and their organizational resilience. +With more sophisticated adversaries and new threats emerging frequently and prevalently, it's critical to be able to quickly: -Threat analytics is a set of reports published by Microsoft security researchers as soon as emerging threats and outbreaks are identified. The reports help you assess the impact of threats to your environment and identify actions that can contain them. +- Assess the impact of new threats +- Review your resilience against or exposure to the threats +- Identify the actions you can take to stop or contain the threats -Watch this short video to quickly understand how threat analytics can help you track the latest threats and stop them. +Threat analytics is a set of reports from expert Microsoft security researchers covering the most relevant threats, including: + +- Active threat actors and their campaigns +- Popular and new attack techniques +- Critical vulnerabilities +- Common attack surfaces +- Prevalent malware + +Each report provides a detailed analysis of a threat and extensive guidance on how to defend against the threat. It also incorporates data from your network, indicating whether the threat is active and if you have applicable security updates and recommended settings in place. + +Watch this short video to learn more about how threat analytics can help you track the latest threats and stop them.

                        > [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4bw1f] ## View the threat analytics dashboard -The threat analytics dashboard is a great jump off point for getting to the reports that are most relevant to your organization. It provides several overviews about the threats covered in the reports: +The threat analytics dashboard is a great jump off point for getting to the reports that are most relevant to your organization. It summarizes the threats in the following sections: -- **Latest threats** — lists the most recently published threat reports, along with the number of devices with resolved and unresolved alerts. -- **High-impact threats** — lists the threats that have had the highest impact on the organization in terms of the number of devices that have had related alerts, along with the number of devices with resolved and unresolved alerts. -- **Threat summary** — shows the number of threats among the threats reported in threat analytics with actual alerts. +- **Latest threats**—lists the most recently published threat reports, along with the number of devices with active and resolved alerts. +- **High-impact threats**—lists the threats that have had the highest impact to the organization. This section ranks threats by the number of devices that have active alerts. +- **Threat summary**—shows the overall impact of all the threats reported in threat analytics by showing the number of threats with active and resolved alerts. + +Select a threat from the dashboard to view the report for that threat. ![Image of a threat analytics dashboard](images/ta_dashboard.png) -Select a threat from any of the overviews or from the table to view the report for that threat. - ## View a threat analytics report -Each threat report generally provides an overview of the threat and an analysis of the techniques and tools used by the threat. It also provides mitigation recommendations and detection information. 
It includes several cards that show dynamic data about how your organization is impacted by the threat and how prepared it is to stop the threat. +Each threat analytics report provides information in three sections: **Overview**, **Analyst report**, and **Mitigations**. -![Image of a threat analytics report](images/ta.png) +### Quickly understand a threat and assess its impact to your network in the overview -### Organizational impact -Each report includes cards designed to provide information about the organizational impact of a threat: -- **Devices with alerts** — shows the current number of distinct devices that have been impacted by the threat. A device is categorized as **Active** if there is at least one alert associated with that threat and **Resolved** if *all* alerts associated with the threat on the device have been resolved. -- **Devices with alerts over time** — shows the number of distinct devices with **Active** and **Resolved** alerts over time. The number of resolved alerts indicates how quickly your organization responds to alerts associated with a threat. Ideally, the chart should be showing alerts resolved within a few days. +The **Overview** section provides a preview of the detailed analyst report. It also provides charts that highlight the impact of the threat to your organization and your exposure through misconfigured and unpatched devices. -### Organizational resilience -Each report also includes cards that provide an overview of how resilient your organization can be against a given threat: -- **Security configuration status** — shows the number of devices that have applied the recommended security settings that can help mitigate the threat. Devices are considered **Secure** if they have applied _all_ the tracked settings. -- **Vulnerability patching status** — shows the number of devices that have applied security updates or patches that address vulnerabilities exploited by the threat. 
-- **Mitigation details** — lists specific actionable recommendations that can help you increase your organizational resilience. This card lists tracked mitigations, including recommended settings and vulnerability patches, along with the number of devices that don't have the mitigations in place. +![Image of the overview section of a threat analytics report](images/ta-overview.png) +_Overview section of a threat analytics report_ -### Additional report details and limitations +#### Organizational impact +Each report includes charts designed to provide information about the organizational impact of a threat: +- **Devices with alerts**—shows the current number of distinct devices that have been impacted by the threat. A device is categorized as **Active** if there is at least one alert associated with that threat and **Resolved** if *all* alerts associated with the threat on the device have been resolved. +- **Devices with alerts over time**—shows the number of distinct devices with **Active** and **Resolved** alerts over time. The number of resolved alerts indicates how quickly your organization responds to alerts associated with a threat. Ideally, the chart should be showing alerts resolved within a few days. + +#### Organizational resilience and exposure +Each report includes charts that provide an overview of how resilient your organization is against a given threat: +- **Security configuration status**—shows the number of devices that have applied the recommended security settings that can help mitigate the threat. Devices are considered **Secure** if they have applied _all_ the tracked settings. +- **Vulnerability patching status**—shows the number of devices that have applied security updates or patches that address vulnerabilities exploited by the threat. + +### Get expert insight from the analyst report +Go to the **Analyst report** section to read through the detailed expert write-up. 
Most reports provide detailed descriptions of attack chains, including tactics and techniques mapped to the MITRE ATT&CK framework, exhaustive lists of recommendations, and powerful [threat hunting](advanced-hunting-overview.md) guidance. + +![Image of the analyst report section of a threat analytics report](images/ta-analyst-report.png) +_Analyst report section of a threat analytics report_ + +### Review list of mitigations and the status of your devices +In the **Mitigations** section, review the list of specific actionable recommendations that can help you increase your organizational resilience against the threat. The list of tracked mitigations includes recommended settings and vulnerability patches. It also shows the number of devices that don't have these mitigations in place. + +Mitigation information in this section incorporates data from [threat and vulnerability management](next-gen-threat-and-vuln-mgt.md), which also provides detailed drill-down information from various links in the report. + +![Image of the mitigations section of a threat analytics report](images/ta-mitigations.png) +_Mitigations section of a threat analytics report_ + + +## Additional report details and limitations When using the reports, keep the following in mind: -- Data is scoped based on your RBAC permissions. You will only see the status of devices that you have been granted access to on the RBAC. -- Charts reflect only mitigations that are tracked. Check the report overview for additional mitigations that are not reflected in the charts. +- Data is scoped based on your role-based access control (RBAC) scope. You will see the status of devices in [groups that you can access](machine-groups.md). +- Charts reflect only mitigations that are tracked. Check the report overview for additional mitigations that are not shown in the charts. - Mitigations don't guarantee complete resilience. The provided mitigations reflect the best possible actions needed to improve resiliency. 
-- Devices are counted as "unavailable" if they have been unable to transmit data to the service. -- Antivirus related statistics are based on Microsoft Defender Antivirus settings. Devices with third-party antivirus solutions can appear as "exposed". +- Devices are counted as "unavailable" if they have not transmitted data to the service. +- Antivirus-related statistics are based on Microsoft Defender Antivirus settings. Devices with third-party antivirus solutions can appear as "exposed". + +## Related topics +- [Proactively find threats with advanced hunting](advanced-hunting-overview.md) +- [Assess and resolve security weaknesses and exposures](next-gen-threat-and-vuln-mgt.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-event-timeline.md b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-event-timeline.md index c470a3566b..3ad5cff1e5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-event-timeline.md +++ b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-event-timeline.md @@ -18,6 +18,9 @@ ms.topic: conceptual --- # Event timeline - threat and vulnerability management +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md index 87bf456ec8..9e981319a8 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md +++ b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md 
@@ -19,6 +19,9 @@ ms.topic: article # Scenarios - threat and vulnerability management +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-indicator-concepts.md b/windows/security/threat-protection/microsoft-defender-atp/threat-indicator-concepts.md index 4f2f261f8a..a4691bc3cc 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/threat-indicator-concepts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/threat-indicator-concepts.md @@ -19,6 +19,9 @@ ms.topic: conceptual # Understand threat intelligence concepts +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-protection-integration.md b/windows/security/threat-protection/microsoft-defender-atp/threat-protection-integration.md index 47a3571c4e..a8d1540ac2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/threat-protection-integration.md +++ b/windows/security/threat-protection/microsoft-defender-atp/threat-protection-integration.md 
@@ -1,7 +1,7 @@ --- title: Integrate Microsoft Defender ATP with other Microsoft solutions ms.reviewer: -description: Learn how Microsoft Defender ATP integrations with other Microsoft solutions +description: Learn how Microsoft Defender ATP integrates with other Microsoft solutions, including Azure Advanced Threat Protection and Azure Security Center. keywords: microsoft threat protection, conditional access, office, advanced threat protection, azure atp, azure security center, microsoft cloud app security search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -20,6 +20,9 @@ ms.topic: conceptual # Microsoft Defender ATP and other Microsoft solutions +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) @@ -63,4 +66,4 @@ The Skype for Business integration provides a way for analysts to communicate wi - [Configure integration and other advanced features](advanced-features.md) - [Microsoft Threat Protection overview](https://docs.microsoft.com/microsoft-365/security/mtp/microsoft-threat-protection) - [Turn on Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/mtp-enable) -- [Protect users, data, and devices with Conditional Access](conditional-access.md) \ No newline at end of file +- [Protect users, data, and devices with Conditional Access](conditional-access.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-protection-reports.md b/windows/security/threat-protection/microsoft-defender-atp/threat-protection-reports.md index de32213341..3fff8e808b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/threat-protection-reports.md +++ b/windows/security/threat-protection/microsoft-defender-atp/threat-protection-reports.md 
@@ -19,6 +19,9 @@ ms.topic: article # Threat protection report in Microsoft Defender ATP +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) @@ -85,4 +88,4 @@ For example, to show data about high-severity alerts only: 3. Select **Apply**. ## Related topic -- [Device health and compliance report](machine-reports.md) \ No newline at end of file +- [Device health and compliance report](machine-reports.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/ti-indicator.md b/windows/security/threat-protection/microsoft-defender-atp/ti-indicator.md index 9c418be987..039703000c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/ti-indicator.md +++ b/windows/security/threat-protection/microsoft-defender-atp/ti-indicator.md @@ -18,6 +18,9 @@ ms.topic: article # Indicator resource type +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) @@ -75,4 +78,4 @@ rbacGroupNames | List of strings | RBAC device group names where the indicator i "lastUpdatedBy": null, "rbacGroupNames": ["team1"] } -``` \ No newline at end of file +``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/time-settings.md b/windows/security/threat-protection/microsoft-defender-atp/time-settings.md index 76487204a2..c2362f07ac 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/time-settings.md +++ b/windows/security/threat-protection/microsoft-defender-atp/time-settings.md 
@@ -19,6 +19,9 @@ ms.topic: article # Microsoft Defender Security Center time zone settings +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md index 8f87ff3707..ba95b235f8 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md @@ -7,7 +7,6 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium audience: ITPro author: denisebmsft @@ -20,6 +19,9 @@ ms.custom: asr # Troubleshoot attack surface reduction rules +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** * [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-exploit-protection-mitigations.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-exploit-protection-mitigations.md index 882df03a74..2773899fc2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-exploit-protection-mitigations.md +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-exploit-protection-mitigations.md 
@@ -1,9 +1,8 @@ --- title: Troubleshoot exploit protection mitigations keywords: Exploit protection, mitigations, troubleshoot, import, export, configure, emet, convert, conversion, deploy, install -description: Remove unwanted Exploit protection mitigations. +description: Learn how to deal with unwanted mitigations in Windows Security, including a process to remove all mitigations and import a baseline configuration file instead. search.product: eADQiWindows 10XVcnh -ms.pagetype: security ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library @@ -19,6 +18,9 @@ manager: dansimp # Troubleshoot exploit protection mitigations +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** * [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) @@ -197,7 +199,6 @@ If you haven’t already, it's a good idea to download and use the [Windows Secu ## Related topics * [Protect devices from exploits](exploit-protection.md) -* [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection.md) * [Evaluate exploit protection](evaluate-exploit-protection.md) * [Enable exploit protection](enable-exploit-protection.md) * [Configure and audit exploit protection mitigations](customize-exploit-protection.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-live-response.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-live-response.md index b993541266..db3f3bee81 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-live-response.md +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-live-response.md 
@@ -19,6 +19,9 @@ ms.topic: troubleshooting # Troubleshoot Microsoft Defender Advanced Threat Protection live response issues +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-mdatp.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-mdatp.md index 9c1e48b7e4..e044d0457b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-mdatp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-mdatp.md @@ -19,6 +19,9 @@ ms.topic: troubleshooting # Troubleshoot service issues +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + This section addresses issues that might arise as you use the Microsoft Defender Advanced Threat service. ## Server error - Access is denied due to invalid credentials diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md index b435c4b723..f925f8ec6f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md @@ -3,7 +3,6 @@ title: Troubleshoot problems with Network protection description: Resources and sample code to troubleshoot issues with Network protection in Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP). keywords: troubleshoot, error, fix, windows defender eg, asr, rules, hips, troubleshoot, audit, exclusion, false positive, broken, blocking, microsoft defender atp, microsoft defender advanced threat protection search.product: eADQiWindows 10XVcnh -ms.pagetype: security ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library 
@@ -19,6 +18,9 @@ manager: dansimp # Troubleshoot network protection +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** * [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding-error-messages.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding-error-messages.md index 11ac7f37c9..42a3ad5d0b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding-error-messages.md +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding-error-messages.md @@ -19,6 +19,9 @@ ms.topic: troubleshooting # Troubleshoot subscription and portal access issues +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md index 2e1d1f2adb..d55165aaae 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md @@ -19,6 +19,9 @@ ms.topic: troubleshooting # Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-siem.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-siem.md index cc0b92af10..0ac32a5707 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-siem.md +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-siem.md @@ -19,6 +19,9 @@ ms.topic: troubleshooting # Troubleshoot SIEM tool integration issues +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md index 8c35924c4f..00d85e1d60 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md @@ -18,6 +18,9 @@ ms.topic: conceptual --- # Threat and vulnerability management dashboard insights +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) 
@@ -55,9 +58,9 @@ You can navigate through the portal using the menu options available in all sect Area | Description :---|:--- **Dashboard** | Get a high-level view of the organization exposure score, Microsoft Secure Score for Devices, device exposure distribution, top security recommendations, top vulnerable software, top remediation activities, and top exposed device data. -[**Security recommendations**](tvm-remediation.md) | See the list of security recommendations, their related components, whether software or software versions in your network have reached end-of-support, insights, number or exposed devices, impact, and request for remediation. When you select an item from the list, a flyout panel opens with vulnerability details, a link to open the software page, and remediation and exception options. You can also open a ticket in Intune if your devices are joined through Azure Active Directory and you have enabled your Intune connections in Microsoft Defender ATP. +[**Security recommendations**](tvm-security-recommendation.md) | See the list of security recommendations, their related components, whether software or software versions in your network have reached end-of-support, insights, number or exposed devices, impact, and request for remediation. When you select an item from the list, a flyout panel opens with vulnerability details, a link to open the software page, and remediation and exception options. You can also open a ticket in Intune if your devices are joined through Azure Active Directory and you've enabled your Intune connections in Microsoft Defender ATP. [**Remediation**](tvm-remediation.md) | See the remediation activity, related component, remediation type, status, due date, option to export the remediation and process data to CSV, and active exceptions. 
-[**Software inventory**](tvm-software-inventory.md) | See the list of software, versions, weaknesses, whether there's an exploit found on the software, whether the software or software version has reached end-of-support, prevalence in the organization, how many were installed, how many exposed devices there are, and the numerical value of the impact. You can select each item in the list and opt to open the software page that shows the associated vulnerabilities, misconfigurations, affected device, version distribution details, and missing KBs or security updates. +[**Software inventory**](tvm-software-inventory.md) | See the list of software, versions, weaknesses, whether there's an exploit found on the software, whether the software or software version has reached end-of-support, prevalence in the organization, how many were installed, how many exposed devices there are, and the numerical value of the impact. You can select each item in the list and opt to open the software page that shows the associated vulnerabilities, misconfigurations, affected device, version distribution details, and missing KBs (security updates). [**Weaknesses**](tvm-weaknesses.md) | See the list of common vulnerabilities and exposures, the severity, the common vulnerability scoring system (CVSS) V3 score, related software, age, when it was published, related threat alerts, and how many exposed devices there are. You can select each item in the list to see a flyout panel with the vulnerability description and other details. ## Threat and vulnerability management dashboard 
@@ -68,12 +71,12 @@ Area | Description [**Exposure score**](tvm-exposure-score.md) | See the current state of your organization's device exposure to threats and vulnerabilities. Several factors affect your organization's exposure score: weaknesses discovered in your devices, likelihood of your devices to be breached, value of the devices to your organization, and relevant alerts discovered with your devices. The goal is to lower the exposure score of your organization to be more secure. To reduce the score, you need to remediate the related security configuration issues listed in the security recommendations. [**Microsoft Secure Score for Devices**](tvm-microsoft-secure-score-devices.md) | See the security posture of the operating system, applications, network, accounts, and security controls of your organization. The goal is to remediate the related security configuration issues to increase your score for devices. Selecting the bars will take you to the **Security recommendation** page. **Device exposure distribution** | See how many devices are exposed based on their exposure level. Select a section in the doughnut chart to go to the **Devices list** page and view the affected device names, exposure level, risk level, and other details such as domain, operating system platform, its health state, when it was last seen, and its tags. -**Top security recommendations** | See the collated security recommendations which are sorted and prioritized based on your organization's risk exposure and the urgency that it requires. Select **Show more** to see the rest of the security recommendations in the list or **Show exceptions** for the list of recommendations that have an exception. +**Top security recommendations** | See the collated security recommendations that are sorted and prioritized based on your organization's risk exposure and the urgency that it requires. Select **Show more** to see the rest of the security recommendations in the list. 
Select **Show exceptions** for the list of recommendations that have an exception. **Top vulnerable software** | Get real-time visibility into your organization's software inventory with a stack-ranked list of vulnerable software installed on your network's devices and how they impact your organizational exposure score. Select an item for details or **Show more** to see the rest of the vulnerable software list in the **Software inventory** page. **Top remediation activities** | Track the remediation activities generated from the security recommendations. You can select each item on the list to see the details in the **Remediation** page or select **Show more** to view the rest of the remediation activities, and active exceptions. **Top exposed devices** | View exposed device names and their exposure level. Select a device name from the list to go to the device page where you can view the alerts, risks, incidents, security recommendations, installed software, and discovered vulnerabilities associated with the exposed devices. Select **Show more** to see the rest of the exposed devices list. From the devices list, you can manage tags, initiate automated investigations, initiate a live response session, collect an investigation package, run antivirus scan, restrict app execution, and isolate device. -See [Microsoft Defender ATP icons](portal-overview.md#microsoft-defender-atp-icons) for more information on the icons used throughout the portal. +For more information on the icons used throughout the portal, see [Microsoft Defender ATP icons](portal-overview.md#microsoft-defender-atp-icons). ## Related topics diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md index 19805c1e0b..28da6b8c57 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md 
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md @@ -18,6 +18,9 @@ ms.topic: conceptual --- # Exposure score - threat and vulnerability management +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) @@ -30,7 +33,7 @@ Your exposure score is visible in the [Threat and vulnerability management dashb - Detect and respond to areas that require investigation or action to improve the current state. - Communicate with peers and management about the impact of security efforts. -The card gives you a high-level view of your exposure score trend over time. Any spikes in the chart gives you a visual indication of a high cybersecurity threat exposure that you can investigate further. +The card gives you a high-level view of your exposure score trend over time. Any spikes in the chart give you a visual indication of a high cybersecurity threat exposure that you can investigate further. ![Exposure score card](images/tvm_exp_score.png) @@ -38,7 +41,7 @@ The card gives you a high-level view of your exposure score trend over time. Any Threat and vulnerability management introduces a new exposure score metric, which visually represents how exposed your devices are to imminent threats. -The exposure score is continuously calculated on each device in the organization and influenced by the following factors: +The exposure score is continuously calculated on each device in the organization. It is influenced by the following factors: - Weaknesses, such as vulnerabilities discovered on the device - External and internal threats such as public exploit code and security alerts 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-microsoft-secure-score-devices.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-microsoft-secure-score-devices.md index 83e5537bff..ad687089f9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-microsoft-secure-score-devices.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-microsoft-secure-score-devices.md @@ -1,6 +1,6 @@ --- title: Overview of Microsoft Secure Score for Devices in Microsoft Defender Security Center -description: Your score for devices shows the collective security configuration state of your devices across application, operating system, network, accounts, and security controls +description: Your score for devices shows the collective security configuration state of your devices across application, operating system, network, accounts, and security controls. keywords: Microsoft Secure Score for Devices, mdatp Microsoft Secure Score for Devices, secure score, configuration score, threat and vulnerability management, security controls, improvement opportunities, security configuration score over time, security posture, baseline search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -18,6 +18,9 @@ ms.topic: conceptual --- # Microsoft Secure Score for Devices +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) 
@@ -35,12 +38,24 @@ Your score for devices is visible in the [threat and vulnerability management da Select a category to go to the [**Security recommendations**](tvm-security-recommendation.md) page and view the relevant recommendations. +## Turn on the Microsoft Secure Score connector + +Forward Microsoft Defender ATP signals, giving Microsoft Secure Score visibility into the device security posture. Forwarded data is stored and processed in the same location as your Microsoft Secure Score data. + +Changes might take up to a few hours to reflect in the dashboard. + +1. In the navigation pane, go to **Settings** > **Advanced features** + +2. Scroll down to **Microsoft Secure Score** and toggle the setting to **On**. + +3. Select **Save preferences**. + ## How it works >[!NOTE] > Microsoft Secure Score for Devices currently supports configurations set via Group Policy. Due to the current partial Intune support, configurations which might have been set through Intune might show up as misconfigured. Contact your IT Administrator to verify the actual configuration status in case your organization is using Intune for secure configuration management. -The data in the Microsoft Secure Score for Devices card is the product of meticulous and ongoing vulnerability discovery process aggregated with configuration discovery assessments that continuously: +The data in the Microsoft Secure Score for Devices card is the product of meticulous and ongoing vulnerability discovery process. It is aggregated with configuration discovery assessments that continuously: - Compare collected configurations to the collected benchmarks to discover misconfigured assets - Map configurations to vulnerabilities that can be remediated or partially remediated (risk reduction) 
@@ -49,9 +64,9 @@ The data in the Microsoft Secure Score for Devices card is the product of meticu ## Improve your security configuration -You can improve your security configuration when you remediate issues from the security recommendations list. As you do so, your Microsoft Secure Score for Devices improves, which means your organization becomes more resilient against cybersecurity threats and vulnerabilities. +Improve your security configuration by remediating issues from the security recommendations list. As you do so, your Microsoft Secure Score for Devices improves and your organization becomes more resilient against cybersecurity threats and vulnerabilities. -1. From the Microsoft Secure Score for Devices card in the threat and vulnerability management dashboard, select the one of the categories to view the list of recommendations related to that category. It will take you to the [**Security recommendations**](tvm-security-recommendation.md) page. If you want to see all security recommendations, once you get to the Security recommendations page, clear the search field. +1. From the Microsoft Secure Score for Devices card in the threat and vulnerability management dashboard, select the one of the categories. You'll view the list of recommendations related to that category. It will take you to the [**Security recommendations**](tvm-security-recommendation.md) page. If you want to see all security recommendations, once you get to the Security recommendations page, clear the search field. 2. Select an item on the list. The flyout panel will open with details related to the recommendation. Select **Remediation options**. 
@@ -59,15 +74,15 @@ You can improve your security configuration when you remediate issues from the s 3. Read the description to understand the context of the issue and what to do next. Select a due date, add notes, and select **Export all remediation activity data to CSV** so you can attach it to an email for follow-up. -4. **Submit request**. You will see a confirmation message that the remediation task has been created. +4. **Submit request**. You'll see a confirmation message that the remediation task has been created. ![Remediation task creation confirmation](images/tvm_remediation_task_created.png) 5. Save your CSV file. ![Save csv file](images/tvm_save_csv_file.png) -6. Send a follow-up email to your IT Administrator and allow the time that you have allotted for the remediation to propagate in the system. +6. Send a follow-up email to your IT Administrator and allow the time that you've allotted for the remediation to propagate in the system. -7. Review the **Microsoft Secure Score for Devices** card again on the dashboard. The number of security controls recommendations will decrease. When you select **Security controls** to go back to the **Security recommendations** page, the item that you have addressed will not be listed there anymore, and your Microsoft Secure Score for Devices should increase. +7. Review the **Microsoft Secure Score for Devices** card again on the dashboard. The number of security controls recommendations will decrease. When you select **Security controls** to go back to the **Security recommendations** page, the item that you've addressed won't be listed there anymore. Your Microsoft Secure Score for Devices should increase. >[!IMPORTANT] >To boost your vulnerability assessment detection rates, download the following mandatory security updates and deploy them in your network: 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md index a94e2b07c4..3a45c885e5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md @@ -18,6 +18,9 @@ ms.topic: conceptual --- # Remediation activities and exceptions - threat and vulnerability management +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) @@ -26,7 +29,7 @@ ms.topic: conceptual >[!NOTE] >To use this capability, enable your Microsoft Intune connections. Navigate to **Settings** > **General** > **Advanced features**. Scroll down and look for **Microsoft Intune connection**. By default, the toggle is turned off. Turn your **Microsoft Intune connection** toggle on. -After your organization's cybersecurity weaknesses are identified and mapped to actionable [security recommendations](tvm-security-recommendation.md), start creating security tasks through the integration with Microsoft Intune where remediation tickets are created. +After your organization's cybersecurity weaknesses are identified and mapped to actionable [security recommendations](tvm-security-recommendation.md), start creating security tasks. You can create tasks through the integration with Microsoft Intune where remediation tickets are created. Lower your organization's exposure from vulnerabilities and increase your security configuration by remediating the security recommendations. 
@@ -39,7 +42,7 @@ You can access the Remediation page a few different ways: ### Navigation menu -Go to the threat and vulnerability management navigation menu and select **Remediation** to open up the list of remediation activities and exceptions found in your organization. +Go to the threat and vulnerability management navigation menu and select **Remediation**. It will open the list of remediation activities and exceptions found in your organization. ### Top remediation activities in the dashboard @@ -49,7 +52,7 @@ View **Top remediation activities** in the [threat and vulnerability management ## Remediation activities -When you [submit a remediation request](tvm-security-recommendation.md#request-remediation) from the [Security recommendations page](tvm-security-recommendation.md), it kicks-off a remediation activity. A security task is created which will be tracked in the threat and vulnerability management **Remediation** page, and a remediation ticket is created in Microsoft Intune. +When you [submit a remediation request](tvm-security-recommendation.md#request-remediation) from the [Security recommendations page](tvm-security-recommendation.md), it kicks-off a remediation activity. A security task is created that can be tracked in the threat and vulnerability management **Remediation** page, and a remediation ticket is created in Microsoft Intune. Once you are in the Remediation page, select the remediation activity that you want to view. You can follow the remediation steps, track progress, view the related recommendation, export to CSV, or mark as complete. ![Example of the Remediation page, with a selected remediation activity, and that activity's flyout listing the description, IT service and device management tools, and device remediation progress.](images/remediation_flyouteolsw.png) 
@@ -66,8 +69,8 @@ The exceptions you've filed will show up in the **Remediation** page, in the **E You can take the following actions on an exception: -- Cancel - You can cancel the exceptions you've filed any time -- Resurface - Your exception automatically becomes void and resurfaces in the security recommendation list when dynamic environmental factors change, which adversely affect the exposure impact associated with a recommendation that had previously been excluded +- Cancel - You can cancel the exceptions you've filed anytime +- Resurface - Your exception automatically becomes void and resurfaces in the security recommendation list when dynamic environmental factors change. It adversely affects the exposure impact associated with a recommendation that had previously been excluded. The following statuses will be a part of an exception: @@ -89,7 +92,7 @@ The exception impact shows on both the Security recommendations page column and ### View exceptions in other places -Select **Show exceptions** at the bottom of the **Top security recommendations** card in the dashboard to open a filtered view in the **Security recommendations** page of recommendations with an "Exception" status. +Select **Show exceptions** at the bottom of the **Top security recommendations** card in the dashboard. It will open a filtered view in the **Security recommendations** page of recommendations with an "Exception" status. ![Screenshot of Show exceptions link in the Top security recommendations card in the dashboard.](images/tvm-exception-dashboard.png) diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md index 3555d2490e..a64042be50 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md 
@@ -18,6 +18,9 @@ ms.topic: conceptual --- # Security recommendations - threat and vulnerability management +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) 
@@ -28,13 +31,13 @@ ms.topic: conceptual Cybersecurity weaknesses identified in your organization are mapped to actionable security recommendations and prioritized by their impact. Prioritized recommendations help shorten the time to mitigate or remediate vulnerabilities and drive compliance. -Each security recommendation includes an actionable remediation recommendation which can be pushed into the IT task queue through a built-in integration with Microsoft Intune and Microsoft Endpoint Configuration Manager. When the threat landscape changes, the recommendation also changes as it continuously collects information from your environment. +Each security recommendation includes actionable remediation steps. To help with task management, the recommendation can also be sent using Microsoft Intune and Microsoft Endpoint Configuration Manager. When the threat landscape changes, the recommendation also changes as it continuously collects information from your environment. ## How it works Each device in the organization is scored based on three important factors to help customers to focus on the right things at the right time. -- **Threat** - Characteristics of the vulnerabilities and exploits in your organizations' devices and breach history. Based on these factors, the security recommendations shows the corresponding links to active alerts, ongoing threat campaigns, and their corresponding threat analytic reports. +- **Threat** - Characteristics of the vulnerabilities and exploits in your organizations' devices and breach history. Based on these factors, the security recommendations show the corresponding links to active alerts, ongoing threat campaigns, and their corresponding threat analytic reports. - **Breach likelihood** - Your organization's security posture and resilience against threats 
@@ -54,15 +57,15 @@ View related security recommendations in the following places: ### Navigation menu -Go to the threat and vulnerability management navigation menu and select **Security recommendations** to open the list of security recommendations for the threats and vulnerabilities found in your organization. +Go to the threat and vulnerability management navigation menu and select **Security recommendations**. The page contains a list of security recommendations for the threats and vulnerabilities found in your organization. ### Top security recommendations in the threat and vulnerability management dashboard -In a given day as a Security Administrator, you can take a look at the [threat and vulnerability management dashboard](tvm-dashboard-insights.md) to see your [exposure score](tvm-exposure-score.md) side-by-side with your [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md). The goal is to **lower** your organization's exposure from vulnerabilities, and **increase** your organization's device security to be more resilient against cybersecurity threat attacks. The top security recommendations list can help you achieve that goal. +In a given day as a Security Administrator, you can take a look at the [threat and vulnerability management dashboard](tvm-dashboard-insights.md) to see your [exposure score](tvm-exposure-score.md) side by side with your [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md). The goal is to **lower** your organization's exposure from vulnerabilities, and **increase** your organization's device security to be more resilient against cybersecurity threat attacks. The top security recommendations list can help you achieve that goal. 
![Example of Top security recommendations card, with four security recommendations.](images/top-security-recommendations350.png) -The top security recommendations lists the improvement opportunities prioritized based on the important factors mentioned in the previous section - threat, likelihood to be breached, and value. Selecting a recommendation will take you to the security recommendations page with more details about the recommendation. +The top security recommendations list the improvement opportunities prioritized based on the important factors mentioned in the previous section - threat, likelihood to be breached, and value. Selecting a recommendation will take you to the security recommendations page with more details. ## Security recommendations overview @@ -74,7 +77,7 @@ The color of the **Exposed devices** graph changes as the trend changes. If the ### Icons -Useful icons also quickly calls your attention to: +Useful icons also quickly call your attention to: - ![arrow hitting a target](images/tvm_alert_icon.png) possible active alerts - ![red bug](images/tvm_bug_icon.png) associated public exploits - ![light bulb](images/tvm_insight_icon.png) recommendation insights 
@@ -85,13 +88,13 @@ Select the security recommendation that you want to investigate or process. ![Example of a security recommendation flyout page.](images/secrec-flyouteolsw.png) -From the flyout, you can do any of the following: +From the flyout, you can choose any of the following options: -- **Open software page** - Open the software page to get more context on the software and how it is distributed. The information can include threat context, associated recommendations, weaknesses discovered, number of exposed devices, discovered vulnerabilities, names and detailed of devices with the software installed, and version distribution. +- **Open software page** - Open the software page to get more context on the software and how it's distributed. The information can include threat context, associated recommendations, weaknesses discovered, number of exposed devices, discovered vulnerabilities, names and detailed of devices with the software installed, and version distribution. - [**Remediation options**](tvm-security-recommendation.md#request-remediation) - Submit a remediation request to open a ticket in Microsoft Intune for your IT Administrator to pick up and address. -- [**Exception options**](tvm-security-recommendation.md#file-for-exception) - Submit an exception, provide justification, and set exception duration if you can't remediate the issue just yet. +- [**Exception options**](tvm-security-recommendation.md#file-for-exception) - Submit an exception, provide justification, and set exception duration if you can't remediate the issue yet. >[!NOTE] >When a change is made on a device, it typically takes two hours for the data to be reflected in the Microsoft Defender Security Center. However, it may sometimes take longer. 
@@ -137,7 +140,7 @@ There are many reasons why organizations create exceptions for a recommendation. When an exception is created for a recommendation, the recommendation is no longer active. The recommendation state changes to **Exception**, and it no longer shows up in the security recommendations list. -1. Select a security recommendation you would like create an exception for, and then **Exception options**. +1. Select a security recommendation you would like to create an exception for, and then **Exception options**. ![Showing where the button for "exception options" is location in a security recommendation flyout.](images/tvm-exception-option.png) 2. Select your justification for the exception you need to file instead of remediating the security recommendation in question. Fill out the justification context, then set the exception duration. 
@@ -171,30 +174,30 @@ You can report a false positive when you see any vague, inaccurate, incomplete, ## Find and remediate software or software versions which have reached end-of-support (EOS) -End-of-support (otherwise known as end-of-life) for software or software versions means that they will no longer be supported or serviced, and will not receive security updates. When you use software or software versions which have reached end-of-support, you're exposing your organization to security vulnerabilities, legal, and financial risks. +End-of-support (otherwise known as end-of-life) for software or software versions means that they will no longer be supported or serviced, and will not receive security updates. When you use software or software versions with ended support, you're exposing your organization to security vulnerabilities, legal, and financial risks. -It is crucial for Security and IT Administrators to work together and ensure that the organization's software inventory is configured for optimal results, compliance, and a healthy network ecosystem. They should examine the options to remove or replace apps that have reached end of support, and update versions that have reached end of support. It is best to create and implement a plan **before** the end of support dates. +It's crucial for Security and IT Administrators to work together and ensure that the organization's software inventory is configured for optimal results, compliance, and a healthy network ecosystem. They should examine the options to remove or replace apps that have reached end-of-support and update versions that are no longer supported. It's best to create and implement a plan **before** the end of support dates. -To find software or software versions which have reached end-of-support: +To find software or software versions that are no longer supported: 1. From the threat and vulnerability management menu, navigate to **Security recommendations**. 2. 
Go to the **Filters** panel and look for the tags section. Select one or more of the EOS tag options. Then **Apply**. ![Screenshot tags that say EOS software, EOS versions, and Upcoming EOS versions](images/tvm-eos-tag.png) -3. You will see a list recommendations related to software that is end of support, software versions that are end of support, or upcoming end of support versions. These tags are also visible in the [software inventory](tvm-software-inventory.md) page. +3. You'll see a list of recommendations related to software with ended support, software versions that are end of support, or versions with upcoming end of support. These tags are also visible in the [software inventory](tvm-software-inventory.md) page. ![Screenshot tags that say EOS software, EOS versions, and Upcoming EOS versions](images/tvm-eos-tags-column.png) ### List of versions and dates -To view a list of version that have reached end of support, or end or support soon, and those dates, follow the below steps: +To view a list of versions that have reached end of support, or end or support soon, and those dates, follow the below steps: -1. For software that has versions which have reached end of support, or will reach end of support soon, a message will appear in the flyout once the security recommendation is selected. +1. A message will appear in the security recommendation flyout for software with versions that have reached end of support, or will reach end of support soon. ![Screenshot of version distribution link](images/eos-upcoming-eos.png) -2. Select the **version distribution** link to go to the software drill down page. There, you can see a filtered list of versions with tags identifying them as end of support, or upcoming end of support. +2. Select the **version distribution** link to go to the software drill-down page. There, you can see a filtered list of versions with tags identifying them as end of support, or upcoming end of support. 
![Screenshot of version distribution link](images/software-drilldown-eos.png) @@ -202,7 +205,7 @@ To view a list of version that have reached end of support, or end or support so ![Screenshot of version distribution link](images/version-eos-date.png) -After you have identified which software and software versions are vulnerable due to its end-of-support status, remediate them to lower your organizations exposure to vulnerabilities and advanced persistent threats. +Once you identify which software and software versions are vulnerable due to their end-of-support status, you must decide whether to update or remove them from your organization. Doing so will lower your organizations exposure to vulnerabilities and advanced persistent threats. ## Related topics @@ -217,4 +220,4 @@ After you have identified which software and software versions are vulnerable du - [Event timeline](threat-and-vuln-mgt-event-timeline.md) - [Scenarios](threat-and-vuln-mgt-scenarios.md) - [APIs](next-gen-threat-and-vuln-mgt.md#apis) -- [Configure data access for threat and vulnerability management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) \ No newline at end of file +- [Configure data access for threat and vulnerability management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md index d0e00649f5..215f2fc19c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md 
@@ -1,6 +1,6 @@ --- title: Software inventory in threat and vulnerability management -description: Microsoft Defender ATP threat and vulnerability management's software inventory page shows how many weaknesses and vulnerabilities have been detected in software. +description: The software inventory page for Microsoft Defender ATP's threat and vulnerability management shows how many weaknesses and vulnerabilities have been detected in software. keywords: threat and vulnerability management, microsoft defender atp, microsoft defender atp software inventory, mdatp threat & vulnerability management, mdatp threat & vulnerability management software inventory, mdatp tvm software inventory, tvm software inventory search.product: eADQiWindows 10XVcnh search.appverid: met150 
@@ -18,31 +18,34 @@ ms.topic: conceptual --- # Software inventory - threat and vulnerability management +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) -The software inventory in threat and vulnerability management is a list of all the software in your organization, including details such as the name of the vendor, number of weaknesses, threats, and number of exposed devices. +The software inventory in threat and vulnerability management is a list of all the software in your organization. It also includes details such as the name of the vendor, number of weaknesses, threats, and number of exposed devices. ## How it works -In the field of discovery, we are leveraging the same set of signals that is responsible for detection and vulnerability assessment in [Microsoft Defender ATP endpoint detection and response capabilities](overview-endpoint-detection-response.md). +In the field of discovery, we're leveraging the same set of signals that is responsible for detection and vulnerability assessment in [Microsoft Defender ATP endpoint detection and response capabilities](overview-endpoint-detection-response.md). -Since it is real-time, in a matter of minutes, you will see vulnerability information as they get discovered. The engine automatically grabs information from multiple security feeds. In fact, you'll will see if a particular software is connected to a live threat campaign. It also provides a link to a Threat Analytics report soon as it's available. +Since it's real time, in a matter of minutes, you'll see vulnerability information as they get discovered. 
The engine automatically grabs information from multiple security feeds. In fact, you'll see if a particular software is connected to a live threat campaign. It also provides a link to a Threat Analytics report soon as it's available. ## Navigate to the Software inventory page -You can access the Software inventory page by selecting **Software inventory** from the threat and vulnerability management navigation menu in the [Microsoft Defender Security Center](portal-overview.md). +Access the Software inventory page by selecting **Software inventory** from the threat and vulnerability management navigation menu in the [Microsoft Defender Security Center](portal-overview.md). View software on specific devices in the individual devices pages from the [devices list](machines-view-overview.md). ## Software inventory overview -The **Software inventory** page opens with a list of software installed in your network, vendor name, weaknesses found, threats associated with them, exposed devices, impact to exposure score, and tags. You can also filter the software inventory list view based on weaknesses found in the software, threats associated with them, and whether the software or software versions have reached end-of-support. +The **Software inventory** page opens with a list of software installed in your network, including the vendor name, weaknesses found, threats associated with them, exposed devices, impact to exposure score, and tags. You can filter the list view based on weaknesses found in the software, threats associated with them, and whether the software or software versions have reached end-of-support. ![Example of the landing page for software inventory.](images/software_inventory_filter.png) -Select the software that you want to investigate and a flyout panel opens up with a more compact view of the information on the page. 
You can either dive deeper into the investigation and select **Open software page**, or flag any technical inconsistencies by selecting **Report inaccuracy**. +Select the software that you want to investigate. A flyout panel will open with a more compact view of the information on the page. You can either dive deeper into the investigation and select **Open software page**, or flag any technical inconsistencies by selecting **Report inaccuracy**. ![Flyout example page of "Visual Studio 2017" from the software inventory page.](images/tvm-software-inventory-flyout500.png) 
@@ -56,8 +59,8 @@ You can view software pages a few different ways: A full page will appear with all the details of a specific software and the following information: -- Side panel with vendor information, prevalence of the software in the organization (including number of devices it is installed on, and exposed devices that are not patched), whether and exploit is available, and impact to your exposure score -- Data visualizations showing the number of, and severity of, vulnerabilities and misconfigurations. Also, graphs of the number of exposed devices +- Side panel with vendor information, prevalence of the software in the organization (including number of devices it's installed on, and exposed devices that aren't patched), whether and exploit is available, and impact to your exposure score +- Data visualizations showing the number of, and severity of, vulnerabilities and misconfigurations. Also, graphs with the number of exposed devices - Tabs with lists of the corresponding security recommendations for the weaknesses and vulnerabilities identified, the named CVEs of discovered vulnerabilities, the names of the devices that the software is installed on, and the specific versions of the software with the number of devices that have each version installed and number of vulnerabilities. ![Software example page for Visual Studio 2017 with the software details, weaknesses, exposed devices, and more.](images/tvm-software-page-example.png) 
@@ -67,17 +70,17 @@ You can view software pages a few different ways: We now show evidence of where we detected a specific software on a device from the registry, disk or both. You can find it on any devices found in the [devices list](machines-view-overview.md) in a section called "Software Evidence." -From the Microsoft Defender Security Center navigation panel, go to **Devices list** > select the name of a device to open the device page (like Computer1) > select the **Software inventory** tab > select the software name to open the flyout and view software evidence. +From the Microsoft Defender Security Center navigation panel, go to the **Devices list**. Select the name of a device to open the device page (like Computer1) > select the **Software inventory** tab > select the software name to open the flyout and view software evidence. ![Software evidence example of Windows 10 from the devices list, showing software evidence registry path.](images/tvm-software-evidence.png) ## Report inaccuracy -You can report a false positive when you see any vague, inaccurate version, incomplete, or already remediated software inventory information. +Report a false positive when you see any vague, inaccurate, or incomplete information. You can also report on security recommendations that have already been remediated. 1. Open the software flyout on the Software inventory page. 2. Select **Report inaccuracy**. -3. From the flyout pane, select the inaccuracy category from the drop-down menu, fill in your email address, and details regarding the inaccuracy. +3. From the flyout pane, select the inaccuracy category from the drop-down menu, fill in your email address, and details about the inaccuracy. 4. Select **Submit**. Your feedback is immediately sent to the threat and vulnerability management experts. ## Related topics 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md
index 381f126c5b..9c71a766be 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md
@@ -1,58 +1,61 @@ ---- -title: Supported operating systems and platforms for threat and vulnerability management -description: Before you begin, ensure that you meet the operating system or platform requisites for threat and vulnerability management so the activities in your all devices are properly accounted for. -keywords: threat & vulnerability management, threat and vulnerability management, operating system, platform requirements, prerequisites, mdatp-tvm supported os, mdatp-tvm, risk-based threat & vulnerability management, security configuration, Microsoft Secure Score for Devices, exposure score -search.appverid: met150 -search.product: eADQiWindows 10XVcnh -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: ellevin -author: levinec -ms.localizationpriority: medium -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: article ---- -# Supported operating systems and platforms - threat and vulnerability management - -**Applies to:** - -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) - -Before you begin, ensure that you meet the following operating system or platform requisites for threat and vulnerability management so the activities in your devices are properly accounted for. - ->[!NOTE] ->The supported systems and platforms for threat and vulnerability management may be different from the [Minimum requirements for Microsoft Defender ATP](minimum-requirements.md) list. 
- -Operating system | Security assessment support -:---|:--- -Windows 7 | Operating System (OS) vulnerabilities -Windows 8.1 | Not supported -Windows 10 1607-1703 | Operating System (OS) vulnerabilities -Windows 10 1709+ |Operating System (OS) vulnerabilities
                        Software product vulnerabilities
                        Operating System (OS) configuration assessment
                        Security controls configuration assessment
                        Software product configuration assessment -Windows Server 2008 R2 | Operating System (OS) vulnerabilities
                        Software product vulnerabilities
                        Operating System (OS) configuration assessment
                        Security controls configuration assessment
                        Software product configuration assessment -Windows Server 2012 R2 | Operating System (OS) vulnerabilities
                        Software product vulnerabilities
                        Operating System (OS) configuration assessment
                        Security controls configuration assessment
                        Software product configuration assessment -Windows Server 2016 | Operating System (OS) vulnerabilities
                        Software product vulnerabilities
                        Operating System (OS) configuration assessment
                        Security controls configuration assessment
                        Software product configuration assessment -Windows Server 2019 | Operating System (OS) vulnerabilities
                        Software product vulnerabilities
                        Operating System (OS) configuration assessment
                        Security controls configuration assessment
                        Software product configuration assessment -MacOS | Not supported (planned) -Linux | Not supported (planned) - -## Related topics - -- [Threat and vulnerability management overview](next-gen-threat-and-vuln-mgt.md) -- [Threat and vulnerability management dashboard](tvm-dashboard-insights.md) -- [Exposure score](tvm-exposure-score.md) -- [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md) -- [Security recommendations](tvm-security-recommendation.md) -- [Remediation and exception](tvm-remediation.md) -- [Software inventory](tvm-software-inventory.md) -- [Weaknesses](tvm-weaknesses.md) -- [Event timeline](threat-and-vuln-mgt-event-timeline.md) -- [Scenarios](threat-and-vuln-mgt-scenarios.md) -- [APIs](next-gen-threat-and-vuln-mgt.md#apis) -- [Configure data access for threat and vulnerability management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group) +--- +title: Supported operating systems and platforms for threat and vulnerability management +description: Before you begin, ensure that you meet the operating system or platform requisites for threat and vulnerability management so the activities in your all devices are properly accounted for. 
+keywords: threat & vulnerability management, threat and vulnerability management, operating system, platform requirements, prerequisites, mdatp-tvm supported os, mdatp-tvm, risk-based threat & vulnerability management, security configuration, Microsoft Secure Score for Devices, exposure score +search.appverid: met150 +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: ellevin +author: levinec +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +--- +# Supported operating systems and platforms - threat and vulnerability management + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) + +Before you begin, ensure that you meet the following operating system or platform requisites for threat and vulnerability management so the activities in your devices are properly accounted for. + +>[!NOTE] +>The supported systems and platforms for threat and vulnerability management may be different from the [Minimum requirements for Microsoft Defender ATP](minimum-requirements.md) list. + +Operating system | Security assessment support +:---|:--- +Windows 7 | Operating System (OS) vulnerabilities +Windows 8.1 | Not supported +Windows 10 1607-1703 | Operating System (OS) vulnerabilities +Windows 10 1709+ |Operating System (OS) vulnerabilities
                        Software product vulnerabilities
                        Operating System (OS) configuration assessment
                        Security controls configuration assessment
                        Software product configuration assessment +Windows Server 2008 R2 | Operating System (OS) vulnerabilities
                        Software product vulnerabilities
                        Operating System (OS) configuration assessment
                        Security controls configuration assessment
                        Software product configuration assessment +Windows Server 2012 R2 | Operating System (OS) vulnerabilities
                        Software product vulnerabilities
                        Operating System (OS) configuration assessment
                        Security controls configuration assessment
                        Software product configuration assessment +Windows Server 2016 | Operating System (OS) vulnerabilities
                        Software product vulnerabilities
                        Operating System (OS) configuration assessment
                        Security controls configuration assessment
                        Software product configuration assessment +Windows Server 2019 | Operating System (OS) vulnerabilities
                        Software product vulnerabilities
                        Operating System (OS) configuration assessment
                        Security controls configuration assessment
                        Software product configuration assessment +macOS | Not supported (planned) +Linux | Not supported (planned) + +## Related topics + +- [Threat and vulnerability management overview](next-gen-threat-and-vuln-mgt.md) +- [Threat and vulnerability management dashboard](tvm-dashboard-insights.md) +- [Exposure score](tvm-exposure-score.md) +- [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md) +- [Security recommendations](tvm-security-recommendation.md) +- [Remediation and exception](tvm-remediation.md) +- [Software inventory](tvm-software-inventory.md) +- [Weaknesses](tvm-weaknesses.md) +- [Event timeline](threat-and-vuln-mgt-event-timeline.md) +- [Scenarios](threat-and-vuln-mgt-scenarios.md) +- [APIs](next-gen-threat-and-vuln-mgt.md#apis) +- [Configure data access for threat and vulnerability management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group) diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md index d82ae3d95c..4f2cc260b4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md 
@@ -18,16 +18,20 @@ ms.topic: conceptual --- # Weaknesses found by threat and vulnerability management +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) -[!include[Prerelease information](../../includes/prerelease.md)] - Threat and vulnerability management uses the same signals in Microsoft Defender ATP's endpoint protection to scan and detect vulnerabilities. -The **Weaknesses** page lists down the vulnerabilities found in the infected software running in your organization by listing the Common Vulnerabilities and Exposures (CVE) ID, the severity, Common Vulnerability Scoring System (CVSS) rating, prevalence in your organization, corresponding breach, threat insights, and more. +The **Weaknesses** page lists down the vulnerabilities found in the infected software running in your organization by listing the Common Vulnerabilities and Exposures (CVE) ID. You can also view the severity, Common Vulnerability Scoring System (CVSS) rating, prevalence in your organization, corresponding breach, threat insights, and more. + +>[!NOTE] +>If there is no official CVE-ID assigned to a vulnerability, the vulnerability name is assigned by threat and vulnerability management. >[!IMPORTANT] >To boost your vulnerability assessment detection rates, you can download the following mandatory security updates and deploy them in your network: 
@@ -52,13 +56,13 @@ Go to the threat and vulnerability management navigation menu and select **Weakn 1. Go to the global search drop-down menu. 2. Select **Vulnerability** and key-in the Common Vulnerabilities and Exposures (CVE) ID that you're looking for, then select the search icon. The **Weaknesses** page opens with the CVE information that you're looking for. ![Global search box with the dropdown option "vulnerability" selected and an example CVE.](images/tvm-vuln-globalsearch.png) -3. Select the CVE and a flyout panel opens up with more information, including the vulnerability description, details, threat insights, and exposed devices. +3. Select the CVE to open a flyout panel with more information, including the vulnerability description, details, threat insights, and exposed devices. To see the rest of the vulnerabilities in the **Weaknesses** page, type CVE, then select search. ## Weaknesses overview -If exposed devices exist, the next step is to remediate the vulnerabilities in those devices to reduce the risk to your assets and organization. If the **Exposed Devices** column shows 0, that means you are not at risk. +Remediate the vulnerabilities in exposed devices to reduce the risk to your assets and organization. If the **Exposed Devices** column shows 0, that means you aren't at risk. ![Weaknesses landing page.](images/tvm-weaknesses-overview.png) 
@@ -69,10 +73,10 @@ View related breach and threat insights in the **Threat** column when the icons >[!NOTE] > Always prioritize recommendations that are associated with ongoing threats. These recommendations are marked with the threat insight icon ![Simple drawing of a red bug.](images/tvm_bug_icon.png) and breach insight icon ![Simple drawing of an arrow hitting a target.](images/tvm_alert_icon.png). -The breach insights icon is highlighted if there is a vulnerability found in your organization. +The breach insights icon is highlighted if there's a vulnerability found in your organization. ![Example of a breach insights text that could show up when hovering over icon. This one says "possible active alert is associated with this recommendation.](images/tvm-breach-insights.png) -The threat insights icon is highlighted if there are associated exploits in the vulnerability found in your organization. It also shows whether the threat is a part of an exploit kit or connected to specific advanced persistent campaigns or activity groups. Threat Analytics report links are provided that you can read with zero-day exploitation news, disclosures, or related security advisories. +The threat insights icon is highlighted if there are associated exploits in the vulnerability found in your organization. Hovering over the icon shows whether the threat is a part of an exploit kit, or connected to specific advanced persistent campaigns or activity groups. When available, there is a link to a Threat Analytics report with zero-day exploitation news, disclosures, or related security advisories. ![Threat insights text that that could show up when hovering over icon. This one has multiple bullet points and linked text.](images/tvm-threat-insights.png) 
@@ -88,11 +92,11 @@ The "OS Feature" category is shown in relevant scenarios. ### Top vulnerable software in the dashboard -1. Go to the [threat and vulnerability management dashboard](tvm-dashboard-insights.md) and scroll down to the **Top vulnerable software** widget. You will see the number of vulnerabilities found in each software along with threat information and a high-level view of the device exposure trend over time. +1. Go to the [threat and vulnerability management dashboard](tvm-dashboard-insights.md) and scroll down to the **Top vulnerable software** widget. You will see the number of vulnerabilities found in each software, along with threat information and a high-level view of device exposure over time. ![Top vulnerable software card with four columns: software, weaknesses, threats, exposed devices.](images/tvm-top-vulnerable-software500.png) -2. Select the software you want to investigate to go to a drill down page. +2. Select the software you want to investigate to go to a drilldown page. 3. Select the **Discovered vulnerabilities** tab. 4. Select the vulnerability you want to investigate for more information on vulnerability details 
@@ -116,19 +120,19 @@ View related weaknesses information in the device page. #### CVE Detection logic -Similar to the software evidence, we now show the detection logic we applied on a device in order to state that it's vulnerable. This is a new section called "Detection Logic" (in any discovered vulnerability in the device page) that shows the detection logic and source. +Similar to the software evidence, we now show the detection logic we applied on a device in order to state that it's vulnerable. The new section is called "Detection Logic" (in any discovered vulnerability in the device page) and shows the detection logic and source. -The "OS Feature" category is also shown in relevant scenarios. For example, a CVE affects devices that run a vulnerable OS, only if a specific OS component is enabled on these devices. Let's say Windows Server 2019 has vulnerability in its DNS component. With this new capability, we’ll attach this CVE only to the Windows Server 2019 devices with DNS capability enabled in their OS. +The "OS Feature" category is also shown in relevant scenarios. A CVE would affect devices that run a vulnerable OS only if a specific OS component is enabled. Let's say Windows Server 2019 has vulnerability in its DNS component. With this new capability, we’ll only attach this CVE to the Windows Server 2019 devices with the DNS capability enabled in their OS. ![Detection Logic example which lists the software detected on the device and the KBs.](images/tvm-cve-detection-logic.png) ## Report inaccuracy -You can report a false positive when you see any vague, inaccurate, incomplete, or already remediated security recommendation information. +Report a false positive when you see any vague, inaccurate, or incomplete information. You can also report on security recommendations that have already been remediated. 1. Open the CVE on the Weaknesses page. -2. Select **Report inaccuracy**. -3. 
From the flyout pane, select the inaccuracy category from the drop-down menu, fill in your email address, and details regarding the inaccuracy. +2. Select **Report inaccuracy** and a flyout pane will open. +3. Select the inaccuracy category from the drop-down menu and fill in your email address and inaccuracy details. 4. Select **Submit**. Your feedback is immediately sent to the threat and vulnerability management experts. ## Related topics @@ -144,4 +148,4 @@ You can report a false positive when you see any vague, inaccurate, incomplete, - [Event timeline](threat-and-vuln-mgt-event-timeline.md) - [Scenarios](threat-and-vuln-mgt-scenarios.md) - [APIs](next-gen-threat-and-vuln-mgt.md#apis) -- [Configure data access for threat and vulnerability management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) \ No newline at end of file +- [Configure data access for threat and vulnerability management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) diff --git a/windows/security/threat-protection/microsoft-defender-atp/unisolate-machine.md b/windows/security/threat-protection/microsoft-defender-atp/unisolate-machine.md index 70c1aed086..c518418a7f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/unisolate-machine.md +++ b/windows/security/threat-protection/microsoft-defender-atp/unisolate-machine.md @@ -19,6 +19,9 @@ ms.topic: article # Release device from isolation API +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/unrestrict-code-execution.md b/windows/security/threat-protection/microsoft-defender-atp/unrestrict-code-execution.md index 3b560772a9..50319acfe5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/unrestrict-code-execution.md +++ b/windows/security/threat-protection/microsoft-defender-atp/unrestrict-code-execution.md @@ -18,6 +18,9 @@ ms.topic: article # Remove app restriction API +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/update-alert.md b/windows/security/threat-protection/microsoft-defender-atp/update-alert.md index 38a2c6d170..9c9268711b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/update-alert.md +++ b/windows/security/threat-protection/microsoft-defender-atp/update-alert.md @@ -1,6 +1,6 @@ --- title: Update alert entity API -description: Update a Microsoft Defender ATP alert via this API. +description: Learn how to update a Microsoft Defender ATP alert by using this API. You can update the status, determination, classification, and assignedTo properties. keywords: apis, graph api, supported apis, get, alert, information, id search.product: eADQiWindows 10XVcnh ms.prod: w10 
@@ -18,6 +18,9 @@ ms.topic: article # Update alert +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/use.md b/windows/security/threat-protection/microsoft-defender-atp/use.md index 3987410333..da8874d9ba 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/use.md +++ b/windows/security/threat-protection/microsoft-defender-atp/use.md @@ -19,6 +19,9 @@ ms.topic: conceptual # Overview of Microsoft Defender Security Center +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/microsoft-defender-atp/user-roles.md b/windows/security/threat-protection/microsoft-defender-atp/user-roles.md index d58c080f49..3e7673cab5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/user-roles.md +++ b/windows/security/threat-protection/microsoft-defender-atp/user-roles.md @@ -19,6 +19,9 @@ ms.topic: article # Create and manage roles for role-based access control +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) 
@@ -30,19 +33,21 @@ ms.topic: article The following steps guide you on how to create roles in Microsoft Defender Security Center. It assumes that you have already created Azure Active Directory user groups. -1. In the navigation pane, select **Settings > Roles**. +1. Log in to [Microsoft Defender Security Center](https://securitycenter.windows.com/) using account with a Security administrator or Global administrator role assigned. -2. Select **Add item**. +2. In the navigation pane, select **Settings > Roles**. -3. Enter the role name, description, and permissions you'd like to assign to the role. +3. Select **Add item**. -4. Select **Next** to assign the role to an Azure AD Security group. +4. Enter the role name, description, and permissions you'd like to assign to the role. -5. Use the filter to select the Azure AD group that you'd like to add to this role to. +5. Select **Next** to assign the role to an Azure AD Security group. -6. **Save and close**. +6. Use the filter to select the Azure AD group that you'd like to add to this role to. -7. Apply the configuration settings. +7. **Save and close**. + +8. Apply the configuration settings. > [!IMPORTANT] > After creating roles, you'll need to create a device group and provide access to the device group by assigning it to a role that you just created. 
@@ -58,21 +63,22 @@ The following steps guide you on how to create roles in Microsoft Defender Secur - **Threat and vulnerability management - Exception handling** - Create new exceptions and manage active exceptions - **Threat and vulnerability management - Remediation handling** - Submit new remediation requests, create tickets, and manage existing remediation activities -- **Alerts investigation** - Manage alerts, initiate automated investigations, run scans, collect investigation packages, manage device tags. +- **Alerts investigation** - Manage alerts, initiate automated investigations, run scans, collect investigation packages, manage device tags, and download only portable executable (PE) files -- **Manage portal system settings** - Configure storage settings, SIEM and threat intel API settings (applies globally), advanced settings, automated file uploads, roles and device groups. +- **Manage portal system settings** - Configure storage settings, SIEM and threat intel API settings (applies globally), advanced settings, automated file uploads, roles and device groups > [!NOTE] > This setting is only available in the Microsoft Defender ATP administrator (default) role. -- **Manage security settings in Security Center** - Configure alert suppression settings, manage folder exclusions for automation, onboard and offboard devices, and manage email notifications, manage evaluation lab. 
+- **Manage security settings in Security Center** - Configure alert suppression settings, manage folder exclusions for automation, onboard and offboard devices, and manage email notifications, manage evaluation lab - **Live response capabilities** - **Basic** commands: - Start a live response session - Perform read only live response commands on remote device (excluding file copy and execution - **Advanced** commands: - - Download a file from the remote device + - Download a file from the remote device via live response + - Download PE and non-PE files from the file page - Upload a file to the remote device - View a script from the files library - Execute a script on the remote device from the files library @@ -81,19 +87,27 @@ For more information on the available commands, see [Investigate devices using L ## Edit roles -1. Select the role you'd like to edit. +1. Log in to [Microsoft Defender Security Center](https://securitycenter.windows.com/) using account with Security administrator or Global administrator role assigned. -2. Click **Edit**. +2. In the navigation pane, select **Settings > Roles**. -3. Modify the details or the groups that are assigned to the role. +3. Select the role you'd like to edit. -4. Click **Save and close**. +4. Click **Edit**. + +5. Modify the details or the groups that are assigned to the role. + +6. Click **Save and close**. ## Delete roles -1. Select the role you'd like to delete. +1. Log in to [Microsoft Defender Security Center](https://securitycenter.windows.com/) using account with Security administrator or Global administrator role assigned. -2. Click the drop-down button and select **Delete role**. +2. In the navigation pane, select **Settings > Roles**. + +3. Select the role you'd like to delete. + +4. Click the drop-down button and select **Delete role**. ## Related topic 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/user.md b/windows/security/threat-protection/microsoft-defender-atp/user.md index e895a9b146..e94dd0bb1d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/user.md +++ b/windows/security/threat-protection/microsoft-defender-atp/user.md @@ -18,6 +18,9 @@ ms.topic: article # User resource type +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) @@ -25,4 +28,4 @@ ms.topic: article Method|Return Type |Description :---|:---|:--- [List User related alerts](get-user-related-alerts.md) | [alert](alerts.md) collection | List all the alerts that are associated with a [user](user.md). -[List User related devices](get-user-related-machines.md) | [machine](machine.md) collection | List all the devices that were logged on by a [user](user.md). \ No newline at end of file +[List User related devices](get-user-related-machines.md) | [machine](machine.md) collection | List all the devices that were logged on by a [user](user.md). diff --git a/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue.md b/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue.md index 0a72f9fa7d..a1fa8c6d8a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue.md +++ b/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue.md 
@@ -19,6 +19,9 @@ ms.topic: article --- # View and organize the Microsoft Defender Advanced Threat Protection Incidents queue + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) @@ -49,7 +52,7 @@ Incident severity | Description High
                        (Red) | Threats often associated with advanced persistent threats (APT). These incidents indicate a high risk due to the severity of damage they can inflict on devices. Medium
                        (Orange) | Threats rarely observed in the organization, such as anomalous registry change, execution of suspicious files, and observed behaviors typical of attack stages. Low
                        (Yellow) | Threats associated with prevalent malware and hack-tools that do not necessarily indicate an advanced threat targeting the organization. -Informational
                        (Grey) | Informational incidents are those that might not be considered harmful to the network but might be good to keep track of. +Informational
                        (Grey) | Informational incidents might not be considered harmful to the network but might be good to keep track of. ## Assigned to You can choose to filter the list by selecting assigned to anyone or ones that are assigned to you. @@ -65,16 +68,15 @@ Use this filter to show incidents that contain sensitivity labels. ## Incident naming -To understand the incident's scope at-a-glance, automatic incident naming, currently in public preview, generates incident names based on alert attributes such as the number of endpoints affected, users affected, detection sources or categories. +To understand the incident's scope at a glance, incident names are automatically generated based on alert attributes such as the number of endpoints affected, users affected, detection sources or categories. For example: *Multi-stage incident on multiple endpoints reported by multiple sources.* > [!NOTE] -> Incidents that existed prior the rollout of automatic incident naming will not have their name changed. +> Incidents that existed prior the rollout of automatic incident naming will retain their name. -Learn more about [turning on preview features](preview.md#turn-on-preview-features). -## Related topics +## See also - [Incidents queue](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue) - [Manage incidents](manage-incidents.md) - [Investigate incidents](investigate-incidents.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/vulnerability.md b/windows/security/threat-protection/microsoft-defender-atp/vulnerability.md index 73aeb36a61..121df4f64b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/vulnerability.md +++ b/windows/security/threat-protection/microsoft-defender-atp/vulnerability.md 
@@ -1,50 +1,53 @@ ---- -title: Vulnerability methods and properties -description: Retrieves vulnerability information -keywords: apis, graph api, supported apis, get, vulnerability -search.product: eADQiWindows 10XVcnh -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: dolmont -author: DulceMontemayor -ms.localizationpriority: medium -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: article ---- - -# Vulnerability resource type - -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - -- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) - -[!include[Prerelease information](../../includes/prerelease.md)] - -## Methods -Method |Return Type |Description -:---|:---|:--- -[Get all vulnerabilities](get-all-vulnerabilities.md) | Vulnerability collection | Retrieves a list of all the vulnerabilities affecting the organization -[Get vulnerability by Id](get-vulnerability-by-id.md) | Vulnerability | Retrieves vulnerability information by its ID -[List devices by vulnerability](get-machines-by-vulnerability.md)| MachineRef collection | Retrieve a list of devices that are associated with the vulnerability ID - - -## Properties -Property | Type | Description -:---|:---|:--- -id | String | Vulnerability ID -Name | String | Vulnerability title -Description | String | Vulnerability description -Severity | String | Vulnerability Severity. 
Possible values are: “Low”, “Medium”, “High”, “Critical” -cvssV3 | Double | CVSS v3 score -exposedMachines | Long | Number of exposed devices -publishedOn | DateTime | Date when vulnerability was published -updatedOn | DateTime | Date when vulnerability was updated -publicExploit | Boolean | Public exploit exists -exploitVerified | Boolean | Exploit is verified to work -exploitInKit | Boolean | Exploit is part of an exploit kit -exploitTypes | String collection | Exploit impact. Possible values are: “Denial of service”, “Local privilege escalation”, “Denial of service” -exploitUris | String collection | Exploit source URLs +--- +title: Vulnerability methods and properties +description: Retrieves vulnerability information +keywords: apis, graph api, supported apis, get, vulnerability +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: dolmont +author: DulceMontemayor +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +--- + +# Vulnerability resource type + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + +**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +- Want to experience Microsoft Defender ATP? 
[Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +[!include[Prerelease information](../../includes/prerelease.md)] + +## Methods +Method |Return Type |Description +:---|:---|:--- +[Get all vulnerabilities](get-all-vulnerabilities.md) | Vulnerability collection | Retrieves a list of all the vulnerabilities affecting the organization +[Get vulnerability by Id](get-vulnerability-by-id.md) | Vulnerability | Retrieves vulnerability information by its ID +[List devices by vulnerability](get-machines-by-vulnerability.md)| MachineRef collection | Retrieve a list of devices that are associated with the vulnerability ID + + +## Properties +Property | Type | Description +:---|:---|:--- +id | String | Vulnerability ID +Name | String | Vulnerability title +Description | String | Vulnerability description +Severity | String | Vulnerability Severity. Possible values are: “Low”, “Medium”, “High”, “Critical” +cvssV3 | Double | CVSS v3 score +exposedMachines | Long | Number of exposed devices +publishedOn | DateTime | Date when vulnerability was published +updatedOn | DateTime | Date when vulnerability was updated +publicExploit | Boolean | Public exploit exists +exploitVerified | Boolean | Exploit is verified to work +exploitInKit | Boolean | Exploit is part of an exploit kit +exploitTypes | String collection | Exploit impact. Possible values are: “Denial of service”, “Local privilege escalation”, “Denial of service” +exploitUris | String collection | Exploit source URLs diff --git a/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md b/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md index cc9c36fae9..21348865a8 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md +++ b/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md 
@@ -19,6 +19,9 @@ ms.topic: article # Web content filtering +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + >[!IMPORTANT] >Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. 
@@ -76,12 +79,23 @@ To add a new policy: 4. Specify the policy scope. Select the device groups to specify where to apply the policy. Only devices in the selected device groups will be prevented from accessing websites in the selected categories. 5. Review the summary and save the policy. The policy may take up to 15 minutes to apply to your selected devices. +Tip: You can deploy a policy without selecting any category on a device group. This action will create an audit only policy, to help you understand user behavior before creating a block policy. + >[!NOTE] >If you are removing a policy or changing device groups at the same time, this might cause a delay in policy deployment. ->ProTip: You can deploy a policy without selecting any category on a device group. This action will create an audit only policy, to help you understand user behavior before creating a block policy. +### Allow specific websites -## Web content filtering cards and details +It is possible to override the blocked category in web content filtering to allow a single site by creating a custom indicator policy. The custom indicator policy will supersede the web content filtering policy when it is applied to the device group in question. + +1. Create a custom indicator in the Microsoft Defender Security Center by going to **Settings** > **Indicators** > **URL/Domain** > **Add Item** +2. Enter the domain of the site +3. Set the policy action to **Allow**. + +## Web content filtering + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + cards and details Select **Reports > Web protection** to view cards with information about web content filtering and web threat protection. The following cards provide summary information about web content filtering. 
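Review bot: The rebranding include was inserted into the middle of the `## Web content filtering cards and details` heading, so on the new side the heading reads only `## Web content filtering`, followed by the include and a stray `cards and details` line of body text. The same split hits `### Web content filtering summary card` in the next hunk of this file (-93,7 +107,10). The include is already added once under the page title in this file's first hunk, so these two insertions look like an automated match on the title text rather than an intended change. Restore the headings as `## Web content filtering cards and details` and `### Web content filtering summary card`, and drop the two extra include lines. Links that target the original heading anchors would likely stop resolving otherwise.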
@@ -93,7 +107,10 @@ In the first 30 days of using this feature, your organization might not have suf ![Image of web activity by category card](images/web-activity-by-category600.png) -### Web content filtering summary card +### Web content filtering + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + summary card This card displays the distribution of blocked access attempts across the different parent web content categories. Select one of the colored bars to view more information about a specific parent web category. diff --git a/windows/security/threat-protection/microsoft-defender-atp/web-protection-monitoring.md b/windows/security/threat-protection/microsoft-defender-atp/web-protection-monitoring.md index 748fd7d9dc..bcceac7999 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/web-protection-monitoring.md +++ b/windows/security/threat-protection/microsoft-defender-atp/web-protection-monitoring.md @@ -19,6 +19,9 @@ ms.topic: article # Monitor web browsing security +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-main-abovefoldlink&rtc=1) Web protection lets you monitor your organization’s web browsing security through reports under **Reports > Web protection** in the Microsoft Defender Security Center. The report contains cards that provide web threat detection statistics. diff --git a/windows/security/threat-protection/microsoft-defender-atp/web-protection-overview.md b/windows/security/threat-protection/microsoft-defender-atp/web-protection-overview.md index bd1b95e08a..717f128f7c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/web-protection-overview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/web-protection-overview.md 
@@ -19,6 +19,9 @@ ms.topic: article # Web protection +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-main-abovefoldlink&rtc=1) Web protection in Microsoft Defender ATP is a capability made up of [Web threat protection](web-threat-protection.md) and [Web content filtering](web-content-filtering.md). Web protection lets you secure your devices against web threats and helps you regulate unwanted content. You can find Web protection reports in the Microsoft Defender Security Center by going to **Reports > Web protection**. diff --git a/windows/security/threat-protection/microsoft-defender-atp/web-protection-response.md b/windows/security/threat-protection/microsoft-defender-atp/web-protection-response.md index 6faacb1439..41fb1e22a8 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/web-protection-response.md +++ b/windows/security/threat-protection/microsoft-defender-atp/web-protection-response.md @@ -19,6 +19,9 @@ ms.topic: article # Respond to web threats +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-main-abovefoldlink&rtc=1) Web protection in Microsoft Defender ATP lets you efficiently investigate and respond to alerts related to malicious websites and websites in your custom indicator list. 
@@ -68,4 +71,4 @@ With web protection in Microsoft Defender ATP, your end users will be prevented - [Web protection overview](web-protection-overview.md) - [Web content filtering](web-content-filtering.md) - [Web threat protection](web-threat-protection.md) -- [Monitor web security](web-protection-monitoring.md) \ No newline at end of file +- [Monitor web security](web-protection-monitoring.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/web-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/web-threat-protection.md index 4be0e00f08..d9d063c82f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/web-threat-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/web-threat-protection.md @@ -19,6 +19,9 @@ ms.topic: article # Protect your organization against web threats +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-main-abovefoldlink&rtc=1) Web threat protection is part of [Web protection](web-protection-overview.md) in Microsoft Defender ATP. It uses [network protection](network-protection.md) to secure your devices against web threats. By integrating with Microsoft Edge and popular third-party browsers like Chrome and Firefox, web threat protection stops web threats without a web proxy and can protect devices while they are away or on premises. Web threat protection stops access to phishing sites, malware vectors, exploit sites, untrusted or low-reputation sites, as well as sites that you have blocked in your [custom indicator list](manage-indicators.md). 
@@ -42,4 +45,4 @@ To turn on network protection on your devices: - [Web threat protection](web-threat-protection.md) - [Monitor web security](web-protection-monitoring.md) - [Respond to web threats](web-protection-response.md) -- [Network protection](network-protection.md) \ No newline at end of file +- [Network protection](network-protection.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md b/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md index 906f92f4f8..e86131af5d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md @@ -19,6 +19,9 @@ ms.topic: conceptual # What's new in Microsoft Defender ATP +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) @@ -35,6 +38,8 @@ For more information preview features, see [Preview features](https://docs.micro > https://docs.microsoft.com/api/search/rss?search=%22Microsoft+Defender+ATP+as+well+as+security+features+in+Windows+10+and+Windows+Server.%22&locale=en-us > ``` +## September 2020 +- [Microsoft Defender ATP for Android](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-android)
                        Microsoft Defender ATP now adds support for Android. Learn how to install, configure, update, and use Microsoft Defender ATP for Android. ## July 2020 - [Create indicators for certificates](manage-indicators.md)
                        Create indicators to allow or block certificates. @@ -139,7 +144,7 @@ Threat Analytics is a set of interactive reports published by the Microsoft Defe - [Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) - Antimalware Scan Interface (AMSI) was extended to cover Office VBA macros as well. [Office VBA + AMSI: Parting the veil on malicious macros](https://cloudblogs.microsoft.com/microsoftsecure/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/). - - Microsoft Defender Antivirus, new in Windows 10 version 1809, can now [run within a sandbox](https://cloudblogs.microsoft.com/microsoftsecure/2018/10/26/microsoft-defender-antivirus-can-now-run-in-a-sandbox/) (preview), increasing its security. + - Microsoft Defender Antivirus, new in Windows 10 version 1809, can now [run within a sandbox](https://www.microsoft.com/security/blog/2018/10/26/windows-defender-antivirus-can-now-run-in-a-sandbox) (preview), increasing its security. - [Configure CPU priority settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus) for Microsoft Defender Antivirus scans. diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md index 4f0891df0c..3956891c0c 100644 --- a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md +++ b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md @@ -33,29 +33,29 @@ SmartScreen uses registry-based Administrative Template policy settings. For mor
                        - + - - - - + + + + - + - + - + @@ -90,11 +90,11 @@ For Microsoft Defender SmartScreen Internet Explorer MDM policies, see [Policy C @@ -102,11 +102,11 @@ For Microsoft Defender SmartScreen Internet Explorer MDM policies, see [Policy C @@ -114,11 +114,11 @@ For Microsoft Defender SmartScreen Internet Explorer MDM policies, see [Policy C @@ -126,11 +126,11 @@ For Microsoft Defender SmartScreen Internet Explorer MDM policies, see [Policy C @@ -138,11 +138,11 @@ For Microsoft Defender SmartScreen Internet Explorer MDM policies, see [Policy C @@ -150,11 +150,11 @@ For Microsoft Defender SmartScreen Internet Explorer MDM policies, see [Policy C
                        - Modes / States / Key Sizes + Modes / States / Key Sizes - Algorithm Implementation and Certificate # + Algorithm Implementation and Certificate #
                        - PBKDF (vendor affirmed)

                         Kernel Mode Cryptographic Primitives Library (cng.sys) Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll) in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016 #2937
                        (Software Version: 10.0.14393)

                        Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016 #2936
                        (Software Version: 10.0.14393)

                        @@ -6654,7 +6654,7 @@ Version 6.3.9600
                        - PBKDF (vendor affirmed)

                        Kernel Mode Cryptographic Primitives Library (cng.sys) in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016 #2936
                        (Software Version: 10.0.14393)

                        Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG), vendor-affirmed

                        @@ -6672,8 +6672,8 @@ Version 6.3.9600
                        Publication / Component Validated / DescriptionImplementation and Certificate #Publication / Component Validated / DescriptionImplementation and Certificate #
                          diff --git a/windows/security/threat-protection/index.md b/windows/security/threat-protection/index.md index 3d52254721..b4f683756c 100644 --- a/windows/security/threat-protection/index.md +++ b/windows/security/threat-protection/index.md @@ -1,7 +1,7 @@ --- title: Threat Protection (Windows 10) -description: Learn how Microsoft Defender ATP helps protect against threats. -keywords: threat protection, Microsoft Defender Advanced Threat Protection, attack surface reduction, next generation protection, endpoint detection and response, automated investigation and response, microsoft threat experts, Microsoft Secure Score for Devices, advanced hunting, cyber threat hunting, web threat protection +description: Microsoft Defender Advanced Threat Protection is a unified platform for preventative protection, post-breach detection, automated investigation, and response. +keywords: threat protection, Microsoft Defender Advanced Threat Protection, attack surface reduction, next-generation protection, endpoint detection and response, automated investigation and response, microsoft threat experts, Microsoft Secure Score for Devices, advanced hunting, cyber threat hunting, web threat protection search.product: eADQiWindows 10XVcnh ms.prod: w10 ms.mktglfcycl: deploy @@ -27,7 +27,7 @@ ms.topic: conceptual

                        Threat & Vulnerability Management

                        Attack surface reduction

                        Next generation protection

                        Next-generation protection

                        Endpoint detection and response

                        Automated investigation and remediation

                        Microsoft Threat Experts
                        Events URLDepending on the location of your datacenter, select either the EU or the US URL:

                        For EU: https://wdatp-alertexporter-eu.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME
                        -
                        For US: https://wdatp-alertexporter-us.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME

                        For UK: https://wdatp-alertexporter-uk.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME
                        Depending on the location of your datacenter, select either the EU or the US URL:

                        For EU: https://wdatp-alertexporter-eu.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME
                        +
                        For US: https://wdatp-alertexporter-us.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME

                        For UK: https://wdatp-alertexporter-uk.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME
                        Authentication Type OAuth 2Browse to the location of the wdatp-connector.properties file. The name must match the file provided in the .zip that you downloaded.
                        Refresh TokenYou can obtain a refresh token in two ways: by generating a refresh token from the SIEM settings page or using the restutil tool.

                        For more information on generating a refresh token from the Preferences setup , see Enable SIEM integration in Microsoft Defender ATP.

                        Get your refresh token using the restutil tool:
                        a. Open a command prompt. Navigate to C:\folder_location\current\bin where folder_location represents the location where you installed the tool.

                        b. Type: arcsight restutil token -config from the bin directory.For example: arcsight restutil boxtoken -proxy proxy.location.hp.com:8080 A Web browser window will open.

                        c. Type in your credentials then click on the password field to let the page redirect. In the login prompt, enter your credentials.

                        d. A refresh token is shown in the command prompt.

                        e. Copy and paste it into the Refresh Token field. +
                        You can obtain a refresh token in two ways: by generating a refresh token from the SIEM settings page or using the restutil tool.

                        For more information on generating a refresh token from the Preferences setup , see Enable SIEM integration in Microsoft Defender ATP.

                        Get your refresh token using the restutil tool:
                        a. Open a command prompt. Navigate to C:\folder_location\current\bin where folder_location represents the location where you installed the tool.

                        b. Type: arcsight restutil token -config from the bin directory.For example: arcsight restutil boxtoken -proxy proxy.location.hp.com:8080 A Web browser window will open.

                        c. Type in your credentials then click on the password field to let the page redirect. In the login prompt, enter your credentials.

                        d. A refresh token is shown in the command prompt.

                        e. Copy and paste it into the Refresh Token field.
                        9 Microsoft Defender Advanced Threat Protection service failed to change its start type. Failure code: variable.During onboarding: The device did not onboard correctly and will not be reporting to the portal.

                        During offboarding: Failed to change the service start type. The offboarding process continues.
                        During onboarding: The device did not onboard correctly and will not be reporting to the portal.

                        During offboarding: Failed to change the service start type. The offboarding process continues.
                        Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
                        See Onboard Windows 10 devices.

                        Threat & Vulnerability Management

                        Attack surface reduction

                        Next generation protection

                        Next-generation protection

                        Endpoint detection and response

                        Automated investigation and remediation

                        Microsoft Threat Experts
                        Description
                        Windows 10, version 2004:
                        Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure Windows Defender SmartScreen

                        -

                        Windows 10, version 1703:
                        Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure Windows Defender SmartScreen

                        Windows 10, Version 1607 and earlier:
                        Administrative Templates\Windows Components\File Explorer\Configure Windows SmartScreen

                        Windows 10, version 2004:
                        Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure Windows Defender SmartScreen

                        +

                        Windows 10, version 1703:
                        Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure Windows Defender SmartScreen

                        Windows 10, Version 1607 and earlier:
                        Administrative Templates\Windows Components\File Explorer\Configure Windows SmartScreen

                        At least Windows Server 2012, Windows 8 or Windows RT This policy setting turns on Microsoft Defender SmartScreen.

                        If you enable this setting, it turns on Microsoft Defender SmartScreen and your employees are unable to turn it off. Additionally, when enabling this feature, you must also pick whether Microsoft Defender SmartScreen should Warn your employees or Warn and prevent bypassing the message (effectively blocking the employee from the site).

                        If you disable this setting, it turns off Microsoft Defender SmartScreen and your employees are unable to turn it on.

                        If you don't configure this setting, your employees can decide whether to use Microsoft Defender SmartScreen.

                        Windows 10, version 2004:
                        Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure App Install Control
                        Windows 10, version 1703:
                        Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure App Install Control
                        Windows 10, version 1703This policy setting is intended to prevent malicious content from affecting your user's devices when downloading executable content from the internet.

                        This setting does not protect against malicious content from USB devices, network shares or other non-internet sources.

                        Important: Using a trustworthy browser helps ensure that these protections work as expected.

                        Windows 10, version 2004:
                        Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure App Install Control
                        Windows 10, version 1703:
                        Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure App Install Control
                        Windows 10, version 1703This policy setting is intended to prevent malicious content from affecting your user's devices when downloading executable content from the internet.

                        This setting does not protect against malicious content from USB devices, network shares or other non-internet sources.

                        Important: Using a trustworthy browser helps ensure that these protections work as expected.

                        Windows 10, version 2004:
                        Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Configure Windows Defender SmartScreen

                        Windows 10, version 1703:
                        Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Configure Windows Defender SmartScreen

                        Windows 10, Version 1607 and earlier:
                        Administrative Templates\Windows Components\Microsoft Edge\Configure Windows SmartScreen

                        Windows 10, version 2004:
                        Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Configure Windows Defender SmartScreen

                        Windows 10, version 1703:
                        Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Configure Windows Defender SmartScreen

                        Windows 10, Version 1607 and earlier:
                        Administrative Templates\Windows Components\Microsoft Edge\Configure Windows SmartScreen

                        Microsoft Edge on Windows 10 or later This policy setting turns on Microsoft Defender SmartScreen.

                        If you enable this setting, it turns on Microsoft Defender SmartScreen and your employees are unable to turn it off.

                        If you disable this setting, it turns off Microsoft Defender SmartScreen and your employees are unable to turn it on.

                        If you don't configure this setting, your employees can decide whether to use Microsoft Defender SmartScreen.

                        Windows 10, version 2004:
                        Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for files

                        Windows 10, version 1703:
                        Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for files

                        Windows 10, Version 1511 and 1607:
                        Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows SmartScreen prompts for files

                        Windows 10, version 2004:
                        Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for files

                        Windows 10, version 1703:
                        Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for files

                        Windows 10, Version 1511 and 1607:
                        Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows SmartScreen prompts for files

                        Microsoft Edge on Windows 10, version 1511 or later This policy setting stops employees from bypassing the Microsoft Defender SmartScreen warnings about potentially malicious files.

                        If you enable this setting, it stops employees from bypassing the warning, stopping the file download.

                        If you disable or don't configure this setting, your employees can bypass the warnings and continue to download potentially malicious files.

                        Windows 10, version 2004:
                        Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for sites

                        Windows 10, version 1703:
                        Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for sites

                        Windows 10, Version 1511 and 1607:
                        Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows SmartScreen prompts for sites

                        Windows 10, version 2004:
                        Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for sites

                        Windows 10, version 1703:
                        Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for sites

                        Windows 10, Version 1511 and 1607:
                        Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows SmartScreen prompts for sites

                        Microsoft Edge on Windows 10, version 1511 or later This policy setting stops employees from bypassing the Microsoft Defender SmartScreen warnings about potentially malicious sites.

                        If you enable this setting, it stops employees from bypassing the warning, stopping them from going to the site.

                        If you disable or don't configure this setting, your employees can bypass the warnings and continue to visit a potentially malicious site.

                        Windows 10
                          -
                        • URI full path. ./Vendor/MSFT/Policy/Config/Browser/AllowSmartScreen
                        • -
                        • Data type. Integer
                        • -
                        • Allowed values:
                            -
                          • 0 . Turns off Microsoft Defender SmartScreen in Edge.
                          • -
                          • 1. Turns on Microsoft Defender SmartScreen in Edge.
                        +
                      • URI full path. ./Vendor/MSFT/Policy/Config/Browser/AllowSmartScreen
                      • +
                      • Data type. Integer
                      • +
                      • Allowed values:
                          +
                        • 0 . Turns off Microsoft Defender SmartScreen in Edge.
                        • +
                        • 1. Turns on Microsoft Defender SmartScreen in Edge.
                      • Windows 10, version 1703
                          -
                        • URI full path. ./Vendor/MSFT/Policy/Config/SmartScreen/EnableAppInstallControl
                        • -
                        • Data type. Integer
                        • -
                        • Allowed values:
                            -
                          • 0 . Turns off Application Installation Control, allowing users to download and install files from anywhere on the web.
                          • -
                          • 1. Turns on Application Installation Control, allowing users to install apps from the Microsoft Store only.
                        +
                      • URI full path. ./Vendor/MSFT/Policy/Config/SmartScreen/EnableAppInstallControl
                      • +
                      • Data type. Integer
                      • +
                      • Allowed values:
                          +
                        • 0 . Turns off Application Installation Control, allowing users to download and install files from anywhere on the web.
                        • +
                        • 1. Turns on Application Installation Control, allowing users to install apps from the Microsoft Store only.
                      • Windows 10, version 1703
                          -
                        • URI full path. ./Vendor/MSFT/Policy/Config/SmartScreen/EnableSmartScreenInShell
                        • -
                        • Data type. Integer
                        • -
                        • Allowed values:
                            -
                          • 0 . Turns off Microsoft Defender SmartScreen in Windows for app and file execution.
                          • -
                          • 1. Turns on Microsoft Defender SmartScreen in Windows for app and file execution.
                        +
                      • URI full path. ./Vendor/MSFT/Policy/Config/SmartScreen/EnableSmartScreenInShell
                      • +
                      • Data type. Integer
                      • +
                      • Allowed values:
                          +
                        • 0 . Turns off Microsoft Defender SmartScreen in Windows for app and file execution.
                        • +
                        • 1. Turns on Microsoft Defender SmartScreen in Windows for app and file execution.
                      • Windows 10, version 1703
                          -
                        • URI full path. ./Vendor/MSFT/Policy/Config/SmartScreen/PreventOverrideForFilesInShell
                        • -
                        • Data type. Integer
                        • -
                        • Allowed values:
                            -
                          • 0 . Employees can ignore Microsoft Defender SmartScreen warnings and run malicious files.
                          • -
                          • 1. Employees can't ignore Microsoft Defender SmartScreen warnings and run malicious files.
                        +
                      • URI full path. ./Vendor/MSFT/Policy/Config/SmartScreen/PreventOverrideForFilesInShell
                      • +
                      • Data type. Integer
                      • +
                      • Allowed values:
                          +
                        • 0 . Employees can ignore Microsoft Defender SmartScreen warnings and run malicious files.
                        • +
                        • 1. Employees can't ignore Microsoft Defender SmartScreen warnings and run malicious files.
                      • Windows 10, Version 1511 and later
                          -
                        • URI full path. ./Vendor/MSFT/Policy/Config/Browser/PreventSmartscreenPromptOverride
                        • -
                        • Data type. Integer
                        • -
                        • Allowed values:
                            -
                          • 0 . Employees can ignore Microsoft Defender SmartScreen warnings.
                          • -
                          • 1. Employees can't ignore Microsoft Defender SmartScreen warnings.
                        +
                      • URI full path. ./Vendor/MSFT/Policy/Config/Browser/PreventSmartscreenPromptOverride
                      • +
                      • Data type. Integer
                      • +
                      • Allowed values:
                          +
                        • 0 . Employees can ignore Microsoft Defender SmartScreen warnings.
                        • +
                        • 1. Employees can't ignore Microsoft Defender SmartScreen warnings.
                      • Windows 10, Version 1511 and later
                          -
                        • URI full path. ./Vendor/MSFT/Policy/Config/Browser/PreventSmartScreenPromptOverrideForFiles
                        • -
                        • Data type. Integer
                        • -
                        • Allowed values:
                            -
                          • 0 . Employees can ignore Microsoft Defender SmartScreen warnings for files.
                          • -
                          • 1. Employees can't ignore Microsoft Defender SmartScreen warnings for files.
                        +
                      • URI full path. ./Vendor/MSFT/Policy/Config/Browser/PreventSmartScreenPromptOverrideForFiles
                      • +
                      • Data type. Integer
                      • +
                      • Allowed values:
                          +
                        • 0 . Employees can ignore Microsoft Defender SmartScreen warnings for files.
                        • +
                        • 1. Employees can't ignore Microsoft Defender SmartScreen warnings for files.
                      • @@ -170,19 +170,19 @@ To better help you protect your organization, we recommend turning on and using
                        Administrative Templates\Windows Components\Microsoft Edge\Configure Windows Defender SmartScreenEnable. Turns on Microsoft Defender SmartScreen.Enable. Turns on Microsoft Defender SmartScreen.
                        Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for sitesEnable. Stops employees from ignoring warning messages and continuing to a potentially malicious website.Enable. Stops employees from ignoring warning messages and continuing to a potentially malicious website.
                        Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for filesEnable. Stops employees from ignoring warning messages and continuing to download potentially malicious files.Enable. Stops employees from ignoring warning messages and continuing to download potentially malicious files.
                        Administrative Templates\Windows Components\File Explorer\Configure Windows Defender SmartScreenEnable with the Warn and prevent bypass option. Stops employees from ignoring warning messages about malicious files downloaded from the Internet.Enable with the Warn and prevent bypass option. Stops employees from ignoring warning messages about malicious files downloaded from the Internet.

                        @@ -193,23 +193,23 @@ To better help you protect your organization, we recommend turning on and using

                        Browser/AllowSmartScreen1. Turns on Microsoft Defender SmartScreen.1. Turns on Microsoft Defender SmartScreen.
                        Browser/PreventSmartScreenPromptOverride1. Stops employees from ignoring warning messages and continuing to a potentially malicious website.1. Stops employees from ignoring warning messages and continuing to a potentially malicious website.
                        Browser/PreventSmartScreenPromptOverrideForFiles1. Stops employees from ignoring warning messages and continuing to download potentially malicious files.1. Stops employees from ignoring warning messages and continuing to download potentially malicious files.
                        SmartScreen/EnableSmartScreenInShell1. Turns on Microsoft Defender SmartScreen in Windows.

                        Requires at least Windows 10, version 1703.

                        1. Turns on Microsoft Defender SmartScreen in Windows.

                        Requires at least Windows 10, version 1703.

                        SmartScreen/PreventOverrideForFilesInShell1. Stops employees from ignoring warning messages about malicious files downloaded from the Internet.

                        Requires at least Windows 10, version 1703.

                        1. Stops employees from ignoring warning messages about malicious files downloaded from the Internet.

                        Requires at least Windows 10, version 1703.

                        diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md index 9bae1e6575..b39153d62c 100644 --- a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md +++ b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md @@ -1,6 +1,6 @@ --- title: Microsoft Defender SmartScreen overview (Windows 10) -description: Conceptual info about Microsoft Defender SmartScreen. +description: Learn how Microsoft Defender SmartScreen protects against phishing or malware websites and applications, and the downloading of potentially malicious files. keywords: SmartScreen Filter, Windows SmartScreen, Microsoft Defender SmartScreen ms.prod: w10 ms.mktglfcycl: explore diff --git a/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md b/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md index 15bf8bc91c..eaef387dbf 100644 --- a/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md +++ b/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md @@ -311,9 +311,9 @@ The following table lists EMET features in relation to Windows 10 features. - - + + diff --git a/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md b/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md index d726f7ff56..905bf8c06a 100644 --- a/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md +++ b/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md 
@@ -351,7 +351,7 @@ The following table details the hardware requirements for both virtualization-ba - + - + @@ -87,30 +87,30 @@ You can perform this task by using the Group Policy Management Console for an Ap - - + + - + - + - + - - + +
                        Specific EMET featuresHow these EMET features map
                        -to Windows 10 features
                        Specific EMET featuresHow these EMET features map
                        +to Windows 10 features

                        Virtualization extensions, such as Intel VT-x, AMD-V, and SLAT must be enabled

                        Required to support virtualization-based security.

                        -Note

                        Device Guard can be enabled without using virtualization-based security.

                        +Note

                        Device Guard can be enabled without using virtualization-based security.

                        @@ -533,7 +533,7 @@ If the TPM ownership is not known but the EK exists, the client library will pro As part of the provisioning process, Windows 10 will create an AIK with the TPM. When this operation is performed, the resulting AIK public portion is stored in the registry at the following location: **HKLM\\SYSTEM\\CurrentControlSet\\Services\\TPM\\WMI\\WindowsAIKPub** -> **Note:** For provisioning AIK certificates and filtering Internet access, you must authorize the following wildcard URL: https://\*.microsoftaik.azure.net +> **Note:** For provisioning AIK certificates and filtering Internet access, you must authorize the following wildcard URL: https://\*.microsoftaik.azure.net ### Windows 10 Health Attestation CSP diff --git a/windows/security/threat-protection/security-compliance-toolkit-10.md b/windows/security/threat-protection/security-compliance-toolkit-10.md index 9e241156a8..4941242b47 100644 --- a/windows/security/threat-protection/security-compliance-toolkit-10.md +++ b/windows/security/threat-protection/security-compliance-toolkit-10.md @@ -45,11 +45,13 @@ The Security Compliance Toolkit consists of: - Microsoft 365 Apps for enterprise (Sept 2019) - Microsoft Edge security baseline - - Version 80 + - Version 85 - Tools - Policy Analyzer tool - Local Group Policy Object (LGPO) tool + - Set Object Security tool + - GPO to PolicyRules tool - Scripts - Baseline-ADImport.ps1 
@@ -81,3 +83,15 @@ It can export local policy to a GPO backup. It can export the contents of a Registry Policy file to the “LGPO text” format that can then be edited, and can build a Registry Policy file from an LGPO text file. Documentation for the LGPO tool can be found on the [Microsoft Security Baselines blog](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/lgpo-exe-local-group-policy-object-utility-v1-0/ba-p/701045) or by [downloading the tool](https://www.microsoft.com/download/details.aspx?id=55319). + +## What is the Set Object Security tool? + +SetObjectSecurity.exe enables you to set the security descriptor for just about any type of Windows securable object (files, directories, registry keys, event logs, services, SMB shares, etc.). For file system and registry objects, you can choose whether to apply inheritance rules. You can also choose to output the security descriptor in a .reg-file-compatible representation of the security descriptor for a REG_BINARY registry value. + +Documentation for the Set Object Security tool can be found on the [Microsoft Security Baselines blog](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/new-amp-updated-security-tools/ba-p/1631613) or by [downloading the tool](https://www.microsoft.com/download/details.aspx?id=55319). + +## What is the GPO to Policy Rules tool? + +Automate the conversion of GPO backups to Policy Analyzer .PolicyRules files and skip the GUI. GPO2PolicyRules is a command-line tool that is included with the Policy Analyzer download. + +Documentation for the GPO to PolicyRules tool can be found on the [Microsoft Security Baselines blog](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/new-amp-updated-security-tools/ba-p/1631613) or by [downloading the tool](https://www.microsoft.com/download/details.aspx?id=55319). 
diff --git a/windows/security/threat-protection/security-policy-settings/accounts-administrator-account-status.md b/windows/security/threat-protection/security-policy-settings/accounts-administrator-account-status.md
index 1b01a9d308..242f47b39f 100644
--- a/windows/security/threat-protection/security-policy-settings/accounts-administrator-account-status.md
+++ b/windows/security/threat-protection/security-policy-settings/accounts-administrator-account-status.md
@@ -81,16 +81,13 @@ None. Changes to this policy become effective without a device restart when they ### Safe mode considerations -When you start a device in safe mode, the disabled administrator account is enabled only if the computer is non-domain joined and there are no other active local administrator accounts. If the computer is joined to a domain, the disabled administrator account is not enabled. -If the administrator account is disabled, you can still access the computer by using safe mode with the current administrative credentials. For example, if a failure occurs using a secure channel with a domain-joined computer, and there is no other local administrator account, you must restart the device in safe mode to fix the failure. +When you start a device in safe mode, the disabled administrator account is enabled only if the computer is non-domain joined and there are no other active local administrator accounts. In this case, you can access the computer by using safe mode with the current administrative credentials. If the computer is joined to a domain, the disabled administrator account is not enabled. ### How to access a disabled Administrator account You can use the following methods to access a disabled Administrator account: -- When there is only one local administrator account that is disabled, start the device in safe mode (locally or over a network), and sign in by using the credentials for the administrator account on that computer. -- When there are local administrator accounts in addition to the built-in account, start the computer in safe mode (locally or over a network), and sign in by using the credentials for the administrator account on that device. An alternate method is to sign in to Windows by using another local -Administrator account that was created. 
-- When multiple domain-joined servers have a disabled local Administrator account that can be accessed in safe mode, you can remotely run psexec by using the following command: **net user administrator /active: no**. +- For non-domain joined computers: when all the local administrator accounts are disabled, start the device in safe mode (locally or over a network), and sign in by using the credentials for the default local administrator account on that computer. +- For domain-joined computers: remotely run the command **net user administrator /active: yes** by using psexec to enable the default local administrator account. ## Security considerations diff --git a/windows/security/threat-protection/security-policy-settings/accounts-block-microsoft-accounts.md b/windows/security/threat-protection/security-policy-settings/accounts-block-microsoft-accounts.md index a41896c0f5..44ba58b22d 100644 --- a/windows/security/threat-protection/security-policy-settings/accounts-block-microsoft-accounts.md +++ b/windows/security/threat-protection/security-policy-settings/accounts-block-microsoft-accounts.md @@ -26,7 +26,7 @@ Describes the best practices, location, values, management, and security conside ## Reference -This setting prevents using the **Settings** app to add a Microsoft account for single sign-on (SSO) authentication for Microsoft services and some background services, or using a Microsoft account for single sign-on to other applications or services. +This setting prevents using the **Settings** app to add a Microsoft account for single sign-on (SSO) authentication for Microsoft services and some background services, or using a Microsoft account for single sign-on to other applications or services. For more details, see [Microsoft Accounts](https://docs.microsoft.com/windows/security/identity-protection/access-control/microsoft-accounts). There are two options if this setting is enabled: 
diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md index 98bcd11836..00e0451b37 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md @@ -61,7 +61,12 @@ This setting has these possible values: This change makes this setting consistent with the functionality of the new **Privacy** setting. To display no user information, enable the Group Policy setting **Interactive logon: Don't display last signed-in**. -- Blank. +- **Domain and user names only** + + For a domain logon only, the domain\username is displayed. + The **Privacy** setting is automatically on and grayed out. + +- **Blank** Default setting. This translates to “Not defined,” but it will display the user’s full name in the same manner as the option **User display name only**. 
@@ -89,7 +94,7 @@ For all versions of Windows 10, only the user display name is shown by default.
 If **Block user from showing account details on sign-in** is enabled, then only the user display name is shown regardless of any other Group Policy settings. Users will not be able to show details.
-If **Block user from showing account details on sign-in** is not enabled, then you can set **Interactive logon: Display user information when the session is locked** to **User display name, domain and user names** to show additional details such as domain\username.
+If **Block user from showing account details on sign-in** is not enabled, then you can set **Interactive logon: Display user information when the session is locked** to **User display name, domain and user names** or **Domain and user names only** to show additional details such as domain\username.
 In this case, clients that run Windows 10 version 1607 need [KB 4013429](https://www.catalog.update.microsoft.com/Search.aspx?q=KB4013429) applied. Users will not be able to hide additional details.
diff --git a/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md b/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md
index f5a0e5c08f..c93ec93b11 100644
--- a/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md
+++ b/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md
@@ -6,7 +6,6 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
-ms.localizationpriority: medium
 author: dansimp
 ms.date: 09/17/2018
 ms.reviewer:
@@ -91,9 +90,9 @@ In other words, the hotfix in each KB article provides the necessary code and fu
 | |Default SDDL |Translated SDDL| Comments
 |---|---|---|---|
-|Windows Server 2016 domain controller (reading Active Directory)|“”|-|Everyone has read permissions to preserve compatibility.|
+|Windows Server 2016 (or later) domain controller (reading Active Directory)|“”|-|Everyone has read permissions to preserve compatibility.|
 |Earlier domain controller |-|-|No access check is performed by default.|
-|Windows 10, version 1607 non-domain controller|O:SYG:SYD:(A;;RC;;;BA)| Owner: NTAUTHORITY/SYSTEM (WellKnownGroup) (S-1-5-18)
                        Primary group: NTAUTHORITY/SYSTEM (WellKnownGroup) (S-1-5-18)
                        DACL:
                        • Revision: 0x02
                        • Size: 0x0020
                        • Ace Count: 0x001
                        • Ace[00]-------------------------
                          AceType:0x00
                          (ACCESS\_ALLOWED_ACE_TYPE)
                          AceSize:0x0018
                          InheritFlags:0x00
                          Access Mask:0x00020000
                          AceSid: BUILTIN\Administrators (Alias) (S-1-5-32-544)

                          SACL: Not present |Grants RC access (READ_CONTROL, also known as STANDARD_RIGHTS_READ) only to members of the local (built-in) Administrators group. |
+|Windows 10, version 1607 (or later) non-domain controller|O:SYG:SYD:(A;;RC;;;BA)| Owner: NTAUTHORITY/SYSTEM (WellKnownGroup) (S-1-5-18)
                        Primary group: NTAUTHORITY/SYSTEM (WellKnownGroup) (S-1-5-18)
                        DACL:
                        • Revision: 0x02
                        • Size: 0x0020
                        • Ace Count: 0x001
                        • Ace[00]-------------------------
                          AceType:0x00
                          (ACCESS\_ALLOWED_ACE_TYPE)
                          AceSize:0x0018
                          InheritFlags:0x00
                          Access Mask:0x00020000
                          AceSid: BUILTIN\Administrators (Alias) (S-1-5-32-544)

                          SACL: Not present |Grants RC access (READ_CONTROL, also known as STANDARD_RIGHTS_READ) only to members of the local (built-in) Administrators group. |
 |Earlier non-domain controller |-|-|No access check is performed by default.|
 ## Policy management
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md
index 9fef84e4b2..14f67ae3d2 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md
@@ -83,6 +83,8 @@ Set this policy to *Disabled* or don't configure this security policy for domain
 If you don't set or you disable this policy, the PKU2U protocol won't be used to authenticate between peer devices, which forces users to follow domain-defined access control policies. If you enable this policy, you allow your users to authenticate by using local certificates between systems that aren't part of a domain that uses PKU2U. This configuration allows users to share resources between devices.
+Please be aware that some roles/features (such as Failover Clustering) do not utilize a domain account for its PKU2U authentication and will cease to function properly when disabling this policy.
+
 ## Related topics
 - [Security options](security-options.md)
diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC.md b/windows/security/threat-protection/windows-defender-application-control/TOC.md
index 1a4b279e16..a8f8114e8a 100644
--- a/windows/security/threat-protection/windows-defender-application-control/TOC.md
+++ b/windows/security/threat-protection/windows-defender-application-control/TOC.md
@@ -1,6 +1,7 @@
 # [Application Control for Windows](windows-defender-application-control.md)
 ## [WDAC and AppLocker Overview](wdac-and-applocker-overview.md)
 ### [WDAC and AppLocker Feature Availability](feature-availability.md)
+### [Virtualization-based code integrity](../device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)
 ## [WDAC design guide](windows-defender-application-control-design-guide.md)
@@ -9,6 +10,7 @@
 #### [Understand WDAC policy design decisions](understand-windows-defender-application-control-policy-design-decisions.md)
 #### [Understand WDAC policy rules and file rules](select-types-of-rules-to-create.md)
 #### [Authorize apps deployed with a WDAC managed installer](use-windows-defender-application-control-with-managed-installer.md)
+##### [Configure a WDAC managed installer](configure-wdac-managed-installer.md)
 #### [Authorize reputable apps with Intelligent Security Graph (ISG)](use-windows-defender-application-control-with-intelligent-security-graph.md)
 #### [Use multiple WDAC policies](deploy-multiple-windows-defender-application-control-policies.md)
 #### [Microsoft recommended block rules](microsoft-recommended-block-rules.md)
@@ -40,7 +42,8 @@
 ## [Windows Defender Application Control operational guide](windows-defender-application-control-operational-guide.md)
-### [Understanding Application Control events](event-id-explanations.md)
+### [Understanding Application Control event IDs](event-id-explanations.md)
+### [Understanding Application Control event tags](event-tag-explanations.md)
 ### [Query WDAC events with Advanced hunting](querying-application-control-events-centrally-using-advanced-hunting.md)
 ## [AppLocker](applocker\applocker-overview.md)
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-for-packaged-apps.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-for-packaged-apps.md index 7ac5a2faeb..1f35434f95 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-for-packaged-apps.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-for-packaged-apps.md @@ -59,12 +59,12 @@ You can perform this task by using the Group Policy Management Console for an Ap

                        Use an installed packaged app as a reference

                        Use an installed packaged app as a reference

                        If selected, AppLocker requires you to choose an app that is already installed on which to base your new rule. AppLocker uses the publisher, package name and package version to define the rule.

                        You want the Sales group only to use the app named Microsoft.BingMaps for its outside sales calls. The Microsoft.BingMaps app is already installed on the device where you are creating the rule, so you choose this option, and select the app from the list of apps installed on the computer and create the rule using this app as a reference.

                        Use a packaged app installer as a reference

                        Use a packaged app installer as a reference

                        If selected, AppLocker requires you to choose an app installer on which to base your new rule. A packaged app installer has the .appx extension. AppLocker uses the publisher, package name and package version of the installer to define the rule.

                        Your company has developed a number of internal line-of-business packaged apps. The app installers are stored on a common file share. Employees can install the required apps from that file share. You want to allow all your employees to install the Payroll app from this share. So you choose this option from the wizard, browse to the file share and choose the installer for the Payroll app as a reference to create your rule.

                        Applies to Any publisher

                        This is the least restrictive scope condition for an Allow rule. It permits every packaged app to run or install.

                        -

                        Conversely, if this is a Deny rule, then this option is the most restrictive because it denies all apps from installing or running.

                        Applies to Any publisher

                        This is the least restrictive scope condition for an Allow rule. It permits every packaged app to run or install.

                        +

                        Conversely, if this is a Deny rule, then this option is the most restrictive because it denies all apps from installing or running.

                        You want the Sales group to use any packaged app from any signed publisher. You set the permissions to allow the Sales group to be able to run any app.

                        Applies to a specific Publisher

                        Applies to a specific Publisher

                        This scopes the rule to all apps published by a particular publisher.

                        You want to allow all your users to install apps published by the publisher of Microsoft.BingMaps. You could select Microsoft.BingMaps as a reference and choose this rule scope.

                        Applies to a Package name

                        Applies to a Package name

                        This scopes the rule to all packages that share the publisher name and package name as the reference file.

                        You want to allow your Sales group to install any version of the Microsoft.BingMaps app. You could select the Microsoft.BingMaps app as a reference and choose this rule scope.

                        Applies to a Package version

                        Applies to a Package version

                        This scopes the rule to a particular version of the package.

                        You want to be very selective in what you allow. You do not want to implicitly trust all future updates of the Microsoft.BingMaps app. You can limit the scope of your rule to the version of the app currently installed on your reference computer.

                        Applying custom values to the rule

                        Selecting the Use custom values check box allows you to adjust the scope fields for your particular circumstance.

                        You want to allow users to install all Microsoft.Bing* applications which include Microsoft.BingMaps, Microsoft.BingWeather, Microsoft.BingMoney. You can choose the Microsoft.BingMaps as a reference, select the Use custom values check box and edit the package name field by adding “Microsoft.Bing*” as the Package name.

                        Selecting the Use custom values check box allows you to adjust the scope fields for your particular circumstance.

                        You want to allow users to install all Microsoft.Bing* applications which include Microsoft.BingMaps, Microsoft.BingWeather, Microsoft.BingMoney. You can choose the Microsoft.BingMaps as a reference, select the Use custom values check box and edit the package name field by adding “Microsoft.Bing*” as the Package name.

                        diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-application-list.md b/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-application-list.md index 3cac5abbce..c43cf96fee 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-application-list.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-application-list.md @@ -99,9 +99,9 @@ The following table provides an example of how to list applications for each bus
                        ->Note: AppLocker only supports publisher rules for Universal Windows apps. Therefore, collecting the installation path information for Universal Windows apps is not necessary. +>Note: AppLocker only supports publisher rules for Universal Windows apps. Therefore, collecting the installation path information for Universal Windows apps is not necessary. -Event processing +Event processing As you create your list of apps, you need to consider how to manage the events that are generated by user access, or you need to deny running those apps to make your users as productive as possible. The following list is an example of what to consider and what to record: diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/maintain-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/maintain-applocker-policies.md index 2f56b9e1e8..3e7f0169c7 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/maintain-applocker-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/maintain-applocker-policies.md @@ -1,6 +1,6 @@ --- title: Maintain AppLocker policies (Windows 10) -description: This topic describes how to maintain rules within AppLocker policies. +description: Learn how to maintain rules within AppLocker policies. View common AppLocker maintenance scenarios and see the methods to use to maintain AppLocker policies. ms.assetid: b4fbfdfe-ef3d-49e0-a390-f2dfe74602bc ms.reviewer: ms.author: dansimp diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md b/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md index 90bf198903..35e51ee350 100644 
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md @@ -277,7 +277,7 @@ The following table is an example of what to consider and record.
                        -Policy maintenance policy +Policy maintenance policy When applications are identified and policies are created for application control, then you can begin documenting how you intend to update those policies. The following table is an example of what to consider and record. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md index 5bfe8d38ed..1d132ac242 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md @@ -131,7 +131,7 @@ An AppLocker policy deployment plan is the result of investigating which applica
                        -Event processing policy +Event processing policy @@ -169,7 +169,7 @@ An AppLocker policy deployment plan is the result of investigating which applica
                        -Policy maintenance policy +Policy maintenance policy diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-policy-design-decisions.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-policy-design-decisions.md index 7baf71b5df..a8bfeff845 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-policy-design-decisions.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-policy-design-decisions.md @@ -119,7 +119,7 @@ If your organization supports multiple Windows operating systems, app control po

                        AppLocker rules are only applied to computers running the supported versions of Windows, but SRP rules can be applied to all versions of Windows beginning with Windows XP and Windows Server 2003. For specific operating system version requirements, see Requirements to use AppLocker.

                        -Note

                        If you are using the Basic User security level as assigned in SRP, those privileges are not supported on computers running that support AppLocker.

                        +Note

                        If you are using the Basic User security level as assigned in SRP, those privileges are not supported on computers running that support AppLocker.

                        diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md index 610fcc1a0c..f051177f0c 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md @@ -14,7 +14,6 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 -ms.assetid: 10c3597f-f44c-4c8e-8fe5-105d4ac016a6 ms.reviewer: --- diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker.md index 2ddcbb332e..eab62e36b7 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker.md @@ -119,7 +119,7 @@ The following table compares AppLocker to Software Restriction Policies.
                        -Application control function differences +Application control function differences The following table compares the application control functions of Software Restriction Policies (SRP) and AppLocker. @@ -141,7 +141,7 @@ The following table compares the application control functions of Software Restr

                        SRP policies can be applied to all Windows operating systems beginning with Windows XP and Windows Server 2003.

                        AppLocker policies apply only to those supported operating system versions and editions listed in Requirements to use AppLocker. But these systems can also use SRP.

                        -Note

                        Use different GPOs for SRP and AppLocker rules.

                        +Note

                        Use different GPOs for SRP and AppLocker rules.

                        diff --git a/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md b/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md new file mode 100644 index 0000000000..b7f98f9949 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md 
@@ -0,0 +1,160 @@
+---
+title: Configure a WDAC managed installer (Windows 10)
+description: Explains how to configure a custom Manged Installer.
+keywords: security, malware
+ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+audience: ITPro
+ms.collection: M365-security-compliance
+author: jsuther1974
+ms.reviewer: isbrahm
+ms.author: dansimp
+manager: dansimp
+ms.date: 08/14/2020
+---
+
+# Configuring a managed installer with AppLocker and Windows Defender Application Control
+
+**Applies to:**
+
+- Windows 10
+- Windows Server 2019
+
+Setting up managed installer tracking and application execution enforcement requires applying both an AppLocker and WDAC policy with specific rules and options enabled.
+There are three primary steps to keep in mind:
+
+- Specify managed installers by using the Managed Installer rule collection in AppLocker policy.
+- Enable service enforcement in AppLocker policy.
+- Enable the managed installer option in a WDAC policy.
+
+## Specify managed installers using the Managed Installer rule collection in AppLocker policy
+
+The identity of the managed installer executable(s) is specified in an AppLocker policy in a Managed Installer rule collection.
+
+### Create Managed Installer rule collection
+
+Currently, neither the AppLocker policy creation UI in GPO Editor nor the PowerShell cmdlets allow for directly specifying rules for the Managed Installer rule collection. However, a text editor can be used to make the simple changes needed to an EXE or DLL rule collection policy to specify Type="ManagedInstaller", so that the new rule can be imported into a GPO.
+
+1. Use [New-AppLockerPolicy](https://docs.microsoft.com/powershell/module/applocker/new-applockerpolicy?view=win10-ps) to make an EXE rule for the file you are designating as a managed installer. Note that only EXE file types can be designated as managed installers.
Below is an example using the rule type Publisher with a hash fallback, but other rule types can be used as well. You may need to reformat the output for readability. + + ```powershell + Get-ChildItem | Get-AppLockerFileInformation | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Xml > AppLocker_MI_PS_ISE.xml + ``` + +2. Manually rename the rule collection to ManagedInstaller + + Change + + ```powershell + + ``` + + to + + ```powershell + + ``` + +An example of a valid Managed Installer rule collection using Microsoft Endpoint Config Manager (MEMCM) is shown below. + +```xml + + + + + + + + + + + + + + + + +``` + +### Enable service enforcement in AppLocker policy + +Since many installation processes rely on services, it is typically necessary to enable tracking of services. +Correct tracking of services requires the presence of at least one rule in the rule collection, so a simple audit only rule will suffice. This can be added to the policy created above which specifies your managed installer rule collection. + +For example: + +```xml + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` + +## Enable the managed installer option in WDAC policy + +In order to enable trust for the binaries laid down by managed installers, the Enabled: Managed Installer option must be specified in your WDAC policy. +This can be done by using the [Set-RuleOption cmdlet](https://docs.microsoft.com/powershell/module/configci/set-ruleoption) with Option 13. + +Below are steps to create a WDAC policy which allows Windows to boot and enables the managed installer option. + +1. Copy the DefaultWindows_Audit policy into your working folder from C:\Windows\schemas\CodeIntegrity\ExamplePolicies\DefaultWindows_Audit.xml + +2. Reset the policy ID to ensure it is in multiple policy format and give it a different GUID from the example policies. Also give it a friendly name to help with identification. + + Ex. 
+
+ ```powershell
+ Set-CIPolicyIdInfo -FilePath -PolicyName "" -ResetPolicyID
+ ```
+
+3. Set Option 13 (Enabled:Managed Installer)
+
+ ```powershell
+ Set-RuleOption -FilePath -Option 13
+ ```
+
+## Set the AppLocker filter driver to autostart
+
+To enable the managed installer, you need to set the AppLocker filter driver to autostart and start it.
+
+To do so, run the following command as an Administrator:
+
+```console
+appidtel.exe start [-mionly]
+```
+
+Specify `-mionly` if you will not use the Intelligent Security Graph (ISG).
+
+## Enabling managed installer logging events
+
+Refer to [Understanding Application Control Events](event-id-explanations.md#optional-intelligent-security-graph-isg-or-managed-installer-mi-diagnostic-events) for information on enabling optional managed installer diagnostic events.
diff --git a/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md
index a7e35f839e..da15b10af4 100644
--- a/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md
+++ b/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md
@@ -3,9 +3,6 @@ title: Create a code signing cert for Windows Defender Application Control (Win
 description: Learn how to set up a publicly-issued code signing certificate, so you can sign catalog files or WDAC policies internally.
 keywords: security, malware
 ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
-ms.reviewer:
-manager: dansimp
-ms.author: dansimp
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md
index f4ee690c02..bf44f8cd81 100644
--- a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md
@@ -14,7 +14,7 @@ author: jsuther1974
 ms.reviewer: isbrahm
 ms.author: dansimp
 manager: dansimp
-ms.date: 04/15/2020
+ms.date: 09/16/2020
 ---
 # Use multiple Windows Defender Application Control Policies
@@ -24,7 +24,7 @@ ms.date: 04/15/2020
 - Windows 10
 - Windows Server 2016
-The restriction of only having a single code integrity policy active on a system at any given time has felt limiting for customers in situations where multiple policies with different intents would be useful. Beginning with Windows 10 version 1903, WDAC supports multiple simultaneous code integrity policies for one device in order to enable the following scenarios:
+The restriction of only having a single code integrity policy active on a system at any given time has felt limiting for customers in situations where multiple policies with different intents would be useful. Beginning with Windows 10 version 1903, WDAC supports up to 32 active policies on a device at once in order to enable the following scenarios:
 1. Enforce and Audit Side-by-Side - To validate policy changes before deploying in enforcement mode, users can now deploy an audit-mode base policy side-by-side with an existing enforcement-mode base policy
@@ -44,7 +44,7 @@ The restriction of only having a single code integrity policy active on a system
 - Multiple base policies: intersection
 - Only applications allowed by both policies run without generating block events
 - Base + supplemental policy: union
- - Files that are allowed by the base policy or the supplemental policy are not blocked
+ - Files that are allowed by either the base policy or the supplemental policy are not blocked
 ## Creating WDAC policies in Multiple Policy Format
diff --git a/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md
index b1e6b39844..9b387d559d 100644
--- a/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md
@@ -1,6 +1,6 @@
 ---
 title: Disable Windows Defender Application Control policies (Windows 10)
-description: This topic covers how to disable unsigned or signed WDAC policies.
+description: Learn how to disable both signed and unsigned Windows Defender Application Control policies, within Windows and within the BIOS.
 keywords: security, malware
 ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
 ms.prod: w10
diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md
index 965a842f19..444430a762 100644
--- a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md
+++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md
@@ -1,6 +1,6 @@ --- -title: Understanding Application Control events (Windows 10) -description: Learn what different Windows Defender Application Control events signify. +title: Understanding Application Control event IDs (Windows 10) +description: Learn what different Windows Defender Application Control event IDs signify. keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb ms.prod: w10 @@ -21,8 +21,9 @@ ms.date: 3/17/2020 A Windows Defender Application Control (WDAC) policy logs events locally in Windows Event Viewer in either enforced or audit mode. These events are generated under two locations: -1. Event IDs beginning with 30 appear in Applications and Services logs – Microsoft – Windows – CodeIntegrity – Operational -2. Event IDs beginning with 80 appear in Applications and Services logs – Microsoft – Windows – AppLocker – MSI and Script + - Event IDs beginning with 30 appear in Applications and Services logs – Microsoft – Windows – CodeIntegrity – Operational + + - Event IDs beginning with 80 appear in Applications and Services logs – Microsoft – Windows – AppLocker – MSI and Script ## Microsoft Windows CodeIntegrity Operational log event IDs @@ -30,7 +31,7 @@ A Windows Defender Application Control (WDAC) policy logs events locally in Wind |----------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | 3076 | Audit executable/dll file | | 3077 | Block executable/dll file | -| 3089 | Signing information event correlated with either a 3076 or 3077 event. One 3089 event is generated for each signature of a file. Contains the total number of signatures on a file and an index as to which signature it is.
                        Unsigned files will generate a single 3089 event with TotalSignatureCount 0. Correlated in the “System” portion of the event data under “Correlation ActivityID”. | +| 3089 | Signing information event correlated with either a 3076 or 3077 event. One 3089 event is generated for each signature of a file. Contains the total number of signatures on a file and an index as to which signature it is.
                        Unsigned files will generate a single 3089 event with TotalSignatureCount 0. Correlated in the "System" portion of the event data under "Correlation ActivityID". | | 3099 | Indicates that a policy has been loaded | ## Microsoft Windows Applocker MSI and Script log event IDs @@ -39,7 +40,7 @@ A Windows Defender Application Control (WDAC) policy logs events locally in Wind |----------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | 8028 | Audit script/MSI file generated by Windows LockDown Policy (WLDP) being called by the scripthosts themselves. Note: there is no WDAC enforcement on 3rd party scripthosts. | | 8029 | Block script/MSI file | -| 8038 | Signing information event correlated with either a 8028 or 8029 event. One 8038 event is generated for each signature of a script file. Contains the total number of signatures on a script file and an index as to which signature it is. Unsigned script files will generate a single 8038 event with TotalSignatureCount 0. Correlated in the “System” portion of the event data under “Correlation ActivityID”. | | +| 8038 | Signing information event correlated with either a 8028 or 8029 event. One 8038 event is generated for each signature of a script file. Contains the total number of signatures on a script file and an index as to which signature it is. Unsigned script files will generate a single 8038 event with TotalSignatureCount 0. Correlated in the "System" portion of the event data under "Correlation ActivityID". | | ## Optional Intelligent Security Graph (ISG) or Managed Installer (MI) diagnostic events 
@@ -70,11 +71,12 @@ Below are the fields which help to diagnose what a 3090, 3091, or 3092 event ind In order to enable 3091 audit events and 3092 block events, you must create a TestFlags regkey with a value of 0x100. You can do so using the following PowerShell command: - ```powershell - reg add hklm\system\currentcontrolset\control\ci -v TestFlags -t REG_DWORD -d 0x100 - ``` -In order to enable 3090 allow events, you must create a TestFlags regkey with a value of 0x300. You can do so using the following PowerShell command: +```powershell +reg add hklm\system\currentcontrolset\control\ci -v TestFlags -t REG_DWORD -d 0x100 +``` + +In order to enable 3090 allow events as well as 3091 and 3092 events, you must instead create a TestFlags regkey with a value of 0x300. You can do so using the following PowerShell command: - ```powershell - reg add hklm\system\currentcontrolset\control\ci -v TestFlags -t REG_DWORD -d 0x300 - ``` +```powershell +reg add hklm\system\currentcontrolset\control\ci -v TestFlags -t REG_DWORD -d 0x300 +``` diff --git a/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations.md new file mode 100644 index 0000000000..455177e5c9 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations.md 
@@ -0,0 +1,83 @@ +--- +title: Understanding Application Control event tags (Windows 10) +description: Learn what different Windows Defender Application Control event tags signify. +keywords: security, malware +ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +audience: ITPro +ms.collection: M365-security-compliance +author: jsuther1974 +ms.reviewer: isbrahm +ms.author: dansimp +manager: dansimp +ms.date: 8/27/2020 +--- + +# Understanding Application Control event tags + +Windows Defender Application Control (WDAC) events include a number of fields which provide helpful troubleshooting information to figure out exactly what an event means. Below, we have documented the values and meanings for a few useful event tags. + +## SignatureType + +Represents the type of signature which verified the image. + +| SignatureType Value | Explanation | +|----------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 0 | Unsigned or verification has not been attempted | +| 1 | Embedded signature | +| 2 | Cached signature; presence of CI EA shows that file had been previously verified | +| 4 | Un-cached catalog verified via Catalog Database or searching catalog directly | +| 5 | Successfully verified using an EA that informs CI which catalog to try first | +|6 | AppX / MSIX package catalog verified | +| 7 | File was verified | + +## ValidatedSigningLevel + +Represents the signature level at which the code was verified. 
+ +| ValidatedSigningLevel Value | Explanation | +|----------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 0 | Signing level has not yet been checked | +| 1 | File is unsigned | +| 2 | Trusted by WDAC policy | +| 3 | Developer signed code | +| 4 | Authenticode signed | +| 5 | Microsoft Store signed app PPL (Protected Process Light) | +| 6 | Microsoft Store-signed | +| 7 | Signed by an Antimalware vendor whose product is using AMPPL | +| 8 | Microsoft signed | +| 11 | Only used for signing of the .NET NGEN compiler | +| 12 | Windows signed | +| 14 | Windows Trusted Computing Base signed | + +## VerificationError + +Represents why verification failed, or if it succeeded. 
+ +| VerificationError Value | Explanation | +|----------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 0 | Successfully verified signature | +| 2 | File contains shared writable sections | +| 4 | Revoked signature | +| 5 | Expired signature | +| 7 | Invalid root certificate | +| 8 | Signature was unable to be validated; generic error | +| 9 | Signing time not trusted | +| 12 | Not valid for a PPL (Protected Process Light) | +| 13 | Not valid for a PP (Protected Process) | +| 15 | Failed WHQL check | +| 16 | Default policy signing level not met | +| 17 | Custom policy signing level not met; returned when signature doesn't validate against an SBCP-defined set of certs | +| 18 | Custom signing level not met; returned if signature fails to match CISigners in UMCI | +| 19 | Binary is revoked by file hash | +| 20 | SHA1 cert hash's timestamp is missing or after valid cutoff as defined by Weak Crypto Policy | +| 21 | Failed to pass WDAC policy | +| 22 | Not IUM (Isolated User Mode) signed; indicates trying to load a non-trustlet binary into a trustlet | +| 23 | Invalid image hash | +| 24 | Flight root not allowed; indicates trying to run flight-signed code on production OS | +| 26 | Explicitly denied by WADC policy | +| 28 | Resource page hash mismatch | diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md index 443397ada3..06d6ee7d8f 100644 --- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md 
+++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md 
@@ -24,38 +24,55 @@ ms.date: 04/09/2019 - Windows 10 - Windows Server 2016 and above -Members of the security community\* continuously collaborate with Microsoft to help protect customers. With the help of their valuable reports, Microsoft has identified a list of valid applications that an attacker could also potentially use to bypass Windows Defender Application Control. +Members of the security community* continuously collaborate with Microsoft to help protect customers. With the help of their valuable reports, Microsoft has identified a list of valid applications that an attacker could also potentially use to bypass Windows Defender Application Control. Unless your use scenarios explicitly require them, Microsoft recommends that you block the following applications. These applications or files can be used by an attacker to circumvent application allow policies, including Windows Defender Application Control: - addinprocess.exe - addinprocess32.exe - addinutil.exe +- aspnet_compiler.exe - bash.exe -- bginfo.exe[1] +- bginfo.exe1 - cdb.exe - csi.exe - dbghost.exe - dbgsvc.exe - dnx.exe +- dotnet.exe - fsi.exe - fsiAnyCpu.exe +- infdefaultinstall.exe - kd.exe -- ntkd.exe +- kill.exe - lxssmanager.dll -- msbuild.exe[2] +- lxrun.exe +- Microsoft.Build.dll +- Microsoft.Build.Framework.dll +- Microsoft.Workflow.Compiler.exe +- msbuild.exe2 +- msbuild.dll - mshta.exe +- ntkd.exe - ntsd.exe +- powershellcustomhost.exe - rcsi.exe +- runscripthelper.exe +- texttransform.exe +- visualuiaverifynative.exe - system.management.automation.dll +- wfc.exe - windbg.exe - wmic.exe +- wsl.exe +- wslconfig.exe +- wslhost.exe -[1]A vulnerability in bginfo.exe has been fixed in the latest version 4.22. If you use BGInfo, for security, make sure to download and run the latest version here [BGInfo 4.22](https://docs.microsoft.com/sysinternals/downloads/bginfo). Note that BGInfo versions earlier than 4.22 are still vulnerable and should be blocked. 
+1 A vulnerability in bginfo.exe has been fixed in the latest version 4.22. If you use BGInfo, for security, make sure to download and run the latest version here [BGInfo 4.22](https://docs.microsoft.com/sysinternals/downloads/bginfo). Note that BGInfo versions earlier than 4.22 are still vulnerable and should be blocked. -[2]If you are using your reference system in a development context and use msbuild.exe to build managed applications, we recommend that you allow msbuild.exe in your code integrity policies. However, if your reference system is an end user device that is not being used in a development context, we recommend that you block msbuild.exe. +2 If you are using your reference system in a development context and use msbuild.exe to build managed applications, we recommend that you allow msbuild.exe in your code integrity policies. However, if your reference system is an end user device that is not being used in a development context, we recommend that you block msbuild.exe. -*Microsoft recognizes the efforts of those in the security community who help us protect customers through responsible vulnerability disclosure, and extends thanks to the following people: +* Microsoft recognizes the efforts of those in the security community who help us protect customers through responsible vulnerability disclosure, and extends thanks to the following people:
                        @@ -121,44 +138,45 @@ Pick the correct version of each .dll for the Windows release you plan to suppor + + + + + - + + + + + + + + + - - + + + + + + - - - - - - - - - - + - + + + + - - - + + + + + - - - - - - - - - - - - @@ -859,48 +877,51 @@ Pick the correct version of each .dll for the Windows release you plan to suppor + + + + + - - - - - - - - + + + + + + + + + + + - + + + + - - - + + + + + - - - - - - - - + - - - - + diff --git a/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md b/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md index 9c6d253b10..61a59f78bf 100644 --- a/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md +++ b/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md @@ -1,6 +1,6 @@ --- title: Plan for WDAC policy management (Windows 10) -description: How to plan for Windows Defender Application Control (WDAC) policy management. +description: Learn about the decisions you need to make to establish the processes for managing and maintaining Windows Defender Application Control policies. keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb ms.prod: w10 diff --git a/windows/security/threat-protection/windows-defender-application-control/querying-application-control-events-centrally-using-advanced-hunting.md b/windows/security/threat-protection/windows-defender-application-control/querying-application-control-events-centrally-using-advanced-hunting.md index 3b0e313266..19bcd021e5 100644 --- a/windows/security/threat-protection/windows-defender-application-control/querying-application-control-events-centrally-using-advanced-hunting.md 
+++ b/windows/security/threat-protection/windows-defender-application-control/querying-application-control-events-centrally-using-advanced-hunting.md @@ -30,10 +30,10 @@ This capability is supported beginning with Windows version 1607. Here is a simple example query that shows all the WDAC events generated in the last seven days from machines being monitored by Microsoft Defender ATP: ``` -MiscEvents -| where EventTime > ago(7d) and +DeviceEvents +| where Timestamp > ago(7d) and ActionType startswith "AppControl" -| summarize Machines=dcount(ComputerName) by ActionType +| summarize Machines=dcount(DeviceName) by ActionType | order by Machines desc ``` diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md index e14032719c..134df74024 100644 --- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md @@ -1,6 +1,6 @@ --- title: Understand WDAC policy rules and file rules (Windows 10) -description: Windows Defender Application Control (WDAC) provides control over a computer running Windows 10 by using policies that specify whether a driver or application is trusted and can be run. A policy includes *policy rules* that control options. +description: Learn how Windows Defender Application Control provides control over a computer running Windows 10 by using policies that include policy rules and file rules. keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb ms.prod: w10 
diff --git a/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md b/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md index 266e60b744..ae0cd53f63 100644 --- a/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md +++ b/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md @@ -3,9 +3,7 @@ title: Understand Windows Defender Application Control policy design decisions description: Understand Windows Defender Application Control policy design decisions. keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb -ms.reviewer: manager: dansimp -ms.author: dansimp ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -16,7 +14,6 @@ ms.collection: M365-security-compliance author: jsuther1974 ms.reviewer: isbrahm ms.author: dansimp -manager: dansimp ms.date: 02/08/2018 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications.md b/windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications.md index 555168716a..f49176ee48 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications.md 
@@ -3,9 +3,6 @@ title: Use code signing to simplify application control for classic Windows appl
 description: With embedded signing, your WDAC policies typically do not have to be updated when an app is updated. To set this up, you can choose from a variety of methods.
 keywords: security, malware
 ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
-ms.reviewer:
-manager: dansimp
-ms.author: dansimp
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-application-control/use-device-guard-signing-portal-in-microsoft-store-for-business.md b/windows/security/threat-protection/windows-defender-application-control/use-device-guard-signing-portal-in-microsoft-store-for-business.md
index d050e42b00..766037be4b 100644
--- a/windows/security/threat-protection/windows-defender-application-control/use-device-guard-signing-portal-in-microsoft-store-for-business.md
+++ b/windows/security/threat-protection/windows-defender-application-control/use-device-guard-signing-portal-in-microsoft-store-for-business.md
@@ -3,8 +3,6 @@ title: Use the Device Guard Signing Portal in the Microsoft Store for Business
 description: You can sign code integrity policies with the Device Guard signing portal to prevent them from being tampered with after they're deployed.
 keywords: security, malware
 ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
-ms.reviewer:
-manager: dansimp
 ms.author: dansimp
 ms.prod: w10
 ms.mktglfcycl: deploy
@@ -15,7 +13,6 @@ audience: ITPro
 ms.collection: M365-security-compliance
 author: jsuther1974
 ms.reviewer: isbrahm
-ms.author: dansimp
 manager: dansimp
 ms.date: 02/19/2019
 ---
diff --git a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md
index 5bbcb531fa..f5a09fc5c6 100644
--- a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md
+++ b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md
@@ -3,9 +3,6 @@ title: Use signed policies to protect Windows Defender Application Control again
 description: Signed WDAC policies give organizations the highest level of malware protection available in Windows 10.
 keywords: security, malware
 ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
-ms.reviewer:
-manager: dansimp
-ms.author: dansimp
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md
index 43cc718d71..79a167e2a1 100644
--- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md
@@ -3,7 +3,6 @@ title: Use a Windows Defender Application Control policy to control specific plu description: WDAC policies can be used not only to control applications, but also to control whether specific plug-ins, add-ins, and modules can run from specific apps. keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb -ms.reviewer: manager: dansimp ms.author: dansimp ms.prod: w10 @@ -15,8 +14,6 @@ audience: ITPro ms.collection: M365-security-compliance author: jsuther1974 ms.reviewer: isbrahm -ms.author: dansimp -manager: dansimp ms.date: 05/03/2018 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer.md index f0c0979e51..d6810894b4 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer.md @@ -14,7 +14,7 @@ author: jsuther1974 ms.reviewer: isbrahm ms.author: dansimp manager: dansimp -ms.date: 06/13/2018 +ms.date: 08/14/2020 --- # Authorize apps deployed with a WDAC managed installer 
@@ -24,136 +24,21 @@ ms.date: 06/13/2018 - Windows 10 - Windows Server 2019 -Creating and maintaining application execution control policies has always been challenging, and finding ways to address this issue has been a frequently-cited request for customers of AppLocker and Windows Defender Application Control (WDAC). -This is especially true for enterprises with large, ever changing software catalogs. - -Windows 10, version 1703 (also known as the Windows 10 Creators Update) provides a new option, known as a managed installer, that allows IT administrators to automatically authorize applications deployed and installed by a designated software distribution solution, such as Microsoft Endpoint Configuration Manager. +Windows 10, version 1703 (also known as the Windows 10 Creators Update) provides a new option, known as a managed installer, that allows IT administrators to automatically authorize applications deployed and installed by a designated software distribution solution such as Microsoft Endpoint Configuration Manager. A managed installer helps an IT admin balance security and manageability requirements when employing application execution control policies by providing an option that does not require specifying explicit rules for software that is being managed through a software distribution solution. ## How does a managed installer work? -A managed installer uses a new rule collection in AppLocker to specify one or more executables that are trusted by the organization as an authorized source for application deployment. -Specifying an executable as a managed installer will cause Windows to tag files that are written from the executable’s process (or processes it launches) as having originated from a trusted installation authority. The Managed Installer rule collection is currently supported for AppLocker rules in Group Policy and in Configuration Manager, but not in the AppLocker CSP for OMA-URI policies. 
+A managed installer uses a new rule collection in AppLocker to specify one or more executables that are trusted by the organization as an authorized source for application deployment. -Once the IT administrator adds the Allow: Managed Installer option to a WDAC policy, the WDAC component will subsequently check for the presence of the origin information when evaluating other application execution control rules specified in the policy. -If there are no deny rules present for the file, it will be authorized based on the managed installer origin information. +Specifying an executable as a managed installer will cause Windows to tag files that are written from the executable's process (or processes it launches) as having originated from a trusted installation authority. The Managed Installer rule collection is currently supported for AppLocker rules in Group Policy and in Configuration Manager, but not in the AppLocker CSP for OMA-URI policies. + +Once the IT administrator adds the Allow: Managed Installer option to a WDAC policy, the WDAC component will subsequently check for the presence of the origin information when evaluating other application execution control rules specified in the policy. If there are no deny rules present for the file, it will be authorized based on the managed installer origin information. Admins needs to ensure that there is a WDAC policy in place to allow the system to boot and run any other authorized applications that may not be deployed through a managed installer. -Examples of WDAC policies available in C:\Windows\schemas\CodeIntegrity\ExamplePolicies help authorize Windows OS components, WHQL signed drivers and all Store apps. +An example managed installer use-case can be seen in the guidance for [creating a WDAC policy for fully-managed devices](create-wdac-policy-for-fully-managed-devices.md). 
-## Configuring a managed installer with AppLocker and Windows Defender Application Control - -Setting up managed installer tracking and application execution enforcement requires applying both an AppLocker and WDAC policy with specific rules and options enabled. -There are three primary steps to keep in mind: - -- Specify managed installers by using the Managed Installer rule collection in AppLocker policy. -- Enable service enforcement in AppLocker policy. -- Enable the managed installer option in a WDAC policy. - -### Specify managed installers using the Managed Installer rule collection in AppLocker policy - -The identity of the managed installer executable(s) is specified in an AppLocker policy in a Managed Installer rule collection. -Currently, neither the AppLocker policy creation UI in GPO Editor nor the PowerShell cmdlets allow for directly specifying rules for the Managed Installer rule collection. However, a text editor can be used to make the simple changes needed to an EXE or DLL rule collection policy to specify Type="ManagedInstaller", so that the new rule can be imported into a GPO. - -An example of a valid Managed Installer rule collection is shown below. -For more information about creating an AppLocker policy that includes a managed installer and configuring client devices, see [Simplify application listing with Configuration Manager and Windows 10](https://cloudblogs.microsoft.com/enterprisemobility/2016/06/20/configmgr-as-a-managed-installer-with-win10/). -As mentioned above, the AppLocker CSP for OMA-URI policies does not currently support the Managed Installer rule collection or the Service Enforcement rule extensions mentioned below. - - -```xml - - - - - - - - - - - - - - - - -``` - -## Enable service enforcement in AppLocker policy - -Since many installation processes rely on services, it is typically necessary to enable tracking of services. 
-Correct tracking of services requires the presence of at least one rule in the rule collection — a simple audit only rule will suffice. -For example: - -```xml - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -``` - -### Enable the managed installer option in WDAC policy - -In order to enable trust for the binaries laid down by managed installers, the Enabled: Managed Installer option must be specified in your WDAC policy. -This can be done by using the [Set-RuleOption cmdlet](https://docs.microsoft.com/powershell/module/configci/set-ruleoption). -An example of the managed installer option being set in policy is shown below. - -```xml - - - - - - - - - - - - - - - - - -``` - -## Set the AppLocker filter driver to autostart - -To enable the managed installer, you need to set the AppLocker filter driver to autostart and start it. -Run the following command as an Administrator: - -```console -appidtel.exe start [-mionly] -``` - -Specify `-mionly` if you will not use the Intelligent Security Graph (ISG). +Note that a WDAC policy with managed installer configured will begin to tag files which originated from that managed installer, regardless of whether the policy is in audit or enforced mode. ## Security considerations with managed installer 
@@ -167,15 +52,12 @@ To avoid this, ensure that the application deployment solution being used as a m ## Known limitations with managed installer -- Application execution control based on managed installer does not support applications that self-update. +- Application execution control based on managed installer does not support applications that self-update/auto-update. If an application deployed by a managed installer subsequently updates itself, the updated application files will no longer include the managed installer origin information and will not be authorized to run. Enterprises should deploy and install all application updates using the managed installer. In some cases, it may be possible to also designate an application binary that performs the self-updates as a managed installer. Proper review for functionality and security should be performed for the application before using this method. -- Although WDAC policies can be deployed in both audit and enforced mode, the managed installer option is currently only recommended for use with policies set to enforced except in lab environments. -Using the managed installer option with WDAC policies set to audit only may result in unexpected behavior if the policy is subsequently changed to enforced mode. - - Modern apps deployed through a managed installer will not be tracked by the managed installer heuristic and will need to be separately authorized in your WDAC policy. - Executables that extract files and then attempt to execute may not be allowed by the managed installer heuristic. diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-operational-guide.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-operational-guide.md index 9ee20747b7..8a7ad0700f 100644 
--- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-operational-guide.md
+++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-operational-guide.md
@@ -24,20 +24,22 @@ ms.date: 03/16/2020 - Windows 10 - Windows Server 2016 and above -After designing and deploying your Windows Defender Application Control (WDAC) policies, this guide covers understanding the effects your policies are having and troubleshooting when they are not behaving as expected. It contains information on where to find events and what they mean, and also querying these events with Microsoft Defender Advanted Threat Protection (MDATP) Advanced Hunting feature. +After designing and deploying your Windows Defender Application Control (WDAC) policies, this guide covers understanding the effects your policies are having and troubleshooting when they are not behaving as expected. It contains information on where to find events and what they mean, and also querying these events with Microsoft Defender Advanced Threat Protection (MDATP) Advanced Hunting feature. ## WDAC Events Overview -WDAC generates and logs events when a policy is loaded as well as when a binary attempts to execute and is blocked. These events include information that identifies the policy and gives more details about the block. Generally, WDAC does not generate events when a binary is allowed; however, there is the option to enable allow events when Managed Installer and/or the Intelligent Security Graph (ISG) is configured. +WDAC generates and logs events when a policy is loaded as well as when a binary attempts to execute and is blocked. These events include information that identifies the policy and gives more details about the block. Generally, WDAC does not generate events when a binary is allowed; however, there is the option to enable events when Managed Installer and/or the Intelligent Security Graph (ISG) is configured. WDAC events are generated under two locations: -1. Applications and Services logs – Microsoft – Windows – CodeIntegrity – Operational -2. 
Applications and Services logs – Microsoft – Windows – AppLocker – MSI and Script + - Applications and Services logs – Microsoft – Windows – CodeIntegrity – Operational + + - Applications and Services logs – Microsoft – Windows – AppLocker – MSI and Script ## In this section | Topic | Description | | - | - | -| [Understanding Application Control events](event-id-explanations.md) | This topic explains the meaning of different WDAC events. | +| [Understanding Application Control event IDs](event-id-explanations.md) | This topic explains the meaning of different WDAC event IDs. | +| [Understanding Application Control event tags](event-tag-explanations.md) | This topic explains the meaning of different WDAC event tags. | | [Query WDAC events with Advanced hunting](querying-application-control-events-centrally-using-advanced-hunting.md) | This topic covers how to view WDAC events centrally from all systems that are connected to Microsoft Defender ATP. | diff --git a/windows/security/threat-protection/windows-defender-security-center/oldTOC.md b/windows/security/threat-protection/windows-defender-security-center/oldTOC.md index 4ca95e5608..0533ec00f5 100644 --- a/windows/security/threat-protection/windows-defender-security-center/oldTOC.md +++ b/windows/security/threat-protection/windows-defender-security-center/oldTOC.md @@ -1,5 +1,10 @@ -# [The Microsoft Defender Security Center app](windows-defender-security-center.md) +--- +ms.author: dansimp +author: dansimp +title: The Microsoft Defender Security Center app +--- +# [The Microsoft Defender Security Center app](windows-defender-security-center.md) ## [Customize the Microsoft Defender Security Center app for your organization](wdsc-customize-contact-information.md) ## [Hide Microsoft Defender Security Center app notifications](wdsc-hide-notifications.md) 
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-account-protection.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-account-protection.md
index 2ab6468f1e..3179f10cb2 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-account-protection.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-account-protection.md
@@ -3,7 +3,6 @@ title: Account protection in the Windows Security app
 description: Use the Account protection section to manage security for your account and sign in to Microsoft.
 keywords: account protection, wdav, smartscreen, antivirus, wdsc, exploit, protection, hide, Windows Defender SmartScreen, SmartScreen Filter, Windows SmartScreen
 search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md
index 001c490193..bbfe0a7bd0 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md
@@ -3,7 +3,6 @@ title: App & browser control in the Windows Security app
 description: Use the App & browser control section to see and configure Windows Defender SmartScreen and Exploit protection settings.
 keywords: wdav, smartscreen, antivirus, wdsc, exploit, protection, hide
 search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md
index cb2c999276..1611fdc1c9 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md
@@ -3,7 +3,6 @@ title: Customize Windows Security contact information
 description: Provide information to your employees on how to contact your IT department when a security issue occurs
 keywords: wdsc, security center, defender, notification, customize, contact, it department, help desk, call, help site
 search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md
index d02b829376..ca606e3a6b 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md
@@ -3,7 +3,6 @@ title: Device & performance health in the Windows Security app
 description: Use the Device & performance health section to see the status of the machine and note any storage, update, battery, driver, or hardware configuration issues
 keywords: wdsc, windows update, storage, driver, device, installation, battery, health, status
 search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-security.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-device-security.md
index 2acf81e5cf..26a2da094f 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-security.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-device-security.md
@@ -3,7 +3,6 @@ title: Device security in the Windows Security app
 description: Use the Device security section to manage security built into your device, including virtualization-based security.
 keywords: device security, device guard, wdav, smartscreen, antivirus, wdsc, exploit, protection, hide
 search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-family-options.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-family-options.md
index d785a3f420..4886c28f4d 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-family-options.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-family-options.md
@@ -1,9 +1,8 @@
 ---
 title: Family options in the Windows Security app
-description: Hide the Family options section in enterprise environments
+description: Learn how to hide the Family options section of Windows Security for enterprise environments. Family options are not intended for business environments.
 keywords: wdsc, family options, hide, suppress, remove, disable, uninstall, kids, parents, safety, parental, child, screen time
 search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md
index 141a5c002f..4209ff2f58 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md
@@ -3,11 +3,9 @@ title: Firewall and network protection in the Windows Security app
 description: Use the Firewall & network protection section to see the status of and make changes to firewalls and network connections for the machine.
 keywords: wdsc, firewall, windows defender firewall, network, connections, domain, private network, publish network, allow firewall, firewall rule, block firewall
 search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
-ms.pagetype: security
 ms.localizationpriority: medium
 author: dansimp
 ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md
index 7210da90bf..e4ee0c83a3 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md
@@ -3,7 +3,6 @@ title: Hide notifications from the Windows Security app
 description: Prevent Windows Security app notifications from appearing on user endpoints
 keywords: defender, security center, app, notifications, av, alerts
 search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md
index df2646c94e..f3c4b5e3d9 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md
@@ -3,7 +3,6 @@ title: Virus and threat protection in the Windows Security app
 description: Use the Virus & threat protection section to see and configure Microsoft Defender Antivirus, Controlled folder access, and 3rd-party AV products.
 keywords: wdav, smartscreen, antivirus, wdsc, exploit, protection, hide
 search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md
index 5431868198..b22eec75f4 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md
@@ -1,9 +1,8 @@
 ---
 title: Manage Windows Security in Windows 10 in S mode
-description: Windows Security settings are different in Windows 10 in S mode
+description: Learn how to manage Windows Security settings in Windows 10 in S mode. Windows 10 in S mode is streamlined for tighter security and superior performance.
 keywords: windows 10 in s mode, windows 10 s, windows 10 s mode, wdav, smartscreen, antivirus, wdsc, firewall, device health, performance, Edge, browser, family, parental options, security, windows
 search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md b/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md
index 0f263a291a..a3bf04355b 100644
--- a/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md
+++ b/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md
@@ -3,11 +3,9 @@ title: The Windows Security app
 description: The Windows Security app brings together common Windows security features into one place
 keywords: wdav, smartscreen, antivirus, wdsc, firewall, device health, performance, Edge, browser, family, parental options, security, windows
 search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
-ms.pagetype: security
 ms.localizationpriority: medium
 author: dansimp
 ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/TOC.md b/windows/security/threat-protection/windows-firewall/TOC.md
index e3271818c1..e5edff503e 100644
--- a/windows/security/threat-protection/windows-firewall/TOC.md
+++ b/windows/security/threat-protection/windows-firewall/TOC.md
@@ -1,110 +1,179 @@ # [Windows Firewall with Advanced Security](windows-firewall-with-advanced-security.md) -## [Isolating Microsoft Store Apps on Your Network](isolating-apps-on-your-network.md) -## [Securing IPsec](securing-end-to-end-ipsec-connections-by-using-ikev2.md) -## [PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md) -## [Design Guide](windows-firewall-with-advanced-security-design-guide.md) -### [Design Process](understanding-the-windows-firewall-with-advanced-security-design-process.md) -### [Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md) -#### [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md) -#### [Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md) -#### [Require Encryption](require-encryption-when-accessing-sensitive-network-resources.md) -#### [Restrict Access](restrict-access-to-only-specified-users-or-devices.md) -### [Mapping Goals to a Design](mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md) -#### [Basic Design](basic-firewall-policy-design.md) -#### [Domain Isolation Design](domain-isolation-policy-design.md) -#### [Server Isolation Design](server-isolation-policy-design.md) -#### [Certificate-based Isolation Design](certificate-based-isolation-policy-design.md) -### [Evaluating Design Examples](evaluating-windows-firewall-with-advanced-security-design-examples.md) -#### [Basic Design Example](firewall-policy-design-example.md) -#### [Domain Isolation Design Example](domain-isolation-policy-design-example.md) -#### [Server Isolation Design Example](server-isolation-policy-design-example.md) -#### [Certificate-based Isolation Design Example](certificate-based-isolation-policy-design-example.md) -### [Designing a Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md) -#### [Gathering the Info You 
Need](gathering-the-information-you-need.md) -##### [Network](gathering-information-about-your-current-network-infrastructure.md) -##### [Active Directory](gathering-information-about-your-active-directory-deployment.md) -##### [Computers](gathering-information-about-your-devices.md) -##### [Other Relevant Information](gathering-other-relevant-information.md) -#### [Determining the Trusted State of Your Computers](determining-the-trusted-state-of-your-devices.md) -### [Planning Your Design](planning-your-windows-firewall-with-advanced-security-design.md) -#### [Planning Settings for a Basic Firewall Policy](planning-settings-for-a-basic-firewall-policy.md) -#### [Planning Domain Isolation Zones](planning-domain-isolation-zones.md) -##### [Exemption List](exemption-list.md) -##### [Isolated Domain](isolated-domain.md) -##### [Boundary Zone](boundary-zone.md) -##### [Encryption Zone](encryption-zone.md) -#### [Planning Server Isolation Zones](planning-server-isolation-zones.md) -#### [Planning Certificate-based Authentication](planning-certificate-based-authentication.md) + +## [Plan deployment]() + +### [Design guide](windows-firewall-with-advanced-security-design-guide.md) + +### [Design process](understanding-the-windows-firewall-with-advanced-security-design-process.md) + +### [Implementation goals]() +#### [Identify implementation goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md) +#### [Protect devices from unwanted network traffic](protect-devices-from-unwanted-network-traffic.md) +#### [Restrict access to only trusted devices](restrict-access-to-only-trusted-devices.md) +#### [Require encryption](require-encryption-when-accessing-sensitive-network-resources.md) +#### [Restrict access](restrict-access-to-only-specified-users-or-devices.md) + +### [Implementation designs]() +#### [Mapping goals to a design](mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md) + +#### [Basic firewall 
design](basic-firewall-policy-design.md) +##### [Basic firewall design example](firewall-policy-design-example.md) + + +#### [Domain isolation design](domain-isolation-policy-design.md) +##### [Domain isolation design example](domain-isolation-policy-design-example.md) + + +#### [Server isolation design](server-isolation-policy-design.md) +##### [Server Isolation design example](server-isolation-policy-design-example.md) + + +#### [Certificate-based isolation design](certificate-based-isolation-policy-design.md) +##### [Certificate-based Isolation design example](certificate-based-isolation-policy-design-example.md) + +### [Design planning]() +#### [Planning your design](planning-your-windows-firewall-with-advanced-security-design.md) + +#### [Planning settings for a basic firewall policy](planning-settings-for-a-basic-firewall-policy.md) + +#### [Planning domain isolation zones]() +##### [Domain isolation zones](planning-domain-isolation-zones.md) +##### [Exemption list](exemption-list.md) +##### [Isolated domain](isolated-domain.md) +##### [Boundary zone](boundary-zone.md) +##### [Encryption zone](encryption-zone.md) + +#### [Planning server isolation zones](planning-server-isolation-zones.md) + +#### [Planning certificate-based authentication](planning-certificate-based-authentication.md) ##### [Documenting the Zones](documenting-the-zones.md) -##### [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md) -###### [Planning Isolation Groups for the Zones](planning-isolation-groups-for-the-zones.md) -###### [Planning Network Access Groups](planning-network-access-groups.md) + +##### [Planning group policy deployment for your isolation zones](planning-group-policy-deployment-for-your-isolation-zones.md) +###### [Planning isolation groups for the zones](planning-isolation-groups-for-the-zones.md) +###### [Planning network access groups](planning-network-access-groups.md) + ###### [Planning the 
GPOs](planning-the-gpos.md) ####### [Firewall GPOs](firewall-gpos.md) ######## [GPO_DOMISO_Firewall](gpo-domiso-firewall.md) -####### [Isolated Domain GPOs](isolated-domain-gpos.md) +####### [Isolated domain GPOs](isolated-domain-gpos.md) ######## [GPO_DOMISO_IsolatedDomain_Clients](gpo-domiso-isolateddomain-clients.md) ######## [GPO_DOMISO_IsolatedDomain_Servers](gpo-domiso-isolateddomain-servers.md) -####### [Boundary Zone GPOs](boundary-zone-gpos.md) +####### [Boundary zone GPOs](boundary-zone-gpos.md) ######## [GPO_DOMISO_Boundary](gpo-domiso-boundary.md) -####### [Encryption Zone GPOs](encryption-zone-gpos.md) +####### [Encryption zone GPOs](encryption-zone-gpos.md) ######## [GPO_DOMISO_Encryption](gpo-domiso-encryption.md) -####### [Server Isolation GPOs](server-isolation-gpos.md) -###### [Planning GPO Deployment](planning-gpo-deployment.md) -### [Appendix A: Sample GPO Template Files for Settings Used in this Guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md) -## [Deployment Guide](windows-firewall-with-advanced-security-deployment-guide.md) -### [Planning to Deploy](planning-to-deploy-windows-firewall-with-advanced-security.md) -### [Implementing Your Plan](implementing-your-windows-firewall-with-advanced-security-design-plan.md) -### [Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md) -### [Checklist: Implementing a Basic Firewall Policy Design](checklist-implementing-a-basic-firewall-policy-design.md) -### [Checklist: Configuring Basic Firewall Settings](checklist-configuring-basic-firewall-settings.md) -### [Checklist: Creating Inbound Firewall Rules](checklist-creating-inbound-firewall-rules.md) -### [Checklist: Creating Outbound Firewall Rules](checklist-creating-outbound-firewall-rules.md) -### [Checklist: Implementing a Domain Isolation Policy Design](checklist-implementing-a-domain-isolation-policy-design.md) -#### [Checklist: Configuring Rules for the Isolated 
Domain](checklist-configuring-rules-for-the-isolated-domain.md) -#### [Checklist: Configuring Rules for the Boundary Zone](checklist-configuring-rules-for-the-boundary-zone.md) -#### [Checklist: Configuring Rules for the Encryption Zone](checklist-configuring-rules-for-the-encryption-zone.md) -#### [Checklist: Configuring Rules for an Isolated Server Zone](checklist-configuring-rules-for-an-isolated-server-zone.md) -### [Checklist: Implementing a Standalone Server Isolation Policy Design](checklist-implementing-a-standalone-server-isolation-policy-design.md) -#### [Checklist: Configuring Rules for Servers in a Standalone Isolated Server Zone](checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md) -#### [Checklist: Creating Rules for Clients of a Standalone Isolated Server Zone](checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md) -### [Checklist: Implementing a Certificate-based Isolation Policy Design](checklist-implementing-a-certificate-based-isolation-policy-design.md) -### [Procedures Used in This Guide](procedures-used-in-this-guide.md) -#### [Add Production Devices to the Membership Group for a Zone](add-production-devices-to-the-membership-group-for-a-zone.md) -#### [Add Test Devices to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md) -#### [Assign Security Group Filters to the GPO](assign-security-group-filters-to-the-gpo.md) -#### [Change Rules from Request to Require Mode](change-rules-from-request-to-require-mode.md) -#### [Configure Authentication Methods](configure-authentication-methods.md) -#### [Configure Data Protection (Quick Mode) Settings](configure-data-protection-quick-mode-settings.md) -#### [Configure Group Policy to Autoenroll and Deploy Certificates](configure-group-policy-to-autoenroll-and-deploy-certificates.md) -#### [Configure Key Exchange (Main Mode) Settings](configure-key-exchange-main-mode-settings.md) -#### [Configure the Rules to Require 
Encryption](configure-the-rules-to-require-encryption.md) -#### [Configure the Windows Firewall Log](configure-the-windows-firewall-log.md) -#### [Configure the Workstation Authentication Certificate Template](configure-the-workstation-authentication-certificate-template.md) -#### [Configure Windows Firewall to Suppress Notifications When a Program Is Blocked](configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md) -#### [Confirm That Certificates Are Deployed Correctly](confirm-that-certificates-are-deployed-correctly.md) -#### [Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md) -#### [Create a Group Account in Active Directory](create-a-group-account-in-active-directory.md) -#### [Create a Group Policy Object](create-a-group-policy-object.md) -#### [Create an Authentication Exemption List Rule](create-an-authentication-exemption-list-rule.md) -#### [Create an Authentication Request Rule](create-an-authentication-request-rule.md) -#### [Create an Inbound ICMP Rule](create-an-inbound-icmp-rule.md) -#### [Create an Inbound Port Rule](create-an-inbound-port-rule.md) -#### [Create an Inbound Program or Service Rule](create-an-inbound-program-or-service-rule.md) -#### [Create an Outbound Port Rule](create-an-outbound-port-rule.md) -#### [Create an Outbound Program or Service Rule](create-an-outbound-program-or-service-rule.md) -#### [Create Inbound Rules to Support RPC](create-inbound-rules-to-support-rpc.md) -#### [Create WMI Filters for the GPO](create-wmi-filters-for-the-gpo.md) -#### [Create Windows Firewall rules in Intune](create-windows-firewall-rules-in-intune.md) -#### [Enable Predefined Inbound Rules](enable-predefined-inbound-rules.md) -#### [Enable Predefined Outbound Rules](enable-predefined-outbound-rules.md) -#### [Exempt ICMP from Authentication](exempt-icmp-from-authentication.md) -#### [Link the GPO to the Domain](link-the-gpo-to-the-domain.md) -#### [Modify GPO 
Filters](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) -#### [Open IP Security Policies](open-the-group-policy-management-console-to-ip-security-policies.md) -#### [Open Group Policy](open-the-group-policy-management-console-to-windows-firewall.md) -#### [Open Group Policy](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md) -#### [Open Windows Firewall](open-windows-firewall-with-advanced-security.md) -#### [Restrict Server Access](restrict-server-access-to-members-of-a-group-only.md) -#### [Enable Windows Firewall](turn-on-windows-firewall-and-configure-default-behavior.md) -#### [Verify Network Traffic](verify-that-network-traffic-is-authenticated.md) +####### [Server isolation GPOs](server-isolation-gpos.md) + +###### [Planning GPO deployment](planning-gpo-deployment.md) + + +### [Planning to deploy](planning-to-deploy-windows-firewall-with-advanced-security.md) + + +## [Deployment guide]() +### [Deployment overview](windows-firewall-with-advanced-security-deployment-guide.md) + +### [Implementing your plan](implementing-your-windows-firewall-with-advanced-security-design-plan.md) + +### [Basic firewall deployment]() +#### [Checklist: Implementing a basic firewall policy design](checklist-implementing-a-basic-firewall-policy-design.md) + + + +### [Domain isolation deployment]() +#### [Checklist: Implementing a Domain Isolation Policy Design](checklist-implementing-a-domain-isolation-policy-design.md) + + + +### [Server isolation deployment]() +#### [Checklist: Implementing a Standalone Server Isolation Policy Design](checklist-implementing-a-standalone-server-isolation-policy-design.md) + + + +### [Certificate-based authentication]() +#### [Checklist: Implementing a Certificate-based Isolation Policy Design](checklist-implementing-a-certificate-based-isolation-policy-design.md) + + + +## [Best practices]() +### [Securing IPsec](securing-end-to-end-ipsec-connections-by-using-ikev2.md) +### 
[PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md) +### [Isolating Microsoft Store Apps on Your Network](isolating-apps-on-your-network.md) + + +## [How-to]() +### [Add Production devices to the membership group for a zone](add-production-devices-to-the-membership-group-for-a-zone.md) +### [Add test devices to the membership group for a zone](add-test-devices-to-the-membership-group-for-a-zone.md) +### [Assign security group filters to the GPO](assign-security-group-filters-to-the-gpo.md) +### [Change rules from request to require mode](Change-Rules-From-Request-To-Require-Mode.Md) +### [Configure authentication methods](Configure-authentication-methods.md) +### [Configure data protection (Quick Mode) settings](configure-data-protection-quick-mode-settings.md) +### [Configure Group Policy to autoenroll and deploy certificates](configure-group-policy-to-autoenroll-and-deploy-certificates.md) +### [Configure key exchange (main mode) settings](configure-key-exchange-main-mode-settings.md) +### [Configure the rules to require encryption](configure-the-rules-to-require-encryption.md) +### [Configure the Windows Firewall log](configure-the-windows-firewall-log.md) +### [Configure the workstation authentication certificate template](configure-the-workstation-authentication-certificate-template.md) +### [Configure Windows Firewall to suppress notifications when a program is blocked](configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md) +### [Confirm that certificates are deployed correctly](confirm-that-certificates-are-deployed-correctly.md) +### [Copy a GPO to create a new GPO](copy-a-gpo-to-create-a-new-gpo.md) +### [Create a Group Account in Active Directory](create-a-group-account-in-active-directory.md) +### [Create a Group Policy Object](create-a-group-policy-object.md) +### [Create an authentication exemption list rule](create-an-authentication-exemption-list-rule.md) +### [Create an 
authentication request rule](create-an-authentication-request-rule.md) +### [Create an inbound ICMP rule](create-an-inbound-icmp-rule.md) +### [Create an inbound port rule](create-an-inbound-port-rule.md) +### [Create an inbound program or service rule](create-an-inbound-program-or-service-rule.md) +### [Create an outbound port rule](create-an-outbound-port-rule.md) +### [Create an outbound program or service rule](create-an-outbound-program-or-service-rule.md) +### [Create inbound rules to support RPC](create-inbound-rules-to-support-rpc.md) +### [Create WMI filters for the GPO](create-wmi-filters-for-the-gpo.md) +### [Create Windows Firewall rules in Intune](create-windows-firewall-rules-in-intune.md) +### [Enable predefined inbound rules](enable-predefined-inbound-rules.md) +### [Enable predefined outbound rules](enable-predefined-outbound-rules.md) +### [Exempt ICMP from authentication](exempt-icmp-from-authentication.md) +### [Link the GPO to the domain](link-the-gpo-to-the-domain.md) +### [Modify GPO filters](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) +### [Open IP security policies](open-the-group-policy-management-console-to-ip-security-policies.md) +### [Open Group Policy](open-the-group-policy-management-console-to-windows-firewall.md) +### [Open Group Policy](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md) +### [Open Windows Firewall](open-windows-firewall-with-advanced-security.md) +### [Restrict server access](restrict-server-access-to-members-of-a-group-only.md) +### [Enable Windows Firewall](turn-on-windows-firewall-and-configure-default-behavior.md) +### [Verify Network Traffic](verify-that-network-traffic-is-authenticated.md) + + +## [References]() +### [Checklist: Creating Group Policy objects](checklist-creating-group-policy-objects.md) +### [Checklist: Creating inbound firewall rules](checklist-creating-inbound-firewall-rules.md) +### [Checklist: Creating outbound firewall 
rules](checklist-creating-outbound-firewall-rules.md) +### [Checklist: Configuring basic firewall settings](checklist-configuring-basic-firewall-settings.md) + + +### [Checklist: Configuring rules for the isolated domain](checklist-configuring-rules-for-the-isolated-domain.md) +### [Checklist: Configuring rules for the boundary zone](checklist-configuring-rules-for-the-boundary-zone.md) +### [Checklist: Configuring rules for the encryption zone](checklist-configuring-rules-for-the-encryption-zone.md) +### [Checklist: Configuring rules for an isolated server zone](checklist-configuring-rules-for-an-isolated-server-zone.md) + +### [Checklist: Configuring rules for servers in a standalone isolated server zone](checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md) +### [Checklist: Creating rules for clients of a standalone isolated server zone](checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md) + + +### [Appendix A: Sample GPO template files for settings used in this guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md) + + + +## [Troubleshooting]() +### [Troubleshooting UWP app connectivity issues in Windows Firewall](troubleshooting-uwp-firewall.md) + + + + + + + + + + + + + diff --git a/windows/security/threat-protection/windows-firewall/add-production-devices-to-the-membership-group-for-a-zone.md b/windows/security/threat-protection/windows-firewall/add-production-devices-to-the-membership-group-for-a-zone.md index d74524355b..32918a0147 100644 --- a/windows/security/threat-protection/windows-firewall/add-production-devices-to-the-membership-group-for-a-zone.md +++ b/windows/security/threat-protection/windows-firewall/add-production-devices-to-the-membership-group-for-a-zone.md 
@@ -1,6 +1,6 @@
 ---
 title: Add Production Devices to the Membership Group for a Zone (Windows 10)
-description: Add Production Devices to the Membership Group for a Zone
+description: Learn how to add production devices to the membership group for a zone and refresh the group policy on the devices in the membership group.
 ms.assetid: 7141de15-5840-4beb-aabe-21c1dd89eb23
 ms.reviewer:
 ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/add-test-devices-to-the-membership-group-for-a-zone.md b/windows/security/threat-protection/windows-firewall/add-test-devices-to-the-membership-group-for-a-zone.md
index c79ea27f4e..6bfc87a6c3 100644
--- a/windows/security/threat-protection/windows-firewall/add-test-devices-to-the-membership-group-for-a-zone.md
+++ b/windows/security/threat-protection/windows-firewall/add-test-devices-to-the-membership-group-for-a-zone.md
@@ -1,6 +1,6 @@
 ---
 title: Add Test Devices to the Membership Group for a Zone (Windows 10)
-description: Add Test Devices to the Membership Group for a Zone
+description: Learn how to add devices to the group for a zone to test whether your Windows Defender Firewall with Advanced Security implementation works as expected.
 ms.assetid: 47057d90-b053-48a3-b881-4f2458d3e431
 ms.reviewer:
 ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md b/windows/security/threat-protection/windows-firewall/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md
index a0422c4a14..b9c0f35fc2 100644
--- a/windows/security/threat-protection/windows-firewall/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md
+++ b/windows/security/threat-protection/windows-firewall/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md
@@ -1,6 +1,6 @@
 ---
 title: Appendix A Sample GPO Template Files for Settings Used in this Guide (Windows 10)
-description: Appendix A Sample GPO Template Files for Settings Used in this Guide
+description: Use sample template files import an XML file containing customized registry preferences into a Group Policy Object (GPO).
 ms.assetid: 75930afd-ab1b-4e53-915b-a28787814b38
 ms.reviewer:
 ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/assign-security-group-filters-to-the-gpo.md b/windows/security/threat-protection/windows-firewall/assign-security-group-filters-to-the-gpo.md
index b41fba1e87..663f7ba800 100644
--- a/windows/security/threat-protection/windows-firewall/assign-security-group-filters-to-the-gpo.md
+++ b/windows/security/threat-protection/windows-firewall/assign-security-group-filters-to-the-gpo.md
@@ -1,6 +1,6 @@
 ---
 title: Assign Security Group Filters to the GPO (Windows 10)
-description: Assign Security Group Filters to the GPO
+description: Learn how to use Group Policy Management MMC to assign security group filters to a GPO to make sure that the GPO is applied to the correct computers.
 ms.assetid: bcbe3299-8d87-4ec1-9e86-8e4a680fd7c8
 ms.reviewer:
 ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/boundary-zone-gpos.md b/windows/security/threat-protection/windows-firewall/boundary-zone-gpos.md
index 0b313e0d05..81e8194d88 100644
--- a/windows/security/threat-protection/windows-firewall/boundary-zone-gpos.md
+++ b/windows/security/threat-protection/windows-firewall/boundary-zone-gpos.md
@@ -1,6 +1,6 @@
 ---
 title: Boundary Zone GPOs (Windows 10)
-description: Boundary Zone GPOs
+description: Learn about GPOs to create that must align with the group you create for the boundary zone in Windows Defender Firewall with Advanced Security.
 ms.assetid: 1ae66088-02c3-47e4-b7e8-74d0b8f8646e
 ms.reviewer:
 ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/boundary-zone.md b/windows/security/threat-protection/windows-firewall/boundary-zone.md
index 05d8ac588f..849fd51e8b 100644
--- a/windows/security/threat-protection/windows-firewall/boundary-zone.md
+++ b/windows/security/threat-protection/windows-firewall/boundary-zone.md
@@ -1,6 +1,6 @@
 ---
 title: Boundary Zone (Windows 10)
-description: Boundary Zone
+description: Learn how a boundary zone supports devices that must receive traffic from beyond an isolated domain in Windows Defender Firewall with Advanced Security.
 ms.assetid: ed98b680-fd24-44bd-a7dd-26c522e45a20
 ms.reviewer:
 ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design-example.md b/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design-example.md
index efa67c42bc..45b1bdfe0f 100644
--- a/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design-example.md
+++ b/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design-example.md
@@ -1,6 +1,6 @@
 ---
 title: Certificate-based Isolation Policy Design Example (Windows 10)
-description: Certificate-based Isolation Policy Design Example
+description: This example uses a fictitious company to illustrate certificate-based isolation policy design in Windows Defender Firewall with Advanced Security.
 ms.assetid: 509b513e-dd49-4234-99f9-636fd2f749e3
 ms.reviewer:
 ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design.md
index 71775ab476..38ec0654bb 100644
--- a/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design.md
+++ b/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design.md
@@ -17,7 +17,7 @@ ms.topic: conceptual ms.date: 08/17/2017 --- -# Certificate-based Isolation Policy Design +# Certificate-based isolation policy design **Applies to** - Windows 10 @@ -35,7 +35,7 @@ For Windows devices that are part of an Active Directory domain, you can use Gro For more info about this design: -- This design coincides with the deployment goals to [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md), [Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md), and optionally [Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md). +- This design coincides with the implementation goals to [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md), [Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md), and optionally [Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md). - To learn more about this design, see [Certificate-based Isolation Policy Design Example](certificate-based-isolation-policy-design-example.md). @@ -45,4 +45,4 @@ For more info about this design: - For a list of tasks that you can use to deploy your certificate-based policy design, see [Checklist: Implementing a Certificate-based Isolation Policy Design](checklist-implementing-a-certificate-based-isolation-policy-design.md). -**Next:** [Evaluating Windows Defender Firewall with Advanced Security Design Examples](evaluating-windows-firewall-with-advanced-security-design-examples.md) + diff --git a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-an-isolated-server-zone.md b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-an-isolated-server-zone.md index 2163ee0015..9bc976625b 100644 
--- a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-an-isolated-server-zone.md
+++ b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-an-isolated-server-zone.md
@@ -1,6 +1,6 @@
 ---
 title: Checklist Configuring Rules for an Isolated Server Zone (Windows 10)
-description: Checklist Configuring Rules for an Isolated Server Zone
+description: Use these tasks to configure connection security rules and IPsec settings in GPOs for servers in an isolated server zone that are part of an isolated domain.
 ms.assetid: 67c50a91-e71e-4f1e-a534-dad2582e311c
 ms.reviewer:
 ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-boundary-zone.md b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-boundary-zone.md
index 8d8d97e772..4a8272c0a4 100644
--- a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-boundary-zone.md
+++ b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-boundary-zone.md
@@ -1,6 +1,6 @@
 ---
 title: Checklist Configuring Rules for the Boundary Zone (Windows 10)
-description: Checklist Configuring Rules for the Boundary Zone
+description: Use these tasks to configure connection security rules and IPsec settings in your GPOs to implement the boundary zone in an isolated domain.
 ms.assetid: 25fe0197-de5a-4b4c-bc44-c6f0620ea94b
 ms.reviewer:
 ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-encryption-zone.md b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-encryption-zone.md
index 5c265b66ef..b9406909c6 100644
--- a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-encryption-zone.md
+++ b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-encryption-zone.md
@@ -1,6 +1,6 @@
 ---
 title: Checklist Configuring Rules for the Encryption Zone (Windows 10)
-description: Checklist Configuring Rules for the Encryption Zone
+description: Use these tasks to configure connection security rules and IPsec settings in your GPOs to implement the encryption zone in an isolated domain.
 ms.assetid: 87b1787b-0c70-47a4-ae52-700bff505ea4
 ms.reviewer:
 ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-isolated-domain.md b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-isolated-domain.md
index 260980b98d..dce673dded 100644
--- a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-isolated-domain.md
+++ b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-isolated-domain.md
@@ -1,6 +1,6 @@
 ---
 title: Checklist Configuring Rules for the Isolated Domain (Windows 10)
-description: Checklist Configuring Rules for the Isolated Domain
+description: Use these tasks to configure connection security rules and IPsec settings in your GPOs to implement the main zone in the isolated domain.
 ms.assetid: bfd2d29e-4011-40ec-a52e-a67d4af9748e
 ms.reviewer:
 ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/checklist-creating-group-policy-objects.md b/windows/security/threat-protection/windows-firewall/checklist-creating-group-policy-objects.md
index 151e5017f4..4bea4169a2 100644
--- a/windows/security/threat-protection/windows-firewall/checklist-creating-group-policy-objects.md
+++ b/windows/security/threat-protection/windows-firewall/checklist-creating-group-policy-objects.md
@@ -1,6 +1,6 @@
 ---
 title: Checklist Creating Group Policy Objects (Windows 10)
-description: Checklist Creating Group Policy Objects
+description: Learn to deploy firewall settings, IPsec settings, firewall rules, or connection security rules, by using Group Policy in AD DS.
 ms.assetid: e99bd6a4-34a7-47b5-9791-ae819977a559
 ms.reviewer:
 ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/checklist-creating-inbound-firewall-rules.md b/windows/security/threat-protection/windows-firewall/checklist-creating-inbound-firewall-rules.md
index 9c392608a3..4b04bec98e 100644
--- a/windows/security/threat-protection/windows-firewall/checklist-creating-inbound-firewall-rules.md
+++ b/windows/security/threat-protection/windows-firewall/checklist-creating-inbound-firewall-rules.md
@@ -1,6 +1,6 @@
 ---
 title: Checklist Creating Inbound Firewall Rules (Windows 10)
-description: Checklist Creating Inbound Firewall Rules
+description: Use these tasks for creating inbound firewall rules in your GPOs for Windows Defender Firewall with Advanced Security.
 ms.assetid: 0520e14e-5c82-48da-8fbf-87cef36ce02f
 ms.reviewer:
 ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/checklist-creating-outbound-firewall-rules.md b/windows/security/threat-protection/windows-firewall/checklist-creating-outbound-firewall-rules.md
index 10f025a062..4b03a9a468 100644
--- a/windows/security/threat-protection/windows-firewall/checklist-creating-outbound-firewall-rules.md
+++ b/windows/security/threat-protection/windows-firewall/checklist-creating-outbound-firewall-rules.md
@@ -1,6 +1,6 @@
 ---
 title: Checklist Creating Outbound Firewall Rules (Windows 10)
-description: Checklist Creating Outbound Firewall Rules
+description: Use these tasks for creating outbound firewall rules in your GPOs for Windows Defender Firewall with Advanced Security.
 ms.assetid: 611bb98f-4e97-411f-82bf-7a844a4130de
 ms.reviewer:
 ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md
index 4d6b02ef58..6e7e1f12f2 100644
--- a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md
+++ b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md
@@ -1,6 +1,6 @@
 ---
 title: Checklist Implementing a Certificate-based Isolation Policy Design (Windows 10)
-description: Checklist Implementing a Certificate-based Isolation Policy Design
+description: Use these references to learn about using certificates as an authentication option and configure a certificate-based isolation policy design.
 ms.assetid: 1e34b5ea-2e77-4598-a765-550418d33894
 ms.reviewer:
 ms.author: dansimp
@@ -25,13 +25,14 @@ ms.date: 08/17/2017 This parent checklist includes cross-reference links to important concepts about using certificates as an authentication option in either a domain isolation or server isolation design. ->**Note:**  Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist +> [!NOTE] +> Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist **Checklist: Implementing certificate-based authentication** | Task | Reference | | - | - | -| Review important concepts and examples for certificate-based authentication to determine if this design meets your deployment goals and the needs of your organization.| [Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
                        [Certificate-based Isolation Policy Design](certificate-based-isolation-policy-design.md)
                        [Certificate-based Isolation Policy Design Example](certificate-based-isolation-policy-design-example.md)
                        [Planning Certificate-based Authentication](planning-certificate-based-authentication.md) | +| Review important concepts and examples for certificate-based authentication to determine if this design meets your implementation goals and the needs of your organization.| [Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
                        [Certificate-based Isolation Policy Design](certificate-based-isolation-policy-design.md)
                        [Certificate-based Isolation Policy Design Example](certificate-based-isolation-policy-design-example.md)
                        [Planning Certificate-based Authentication](planning-certificate-based-authentication.md) | | Install the Active Directory Certificate Services (AD CS) role as an enterprise root issuing certification authority (CA). This step is required only if you have not already deployed a CA on your network.| | | Configure the certificate template for workstation authentication certificates.| [Configure the Workstation Authentication Certificate Template](configure-the-workstation-authentication-certificate-template.md)| | Configure Group Policy to automatically deploy certificates based on your template to workstation devices. | [Configure Group Policy to Autoenroll and Deploy Certificates](configure-group-policy-to-autoenroll-and-deploy-certificates.md)| diff --git a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-domain-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-domain-isolation-policy-design.md index 139618cb53..f9ac702f70 100644 --- a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-domain-isolation-policy-design.md +++ b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-domain-isolation-policy-design.md @@ -1,6 +1,6 @@ --- title: Checklist Implementing a Domain Isolation Policy Design (Windows 10) -description: Checklist Implementing a Domain Isolation Policy Design +description: Use these references to learn about the domain isolation policy design and links to other checklists to complete tasks require to implement this design. ms.assetid: 76586eb3-c13c-4d71-812f-76bff200fc20 ms.reviewer: ms.author: dansimp 
@@ -25,7 +25,8 @@ ms.date: 08/17/2017 This parent checklist includes cross-reference links to important concepts about the domain isolation policy design. It also contains links to subordinate checklists that will help you complete the tasks that are required to implement this design. ->**Note:**  Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist. +> [!NOTE] +> Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist. The procedures in this section use the Group Policy MMC snap-ins to configure the GPOs, but you can also use Windows PowerShell to configure GPOs. For more info, see [Windows Defender Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md). @@ -33,7 +34,7 @@ The procedures in this section use the Group Policy MMC snap-ins to configure th | Task | Reference | | - | - | -| Review important concepts and examples for the domain isolation policy design, determine your Windows Defender Firewall with Advanced Security deployment goals, and customize this design to meet the needs of your organization.| [Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
                        [Domain Isolation Policy Design](domain-isolation-policy-design.md)
                        [Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md)
                        [Planning Domain Isolation Zones](planning-domain-isolation-zones.md) | +| Review important concepts and examples for the domain isolation policy design, determine your Windows Defender Firewall with Advanced Security implementation goals, and customize this design to meet the needs of your organization.| [Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
                        [Domain Isolation Policy Design](domain-isolation-policy-design.md)
                        [Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md)
                        [Planning Domain Isolation Zones](planning-domain-isolation-zones.md) | | Create the GPOs and connection security rules for the isolated domain.| [Checklist: Configuring Rules for the Isolated Domain](checklist-configuring-rules-for-the-isolated-domain.md)| | Create the GPOs and connection security rules for the boundary zone.| [Checklist: Configuring Rules for the Boundary Zone](checklist-configuring-rules-for-the-boundary-zone.md)| | Create the GPOs and connection security rules for the encryption zone.| [Checklist: Configuring Rules for the Encryption Zone](checklist-configuring-rules-for-the-encryption-zone.md)| diff --git a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md index 05aad0007e..5428613f80 100644 --- a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md +++ b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md @@ -1,6 +1,6 @@ --- title: Checklist Implementing a Standalone Server Isolation Policy Design (Windows 10) -description: Checklist Implementing a Standalone Server Isolation Policy Design +description: Use these tasks to create a server isolation policy design that is not part of an isolated domain. See references to concepts and links to other checklists. ms.assetid: 50a997d8-f079-408c-8ac6-ecd02078ade3 ms.reviewer: ms.author: dansimp 
@@ -27,13 +27,14 @@ This checklist contains procedures for creating a server isolation policy design This parent checklist includes cross-reference links to important concepts about the domain isolation policy design. It also contains links to subordinate checklists that will help you complete the tasks that are required to implement this design. ->**Note:**  Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist. +> [!NOTE] +> Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist. **Checklist: Implementing a standalone server isolation policy design** | Task | Reference | | - | - | -| Review important concepts and examples for the server isolation policy design to determine if this design meets your deployment goals and the needs of your organization.| [Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
                        [Server Isolation Policy Design](server-isolation-policy-design.md)
                        [Server Isolation Policy Design Example](server-isolation-policy-design-example.md)
                        [Planning Server Isolation Zones](planning-server-isolation-zones.md) | +| Review important concepts and examples for the server isolation policy design to determine if this design meets your implementation goals and the needs of your organization.| [Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
                        [Server Isolation Policy Design](server-isolation-policy-design.md)
                        [Server Isolation Policy Design Example](server-isolation-policy-design-example.md)
                        [Planning Server Isolation Zones](planning-server-isolation-zones.md) | | Create the GPOs and connection security rules for isolated servers.| [Checklist: Configuring Rules for Servers in a Standalone Isolated Server Zone](checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md)| | Create the GPOs and connection security rules for the client devices that must connect to the isolated servers. | [Checklist: Creating Rules for Clients of a Standalone Isolated Server Zone](checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md)| | Verify that the connection security rules are protecting network traffic on your test devices. | [Verify That Network Traffic Is Authenticated](verify-that-network-traffic-is-authenticated.md)| diff --git a/windows/security/threat-protection/windows-firewall/configure-authentication-methods.md b/windows/security/threat-protection/windows-firewall/configure-authentication-methods.md index 1537a9a193..547685f707 100644 --- a/windows/security/threat-protection/windows-firewall/configure-authentication-methods.md +++ b/windows/security/threat-protection/windows-firewall/configure-authentication-methods.md @@ -1,6 +1,6 @@ --- title: Configure Authentication Methods (Windows 10) -description: Configure Authentication Methods +description: Learn how to configure authentication methods for devices in an isolated domain or standalone server zone in Windows Defender Firewall with Advanced Security. ms.assetid: 5fcdc523-617f-4233-9213-15fe19f4cd02 ms.reviewer: ms.author: dansimp diff --git a/windows/security/threat-protection/windows-firewall/configure-data-protection-quick-mode-settings.md b/windows/security/threat-protection/windows-firewall/configure-data-protection-quick-mode-settings.md index 70452597e6..886c851257 100644 --- a/windows/security/threat-protection/windows-firewall/configure-data-protection-quick-mode-settings.md 
+++ b/windows/security/threat-protection/windows-firewall/configure-data-protection-quick-mode-settings.md
@@ -1,6 +1,6 @@
 ---
 title: Configure Data Protection (Quick Mode) Settings (Windows 10)
-description: Configure Data Protection (Quick Mode) Settings
+description: Learn how to configure the data protection settings for connection security rules in an isolated domain or a standalone isolated server zone.
 ms.assetid: fdcb1b36-e267-4be7-b842-5df9a067c9e0
 ms.reviewer:
 ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/configure-group-policy-to-autoenroll-and-deploy-certificates.md b/windows/security/threat-protection/windows-firewall/configure-group-policy-to-autoenroll-and-deploy-certificates.md
index c16f30452b..c619cda63c 100644
--- a/windows/security/threat-protection/windows-firewall/configure-group-policy-to-autoenroll-and-deploy-certificates.md
+++ b/windows/security/threat-protection/windows-firewall/configure-group-policy-to-autoenroll-and-deploy-certificates.md
@@ -1,6 +1,6 @@
 ---
 title: Configure Group Policy to Autoenroll and Deploy Certificates (Windows 10)
-description: Configure Group Policy to Autoenroll and Deploy Certificates
+description: Learn how to configure Group Policy to automatically enroll client computer certificates and deploy them to the workstations on your network.
 ms.assetid: faeb62b5-2cc3-42f7-bee5-53ba45d05c09
 ms.reviewer:
 ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/configure-key-exchange-main-mode-settings.md b/windows/security/threat-protection/windows-firewall/configure-key-exchange-main-mode-settings.md
index b8743e2e69..7666bdc174 100644
--- a/windows/security/threat-protection/windows-firewall/configure-key-exchange-main-mode-settings.md
+++ b/windows/security/threat-protection/windows-firewall/configure-key-exchange-main-mode-settings.md
@@ -1,6 +1,6 @@
 ---
 title: Configure Key Exchange (Main Mode) Settings (Windows 10)
-description: Configure Key Exchange (Main Mode) Settings
+description: Learn how to configure the main mode key exchange settings used to secure the IPsec authentication traffic in Windows Defender Firewall with Advanced Security.
 ms.assetid: 5c593b6b-2cd9-43de-9b4e-95943fe82f52
 ms.reviewer:
 ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/configure-the-rules-to-require-encryption.md b/windows/security/threat-protection/windows-firewall/configure-the-rules-to-require-encryption.md
index 7fde7baa03..ca7c77dfd2 100644
--- a/windows/security/threat-protection/windows-firewall/configure-the-rules-to-require-encryption.md
+++ b/windows/security/threat-protection/windows-firewall/configure-the-rules-to-require-encryption.md
@@ -1,6 +1,6 @@
 ---
 title: Configure the Rules to Require Encryption (Windows 10)
-description: Configure the Rules to Require Encryption
+description: Learn how to configure rules to add encryption algorithms and delete the algorithm combinations that do not use encryption for zones that require encryption.
 ms.assetid: 07b7760f-3225-4b4b-b418-51787b0972a0
 ms.reviewer:
 ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/configure-the-windows-firewall-log.md b/windows/security/threat-protection/windows-firewall/configure-the-windows-firewall-log.md
index 537198bd08..8cb54165e1 100644
--- a/windows/security/threat-protection/windows-firewall/configure-the-windows-firewall-log.md
+++ b/windows/security/threat-protection/windows-firewall/configure-the-windows-firewall-log.md
@@ -1,6 +1,6 @@
 ---
 title: Configure the Windows Defender Firewall Log (Windows 10)
-description: Configure the Windows Defender Firewall Log
+description: Learn how to configure Windows Defender Firewall with Advanced Security to log dropped packets or successful connections by using Group Policy Management MMC.
 ms.assetid: f037113d-506b-44d3-b9c0-0b79d03e7d18
 ms.reviewer:
 ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/configure-the-workstation-authentication-certificate-template.md b/windows/security/threat-protection/windows-firewall/configure-the-workstation-authentication-certificate-template.md
index 61f12fe05d..927053f40c 100644
--- a/windows/security/threat-protection/windows-firewall/configure-the-workstation-authentication-certificate-template.md
+++ b/windows/security/threat-protection/windows-firewall/configure-the-workstation-authentication-certificate-template.md
@@ -1,6 +1,6 @@
 ---
 title: Configure the Workstation Authentication Template (Windows 10)
-description: Configure the Workstation Authentication Certificate Template
+description: Learn how to configure a workstation authentication certificate template, which is used for device certificates that are enrolled and deployed to workstations.
 ms.assetid: c3ac9960-6efc-47c1-bd69-d9d4bf84f7a6
 ms.reviewer:
 manager: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/confirm-that-certificates-are-deployed-correctly.md b/windows/security/threat-protection/windows-firewall/confirm-that-certificates-are-deployed-correctly.md
index 566425e4b8..65704e92f5 100644
--- a/windows/security/threat-protection/windows-firewall/confirm-that-certificates-are-deployed-correctly.md
+++ b/windows/security/threat-protection/windows-firewall/confirm-that-certificates-are-deployed-correctly.md
@@ -1,6 +1,6 @@
 ---
 title: Confirm That Certificates Are Deployed Correctly (Windows 10)
-description: Confirm That Certificates Are Deployed Correctly
+description: Learn how to confirm that a Group Policy is being applied as expected and that the certificates are being properly installed on the workstations.
 ms.assetid: de0c8dfe-16b0-4d3b-8e8f-9282f6a65eee
 ms.reviewer:
 ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/copy-a-gpo-to-create-a-new-gpo.md b/windows/security/threat-protection/windows-firewall/copy-a-gpo-to-create-a-new-gpo.md
index e9c8024043..51ecd3fcb2 100644
--- a/windows/security/threat-protection/windows-firewall/copy-a-gpo-to-create-a-new-gpo.md
+++ b/windows/security/threat-protection/windows-firewall/copy-a-gpo-to-create-a-new-gpo.md
@@ -1,6 +1,6 @@
 ---
 title: Copy a GPO to Create a New GPO (Windows 10)
-description: Copy a GPO to Create a New GPO
+description: Learn how to make a copy of a GPO by using the Active Directory Users and devices MMC snap-in to create a GPO for boundary zone devices.
 ms.assetid: 7f6a23e5-4b3f-40d6-bf6d-7895558b1406
 ms.reviewer:
 ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/create-a-group-account-in-active-directory.md b/windows/security/threat-protection/windows-firewall/create-a-group-account-in-active-directory.md
index 5e5b2b22d9..35f885a1ee 100644
--- a/windows/security/threat-protection/windows-firewall/create-a-group-account-in-active-directory.md
+++ b/windows/security/threat-protection/windows-firewall/create-a-group-account-in-active-directory.md
@@ -1,6 +1,6 @@
 ---
 title: Create a Group Account in Active Directory (Windows 10)
-description: Create a Group Account in Active Directory
+description: Learn how to create a security group for the computers that are to receive Group Policy settings by using the Active Directory Users and Computers console.
 ms.assetid: c3700413-e02d-4d56-96b8-7991f97ae432
 ms.reviewer:
 ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/create-a-group-policy-object.md b/windows/security/threat-protection/windows-firewall/create-a-group-policy-object.md index b790f7d1ac..b2cef93530 100644 --- a/windows/security/threat-protection/windows-firewall/create-a-group-policy-object.md +++ b/windows/security/threat-protection/windows-firewall/create-a-group-policy-object.md @@ -1,6 +1,6 @@ --- title: Create a Group Policy Object (Windows 10) -description: Create a Group Policy Object +description: Learn how to use the Active Directory Users and Computers MMC snap-in to create a GPO. You must be a member of the Domain Administrators group. ms.assetid: 72a50dd7-5033-4d97-a5eb-0aff8a35cced ms.reviewer: ms.author: dansimp @@ -39,7 +39,8 @@ To create a new GPO 4. In the **Name** text box, type the name for your new GPO. - >**Note:** Be sure to use a name that clearly indicates the purpose of the GPO. Check to see if your organization has a naming convention for GPOs. + > [!NOTE] + > Be sure to use a name that clearly indicates the purpose of the GPO. Check to see if your organization has a naming convention for GPOs. 5. Leave **Source Starter GPO** set to **(none)**, and then click **OK**. diff --git a/windows/security/threat-protection/windows-firewall/create-an-authentication-exemption-list-rule.md b/windows/security/threat-protection/windows-firewall/create-an-authentication-exemption-list-rule.md index 2f97c1e3a7..bdcad85769 100644 --- a/windows/security/threat-protection/windows-firewall/create-an-authentication-exemption-list-rule.md +++ b/windows/security/threat-protection/windows-firewall/create-an-authentication-exemption-list-rule.md 
@@ -1,6 +1,6 @@
 ---
 title: Create an Authentication Exemption List Rule (Windows 10)
-description: Create an Authentication Exemption List Rule
+description: Learn how to create rules that exempt devices that cannot communicate by using IPSec from the authentication requirements of your isolation policies.
 ms.assetid: 8f6493f3-8527-462a-82c0-fd91a6cb5dd8
 ms.reviewer:
 ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/create-an-inbound-icmp-rule.md b/windows/security/threat-protection/windows-firewall/create-an-inbound-icmp-rule.md
index 2c0470e6c8..914c035aa9 100644
--- a/windows/security/threat-protection/windows-firewall/create-an-inbound-icmp-rule.md
+++ b/windows/security/threat-protection/windows-firewall/create-an-inbound-icmp-rule.md
@@ -1,6 +1,6 @@
 ---
 title: Create an Inbound ICMP Rule (Windows 10)
-description: Create an Inbound ICMP Rule
+description: Learn how to allow inbound ICMP traffic by using the Group Policy Management MMC snap-in to create rules in Windows Defender Firewall with Advanced Security.
 ms.assetid: 267b940a-79d9-4322-b53b-81901e357344
 ms.reviewer:
 ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/create-an-inbound-port-rule.md b/windows/security/threat-protection/windows-firewall/create-an-inbound-port-rule.md
index 2c3d3fccae..89db14ccae 100644
--- a/windows/security/threat-protection/windows-firewall/create-an-inbound-port-rule.md
+++ b/windows/security/threat-protection/windows-firewall/create-an-inbound-port-rule.md
@@ -1,6 +1,6 @@
 ---
 title: Create an Inbound Port Rule (Windows 10)
-description: Create an Inbound Port Rule
+description: Learn to allow traffic on specific ports by using the Group Policy Management MMC snap-in to create rules in Windows Defender Firewall with Advanced Security.
 ms.assetid: a7b6c6ca-32fa-46a9-a5df-a4e43147da9f
 ms.reviewer:
 ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/create-an-inbound-program-or-service-rule.md b/windows/security/threat-protection/windows-firewall/create-an-inbound-program-or-service-rule.md
index 401e8de3f6..c2d887fe0d 100644
--- a/windows/security/threat-protection/windows-firewall/create-an-inbound-program-or-service-rule.md
+++ b/windows/security/threat-protection/windows-firewall/create-an-inbound-program-or-service-rule.md
@@ -1,6 +1,6 @@
 ---
 title: Create an Inbound Program or Service Rule (Windows 10)
-description: Create an Inbound Program or Service Rule
+description: Learn how to allow inbound traffic to a program or service by using the Group Policy Management MMC snap-in to create firewall rules.
 ms.assetid: 00b7fa60-7c64-4ba5-ba95-c542052834cf
 ms.reviewer:
 ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/create-an-outbound-port-rule.md b/windows/security/threat-protection/windows-firewall/create-an-outbound-port-rule.md
index 19ced05694..db459ab562 100644
--- a/windows/security/threat-protection/windows-firewall/create-an-outbound-port-rule.md
+++ b/windows/security/threat-protection/windows-firewall/create-an-outbound-port-rule.md
@@ -1,6 +1,6 @@
 ---
 title: Create an Outbound Port Rule (Windows 10)
-description: Create an Outbound Port Rule
+description: Learn to block outbound traffic on a port by using the Group Policy Management MMC snap-in to create rules in Windows Defender Firewall with Advanced Security.
 ms.assetid: 59062b91-756b-42ea-8f2a-832f05d77ddf
 ms.reviewer:
 ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/create-inbound-rules-to-support-rpc.md b/windows/security/threat-protection/windows-firewall/create-inbound-rules-to-support-rpc.md
index 84b71ac1f8..e44f10923b 100644
--- a/windows/security/threat-protection/windows-firewall/create-inbound-rules-to-support-rpc.md
+++ b/windows/security/threat-protection/windows-firewall/create-inbound-rules-to-support-rpc.md
@@ -1,6 +1,6 @@
 ---
 title: Create Inbound Rules to Support RPC (Windows 10)
-description: Create Inbound Rules to Support RPC
+description: Learn how to allow RPC network traffic by using the Group Policy Management MMC snap-in to create rules in Windows Defender Firewall with Advanced Security.
 ms.assetid: 0b001c2c-12c1-4a30-bb99-0c034d7e6150
 ms.reviewer:
 ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md b/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md
index e7201d21c3..9b88cddfe3 100644
--- a/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md
+++ b/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md
@@ -1,6 +1,6 @@
 ---
 title: Create Windows Firewall rules in Intune (Windows 10)
-description: Explains how to create Windows Firewall rules in Intune
+description: Learn how to use Intune to create rules in Windows Defender Firewall with Advanced Security. Start by creating a profile in Device Configuration in Intune.
 ms.assetid: 47057d90-b053-48a3-b881-4f2458d3e431
 ms.reviewer:
 ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo.md b/windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo.md
index 57292a294e..ebcd8943b9 100644
--- a/windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo.md
+++ b/windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo.md
@@ -1,6 +1,6 @@
 ---
 title: Create WMI Filters for the GPO (Windows 10)
-description: Create WMI Filters for the GPO
+description: Learn how to use WMI filters on a GPO to make sure that each GPO for a group can only be applied to devices running the correct version of Windows.
 ms.assetid: b1a6d93d-a3c8-4e61-a388-4a3323f0e74e
 ms.reviewer:
 ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md b/windows/security/threat-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md
index d7bed686fa..b4f3c5a658 100644
--- a/windows/security/threat-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md
+++ b/windows/security/threat-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md
@@ -1,6 +1,6 @@
 ---
 title: Determining the Trusted State of Your Devices (Windows 10)
-description: Determining the Trusted State of Your Devices
+description: Learn how to define the trusted state of devices in your enterprise to help design your strategy for using Windows Defender Firewall with Advanced Security.
 ms.assetid: 3e77f0d0-43aa-47dd-8518-41ccdab2f2b2
 ms.reviewer:
 ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/documenting-the-zones.md b/windows/security/threat-protection/windows-firewall/documenting-the-zones.md
index 0fa1893aa6..6ed3a0bf2a 100644
--- a/windows/security/threat-protection/windows-firewall/documenting-the-zones.md
+++ b/windows/security/threat-protection/windows-firewall/documenting-the-zones.md
@@ -1,6 +1,6 @@
 ---
 title: Documenting the Zones (Windows 10)
-description: Documenting the Zones
+description: Learn how to document the zone placement of devices in your design for Windows Defender Firewall with Advanced Security.
 ms.assetid: ebd7a650-4d36-42d4-aac0-428617f5a32d
 ms.reviewer:
 ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design-example.md b/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design-example.md
index d0e345f2c5..bdc9a665db 100644
--- a/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design-example.md
+++ b/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design-example.md
@@ -1,6 +1,6 @@
 ---
 title: Domain Isolation Policy Design Example (Windows 10)
-description: Domain Isolation Policy Design Example
+description: This example uses a fictitious company to illustrate domain isolation policy design in Windows Defender Firewall with Advanced Security.
 ms.assetid: 704dcf58-286f-41aa-80af-c81720aa7fc5
 ms.reviewer:
 ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design.md
index 948932fb53..ab6c8e4327 100644
--- a/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design.md
+++ b/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design.md
@@ -1,6 +1,6 @@
 ---
 title: Domain Isolation Policy Design (Windows 10)
-description: Domain Isolation Policy Design
+description: Learn how to design a domain isolation policy, based on which devices accept only connections from authenticated members of the same isolated domain.
 ms.assetid: 7475084e-f231-473a-9357-5e1d39861d66
 ms.reviewer:
 ms.author: dansimp
@@ -50,8 +50,8 @@ Characteristics of this design, as shown in the diagram, include the following: - Untrusted non-domain members (area D) - Devices that are not managed by your organization and have an unknown security configuration must have access only to those devices required for your organization to correctly conduct its business. Domain isolation exists to put a logical barrier between these untrusted Devices and your organization's devices. After implementing this design, your administrative team will have centralized management of the firewall and connection security rules applied to the devices in your organization. - ->**Important:**  This design builds on the [Basic Firewall Policy Design](basic-firewall-policy-design.md), and in turn serves as the foundation for the [Server Isolation Policy Design](server-isolation-policy-design.md). If you plan to deploy all three, we recommend that you do the design work for all three together, and then deploy in the sequence presented. +> [!IMPORTANT] +> This design builds on the [Basic Firewall Policy Design](basic-firewall-policy-design.md), and in turn serves as the foundation for the [Server Isolation Policy Design](server-isolation-policy-design.md). If you plan to deploy all three, we recommend that you do the design work for all three together, and then deploy in the sequence presented. This design can be applied to Devices that are part of an Active Directory forest. Active Directory is required to provide the centralized management and deployment of Group Policy objects that contain the connection security rules. 
@@ -59,7 +59,7 @@ In order to expand the isolated domain to include Devices that cannot be part of For more info about this design: -- This design coincides with the deployment goals to [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md), [Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md), and optionally [Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md). +- This design coincides with the implementation goals to [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md), [Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md), and optionally [Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md). - To learn more about this design, see the [Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md). diff --git a/windows/security/threat-protection/windows-firewall/enable-predefined-outbound-rules.md b/windows/security/threat-protection/windows-firewall/enable-predefined-outbound-rules.md index 17c9f0d4ee..92491a2ab8 100644 --- a/windows/security/threat-protection/windows-firewall/enable-predefined-outbound-rules.md +++ b/windows/security/threat-protection/windows-firewall/enable-predefined-outbound-rules.md @@ -1,6 +1,6 @@ --- title: Enable Predefined Outbound Rules (Windows 10) -description: Enable Predefined Outbound Rules +description: Learn to deploy predefined firewall rules that block outbound network traffic for common network functions in Windows Defender Firewall with Advanced Security. ms.assetid: 71cc4157-a1ed-41d9-91e4-b3140c67c1be ms.reviewer: ms.author: dansimp 
diff --git a/windows/security/threat-protection/windows-firewall/encryption-zone-gpos.md b/windows/security/threat-protection/windows-firewall/encryption-zone-gpos.md
index 1a2eab4b13..33338e8b52 100644
--- a/windows/security/threat-protection/windows-firewall/encryption-zone-gpos.md
+++ b/windows/security/threat-protection/windows-firewall/encryption-zone-gpos.md
@@ -1,6 +1,6 @@
 ---
 title: Encryption Zone GPOs (Windows 10)
-description: Encryption Zone GPOs
+description: Learn how to add a device to an encryption zone by adding the device account to the encryption zone group in Windows Defender Firewall with Advanced Security.
 ms.assetid: eeb973dd-83a5-4381-9af9-65c43c98c29b
 ms.reviewer:
 ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/encryption-zone.md b/windows/security/threat-protection/windows-firewall/encryption-zone.md
index ced058672b..097cbdf870 100644
--- a/windows/security/threat-protection/windows-firewall/encryption-zone.md
+++ b/windows/security/threat-protection/windows-firewall/encryption-zone.md
@@ -1,6 +1,6 @@
 ---
 title: Encryption Zone (Windows 10)
-description: Encryption Zone
+description: Learn how to create an encryption zone to contain devices that host very sensitive data and require that the sensitive network traffic be encrypted.
 ms.assetid: 55a025ce-357f-4d1b-b2ae-6ee32c9abe13
 ms.reviewer:
 ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/exempt-icmp-from-authentication.md b/windows/security/threat-protection/windows-firewall/exempt-icmp-from-authentication.md
index 4293f9cc59..5b87eef36e 100644
--- a/windows/security/threat-protection/windows-firewall/exempt-icmp-from-authentication.md
+++ b/windows/security/threat-protection/windows-firewall/exempt-icmp-from-authentication.md
@@ -1,6 +1,6 @@
 ---
 title: Exempt ICMP from Authentication (Windows 10)
-description: Exempt ICMP from Authentication
+description: Learn how to add exemptions for any network traffic that uses the ICMP protocol in Windows Defender Firewall with Advanced Security.
 ms.assetid: c086c715-8d0c-4eb5-9ea7-2f7635a55548
 ms.reviewer:
 ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/exemption-list.md b/windows/security/threat-protection/windows-firewall/exemption-list.md
index f66bc68daa..eb4909a401 100644
--- a/windows/security/threat-protection/windows-firewall/exemption-list.md
+++ b/windows/security/threat-protection/windows-firewall/exemption-list.md
@@ -1,6 +1,6 @@
 ---
 title: Exemption List (Windows 10)
-description: Learn the ins and outs of exemption lists on a secured network using Windows 10.
+description: Learn about reasons to add devices to an exemption list in Windows Defender Firewall with Advanced Security and the trade-offs of having too many exemptions.
 ms.assetid: a05e65b4-b48d-44b1-a7f1-3a8ea9c19ed8
 ms.reviewer:
 ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/firewall-gpos.md b/windows/security/threat-protection/windows-firewall/firewall-gpos.md
index 1af381ba0e..e40d0eddc7 100644
--- a/windows/security/threat-protection/windows-firewall/firewall-gpos.md
+++ b/windows/security/threat-protection/windows-firewall/firewall-gpos.md
@@ -1,6 +1,6 @@
 ---
 title: Firewall GPOs (Windows 10)
-description: Firewall GPOs
+description: In this example, a Group Policy Object is linked to the domain container because the domain controllers are not part of the isolated domain.
 ms.assetid: 720645fb-a01f-491e-8d05-c9c6d5e28033
 ms.reviewer:
 ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/firewall-policy-design-example.md b/windows/security/threat-protection/windows-firewall/firewall-policy-design-example.md
index 5127569bc4..ca7bc12d6f 100644
--- a/windows/security/threat-protection/windows-firewall/firewall-policy-design-example.md +++ b/windows/security/threat-protection/windows-firewall/firewall-policy-design-example.md @@ -1,6 +1,6 @@ --- -title: Firewall Policy Design Example (Windows 10) -description: Firewall Policy Design Example +title: Basic Firewall Policy Design Example (Windows 10) +description: This example features a fictitious company and illustrates firewall policy design for Windows Defender Firewall with Advanced Security. ms.assetid: 0dc3bcfe-7a4d-4a15-93a9-64b13bd775a7 ms.reviewer: ms.author: dansimp @@ -17,7 +17,7 @@ ms.topic: conceptual ms.date: 08/17/2017 --- -# Firewall Policy Design Example +# Basic Firewall Policy Design Example **Applies to** - Windows 10 diff --git a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-active-directory-deployment.md b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-active-directory-deployment.md index cd4b6c6d78..56c50d121a 100644 --- a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-active-directory-deployment.md +++ b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-active-directory-deployment.md @@ -1,6 +1,6 @@ --- title: Gathering Information about Your Active Directory Deployment (Windows 10) -description: Gathering Information about Your Active Directory Deployment +description: Learn about gathering Active Directory information, including domain layout, organizational unit architecture, and site topology, for your firewall deployment. ms.assetid: b591b85b-12ac-4329-a47e-bc1b03e66eb0 ms.reviewer: ms.author: dansimp diff --git a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-devices.md b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-devices.md index 2feb5a2fd1..0d8532e07e 100644 
--- a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-devices.md
+++ b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-devices.md
@@ -1,6 +1,6 @@
 ---
 title: Gathering Information about Your Devices (Windows 10)
-description: Gathering Information about Your Devices
+description: Learn what information to gather about the devices in your enterprise to plan your Windows Defender Firewall with Advanced Security deployment.
 ms.assetid: 7f7cd3b9-de8e-4fbf-89c6-3d1a47bc2beb
 ms.reviewer:
 ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/gathering-other-relevant-information.md b/windows/security/threat-protection/windows-firewall/gathering-other-relevant-information.md
index 5d29784f77..44b471961b 100644
--- a/windows/security/threat-protection/windows-firewall/gathering-other-relevant-information.md
+++ b/windows/security/threat-protection/windows-firewall/gathering-other-relevant-information.md
@@ -1,6 +1,6 @@
 ---
 title: Gathering Other Relevant Information (Windows 10)
-description: Gathering Other Relevant Information
+description: Learn about additional information you may need to gather to deploy Windows Defender Firewall with Advanced Security policies in your organization.
 ms.assetid: 87ccca07-4346-496b-876d-cdde57d0ce17
 ms.reviewer:
 ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/gathering-the-information-you-need.md b/windows/security/threat-protection/windows-firewall/gathering-the-information-you-need.md
index 89fc8ac3c0..da4b632a34 100644
--- a/windows/security/threat-protection/windows-firewall/gathering-the-information-you-need.md
+++ b/windows/security/threat-protection/windows-firewall/gathering-the-information-you-need.md
@@ -1,6 +1,6 @@
 ---
 title: Gathering the Information You Need (Windows 10)
-description: Gathering the Information You Need
+description: Collect and analyze information about your network, directory services, and devices to prepare for Windows Defender Firewall with Advanced Security deployment.
 ms.assetid: 545fef02-5725-4b1e-b67a-a32d94c27d15
 ms.reviewer:
 ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/gpo-domiso-boundary.md b/windows/security/threat-protection/windows-firewall/gpo-domiso-boundary.md
index 006015b36a..ca757eeba4 100644
--- a/windows/security/threat-protection/windows-firewall/gpo-domiso-boundary.md
+++ b/windows/security/threat-protection/windows-firewall/gpo-domiso-boundary.md
@@ -1,6 +1,6 @@
 ---
 title: GPO\_DOMISO\_Boundary (Windows 10)
-description: GPO\_DOMISO\_Boundary
+description: This example GPO supports devices that are not part of the isolated domain to access specific servers that must be available to those untrusted devices.
 ms.assetid: ead3a510-c329-4c2a-9ad2-46a3b4975cfd
 ms.reviewer:
 ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/gpo-domiso-encryption.md b/windows/security/threat-protection/windows-firewall/gpo-domiso-encryption.md
index e16a7ecc32..ee39cb7790 100644
--- a/windows/security/threat-protection/windows-firewall/gpo-domiso-encryption.md
+++ b/windows/security/threat-protection/windows-firewall/gpo-domiso-encryption.md
@@ -1,6 +1,6 @@
 ---
 title: GPO\_DOMISO\_Encryption\_WS2008 (Windows 10)
-description: GPO\_DOMISO\_Encryption\_WS2008
+description: This example GPO supports the ability for servers that contain sensitive data to require encryption for all connection requests.
 ms.assetid: 84375480-af6a-4c79-aafe-0a37115a7446
 ms.reviewer:
 ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/gpo-domiso-firewall.md b/windows/security/threat-protection/windows-firewall/gpo-domiso-firewall.md
index e44b50dd82..3cba8b312c 100644
--- a/windows/security/threat-protection/windows-firewall/gpo-domiso-firewall.md
+++ b/windows/security/threat-protection/windows-firewall/gpo-domiso-firewall.md
@@ -1,6 +1,6 @@
 ---
 title: GPO\_DOMISO\_Firewall (Windows 10)
-description: GPO\_DOMISO\_Firewall
+description: Learn about the settings and rules in this example GPO, which is authored by using the Group Policy editing tools.
 ms.assetid: 318467d2-5698-4c5d-8000-7f56f5314c42
 ms.reviewer:
 ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md b/windows/security/threat-protection/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md
index 5e3a16c452..96725d8ff3 100644
--- a/windows/security/threat-protection/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md
+++ b/windows/security/threat-protection/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md
@@ -1,6 +1,6 @@
 ---
-title: Identify Goals for your WFAS Deployment (Windows 10)
-description: Identifying Your Windows Defender Firewall with Advanced Security (WFAS) Deployment Goals
+title: Identify implementation goals for Windows Defender Firewall with Advanced Security Deployment (Windows 10)
+description: Identifying Your Windows Defender Firewall with Advanced Security (WFAS) implementation goals
 ms.assetid: 598cf45e-2e1c-4947-970f-361dfa264bba
 ms.reviewer:
 ms.author: dansimp
@@ -17,22 +17,21 @@ ms.topic: conceptual ms.date: 08/17/2017 --- -# Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals - +# Identifying Windows Defender Firewall with Advanced Security implementation goals **Applies to** - Windows 10 - Windows Server 2016 -Correctly identifying your Windows Defender Firewall with Advanced Security deployment goals is essential for the success of your Windows Defender Firewall design project. Form a project team that can clearly articulate deployment issues in a vision statement. When you write your vision statement, identify, clarify, and refine your deployment goals. Prioritize and, if possible, combine your deployment goals so that you can design and deploy Windows Defender Firewall by using an iterative approach. You can take advantage of the predefined Windows Defender Firewall deployment goals presented in this guide that are relevant to your scenarios. +Correctly identifying your Windows Defender Firewall with Advanced Security implementation goals is essential for the success of your Windows Defender Firewall design project. Form a project team that can clearly articulate deployment issues in a vision statement. When you write your vision statement, identify, clarify, and refine your implementation goals. Prioritize and, if possible, combine your implementation goals so that you can design and deploy Windows Defender Firewall by using an iterative approach. You can take advantage of the predefined Windows Defender Firewall implementation goals presented in this guide that are relevant to your scenarios. 
-The following table lists the three main tasks for articulating, refining, and subsequently documenting your Windows Defender Firewall deployment goals: +The following table lists the three main tasks for articulating, refining, and subsequently documenting your Windows Defender Firewall implementation goals: | Deployment goal tasks | Reference links | |--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Evaluate predefined Windows Defender Firewall with Advanced Security deployment goals that are provided in this section of the guide, and combine one or more goals to reach your organizational objectives. | Predefined deployment goals:

                        • [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md)
                        • [Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md)
                        • [Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md)
                        • [Restrict Access to Sensitive Resources to Only Specified Users or Devices](restrict-access-to-only-specified-users-or-devices.md)
                        | -| Map one goal or a combination of the predefined deployment goals to an existing Windows Defender Firewall with Advanced Security design. |
                        • [Mapping Your Deployment Goals to a Windows Defender Firewall with Advanced Security Design](mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md)
                        | -| Based on the status of your current infrastructure, document your deployment goals for your Windows Defender Firewall with Advanced Security design into a deployment plan. |
                        • [Designing A Windows Defender Firewall Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md)
                        • [Planning Your Windows Defender Firewall Design with Advanced Security](planning-your-windows-firewall-with-advanced-security-design.md)
                        | +| Evaluate predefined Windows Defender Firewall with Advanced Security implementation goals that are provided in this section of the guide, and combine one or more goals to reach your organizational objectives. | Predefined implementation goals:

                        • [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md)
                        • [Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md)
                        • [Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md)
                        • [Restrict Access to Sensitive Resources to Only Specified Users or Devices](restrict-access-to-only-specified-users-or-devices.md)
                        | +| Map one goal or a combination of the predefined implementation goals to an existing Windows Defender Firewall with Advanced Security design. |
                        • [Mapping Your implementation goals to a Windows Defender Firewall with Advanced Security Design](mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md)
                        | +| Based on the status of your current infrastructure, document your implementation goals for your Windows Defender Firewall with Advanced Security design into a deployment plan. |
                        • [Designing A Windows Defender Firewall Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md)
                        • [Planning Your Windows Defender Firewall Design with Advanced Security](planning-your-windows-firewall-with-advanced-security-design.md)
                        |
                        diff --git a/windows/security/threat-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md b/windows/security/threat-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md index c56fd15494..841c88ae5d 100644 --- a/windows/security/threat-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md +++ b/windows/security/threat-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md @@ -48,7 +48,7 @@ Use the following parent checklists in this section of the guide to become famil - [Checklist: Implementing a Domain Isolation Policy Design](checklist-implementing-a-domain-isolation-policy-design.md) -- [Checklist: Implementing a Domain Isolation Policy Design](checklist-implementing-a-domain-isolation-policy-design.md) +- [Checklist: Implementing a Standalone Server Isolation Policy Design](checklist-implementing-a-standalone-server-isolation-policy-design.md) - [Checklist: Implementing a Certificate-based Isolation Policy Design](checklist-implementing-a-certificate-based-isolation-policy-design.md) diff --git a/windows/security/threat-protection/windows-firewall/isolated-domain-gpos.md b/windows/security/threat-protection/windows-firewall/isolated-domain-gpos.md index 84999a6bd2..a07f984898 100644 --- a/windows/security/threat-protection/windows-firewall/isolated-domain-gpos.md +++ b/windows/security/threat-protection/windows-firewall/isolated-domain-gpos.md @@ -1,6 +1,6 @@ --- title: Isolated Domain GPOs (Windows 10) -description: Isolated Domain GPOs +description: Learn about GPOs for isolated domains in this example configuration of Windows Defender Firewall with Advanced Security. ms.assetid: e254ce4a-18c6-4868-8179-4078d9de215f ms.reviewer: ms.author: dansimp 
diff --git a/windows/security/threat-protection/windows-firewall/isolated-domain.md b/windows/security/threat-protection/windows-firewall/isolated-domain.md
index bb06dc1bff..90b121b86e 100644
--- a/windows/security/threat-protection/windows-firewall/isolated-domain.md
+++ b/windows/security/threat-protection/windows-firewall/isolated-domain.md
@@ -1,6 +1,6 @@
 ---
 title: Isolated Domain (Windows 10)
-description: Isolated Domain
+description: Learn about the isolated domain, which is the primary zone for trusted devices, which use connection security and firewall rules to control communication.
 ms.assetid: d6fa8d67-0078-49f6-9bcc-db1f24816c5e
 ms.reviewer:
 ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/isolating-apps-on-your-network.md b/windows/security/threat-protection/windows-firewall/isolating-apps-on-your-network.md
index 1a5d115e8a..169d59a2df 100644
--- a/windows/security/threat-protection/windows-firewall/isolating-apps-on-your-network.md
+++ b/windows/security/threat-protection/windows-firewall/isolating-apps-on-your-network.md
@@ -1,6 +1,6 @@
 ---
 title: Isolating Microsoft Store Apps on Your Network (Windows 10)
-description: Isolating Microsoft Store Apps on Your Network
+description: Learn how to customize your firewall configuration to isolate the network access of the new Microsoft Store apps that run on devices added to your network.
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-firewall/link-the-gpo-to-the-domain.md b/windows/security/threat-protection/windows-firewall/link-the-gpo-to-the-domain.md
index 3b40dbd662..9f710aa000 100644
--- a/windows/security/threat-protection/windows-firewall/link-the-gpo-to-the-domain.md
+++ b/windows/security/threat-protection/windows-firewall/link-the-gpo-to-the-domain.md
@@ -1,6 +1,6 @@
 ---
 title: Link the GPO to the Domain (Windows 10)
-description: Link the GPO to the Domain
+description: Learn how to link a GPO to the Active Directory container for the target devices, after you configure it in Windows Defender Firewall with Advanced Security.
 ms.assetid: 746d4553-b1a6-4954-9770-a948926b1165
 ms.reviewer:
 ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md b/windows/security/threat-protection/windows-firewall/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md
index 9c73c224b9..314389955f 100644
--- a/windows/security/threat-protection/windows-firewall/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md
+++ b/windows/security/threat-protection/windows-firewall/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md
@@ -1,6 +1,6 @@
 ---
-title: Mapping Your Deployment Goals to a Windows Firewall with Advanced Security Design (Windows 10)
-description: Mapping Your Deployment Goals to a Windows Firewall with Advanced Security Design
+title: Mapping your implementation goals to a Windows Firewall with Advanced Security design (Windows 10)
+description: Mapping your implementation goals to a Windows Firewall with Advanced Security design
 ms.assetid: 7e68c59e-ba40-49c4-8e47-5de5d6b5eb22
 ms.reviewer:
 ms.author: dansimp
@@ -17,17 +17,17 @@ ms.topic: conceptual ms.date: 04/19/2017 --- -# Mapping Your Deployment Goals to a Windows Firewall with Advanced Security Design +# Mapping your implementation goals to a Windows Firewall with Advanced Security design **Applies to** - Windows 10 - Windows Server 2016 -After you finish reviewing the existing Windows Firewall with Advanced Security deployment goals and you determine which goals are important to your specific deployment, you can map those goals to a specific Windows Firewall with Advanced Security design. +After you finish reviewing the existing Windows Firewall with Advanced Security implementation goals and you determine which goals are important to your specific deployment, you can map those goals to a specific Windows Firewall with Advanced Security design. +> [!IMPORTANT] +> The first three designs presented in this guide build on each other to progress from simpler to more complex. Therefore during deployment, consider implementing them in the order presented. Each deployed design also provides a stable position from which to evaluate your progress, and to make sure that your goals are being met before you continue to the next design. ->**Important:**  The first three designs presented in this guide build on each other to progress from simpler to more complex. Therefore during deployment, consider implementing them in the order presented. Each deployed design also provides a stable position from which to evaluate your progress, and to make sure that your goals are being met before you continue to the next design. - -Use the following table to determine which Windows Firewall with Advanced Security design maps to the appropriate combination of Windows Firewall with Advanced Security deployment goals for your organization. This table refers only to the Windows Firewall with Advanced Security designs as described in this guide. 
However, you can create a hybrid or custom Windows Firewall with Advanced Security design by using any combination of the Windows Firewall with Advanced Security deployment goals to meet the needs of your organization. +Use the following table to determine which Windows Firewall with Advanced Security design maps to the appropriate combination of Windows Firewall with Advanced Security implementation goals for your organization. This table refers only to the Windows Firewall with Advanced Security designs as described in this guide. However, you can create a hybrid or custom Windows Firewall with Advanced Security design by using any combination of the Windows Firewall with Advanced Security implementation goals to meet the needs of your organization. | Deployment Goals | Basic Firewall Policy Design | Domain Isolation Policy Design | Server Isolation Policy Design | Certificate-based Isolation Policy Design | | - |- | - | - | - | diff --git a/windows/security/threat-protection/windows-firewall/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md b/windows/security/threat-protection/windows-firewall/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md index b055c8d636..9a78732eb3 100644 --- a/windows/security/threat-protection/windows-firewall/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md +++ b/windows/security/threat-protection/windows-firewall/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md @@ -1,6 +1,6 @@ --- title: Modify GPO Filters (Windows 10) -description: Modify GPO Filters to Apply to a Different Zone or Version of Windows +description: Learn how to modify GPO filters to apply to a different zone or version of windows in Windows Defender Firewall with Advanced Security. ms.assetid: 24ede9ca-a501-4025-9020-1129e2cdde80 ms.reviewer: ms.author: dansimp 
diff --git a/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-ip-security-policies.md b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-ip-security-policies.md
index e00e35ccff..63c6cbf6d2 100644
--- a/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-ip-security-policies.md
+++ b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-ip-security-policies.md
@@ -1,6 +1,6 @@
 ---
 title: Open the Group Policy Management Console to IP Security Policies (Windows 10)
-description: Open the Group Policy Management Console to IP Security Policies
+description: Learn how to open the Group Policy Management Console to IP Security Policies to configure GPOs for earlier versions of the Windows operating system.
 ms.assetid: 235f73e4-37b7-40f4-a35e-3e7238bbef43
 ms.reviewer:
 ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md
index bce220a506..134a6bb928 100644
--- a/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md
+++ b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md
@@ -1,6 +1,6 @@
 ---
-title: Open a GPO to Windows Defender Firewall (Windows 10)
-description: Open the Group Policy Management Console to Windows Defender Firewall with Advanced Security
+title: Group Policy Management of Windows Defender Firewall (Windows 10)
+description: Group Policy Management of Windows Defender Firewall with Advanced Security
 ms.assetid: 5090b2c8-e038-4905-b238-19ecf8227760
 ms.reviewer:
 ms.author: dansimp
@@ -17,7 +17,7 @@ ms.topic: conceptual ms.date: 04/02/2017 --- -# Open the Group Policy Management Console to Windows Defender Firewall +# Group Policy Management of Windows Defender Firewall **Applies to** - Windows 10 diff --git a/windows/security/threat-protection/windows-firewall/open-windows-firewall-with-advanced-security.md b/windows/security/threat-protection/windows-firewall/open-windows-firewall-with-advanced-security.md index cbf3fd9257..3d67c96d9d 100644 --- a/windows/security/threat-protection/windows-firewall/open-windows-firewall-with-advanced-security.md +++ b/windows/security/threat-protection/windows-firewall/open-windows-firewall-with-advanced-security.md @@ -1,6 +1,6 @@ --- title: Open Windows Defender Firewall with Advanced Security (Windows 10) -description: Open Windows Defender Firewall with Advanced Security +description: Learn how to open the Windows Defender Firewall with Advanced Security console. You must be a member of the Administrators group. ms.assetid: 788faff2-0f50-4e43-91f2-3e2595c0b6a1 ms.reviewer: ms.author: dansimp diff --git a/windows/security/threat-protection/windows-firewall/planning-certificate-based-authentication.md b/windows/security/threat-protection/windows-firewall/planning-certificate-based-authentication.md index 100858ecbe..b2b2a0467b 100644 --- a/windows/security/threat-protection/windows-firewall/planning-certificate-based-authentication.md +++ b/windows/security/threat-protection/windows-firewall/planning-certificate-based-authentication.md @@ -1,6 +1,6 @@ --- title: Planning Certificate-based Authentication (Windows 10) -description: Planning Certificate-based Authentication +description: Learn how a device unable to join an Active Directory domain can still participate in an isolated domain by using certificate-based authentication. ms.assetid: a55344e6-d0df-4ad5-a6f5-67ccb6397dec ms.reviewer: ms.author: dansimp 
diff --git a/windows/security/threat-protection/windows-firewall/planning-domain-isolation-zones.md b/windows/security/threat-protection/windows-firewall/planning-domain-isolation-zones.md
index f37a7ebdea..5a7fcb44a2 100644
--- a/windows/security/threat-protection/windows-firewall/planning-domain-isolation-zones.md
+++ b/windows/security/threat-protection/windows-firewall/planning-domain-isolation-zones.md
@@ -1,6 +1,6 @@
 ---
 title: Planning Domain Isolation Zones (Windows 10)
-description: Planning Domain Isolation Zones
+description: Learn how to use information you have gathered to make decisions about isolation zones for your environment in Windows Defender Firewall with Advanced Security.
 ms.assetid: 70bc7c52-91f0-4a0d-a64a-69d3ea1c6d05
 ms.reviewer:
 ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/planning-gpo-deployment.md b/windows/security/threat-protection/windows-firewall/planning-gpo-deployment.md
index 188f4f2556..831200cf48 100644
--- a/windows/security/threat-protection/windows-firewall/planning-gpo-deployment.md
+++ b/windows/security/threat-protection/windows-firewall/planning-gpo-deployment.md
@@ -1,6 +1,6 @@
 ---
 title: Planning GPO Deployment (Windows 10)
-description: Planning GPO Deployment
+description: Learn how to use security group filtering and WMI filtering to provide the most flexible options for applying GPOs to devices in Active Directory.
 ms.assetid: b38adfb1-1371-4227-a887-e6d118809de1
 ms.reviewer:
 ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/planning-group-policy-deployment-for-your-isolation-zones.md b/windows/security/threat-protection/windows-firewall/planning-group-policy-deployment-for-your-isolation-zones.md
index 991bdcec0d..22f031c902 100644
--- a/windows/security/threat-protection/windows-firewall/planning-group-policy-deployment-for-your-isolation-zones.md
+++ b/windows/security/threat-protection/windows-firewall/planning-group-policy-deployment-for-your-isolation-zones.md
@@ -1,6 +1,6 @@
 ---
 title: Planning Group Policy Deployment for Your Isolation Zones (Windows 10)
-description: Planning Group Policy Deployment for Your Isolation Zones
+description: Learn how to plan a group policy deployment for your isolation zones after you determine the best logical design for your isolation environment.
 ms.assetid: ea7c0acd-af28-4347-9d4a-4801b470557c
 ms.reviewer:
 ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/planning-isolation-groups-for-the-zones.md b/windows/security/threat-protection/windows-firewall/planning-isolation-groups-for-the-zones.md
index 2183c3f911..cef2c16969 100644
--- a/windows/security/threat-protection/windows-firewall/planning-isolation-groups-for-the-zones.md
+++ b/windows/security/threat-protection/windows-firewall/planning-isolation-groups-for-the-zones.md
@@ -1,6 +1,6 @@
 ---
 title: Planning Isolation Groups for the Zones (Windows 10)
-description: Learn about planning isolation groups for the zones in Microsoft Firewall, including information on universal groups and GPOs
+description: Learn about planning isolation groups for the zones in Microsoft Firewall, including information on universal groups and GPOs.
 ms.assetid: be4b662d-c1ce-441e-b462-b140469a5695
 ms.reviewer:
 ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/planning-network-access-groups.md b/windows/security/threat-protection/windows-firewall/planning-network-access-groups.md
index 3043878e04..5cb6ff075c 100644
--- a/windows/security/threat-protection/windows-firewall/planning-network-access-groups.md
+++ b/windows/security/threat-protection/windows-firewall/planning-network-access-groups.md
@@ -1,6 +1,6 @@
 ---
 title: Planning Network Access Groups (Windows 10)
-description: Planning Network Access Groups
+description: Learn how to implement a network access group for users and devices that can access an isolated server in Windows Defender Firewall with Advanced Security.
 ms.assetid: 56ea1717-1731-4a5d-b277-5a73eb86feb0
 ms.reviewer:
 ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/planning-server-isolation-zones.md b/windows/security/threat-protection/windows-firewall/planning-server-isolation-zones.md
index f42eca057b..b1af014fa5 100644
--- a/windows/security/threat-protection/windows-firewall/planning-server-isolation-zones.md
+++ b/windows/security/threat-protection/windows-firewall/planning-server-isolation-zones.md
@@ -1,6 +1,6 @@
 ---
 title: Planning Server Isolation Zones (Windows 10)
-description: Planning Server Isolation Zones
+description: Learn how to restrict access to a server to approved users by using a server isolation zone in Windows Defender Firewall with Advanced Security.
 ms.assetid: 5f63c929-589e-4b64-82ea-515d62765b7b
 ms.reviewer:
 ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy.md b/windows/security/threat-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy.md
index 8138bd8ee1..5a8cd1a017 100644
--- a/windows/security/threat-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy.md
+++ b/windows/security/threat-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy.md
@@ -1,6 +1,6 @@
 ---
 title: Planning Settings for a Basic Firewall Policy (Windows 10)
-description: Planning Settings for a Basic Firewall Policy
+description: Learn how to design a basic policy for Windows Defender Firewall with Advanced Security, the settings and rules that enforce your requirements on devices.
 ms.assetid: 4c90df5a-3cbc-4b85-924b-537c2422d735
 ms.reviewer:
 ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/planning-the-gpos.md b/windows/security/threat-protection/windows-firewall/planning-the-gpos.md
index 78c49adcca..80b776ca44 100644
--- a/windows/security/threat-protection/windows-firewall/planning-the-gpos.md
+++ b/windows/security/threat-protection/windows-firewall/planning-the-gpos.md
@@ -1,6 +1,6 @@
 ---
 title: Planning the GPOs (Windows 10)
-description: Planning the GPOs
+description: Learn about planning Group Policy Objects for your isolation zones in Windows Defender Firewall with Advanced Security, after you design the zone layout.
 ms.assetid: 11949ca3-a11c-4a16-b297-0862432eb5b4
 ms.reviewer:
 ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md b/windows/security/threat-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md
index 6992965186..2caa25566a 100644
--- a/windows/security/threat-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md
+++ b/windows/security/threat-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md
@@ -1,6 +1,6 @@
 ---
 title: Planning Your Windows Defender Firewall with Advanced Security Design (Windows 10)
-description: Planning Your Windows Defender Firewall with Advanced Security Design
+description: After you gather the relevant information, select the design or combination of designs for Windows Defender Firewall with Advanced Security in your environment.
 ms.assetid: f3ac3d49-ef4c-4f3c-a16c-e107284e169f
 ms.reviewer:
 ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/procedures-used-in-this-guide.md b/windows/security/threat-protection/windows-firewall/procedures-used-in-this-guide.md
index 2d37487be2..643f41ab14 100644
--- a/windows/security/threat-protection/windows-firewall/procedures-used-in-this-guide.md
+++ b/windows/security/threat-protection/windows-firewall/procedures-used-in-this-guide.md @@ -1,6 +1,6 @@ --- title: Procedures Used in This Guide (Windows 10) -description: Procedures Used in This Guide +description: Refer to this summary of procedures for Windows Defender Firewall with Advanced Security from checklists in this guide. ms.assetid: 45c0f549-e4d8-45a3-a600-63e2a449e178 ms.reviewer: ms.author: dansimp diff --git a/windows/security/threat-protection/windows-firewall/protect-devices-from-unwanted-network-traffic.md b/windows/security/threat-protection/windows-firewall/protect-devices-from-unwanted-network-traffic.md index a3ca3c4b6e..a05d8eb5a3 100644 --- a/windows/security/threat-protection/windows-firewall/protect-devices-from-unwanted-network-traffic.md +++ b/windows/security/threat-protection/windows-firewall/protect-devices-from-unwanted-network-traffic.md @@ -1,6 +1,6 @@ --- -title: Protect Devices from Unwanted Network Traffic (Windows 10) -description: Protect Devices from Unwanted Network Traffic +title: Protect devices from unwanted network traffic (Windows 10) +description: Learn how running a host-based firewall on every device in your organization can help protect against attacks as part of a defense-in-depth security strategy. ms.assetid: 307d2b38-e8c4-4358-ae16-f2143af965dc ms.reviewer: ms.author: dansimp @@ -17,7 +17,7 @@ ms.topic: conceptual ms.date: 04/19/2017 --- -# Protect Devices from Unwanted Network Traffic +# Protect devices from unwanted network traffic **Applies to** - Windows 10 diff --git a/windows/security/threat-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md b/windows/security/threat-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md index 4f5c2b1cb0..a79aedce9d 100644 --- a/windows/security/threat-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md 
+++ b/windows/security/threat-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md @@ -1,6 +1,6 @@ --- title: Require Encryption When Accessing Sensitive Network Resources (Windows 10) -description: Require Encryption When Accessing Sensitive Network Resources +description: Windows Defender Firewall with Advanced Security allows you to require that all network traffic in an isolated domain be encrypted. ms.assetid: da980d30-a68b-4e2a-ba63-94726355ce6f ms.reviewer: ms.author: dansimp diff --git a/windows/security/threat-protection/windows-firewall/restrict-access-to-only-trusted-devices.md b/windows/security/threat-protection/windows-firewall/restrict-access-to-only-trusted-devices.md index cbdd8e51d9..27007f7718 100644 --- a/windows/security/threat-protection/windows-firewall/restrict-access-to-only-trusted-devices.md +++ b/windows/security/threat-protection/windows-firewall/restrict-access-to-only-trusted-devices.md @@ -1,6 +1,6 @@ --- -title: Restrict Access to Only Trusted Devices (Windows 10) -description: Restrict Access to Only Trusted Devices +title: Restrict access to only trusted devices (Windows 10) +description: Windows Defender Firewall with Advanced Security enables you to isolate devices you trust and restrict access of untrusted devices to trusted devices. ms.assetid: bc1f49a4-7d54-4857-8af9-b7c79f47273b ms.reviewer: ms.author: dansimp @@ -17,7 +17,7 @@ ms.topic: conceptual ms.date: 08/17/2017 --- -# Restrict Access to Only Trusted Devices +# Restrict access to only trusted devices **Applies to** - Windows 10 
@@ -27,7 +27,8 @@ Your organizational network likely has a connection to the Internet. You also li To mitigate this risk, you must be able to isolate the devices you trust, and restrict their ability to receive unsolicited network traffic from untrusted devices. By using connection security and firewall rules available in Windows Defender Firewall with Advanced Security, you can logically isolate the devices that you trust by requiring that all unsolicited inbound network traffic be authenticated. Authentication ensures that each device or user can positively identify itself by using credentials that are trusted by the other device. Connection security rules can be configured to use IPsec with the Kerberos V5 protocol available in Active Directory, or certificates issued by a trusted certification authority as the authentication method. ->**Note:**  Because the primary authentication method recommended for devices that are running Windows is to use the Kerberos V5 protocol with membership in an Active Directory domain, this guide refers to this logical separation of computers as *domain isolation*, even when certificates are used to extend the protection to devices that are not part of an Active Directory domain. +> [!NOTE] +> Because the primary authentication method recommended for devices that are running Windows is to use the Kerberos V5 protocol with membership in an Active Directory domain, this guide refers to this logical separation of computers as *domain isolation*, even when certificates are used to extend the protection to devices that are not part of an Active Directory domain. The protection provided by domain isolation can help you comply with regulatory and legislative requirements, such as those found in the Federal Information Security Management Act of 2002 (FISMA), the Sarbanes-Oxley Act of 2002, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and other government and industry regulations. 
diff --git a/windows/security/threat-protection/windows-firewall/server-isolation-gpos.md b/windows/security/threat-protection/windows-firewall/server-isolation-gpos.md
index dbffb1b8f1..8286d47f26 100644
--- a/windows/security/threat-protection/windows-firewall/server-isolation-gpos.md
+++ b/windows/security/threat-protection/windows-firewall/server-isolation-gpos.md
@@ -1,6 +1,6 @@
 ---
 title: Server Isolation GPOs (Windows 10)
-description: Server Isolation GPOs
+description: Learn about required GPOs for isolation zones and how many server isolation zones you need in Windows Defender Firewall with Advanced Security.
 ms.assetid: c97b1f2f-51d8-4596-b38a-8a3f6f706be4
 ms.reviewer:
 ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/server-isolation-policy-design-example.md b/windows/security/threat-protection/windows-firewall/server-isolation-policy-design-example.md
index b93e884682..daba2b5e2c 100644
--- a/windows/security/threat-protection/windows-firewall/server-isolation-policy-design-example.md
+++ b/windows/security/threat-protection/windows-firewall/server-isolation-policy-design-example.md
@@ -1,6 +1,6 @@
 ---
 title: Server Isolation Policy Design Example (Windows 10)
-description: Server Isolation Policy Design Example
+description: Learn about server isolation policy design in Windows Defender Firewall with Advanced Security by referring to this example of a fictitious company.
 ms.assetid: 337e5f6b-1ec5-4b83-bee5-d0aea1fa5fc6
 ms.reviewer:
 ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/server-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/server-isolation-policy-design.md
index 1eeea3dc76..d5c4333424 100644
--- a/windows/security/threat-protection/windows-firewall/server-isolation-policy-design.md
+++ b/windows/security/threat-protection/windows-firewall/server-isolation-policy-design.md
@@ -1,6 +1,6 @@
 ---
 title: Server Isolation Policy Design (Windows 10)
-description: Server Isolation Policy Design
+description: Learn about server isolation policy design, where you assign servers to a zone that allows access only to members of an approved network access group.
 ms.assetid: f93f65cd-b863-461e-ab5d-a620fd962c9a
 ms.reviewer:
 ms.author: dansimp
@@ -43,13 +43,14 @@ Characteristics of this design include the following: To add support for server isolation, you must ensure that the authentication methods are compatible with the requirements of the isolated server. For example, if you want to authorize user accounts that are members of a NAG in addition to authorizing computer accounts, you must enable both user and computer authentication in your connection security rules. ->**Important:**  This design builds on the [Domain Isolation Policy Design](domain-isolation-policy-design.md), which in turn builds on the [Basic Firewall Policy Design](basic-firewall-policy-design.md). If you plan to deploy all three designs, do the design work for all three together, and then deploy in the sequence presented. +> [!IMPORTANT] +> This design builds on the [Domain Isolation Policy Design](domain-isolation-policy-design.md), which in turn builds on the [Basic Firewall Policy Design](basic-firewall-policy-design.md). If you plan to deploy all three designs, do the design work for all three together, and then deploy in the sequence presented. This design can be applied to devices that are part of an Active Directory forest. Active Directory is required to provide the centralized management and deployment of Group Policy objects that contain the connection security rules. For more info about this design: -- This design coincides with the deployment goals to [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md), [Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md), [Restrict Access to Only Specified Users or Devices](restrict-access-to-only-specified-users-or-devices.md), and [Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md). 
+- This design coincides with the implementation goals to [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md), [Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md), [Restrict Access to Only Specified Users or Devices](restrict-access-to-only-specified-users-or-devices.md), and [Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md). - To learn more about this design, see [Server Isolation Policy Design Example](server-isolation-policy-design-example.md). diff --git a/windows/security/threat-protection/windows-firewall/troubleshooting-uwp-firewall.md b/windows/security/threat-protection/windows-firewall/troubleshooting-uwp-firewall.md new file mode 100644 index 0000000000..6071427eda --- /dev/null +++ b/windows/security/threat-protection/windows-firewall/troubleshooting-uwp-firewall.md 
@@ -0,0 +1,1328 @@ +--- +title: Troubleshooting UWP App Connectivity Issues in Windows Firewall +description: Troubleshooting UWP App Connectivity Issues in Windows Firewall + +ms.reviewer: +ms.author: dansimp +ms.prod: w10 +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +author: dansimp +manager: dansimp +ms.collection: M365-security-compliance +ms.topic: troubleshooting +--- + +# Troubleshooting UWP App Connectivity Issues + +This document is intended to help network admins, support engineers, and developers to +investigate UWP app network connectivity issues. + +This document guides you through steps to debug Universal Windows Platform (UWP) app network connectivity issues by providing practical examples. + +## Typical causes of connectivity issues + +UWP app network connectivity issues are typically caused by: + +1. The UWP app was not permitted to receive loopback traffic. This must be configured. By default, UWP apps are not allowed to receive loopback traffic. +2. The UWP app is missing the proper capability tokens. +3. The private range is configured incorrectly. For example, the private range is set incorrectly through GP/MDM policies, etc. + +To understand these causes more thoroughly, there are several concepts to review. + +The traffic of network packets (what's permitted and what’s not) on Windows is determined by the Windows Filtering Platform (WFP). When a UWP app +or the private range is configured incorrectly, it affects how the UWP app’s network traffic will be processed by WFP. + +When a packet is processed by WFP, the characteristics of that packet must explicitly match all the conditions of a filter to either be permitted or dropped to its target address. Connectivity issues typically happen when the packet does not match any of the filter conditions, leading the packet to be dropped by a default block filter. The presence of the default block +filters ensures network isolation for UWP applications. 
Specifically, it guarantees a network drop for a packet that does not have the correct capabilities for the resource it is trying to reach. This ensures the application’s granular access to each resource type and preventing the application from escaping its environment. + +For more information on the filter arbitration algorithm and network isolation, +see [Filter +Arbitration](https://docs.microsoft.com/windows/win32/fwp/filter-arbitration) +and +[Isolation](https://docs.microsoft.com/windows/win32/secauthz/appcontainer-isolation). + +The following sections cover debugging case examples for loopback and non-loopback UWP app network connectivity issues. + +> [!NOTE] +> As improvements to debugging and diagnostics in the Windows Filtering Platform are made, the trace examples in this document may not exactly match the +traces collected on previous releases of Windows. + +## Debugging UWP App Loopback scenarios + +If you need to establish a TCP/IP connection between two processes on the same host where one of them is a UWP app, you must enable loopback. + +To enable loopback for client outbound connections, run the following at a command prompt: + +```console +CheckNetIsolation.exe LoopbackExempt -a -n= +``` + +To enable loopback for server inbound connections, run the following at a +command prompt: +```console +CheckNetIsolation.exe LoopbackExempt -is -n= +``` +You can ensure loopback is enabled by checking the appx manifests of both the sender and receiver. + +For more information about loopback scenarios, see [Communicating with +localhost +(loopback)](https://docs.microsoft.com/windows/iot-core/develop-your-app/loopback). + +## Debugging Live Drops + +If the issue happened recently, but you find you are not able to reproduce the issue, go to Debugging Past Drops for the appropriate trace commands. 
+ +If you can consistently reproduce the issue, then you can run the following in an admin command prompt to gather a fresh trace: + +```console +Netsh wfp capture start keywords=19 + +Netsh wfp capture stop +``` + +These commands generate a wfpdiag.cab. Inside the .cab exists a wfpdiag.xml, which contains any allow or drop netEvents and filters that existed during that repro. Without “keywords=19”, the trace will only collect drop netEvents. + +Inside the wfpdiag.xml, search for netEvents which have +FWPM_NET_EVENT_TYPE_CLASSIFY_DROP as the netEvent type. To find the relevant drop events, search for the drop events with matching destination IP address, +package SID, or application ID name. The characters in the application ID name +will be separated by periods: + +```XML +(ex) + + +\\.d.e.v.i.c.e.\\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.1.\\.w.i.n.d.o.w.s.\\.s.y.s.t.e.m.3.2.\\.s.v.c.h.o.s.t...e.x.e... + + +``` + +The netEvent will have more information about the packet that was dropped including information about its capabilities, the filter that dropped the packet, and much more. + +## Case 1: UWP app connects to Internet target address with all capabilities + +In this example, the UWP app successfully connects to bing.com +[2620:1ec:c11::200]. + +A packet from a UWP app needs the correct networking capability token for the resource it is trying to reach. + +In this scenario, the app could successfully send a packet to the Internet target because it had an Internet capability token. + +The following shows the allow netEvent of the app connecting to the target IP. The netEvent contains information about the packet including its local address, +remote address, capabilities, etc. + +**Classify Allow netEvent, Wfpdiag-Case-1.xml** +```xml + +
                        + 2020-05-21T17:25:59.070Z + + FWPM_NET_EVENT_FLAG_IP_PROTOCOL_SET + FWPM_NET_EVENT_FLAG_LOCAL_ADDR_SET + FWPM_NET_EVENT_FLAG_REMOTE_ADDR_SET + FWPM_NET_EVENT_FLAG_LOCAL_PORT_SET + FWPM_NET_EVENT_FLAG_REMOTE_PORT_SET + FWPM_NET_EVENT_FLAG_APP_ID_SET + FWPM_NET_EVENT_FLAG_USER_ID_SET + FWPM_NET_EVENT_FLAG_IP_VERSION_SET + FWPM_NET_EVENT_FLAG_PACKAGE_ID_SET + + FWP_IP_VERSION_V6 + 6 + 2001:4898:30:3:256c:e5ba:12f3:beb1 + 2620:1ec:c11::200 +52127 +443 +0 + + 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 + \\.d.e.v.i.c.e.\\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.1.\\.p.r.o.g.r.a.m. + .f.i.l.e.s.\\.w.i.n.d.o.w.s.a.p.p.s.\\.a.f.6.9.2.b.f.f.-.6.7.7.9.-.4.2.4.f.-.8.7.0.e.-.f.6.e.5.9.c.5.0.2.3.4.9._.1...1...1.0...0._.x.6.4._._.5.c.0.3.7.j.a.r.5.8.3.9.r.\\.u.w.p.s.o.c.k.e.t.c.l.i.e.n.t...e.x.e... + +S-1-5-21-2993214446-1947230185-131795049-1000 +FWP_AF_INET6 +S-1-15-2-4163697451-3176919390-1155390458-2883473650-3020241727-522149888-4067122936 + +0 + +
                        +FWPM_NET_EVENT_TYPE_CLASSIFY_ALLOW + + 125918 + 50 + 0 + 1 + 1 + + + +0000000000000000 + + FWP_CAPABILITIES_FLAG_INTERNET_CLIENT + FWP_CAPABILITIES_FLAG_INTERNET_CLIENT_SERVER + FWP_CAPABILITIES_FLAG_PRIVATE_NETWORK + +0 + + + + 125918 + FWPP_SUBLAYER_INTERNAL_FIREWALL_WSH + FWP_ACTION_PERMIT + + + 121167 + FWPP_SUBLAYER_INTERNAL_FIREWALL_WF + FWP_ACTION_PERMIT + + + +
                        +``` + +The following is the filter that permitted the packet to be sent to the target +address according to the **terminatingFiltersInfo** in the **netEvent**. This packet was +allowed by Filter #125918, from the InternetClient Default Rule. + +**InternetClient Default Rule Filter #125918, Wfpdiag-Case-1.xml** +```xml + + {3389708e-f7ae-4ebc-a61a-f659065ab24e} + + InternetClient Default Rule + InternetClient Default Rule + + + FWPM_PROVIDER_MPSSVC_WSH + + ad2b000000000000 + .+...... + + FWPM_LAYER_ALE_AUTH_CONNECT_V6 + FWPM_SUBLAYER_MPSSVC_WSH + FWP_EMPTY + + + + FWPM_CONDITION_ALE_PACKAGE_ID + FWP_MATCH_NOT_EQUAL + + FWP_SID + S-1-0-0 + + + + FWPM_CONDITION_IP_REMOTE_ADDRESS + FWP_MATCH_RANGE + + FWP_RANGE_TYPE + + + FWP_BYTE_ARRAY16_TYPE + :: + + + FWP_BYTE_ARRAY16_TYPE + ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff + + + + + + FWPM_CONDITION_ORIGINAL_PROFILE_ID + FWP_MATCH_EQUAL + + FWP_UINT32 + 1 + + + + FWPM_CONDITION_CURRENT_PROFILE_ID + FWP_MATCH_EQUAL + + FWP_UINT32 + 1 + + + + FWPM_CONDITION_ALE_USER_ID + FWP_MATCH_EQUAL + + FWP_SECURITY_DESCRIPTOR_TYPE + O:LSD:(A;;CC;;;S-1-15-3-1)(A;;CC;;;WD)(A;;CC;;;AN) + + + + + FWP_ACTION_PERMIT + + + 0 + + 125918 + + FWP_UINT64 + 103079219136 + + +``` + +**Capabilities Condition in Filter \#125918, Wfpdiag-Case-1.xml** +```xml + + FWPM_CONDITION_ALE_USER_ID + FWP_MATCH_EQUAL + + FWP_SECURITY_DESCRIPTOR_TYPE + O:LSD:(A;;CC;;;S-1-15-3-1)(A;;CC;;;WD)(A;;CC;;;AN) + + +``` +This is the condition for checking capabilities in this filter. + +The important part of this condition is **S-1-15-3-1**, which is the capability SID +for **INTERNET_CLIENT** privileges. + +From the **netEvent** capabilities section, +capabilities from netEvent, Wfpdiag-Case-1.xml. 
+```xml + + FWP_CAPABILITIES_FLAG_INTERNET_CLIENT FWP_CAPABILITIES_FLAG_INTERNET_CLIENT_SERVER + FWP_CAPABILITIES_FLAG_PRIVATE_NETWORK + +``` +This shows the packet came from an app with an Internet client token (**FWP_CAPABILITIES_FLAG_INTERNET_CLIENT**) which matches the capability SID in the +filter. All the other conditions are also met for the filter, so the packet is +allowed. + +Something to note is that the only capability token required for the packet to +reach bing.com was the Internet client token, even though this example showed +the packet having all capabilities. + +## Case 2: UWP APP cannot reach Internet target address and has no capabilities + +In this example, the UWP app is unable to connect to bing.com +[2620:1ec:c11::200]. + +The following is a drop netEvent that was captured in the trace. + +**Classify Drop netEvent, Wfpdiag-Case-2.xml** +```xml + +
                        +2020-03-30T23:53:09.720Z + + FWPM_NET_EVENT_FLAG_IP_PROTOCOL_SET + FWPM_NET_EVENT_FLAG_LOCAL_ADDR_SET + FWPM_NET_EVENT_FLAG_REMOTE_ADDR_SET + FWPM_NET_EVENT_FLAG_LOCAL_PORT_SET + FWPM_NET_EVENT_FLAG_REMOTE_PORT_SET + FWPM_NET_EVENT_FLAG_APP_ID_SET + FWPM_NET_EVENT_FLAG_USER_ID_SET + FWPM_NET_EVENT_FLAG_IP_VERSION_SET + FWPM_NET_EVENT_FLAG_PACKAGE_ID_SET + +FWP_IP_VERSION_V6 +6 +2001:4898:1a:1045:8469:3351:e6e2:543 +2620:1ec:c11::200 +63187 +443 +0 + 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 +\\.d.e.v.i.c.e.\\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.1.\\.p.r.o.g.r.a.m. +.f.i.l.e.s.\\.w.i.n.d.o.w.s.a.p.p.s.\\.a.f.6.9.2.b.f.f.-.6.7.7.9.-.4.2.4.f.-.8.7.0.e.-.f.6.e.5.9.c.5.0.2.3.4.9._.1...1...4...0._.x.6.4._._.5.c.0.3.7.j.a.r.5.8.3.9.r.\\.u.w.p.s.o.c.k.e.t.c.l.i.e.n.t...e.x.e... + +S-1-5-21-2788718703-1626973220-3690764900-1000 +FWP_AF_INET6 +S-1-15-2-4163697451-3176919390-1155390458-2883473650-3020241727-522149888-4067122936 + +0 + +
                        +FWPM_NET_EVENT_TYPE_CLASSIFY_DROP + +68893 +50 +0 +1 +1 +MS_FWP_DIRECTION_OUT +false + +0 +0 + + + +0000000000000000 + +0 + + + +68893 +FWPP_SUBLAYER_INTERNAL_FIREWALL_WSH +FWP_ACTION_BLOCK + + +68879 +FWPP_SUBLAYER_INTERNAL_FIREWALL_WF +FWP_ACTION_PERMIT + + + +
                        +``` +The first thing that you should check in the **netEvent** is the capabilities +field. In this example, the capabilities field is empty, indicating that the +UWP app was not configured with any capability tokens to allow it to connect to +a network. + +**Internal Fields from netEvent, Wfpdiag-Case-2.xml** +```xml + + +0000000000000000 + +0 + + + +68893 +FWPP_SUBLAYER_INTERNAL_FIREWALL_WSH +FWP_ACTION_BLOCK + + +68879 +FWPP_SUBLAYER_INTERNAL_FIREWALL_WF +FWP_ACTION_PERMIT + + + +``` +The **netEvent** also shows information about the filter that explicitly dropped this packet, like the **FilterId**, listed under classify drop. + +**Classify Drop from netEvent, Wfpdiag-Case-2.xml** +```xml + +68893 +50 +0 +1 +1 +MS_FWP_DIRECTION_OUT +false + +0 +0 + +``` +If you search for the filter #68893 in Wfpdiag-Case2.xml, you'll see that +the packet was dropped by a Block Outbound Default Rule filter. + +**Block Outbound Default Rule Filter #68893, Wfpdiag-Case-2.xml** + +```xml + + {6d51582f-bcf8-42c4-afc9-e2ce7155c11b} +/t + **Block Outbound Default Rule** + Block Outbound Default Rule + + + {4b153735-1049-4480-aab4-d1b9bdc03710} + + b001000000000000 + ........ + + FWPM_LAYER_ALE_AUTH_CONNECT_V6 + {b3cdd441-af90-41ba-a745-7c6008ff2300} + + FWP_EMPTY + + + + FWPM_CONDITION_ALE_PACKAGE_ID + FWP_MATCH_NOT_EQUAL + + FWP_SID + S-1-0-0 + + + + + FWP_ACTION_BLOCK + + + 0 + + 68893 + + FWP_UINT64 + 68719476736 + + +``` + +A packet will reach a default block filter if the packet was unable to match any of the conditions of other filters, and not allowed by the other filters in +the same sublayer. + +If the packet had the correct capability token, +**FWP_CAPABILITIES_FLAG_INTERNET_CLIENT**, it would have matched a condition for a +non-default block filter and would have been permitted to reach bing.com. +Without the correct capability tokens, the packet will be explicitly dropped by +a default block outbound filter. 
+ +## Case 3: UWP app cannot reach Internet target address without Internet Client capability + +In this example, the app is unable to connect to bing.com [2620:1ec:c11::200]. + +The app in this scenario only has private network capabilities (Client and +Server). The app is trying to connect to an Internet resource (bing.com), but +only has a private network token. Therefore, the packet will be dropped. + +**Classify Drop netEvent, Wfpdiag-Case-3.xml** +```xml + +
                        +2020-03-31T16:57:18.570Z + +FWPM_NET_EVENT_FLAG_IP_PROTOCOL_SET +FWPM_NET_EVENT_FLAG_LOCAL_ADDR_SET +FWPM_NET_EVENT_FLAG_REMOTE_ADDR_SET +FWPM_NET_EVENT_FLAG_LOCAL_PORT_SET +FWPM_NET_EVENT_FLAG_REMOTE_PORT_SET +FWPM_NET_EVENT_FLAG_APP_ID_SET +FWPM_NET_EVENT_FLAG_USER_ID_SET +FWPM_NET_EVENT_FLAG_IP_VERSION_SET +FWPM_NET_EVENT_FLAG_PACKAGE_ID_SET + +FWP_IP_VERSION_V6 +6 +2001:4898:1a:1045:9c65:7805:dd4a:cc4b +2620:1ec:c11::200 +64086 +443 +0 + 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 +\\.d.e.v.i.c.e.\\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.1.\\.p.r.o.g.r.a.m. +.f.i.l.e.s.\\.w.i.n.d.o.w.s.a.p.p.s.\\.a.f.6.9.2.b.f.f.-.6.7.7.9.-.4.2.4.f.-.8.7.0.e.-.f.6.e.5.9.c.5.0.2.3.4.9._.1...1...5...0._.x.6.4._._.5.c.0.3.7.j.a.r.5.8.3.9.r.\\.u.w.p.s.o.c.k.e.t.c.l.i.e.n.t...e.x.e... + +S-1-5-21-2788718703-1626973220-3690764900-1000 +FWP_AF_INET6 +S-1-15-2-4163697451-3176919390-1155390458-2883473650-3020241727-522149888-4067122936 + +0 + +
                        +FWPM_NET_EVENT_TYPE_CLASSIFY_DROP + +68893 +50 +0 +1 +1 +MS_FWP_DIRECTION_OUT +false + +0 +0 + + + +0000000000000000 +**** +**FWP_CAPABILITIES_FLAG_PRIVATE_NETWORK** +**** +0 + + + +68893 +FWPP_SUBLAYER_INTERNAL_FIREWALL_WSH +FWP_ACTION_BLOCK + + +68879 +FWPP_SUBLAYER_INTERNAL_FIREWALL_WF +FWP_ACTION_PERMIT + + + +
                        +``` + +## Case 4: UWP app cannot reach Intranet target address without Private Network capability + +In this example, the UWP app is unable to reach the Intranet target address, +10.50.50.50, because it does not have a Private Network capability. + +**Classify Drop netEvent, Wfpdiag-Case-4.xml** +```xml + +
                        + 2020-05-22T21:29:28.601Z + + FWPM_NET_EVENT_FLAG_IP_PROTOCOL_SET + FWPM_NET_EVENT_FLAG_LOCAL_ADDR_SET + FWPM_NET_EVENT_FLAG_REMOTE_ADDR_SET + FWPM_NET_EVENT_FLAG_LOCAL_PORT_SET + FWPM_NET_EVENT_FLAG_REMOTE_PORT_SET + FWPM_NET_EVENT_FLAG_APP_ID_SET + FWPM_NET_EVENT_FLAG_USER_ID_SET + FWPM_NET_EVENT_FLAG_IP_VERSION_SET + FWPM_NET_EVENT_FLAG_PACKAGE_ID_SET + + FWP_IP_VERSION_V4 + 6 + 10.216.117.17 + 10.50.50.50 + 52998 + 53 + 0 + + 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 + \\.d.e.v.i.c.e.\\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.1.\\.p.r.o.g.r.a.m. + .f.i.l.e.s.\\.w.i.n.d.o.w.s.a.p.p.s.\\.a.f.6.9.2.b.f.f.-.6.7.7.9.-.4.2.4.f.-.8.7.0.e.-.f.6.e.5.9.c.5.0.2.3.4.9._.1...1...1.1...0._.x.6.4._._.5.c.0.3.7.j.a.r.5.8.3.9.r.\\.u.w.p.s.o.c.k.e.t.c.l.i.e.n.t...e.x.e... + + S-1-5-21-2993214446-1947230185-131795049-1000 + FWP_AF_INET + S-1-15-2-4163697451-3176919390-1155390458-2883473650-3020241727-522149888-4067122936 + + 0 + +
                        + FWPM_NET_EVENT_TYPE_CLASSIFY_DROP + + 121180 + 48 + 0 + 1 + 1 + MS_FWP_DIRECTION_OUT + false + + 0 + 0 + + + + 0000000000000000 + + FWP_CAPABILITIES_FLAG_INTERNET_CLIENT + FWP_CAPABILITIES_FLAG_INTERNET_CLIENT_SERVER + + 0 + + + + 121180 + FWPP_SUBLAYER_INTERNAL_FIREWALL_WSH + FWP_ACTION_BLOCK + + + 121165 + FWPP_SUBLAYER_INTERNAL_FIREWALL_WF + FWP_ACTION_PERMIT + + + +
                        +``` +## Case 5: UWP app cannot reach “Intranet” target address with Private Network capability + +In this example, the UWP app is unable to reach the Intranet target address, +10.1.1.1, even though it has a Private Network capability token. + +**Classify Drop netEvent, Wfpdiag-Case-5.xml** +```xml + +
                        + 2020-05-22T20:54:53.499Z + + FWPM_NET_EVENT_FLAG_IP_PROTOCOL_SET + FWPM_NET_EVENT_FLAG_LOCAL_ADDR_SET + FWPM_NET_EVENT_FLAG_REMOTE_ADDR_SET + FWPM_NET_EVENT_FLAG_LOCAL_PORT_SET + FWPM_NET_EVENT_FLAG_REMOTE_PORT_SET + FWPM_NET_EVENT_FLAG_APP_ID_SET + FWPM_NET_EVENT_FLAG_USER_ID_SET + FWPM_NET_EVENT_FLAG_IP_VERSION_SET + FWPM_NET_EVENT_FLAG_PACKAGE_ID_SET + + FWP_IP_VERSION_V4 + 6 + 10.216.117.17 + 10.1.1.1 + 52956 + 53 + 0 + + 5c006400650076006900630065005c0068006100720064006400690073006b0076006f006c0075006d00650031005c00700072006f006700720061006d002000660069006c00650073005c00770069006e0064006f007700730061007000700073005c00610066003600390032006200660066002d0036003700370039002d0034003200340066002d0038003700300065002d006600360065003500390063003500300032003300340039005f0031002e0031002e00310033002e0030005f007800360034005f005f00350063003000330037006a0061007200350038003300390072005c0075007700700073006f0063006b006500740063006c00690065006e0074002e006500780065000000 + \\.d.e.v.i.c.e.\\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.1.\\.p.r.o.g.r.a.m. + .f.i.l.e.s.\\.w.i.n.d.o.w.s.a.p.p.s.\\.a.f.6.9.2.b.f.f.-.6.7.7.9.-.4.2.4.f.-.8.7.0.e.-.f.6.e.5.9.c.5.0.2.3.4.9._.1...1...1.3...0._.x.6.4._._.5.c.0.3.7.j.a.r.5.8.3.9.r.\\.u.w.p.s.o.c.k.e.t.c.l.i.e.n.t...e.x.e... + + S-1-5-21-2993214446-1947230185-131795049-1000 + FWP_AF_INET + S-1-15-2-4163697451-3176919390-1155390458-2883473650-3020241727-522149888-4067122936 + + 0 + +
                        + FWPM_NET_EVENT_TYPE_CLASSIFY_DROP + + 121180 + 48 + 0 + 1 + 1 + MS_FWP_DIRECTION_OUT + false + + 0 + 0 + + + + 0000000000000000 + + FWP_CAPABILITIES_FLAG_PRIVATE_NETWORK + + 0 + + + + 121180 + FWPP_SUBLAYER_INTERNAL_FIREWALL_WSH + FWP_ACTION_BLOCK + + + 121165 + FWPP_SUBLAYER_INTERNAL_FIREWALL_WF + FWP_ACTION_PERMIT + + + +
                        +``` +The following shows the filter that blocked the event: + +**Block Outbound Default Rule Filter \#121180, Wfpdiag-Case-5.xml** + +```xml + + {e62a1a22-c80a-4518-a7f8-e7d1ef3a9ff6} + + Block Outbound Default Rule + Block Outbound Default Rule + + + FWPM_PROVIDER_MPSSVC_WSH + + c029000000000000 + .)...... + + FWPM_LAYER_ALE_AUTH_CONNECT_V4 + FWPM_SUBLAYER_MPSSVC_WSH + + FWP_EMPTY + + + + FWPM_CONDITION_ALE_PACKAGE_ID + FWP_MATCH_NOT_EQUAL + + FWP_SID + S-1-0-0 + + + + + FWP_ACTION_BLOCK + + + 0 + + 121180 + + FWP_UINT64 + 274877906944 + + +``` +If the target was in the private range, then it should have been allowed by a +PrivateNetwork Outbound Default Rule filter. + +The following PrivateNetwork Outbound Default Rule filters have conditions for matching Intranet IP addresses. Since the expected Intranet target address, +10.1.1.1, is not included in these filters it becomes clear that the address is not in the private range. Check the policies that configure the private range +on the device (MDM, Group Policy, etc.) and make sure it includes the private target address you wanted to reach. + +**PrivateNetwork Outbound Default Rule Filters, Wfpdiag-Case-5.xml** +```xml + + {fd65507b-e356-4e2f-966f-0c9f9c1c6e78} + + PrivateNetwork Outbound Default Rule + PrivateNetwork Outbound Default Rule + + + FWPM_PROVIDER_MPSSVC_WSH + + f22d000000000000 + .-...... 
+ + FWPM_LAYER_ALE_AUTH_CONNECT_V4 + FWPM_SUBLAYER_MPSSVC_WSH + + FWP_EMPTY + + + + FWPM_CONDITION_ALE_PACKAGE_ID + FWP_MATCH_NOT_EQUAL + + FWP_SID + S-1-0-0 + + + + FWPM_CONDITION_IP_REMOTE_ADDRESS + FWP_MATCH_EQUAL + + FWP_UINT32 + 1.1.1.1 + + + + FWPM_CONDITION_ORIGINAL_PROFILE_ID + FWP_MATCH_EQUAL + + FWP_UINT32 + 1 + + + + FWPM_CONDITION_CURRENT_PROFILE_ID + FWP_MATCH_EQUAL + + FWP_UINT32 + 1 + + + + FWPM_CONDITION_ALE_USER_ID + FWP_MATCH_EQUAL + + FWP_SECURITY_DESCRIPTOR_TYPE + O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN) + + + + + FWP_ACTION_PERMIT + + + 0 + + 129656 + + FWP_UINT64 + 144115600392724416 + + + + {b11b4f8a-222e-49d6-8d69-02728681d8bc} + + PrivateNetwork Outbound Default Rule + PrivateNetwork Outbound Default Rule + + + FWPM_PROVIDER_MPSSVC_WSH + + f22d000000000000 + .-...... + + FWPM_LAYER_ALE_AUTH_CONNECT_V4 + FWPM_SUBLAYER_MPSSVC_WSH + + FWP_EMPTY + + + + FWPM_CONDITION_ALE_PACKAGE_ID + FWP_MATCH_NOT_EQUAL + + FWP_SID + S-1-0-0 + + + + FWPM_CONDITION_IP_REMOTE_ADDRESS + FWP_MATCH_RANGE + + FWP_RANGE_TYPE + + + FWP_UINT32 + 172.16.0.0 + + + FWP_UINT32 + 172.31.255.255 + + + + + + FWPM_CONDITION_ORIGINAL_PROFILE_ID + FWP_MATCH_EQUAL + + FWP_UINT32 + 1 + + + + FWPM_CONDITION_CURRENT_PROFILE_ID + FWP_MATCH_EQUAL + + FWP_UINT32 + 1 + + + + FWPM_CONDITION_ALE_USER_ID + FWP_MATCH_EQUAL + + FWP_SECURITY_DESCRIPTOR_TYPE + O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN) + + + + + FWP_ACTION_PERMIT + + + 0 + + 129657 + + FWP_UINT64 + 36029209335832512 + + + + {21cd82bc-6077-4069-94bf-750e5a43ca23} + + PrivateNetwork Outbound Default Rule + PrivateNetwork Outbound Default Rule + + + FWPM_PROVIDER_MPSSVC_WSH + + f22d000000000000 + .-...... 
+ + FWPM_LAYER_ALE_AUTH_CONNECT_V4 + FWPM_SUBLAYER_MPSSVC_WSH + + FWP_EMPTY + + + + FWPM_CONDITION_ALE_PACKAGE_ID + FWP_MATCH_NOT_EQUAL + + FWP_SID + S-1-0-0 + + + + FWPM_CONDITION_IP_REMOTE_ADDRESS + FWP_MATCH_RANGE + + FWP_RANGE_TYPE + + + FWP_UINT32 + 192.168.0.0 + + + FWP_UINT32 + 192.168.255.255 + + + + + + FWPM_CONDITION_ORIGINAL_PROFILE_ID + FWP_MATCH_EQUAL + + FWP_UINT32 + 1 + + + + FWPM_CONDITION_CURRENT_PROFILE_ID + FWP_MATCH_EQUAL + + FWP_UINT32 + 1 + + + + FWPM_CONDITION_ALE_USER_ID + FWP_MATCH_EQUAL + + FWP_SECURITY_DESCRIPTOR_TYPE + O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN) + + + + + FWP_ACTION_PERMIT + + + 0 + + 129658 + + FWP_UINT64 + 36029209335832512 + + +``` +## Debugging Past Drops + +If you are debugging a network drop from the past or from a remote machine, you +may have traces already collected from Feedback Hub, such as nettrace.etl and +wfpstate.xml. Once nettrace.etl is converted, nettrace.txt will have the +netEvents of the reproduced event, and wfpstate.xml will contain the filters +that were present on the machine at the time. + +If you do not have a live repro or traces already collected, you can still +collect traces after the UWP network connectivity issue has happened by running +these commands in an admin command prompt + +```xml + + Netsh wfp show netevents + Netsh wfp show state +``` + +**Netsh wfp show netevents** creates netevents.xml, which contains the past +net events. **Netsh wfp show state** creates wfpstate.xml, which contains +the current filters present on the machine. + +Unfortunately, collecting traces after the UWP network connectivity issue is not +always reliable. + +NetEvents on the device are stored in a buffer. Once that buffer has reached +maximum capacity, the buffer will overwrite older net events. Due to the buffer +overwrite, it is possible that the collected netevents.xml will not contain the +net event associated with the UWP network connectivity issue. It could have been ov +overwritten. 
Additionally, filters on the device can get deleted and re-added +with different filterIds due to miscellaneous events on the device. Because of +this, a **filterId** from **netsh wfp show netevents** may not necessarily match any +filter in **netsh wfp show state** because that **filterId** may be outdated. + +If you can reproduce the UWP network connectivity issue consistently, we +recommend using the commands from Debugging Live Drops instead. + +Additionally, you can still follow the examples from Debugging Live Drops +section using the trace commands in this section, even if you do not have a live +repro. The **netEvents** and filters are stored in one file in Debugging Live Drops +as opposed to two separate files in the following Debugging Past Drops examples. + +## Case 7: Debugging Past Drop - UWP app cannot reach Internet target address and has no capabilities + +In this example, the UWP app is unable to connect to bing.com. + +Classify Drop Net Event, NetEvents-Case-7.xml + +```xml + +
                        +2020-05-04T22:04:07.039Z + +FWPM_NET_EVENT_FLAG_IP_PROTOCOL_SET +FWPM_NET_EVENT_FLAG_LOCAL_ADDR_SET +FWPM_NET_EVENT_FLAG_REMOTE_ADDR_SET +FWPM_NET_EVENT_FLAG_LOCAL_PORT_SET +FWPM_NET_EVENT_FLAG_REMOTE_PORT_SET +FWPM_NET_EVENT_FLAG_APP_ID_SET +FWPM_NET_EVENT_FLAG_USER_ID_SET +FWPM_NET_EVENT_FLAG_IP_VERSION_SET +FWPM_NET_EVENT_FLAG_PACKAGE_ID_SET + +FWP_IP_VERSION_V4 +6 +10.195.36.30 +204.79.197.200 +57062 +443 +0 + 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 +\\.d.e.v.i.c.e.\\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.1.\\.p.r.o.g.r.a.m. +.f.i.l.e.s.\\.w.i.n.d.o.w.s.a.p.p.s.\\.a.f.6.9.2.b.f.f.-.6.7.7.9.-.4.2.4.f.-.8.7.0.e.-.f.6.e.5.9.c.5.0.2.3.4.9._.1...1...1.2...0._.x.6.4._._.5.c.0.3.7.j.a.r.5.8.3.9.r.\\.u.w.p.s.o.c.k.e.t.c.l.i.e.n.t...e.x.e... + +S-1-5-21-1578316205-4060061518-881547182-1000 +FWP_AF_INET +S-1-15-2-4163697451-3176919390-1155390458-2883473650-3020241727-522149888-4067122936 + +0 + +
                        +FWPM_NET_EVENT_TYPE_CLASSIFY_DROP + +206064 +48 +0 +1 +1 +MS_FWP_DIRECTION_OUT +false + +0 +0 + + + +0000000000000000 + +0 + + + +206064 +FWPP_SUBLAYER_INTERNAL_FIREWALL_WSH +FWP_ACTION_BLOCK + + +206049 +FWPP_SUBLAYER_INTERNAL_FIREWALL_WF +FWP_ACTION_PERMIT + + + +
                        +``` + +The Internal fields lists no active capabilities, and the packet is dropped at +filter 206064. + +This is a default block rule filter, meaning the packet passed through every +filter that could have allowed it, but because conditions didn’t match for any +those filters, the packet fell to the filter which blocks any packet that the +Security Descriptor doesn’t match. + +**Block Outbound Default Rule Filter \#206064, FilterState-Case-7.xml** + +```xml + +{f138d1ad-9293-478f-8519-c3368e796711} + +Block Outbound Default Rule +Block Outbound Default Rule + + +FWPM_PROVIDER_MPSSVC_WSH + +2e65000000000000 +.e...... + +FWPM_LAYER_ALE_AUTH_CONNECT_V4 +FWPM_SUBLAYER_MPSSVC_WSH + +FWP_EMPTY + + + +FWPM_CONDITION_ALE_PACKAGE_ID +FWP_MATCH_NOT_EQUAL + +FWP_SID +S-1-0-0 + + + + +FWP_ACTION_BLOCK + + +0 + +206064 + +FWP_UINT64 +274877906944 + + +``` +## Case 8: Debugging Past Drop - UWP app connects to Internet target address with all capabilities + +In this example, the UWP app successfully connects to bing.com [204.79.197.200]. + +**Classify Allow Net Event, NetEvents-Case-8.xml** + +```xml + +
                        + 2020-05-04T18:49:55.101Z + + FWPM_NET_EVENT_FLAG_IP_PROTOCOL_SET + FWPM_NET_EVENT_FLAG_LOCAL_ADDR_SET + FWPM_NET_EVENT_FLAG_REMOTE_ADDR_SET + FWPM_NET_EVENT_FLAG_LOCAL_PORT_SET + FWPM_NET_EVENT_FLAG_REMOTE_PORT_SET + FWPM_NET_EVENT_FLAG_APP_ID_SET + FWPM_NET_EVENT_FLAG_USER_ID_SET + FWPM_NET_EVENT_FLAG_IP_VERSION_SET + FWPM_NET_EVENT_FLAG_PACKAGE_ID_SET + + FWP_IP_VERSION_V4 + 6 + 10.195.36.30 + 204.79.197.200 + 61673 + 443 + 0 + + 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 + \\.d.e.v.i.c.e.\\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.1.\\.p.r.o.g.r.a.m. + .f.i.l.e.s.\\.w.i.n.d.o.w.s.a.p.p.s.\\.a.f.6.9.2.b.f.f.-.6.7.7.9.-.4.2.4.f.-.8.7.0.e.-.f.6.e.5.9.c.5.0.2.3.4.9._.1...1...1.0...0._.x.6.4._._.5.c.0.3.7.j.a.r.5.8.3.9.r.\\.u.w.p.s.o.c.k.e.t.c.l.i.e.n.t...e.x.e... + + S-1-5-21-1578316205-4060061518-881547182-1000 + FWP_AF_INET + S-1-15-2-4163697451-3176919390-1155390458-2883473650-3020241727-522149888-4067122936 + + 0 + +
                        + FWPM_NET_EVENT_TYPE_CLASSIFY_ALLOW + + 208757 + 48 + 0 + 1 + 1 + + + + 0000000000000000 + + FWP_CAPABILITIES_FLAG_INTERNET_CLIENT + FWP_CAPABILITIES_FLAG_INTERNET_CLIENT_SERVER + FWP_CAPABILITIES_FLAG_PRIVATE_NETWORK + + 0 + + + + 208757 + FWPP_SUBLAYER_INTERNAL_FIREWALL_WSH + FWP_ACTION_PERMIT + + + 206049 + FWPP_SUBLAYER_INTERNAL_FIREWALL_WF + FWP_ACTION_PERMIT + + + +
                        +``` +All capabilities are enabled and the resulting filter determining the flow of the packet is 208757. + +The filter stated above with action permit: + +**InternetClient Default Rule Filter \#208757, FilterState-Case-8.xml** +```xml + + {e0f6f24e-1f0a-4f1a-bdd8-b9277c144fb5} + + InternetClient Default Rule + InternetClient Default Rule + + + FWPM_PROVIDER_MPSSVC_WSH + + e167000000000000 + .g...... + + FWPM_LAYER_ALE_AUTH_CONNECT_V4 + FWPM_SUBLAYER_MPSSVC_WSH + + FWP_EMPTY + + + + FWPM_CONDITION_ALE_PACKAGE_ID + FWP_MATCH_NOT_EQUAL + + FWP_SID + S-1-0-0 + + + + FWPM_CONDITION_IP_REMOTE_ADDRESS + FWP_MATCH_RANGE + + FWP_RANGE_TYPE + + + FWP_UINT32 + 0.0.0.0 + + + FWP_UINT32 + 255.255.255.255 + + + + + + FWPM_CONDITION_ORIGINAL_PROFILE_ID + FWP_MATCH_EQUAL + + FWP_UINT32 + 1 + + + + FWPM_CONDITION_CURRENT_PROFILE_ID + FWP_MATCH_EQUAL + + FWP_UINT32 + 1 + + + + FWPM_CONDITION_ALE_USER_ID + FWP_MATCH_EQUAL + + FWP_SECURITY_DESCRIPTOR_TYPE + O:LSD:(A;;CC;;;S-1-15-3-1)(A;;CC;;;WD)(A;;CC;;;AN) + + + + + FWP_ACTION_PERMIT + + + 0 + + 208757 + + FWP_UINT64 + 412316868544 + + +``` +The capabilities field in a netEvent was added to the traces in the Windows 10 +May 2019 Update. diff --git a/windows/security/threat-protection/windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md b/windows/security/threat-protection/windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md index 26796b6814..0449d6b01f 100644 --- a/windows/security/threat-protection/windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md +++ b/windows/security/threat-protection/windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md 
@@ -20,13 +20,12 @@ ms.author: dansimp Designing any deployment starts by performing several important tasks: -- [Identifying Your Windows Defender Firewall with Advanced Security Design Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md) +- [Identifying your windows defender firewall with advanced security design goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md) -- [Mapping Your Deployment Goals to a Windows Defender Firewall with Advanced Security Design](mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md) +- [Mapping your implementation goals to a Windows Defender Firewall with Advanced Security design](mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md) -- [Evaluating Windows Defender Firewall with Advanced Security Design Examples](evaluating-windows-firewall-with-advanced-security-design-examples.md) -After you identify your deployment goals and map them to a Windows Defender Firewall with Advanced Security design, you can begin documenting the design based on the processes that are described in the following topics: +After you identify your implementation goals and map them to a Windows Defender Firewall with Advanced Security design, you can begin documenting the design based on the processes that are described in the following topics: - [Designing A Windows Defender Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md) diff --git a/windows/security/threat-protection/windows-firewall/verify-that-network-traffic-is-authenticated.md b/windows/security/threat-protection/windows-firewall/verify-that-network-traffic-is-authenticated.md index 7cbeb23689..a7178f39fe 100644 --- a/windows/security/threat-protection/windows-firewall/verify-that-network-traffic-is-authenticated.md 
+++ b/windows/security/threat-protection/windows-firewall/verify-that-network-traffic-is-authenticated.md @@ -1,6 +1,6 @@ --- title: Verify That Network Traffic Is Authenticated (Windows 10) -description: Verify That Network Traffic Is Authenticated +description: Learn how to confirm that network traffic is being protected by IPsec authentication after you configure your domain isolation rule to require authentication. ms.assetid: cc1fb973-aedf-4074-ad4a-7376b24f03d2 ms.reviewer: ms.author: dansimp diff --git a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md index d91723c3d2..ddb0304065 100644 --- a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md +++ b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md @@ -1,6 +1,6 @@ --- -title: Deploy Windows Defender Firewall with Advanced Security (Windows 10) -description: Windows Defender Firewall with Advanced Security Deployment Guide +title: Windows Defender Firewall with Advanced Security deployment overview (Windows 10) +description: Use this guide to deploy Windows Defender Firewall with Advanced Security for your enterprise to help protect devices and data that they share across a network. ms.assetid: 56b51b97-1c38-481e-bbda-540f1216ad56 ms.reviewer: ms.author: dansimp @@ -17,7 +17,7 @@ ms.topic: conceptual ms.date: 08/17/2017 --- -# Windows Defender Firewall with Advanced Security Deployment Guide +# Windows Defender Firewall with Advanced Security deployment overview **Applies to** - Windows 10 
@@ -46,8 +46,8 @@ After you select your design and gather the required information about the zones - [Certificate-based Isolation Policy Design](certificate-based-isolation-policy-design.md) Use the checklists in [Implementing Your Windows Defender Firewall with Advanced Security Design Plan](implementing-your-windows-firewall-with-advanced-security-design-plan.md) to determine how best to use the instructions in this guide to deploy your particular design. - ->**Caution:**  We recommend that you use the techniques documented in this guide only for GPOs that must be deployed to the majority of the devices in your organization, and only when the OU hierarchy in your Active Directory domain does not match the deployment needs of these GPOs. These characteristics are typical of GPOs for server and domain isolation scenarios, but are not typical of most other GPOs. When the OU hierarchy supports it, deploy a GPO by linking it to the lowest level OU that contains all of the accounts to which the GPO applies. +> [!CAUTION] +> We recommend that you use the techniques documented in this guide only for GPOs that must be deployed to the majority of the devices in your organization, and only when the OU hierarchy in your Active Directory domain does not match the deployment needs of these GPOs. These characteristics are typical of GPOs for server and domain isolation scenarios, but are not typical of most other GPOs. When the OU hierarchy supports it, deploy a GPO by linking it to the lowest level OU that contains all of the accounts to which the GPO applies. In a large enterprise environment with hundreds or thousands of GPOs, using this technique with too many GPOs can result in user or device accounts that are members of an excessive number of groups; this can result in network connectivity problems if network protocol limits are exceeded.   
@@ -61,10 +61,4 @@ This guide does not provide: - Guidance for setting up certification authorities (CAs) to create certificates for certificate-based authentication. -## Overview of Windows Defender Firewall with Advanced Security - -Windows Defender Firewall in Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 is a stateful host firewall that helps secure the device by allowing you to create rules that determine which network traffic is permitted to enter the device from the network and which network traffic the device is allowed to send to the network. Windows Defender Firewall also supports Internet Protocol security (IPsec), which you can use to require authentication from any device that is attempting to communicate with your device. When authentication is required, devices that cannot be authenticated as a trusted device cannot communicate with your device. You can also use IPsec to require that certain network traffic is encrypted to prevent it from being read by network packet analyzers that could be attached to the network by a malicious user. - -The Windows Defender Firewall with Advanced Security MMC snap-in is more flexible and provides much more functionality than the consumer-friendly Windows Defender Firewall interface found in the Control Panel. Both interfaces interact with the same underlying services, but provide different levels of control over those services. While the Windows Defender Firewall Control Panel program can protect a single device in a home environment, it does not provide enough centralized management or security features to help secure more complex network traffic found in a typical business enterprise environment. - For more information about Windows Defender Firewall with Advanced Security, see [Windows Defender Firewall with Advanced Security Overview](windows-firewall-with-advanced-security.md). 
diff --git a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide.md b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide.md index 70c8912478..d6b2ed3cde 100644 --- a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide.md +++ b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide.md @@ -1,6 +1,6 @@ --- -title: Windows Defender Firewall with Advanced Security Design Guide (Windows 10) -description: Windows Defender Firewall with Advanced Security Design Guide +title: Windows Defender Firewall with Advanced Security design guide (Windows 10) +description: Learn about common goals for using Windows Defender Firewall with Advanced Security to choose or create a design for deploying the firewall in your enterprise. ms.assetid: 5c631389-f232-4b95-9e48-ec02b8677d51 ms.reviewer: ms.author: dansimp @@ -17,8 +17,7 @@ ms.topic: conceptual ms.date: 10/05/2017 --- -# Windows Defender Firewall with Advanced Security -Design Guide +# Windows Defender Firewall with Advanced Security design guide **Applies to** - Windows 10 
@@ -40,7 +39,7 @@ Windows Defender Firewall should be part of a comprehensive security solution th To successfully use this guide, you need a good understanding of both the capabilities provided by Windows Defender Firewall, and how to deliver configuration settings to your managed devices by using Group Policy in Active Directory. -You can use the deployment goals to form one of these Windows Defender Firewall with Advanced Security designs, or a custom design that combines elements from those presented here: +You can use the implementation goals to form one of these Windows Defender Firewall with Advanced Security designs, or a custom design that combines elements from those presented here: - **Basic firewall policy design**. Restricts network traffic in and out of your devices to only that which is needed and authorized. 
@@ -68,9 +67,8 @@ Deployment Guide at these locations: | Topic | Description | - | - | | [Understanding the Windows Defender Firewall with Advanced Security Design Process](understanding-the-windows-firewall-with-advanced-security-design-process.md) | Learn how to get started with the Windows Defender Firewall with Advanced Security design process. | -| [Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md) | Learn how to identify your Windows Defender Firewall with Advanced Security deployment goals. | -| [Mapping Your Deployment Goals to a Windows Defender Firewall with Advanced Security Design](mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md) | After you finish reviewing the existing Windows Defender Firewall with Advanced Security deployment goals and you determine which goals are important to your specific deployment, you can map those goals to a specific Windows Defender Firewall with Advanced Security design. | -| [Evaluating Windows Defender Firewall with Advanced Security Design Examples](evaluating-windows-firewall-with-advanced-security-design-examples.md) | Learn how to use Windows Defender Firewall to improve the security of the computers connected to the network. | +| [Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md) | Learn how to identify your Windows Defender Firewall with Advanced Security implementation goals. 
| +| [Mapping Your Deployment Goals to a Windows Defender Firewall with Advanced Security Design](mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md) | After you finish reviewing the existing Windows Defender Firewall with Advanced Security implementation goals and you determine which goals are important to your specific deployment, you can map those goals to a specific Windows Defender Firewall with Advanced Security design. | | [Designing a Windows Defender Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md) | To select the most effective design for helping to protect the network, you must spend time collecting key information about your current computer environment. | | [Planning Your Windows Defender Firewall with Advanced Security Design](planning-your-windows-firewall-with-advanced-security-design.md) | After you have gathered the relevant information in the previous sections, and understand the basics of the designs as described earlier in this guide, you can select the design (or combination of designs) that meet your needs. | | [Appendix A: Sample GPO Template Files for Settings Used in this Guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md) | You can import an XML file containing customized registry preferences into a Group Policy Object (GPO) by using the Preferences feature of the Group Policy Management Console (GPMC). | diff --git a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md index 3261e0545f..9718aa85cf 100644 --- a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md +++ b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md 
@@ -1,6 +1,6 @@
 ---
 title: Windows Defender Firewall with Advanced Security (Windows 10)
-description: Windows Defender Firewall with Advanced Security
+description: Learn overview information about the Windows Defender Firewall with Advanced Security (WFAS) and Internet Protocol security (IPsec) features.
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
@@ -25,10 +25,17 @@ ms.custom: asr This is an overview of the Windows Defender Firewall with Advanced Security (WFAS) and Internet Protocol security (IPsec) features. +## Overview of Windows Defender Firewall with Advanced Security + +Windows Defender Firewall in Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 is a stateful host firewall that helps secure the device by allowing you to create rules that determine which network traffic is permitted to enter the device from the network and which network traffic the device is allowed to send to the network. Windows Defender Firewall also supports Internet Protocol security (IPsec), which you can use to require authentication from any device that is attempting to communicate with your device. When authentication is required, devices that cannot be authenticated as a trusted device cannot communicate with your device. You can also use IPsec to require that certain network traffic is encrypted to prevent it from being read by network packet analyzers that could be attached to the network by a malicious user. + +The Windows Defender Firewall with Advanced Security MMC snap-in is more flexible and provides much more functionality than the consumer-friendly Windows Defender Firewall interface found in the Control Panel. Both interfaces interact with the same underlying services, but provide different levels of control over those services. While the Windows Defender Firewall Control Panel program can protect a single device in a home environment, it does not provide enough centralized management or security features to help secure more complex network traffic found in a typical business enterprise environment. + + + ## Feature description -Windows Defender Firewall with Advanced Security -is an important part of a layered security model. 
By providing host-based, two-way network traffic filtering for a device, Windows Defender Firewall blocks unauthorized network traffic flowing into or out of the local device. Windows Defender Firewall also works with Network Awareness so that it can apply security settings appropriate to the types of networks to which the device is connected. Windows Defender Firewall and Internet Protocol Security (IPsec) configuration settings are integrated into a single Microsoft Management Console (MMC) named Windows Defender Firewall, so Windows Defender Firewall is also an important part of your network’s isolation strategy. +Windows Defender Firewall with Advanced Security is an important part of a layered security model. By providing host-based, two-way network traffic filtering for a device, Windows Defender Firewall blocks unauthorized network traffic flowing into or out of the local device. Windows Defender Firewall also works with Network Awareness so that it can apply security settings appropriate to the types of networks to which the device is connected. Windows Defender Firewall and Internet Protocol Security (IPsec) configuration settings are integrated into a single Microsoft Management Console (MMC) named Windows Defender Firewall, so Windows Defender Firewall is also an important part of your network’s isolation strategy. ## Practical applications 
@@ -41,12 +48,4 @@ To help address your organizational network security challenges, Windows Defende - **Extends the value of existing investments.**  Because Windows Defender Firewall is a host-based firewall that is included with the operating system, there is no additional hardware or software required. Windows Defender Firewall is also designed to complement existing non-Microsoft network security solutions through a documented application programming interface (API). -## In this section -| Topic | Description -| - | - | -| [Isolating Microsoft Store Apps on Your Network](isolating-apps-on-your-network.md) | You can customize your Windows Defender Firewall configuration to isolate the network access of Microsoft Store apps that run on devices. | -| [Securing End-to-End IPsec Connections by Using IKEv2](securing-end-to-end-ipsec-connections-by-using-ikev2.md) | You can use IKEv2 to help secure your end-to-end IPSec connections. | -| [Windows Defender Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md) | Learn more about using Windows PowerShell to manage the Windows Defender Firewall. | -| [Windows Defender Firewall with Advanced Security Design Guide](windows-firewall-with-advanced-security-design-guide.md) | Learn how to create a design for deploying Windows Defender Firewall with Advanced Security. | -| [Windows Defender Firewall with Advanced Security Deployment Guide](windows-firewall-with-advanced-security-deployment-guide.md) | Learn how to deploy Windows Defender Firewall with Advanced Security. | diff --git a/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md b/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md index fa85062872..e7b8a53f7a 100644 --- a/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md 
+++ b/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md @@ -35,7 +35,7 @@ The following video provides an overview of Windows Sandbox. ## Prerequisites -- Windows 10 Pro or Enterprise build 18305 or later (*Windows Sandbox is currently not supported on Home SKUs*) +- Windows 10 Pro, Enterprise or Education build 18305 or later (*Windows Sandbox is currently not supported on Home SKUs*) - AMD64 architecture - Virtualization capabilities enabled in BIOS - At least 4 GB of RAM (8 GB recommended) @@ -48,7 +48,7 @@ The following video provides an overview of Windows Sandbox. 2. Enable virtualization on the machine. - If you're using a physical machine, make sure virtualization capabilities are enabled in the BIOS. - - If you're using a virtual machine, run the following PowerShell command to enable nested virtualization:
                        **Set -VMProcessor -VMName \ -ExposeVirtualizationExtensions $true** + - If you're using a virtual machine, run the following PowerShell command to enable nested virtualization:
                        **Set-VMProcessor -VMName \ -ExposeVirtualizationExtensions $true** 1. Use the search bar on the task bar and type **Turn Windows Features on and off** to access the Windows Optional Features tool. Select **Windows Sandbox** and then **OK**. Restart the computer if you're prompted. - If the **Windows Sandbox** option is unavailable, your computer doesn't meet the requirements to run Windows Sandbox. If you think this is incorrect, review the prerequisite list as well as steps 1 and 2. diff --git a/windows/whats-new/get-started-with-1709.md b/windows/whats-new/get-started-with-1709.md index 2b22a606de..c2522f3e4c 100644 --- a/windows/whats-new/get-started-with-1709.md +++ b/windows/whats-new/get-started-with-1709.md @@ -1,6 +1,6 @@ --- title: Get started with Windows 10, version 1709 -description: Learn the dos and don'ts for getting started with Windows 10, version 1709. +description: Learn about features, review requirements, and plan your deployment of Windows 10, version 1709, including IT Pro content, release information, and history. keywords: ["get started", "windows 10", "fall creators update", "1709"] ms.prod: w10 ms.mktglfcycl: deploy diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2019.md b/windows/whats-new/ltsc/whats-new-windows-10-2019.md index 8c41f40e80..591f85814f 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2019.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2019.md 
@@ -46,7 +46,7 @@ This version of Window 10 includes security improvements for threat protection, #### Windows Defender ATP -The Windows Defender Advanced Threat Protection ([Windows Defender ATP](/windows/security/threat-protection/index)) platform inludes the security pillars shown in the following diagram. In this version of Windows, Windows Defender ATP includes powerful analytics, security stack integration, and centralized management for better detection, prevention, investigation, response, and management. +The Windows Defender Advanced Threat Protection ([Windows Defender ATP](/windows/security/threat-protection/index)) platform includes the security pillars shown in the following diagram. In this version of Windows, Windows Defender ATP includes powerful analytics, security stack integration, and centralized management for better detection, prevention, investigation, response, and management. ![Windows Defender ATP](../images/wdatp.png) 
@@ -99,7 +99,7 @@ Endpoint detection and response is improved. Enterprise customers can now take a - Upgraded detections of ransomware and other advanced attacks. - Historical detection capability ensures new detection rules apply to up to six months of stored data to detect previous attacks that might not have been noticed. - **Threat reponse** is improved when an attack is detected, enabling immediate action by security teams to contain a breach: + **Threat response** is improved when an attack is detected, enabling immediate action by security teams to contain a breach: - [Take response actions on a machine](/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection) - Quickly respond to detected attacks by isolating machines or collecting an investigation package. - [Take response actions on a file](/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection) - Quickly respond to detected attacks by stopping and quarantining files or blocking a file. 
@@ -128,7 +128,7 @@ This also means you’ll see more links to other security apps within **Windows You can read more about ransomware mitigations and detection capability at: - [Averting ransomware epidemics in corporate networks with Windows Defender ATP](https://blogs.technet.microsoft.com/mmpc/2017/01/30/averting-ransomware-epidemics-in-corporate-networks-with-windows-defender-atp/) -- [Ransomware Protection in Windows 10 Anniversary Update whitepaper (PDF)](http://wincom.blob.core.windows.net/documents/Ransomware_protection_in_Windows_10_Anniversary_Update.pdf) +- [Ransomware security intelligence](https://docs.microsoft.com/windows/security/threat-protection/intelligence/ransomware-malware) - [Microsoft Malware Protection Center blog](https://blogs.technet.microsoft.com/mmpc/category/research/ransomware/) Also see [New capabilities of Windows Defender ATP further maximizing the effectiveness and robustness of endpoint security](https://blogs.windows.com/business/2018/04/17/new-capabilities-of-windows-defender-atp-further-maximizing-the-effectiveness-and-robustness-of-endpoint-security/#62FUJ3LuMXLQidVE.97) 
@@ -185,7 +185,7 @@ Improvements have been added are to Windows Hello for Business and Credential Gu New features in Windows Hello enable a better device lock experience, using multifactor unlock with new location and user proximity signals. Using Bluetooth signals, you can configure your Windows 10 device to automatically lock when you walk away from it, or to prevent others from accessing the device when you are not present. -New features in [Windows Hello for Business](/windows/security/identity-protection/hello-for-business/hello-identity-verification.md) inlcude: +New features in [Windows Hello for Business](/windows/security/identity-protection/hello-for-business/hello-identity-verification.md) include: - You can now reset a forgotten PIN without deleting company managed data or apps on devices managed by [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune). - For Windows Phone devices, an administrator is able to initiate a remote PIN reset through the Intune portal. - For Windows desktops, users are able to reset a forgotten PIN through **Settings > Accounts > Sign-in options**. For more details, check out [What if I forget my PIN?](/windows/security/identity-protection/hello-for-business/hello-features#pin-reset). @@ -208,7 +208,7 @@ Windows Defender Credential Guard has always been an optional feature, but Windo For more information, see [Credential Guard Security Considerations](/windows/access-protection/credential-guard/credential-guard-requirements#security-considerations). -### Other security improvments +### Other security improvements #### Windows security baselines 
@@ -259,17 +259,6 @@ Using Intune, Autopilot now enables locking the device during provisioning durin You can also apply an Autopilot deployment profile to your devices using Microsoft Store for Business. When people in your organization run the out-of-box experience on the device, the profile configures Windows based on the Autopilot deployment profile you applied to the device. For more information, see [Manage Windows device deployment with Windows Autopilot Deployment](https://docs.microsoft.com/microsoft-store/add-profile-to-devices). -#### Windows Autopilot self-deploying mode - -Windows Autopilot self-deploying mode enables a zero touch device provisioning experience. Simply power on the device, plug it into the Ethernet, and the device is fully configured automatically by Windows Autopilot. - -This self-deploying capability removes the current need to have an end user interact by pressing the “Next” button during the deployment process. - -You can utilize Windows Autopilot self-deploying mode to register the device to an AAD tenant, enroll in your organization’s MDM provider, and provision policies and applications, all with no user authentication or user interaction required. - -To learn more about Autopilot self-deploying mode and to see step-by-step instructions to perform such a deployment, [Windows Autopilot self-deploying mode](https://docs.microsoft.com/windows/deployment/windows-autopilot/self-deploying). - - #### Autopilot Reset IT Pros can use Autopilot Reset to quickly remove personal files, apps, and settings. A custom login screen is available from the lock screen that enables you to apply original settings and management enrollment (Azure Active Directory and device management) so that devices are returned to a fully configured, known, IT-approved state and ready to use. For more information, see [Reset devices with Autopilot Reset](https://docs.microsoft.com/education/windows/autopilot-reset). 
@@ -413,7 +402,7 @@ If you wish to take advantage of [Kiosk capabilities in Edge](https://docs.micro
 ### Co-management
-Intune and Microsoft Endpoint Configuration Manager policies have been added to enable hyrid Azure AD-joined authentication. Mobile Device Management (MDM) has added over 150 new policies and settings in this release, including the [MDMWinsOverGP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-controlpolicyconflict) policy, to enable easier transition to cloud-based management.
+Intune and Microsoft Endpoint Configuration Manager policies have been added to enable hybrid Azure AD-joined authentication. Mobile Device Management (MDM) has added over 150 new policies and settings in this release, including the [MDMWinsOverGP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-controlpolicyconflict) policy, to enable easier transition to cloud-based management.
 For more information, see [What's New in MDM enrollment and management](https://docs.microsoft.com/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew1803)
@@ -456,7 +445,7 @@ Windows Update for Business now provides greater control over updates, with the
 The pause feature has been changed, and now requires a start date to set up. Users are now able to pause through **Settings > Update & security > Windows Update > Advanced options** in case a policy has not been configured. We have also increased the pause limit on quality updates to 35 days. You can find more information on pause in [Pause Feature Updates](/windows/deployment/update/waas-configure-wufb#pause-feature-updates) and [Pause Quality Updates](/windows/deployment/update/waas-configure-wufb#pause-quality-updates).
-Windows Update for Business managed devices are now able to defer feature update installation by up to 365 days (it used to be 180 days). In settings, users are able to select their branch readiness level and update deferal periods. See [Configure devices for Current Branch (CB) or Current Branch for Business (CBB)](/windows/deployment/update/waas-configure-wufb#configure-devices-for-current-branch-or-current-branch-for-business), [Configure when devices receive Feature Updates](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-feature-updates) and [Configure when devices receive Quality Updates](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-quality-updates) for details.
+Windows Update for Business managed devices are now able to defer feature update installation by up to 365 days (it used to be 180 days). In settings, users are able to select their branch readiness level and update deferral periods.
See [Configure devices for Current Branch (CB) or Current Branch for Business (CBB)](/windows/deployment/update/waas-configure-wufb#configure-devices-for-current-branch-or-current-branch-for-business), [Configure when devices receive Feature Updates](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-feature-updates) and [Configure when devices receive Quality Updates](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-quality-updates) for details.
 WUfB now has additional controls available to manage Windows Insider Program enrollment through policies. For more information, see [Manage Windows Insider Program flights](https://docs.microsoft.com/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-windows-insider-preview-builds).
@@ -465,7 +454,7 @@ Windows Update for Business now provides greater control over updates, with the
 The pause feature has been changed, and now requires a start date to set up. Users are now able to pause through **Settings > Update & security > Windows Update > Advanced options** in case a policy has not been configured. We have also increased the pause limit on quality updates to 35 days. You can find more information on pause in [Pause Feature Updates](/windows/deployment/update/waas-configure-wufb#pause-feature-updates) and [Pause Quality Updates](/windows/deployment/update/waas-configure-wufb#pause-quality-updates).
-Windows Update for Business managed devices are now able to defer feature update installation by up to 365 days (it used to be 180 days). In settings, users are able to select their branch readiness level and update deferal periods. See [Configure devices for Current Branch (CB) or Current Branch for Business (CBB)](/windows/deployment/update/waas-configure-wufb#configure-devices-for-current-branch-or-current-branch-for-business), [Configure when devices receive Feature Updates](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-feature-updates) and [Configure when devices receive Quality Updates](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-quality-updates) for details.
+Windows Update for Business managed devices are now able to defer feature update installation by up to 365 days (it used to be 180 days). In settings, users are able to select their branch readiness level and update deferral periods.
See [Configure devices for Current Branch (CB) or Current Branch for Business (CBB)](/windows/deployment/update/waas-configure-wufb#configure-devices-for-current-branch-or-current-branch-for-business), [Configure when devices receive Feature Updates](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-feature-updates) and [Configure when devices receive Quality Updates](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-quality-updates) for details.
 WUfB now has additional controls available to manage Windows Insider Program enrollment through policies. For more information, see [Manage Windows Insider Program flights](https://docs.microsoft.com/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-windows-insider-preview-builds).
diff --git a/windows/whats-new/whats-new-windows-10-version-1703.md b/windows/whats-new/whats-new-windows-10-version-1703.md
index 2f32d6a64d..9d74b2f7b8 100644
--- a/windows/whats-new/whats-new-windows-10-version-1703.md
+++ b/windows/whats-new/whats-new-windows-10-version-1703.md
@@ -150,7 +150,7 @@ New features for Microsoft Defender AV in Windows 10, version 1703 include:
 In Windows 10, version 1607, we [invested heavily in helping to protect against ransomware](https://blogs.windows.com/business/2016/11/11/defending-against-ransomware-with-windows-10-anniversary-update/#UJlHc6SZ2Zm44jCt.97), and we continue that investment in version 1703 with [updated behavior monitoring and always-on real-time protection](/windows/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus).
-You can read more about ransomware mitigations and detection capability in Microsoft Defender AV in the [Ransomware Protection in Windows 10 Anniversary Update whitepaper (PDF)](http://wincom.blob.core.windows.net/documents/Ransomware_protection_in_Windows_10_Anniversary_Update.pdf) and at the [Microsoft Malware Protection Center blog](https://blogs.technet.microsoft.com/mmpc/category/research/ransomware/).
+You can read more about ransomware mitigations and detection capability in Microsoft Defender AV in the [ransomware information topic](https://docs.microsoft.com/windows/security/threat-protection/intelligence/ransomware-malware) and at the [Microsoft Malware Protection Center blog](https://blogs.technet.microsoft.com/mmpc/category/research/ransomware/).
 ### Device Guard and Credential Guard
diff --git a/windows/whats-new/whats-new-windows-10-version-1809.md b/windows/whats-new/whats-new-windows-10-version-1809.md
index ba0090d559..309ce421df 100644
--- a/windows/whats-new/whats-new-windows-10-version-1809.md
+++ b/windows/whats-new/whats-new-windows-10-version-1809.md
@@ -1,7 +1,7 @@
 ---
 title: What's new in Windows 10, version 1809
 ms.reviewer:
-description: New and updated features in Windows 10, version 1809
+description: Learn about features for Windows 10, version 1809, including features and fixes included in previous cumulative updates to Windows 10, version 1803.
 keywords: ["What's new in Windows 10", "Windows 10", "Windows 10 October 2018 Update"]
 ms.prod: w10
 ms.mktglfcycl: deploy
diff --git a/windows/whats-new/whats-new-windows-10-version-2004.md b/windows/whats-new/whats-new-windows-10-version-2004.md
index 8518f5c4af..8c86914b6b 100644
--- a/windows/whats-new/whats-new-windows-10-version-2004.md
+++ b/windows/whats-new/whats-new-windows-10-version-2004.md
@@ -124,6 +124,16 @@ The following [Delivery Optimization](https://docs.microsoft.com/windows/deploym - Validation improvements: To ensure devices and end users stay productive and protected, Microsoft uses safeguard holds to block devices from updating when there are known issues that would impact that device. Also, to better enable IT administrators to validate on the latest release, we have created a new policy that enables admins to opt devices out of the built-in safeguard holds. - Update less: Last year, we [changed update installation policies](https://blogs.windows.com/windowsexperience/2019/04/04/improving-the-windows-10-update-experience-with-control-quality-and-transparency/#l2jH7KMkOkfcWdBs.97) for Windows 10 to only target devices running a feature update version that is nearing end of service. As a result, many devices are only updating once a year. To enable all devices to make the most of this policy change, and to prevent confusion, we have removed deferrals from the Windows Update settings **Advanced Options** page starting on Windows 10, version 2004. If you wish to continue leveraging deferrals, you can use local Group Policy (**Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Select when Preview builds and Feature Updates are received** or **Select when Quality Updates are received**). For more information about this change, see [Simplified Windows Update settings for end users](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/simplified-windows-update-settings-for-end-users/ba-p/1497215). +## Networking + +### Wi-Fi 6 and WPA3 + +Windows now supports the latest Wi-Fi standards with [Wi-Fi 6 and WPA3](https://support.microsoft.com/help/4562575/windows-10-faster-more-secure-wifi). Wi-Fi 6 gives you better wireless coverage and performance with added security. WPA3 provides improved Wi-Fi security and secures open networks. 
+ +### TEAP + +In this release, Tunnel Extensible Authentication Protocol (TEAP) has been added as an authentication method to allow chaining together multiple credentials into a single EAP transaction. TEAP networks can be configured by [enterprise policy](https://docs.microsoft.com/openspecs/windows_protocols/ms-gpwl/94cf6896-c28e-4865-b12a-d83ee38cd3ea). + ## Virtualization ### Windows Sandbox