Merging changes synced from https://github.com/MicrosoftDocs/windows-docs-pr (branch live)

This commit is contained in:
officedocspr 2020-01-10 23:41:40 +00:00
commit 15b9650f3b
11 changed files with 1211 additions and 1169 deletions

View File

@ -35,7 +35,7 @@ The following table describes some log files and how to use them for troubleshoo
<br>
<table>
<tr><td BGCOLOR="#a0e4fa"><B>Log file</td><td BGCOLOR="#a0e4fa"><B>Phase: Location</td><td BGCOLOR="#a0e4fa"><B>Description</td><td BGCOLOR="#a0e4fa"><B>When to use</td>
<tr><td BGCOLOR="#a0e4fa"><font color="#000000"><B>Log file</td><td BGCOLOR="#a0e4fa"><font color="#000000"><B>Phase: Location</td><td BGCOLOR="#a0e4fa"><font color="#000000"><B>Description</td><td BGCOLOR="#a0e4fa"><font color="#000000"><B>When to use</td>
<tr><td rowspan="5">setupact.log</td><td>Down-Level:<br>$Windows.~BT\Sources\Panther</td><td>Contains information about setup actions during the downlevel phase. </td>
<td>All down-level failures and starting point for rollback investigations.<br> This is the most important log for diagnosing setup issues.</td>
<tr><td>OOBE:<br>$Windows.~BT\Sources\Panther\UnattendGC</td>
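Review bot: the new header row on the first line of this hunk opens `<font color="#000000">` and `<B>` in each cell but closes neither before `</td>`. The Error code / Cause / Mitigation table later in this commit writes the same kind of cell as `<td BGCOLOR="#a0e4fa"><font color="#000000"><b>Error code</b></font></td>`; use that form here too. The hardcoded black foreground is presumably there to keep the header readable on the light-blue `BGCOLOR` under a dark theme; a CSS class would be the maintainable way to express that, but at minimum close the tags.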
@ -52,7 +52,7 @@ setupapi.dev.log<br>
Event logs (*.evtx)</td>
<td>$Windows.~BT\Sources\Rollback<td>Additional logs collected during rollback.</td>
<td>
Setupmem.dmp: If OS bugchecks during upgrade, setup will attempt to extract a mini-dump.<br>
Setupmem.dmp: If OS bug checks during upgrade, setup will attempt to extract a mini-dump.<br>
Setupapi: Device install issues - 0x30018<br>
Event logs: Generic rollbacks (0xC1900101) or unexpected reboots.</td>
</table>

View File

@ -513,9 +513,9 @@ This error has more than one possible cause. Attempt [quick fixes](quick-fixes.m
<br /><table>
<tr>
<td BGCOLOR="#a0e4fa"><b>Error code</b></th>
<td BGCOLOR="#a0e4fa"><b>Cause</b></th>
<td BGCOLOR="#a0e4fa"><b>Mitigation</b></th>
<td BGCOLOR="#a0e4fa"><font color="#000000"><b>Error code</b></font></td>
<td BGCOLOR="#a0e4fa"><font color="#000000"><b>Cause</b></font></td>
<td BGCOLOR="#a0e4fa"><font color="#000000"><b>Mitigation</b></font></td>
</tr>
<tr>
@ -647,7 +647,7 @@ For detailed information on how to run these steps check out <a href="https://bl
<br><table>
<tr><td BGCOLOR="#a0e4fa">Error Codes<td BGCOLOR="#a0e4fa">Cause<td BGCOLOR="#a0e4fa">Mitigation</td></tr>
<tr><td BGCOLOR="#a0e4fa"><font color="#000000">Error Codes<td BGCOLOR="#a0e4fa"><font color="#000000">Cause<td BGCOLOR="#a0e4fa"><font color="#000000">Mitigation</td></tr>
<tr><td>0x80070003- 0x20007
<td>This is a failure during SafeOS phase driver installation.
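Review bot: in the replacement header row each `<font color="#000000">` is opened but never closed, so the cell text runs straight into the next `<td>` and relies on the browser's implicit close. Write each cell as `<td BGCOLOR="#a0e4fa"><font color="#000000">Error Codes</font></td>`, and likewise for Cause and Mitigation, so the markup is well-formed for other tooling that consumes the page.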

View File

@ -91,7 +91,7 @@ The following tables provide the corresponding phase and operation for values of
<br>
<table cellspacing="0" cellpadding="0">
<tr><td colspan="2" align="center" valign="top" BGCOLOR="#a0e4fa"><b>Extend code: phase</b></td>
<tr><td colspan="2" align="center" valign="top" BGCOLOR="#a0e4fa"><font color="#000000"><b>Extend code: phase</b></td>
<tr><td style='padding:0in 4pt 0in 4pt'><b>Hex</b><td style='padding:0in 5.4pt 0in 5.4pt'><b>Phase</b>
<tr><td style='padding:0in 4pt 0in 4pt'>0<td style='padding:0in 4pt 0in 4pt'>SP_EXECUTION_UNKNOWN
<tr><td style='padding:0in 4pt 0in 4pt'>1<td style='padding:0in 4pt 0in 4pt'>SP_EXECUTION_DOWNLEVEL
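Review bot: the replaced line closes `<b>` and `</td>` but leaves `<font color="#000000">` open: `...<font color="#000000"><b>Extend code: phase</b></td>`. Add `</font>` before `</td>`.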
@ -103,7 +103,7 @@ The following tables provide the corresponding phase and operation for values of
<table border="0" style='border-collapse:collapse;border:none'>
<tr><td colspan="2" align="center" valign="top" BGCOLOR="#a0e4fa"><B>Extend code: operation</B></td>
<tr><td colspan="2" align="center" valign="top" BGCOLOR="#a0e4fa"><font color="#000000"><B>Extend code: operation</B></td>
<tr><td align="left" valign="top" style='border:dotted #A6A6A6 1.0pt;'>
<table>
<tr><td style='padding:0in 4pt 0in 4pt'><b>Hex</b><td style='padding:0in 4pt 0in 4pt'><span style='padding:0in 5.4pt 0in 5.4pt;'><b>Operation</b>
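Review bot: `<font color="#000000"><B>Extend code: operation</B></td>` never closes the `<font>` element it opens; add `</font>` before `</td>`, matching the fix needed on the `Extend code: phase` row above.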

View File

@ -2,7 +2,8 @@
title: Configure a test lab to deploy Windows 10
ms.reviewer:
manager: laurawi
ms.audience: itpro author: greg-lindsay
ms.audience: itpro
author: greg-lindsay
description: Concepts and procedures for deploying Windows 10 in a proof of concept lab environment.
ms.prod: w10
ms.mktglfcycl: deploy
@ -10,7 +11,8 @@ ms.sitesec: library
ms.pagetype: deploy
keywords: deployment, automate, tools, configure, mdt, sccm
ms.localizationpriority: medium
audience: itpro author: greg-lindsay
audience: itpro
author: greg-lindsay
ms.topic: article
---
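Review bot: splitting `audience: itpro author: greg-lindsay` into two lines is the right fix, since the one-line form was a single key whose value was the string `itpro author: greg-lindsay`. With this hunk and the one before it applied, however, the front matter declares `author: greg-lindsay` twice (once after `ms.audience: itpro`, once after `audience: itpro`); duplicate keys in one YAML document are parser-dependent, so keep a single `author` key and consider whether both `ms.audience` and `audience` are needed.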
@ -50,7 +52,7 @@ Topics and procedures in this guide are summarized in the following table. An es
<div style='font-size:9.0pt'>
<table border="1" cellspacing="0" cellpadding="0">
<tr><TD BGCOLOR="#a0e4fa"><B>Topic</B></td><TD BGCOLOR="#a0e4fa"><B>Description</B></td><TD BGCOLOR="#a0e4fa"><B>Time</B></td></tr>
<tr><TD BGCOLOR="#a0e4fa"><font color="#000000"><B>Topic</B></font></td><TD BGCOLOR="#a0e4fa"><font color="#000000"><B>Description</B></font></td><TD BGCOLOR="#a0e4fa"><font color="#000000"><B>Time</B></font></td></tr>
<tr><td><a href="#hardware-and-software-requirements" data-raw-source="[Hardware and software requirements](#hardware-and-software-requirements)">Hardware and software requirements</a><td>Prerequisites to complete this guide.<td>Informational
<tr><td><a href="#lab-setup" data-raw-source="[Lab setup](#lab-setup)">Lab setup</a><td>A description and diagram of the PoC environment.<td>Informational
<tr><td><a href="#configure-the-poc-environment" data-raw-source="[Configure the PoC environment](#configure-the-poc-environment)">Configure the PoC environment</a><td>Parent topic for procedures.<td>Informational
@ -73,59 +75,59 @@ One computer that meets the hardware and software specifications below is requir
- **Computer 1**: the computer you will use to run Hyper-V and host virtual machines. This computer should have 16 GB or more of installed RAM and a multi-core processor.
- **Computer 2**: a client computer from your corporate network. It is shadow-copied to create a VM that can be added to the PoC environment, enabling you to test a mirror image of a computer on your network. If you do not have a computer to use for this simulation, you can download an evaluation VHD and use it to represent this computer. Subsequent guides use this computer to simulate Windows 10 replace and refresh scenarios, so the VM is required even if you cannot create this VM using computer 2.
Harware requirements are displayed below:
Hardware requirements are displayed below:
<div style='font-size:9.0pt'>
<table border="1" cellspacing="0" cellpadding="0">
<tr>
<td></td>
<td BGCOLOR="#a0e4fa"><strong>Computer 1</strong> (required)</td>
<td BGCOLOR="#a0e4fa"><strong>Computer 2</strong> (recommended)</td>
<td BGCOLOR="#a0e4fa"><strong><font color="#000000">Computer 1</strong> (required)</font></td>
<td BGCOLOR="#a0e4fa"><strong><font color="#000000">Computer 2</strong> (recommended)</font></td>
</tr>
<tr>
<td BGCOLOR="#a0e4fa"><strong>Role</strong></td>
<td BGCOLOR="#a0e4fa"><font color="#000000"><strong>Role</strong></font></td>
<td>Hyper-V host</td>
<td>Client computer</td>
</tr>
<tr>
<td BGCOLOR="#a0e4fa"><strong>Description</strong></td>
<td BGCOLOR="#a0e4fa"><font color="#000000"><strong>Description</strong></font></td>
<td>This computer will run Hyper-V, the Hyper-V management tools, and the Hyper-V Windows PowerShell module.</td>
<td>This computer is a Windows 7 or Windows 8/8.1 client on your corporate network that will be converted to a VM to demonstrate the upgrade process.</td>
</tr>
<tr>
<td BGCOLOR="#a0e4fa"><strong>OS</strong></td>
<td BGCOLOR="#a0e4fa"><font color="#000000"><strong>OS</strong></font></td>
<td>Windows 8.1/10 or Windows Server 2012/2012 R2/2016<b>*</b></td>
<td>Windows 7 or a later</td>
</tr>
<tr>
<td BGCOLOR="#a0e4fa"><strong>Edition</strong></td>
<td BGCOLOR="#a0e4fa"><font color="#000000"><strong>Edition</strong></font></td>
<td>Enterprise, Professional, or Education</td>
<td>Any</td>
</tr>
<tr>
<td BGCOLOR="#a0e4fa"><strong>Architecture</strong></td>
<td BGCOLOR="#a0e4fa"><font color="#000000"><strong>Architecture</strong></font></td>
<td>64-bit</td>
<td>Any<BR><I>Note: Retaining applications and settings requires that architecture (32 or 64-bit) is the same before and after the upgrade.</I></td>
</tr>
<tr>
<td BGCOLOR="#a0e4fa"><strong>RAM</strong></td>
<td BGCOLOR="#a0e4fa"><font color="#000000"><strong>RAM</strong></font></td>
<td>8 GB RAM (16 GB recommended) to test Windows 10 deployment with MDT.
<BR>16 GB RAM to test Windows 10 deployment with System Center Configuration Manager.</td>
<td>Any</td>
</tr>
<tr>
<td BGCOLOR="#a0e4fa"><strong>Disk</strong></td>
<td BGCOLOR="#a0e4fa"><font color="#000000"><strong>Disk</strong></font></td>
<td>200 GB available hard disk space, any format.</td>
<td>Any size, MBR formatted.</td>
</tr>
<tr>
<td BGCOLOR="#a0e4fa"><strong>CPU</strong></td>
<td BGCOLOR="#a0e4fa"><font color="#000000"><strong>CPU</strong></font></td>
<td>SLAT-Capable CPU</td>
<td>Any</td>
</tr>
<tr>
<td BGCOLOR="#a0e4fa"><strong>Network</strong></td>
<td BGCOLOR="#a0e4fa"><font color="#000000"><strong>Network</strong></font></td>
<td>Internet connection</td>
<td>Any</td>
</tr>
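Review bot: the `Computer 1`/`Computer 2` header cells are mis-nested: `<strong><font color="#000000">Computer 1</strong> (required)</font>` closes `<strong>` before the `<font>` it contains. Write `<td BGCOLOR="#a0e4fa"><font color="#000000"><strong>Computer 1</strong> (required)</font></td>` (and the same for Computer 2), matching the `<font color="#000000"><strong>Role</strong></font>` pattern used for the row labels in this same hunk. While touching this table, the unchanged `Windows 7 or a later` cell should read `Windows 7 or later`.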
@ -631,7 +633,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
Dismount-VHD -Path c:\vhd\d.vhd
</pre>
Next, create the PC1 VM with two attached VHDs, and boot to DVD ($maxram must be defined previously using the same Windows PowerShell promt):
Next, create the PC1 VM with two attached VHDs, and boot to DVD ($maxram must be defined previously using the same Windows PowerShell prompt):
<pre style="overflow-y: visible">
New-VM -Name "PC1" -VHDPath c:\vhd\w7.vhd -SwitchName poc-internal
@ -821,7 +823,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
17. Open an elevated Windows PowerShell prompt on PC1 and verify that the client VM has received a DHCP lease and can communicate with the consoto.com domain controller.
To open Windows PowerShell on Windows 7, click **Start**, and search for "**power**." Right-click **Windows PowerShell** and then click **Pin to Taskbar** so that it is simpler to use Windows Powershell during this lab. Click **Windows PowerShell** on the taskbar, and then type **ipconfig** at the prompt to see the client's current IP address. Also type **ping dc1.contoso.com** and **nltest /dsgetdc:contoso.com** to verify that it can reach the domain controller. See the following examples of a successful network connection:
To open Windows PowerShell on Windows 7, click **Start**, and search for "**power**." Right-click **Windows PowerShell** and then click **Pin to Taskbar** so that it is simpler to use Windows PowerShell during this lab. Click **Windows PowerShell** on the taskbar, and then type **ipconfig** at the prompt to see the client's current IP address. Also type **ping dc1.contoso.com** and **nltest /dsgetdc:contoso.com** to verify that it can reach the domain controller. See the following examples of a successful network connection:
```
ipconfig
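Review bot: step 17's unchanged line still reads `consoto.com domain controller`; the domain is `contoso.com` everywhere else in this procedure (`ping dc1.contoso.com`, `nltest /dsgetdc:contoso.com`), so fix that typo in the same pass as the `Powershell` capitalization.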
@ -964,7 +966,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
cmd /c netsh routing ip nat add interface name="Internal" mode=PRIVATE
</pre>
32. The DNS service on SRV1 also needs to resolve hosts in the contoso.com domain. This can be accomplished with a conditional forwarder. Open an elevated Windows PowerShell prompt on SRV1 and type the following command:
32. The DNS service on SRV1 also needs to resolve hosts in the `contoso.com` domain. This can be accomplished with a conditional forwarder. Open an elevated Windows PowerShell prompt on SRV1 and type the following command:
<pre style="overflow-y: visible">
Add-DnsServerConditionalForwarderZone -Name contoso.com -MasterServers 192.168.0.1
@ -976,7 +978,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
ping www.microsoft.com
</pre>
If you see "Ping request could not find host www.microsoft.com" on PC1 and DC1, but not on SRV1, then you will need to configure a server-level DNS forwarder on SRV1. To do this, open an elevated Windows PowerShell prompt on SRV1 and type the following command.
If you see "Ping request could not find host `www.microsoft.com`" on PC1 and DC1, but not on SRV1, then you will need to configure a server-level DNS forwarder on SRV1. To do this, open an elevated Windows PowerShell prompt on SRV1 and type the following command.
**Note**: This command also assumes that "Ethernet 2" is the external-facing network adapter on SRV1. If the external adapter has a different name, replace "Ethernet 2" in the command below with that name:
@ -1032,10 +1034,10 @@ Use the following procedures to verify that the PoC environment is configured pr
**DCDiag** displays "passed test" for all tests.<BR>
**Get-DnsServerResourceRecord** displays the correct DNS address records for DC1, SRV1, and the computername of PC1. Additional address records for the zone apex (@), DomainDnsZones, and ForestDnsZones will also be registered.<BR>
**Get-DnsServerForwarder** displays a single forwarder of 192.168.0.2.<BR>
**Resolve-DnsName** displays public IP address results for www.microsoft.com.<BR>
**Get-DhcpServerInDC** displays 192.168.0.1, dc1.contoso.com.<BR>
**Resolve-DnsName** displays public IP address results for `www.microsoft.com`.<BR>
**Get-DhcpServerInDC** displays 192.168.0.1, `dc1.contoso.com`.<BR>
**Get-DhcpServerv4Statistics** displays 1 scope with 2 addresses in use (these belong to PC1 and the Hyper-V host).<BR>
**ipconfig** displays a primary DNS suffix and suffix search list of contoso.com, IP address of 192.168.0.1, subnet mask of 255.255.255.0, default gateway of 192.168.0.2, and DNS server addresses of 192.168.0.1 and 192.168.0.2.
**ipconfig** displays a primary DNS suffix and suffix search list of `contoso.com`, IP address of 192.168.0.1, subnet mask of 255.255.255.0, default gateway of 192.168.0.2, and DNS server addresses of 192.168.0.1 and 192.168.0.2.
2. On SRV1, open an elevated Windows PowerShell prompt and type the following commands:
@ -1049,8 +1051,8 @@ Use the following procedures to verify that the PoC environment is configured pr
**Get-Service** displays a status of "Running" for both services.<BR>
**Get-DnsServerForwarder** either displays no forwarders, or displays a list of forwarders you are required to use so that SRV1 can resolve Internet names.<BR>
**Resolve-DnsName** displays public IP address results for www.microsoft.com.<BR>
**ipconfig** displays a primary DNS suffix of contoso.com. The suffix search list contains contoso.com and your corporate domain. Two ethernet adapters are shown: Ethernet adapter "Ethernet" has an IP addresses of 192.168.0.2, subnet mask of 255.255.255.0, no default gateway, and DNS server addresses of 192.168.0.1 and 192.168.0.2. Ethernet adapter "Ethernet 2" has an IP address, subnet mask, and default gateway configured by DHCP on your corporate network.<BR>
**Resolve-DnsName** displays public IP address results for `www.microsoft.com`.<BR>
**ipconfig** displays a primary DNS suffix of `contoso.com`. The suffix search list contains `contoso.com` and your corporate domain. Two ethernet adapters are shown: Ethernet adapter "Ethernet" has an IP addresses of 192.168.0.2, subnet mask of 255.255.255.0, no default gateway, and DNS server addresses of 192.168.0.1 and 192.168.0.2. Ethernet adapter "Ethernet 2" has an IP address, subnet mask, and default gateway configured by DHCP on your corporate network.<BR>
**netsh** displays three interfaces on the computer: interface "Ethernet 2" with DHCP enabled = Yes and IP address assigned by your corporate network, interface "Ethernet" with DHCP enabled = No and IP address of 192.168.0.2, and interface "Loopback Pseudo-Interface 1" with IP address of 127.0.0.1.
3. On PC1, open an elevated Windows PowerShell prompt and type the following commands:
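Review bot: the `ipconfig` line now puts `contoso.com` in code font but leaves `has an IP addresses of 192.168.0.2` unchanged; it should read `has an IP address of 192.168.0.2`. `Two ethernet adapters` should also be `Two Ethernet adapters`, matching `Ethernet adapter` later in the same sentence.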
@ -1065,9 +1067,9 @@ Use the following procedures to verify that the PoC environment is configured pr
**whoami** displays the current user context, for example in an elevated Windows PowerShell prompt, contoso\administrator is displayed.<BR>
**hostname** displays the name of the local computer, for example W7PC-001.<BR>
**nslookup** displays the DNS server used for the query, and the results of the query. For example, server dc1.contoso.com, address 192.168.0.1, Name e2847.dspb.akamaiedge.net.<BR>
**ping** displays if the source can resolve the target name, and whether or not the target responds to ICMP. If it cannot be resolved, "..could not find host" will be diplayed and if the target is found and also responds to ICMP, you will see "Reply from" and the IP address of the target.<BR>
**tracert** displays the path to reach the destination, for example srv1.contoso.com [192.168.0.2] followed by a list of hosts and IP addresses corresponding to subsequent routing nodes between the source and the destination.
**nslookup** displays the DNS server used for the query, and the results of the query. For example, server `dc1.contoso.com`, address 192.168.0.1, Name `e2847.dspb.akamaiedge.net`.<BR>
**ping** displays if the source can resolve the target name, and whether or not the target responds to ICMP. If it cannot be resolved, "..could not find host" will be displayed and if the target is found and also responds to ICMP, you will see "Reply from" and the IP address of the target.<BR>
**tracert** displays the path to reach the destination, for example `srv1.contoso.com` [192.168.0.2] followed by a list of hosts and IP addresses corresponding to subsequent routing nodes between the source and the destination.
## Appendix B: Terminology used in this guide
@ -1077,7 +1079,8 @@ Use the following procedures to verify that the PoC environment is configured pr
<div style='font-size:9.0pt'>
<table border="1" cellspacing="0" cellpadding="0">
<tr><TD BGCOLOR="#a0e4fa"><B>Term</B><TD BGCOLOR="#a0e4fa"><B>Definition</B>
<tr><TD BGCOLOR="#a0e4fa"><font color="#000000"><B>Term</B></font>
<TD BGCOLOR="#a0e4fa"><font color="#000000"><B>Definition</B></font>
<tr><td>GPT<td>GUID partition table (GPT) is an updated hard-disk formatting scheme that enables the use of newer hardware. GPT is one of the partition formats that can be chosen when first initializing a hard drive, prior to creating and formatting partitions.
<tr><td>Hyper-V<td>Hyper-V is a server role introduced with Windows Server 2008 that lets you create a virtualized computing environment. Hyper-V can also be installed as a Windows feature on Windows client operating systems, starting with Windows 8.
<tr><td>Hyper-V host<td>The computer where Hyper-V is installed.

View File

@ -104,13 +104,13 @@ Once the hardware IDs have been captured from existing devices, they can be uplo
- [Microsoft Store for Business](https://docs.microsoft.com/microsoft-store/add-profile-to-devices#manage-autopilot-deployment-profiles). You might already be using MSfB to manage your apps and settings.
A summary of each platform's capabilities is provided below.
<br>
<table>
<tr>
<td BGCOLOR="#a0e4fa"><B>Platform/Portal</th>
<td BGCOLOR="#a0e4fa"><B>Register devices?</th>
<td BGCOLOR="#a0e4fa"><B>Create/Assign profile</th>
<td BGCOLOR="#a0e4fa"><B>Acceptable DeviceID</th>
<td BGCOLOR="#a0e4fa"><B><font color="#000000">Platform/Portal</font></td>
<td BGCOLOR="#a0e4fa"><B><font color="#000000">Register devices?</font></td>
<td BGCOLOR="#a0e4fa"><B><font color="#000000">Create/Assign profile</font></td>
<td BGCOLOR="#a0e4fa"><B><font color="#000000">Acceptable DeviceID</font></td>
</tr>
<tr>
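Review bot: the replaced header cells now close `<font>` and drop the stray `</th>` closers, but `<B>` is still left open in every cell: `<td BGCOLOR="#a0e4fa"><B><font color="#000000">Platform/Portal</font></td>`. Add `</B>`, for example `<td BGCOLOR="#a0e4fa"><font color="#000000"><B>Platform/Portal</B></font></td>`, so the bold element is not implicitly closed by the end of the cell.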

Binary file not shown.


Binary file not shown.


Binary file not shown.


View File

@ -44,12 +44,21 @@ Each machine in the organization is scored based on three important factors: thr
You can access the security recommendation from the Microsoft Defender ATP Threat & Vulnerability Management menu, dashboard, software page, and machine page, to give you the context that you need, as you require it.
From the menu, select **Security recommendations** to get an overview of the running list with its weaknesses, related components, application, operating system, network, accounts, and security controls, associated breach, threats, and recommendation insights, exposed machine trends, status, remediation type and activities.
*Security recommendations option from the left navigation menu*
1. Go to the Threat & Vulnerability Management navigation menu and select **Security recommendations** to open up the list of security recommendations for the threats and vulnerabilities found in your organization. It gives you an overview of the security recommendation context: weaknesses found, related components, the application and operating system where the threat or vulnerabilities were found, network, accounts, and security controls, associated breach, threats, and recommendation insights, exposed machine trends, status, remediation type and activities.
![Screenshot of Security recommendations page](images/tvm_securityrecommendation-graph.png)
>[!NOTE]
> The color of the **Exposed machines** graph changes as the trend changes. If the number of exposed machines is on the rise, the color changes into red. If there's a decrease in the amount of exposed machines, the color of the graph will change into green. This happens per change, which means an increase or decrease of even a single machine will change the graph's color.
>[!NOTE]
> The color of the **Exposed machines** graph changes as the trend changes. If the number of exposed machines is on the rise, the color changes into red. If there's a decrease in the amount of exposed machines, the color of the graph will change into green. This happens when the numbers on the right hand side is greater than whats on the left, which means an increase or decrease at the end of even a single machine will change the graph's color.
You can filter your view based on related components, status, and remediation type. If you want to see the remediation activities of software and software versions which have reached their end-of-life, select **Active**, then select **Software update** from the **Remediation Type** filter, and click **Apply**.
<br></br>![Screenshot of the remediation type filters for software update and uninstall](images/remediationtype_swupdatefilter.png)
2. Select the security recommendation that you need to investigate or process.
<br></br>![Screenshot of the security recommendation page flyout for a software which reached its end-of-life](images/secrec_flyouteolsw.png)
*Top security recommendations from the dashboard*
In a given day as a Security Administrator, you can take a look at the dashboard to see your exposure score side-by-side with your configuration score. The goal is to lower down your organization's exposure from vulnerabilities, and increase your organization's security configuration to be more resilient against cybersecurity threat attacks. The top security recommendations list can help you achieve that goal.
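Review bot: the rewritten NOTE is harder to follow than the sentence it replaces and has grammar errors: `when the numbers on the right hand side is greater than whats on the left` should be `when the number on the right-hand side is greater than what's on the left`, and `an increase or decrease at the end of even a single machine` does not parse. A clearer version of what the two sentences are trying to say: the color is set by comparing the latest value with the earlier one, so a change of even one machine changes the graph's color. Also check that the renderer keeps the `1.`/`2.` numbering, since prose, a NOTE and an image now sit between the two list items.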

Binary file not shown.


View File

@ -1,9 +1,9 @@
---
title: Protect security settings with Tamper Protection
title: Protect security settings with tamper protection
ms.reviewer:
manager: dansimp
description: Use Tamper Protection to prevent malicious apps from changing important security settings.
keywords: malware, defender, antivirus, Tamper Protection
description: Use tamper protection to prevent malicious apps from changing important security settings.
keywords: malware, defender, antivirus, tamper protection
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
@ -17,7 +17,7 @@ ms.author: deniseb
ms.custom: nextgen
---
# Protect security settings with Tamper Protection
# Protect security settings with tamper protection
**Applies to:**
@ -25,9 +25,9 @@ ms.custom: nextgen
## Overview
During some kinds of cyber attacks, bad actors try to disable security features, such as anti-virus protection, on your machines. They do this to get easier access to your data, to install malware, or to otherwise exploit your data, identity, and devices. Tamper Protection helps prevent this from occurring.
During some kinds of cyber attacks, bad actors try to disable security features, such as anti-virus protection, on your machines. They do this to get easier access to your data, to install malware, or to otherwise exploit your data, identity, and devices. Tamper protection helps prevent this from occurring.
With Tamper Protection, malicious apps are prevented from taking actions like these:
With tamper protection, malicious apps are prevented from taking actions like these:
- Disabling virus and threat protection
- Disabling real-time protection
- Turning off behavior monitoring
@ -35,25 +35,40 @@ With Tamper Protection, malicious apps are prevented from taking actions like th
- Disabling cloud-delivered protection
- Removing security intelligence updates
Tamper protection now integrates with [Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt). Security recommendations include a check to make sure tamper protection is turned on.
![Tamper protection results in security recommendations](../images/securityrecs-tamperprotect.jpg)
In the results, you can select **Turn on Tamper Protection** to learn more and turn it on.
![Turn on tamper protection](images/turnontamperprotection.png)
## How it works
Tamper Protection essentially locks Windows Defender Antivirus and prevents your security settings from being changed through apps and methods like these:
Tamper protection essentially locks Windows Defender Antivirus and prevents your security settings from being changed through apps and methods like these:
- Configuring settings in Registry Editor on your Windows machine
- Changing settings through PowerShell cmdlets
- Editing or removing security settings through group policies
- and so on.
Tamper Protection doesn't prevent you from viewing your security settings. And, Tamper Protection doesn't affect how third-party antivirus apps register with the Windows Security app. If your organization is using Windows 10 Enterprise E5, individual users can't change the Tamper Protection setting; this is managed by your security team.
Tamper protection doesn't prevent you from viewing your security settings. And, tamper protection doesn't affect how third-party antivirus apps register with the Windows Security app. If your organization is using Windows 10 Enterprise E5, individual users can't change the tamper protection setting; this is managed by your security team.
### What do you want to do?
[Turn Tamper Protection on (or off) for an individual machine using Windows Security](#turn-tamper-protection-on-or-off-for-an-individual-machine)
[Turn tamper protection on (or off) for an individual machine using Windows Security](#turn-tamper-protection-on-or-off-for-an-individual-machine)
[Turn Tamper Protection on (or off) for your organization using Intune](#turn-tamper-protection-on-or-off-for-your-organization-using-intune)
[Turn tamper protection on (or off) for your organization using Intune](#turn-tamper-protection-on-or-off-for-your-organization-using-intune)
## Turn Tamper Protection on (or off) for an individual machine
## Turn tamper protection on (or off) for an individual machine
If you are a home user, or you are not subject to settings managed by a security team, you can use the Windows Security app to turn Tamper Protection on or off. You must have appropriate admin permissions on your machine to perform the following task.
> [!NOTE]
> Tamper protection blocks attempts to modify Windows Defender Antivirus settings through the registry.
>
> To help ensure that tamper protection doesnt interfere with third-party security products or enterprise installation scripts that modify these settings, go to **Windows Security** and update **Security intelligence** to version 1.287.60.0 or later. (See [Security intelligence updates](https://www.microsoft.com/wdsi/definitions).)
>
> Once youve made this update, tamper protection will continue to protect your registry settings, and will also log attempts to modify them without returning errors.
If you are a home user, or you are not subject to settings managed by a security team, you can use the Windows Security app to turn tamper protection on or off. You must have appropriate admin permissions on your machine to perform the following task.
1. Click **Start**, and start typing *Defender*. In the search results, select **Windows Security**.
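Review bot: the two new images use different relative paths, `../images/securityrecs-tamperprotect.jpg` and `images/turnontamperprotection.png`; one of them is probably pointing at the wrong directory, so verify both resolve in the build. In the relocated NOTE, `doesnt` and `youve` are missing their apostrophes (`doesn't`, `you've`). Moving the NOTE ahead of the `If you are a home user` paragraph is an improvement, since its content (registry modifications are blocked; update security intelligence to 1.287.60.0 or later so third-party products and install scripts are logged rather than failed) applies to the whole section, not just step 3.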
@ -61,17 +76,31 @@ If you are a home user, or you are not subject to settings managed by a security
3. Set **Tamper Protection** to **On** or **Off**.
> [!NOTE]
> Tamper Protection blocks attempts to modify Windows Defender Antivirus settings through the registry.
>
> To help ensure that Tamper Protection doesnt interfere with third-party security products or enterprise installation scripts that modify these settings, go to **Windows Security** and update **Security intelligence** to version 1.287.60.0 or later. (See [Security intelligence updates](https://www.microsoft.com/wdsi/definitions).)
>
> Once youve made this update, Tamper Protection will continue to protect your registry settings, and will also log attempts to modify them without returning errors.
### Are you using Windows OS 1709?
If you are using Windows OS 1709, you don't have the Windows Security app. In this case, the one of the following procedures to determine whether tamper protection is enabled.
## Turn Tamper Protection on (or off) for your organization using Intune
#### To determine whether tamper protection is turned on by using PowerShell
If you are part of your organization's security team, you can turn Tamper Protection on (or off) for your organization in the Microsoft 365 Device Management portal (Intune). (This feature is rolling out now; if you don't have it yet, you should very soon, assuming your organization has [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md) (Microsoft Defender ATP) and that you meet the prerequisites listed below.)
1. Open the Windows PowerShell app.
2. Use the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/get-mpcomputerstatus?view=win10-ps) PowerShell cmdlet.
3. In the list of results, look for `IsTamperProtected`. (A value of *true* means tamper protection is enabled.)
#### To determine whether tamper protection is turned on by viewing a registry key
1. Open the Registry Editor app.
2. Go to **HKEY_LOCAL_MACHINE** > **SOFTWARE** > **Microsoft** > **Windows Defender** > **Features**.
3. Look for an entry of **TamperProtection** of type **REG_DWORD**, with a value of **0x5**.<br/>
- If you see **TamperProtection** with a value of **0**, tamper protection is not turned on.
- If you do not see **TamperProtection** at all, tamper protection is not turned on.
## Turn tamper protection on (or off) for your organization using Intune
If you are part of your organization's security team, you can turn tamper protection on (or off) for your organization in the Microsoft 365 Device Management portal (Intune). (This feature is rolling out now; if you don't have it yet, you should very soon, assuming your organization has [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md) (Microsoft Defender ATP) and that you meet the prerequisites listed below.)
You must have appropriate [permissions](../microsoft-defender-atp/assign-portal-access.md), such as global admin, security admin, or security operations, to perform the following task.
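Review bot: `In this case, the one of the following procedures to determine whether tamper protection is enabled.` is missing its verb; it should read `In this case, use one of the following procedures to determine whether tamper protection is enabled.` Both new procedures are read-only checks (`Get-MpComputerStatus` / `IsTamperProtected`, and the `TamperProtection` REG_DWORD under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Features), which is the right scope for this section: the earlier NOTE says tamper protection blocks registry modifications to these settings, so it would help to say explicitly that the registry step is to view the value only, and that `0x5` is the expected value when the feature is on.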
@ -79,7 +108,7 @@ You must have appropriate [permissions](../microsoft-defender-atp/assign-portal-
- Your organization must have [Microsoft Defender ATP E5](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp) (this is included in Microsoft 365 E5. See [Microsoft 365 Enterprise overview](https://docs.microsoft.com/microsoft-365/enterprise/microsoft-365-overview) for more details.)
- Your organization's devices must be managed by [Intune](https://docs.microsoft.com/intune/device-management-capabilities).
- Your Windows machines must be running [Windows OS 1903](https://docs.microsoft.com/windows/release-information/status-windows-10-1903) or later.
- Your Windows machines must be running [Windows OS 1709](https://docs.microsoft.com/windows/release-information/status-windows-10-1709) or later.
- You must be using Windows security with [security intelligence](https://www.microsoft.com/wdsi/definitions) updated to version 1.287.60.0 (or above)
- Your machines must be using anti-malware platform version 4.18.1906.3 (or above) and anti-malware engine version 1.1.15500.X (or above). (See [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md).)
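Review bot: The minimum OS prerequisite drops from "Windows OS 1903" to "Windows OS 1709" in this hunk, which is consistent with the FAQ change later in this patch ("Windows 1709 or later" replacing "Windows 1903 May release"), but the anti-malware platform 4.18.1906.3 and engine 1.1.15500.X minimums on the following line are unchanged; consider stating explicitly that those platform and engine versions must also be present on 1709 machines (via the linked "Manage Windows Defender Antivirus updates and apply baselines" page), so readers do not assume 1709 qualifies on its own. Style: the security intelligence bullet ("updated to version 1.287.60.0 (or above)") is the only item in the list without a trailing period.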
@ -90,44 +119,45 @@ You must have appropriate [permissions](../microsoft-defender-atp/assign-portal-
4. Create a profile that includes the following settings:
- **Platform**: Windows 10 and later
- **ProfileType**: Endpoint protection
- **Settings** > Windows Defender Security Center > Tamper Protection
5. Assign the profile to one or more groups.
## Frequently asked questions
### To which Windows OS versions is configuring Tamper Protection is applicable?
### To which Windows OS versions is configuring tamper protection is applicable?
Windows 1903 May release
[Windows 1709](https://docs.microsoft.com/windows/release-information/status-windows-10-1709) or later
### Is configuring Tamper Protection in Intune supported on servers?
### Is configuring tamper protection in Intune supported on servers?
No
### Will Tamper Protection have any impact on third party antivirus registration?
### Will tamper protection have any impact on third party antivirus registration?
No, third-party antivirus will continue to register with the Windows Security application.
### What happens if Microsoft Defender Antivirus is not active on a device?
### What happens if Windows Defender Antivirus is not active on a device?
Tamper Protection will not have any impact on such devices.
Tamper protection will not have any impact on such devices.
### How can I turn Tamper Protection on/off?
### How can I turn tamper protection on/off?
If you are a home user, see [Turn Tamper Protection on (or off) for an individual machine](#turn-tamper-protection-on-or-off-for-an-individual-machine).
If you are a home user, see [Turn tamper protection on (or off) for an individual machine](#turn-tamper-protection-on-or-off-for-an-individual-machine).
If you are an organization using [Microsoft Defender ATP E5](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp), you should be able to manage Tamper Protection in Intune similar to how you manage other endpoint protection features. See [Turn Tamper Protection on (or off) for your organization using Intune](#turn-tamper-protection-on-or-off-for-your-organization-using-intune).
If you are an organization using [Microsoft Defender ATP E5](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp), you should be able to manage tamper protection in Intune similar to how you manage other endpoint protection features. See [Turn tamper protection on (or off) for your organization using Intune](#turn-tamper-protection-on-or-off-for-your-organization-using-intune).
### How does configuring Tamper Protection in Intune affect how I manage Windows Defender Antivirus through my group policy?
### How does configuring tamper protection in Intune affect how I manage Windows Defender Antivirus through my group policy?
Your regular group policy doesnt apply to Tamper Protection, and changes to Windows Defender Antivirus settings will be ignored when Tamper Protection is on.
Your regular group policy doesnt apply to tamper protection, and changes to Windows Defender Antivirus settings will be ignored when tamper protection is on.
>[!NOTE]
>A small delay in Group Policy (GPO) processing may occur if Group Policy settings include values that control Windows Defender Antivirus features protected by Tamper Protection.
To avoid any potential delays, it is recommended to remove settings that control Windows Defender Antivirus related behavior from GPO and simply allow Tamper Protection to protect Windows Defender Antivirus settings. <br><br>
>A small delay in Group Policy (GPO) processing may occur if Group Policy settings include values that control Windows Defender Antivirus features protected by tamper protection. To avoid any potential delays, we recommend that you remove settings that control Windows Defender Antivirus related behavior from GPO and simply allow tamper protection to protect Windows Defender Antivirus settings. <br><br>
> Sample Windows Defender Antivirus settings:<br>
> Turn off Windows Defender Antivirus <br>
> Computer Configuration\Administrative Templates\Windows Components\Windows Defender\
@ -137,31 +167,31 @@ Computer Configuration\Administrative Templates\Windows Components\Windows Defen
Value DisableRealtimeMonitoring = 0
### For Microsoft Defender ATP E5, is configuring Tamper Protection in Intune targeted to the entire organization only?
### For Microsoft Defender ATP E5, is configuring tamper protection in Intune targeted to the entire organization only?
Configuring Tamper Protection in Intune can be targeted to your entire organization as well as to devices and user groups with Intune.
Configuring tamper protection in Intune can be targeted to your entire organization as well as to devices and user groups with Intune.
### Can I configure Tamper Protection in System Center Configuration Manager?
### Can I configure tamper protection in System Center Configuration Manager?
Currently we do not have support to manage Tamper Protection through System Center Configuration Manager.
Currently we do not have support to manage tamper protection through System Center Configuration Manager.
### I have the Windows E3 enrollment. Can I use configuring Tamper Protection in Intune?
### I have the Windows E3 enrollment. Can I use configuring tamper protection in Intune?
Currently, configuring Tamper Protection in Intune is only available for customers who have [Microsoft Defender Advanced Threat Protection E5](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp).
Currently, configuring tamper protection in Intune is only available for customers who have [Microsoft Defender Advanced Threat Protection E5](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp).
### What happens if I try to change Microsoft Defender ATP settings in Intune, System Center Configuration Manager, and Windows Management Instrumentation when Tamper Protection is enabled on a device?
### What happens if I try to change Microsoft Defender ATP settings in Intune, System Center Configuration Manager, and Windows Management Instrumentation when tamper protection is enabled on a device?
You wont be able to change the features that are protected by Tamper Protection; those change requests are ignored.
You wont be able to change the features that are protected by tamper protection; those change requests are ignored.
### Im an enterprise customer. Can local admins change Tamper Protection on their devices?
### Im an enterprise customer. Can local admins change tamper protection on their devices?
No. Local admins cannot change or modify Tamper Protection settings.
No. Local admins cannot change or modify tamper protection settings.
### What happens if my device is onboarded with Microsoft Defender ATP and then goes into an off-boarded state?
In this case, Tamper Protection status changes, and this feature is no longer applied.
In this case, tamper protection status changes, and this feature is no longer applied.
### Will there be an alert about Tamper Protection status changing in the Microsoft Defender Security Center?
### Will there be an alert about tamper protection status changing in the Microsoft Defender Security Center?
Yes. The alert is shown in [https://securitycenter.microsoft.com](https://securitycenter.microsoft.com) under **Alerts**.
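Review bot: The rewritten heading "To which Windows OS versions is configuring tamper protection is applicable?" keeps the doubled "is" from the old line; since the line is being touched anyway, change it to "To which Windows OS versions is configuring tamper protection applicable?". Elsewhere in this hunk: "third party antivirus" in the next heading should be hyphenated as "third-party" to match its own answer; the answers "doesnt apply to tamper protection", "You wont be able to change" and the heading "Im an enterprise customer" are missing apostrophes (if the source uses curly apostrophes that the renderer drops, plain ASCII ones are safer); the heading "What happens if Microsoft Defender Antivirus is not active on a device?" is renamed to "Windows Defender Antivirus" while the later heading about "Microsoft Defender ATP settings" is left as is, so confirm the product-name convention is intentional; and merging the Group Policy note into a single `>` line is a good fix, since the old second line ("To avoid any potential delays ...") lacked the leading `>` and broke out of the blockquote.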
@ -169,7 +199,7 @@ In addition, your security operations team can use hunting queries, such as the
`AlertEvents | where Title == "Tamper Protection bypass"`
### Will there be a group policy setting for Tamper Protection?
### Will there be a group policy setting for tamper protection?
No.
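Review bot: The hunting query literal `Title == "Tamper Protection bypass"` is correctly left capitalized while the surrounding prose is lowercased to "tamper protection"; because `==` is an exact comparison, the string has to match the alert title as it is stored in `AlertEvents`, so add a short sentence before the query noting that the capitalized form is the alert title and should not be changed along with the prose rename, otherwise a future casing pass will silently break the query.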