diff --git a/.openpublishing.publish.config.json b/.openpublishing.publish.config.json
index 7c4e04d4a5..9e9233eb13 100644
--- a/.openpublishing.publish.config.json
+++ b/.openpublishing.publish.config.json
@@ -135,6 +135,22 @@
"moniker_groups": [],
"version": 0
},
+ {
+ "docset_name": "privacy",
+ "build_source_folder": "windows/privacy",
+ "build_output_subfolder": "privacy",
+ "locale": "en-us",
+ "monikers": [],
+ "moniker_ranges": [],
+ "open_to_public_contributors": false,
+ "type_mapping": {
+ "Conceptual": "Content",
+ "ManagedReference": "Content",
+ "RestApi": "Content"
+ },
+ "build_entry_point": "docs",
+ "template_folder": "_themes"
+ },
{
"docset_name": "security",
"build_source_folder": "windows/security",
diff --git a/windows/client-management/mdm/TOC.md b/windows/client-management/mdm/TOC.md
index c29fa0959d..5b232fca9e 100644
--- a/windows/client-management/mdm/TOC.md
+++ b/windows/client-management/mdm/TOC.md
@@ -217,6 +217,7 @@
#### [InternetExplorer](policy-csp-internetexplorer.md)
#### [Kerberos](policy-csp-kerberos.md)
#### [KioskBrowser](policy-csp-kioskbrowser.md)
+#### [LanmanWorkstation](policy-csp-lanmanworkstation.md)
#### [Licensing](policy-csp-licensing.md)
#### [LocalPoliciesSecurityOptions](policy-csp-localpoliciessecurityoptions.md)
#### [Location](policy-csp-location.md)
diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md
index 3764a9326f..691891af81 100644
--- a/windows/client-management/mdm/configuration-service-provider-reference.md
+++ b/windows/client-management/mdm/configuration-service-provider-reference.md
@@ -2535,7 +2535,6 @@ The following list shows the configuration service providers supported in Window
| [DeveloperSetup CSP](developersetup-csp.md) |  | 2 (Provisioning only)|
| [DeviceStatus CSP](devicestatus-csp.md) |  |  |
| [DevInfo CSP](devinfo-csp.md) |  |  |
-| [DiagnosticLog CSP](diagnosticlog-csp.md) |  |  |
| [DMAcc CSP](dmacc-csp.md) |  |  |
| [DMClient CSP](dmclient-csp.md) |  |  |
| [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) |  |  |
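Review bot: The deletion of the `| [DiagnosticLog CSP](diagnosticlog-csp.md) |` row in this support table is not explained by anything else in the change, which otherwise only adds Windows 10, version 1803 content. If DiagnosticLog CSP is still supported in this edition, restore the row. If the removal is intended, state the reason in the commit description so it is not read as an accidental deletion.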
diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
index 035cb49656..1ec94b2451 100644
--- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
+++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
@@ -10,7 +10,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 03/03/2018
+ms.date: 03/15/2018
---
# What's new in MDM enrollment and management
@@ -30,6 +30,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s
- [What's new in Windows 10, version 1607](#whatsnew1607)
- [What's new in Windows 10, version 1703](#whatsnew10)
- [What's new in Windows 10, version 1709](#whatsnew1709)
+- [What's new in Windows 10, version 1803](#whatsnew1803)
- [Change history in MDM documentation](#change-history-in-mdm-documentation)
- [Breaking changes and known issues](#breaking-changes-and-known-issues)
- [Get command inside an atomic command is not supported](#getcommand)
@@ -1124,6 +1125,230 @@ For details about Microsoft mobile device management protocols for Windows 10 s
+## What's new in Windows 10, version 1803
+
+
+
+
+
+
+
+
+
+
+
+[Policy CSP](policy-configuration-service-provider.md) |
+Added the following new policies for Windows 10, version 1803:
+
+- AccountPoliciesAccountLockoutPolicy/AccountLockoutDuration
+- AccountPoliciesAccountLockoutPolicy/AccountLockoutThreshold
+- AccountPoliciesAccountLockoutPolicy/ResetAccountLockoutCounterAfter
+- ApplicationDefaults/EnableAppUriHandlers
+- Browser/AllowConfigurationUpdateForBooksLibrary
+- Browser/AlwaysEnableBooksLibrary
+- Browser/EnableExtendedBooksTelemetry
+- Browser/UseSharedFolderForBooks
+- Connectivity/AllowPhonePCLinking
+- DeliveryOptimization/DODelayBackgroundDownloadFromHttp
+- DeliveryOptimization/DODelayForegroundDownloadFromHttp
+- DeliveryOptimization/DOGroupIdSource
+- DeliveryOptimization/DOPercentageMaxBackDownloadBandwidth
+- DeliveryOptimization/DOPercentageMaxForeDownloadBandwidth
+- DeliveryOptimization/DORestrictPeerSelectionBy
+- DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth
+- DeliveryOptimization/DOSetHoursToLimitForegroundDownloadBandwidth
+- Display/DisablePerProcessDpiForApps
+- Display/EnablePerProcessDpi
+- Display/EnablePerProcessDpiForApps
+- Experience/AllowWindowsSpotlightOnSettings
+- KioskBrowser/BlockedUrlExceptions
+- KioskBrowser/BlockedUrls
+- KioskBrowser/DefaultURL
+- KioskBrowser/EnableHomeButton
+- KioskBrowser/EnableNavigationButtons
+- KioskBrowser/RestartOnIdleTime
+- LanmanWorkstation/EnableInsecureGuestLogons
+- LocalPoliciesSecurityOptions/Devices_AllowUndockWithoutHavingToLogon
+- LocalPoliciesSecurityOptions/Devices_AllowedToFormatAndEjectRemovableMedia
+- LocalPoliciesSecurityOptions/Devices_PreventUsersFromInstallingPrinterDriversWhenConnectingToSharedPrinters
+- LocalPoliciesSecurityOptions/Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly
+- LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways
+- LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptSecureChannelDataWhenPossible
+- LocalPoliciesSecurityOptions/DomainMember_DigitallySignSecureChannelDataWhenPossible
+- LocalPoliciesSecurityOptions/DomainMember_DisableMachineAccountPasswordChanges
+- LocalPoliciesSecurityOptions/DomainMember_MaximumMachineAccountPasswordAge
+- LocalPoliciesSecurityOptions/DomainMember_RequireStrongSessionKey
+- LocalPoliciesSecurityOptions/InteractiveLogon_SmartCardRemovalBehavior
+- LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsAlways
+- LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees
+- LocalPoliciesSecurityOptions/MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers
+- LocalPoliciesSecurityOptions/MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession
+- LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsAlways
+- LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees
+- LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts
+- LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSamAccountsAndShares
+- LocalPoliciesSecurityOptions/NetworkAccess_LetEveryonePermissionsApplyToAnonymousUsers
+- LocalPoliciesSecurityOptions/NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares
+- LocalPoliciesSecurityOptions/NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM
+- LocalPoliciesSecurityOptions/NetworkSecurity_AllowLocalSystemToUseComputerIdentityForNTLM
+- LocalPoliciesSecurityOptions/NetworkSecurity_DoNotStoreLANManagerHashValueOnNextPasswordChange
+- LocalPoliciesSecurityOptions/NetworkSecurity_LANManagerAuthenticationLevel
+- LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients
+- LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers
+- LocalPoliciesSecurityOptions/Shutdown_ClearVirtualMemoryPageFile
+- LocalPoliciesSecurityOptions/SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems
+- LocalPoliciesSecurityOptions/UserAccountControl_DetectApplicationInstallationsAndPromptForElevation
+- LocalPoliciesSecurityOptions/UserAccountControl_UseAdminApprovalMode
+- RestrictedGroups/ConfigureGroupMembership
+- Search/AllowCortanaInAAD
+- Search/DoNotUseWebResults
+- Security/ConfigureWindowsPasswords
+- System/FeedbackHubAlwaysSaveDiagnosticsLocally
+- SystemServices/ConfigureHomeGroupListenerServiceStartupMode
+- SystemServices/ConfigureHomeGroupProviderServiceStartupMode
+- SystemServices/ConfigureXboxAccessoryManagementServiceStartupMode
+- SystemServices/ConfigureXboxLiveAuthManagerServiceStartupMode
+- SystemServices/ConfigureXboxLiveGameSaveServiceStartupMode
+- SystemServices/ConfigureXboxLiveNetworkingServiceStartupMode
+- TaskScheduler/EnableXboxGameSaveTask
+- TextInput/AllowHardwareKeyboardTextSuggestions
+- TextInput/EnableTouchKeyboardAutoInvokeInDesktopMode
+- TextInput/ForceTouchKeyboardDockedState
+- TextInput/TouchKeyboardDictationButtonAvailability
+- TextInput/TouchKeyboardEmojiButtonAvailability
+- TextInput/TouchKeyboardFullModeAvailability
+- TextInput/TouchKeyboardHandwritingModeAvailability
+- TextInput/TouchKeyboardNarrowModeAvailability
+- TextInput/TouchKeyboardSplitModeAvailability
+- TextInput/TouchKeyboardWideModeAvailability
+- Update/ConfigureFeatureUpdateUninstallPeriod
+- UserRights/AccessCredentialManagerAsTrustedCaller
+- UserRights/AccessFromNetwork
+- UserRights/ActAsPartOfTheOperatingSystem
+- UserRights/AllowLocalLogOn
+- UserRights/BackupFilesAndDirectories
+- UserRights/ChangeSystemTime
+- UserRights/CreateGlobalObjects
+- UserRights/CreatePageFile
+- UserRights/CreatePermanentSharedObjects
+- UserRights/CreateSymbolicLinks
+- UserRights/CreateToken
+- UserRights/DebugPrograms
+- UserRights/DenyAccessFromNetwork
+- UserRights/DenyLocalLogOn
+- UserRights/DenyRemoteDesktopServicesLogOn
+- UserRights/EnableDelegation
+- UserRights/GenerateSecurityAudits
+- UserRights/ImpersonateClient
+- UserRights/IncreaseSchedulingPriority
+- UserRights/LoadUnloadDeviceDrivers
+- UserRights/LockMemory
+- UserRights/ManageAuditingAndSecurityLog
+- UserRights/ManageVolume
+- UserRights/ModifyFirmwareEnvironment
+- UserRights/ModifyObjectLabel
+- UserRights/ProfileSingleProcess
+- UserRights/RemoteShutdown
+- UserRights/RestoreFilesAndDirectories
+- UserRights/TakeOwnership
+- WindowsDefenderSecurityCenter/DisableAccountProtectionUI
+- WindowsDefenderSecurityCenter/DisableDeviceSecurityUI
+- WindowsDefenderSecurityCenter/HideRansomwareDataRecovery
+- WindowsDefenderSecurityCenter/HideSecureBoot
+- WindowsDefenderSecurityCenter/HideTPMTroubleshooting
+
+Security/RequireDeviceEncrption - updated to show it is supported in desktop.
+ |
+
+[BitLocker CSP](bitlocker-csp.md) |
+Updated the description for AllowWarningForOtherDiskEncryption to describe changes added in Windows 10, version 1803.
+ |
+
+[EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) |
+Added new node MaintainProcessorArchitectureOnUpdate in Windows 10, version 1803.
+ |
+
+[DMClient CSP](dmclient-csp.md) |
+Added ./User/Vendor/MSFT/DMClient/Provider/[ProviderID]/FirstSyncStatus node. Also added the following nodes in Windows 10, version 1803:
+
+- AADSendDeviceToken
+- BlockInStatusPage
+- AllowCollectLogsButton
+- CustomErrorText
+- SkipDeviceStatusPage
+- SkipUserStatusPage
+
+ |
+
+[RemoteWipe CSP](remotewipe-csp.md) |
+Added the following nodes in Windows 10, version 1803:
+
+- AutomaticRedeployment
+- doAutomaticRedeployment
+- LastError
+- Status
+
+ |
+
+[Defender CSP](defender-csp.md) |
+Added new node (OfflineScan) in Windows 10, version 1803.
+ |
+
+[UEFI CSP](uefi-csp.md) |
+Added a new CSP in Windows 10, version 1803.
+ |
+
+[Update CSP](update-csp.md) |
+Added the following nodes in Windows 10, version 1803:
+
+- Rollback
+- Rollback/FeatureUpdate
+- Rollback/QualityUpdateStatus
+- Rollback/FeatureUpdateStatus
+
+ |
+
+[AssignedAccess CSP](assignedaccess-csp.md) |
+Added the following nodes in Windows 10, version 1803:
+
+- Status
+- ShellLauncher
+- StatusConfiguration
+
+Updated the AssigneAccessConfiguration schema.
+ |
+
+[MultiSIM CSP](multisim-csp.md) |
+Added a new CSP in Windows 10, version 1803.
+ |
+
+[EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) |
+Added the following node in Windows 10, version 1803:
+
+- MaintainProcessorArchitectureOnUpdate
+
+ |
+
+[eUICCs CSP](euiccs-csp.md) |
+Added the following node in Windows 10, version 1803:
+
+ |
+
+[DeviceStatus CSP](devicestatus-csp.md) |
+Added the following node in Windows 10, version 1803:
+
+ |
+
+
+
+
## Breaking changes and known issues
### Get command inside an atomic command is not supported
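Review bot: Several entries in the new 1803 section need correction before merge. "Security/RequireDeviceEncrption" and "AssigneAccessConfiguration" are misspelled, and policy names are what administrators copy into profiles. The eUICCs CSP and DeviceStatus CSP rows both say "Added the following node in Windows 10, version 1803:" and then list no node. EnterpriseModernAppManagement CSP appears twice with the same MaintainProcessorArchitectureOnUpdate node; keep one row.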
@@ -1431,6 +1656,7 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
- ApplicationDefaults/EnableAppUriHandlers
- Connectivity/AllowPhonePCLinking
+- RestrictedGroups/ConfigureGroupMembership
diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md
index 4648284ec8..c5ec170ba9 100644
--- a/windows/client-management/mdm/policy-configuration-service-provider.md
+++ b/windows/client-management/mdm/policy-configuration-service-provider.md
@@ -1906,6 +1906,14 @@ The following diagram shows the Policy configuration service provider in tree fo
+### LanmanWorkstation policies
+
+
+ -
+ LanmanWorkstation/EnableInsecureGuestLogons
+
+
+
### Licensing policies
diff --git a/windows/client-management/mdm/policy-csp-lanmanworkstation.md b/windows/client-management/mdm/policy-csp-lanmanworkstation.md
new file mode 100644
index 0000000000..5c860249fc
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-lanmanworkstation.md
@@ -0,0 +1,106 @@
+---
+title: Policy CSP - LanmanWorkstation
+description: Policy CSP - LanmanWorkstation
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+ms.date: 03/16/2018
+---
+
+# Policy CSP - LanmanWorkstation
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
+
+
+## LanmanWorkstation policies
+
+
+ -
+ LanmanWorkstation/EnableInsecureGuestLogons
+
+
+
+
+
+
+
+**LanmanWorkstation/EnableInsecureGuestLogons**
+
+
+
+
+ Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+  |
+ 4 |
+ 4 |
+ 4 |
+ 4 |
+  |
+  |
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Added in Windows 10, version 1803. This policy setting determines if the SMB client will allow insecure guest logons to an SMB server.
+
+If you enable this policy setting or if you do not configure this policy setting, the SMB client will allow insecure guest logons.
+
+If you disable this policy setting, the SMB client will reject insecure guest logons.
+
+Insecure guest logons are used by file servers to allow unauthenticated access to shared folders. While uncommon in an enterprise environment, insecure guest logons are frequently used by consumer Network Attached Storage (NAS) appliances acting as file servers. Windows file servers require authentication and do not use insecure guest logons by default. Since insecure guest logons are unauthenticated, important security features such as SMB Signing and SMB Encryption are disabled. As a result, clients that allow insecure guest logons are vulnerable to a variety of man-in-the-middle attacks that can result in data loss, data corruption, and exposure to malware. Additionally, any data written to a file server using an insecure guest logon is potentially accessible to anyone on the network. Microsoft recommends disabling insecure guest logons and configuring file servers to require authenticated access.
+
+
+
+ADMX Info:
+- GP English name: *Enable insecure guest logons*
+- GP name: *Pol_EnableInsecureGuestLogons*
+- GP ADMX file name: *LanmanWorkstation.admx*
+
+
+
+This setting supports a range of values between 0 and 1.
+
+
+
+
+
+
+
+
+
+
+
+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+- 4 - Added in Windows 10, version 1803.
+
+
+
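Review bot: The line "This setting supports a range of values between 0 and 1" does not say which value allows and which rejects insecure guest logons, and it does not give the default. The description recommends disabling insecure guest logons and says an unconfigured client allows them, so list both values with their meaning and mark the default; otherwise an administrator cannot tell which value to deploy to reject guest logons. The footnote list also carries entries 1 to 3, which nothing in this file references; only footnote 4 is used.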
diff --git a/windows/client-management/mdm/policy-csp-restrictedgroups.md b/windows/client-management/mdm/policy-csp-restrictedgroups.md
index 8b0251476c..8e59202bfb 100644
--- a/windows/client-management/mdm/policy-csp-restrictedgroups.md
+++ b/windows/client-management/mdm/policy-csp-restrictedgroups.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 01/12/2018
+ms.date: 03/15/2018
---
# Policy CSP - RestrictedGroups
@@ -17,20 +17,22 @@ ms.date: 01/12/2018
-
+
## RestrictedGroups policies
-
- RestrictedGroups/ConfigureGroupMembership
+ RestrictedGroups/ConfigureGroupMembership
+
-
+
+
**RestrictedGroups/ConfigureGroupMembership**
-
+
Home |
@@ -47,13 +49,13 @@ ms.date: 01/12/2018
4 |
4 |
4 |
-  |
-  |
+ |
+ |
-
-
+
+
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@@ -61,19 +63,13 @@ ms.date: 01/12/2018
-
-
-This security setting allows an administrator to define the members of a security-sensitive (restricted) group. When a Restricted Groups Policy is enforced, any current member of a restricted group that is not on the Members list is removed. Any user on the Members list who is not currently a member of the restricted group is added. You can use Restricted Groups policy to control group membership.
+
+
+This security setting allows an administrator to define the members of a security-sensitive (restricted) group. When a Restricted Groups Policy is enforced, any current member of a restricted group that is not on the Members list is removed. Any user on the Members list who is not currently a member of the restricted group is added. You can use Restricted Groups policy to control group membership. Using the policy, you can specify what members are part of a group. Any members that are not specified in the policy are removed during configuration or refresh. For example, you can create a Restricted Groups policy to only allow specified users (for example, Alice and John) to be members of the Administrators group. When policy is refreshed, only Alice and John will remain as members of the Administrators group.
-> [!Note]
-> This policy is only scoped to the Administrators group at this time.
+Caution: If a Restricted Groups policy is applied, any current member not on the Restricted Groups policy members list is removed. This can include default members, such as administrators. Restricted Groups should be used primarily to configure membership of local groups on workstation or member servers. An empty Members list means that the restricted group has no members.
-Using the policy, you can specify what members are part of a group. Any members that are not specified in the policy are removed during configuration or refresh. For example, you can create a Restricted Groups policy to only allow specified users (for example, Alice and John) to be members of the Administrators group. When policy is refreshed, only Alice and John will remain as members of the Administrators group.
-
-> [!Note]
-> If a Restricted Groups policy is applied, any current member not on the Restricted Groups policy members list is removed. This can include default members, such as administrators. Restricted Groups should be used primarily to configure membership of local groups on workstation or member servers. An empty Members list means that the restricted group has no members.
-
-
+
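Review bot: The removed note "This policy is only scoped to the Administrators group at this time" has no replacement, so the page no longer states which groups the policy can manage; confirm the restriction is lifted in 1803, or keep the note. The warning that default members such as administrators can be removed was also changed from a `> [!Note]` block to inline "Caution:" text, which drops the alert rendering for the most consequential statement on the page; keep it in the alert block syntax. The merged first paragraph now states the removal behaviour twice ("any current member of a restricted group that is not on the Members list is removed" and "Any members that are not specified in the policy are removed"), so one of the two can go.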
@@ -83,7 +79,7 @@ Using the policy, you can specify what members are part of a group. Any members
-
+
Footnote:
@@ -91,6 +87,7 @@ Footnote:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
+- 4 - Added in Windows 10, version 1803.
-
+
diff --git a/windows/deployment/windows-10-deployment-scenarios.md b/windows/deployment/windows-10-deployment-scenarios.md
index bab7d12f57..51a8bd92fe 100644
--- a/windows/deployment/windows-10-deployment-scenarios.md
+++ b/windows/deployment/windows-10-deployment-scenarios.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.localizationpriority: high
ms.sitesec: library
-ms.date: 01/10/2018
+ms.date: 03/16/2018
author: greg-lindsay
---
@@ -36,7 +36,7 @@ The following table summarizes various Windows 10 deployment scenarios. The scen
Customize the out-of-box-experience (OOBE) for your organization, and deploy a new system with apps and settings already configured.
-Overview of Windows AutoPilot
+Overview of Windows AutoPilot
|
diff --git a/windows/privacy/TOC.md b/windows/privacy/TOC.md
new file mode 100644
index 0000000000..06913f7aef
--- /dev/null
+++ b/windows/privacy/TOC.md
@@ -0,0 +1 @@
+# [Index](index.md)
\ No newline at end of file
diff --git a/windows/privacy/breadcrumb/toc.yml b/windows/privacy/breadcrumb/toc.yml
new file mode 100644
index 0000000000..61d8fca61e
--- /dev/null
+++ b/windows/privacy/breadcrumb/toc.yml
@@ -0,0 +1,3 @@
+- name: Docs
+ tocHref: /
+ topicHref: /
\ No newline at end of file
diff --git a/windows/privacy/docfx.json b/windows/privacy/docfx.json
new file mode 100644
index 0000000000..e1cbc9d653
--- /dev/null
+++ b/windows/privacy/docfx.json
@@ -0,0 +1,46 @@
+{
+ "build": {
+ "content": [
+ {
+ "files": [
+ "**/*.md",
+ "**/*.yml"
+ ],
+ "exclude": [
+ "**/obj/**",
+ "**/includes/**",
+ "_themes/**",
+ "_themes.pdf/**",
+ "README.md",
+ "LICENSE",
+ "LICENSE-CODE",
+ "ThirdPartyNotices"
+ ]
+ }
+ ],
+ "resource": [
+ {
+ "files": [
+ "**/*.png",
+ "**/*.jpg"
+ ],
+ "exclude": [
+ "**/obj/**",
+ "**/includes/**",
+ "_themes/**",
+ "_themes.pdf/**"
+ ]
+ }
+ ],
+ "overwrite": [],
+ "externalReference": [],
+ "globalMetadata": {
+ "breadcrumb_path": "/windows/privacy/breadcrumb/toc.json",
+ "extendBreadcrumb": true
+ },
+ "fileMetadata": {},
+ "template": [],
+ "dest": "privacy",
+ "markdownEngineName": "markdig"
+ }
+}
\ No newline at end of file
diff --git a/windows/privacy/index.md b/windows/privacy/index.md
new file mode 100644
index 0000000000..f20ef925b9
--- /dev/null
+++ b/windows/privacy/index.md
@@ -0,0 +1 @@
+# Welcome to privacy!
\ No newline at end of file
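Review bot: The new index.md contains only the heading "# Welcome to privacy!" and has no metadata block, unlike the other pages in this change, which carry title, author and ms.date front matter. If the privacy docset is being published by the config entry added above, add the front matter and real landing content, or hold the docset out of the publish config until the content exists. The file also ends without a trailing newline.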
diff --git a/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md b/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md
index ca2703df29..e692472aa5 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md
@@ -94,7 +94,7 @@ For many years, Microsoft has recommended using pre-boot authentication to prote
Although effective, pre-boot authentication is inconvenient to users. In addition, if a user forgets their PIN or loses their startup key, they’re denied access to their data until they can contact their organization’s support team to obtain a recovery key. Today, most new PCs running Windows 10, Windows 8.1, or Windows 8 provide sufficient protection against DMA attacks without requiring pre-boot authentication. For example, most modern PCs include USB port options (which are not vulnerable to DMA attacks) but do not include FireWire or Thunderbolt ports (which are vulnerable to DMA attacks).
-BitLocker-encrypted devices with DMA ports enabled, including FireWire or Thunderbolt ports, should be configured with pre-boot authentication if they are running Windows 10, Windows 7, Windows 8, or Windows 8.1 and disabling the ports using policy or firmware configuration is not an option. Windows 8.1 and later Modern Standby devices do not need pre-boot authentication to defend against DMA-based port attacks, as the ports will not be present on certified devices. A non-Modern Standby Windows 8.1 and later device requires pre-boot authentication if DMA ports are enabled on the device and additional mitigations described in this document are not implemented. Many customers find that the DMA ports on their devices are never used, and they choose to eliminate the possibility of an attack by disabling the DMA ports themselves, either at the hardware level or through Group Policy.
+BitLocker-encrypted devices with DMA ports enabled, including FireWire or Thunderbolt ports, should be configured with pre-boot authentication if they are running Windows 10, Windows 7, Windows 8, or Windows 8.1 and disabling the ports using policy or firmware configuration is not an option. Many customers find that the DMA ports on their devices are never used, and they choose to eliminate the possibility of an attack by disabling the DMA ports themselves, either at the hardware level or through Group Policy.
Many new mobile devices have the system memory soldered to the motherboard, which helps prevent the cold boot–style attack, where the system memory is frozen, removed, and then placed into another device. Those devices, and most PCs, can still be vulnerable when booting to a malicious operating system, however.
You can mitigate the risk of booting to a malicious operating system:
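Review bot: The rewritten paragraph deletes both Modern Standby sentences without replacing them, so the page no longer says when pre-boot authentication can be omitted on Windows 8.1 and later devices, nor that a non-Modern Standby device with DMA ports enabled requires it unless the other mitigations are in place. If the statement that "the ports will not be present on certified devices" is no longer accurate, replace it with the current guidance instead of removing the condition altogether. As it stands, readers are left with only the general recommendation and no criteria for the exception.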
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-appsource.png b/windows/security/threat-protection/windows-defender-atp/images/atp-appsource.png
new file mode 100644
index 0000000000..8fc27a91ef
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/atp-appsource.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-data-ready.png b/windows/security/threat-protection/windows-defender-atp/images/atp-data-ready.png
new file mode 100644
index 0000000000..3495a90989
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/atp-data-ready.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-get-data.png b/windows/security/threat-protection/windows-defender-atp/images/atp-get-data.png
new file mode 100644
index 0000000000..5f7bdc83b7
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/atp-get-data.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-loading.png b/windows/security/threat-protection/windows-defender-atp/images/atp-loading.png
new file mode 100644
index 0000000000..54e4e01b78
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/atp-loading.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-powerbi-accept.png b/windows/security/threat-protection/windows-defender-atp/images/atp-powerbi-accept.png
new file mode 100644
index 0000000000..d36fb7296c
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/atp-powerbi-accept.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-powerbi-consent.png b/windows/security/threat-protection/windows-defender-atp/images/atp-powerbi-consent.png
index 953e4af373..881c69c22c 100644
Binary files a/windows/security/threat-protection/windows-defender-atp/images/atp-powerbi-consent.png and b/windows/security/threat-protection/windows-defender-atp/images/atp-powerbi-consent.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-powerbi-extension.png b/windows/security/threat-protection/windows-defender-atp/images/atp-powerbi-extension.png
new file mode 100644
index 0000000000..eb02b6627a
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/atp-powerbi-extension.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-powerbi-importing.png b/windows/security/threat-protection/windows-defender-atp/images/atp-powerbi-importing.png
new file mode 100644
index 0000000000..3b20c9a97d
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/atp-powerbi-importing.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md
index 9f71bafa2b..36517f85e2 100644
--- a/windows/security/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md
@@ -9,7 +9,7 @@ ms.sitesec: library
ms.pagetype: security
author: mjcaparas
localizationpriority: high
-ms.date: 10/23/2017
+ms.date: 03/16/2018
---
# Create and build Power BI reports using Windows Defender ATP data
@@ -32,33 +32,94 @@ Windows Defender ATP supports the use of Power BI data connectors to enable you
Data connectors integrate seamlessly in Power BI, and make it easy for power users to query, shape and combine data to build reports and dashboards that meet the needs of your organization.
You can easily get started by:
-- Creating a dashboard on the Power BI service
+- Creating a dashboard on the Power BI service:
+ - From the Windows Defender ATP portal or
+ - From the Power BI portal
- Building a custom dashboard on Power BI Desktop and tweaking it to fit the visual analytics and reporting requirements of your organization
You can access these options from the Windows Defender ATP portal. Both the Power BI service and Power BI Desktop are supported.
-## Create a Windows Defender ATP dashboard on Power BI service
+## Create a Power BI dashboard from the Windows Defender ATP portal
Windows Defender ATP makes it easy to create a Power BI dashboard by providing an option straight from the portal.
1. In the navigation pane, select **Preferences setup** > **Power BI reports**.
-
-2. Click **Create dashboard**. This opens up a new tab in your browser and loads the Power BI service with data from your organization.
-
+

+2. Click **Create dashboard**. You'll see a notification that things are being loaded.
+
+ 
+
+
+3. Specify the following details:
+ - **extensionDataSourceKind**: WDATPConnector
+ - **extensionDataSourcePath**: WDATPConnector
+ - **Authentication method**: OAuth2
+
+ 
+
+4. Click **Sign in**. If this is the first time you’re using Power BI with Windows Defender ATP, you’ll need to sign in and give consent to Windows Defender ATP Power BI app. By providing consent, you’re allowing Windows Defender ATP Power BI to sign in and read your profile, access your data, and be used for report refresh.
+
+ 
+
+5. Click **Accept**. Power BI service will start downloading your Windows Defender ATP data from Microsoft Graph. After a successful login, you'll see a notification that data is being imported:
+
+ 
+
>[!NOTE]
- >Loading your data in the Power BI service can take a few minutes.
+ >Depending on the number of onboarded machines, loading your data in the Power BI service can take several minutes. A larger number of machines might take longer to load.
-3. If this is the first time you’re using Power BI with Windows Defender ATP, you’ll need to sign in and give consent to Windows Defender ATP Power BI app. By providing consent, you’re allowing Windows Defender ATP Power BI to sign in and read your profile, and access your data.
+ When importing data is completed and the dataset is ready, you’ll the following notification:
- 
+ 
-4. Click **Accept**. Power BI service will start downloading your Windows Defender ATP data from Microsoft Graph.
+6. Click **View dataset** to explore your data.
-When the dashboard is ready, you’ll get a notification within the Power BI website. Use the link in the portal to the Power BI console after creating the dashboard.
For more information, see [Create a Power BI dashboard from a report](https://powerbi.microsoft.com/en-us/documentation/powerbi-service-create-a-dashboard/).
+
+## Create a Power BI dashboard from the Power BI portal
+
+1. Login to [Power BI](https://powerbi.microsoft.com/).
+
+2. Click **Get Data**.
+
+3. Select **Microsoft AppSource** > **My Organization** > **Get**.
+
+ 
+
+4. In the AppSource window, select **Apps** and search for Windows Defender Advanced Threat Protection.
+
+ 
+
+5. Click **Get it now**.
+
+6. Specify the following details:
+ - **extensionDataSourceKind**: WDATPConnector
+ - **extensionDataSourcePath**: WDATPConnector
+ - **Authentication method**: OAuth2
+
+ 
+
+7. Click **Sign in**. If this is the first time you’re using Power BI with Windows Defender ATP, you’ll need to sign in and give consent to Windows Defender ATP Power BI app. By providing consent, you’re allowing Windows Defender ATP Power BI to sign in and read your profile, access your data, and be used for report refresh.
+
+ 
+
+8. Click **Accept**. Power BI service will start downloading your Windows Defender ATP data from Microsoft Graph. After a successful login, you'll see a notification that data is being imported:
+
+ 
+
+ >[!NOTE]
+ >Depending on the number of onboarded machines, loading your data in the Power BI service can take several minutes. A larger number of machines might take longer to load.
+
+ When importing data is completed and the dataset is ready, you’ll the following notification:
+
+ 
+
+9. Click **View dataset** to explore your data.
+
+
## Build a custom Windows Defender ATP dashboard in Power BI Desktop
You can create a custom dashboard in Power BI Desktop to create visualizations that cater to the specific views that your organization requires.
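Review bot: The sentence "When importing data is completed and the dataset is ready, you’ll the following notification:" is missing its verb in both new procedures (step 5 of the portal procedure and step 8 of the Power BI portal procedure). The two procedures also repeat the connector details, sign-in, consent and import steps word for word; consider stating them once and referring to them from the second procedure, so a later edit to the consent wording cannot leave the copies out of sync. In the portal procedure, step 3 "Specify the following details" no longer says where the dialog appears, because the earlier sentence about a new browser tab opening was removed. The consent sentence "to sign in and read your profile, access your data, and be used for report refresh" does not parse; say what access is granted for report refresh. "Login to" in step 1 should be "Sign in to", matching the "Click **Sign in**" wording used later.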
@@ -93,9 +154,9 @@ After completing the steps in the Before you begin section, you can proceed with
1. Open WDATPPowerBI.pbit from the zip with Power BI Desktop.
-2. If this is the first time you’re using Power BI with Windows Defender ATP, you’ll need to sign in and give consent to Windows Defender ATP Power BI app. By providing consent, you’re allowing Windows Defender ATP Power BI to sign in and read your profile, and access your data.
+2. If this is the first time you’re using Power BI with Windows Defender ATP, you’ll need to sign in and give consent to Windows Defender ATP Power BI app. By providing consent, you’re allowing Windows Defender ATP Power BI to sign in and read your profile, access your data, and be used for report refresh.
- 
+ 
3. Click **Accept**. Power BI Desktop will start downloading your Windows Defender ATP data from Microsoft Graph. When all data has been downloaded, you can proceed to customize your reports.
@@ -112,9 +173,9 @@ You can use Power BI Desktop to analyse data from Windows Defender ATP and mash

-4. If this is the first time you’re using Power BI with Windows Defender ATP, you’ll need to sign in and give consent to Windows Defender ATP Power BI app. By providing consent, you’re allowing Windows Defender ATP Power BI to sign in and read your profile, and access your data.
+4. If this is the first time you’re using Power BI with Windows Defender ATP, you’ll need to sign in and give consent to Windows Defender ATP Power BI app. By providing consent, you’re allowing Windows Defender ATP Power BI to sign in and read your profile, access your data, and be used for report refresh.
- 
+ 
5. Click **Accept**. Power BI Desktop will start downloading your Windows Defender ATP data from Microsoft Graph. When all data has been downloaded, you can proceed to customize your reports.