Merge remote-tracking branch 'origin/master' into atp-updates-improvs

This commit is contained in:
Joey Caparas 2017-11-09 13:23:21 -08:00
commit 194ab5ca39
18 changed files with 207 additions and 80 deletions

View File

@ -32,7 +32,7 @@ Surface Hub doesn't have a lock screen or a screen saver, but it has a similar f
### User sign-in ### User sign-in
Surface Hub is designed to be used in communal spaces, such as meeting rooms. Unlike Windows PCs, anyone can walk up and use a Surface Hub without requiring a user to sign in. To enable this communal functionality, Surface Hub does not support Windows sign-in the same way that Windows 10 Enterprise does (e.g., signing in a user to the OS and using those crednetials throughout the OS). Instead, there is always a local, auto signed-in, low-privilege user signed in to the Surface Hub. It doesn't support signing in any additional users, including admin users (e.g., when an admin signs in, they are not signed in to the OS). Surface Hub is designed to be used in communal spaces, such as meeting rooms. Unlike Windows PCs, anyone can walk up and use a Surface Hub without requiring a user to sign in. To enable this communal functionality, Surface Hub does not support Windows sign-in the same way that Windows 10 Enterprise does (e.g., signing in a user to the OS and using those credentials throughout the OS). Instead, there is always a local, auto signed-in, low-privilege user signed in to the Surface Hub. It doesn't support signing in any additional users, including admin users (e.g., when an admin signs in, they are not signed in to the OS).
Users can sign in to a Surface Hub, but they will not be signed in to the OS. For example, when a user signs in to Apps or My Meetings and Files, the users is signed in only to the apps or services, not to the OS. As a result, the signed-in user is able to retrieve their cloud files and personal meetings stored in the cloud, and these credentials are discarded when **End session** is activated. Users can sign in to a Surface Hub, but they will not be signed in to the OS. For example, when a user signs in to Apps or My Meetings and Files, the users is signed in only to the apps or services, not to the OS. As a result, the signed-in user is able to retrieve their cloud files and personal meetings stored in the cloud, and these credentials are discarded when **End session** is activated.
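Review bot: The context line under "User sign-in" still reads "the users is signed in only to the apps or services", in both the old and new text. Since this hunk is already a typo pass (crednetials to credentials), change it to "the user is signed in" in the same commit.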
@ -168,4 +168,4 @@ Users can sign in to Microsoft Edge to access intranet sites and online resource
The Surface Hub OS uses the Windows 10 Connected User Experience and Telemetry component to gather and transmit telemetry data. For more information, see [Configure Windows telemetry in your organization](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization). The Surface Hub OS uses the Windows 10 Connected User Experience and Telemetry component to gather and transmit telemetry data. For more information, see [Configure Windows telemetry in your organization](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization).
*Organization policies that this may affect:* <br> Configure telemetry levels for Surface Hub in the same way as you do for Windows 10 Enterprise. *Organization policies that this may affect:* <br> Configure telemetry levels for Surface Hub in the same way as you do for Windows 10 Enterprise.

View File

@ -68,7 +68,7 @@ Surface Hub interacts with a few different products and services. Depending on t
A device account is an Exchange resource account that Surface Hub uses to display its meeting calendar, join Skype for Business calls, send email, and (optionally) to authenticate to Exchange. See [Create and test a device account](create-and-test-a-device-account-surface-hub.md) for details. A device account is an Exchange resource account that Surface Hub uses to display its meeting calendar, join Skype for Business calls, send email, and (optionally) to authenticate to Exchange. See [Create and test a device account](create-and-test-a-device-account-surface-hub.md) for details.
After you've created your device account, to verify that it's setup correctly, run Surface Hub device account validation PowerShell scripts. For more information, see [Surface Hub device account scripts](https://gallery.technet.microsoft.com/scriptcenter/Surface-Hub-device-account-6db77696) in Script Center, or [PowerShell scripts for Surface Hub](appendix-a-powershell-scripts-for-surface-hub.md) later in this guide. After you've created your device account, to verify that it's setup correctly, run Surface Hub device account validation PowerShell scripts. For more information, see [PowerShell scripts for Surface Hub](appendix-a-powershell-scripts-for-surface-hub.md) later in this guide.
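Review bot: The edited sentence keeps "to verify that it's setup correctly", which should be "set up" (verb form). With the Script Center link removed, the appendix is now the only pointer to the validation scripts, so confirm that appendix-a-powershell-scripts-for-surface-hub.md carries the complete scripts rather than linking back to the gallery page this change drops.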
@ -118,6 +118,7 @@ When you go through the first-run program for your Surface Hub, there's some inf
## More information ## More information
- [Surface Hub and the Skype for Business Trusted Domain List](https://blogs.technet.microsoft.com/y0av/2017/10/25/95/) - [Surface Hub and the Skype for Business Trusted Domain List](https://blogs.technet.microsoft.com/y0av/2017/10/25/95/)
- [Surface Hub in a Multi-Domain Environment](https://blogs.technet.microsoft.com/y0av/2017/11/08/11/)
   

View File

@ -20,6 +20,8 @@ This topic lists new and updated topics in the [Windows 10 for Education](index.
| New or changed topic | Description | | New or changed topic | Description |
| --- | ---- | | --- | ---- |
| [Test Windows 10 S on existing Windows 10 education devices](test-windows10s-for-edu.md) | Updated the the list of device manufacturers. | | [Test Windows 10 S on existing Windows 10 education devices](test-windows10s-for-edu.md) | Updated the the list of device manufacturers. |
| [Set up Take a Test on multiple PCs](take-a-test-multiple-pcs.md) | Updated instances of the parameter enablePrint, or enablePrinting, to requirePrinting. |
| [Set up Take a Test on a single PC](take-a-test-single-pc.md) | Updated instances of the parameter enablePrint, or enablePrinting, to requirePrinting. |
## RELEASE: Windows 10, version 1709 (Fall Creators Update) ## RELEASE: Windows 10, version 1709 (Fall Creators Update)
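Review bot: The row just above the two added ones still says "Updated the the list of device manufacturers"; drop the duplicated word while this table is being touched. In the added rows, put the parameter names in code formatting (`enablePrint`, `enablePrinting`, `requirePrinting`) as the Take a Test topics do, so readers searching for the literal string find this entry.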

View File

@ -233,9 +233,9 @@ One of the ways you can present content in a locked down manner is by embedding
2. To enable printing, screen capture, or both, use the above link and append one of these parameters: 2. To enable printing, screen capture, or both, use the above link and append one of these parameters:
- `&enableTextSuggestions` - Enables text suggestions - `&enableTextSuggestions` - Enables text suggestions
- `&enablePrint` - Enables printing - `&requirePrinting` - Enables printing
- `&enableScreenCapture` - Enables screen capture - `&enableScreenCapture` - Enables screen capture
- `&enablePrinting&enableScreenCapture` - Enables printing and screen capture; you can use a combination of `&enableTextSuggestions`, `&enablePrint`, and `&enableScreenCapture` if you want to enable more than one capability. - `&requirePrinting&enableScreenCapture` - Enables printing and screen capture; you can use a combination of `&enableTextSuggestions`, `&requirePrinting`, and `&enableScreenCapture` if you want to enable more than one capability.
If you exclude these parameters, the default behavior is disabled. If you exclude these parameters, the default behavior is disabled.
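Review bot: The renamed bullet reads "`&requirePrinting` - Enables printing", so the description no longer matches what the parameter name implies. For a locked-down assessment an admin needs to know whether this parameter merely allows printing or makes it a requirement for the test to launch; state that in the bullet. The step text "To enable printing, screen capture, or both" also omits text suggestions, although `&enableTextSuggestions` is the first item in the list.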

View File

@ -97,9 +97,9 @@ One of the ways you can present content in a locked down manner is by embedding
2. To enable printing, screen capture, or both, use the above link and append one of these parameters: 2. To enable printing, screen capture, or both, use the above link and append one of these parameters:
- `&enableTextSuggestions` - Enables text suggestions - `&enableTextSuggestions` - Enables text suggestions
- `&enablePrint` - Enables printing - `&requirePrinting` - Enables printing
- `&enableScreenCapture` - Enables screen capture - `&enableScreenCapture` - Enables screen capture
- `&enablePrinting&enableScreenCapture` - Enables printing and screen capture; you can use a combination of `&enableTextSuggestions`, `&enablePrint`, and `&enableScreenCapture` if you want to enable more than one capability. - `&requirePrinting&enableScreenCapture` - Enables printing and screen capture; you can use a combination of `&enableTextSuggestions`, `&requirePrinting`, and `&enableScreenCapture` if you want to enable more than one capability.
If you exclude these parameters, the default behavior is disabled. If you exclude these parameters, the default behavior is disabled.
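Review bot: The closing line "If you exclude these parameters, the default behavior is disabled" is ambiguous about what is disabled. Suggest "If you omit these parameters, text suggestions, printing, and screen capture are disabled", which makes the secure default explicit. This list is a verbatim copy of the one in the multiple-PCs topic, which is how `enablePrint` and `enablePrinting` drifted apart in the first place, so consider moving it to a shared include.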

View File

@ -65,22 +65,22 @@ In the following example, the **Id** can be any generated GUID and the **Name**
<Type xmlns="syncml:metinf">text/plain</Type> <Type xmlns="syncml:metinf">text/plain</Type>
</Meta> </Meta>
<Data> <Data>
&lt;RuleCollection Type="Appx" EnforcementMode="Enabled"&gt; &lt;RuleCollection Type="Appx" EnforcementMode="Enabled"&gt;
&lt;FilePublisherRule Id="a9e18c21-ff8f-43cf-b9fc-db40eed693ba" Name="(Default Rule) All signed packaged apps" Description="Allows members of the Everyone group to run packaged apps that are signed." UserOrGroupSid="S-1-1-0" Action="Allow"&gt; &lt;FilePublisherRule Id="a9e18c21-ff8f-43cf-b9fc-db40eed693ba" Name="(Default Rule) All signed packaged apps" Description="Allows members of the Everyone group to run packaged apps that are signed." UserOrGroupSid="S-1-1-0" Action="Allow"&gt;
&lt;Conditions&gt; &lt;Conditions&gt;
&lt;FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*"&gt; &lt;FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*"&gt;
&lt;BinaryVersionRange LowSection="0.0.0.0" HighSection="*" /&gt; &lt;BinaryVersionRange LowSection="0.0.0.0" HighSection="*" /&gt;
&lt;/FilePublisherCondition&gt; &lt;/FilePublisherCondition&gt;
&lt;/Conditions&gt; &lt;/Conditions&gt;
&lt;/FilePublisherRule&gt; &lt;/FilePublisherRule&gt;
&lt;FilePublisherRule Id="d26da4e7-0b01-484d-a8d3-d5b5341b2d55" Name="Block Mixed Reality Portal" Description="" UserOrGroupSid="S-1-1-0" Action="Deny"&gt; &lt;FilePublisherRule Id="d26da4e7-0b01-484d-a8d3-d5b5341b2d55" Name="Block Mixed Reality Portal" Description="" UserOrGroupSid="S-1-1-0" Action="Deny"&gt;
&lt;Conditions&gt; &lt;Conditions&gt;
&lt;FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.Windows.HolographicFirstRun" BinaryName="*"&gt; &lt;FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.Windows.HolographicFirstRun" BinaryName="*"&gt;
&lt;BinaryVersionRange LowSection="*" HighSection="*" /&gt; &lt;BinaryVersionRange LowSection="*" HighSection="*" /&gt;
&lt;/FilePublisherCondition&gt; &lt;/FilePublisherCondition&gt;
&lt;/Conditions&gt; &lt;/Conditions&gt;
&lt;/FilePublisherRule&gt; &lt;/FilePublisherRule&gt;
&lt;/RuleCollection&gt;&gt; &lt;/RuleCollection&gt;&gt;
</Data> </Data>
</Item> </Item>
</Add> </Add>
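Review bot: The closing line of the escaped policy is still `&lt;/RuleCollection&gt;&gt;`, with a second `&gt;` on both sides of the diff. Once unescaped this yields `</RuleCollection>>`, leaving a stray character after the rule collection in the payload that admins will copy; change it to `&lt;/RuleCollection&gt;`.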

View File

@ -876,29 +876,28 @@ The following example disables the Mixed Reality Portal. In the example, the **I
<Type xmlns="syncml:metinf">text/plain</Type> <Type xmlns="syncml:metinf">text/plain</Type>
</Meta> </Meta>
<Data> <Data>
&lt;RuleCollection Type="Appx" EnforcementMode="Enabled"&gt; &lt;RuleCollection Type="Appx" EnforcementMode="Enabled"&gt;
&lt;FilePublisherRule Id="a9e18c21-ff8f-43cf-b9fc-db40eed693ba" Name="(Default Rule) All signed packaged apps" Description="Allows members of the Everyone group to run packaged apps that are signed." UserOrGroupSid="S-1-1-0" Action="Allow"&gt; &lt;FilePublisherRule Id="a9e18c21-ff8f-43cf-b9fc-db40eed693ba" Name="(Default Rule) All signed packaged apps" Description="Allows members of the Everyone group to run packaged apps that are signed." UserOrGroupSid="S-1-1-0" Action="Allow"&gt;
&lt;Conditions&gt; &lt;Conditions&gt;
&lt;FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*"&gt; &lt;FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*"&gt;
&lt;BinaryVersionRange LowSection="0.0.0.0" HighSection="*" /&gt; &lt;BinaryVersionRange LowSection="0.0.0.0" HighSection="*" /&gt;
&lt;/FilePublisherCondition&gt; &lt;/FilePublisherCondition&gt;
&lt;/Conditions&gt; &lt;/Conditions&gt;
&lt;/FilePublisherRule&gt; &lt;/FilePublisherRule&gt;
&lt;FilePublisherRule Id="d26da4e7-0b01-484d-a8d3-d5b5341b2d55" Name="Block Mixed Reality Portal" Description="" UserOrGroupSid="S-1-1-0" Action="Deny"&gt; &lt;FilePublisherRule Id="d26da4e7-0b01-484d-a8d3-d5b5341b2d55" Name="Block Mixed Reality Portal" Description="" UserOrGroupSid="S-1-1-0" Action="Deny"&gt;
&lt;Conditions&gt; &lt;Conditions&gt;
&lt;FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.Windows.HolographicFirstRun" BinaryName="*"&gt; &lt;FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.Windows.HolographicFirstRun" BinaryName="*"&gt;
&lt;BinaryVersionRange LowSection="*" HighSection="*" /&gt; &lt;BinaryVersionRange LowSection="*" HighSection="*" /&gt;
&lt;/FilePublisherCondition&gt; &lt;/FilePublisherCondition&gt;
&lt;/Conditions&gt; &lt;/Conditions&gt;
&lt;/FilePublisherRule&gt; &lt;/FilePublisherRule&gt;
&lt;/RuleCollection&gt;&gt; &lt;/RuleCollection&gt;&gt;
</Data> </Data>
</Item> </Item>
</Add> </Add>
<Final/> <Final/>
</SyncBody> </SyncBody>
</SyncML> </SyncML>
``` ```
The following example for Windows 10 Mobile denies all apps and allows the following apps: The following example for Windows 10 Mobile denies all apps and allows the following apps:
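Review bot: The "Block Mixed Reality Portal" rule carries `Description=""`, while the default allow rule beside it documents its intent. Fill in a short description (for example, that it denies Microsoft.Windows.HolographicFirstRun for Everyone) so the rule is self-explanatory when it shows up in an exported policy or an audit.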

View File

@ -373,7 +373,7 @@ Figure 9. The Windows 10 desktop with the Resume Task Sequence shortcut.
When using MDT, you don't need to edit the Unattend.xml file very often because most configurations are taken care of by MDT. However if, for example, you want to configure Internet Explorer 11 behavior, then you can edit the Unattend.xml for this. Editing the Unattend.xml for basic Internet Explorer settings is easy, but for more advanced settings, you will want to use Internet Explorer Administration Kit (IEAK). When using MDT, you don't need to edit the Unattend.xml file very often because most configurations are taken care of by MDT. However if, for example, you want to configure Internet Explorer 11 behavior, then you can edit the Unattend.xml for this. Editing the Unattend.xml for basic Internet Explorer settings is easy, but for more advanced settings, you will want to use Internet Explorer Administration Kit (IEAK).
>[!WARNING] >[!WARNING]
>Do not use **SkipMachineOOBE** or **SkipUserOOBE** in your Unattend.xml >Do not use **SkipMachineOOBE** or **SkipUserOOBE** in your Unattend.xml file. These settings are deprecated and can have unintended effects if used.
>[!NOTE]   >[!NOTE]  
>You also can use the Unattend.xml to enable components in Windows 10, like the Telnet Client or Hyper-V client. Normally we prefer to do this via the **Install Roles and Features** action, or using Deployment Image Servicing and Management (DISM) command-line tools, because then we can add that as an application, being dynamic, having conditions, and so forth. Also, if you are adding packages via Unattend.xml, it is version specific, so Unattend.xml must match the exact version of the operating system you are servicing. >You also can use the Unattend.xml to enable components in Windows 10, like the Telnet Client or Hyper-V client. Normally we prefer to do this via the **Install Roles and Features** action, or using Deployment Image Servicing and Management (DISM) command-line tools, because then we can add that as an application, being dynamic, having conditions, and so forth. Also, if you are adding packages via Unattend.xml, it is version specific, so Unattend.xml must match the exact version of the operating system you are servicing.
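Review bot: The completed warning says SkipMachineOOBE and SkipUserOOBE "can have unintended effects if used" without naming any. Say what goes wrong, or link to the setting reference, and point to the supported alternative, so readers who already have these settings in an Unattend.xml know what to check and what to replace them with.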
@ -469,8 +469,8 @@ For that reason, add only a minimal set of rules to Bootstrap.ini, such as which
2. ISO file name: MDT Build Lab x64.iso 2. ISO file name: MDT Build Lab x64.iso
8. Click **OK**. 8. Click **OK**.
**Note**   >[!NOTE]  
In MDT, the x86 boot image can deploy both x86 and x64 operating systems (except on computers based on Unified Extensible Firmware Interface). >In MDT, the x86 boot image can deploy both x86 and x64 operating systems (except on computers based on Unified Extensible Firmware Interface).
   
### Update the deployment share ### Update the deployment share
@ -480,8 +480,8 @@ After the deployment share has been configured, it needs to be updated. This is
1. Using the Deployment Workbench, right-click the **MDT Build Lab deployment share** and select **Update Deployment Share**. 1. Using the Deployment Workbench, right-click the **MDT Build Lab deployment share** and select **Update Deployment Share**.
2. Use the default options for the Update Deployment Share Wizard. 2. Use the default options for the Update Deployment Share Wizard.
**Note**   >[!NOTE]  
The update process will take 5 to 10 minutes. >The update process will take 5 to 10 minutes.
   
### The rules explained ### The rules explained
@ -491,8 +491,8 @@ The Bootstrap.ini and CustomSettings.ini files work together. The Bootstrap.ini
The CustomSettings.ini file is normally stored on the server, in the Deployment share\\Control folder, but also can be stored on the media (when using offline media). The CustomSettings.ini file is normally stored on the server, in the Deployment share\\Control folder, but also can be stored on the media (when using offline media).
**Note**   >[!NOTE]  
The settings, or properties, that are used in the rules (CustomSettings.ini and Bootstrap.ini) are listed in the MDT documentation, in the Microsoft Deployment Toolkit Reference / Properties / Property Definition section. >The settings, or properties, that are used in the rules (CustomSettings.ini and Bootstrap.ini) are listed in the MDT documentation, in the Microsoft Deployment Toolkit Reference / Properties / Property Definition section.
   
### The Bootstrap.ini file ### The Bootstrap.ini file
@ -519,8 +519,8 @@ So, what are these settings?
   
- **SkipBDDWelcome.** Even if it is nice to be welcomed every time we start a deployment, we prefer to skip the initial welcome page of the Windows Deployment Wizard. - **SkipBDDWelcome.** Even if it is nice to be welcomed every time we start a deployment, we prefer to skip the initial welcome page of the Windows Deployment Wizard.
**Note**   >[!NOTE]  
All properties beginning with "Skip" control only whether to display that pane in the Windows Deployment Wizard. Most of the panes also require you to actually set one or more values. >All properties beginning with "Skip" control only whether to display that pane in the Windows Deployment Wizard. Most of the panes also require you to actually set one or more values.
   
### The CustomSettings.ini file ### The CustomSettings.ini file

View File

@ -17,7 +17,7 @@ This topic provides information on additional features that are available in Upg
The site discovery feature in Upgrade Readiness provides an inventory of web sites that are accessed by client computers using Internet Explorer on Windows 7, Windows 8.1, and Windows 10. Site discovery does not include sites that are accessed using other Web browsers, such as Microsoft Edge. Site inventory information is provided as optional data related to upgrading to Windows 10 and Internet Explorer 11, and is meant to help prioritize compatibility testing for web applications. You can make more informed decisions about testing based on usage data. The site discovery feature in Upgrade Readiness provides an inventory of web sites that are accessed by client computers using Internet Explorer on Windows 7, Windows 8.1, and Windows 10. Site discovery does not include sites that are accessed using other Web browsers, such as Microsoft Edge. Site inventory information is provided as optional data related to upgrading to Windows 10 and Internet Explorer 11, and is meant to help prioritize compatibility testing for web applications. You can make more informed decisions about testing based on usage data.
> [!NOTE] > [!NOTE]
> Site discovery data is disabled by default; you can find documentation on what is collected in the [Windows 7, Windows 8, and Windows 8.1 appraiser telemetry events and fields](https://go.microsoft.com/fwlink/?LinkID=822965). After you turn on this feature, data is collected on all sites visited by Internet Explorer, except during InPrivate sessions. In addition, the data collection process is silent, without notification to the employee. You are responsible for ensuring that your use of this feature complies with all applicable local laws and regulatory requirements, including any requirements to provide notice to employees. > Site discovery data is disabled by default; you can find documentation on what is collected in the [Windows 7, Windows 8, and Windows 8.1 appraiser telemetry events and fields](https://go.microsoft.com/fwlink/?LinkID=822965). After you turn on this feature, data is collected on all sites visited by Internet Explorer, except during InPrivate sessions. In addition, data will be collected on all sites visited by Microsoft Edge on computers running Windows 10 version 1803 (including Insider Preview builds) or newer. The data collection process is silent, without notification to the employee. You are responsible for ensuring that your use of this feature complies with all applicable local laws and regulatory requirements, including any requirements to provide notice to employees.
### Install prerequisite security update for Internet Explorer ### Install prerequisite security update for Internet Explorer
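Review bot: The added sentence in the note says data is collected for sites visited by Microsoft Edge on Windows 10 version 1803 or newer, but the unchanged paragraph directly above still states "Site discovery does not include sites that are accessed using other Web browsers, such as Microsoft Edge." Update that paragraph in the same change. Because the note is what organizations rely on for employee-notice obligations, the scope of collection has to read the same in both places.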

View File

@ -57,6 +57,7 @@ See [Windows 7, Windows 8, and Windows 8.1 appraiser telemetry events and fields
`https://v10.vortex-win.data.microsoft.com/collect/v1`<BR> `https://v10.vortex-win.data.microsoft.com/collect/v1`<BR>
`https://vortex-win.data.microsoft.com/health/keepalive`<BR> `https://vortex-win.data.microsoft.com/health/keepalive`<BR>
`https://settings.data.microsoft.com/qos`<BR> `https://settings.data.microsoft.com/qos`<BR>
`https://settings-win.data.microsoft.com/qos`<BR>
`https://go.microsoft.com/fwlink/?LinkID=544713`<BR> `https://go.microsoft.com/fwlink/?LinkID=544713`<BR>
`https://compatexchange1.trafficmanager.net/CompatibilityExchangeService.svc`<BR> `https://compatexchange1.trafficmanager.net/CompatibilityExchangeService.svc`<BR>
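Review bot: `https://settings-win.data.microsoft.com/qos` is added next to `https://settings.data.microsoft.com/qos` with no indication of which clients use which host. Admins build proxy and firewall allowlists from this list, so note whether both are required or which OS versions need each one.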

View File

@ -73,6 +73,7 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you
|Matt Nelson | @enigma0x3| |Matt Nelson | @enigma0x3|
|Oddvar Moe |@Oddvarmoe| |Oddvar Moe |@Oddvarmoe|
|Alex Ionescu | @aionescu| |Alex Ionescu | @aionescu|
|Lee Christensen|@tifkin_|
<br /> <br />
@ -134,6 +135,7 @@ Microsoft recommends that you block the following Microsoft-signed applications
<Deny ID="ID_DENY_FSI_ANYCPU" FriendlyName="fsiAnyCpu.exe" FileName="fsiAnyCpu.exe" MinimumFileVersion = "65535.65535.65535.65535" /> <Deny ID="ID_DENY_FSI_ANYCPU" FriendlyName="fsiAnyCpu.exe" FileName="fsiAnyCpu.exe" MinimumFileVersion = "65535.65535.65535.65535" />
<Deny ID="ID_DENY_MSHTA" FriendlyName="mshta.exe" FileName="mshta.exe" MinimumFileVersion = "65535.65535.65535.65535" /> <Deny ID="ID_DENY_MSHTA" FriendlyName="mshta.exe" FileName="mshta.exe" MinimumFileVersion = "65535.65535.65535.65535" />
<Deny ID="ID_DENY_VISUALUIAVERIFY" FriendlyName="visualuiaverifynative.exe" FileName="visualuiaverifynative.exe" MinimumFileVersion = "65535.65535.65535.65535" /> <Deny ID="ID_DENY_VISUALUIAVERIFY" FriendlyName="visualuiaverifynative.exe" FileName="visualuiaverifynative.exe" MinimumFileVersion = "65535.65535.65535.65535" />
<Deny ID="ID_DENY_RUNSCRIPTHELPER" FriendlyName="runscripthelper.exe" FileName="runscripthelper.exe" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_D_1" FriendlyName="Powershell 1" Hash="02BE82F63EE962BCD4B8303E60F806F6613759C6" /> <Deny ID="ID_DENY_D_1" FriendlyName="Powershell 1" Hash="02BE82F63EE962BCD4B8303E60F806F6613759C6" />
<Deny ID="ID_DENY_D_2" FriendlyName="Powershell 2" Hash="13765D9A16CC46B2113766822627F026A68431DF" /> <Deny ID="ID_DENY_D_2" FriendlyName="Powershell 2" Hash="13765D9A16CC46B2113766822627F026A68431DF" />
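Review bot: The new runscripthelper.exe rule writes `MinimumFileVersion="65535.65535.65535.65535"` while every neighbouring Deny rule uses `MinimumFileVersion = "..."` with spaces around the equals sign. Both parse the same, but this block is meant to be copied into a policy file, so match the surrounding style to keep later diffs clean.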
@ -418,6 +420,7 @@ Microsoft recommends that you block the following Microsoft-signed applications
<FileRuleRef RuleID="ID_DENY_FSI_ANYCPU" /> <FileRuleRef RuleID="ID_DENY_FSI_ANYCPU" />
<FileRuleRef RuleID="ID_DENY_MSHTA" /> <FileRuleRef RuleID="ID_DENY_MSHTA" />
<FileRuleRef RuleID="ID_DENY_VISUALUIAVERIFY" /> <FileRuleRef RuleID="ID_DENY_VISUALUIAVERIFY" />
<FileRuleRef RuleID="ID_DENY_RUNSCRIPTHELPER"/>
<FileRuleRef RuleID="ID_DENY_D_1" /> <FileRuleRef RuleID="ID_DENY_D_1" />
<FileRuleRef RuleID="ID_DENY_D_2" /> <FileRuleRef RuleID="ID_DENY_D_2" />
<FileRuleRef RuleID="ID_DENY_D_3" /> <FileRuleRef RuleID="ID_DENY_D_3" />

View File

@ -606,9 +606,9 @@ Here are the minimum steps for WEF to operate:
<Query Id="7" Path="Microsoft-Windows-DNS-Client/Operational"> <Query Id="7" Path="Microsoft-Windows-DNS-Client/Operational">
<!-- DNS Client events Query Completed (3008) --> <!-- DNS Client events Query Completed (3008) -->
<Select Path="Microsoft-Windows-DNS-Client/Operational">*[System[(EventID=3008)]]</Select> <Select Path="Microsoft-Windows-DNS-Client/Operational">*[System[(EventID=3008)]]</Select>
<!—suppresses local machine name resolution events--> <!-- suppresses local machine name resolution events -->
<Suppress Path="Microsoft-Windows-DNS-Client/Operational">*[EventData[Data[@Name="QueryOptions"]="140737488355328"]]</Suppress> <Suppress Path="Microsoft-Windows-DNS-Client/Operational">*[EventData[Data[@Name="QueryOptions"]="140737488355328"]]</Suppress>
<!—suppresses empty name resolution events --> <!-- suppresses empty name resolution events -->
<Suppress Path="Microsoft-Windows-DNS-Client/Operational">*[EventData[Data[@Name="QueryResults"]=""]]</Suppress> <Suppress Path="Microsoft-Windows-DNS-Client/Operational">*[EventData[Data[@Name="QueryResults"]=""]]</Suppress>
</Query> </Query>
<Query Id="8" Path="Security"> <Query Id="8" Path="Security">
@ -636,7 +636,7 @@ Here are the minimum steps for WEF to operate:
<Select Path="Microsoft-Windows-DriverFrameworks-UserMode/Operational">*[System[(EventID=2004)]]</Select> <Select Path="Microsoft-Windows-DriverFrameworks-UserMode/Operational">*[System[(EventID=2004)]]</Select>
</Query> </Query>
<Query Id="14" Path=" Windows PowerShell"> <Query Id="14" Path=" Windows PowerShell">
<!—Legacy PowerShell pipeline execution details (800) --> <!-- Legacy PowerShell pipeline execution details (800) -->
<Select Path=" Windows PowerShell">*[System[(EventID=800)]]</Select> <Select Path=" Windows PowerShell">*[System[(EventID=800)]]</Select>
</Query> </Query>
</QueryList> </QueryList>
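Review bot: Query 14 still has a leading space inside the channel name, `Path=" Windows PowerShell"`, on both the Query and the Select element. The comment fix in this hunk makes the XML well-formed, but a channel path with a leading space is unlikely to match the Windows PowerShell log, so event 800 may never be forwarded. Change both attributes to `Path="Windows PowerShell"`.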
@ -650,4 +650,4 @@ You can get more info with the following links:
- [Event Query Schema](http://msdn.microsoft.com/library/aa385760.aspx) - [Event Query Schema](http://msdn.microsoft.com/library/aa385760.aspx)
- [Windows Event Collector](http://msdn.microsoft.com/library/windows/desktop/bb427443.aspx) - [Windows Event Collector](http://msdn.microsoft.com/library/windows/desktop/bb427443.aspx)
Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub://?referrer=techDocsUcPage&tabid=2&contextid=897&newFeedback=true&topic=use-windows-event-forwarding-to-assist-in-instrusion-detection.md). Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub://?referrer=techDocsUcPage&tabid=2&contextid=897&newFeedback=true&topic=use-windows-event-forwarding-to-assist-in-instrusion-detection.md).

View File

@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium ms.localizationpriority: medium
author: iaanw author: iaanw
ms.author: iawilt ms.author: iawilt
ms.date: 06/13/2017 ms.date: 10/30/2017
--- ---
# Configure and validate exclusions based on file extension and folder location # Configure and validate exclusions based on file extension and folder location
@ -38,6 +38,11 @@ ms.date: 06/13/2017
You can exclude certain files from being scanned by Windows Defender AV by modifying exclusion lists. You can exclude certain files from being scanned by Windows Defender AV by modifying exclusion lists.
Generally, you shouldn't need to apply exclusions. Windows Defender AV includes a number of automatic exclusions based on known operating system behaviors and typical management files, such as those used in enterprise management, database management, and other enterprise scenarios and situations.
>[!TIP]
>The default antimalware policy we deploy at Microsoft doesn't set any exclusions by default.
This topic describes how to configure exclusion lists for the following: This topic describes how to configure exclusion lists for the following:
Exclusion | Examples | Exclusion list Exclusion | Examples | Exclusion list
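Review bot: The added tip says "The default antimalware policy we deploy at Microsoft doesn't set any exclusions by default", which uses "default" twice; drop the trailing "by default". The preceding new paragraph says exclusions are generally unnecessary but not why that matters; one clause stating that excluded items are not scanned would give the recommendation its reason.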
@ -48,20 +53,29 @@ A specific file in a specific folder | The file c:\sample\sample.test only | Fil
A specific process | The executable file c:\test\process.exe | File and folder exclusions A specific process | The executable file c:\test\process.exe | File and folder exclusions
This means the exclusion lists have the following characteristics: This means the exclusion lists have the following characteristics:
- Folder exclusions will apply to all files and folders under that folder. - Folder exclusions will apply to all files and folders under that folder, unless the subfolder is a reparse point. Reparse point subfolders must be excluded separately.
- File extensions will apply to any file name with the defined extension, regardless of where the file is located. - File extensions will apply to any file name with the defined extension if a path or folder is not defined.
>[!IMPORTANT]
>The use of wildcards such as the asterisk (\*) will alter how the exclusion rules are interpreted. See the [Use wildcards in the file name and folder path or extension exclusion lists](#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists) section for important information about how wildcards work.
>
>You cannot exclude mapped network drives. You must specify the actual network path.
>
>Folders that are reparse points that are created after the Windows Defender AV service starts and that have been added to the exclusion list will not be included. You must restart the service (by restarting Windows) for new reparse points to be recognized as a valid exclusion target.
To exclude files opened by a specific process, see the [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md) topic. To exclude files opened by a specific process, see the [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md) topic.
The exclusions apply to [scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md), [on-demand scans](run-scan-windows-defender-antivirus.md), and [always-on real-time protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md). The exclusions apply to [scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md), [on-demand scans](run-scan-windows-defender-antivirus.md), and [real-time protection](configure-real-time-protection-windows-defender-antivirus.md).
Changes made via Group Policy to the exclusion lists **will show** in the lists in the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions). However, changes made in the Windows Defender Security Center app **will not show** in the Group Policy lists. >[!IMPORTANT]
>Changes made via Group Policy to the exclusion lists **will show** in the lists in the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions).
>
>Changes made in the Windows Defender Security Center app **will not show** in the Group Policy lists.
You can add, remove, and review the lists for exclusions in [Group Policy](#gp), [System Center Configuration Manager, Microsoft Intune, and with the Windows Defender Security Center app](#man-tools), and you can [use wildcards](#wildcards) to further customize the lists.
You can also [use PowerShell cmdlets and WMI to configure the exclusion lists](#ps), including [reviewing](#review) and [validating](#validate) your lists.
By default, local changes made to the lists (by users with administrator privileges; this includes changes made with PowerShell and WMI) will be merged with the lists as defined (and deployed) by Group Policy, Configuration Manager, or Intune. The Group Policy lists will take precedence in the case of conflicts. By default, local changes made to the lists (by users with administrator privileges; this includes changes made with PowerShell and WMI) will be merged with the lists as defined (and deployed) by Group Policy, Configuration Manager, or Intune. The Group Policy lists will take precedence in the case of conflicts.
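Review bot: The added note about reparse points is ambiguous where it says the folders "will not be included", since that can be read as "will not be scanned" or as "will not be honoured as exclusions". Suggest stating the outcome directly, for example that such folders are not treated as exclusion targets until the service restarts, if that is the intended meaning. The sentence before it could also show the network path form that replaces a mapped drive.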
@ -79,7 +93,7 @@ You can [configure how locally and globally defined exclusions lists are merged]
**Use Group Policy to configure folder or file extension exclusions:** **Use Group Policy to configure folder or file extension exclusions:**
>[!NOTE] >[!NOTE]
>If you include a fully qualified path to a file, then only that file will be excluded. If a folder is defined in the exclusion, then all files and subdirectories under that folder will be excluded. >If you specify a fully qualified path to a file, then only that file will be excluded. If a folder is defined in the exclusion, then all files and subdirectories under that folder will be excluded.
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. 1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
@ -94,7 +108,7 @@ You can [configure how locally and globally defined exclusions lists are merged]
1. Set the option to **Enabled**. 1. Set the option to **Enabled**.
2. Under the **Options** section, click **Show...** 2. Under the **Options** section, click **Show...**
3. Enter each folder on its own line under the **Value name** column. If you are entering a file, ensure you enter a fully qualified path to the file, including the drive letter, folder path, filename, and extension. Enter **0** in the **Value** column for all processes. 3. Enter each folder on its own line under the **Value name** column. If you are entering a file, ensure you enter a fully qualified path to the file, including the drive letter, folder path, filename, and extension. Enter **0** in the **Value** column.
7. Click **OK**. 7. Click **OK**.
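Review bot: Step 3 still tells the reader to enter **0** in the **Value** column without saying what the value means or whether any other value is accepted. Dropping "for all processes" removes the misleading qualifier but leaves the instruction with no rationale. Suggest adding a short clause that states what **0** signifies for folder and file exclusions.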
@ -104,7 +118,7 @@ You can [configure how locally and globally defined exclusions lists are merged]
1. Set the option to **Enabled**. 1. Set the option to **Enabled**.
2. Under the **Options** section, click **Show...** 2. Under the **Options** section, click **Show...**
3. Enter each file extension on its own line under the **Value name** column. Enter **0** in the **Value** column for all processes. 3. Enter each file extension on its own line under the **Value name** column. Enter **0** in the **Value** column.
9. Click **OK**. 9. Click **OK**.
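Review bot: Step 3 for extensions does not say in what form an extension is entered (with or without the leading dot, with or without a wildcard), which is the detail most likely to produce an exclusion that silently matches nothing or too much. Suggest adding one example entry next to "Enter each file extension on its own line".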
@ -187,23 +201,102 @@ See [Add exclusions in the Windows Defender Security Center app](windows-defende
<a id="wildcards"></a> <a id="wildcards"></a>
## Use wildcards in the file name and folder path or extension exclusion lists ## Use wildcards in the file name and folder path or extension exclusion lists
You can use the asterisk \*, question mark ?, or environment variables (such as %ALLUSERSPROFILE%) as wildcards when defining items in the file name or folder path exclusion list. You can use the asterisk `*`, question mark `?`, or environment variables (such as `%ALLUSERSPROFILE%`) as wildcards when defining items in the file name or folder path exclusion list. The way in which these wildcards are interpreted differs from their usual usage in other apps and languages, so you should read this section to understand their specific limitations.
>[!IMPORTANT] >[!IMPORTANT]
>Environment variable usage is limited to machine variables and those applicable to processes running as an NT AUTHORITY\SYSTEM account. >There are key limitations and usage scenarios for these wildcards:
>
You cannot use a wildcard in place of a drive letter. >- Environment variable usage is limited to machine variables and those applicable to processes running as an NT AUTHORITY\SYSTEM account.
>- You cannot use a wildcard in place of a drive letter.
>- The use of asterisk `*` in a folder exclusion will stand in place for a single folder. Use multiple instances of `\*\` to indicate multiple nested folders with unspecified names.
The following table describes how the wildcards can be used and provides some examples. The following table describes how the wildcards can be used and provides some examples.
<table>
<tr>
<th>Wildcard</th>
<th>Use in file and file extension exclusions</th>
<th>Use in folder exclusions</th>
<th>Example use</th>
<th>Example matches></th>
</tr>
<tr>
<td><b>\*</b> (asterisk)</td>
<td>Replaces any number of characters. <br />Only applies to files in the last folder defined in the argument. </td>
<td>Replaces a single folder. <br />Use multiple <b>\*</b> with folder slashes <b>\\</b> to indicate multiple, nested folders. </br>After matching to the number of wilcarded and named folders, all subfolders will also be included.</td>
<td>
<ol>
<li>C:\MyData\\<b>\*</b>.txt</li>
<li>C:\somepath\\<b>\*</b>\Data</li>
<li>C:\Serv\\<b>\*</b>\\<b>\*</b>\Backup
</ol>
</td>
<td>
<ol>
<li><i>C:\MyData\\<b>notes</b>.txt</i></li>
<li>Any file in:
<ul>
<li><i>C:\somepath\\<b>Archives</b>\Data</i> and its subfolders</li>
<li><i>C:\somepath\\<b>Authorized</b>\Data</i> and its subfolders</li>
</ul>
<li>Any file in:
<ul>
<li><i>C:\Serv\\<b>Primary</b>\\<b>Denied</b>\Backup</i> and its subfolders</li>
<li><i>C:\Serv\\<b>Secondary</b>\\<b>Allowed</b>\Backup</i> and its subfolders</li>
</ul>
</ol>
</td>
</tr>
<tr>
<td>
<b>?</b> (question mark)
</td>
<td>
Replaces a single character. <br />
Only applies to files in the last folder defined in the argument.
</td>
<td>
Replaces a single character in a folder name. </br>
After matching to the number of wilcarded and named folders, all subfolders will also be included.
</td>
<td>
<ol>
<li>C:\MyData\my<b>?</b>.zip</li>
<li>C:\somepath\\<b>?</b>\Data</li>
<li>C:\somepath\test0<b>?</b>\Data</li>
</ol>
</td>
<td>
<ol>
<li><i>C:\MyData\my<b>1</b>.zip</i></li>
<li>Any file in <i>C:\somepath\\<b>P</b>\Data</i> and its subfolders</li>
<li>Any file in <i>C:\somepath\test0<b>1</b>\Data</i> and its subfolders</li>
</ol>
</td>
</tr>
<tr>
<td>Environment variables</td>
<td>The defined variable will be populated as a path when the exclusion is evaluated.</td>
<td>Same as file and extension use. </td>
<td>
<ol>
<li><b>%ALLUSERSPROFILE%</b>\CustomLogFiles</li>
</ol>
</td>
<td>
<ol>
<li><i><b>C:\ProgramData</b>\CustomLogFiles\Folder1\file1.txt</i></li>
</ol>
</td>
</tr>
</table>
Wildcard | Use | Example use | Example matches >[!IMPORTANT]
---|---|---|--- >If you mix a file exclusion argument with a folder exclusion argument, the rules will stop at the file argument match in the matched folder, and will not look for file matches in any subfolders.
\* (asterisk) | Replaces any number of characters | <ul><li>C:\MyData\my\*.zip</li><li>C:\somepath\\\*\Data</li></ul> | <ul><li>C:\MyData\my-archived-files-43.zip</li><li>Any file in C:\somepath\folder1\folder2\Data</li></ul> >
? (question mark) | Replaces a single character | <ul><li>C:\MyData\my\?.zip</li><li>C:\somepath\\\?\Data</li></ul> | <ul><li>C:\MyData\my1.zip</li><li>Any file in C:\somepath\P\Data</li></ul> >For example, you can exclude all files that start with "date" in the folders *c:\data\final\marked* and *c:\data\review\marked* by using the rule argument <b>c:\data\\\*\marked\date*.\*</b>.
Environment variables | The defined variable will be populated as a path when the exclusion is evaluated | <ul><li>%ALLUSERSPROFILE%\CustomLogFiles</li></ul> | <ul><li>C:\ProgramData\CustomLogFiles\Folder1\file1.txt</li></ul> >
>This argument, however, will not match any files in **subfolders** under *c:\data\final\marked* or *c:\data\review\marked*.
<a id="review"></a> <a id="review"></a>
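Review bot: The new HTML table has markup errors that will affect rendering. The last header cell reads "Example matches>" with a stray ">", the third list item in the asterisk row's "Example use" cell and both "Any file in:" items are never closed with a closing li tag, and a "br" closing tag is used twice where a line break tag is meant. "wilcarded" is misspelled in both folder-exclusion cells. In the closing IMPORTANT note, the rule "date*.\*" escapes only one of its two asterisks while the rest of the section escapes all of them, so the escaping should be made consistent. Since an asterisk in a folder exclusion matches one folder level and then takes in all subfolders, it would also help to say so in the bullet list above the table, not only inside the table cell.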
@ -211,6 +304,11 @@ Environment variables | The defined variable will be populated as a path when th
You can retrieve the items in the exclusion list with PowerShell, [System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings), [Intune](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune), or the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions). You can retrieve the items in the exclusion list with PowerShell, [System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings), [Intune](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune), or the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions).
>[!IMPORTANT]
>Changes made via Group Policy to the exclusion lists **will show** in the lists in the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions).
>
>Changes made in the Windows Defender Security Center app **will not show** in the Group Policy lists.
If you use PowerShell, you can retrieve the list in two ways: If you use PowerShell, you can retrieve the list in two ways:
- Retrieve the status of all Windows Defender AV preferences. Each of the lists will be displayed on separate lines, but the items within each list will be combined into the same line. - Retrieve the status of all Windows Defender AV preferences. Each of the lists will be displayed on separate lines, but the items within each list will be combined into the same line.
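Review bot: The IMPORTANT block added here repeats, word for word, the block this commit also adds near the top of the topic ("Changes made via Group Policy to the exclusion lists **will show** ..."). Two verbatim copies in one topic will drift apart on the next edit. Suggest keeping the note in one place and linking to it, or moving it to a shared include.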
@ -273,6 +371,14 @@ $client = new-object System.Net.WebClient
$client.DownloadFile("http://www.eicar.org/download/eicar.com.txt","c:\test.txt") $client.DownloadFile("http://www.eicar.org/download/eicar.com.txt","c:\test.txt")
``` ```
If you do not have Internet access, you can create your own EICAR test file by writing the EICAR string to a new text file with the following PowerShell command:
```PowerShell
[io.file]::WriteAllText("test.txt",'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*')
```
You can also copy the string into a blank text file and attempt to save it with the file name or in the folder you are attempting to exclude.
## Related topics ## Related topics
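Review bot: The added WriteAllText example writes to the relative path "test.txt", while the download example just above writes to "c:\test.txt". A relative path passed to a .NET method resolves against the process working directory, which is not necessarily the folder PowerShell is currently in, so the test file may not land in the excluded location being validated. Suggest using a fully qualified path in the example and telling the reader to substitute a path that matches the exclusion rule under test.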

View File

@ -19,6 +19,15 @@ Answering frequently asked questions about Windows Defender Application Guard (A
## Frequently Asked Questions ## Frequently Asked Questions
| | |
|---|----------------------------|
|**Q:** |Can I enable Application Guard on machines equipped with 4GB RAM?|
|**A:** |We recommend 8GB RAM for optimal performance but you may use the following registry values to enable Application Guard on machines that aren't meeting the recommended hardware configuration. |
||HKLM\software\Microsoft\Hvsi\SpecRequiredProcessorCount - Default is 4 cores. |
||HKLM\software\Microsoft\Hvsi\SpecRequiredMemoryInGB - Default is 8GB.|
||HKLM\software\Microsoft\Hvsi\SpecRequiredFreeDiskSpaceInGB - Default is 5GB.|
<br>
| | | | | |
|---|----------------------------| |---|----------------------------|
|**Q:** |Can employees download documents from the Application Guard Edge session onto host devices?| |**Q:** |Can employees download documents from the Application Guard Edge session onto host devices?|
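Review bot: The new answer lists three values under HKLM\software\Microsoft\Hvsi with their defaults but never says what type they are, what to set them to for the 4GB case the question asks about, or whether a restart is needed, so the reader cannot act on it. Suggest adding the value type and a worked setting, putting the registry paths in code formatting, and restating that running below the recommended 8GB trades away performance.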

View File

@ -17,12 +17,15 @@ ms.date: 08/11/2017
The threat landscape is continually evolving. While hackers are busy developing new techniques to breach enterprise networks by compromising workstations, phishing schemes remain one of the top ways to lure employees into social engineering attacks. Windows Defender Application Guard is designed to help prevent old, and newly emerging attacks, to help keep employees productive. The threat landscape is continually evolving. While hackers are busy developing new techniques to breach enterprise networks by compromising workstations, phishing schemes remain one of the top ways to lure employees into social engineering attacks. Windows Defender Application Guard is designed to help prevent old, and newly emerging attacks, to help keep employees productive.
>[!NOTE]
>Windows Defender Application Guard is not supported on VMs and VDI environment. For testing and automation on non-production machines, you may enable WDAG on a VM by enabling Hyper-V nested virtualization on the host.
## Hardware requirements ## Hardware requirements
Your environment needs the following hardware to run Windows Defender Application Guard. Your environment needs the following hardware to run Windows Defender Application Guard.
|Hardware|Description| |Hardware|Description|
|--------|-----------| |--------|-----------|
|64-bit CPU|A 64-bit computer is required for hypervisor and virtualization-based security (VBS). For more info about Hyper-V, see [Hyper-V on Windows Server 2016](https://docs.microsoft.com/en-us/windows-server/virtualization/hyper-v/hyper-v-on-windows-server) or [Introduction to Hyper-V on Windows 10](https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/about/). For more info about hypervisor, see [Hypervisor Specifications](https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/reference/tlfs).| |64-bit CPU|A 64-bit computer with minimum 4 cores is required for hypervisor and virtualization-based security (VBS). For more info about Hyper-V, see [Hyper-V on Windows Server 2016](https://docs.microsoft.com/en-us/windows-server/virtualization/hyper-v/hyper-v-on-windows-server) or [Introduction to Hyper-V on Windows 10](https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/about/). For more info about hypervisor, see [Hypervisor Specifications](https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/reference/tlfs).|
|CPU virtualization extensions|Extended page tables, also called _Second Level Address Translation (SLAT)_<br><br>**-AND-**<br><br>One of the following virtualization extensions for VBS:<br><br>VT-x (Intel)<br><br>**-OR-**<br><br>AMD-V| |CPU virtualization extensions|Extended page tables, also called _Second Level Address Translation (SLAT)_<br><br>**-AND-**<br><br>One of the following virtualization extensions for VBS:<br><br>VT-x (Intel)<br><br>**-OR-**<br><br>AMD-V|
|Hardware memory|Microsoft recommends 8GB RAM for optimal performance| |Hardware memory|Microsoft recommends 8GB RAM for optimal performance|
|Hard disk|5 GB free space, solid state disk (SSD) recommended| |Hard disk|5 GB free space, solid state disk (SSD) recommended|
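Review bot: The changed 64-bit CPU row now says a minimum of 4 cores "is required", but the FAQ change in this same commit describes SpecRequiredProcessorCount as a default that can be lowered through the registry. Suggest wording the core count as the default requirement, or giving it its own row that links to the FAQ entry. In the added NOTE, "VMs and VDI environment" should be "VMs and VDI environments", WDAG should be expanded on first use, and the second sentence should make clear that the nested virtualization route is for test machines only and remains unsupported.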

View File

@ -9,7 +9,7 @@ ms.sitesec: library
ms.pagetype: security ms.pagetype: security
author: mjcaparas author: mjcaparas
localizationpriority: high localizationpriority: high
ms.date: 11/07/2017 ms.date: 11/08/2017
--- ---
# Configure non-Windows endpoints # Configure non-Windows endpoints
@ -20,7 +20,7 @@ ms.date: 11/07/2017
- Linux - Linux
- Windows Defender Advanced Threat Protection (Windows Defender ATP) - Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
Windows Defender ATP provides a centralized security operations experience for Windows as well as non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in the Windows Defender ATP portal and better protect your organization's network. This experience leverages on a third-party security products sensor data. Windows Defender ATP provides a centralized security operations experience for Windows as well as non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in the Windows Defender ATP portal and better protect your organization's network. This experience leverages on a third-party security products sensor data.

View File

@ -55,6 +55,9 @@ Windows Defender ATP supports the use of Power BI data connectors to enable you
- [Use the Windows Defender ATP exposed APIs](exposed-apis-windows-defender-advanced-threat-protection.md)<br> - [Use the Windows Defender ATP exposed APIs](exposed-apis-windows-defender-advanced-threat-protection.md)<br>
Windows Defender ATP exposes much of the available data and actions using a set of programmatic APIs that are part of the Microsoft Intelligence Security Graph. Those APIs will enable you, to automate workflows and innovate based on Windows Defender ATP capabilities. Windows Defender ATP exposes much of the available data and actions using a set of programmatic APIs that are part of the Microsoft Intelligence Security Graph. Those APIs will enable you, to automate workflows and innovate based on Windows Defender ATP capabilities.
- [Configure non-Windows endpoints](configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md)<br>
Windows Defender ATP provides a centralized security operations experience for Windows as well as non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in the Windows Defender ATP portal and better protect your organization's network. This experience leverages on a third-party security products' sensor data.
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-preview-belowfoldlink) >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-preview-belowfoldlink)
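Review bot: The added description ends with "This experience leverages on a third-party security products' sensor data", which is ungrammatical and differs from the sentence in the topic it links to, where "products" has no apostrophe. Suggest using one wording in both places, for example "This experience leverages sensor data from third-party security products."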

View File

@ -173,7 +173,7 @@ Depending on the severity of the attack and the sensitivity of the machine, you
This machine isolation feature disconnects the compromised machine from the network while retaining connectivity to the Windows Defender ATP service, which continues to monitor the machine. This machine isolation feature disconnects the compromised machine from the network while retaining connectivity to the Windows Defender ATP service, which continues to monitor the machine.
On Windows 10, version 1710 and above, you'll have additional control over the network isolation level. You can also choose to enable Outlook and Skype for Business connectivity. On Windows 10, version 1709 and above, you'll have additional control over the network isolation level. You can also choose to enable Outlook and Skype for Business connectivity.
>[!NOTE] >[!NOTE]
>Youll be able to reconnect the machine back to the network at any time. >Youll be able to reconnect the machine back to the network at any time.